After a master key has been chosen (or recovered from the cache) both the client and the server can generate encryption keys for this session. Different keys are used for each direction of transmission. The keys are generated by feeding the master key, the session identifier, and the challenge data through an algorithm which generates values for the session keys. The two ends of the connection do this independently. The master key is particularly hard for an attacker to discover because no data is sent encrypted with this key.
Once the keys are chosen the client indicates that it is ready to enter the data transfer phase of the session by sending the client finished message.
Although there is no explicit length field for the session identifier in the client finished message the server can find the length of the session identifier because it is the only variable length field in the message and the total length of the message can be found from the message header.
This message is encrypted using the client write key for this session.