Technical Summary
The Transport Layer Security (TLS) master secret is not
cryptographically bound to important session parameters such as the
server certificate. Consequently, it is possible for an active
attacker to set up two sessions, one with a client and another with a
server, such that the master secrets on the two sessions are the
same. Thereafter, any mechanism that relies on the master secret for
authentication, including session resumption, becomes vulnerable to a
man-in-the-middle attack, where the attacker can simply forward
messages back and forth between the client and server. This
specification defines a TLS extension that contextually binds the
master secret to a log of the full handshake that computes it, thus
preventing such attacks.
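The binding described above, as an added example that is not part of this write-up or of the specification's own text: it implements the TLS 1.2 SHA-256 PRF and derives the master secret both the legacy way (from the two randoms) and the extended way (from a hash of the handshake transcript). The pre-master secret, randoms and transcripts are constructed placeholders; the two transcripts differ only in the server certificate, modelling the two sessions an attacker sets up.

```python
import hashlib
import hmac

MASTER_SECRET_LEN = 48


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 P_SHA256: A(0)=seed, A(i)=HMAC(secret, A(i-1))."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    return p_sha256(secret, label + seed, length)


def master_secret_legacy(pms: bytes, client_random: bytes, server_random: bytes) -> bytes:
    # Classic derivation: only the randoms enter the seed, not the certificate.
    return prf(pms, b"master secret", client_random + server_random, MASTER_SECRET_LEN)


def master_secret_extended(pms: bytes, handshake_messages: bytes) -> bytes:
    # Extended derivation: session_hash covers the whole transcript so far,
    # including the server Certificate message.
    session_hash = hashlib.sha256(handshake_messages).digest()
    return prf(pms, b"extended master secret", session_hash, MASTER_SECRET_LEN)


# Constructed placeholder values (not real handshake data).
PMS = b"\x03\x03" + b"\x11" * 46          # 48-byte pre-master secret
CLIENT_RANDOM = b"\xaa" * 32
SERVER_RANDOM = b"\xbb" * 32
HELLOS = b"ClientHello|" + CLIENT_RANDOM + b"|ServerHello|" + SERVER_RANDOM
TRANSCRIPT_ATTACKER = HELLOS + b"|Certificate=attacker-cert|ClientKeyExchange"
TRANSCRIPT_SERVER = HELLOS + b"|Certificate=real-server-cert|ClientKeyExchange"


def compare_sessions() -> dict:
    """Same PMS and randoms on both sessions: do the master secrets collide?"""
    legacy_a = master_secret_legacy(PMS, CLIENT_RANDOM, SERVER_RANDOM)
    legacy_b = master_secret_legacy(PMS, CLIENT_RANDOM, SERVER_RANDOM)
    ext_a = master_secret_extended(PMS, TRANSCRIPT_ATTACKER)
    ext_b = master_secret_extended(PMS, TRANSCRIPT_SERVER)
    return {"legacy_equal": legacy_a == legacy_b, "extended_equal": ext_a == ext_b}


if __name__ == "__main__":
    print(compare_sessions())  # {'legacy_equal': True, 'extended_equal': False}
```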
Working Group Summary
This document has been reviewed by the WG on the mailing list
and has been discussed at numerous TLS meetings (both regularly
scheduled IETF meetings and TLS interims).
Document Quality
It not only reflects WG consensus, it also documents an implemented solution.
Personnel
Sean Turner is the document shepherd.
Stephen Farrell is the irresponsible AD.