TLS 1.3 Identity Module Trusted Exporter
draft-urien-tls-im-trusted-exporter-00
This document is an Internet-Draft (I-D).
Anyone may submit an I-D to the IETF.
This I-D is not endorsed by the IETF and has no formal standing in the
IETF standards process.
| Field | Value |
|---|---|
| Type | Active Internet-Draft (individual) |
| Author | Pascal Urien |
| Last updated | 2026-05-28 |
| RFC stream | (None) |
| Intended RFC status | (None) |
| Stream state | (No stream defined) |
| Consensus boilerplate | Unknown |
| RFC Editor Note | (None) |
| IESG state | I-D Exists |
| Telechat date | (None) |
| Responsible AD | (None) |
| Send notices to | (None) |
TLS Working Group                                          P. Urien
Internet Draft                                        Telecom Paris
Intended status: Experimental                            Ethertrust
                                                        28 May 2026
Expires: November 2026
TLS 1.3 Identity Module Trusted Exporter
draft-urien-tls-im-trusted-exporter-00.txt
Abstract
The Transport Layer Security (TLS) 1.3 protocol supports external
Pre-Shared Keys (PSKs), which are provisioned out of band. A PSK
binder, included in the ClientHello message, is computed as an HMAC
over a transcript hash using a key called the Finished External Key
(FEK). For the "PSK with (EC)DHE" key exchange mode, where Diffie-
Hellman is performed over either finite fields or elliptic curves,
the Handshake Secret (HS) is computed from the (EC)DHE shared secret
using HKDF-Extract with a key called the Derived Secret Key (DSK),
which is derived from the PSK. A TLS identity module SHOULD be used
to protect procedures involving keys bound to the PSK, such as the
FEK or the DSK. TLS defines keying material exporters, which rely on
secrets produced during the handshake protocol. This draft
introduces an Exporter Trusted Key (ETK), which is securely stored
and used within a TLS identity module. The ETK transforms exporter
secrets into trusted values that cannot be recovered by TLS
software. A trusted exporter is similar to the legacy TLS exporter,
but it uses an additional trusted secret.
Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
Status of this Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six
months and may be updated, replaced, or obsoleted by other documents
at any time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on November 2026.
Copyright Notice
Copyright (c) 2026 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document.
Please review these documents carefully, as they describe your
rights and restrictions with respect to this document. Code
Components extracted from this document must include Revised BSD
License text as described in Section 4.e of the Trust Legal
Provisions and are provided without warranty as described in the
Revised BSD License.
Table of Contents
Abstract
Requirements Language
Status of this Memo
Copyright Notice
1 Introduction
2 TLS PSK with (EC)DHE
   2.1 PSK Binder procedure
   2.2 Handshake Secret
   2.3 Identity Module
   2.4 TLS For Secure Element
3 Exporter Trusted Key
4 TLS-Exporter Secrets
   4.1 Early Exporter Master Secret
   4.2 Exporter Master Secret
4 TLS-Trusted-Exporter Secrets
   4.1 Trusted Early Exporter Master Secret
   4.2 Trusted-Exporter-Master-Secret
5 TLS Trusted Exporter
5 IANA Considerations
6 Security Considerations
7 References
   7.1 Normative References
   7.2 Informative References
8 Authors' Addresses
1 Introduction

TLS 1.3 [RFC8446] defines keying material exporters. An exporter
relies on a secret produced during the handshake protocol. This
secret is either:

- the early-exporter-master-secret, computed from the PSK as
  follows:

     Derive-Secret(Early-Secret, "e exp master", ClientHello)

- or the exporter-master-secret, computed from the master secret as
  follows:

     Derive-Secret(master-secret, "exp master",
                   ClientHello...Server Finished)

The main objective of this draft is to define exporters that can
only be computed within a TLS identity module [IM].

This draft defines the Exporter Trusted Key (ETK), derived from the
PSK and securely stored and used within the TLS identity module.
This key modifies the exporter secrets required by the TLS Trusted
Exporter according to the following relation:

     Trusted-Secret = HKDF-Extract(Secret, ETK) = HMAC(Secret, ETK)

The TLS Trusted Exporter is similar to the legacy TLS exporter, but
it uses a Trusted-Secret.
2 TLS PSK with (EC)DHE

2.1 PSK Binder procedure

According to [RFC8446], external PSKs MAY be provisioned outside
TLS.

The Early Secret (ESK) is computed as follows:

     ESK = HKDF-Extract(salt = 0s, PSK) = HMAC(salt = 0s, PSK)

The Binder Key (BSK) for external provisioning is computed as
follows:

     BSK = Derive-Secret(ESK, "ext binder", "")

The Finished External Key (FEK) is computed as follows:

     FEK = HKDF-Expand-Label(BSK, "finished", "", Hash.length)
For Derive-Secret procedures, "" is equivalent to Hash(empty), whose
size is Hash.length.

The PSK binder is computed as follows:

     PSK-Binder = HMAC(FEK, transcript_hash)

The PSK binder is included in clear text in the ClientHello message.
It can therefore be used in brute-force attacks to recover the PSK
value.

2.2 Handshake Secret

The Derived Secret Key (DSK) is computed as follows:

     DSK = Derive-Secret(ESK, "derived", "")

The Handshake Secret (HS) is computed as follows:

     HS = HKDF-Extract(salt = DSK, (EC)DHE)

2.3 Identity Module

A TLS identity module [IM] securely computes the PSK binder and the
Handshake Secret.

2.4 TLS For Secure Element

TLS for secure elements [TLSSE] is a TLS 1.3 server using the "PSK
with (EC)DHE" exchange mode and running inside a secure element,
i.e., a tamper-resistant device.

The Trusted Exporter MAY be used to export wrapping keys that cannot
be recovered by client software, without a TLS identity module.

3 Exporter Trusted Key

The Exporter Trusted Key (ETK) is always stored and used within the
TLS identity module [IM].

It is computed according to the relation:

     ETK = Derive-Secret(ESK, "trusted exporter", "")

4 TLS-Exporter Secrets

4.1 Early Exporter Master Secret

     EEMS = early-exporter-master-secret =
        Derive-Secret(ESK, "e exp master", ClientHello)

4.2 Exporter Master Secret

     DS = Derive-Secret(HS, "derived", "")

     MasterSecret = MS = HKDF-Extract(DS, 0s) = HMAC(DS, 0s)

     EMS = exporter_master_secret =
        Derive-Secret(MS, "exp master", ClientHello...server Finished)

4 TLS-Trusted-Exporter Secrets

4.1 Trusted Early Exporter Master Secret

The trusted-early-exporter-master-secret is defined as:

     trusted-early-exporter-master-secret = TEEMS =
        HKDF-Extract(EEMS, ETK) = HMAC(EEMS, ETK)

4.2 Trusted-Exporter-Master-Secret

The trusted-exporter-master-secret is defined as:

     trusted-exporter-master-secret = TEMS =
        HKDF-Extract(EMS, ETK) = HMAC(EMS, ETK)

5 TLS Trusted Exporter

[RFC5705] defines keying material exporters for TLS in terms of the
TLS pseudorandom function (PRF). [RFC8446] replaces the PRF with
HKDF, thus requiring a new construction. The exporter interface
remains the same. The exporter value is computed as:

     TLS-Exporter(label, context_value, key_length) =
        HKDF-Expand-Label(Derive-Secret(Secret, label, ""),
                          "exporter", Hash(context_value),
                          key_length)

According to this draft, the TLS-Trusted-Exporter procedure SHOULD be
executed by the TLS identity module, and is defined as:

     TLS-Trusted-Exporter(label, context_value, key_length) =
        HKDF-Expand-Label(Derive-Secret(Trusted-Secret, label, ""),
                          "exporter", Hash(context_value),
                          key_length)
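
The ETK, Trusted-Secret and TLS-Trusted-Exporter relations above, carried through in Python as an added example that is not part of the draft or of the author's code. It assumes a SHA-256 cipher suite; the IdentityModule class, the demo function, the exporter label and all sample values are hypothetical and constructed for illustration.

```python
import hashlib
import hmac

H = hashlib.sha256            # assumption: SHA-256 cipher suite
HLEN = H().digest_size

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, H).digest()          # HMAC(salt, IKM), RFC 5869

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), H).digest()
        out += block
        counter += 1
    return out[:length]

def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    full = b"tls13 " + label                        # RFC 8446 HkdfLabel encoding
    info = (length.to_bytes(2, "big") + bytes([len(full)]) + full
            + bytes([len(context)]) + context)
    return hkdf_expand(secret, info, length)

def derive_secret(secret: bytes, label: bytes, messages: bytes) -> bytes:
    return hkdf_expand_label(secret, label, H(messages).digest(), HLEN)

def tls_exporter(secret: bytes, label: bytes, context_value: bytes, key_length: int) -> bytes:
    return hkdf_expand_label(derive_secret(secret, label, b""), b"exporter",
                             H(context_value).digest(), key_length)

class IdentityModule:
    """Hypothetical software stand-in for the identity module holding the ETK."""

    def __init__(self, psk: bytes):
        esk = hkdf_extract(bytes(HLEN), psk)                       # ESK
        self._etk = derive_secret(esk, b"trusted exporter", b"")   # ETK, never returned

    def trusted_exporter(self, secret, label, context_value, key_length):
        trusted = hkdf_extract(secret, self._etk)    # Trusted-Secret = HMAC(Secret, ETK)
        return tls_exporter(trusted, label, context_value, key_length)

def demo():
    ems = H(b"constructed exporter_master_secret").digest()   # constructed sample value
    im = IdentityModule(bytes(range(32)))                       # constructed PSK
    args = (b"EXPORTER-example", b"constructed context", 32)    # hypothetical label
    return tls_exporter(ems, *args), im.trusted_exporter(ems, *args)

if __name__ == "__main__":
    legacy, trusted = demo()
    print("legacy :", legacy.hex())
    print("trusted:", trusted.hex())
```

TLS software that holds the exporter master secret can reproduce the legacy value on its own, while the trusted value additionally requires the ETK, which the module interface never returns.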
5 IANA Considerations
This draft does not require any action from IANA.
6 Security Considerations
This entire document is about security.
7 References
7.1 Normative References
[RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol
Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
https://www.rfc-editor.org/info/rfc8446.
[RFC5705] Rescorla, E., "Keying Material Exporters for Transport
Layer Security (TLS)", RFC 5705, DOI 10.17487/RFC5705, March 2010,
https://www.rfc-editor.org/info/rfc5705.
7.2 Informative References
[IM] Urien, P., "Identity Module for TLS Version 1.3",
draft-urien-tls-im-10.txt, January 2024.
[TLSSE] Urien, P., "Secure Element for TLS Version 1.3",
draft-urien-tls-se-08.txt, June 2024.
8 Authors' Addresses
Pascal Urien
EtherTrust - Telecom Paris
19 place Marguerite Perey
91120 Palaiseau
France
Email: Pascal.Urien@telecom-paris.fr