Key Exchange and Session Establishment

Following certificate verification, the client and server must establish a shared secret from which the symmetric keys for the session are derived. The method depends on the negotiated cipher suite, but it is commonly either RSA key transport or a Diffie-Hellman key exchange. In RSA key exchange, the client generates a pre-master secret, encrypts it under the server's public key, and sends the ciphertext to the server. Only the server, which holds the corresponding private key, can decrypt this pre-master secret.

Diffie-Hellman key exchange offers forward secrecy, the property that past sessions remain confidential even if the server's long-term private key is compromised later. Here both client and server contribute to the shared secret: each sends only a public value, and modular exponentiation (or, on elliptic curves, scalar multiplication) lets both arrive at the same secret without ever transmitting it. Ephemeral Diffie-Hellman (DHE or ECDHE) generates a fresh key pair for every session and discards it afterwards, which is what makes the forward-secrecy guarantee hold.

Once both parties hold the pre-master secret, they combine it with the client and server random values exchanged in the Hello messages to derive the master secret. The master secret is the foundation for a set of session keys: one for client-to-server encryption, one for server-to-client encryption, and separate keys for message authentication. Because every session key is derived from the master secret, an attacker who captures the encrypted traffic cannot decrypt it without access to that secret.
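The three steps above, as an added, runnable example that is not part of the original article: an ephemeral Diffie-Hellman exchange between a simulated client and server, followed by the TLS 1.2 key derivation (the HMAC-SHA256 PRF, the master secret, and the key block split into the per-direction keys). The group parameters (TOY_P, TOY_G) are a constructed toy, far too small for real use; real deployments use the RFC 7919 finite-field groups or elliptic curves such as X25519. The PRF, label strings, and key-block layout follow RFC 5246. Function names are this example's own.

```python
"""Ephemeral DH agreement plus TLS 1.2-style key derivation (illustrative)."""
import hashlib
import hmac
import secrets

# Constructed toy group for illustration only (assumption: NOT a real TLS group,
# and far too small to be secure). A Mersenne prime keeps the arithmetic honest.
TOY_P = 2**61 - 1
TOY_G = 2


def dh_keypair(p=TOY_P, g=TOY_G):
    """Ephemeral private exponent x in [2, p-2] and public value g^x mod p."""
    x = secrets.randbelow(p - 3) + 2
    return x, pow(g, x, p)


def dh_shared_secret(my_private, peer_public, p=TOY_P):
    """Z = peer_public^my_private mod p, identical on both sides.

    Degenerate peer values (0, 1, p-1) are rejected: they would force Z into
    a tiny set regardless of our private exponent.
    """
    if not 2 <= peer_public <= p - 2:
        raise ValueError("invalid peer DH public value")
    z = pow(peer_public, my_private, p)
    # RFC 5246 8.1.2: pre_master_secret is Z big-endian, leading zero bytes stripped.
    return z.to_bytes((z.bit_length() + 7) // 8, "big")


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 from RFC 5246 section 5: A(i) = HMAC(secret, A(i-1)), A(0) = seed;
    output = HMAC(secret, A(1)+seed) || HMAC(secret, A(2)+seed) || ..."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    return p_sha256(secret, label + seed, length)


def derive_master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """48-byte master secret from the pre-master secret and both Hello randoms."""
    return tls12_prf(pre_master, b"master secret", client_random + server_random, 48)


def derive_session_keys(master_secret, client_random, server_random,
                        mac_len=32, key_len=16, iv_len=16):
    """Expand the master secret into the six-part key block of RFC 5246 6.3.
    Note the randoms are concatenated in the opposite order from master-secret derivation."""
    key_block = tls12_prf(master_secret, b"key expansion",
                          server_random + client_random,
                          2 * (mac_len + key_len + iv_len))
    layout = [("client_write_MAC_key", mac_len), ("server_write_MAC_key", mac_len),
              ("client_write_key", key_len), ("server_write_key", key_len),
              ("client_write_IV", iv_len), ("server_write_IV", iv_len)]
    keys, offset = {}, 0
    for name, size in layout:
        keys[name] = key_block[offset:offset + size]
        offset += size
    return keys


def run_handshake():
    """Simulate both endpoints; returns (client_keys, server_keys)."""
    client_random = secrets.token_bytes(32)   # from ClientHello
    server_random = secrets.token_bytes(32)   # from ServerHello
    c_priv, c_pub = dh_keypair()
    s_priv, s_pub = dh_keypair()
    # Only c_pub and s_pub cross the wire; each side combines its own private
    # exponent with the peer's public value.
    client_pms = dh_shared_secret(c_priv, s_pub)
    server_pms = dh_shared_secret(s_priv, c_pub)
    client_keys = derive_session_keys(
        derive_master_secret(client_pms, client_random, server_random),
        client_random, server_random)
    server_keys = derive_session_keys(
        derive_master_secret(server_pms, client_random, server_random),
        client_random, server_random)
    # Ephemeral exponents are dropped once keys exist; a recorded transcript
    # (c_pub, s_pub, randoms, ciphertext) does not reveal Z without them.
    del c_priv, s_priv
    return client_keys, server_keys


if __name__ == "__main__":
    ck, sk = run_handshake()
    for name, value in ck.items():
        print(f"{name:22s} {value.hex()}  match={ck[name] == sk[name]}")
```

Both sides end up with the same six keys even though no secret crossed the wire, and the client-to-server and server-to-client keys are distinct slices of the key block, which is why the two directions are independently keyed.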