3

I feel like I am getting a little bit confused about how the first half of TLS works. From my understanding, it's like this:

  1. Client sends request to Server (with cipher suite preferences)
  2. Server acknowledges requests, decides on cipher suite, and sends its certificate to client

Now this is where I get confused. This link, like many others I've seen, suggests the Session key is encrypted with the servers certificate and sent directly over the network. However, then I see articles like this that suggests that a premaster secret is generated on the client and encrypted using the server's certificate. This means the key is never sent over the network.

So which is it?

james b
  • 33
  • 3

2 Answers2

2

Pre-master key and Session keys are two different things.

Pre-master key is used to provide a greater consistency between the cipher suites that belong to the client & the server. All your subsequent keys are derived using the pre-master key.
Read this link for more details: What's the point of the pre-master key?

Session key on the other hand is the symmetric key that you will to communicate further. Session key is derived using the pre-master key.

Limit
  • 3,236
  • 1
  • 16
  • 35
  • sorry - but this doesn't answer the question. I know what the difference between the keys are. – james b Dec 05 '16 at 07:37
  • The link does not state the security benefit. Lekensteyn's answer is better about the perfect forward secrecy. – minghua Sep 06 '20 at 00:49
1

The master secret is always used for deriving further key material for a TLS session (and can effectively be seen as session key) in TLS 1.2 and earlier versions. The premaster secret is a result from a key exchange, from this key the master secret is derived.

Two key exchange methods are defined:

  • RSA key exchange (RFC 5246, Section 8.1.1). Here, a random value is generated by the client (premaster secret, Section 7.4.7.1) and encrypted using the public key from the server's certificate. The result is sent over the wire in a Client Key Exchange message.
  • Diffie-Hellman (DH) key exchange (RFC 5246, Section 8.1.2). Here, both the server and client send their public values (not from the Certificate!) using the Client and Server Key Exchange messages (Section 7.4.7.2). Using their respective private components, they can compute a shared secret which is transformed into a premaster secret.

The master secret is directly calculated from the premaster secret (together with two random values from the Client and Server Hello messages):

For all key exchange methods, the same algorithm is used to convert
the pre_master_secret into the master_secret.  The pre_master_secret
should be deleted from memory once the master_secret has been
computed.

  master_secret = PRF(pre_master_secret, "master secret",
                      ClientHello.random + ServerHello.random)
                      [0..47];

As you can see, the premaster secret is essentialy for the initial computation, but can be thrown away after the master secret is calculated. When session resumption is in use, typically the master secret (and not the premaster secret) is stored directly in the TLS session cache.

As a closing note, notice that the premaster secret for RSA key exchanges can be found by decrypting the (1) encrypted premaster secret (which was sent over the network) using the (2) private RSA key (which is bound to the certificate and reused for all RSA key exchanges).

With the DH key exchange, the premaster secret is calculated from (1) a public value (which was sent over the network) and (2) a private value (which is normally different every time). The private value is then discarded (instead of reused, as in the RSA case). This provides the Perfect Forward Secrecy property (when done properly without taking shortcuts).

Lekensteyn
  • 5,958
  • 5
  • 38
  • 62
  • 1
    Actually, for TLS_DH_RSA_*, TLS_DH_RSS_*, TLS_ECDH_ECDSA_*, the server DH or EDH parameters are static (not ephemeral): they are not received from the ServerKeyExchange message (https://datatracker.ietf.org/doc/html/rfc5246#appendix-A.4.2) but taken from the server certificate. In this case, this does not provide PFS (see for example https://ciphersuite.info/cs/TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256/). – ysdx Jul 12 '21 at 21:21