


  TLS Working Group                                            P. Urien 
  Internet Draft                                          Telecom Paris 
  Intended status: Experimental                              Ethertrust 
                                                                        
                                                            28 May 2026 
  Expires: November 2026 
 
                    TLS 1.3 Identity Module Trusted Exporter 
                   draft-urien-tls-im-trusted-exporter-00.txt 
    
    
Abstract 
    
   The Transport Layer Security (TLS) 1.3 protocol supports external 
   Pre-Shared Keys (PSKs), which are provisioned out of band. A PSK 
   binder, included in the ClientHello message, is computed as an HMAC 
   over a transcript hash using a key called the Finished External Key 
   (FEK). For the "PSK with (EC)DHE" key exchange mode, where Diffie-
   Hellman is performed over either finite fields or elliptic curves, 
   the Handshake Secret (HS) is computed from the (EC)DHE shared secret 
   using HKDF-Extract with a key called the Derived Secret Key (DSK), 
   which is derived from the PSK. A TLS identity module SHOULD be used 
   to protect procedures involving keys bound to the PSK, such as the 
   FEK or the DSK. TLS defines keying material exporters, which rely on 
   secrets produced during the handshake protocol. This draft 
   introduces an Exporter Trusted Key (ETK), which is securely stored 
   and used within a TLS identity module. The ETK transforms exporter 
   secrets into trusted values that cannot be recovered by TLS 
   software. A trusted exporter is similar to the legacy TLS exporter, 
   but it uses an additional trusted secret. 
    
    
Requirements Language 
    
   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 
   "OPTIONAL" in this document are to be interpreted as described in 
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all 
   capitals, as shown here. 
    
Status of this Memo 
    
   This Internet-Draft is submitted in full conformance with the 
   provisions of BCP 78 and BCP 79. 
    
   Internet-Drafts are working documents of the Internet Engineering 
   Task Force (IETF).  Note that other groups may also distribute 
   working documents as Internet-Drafts. The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/. 
    
   Internet-Drafts are draft documents valid for a maximum of six 
   months and may be updated, replaced, or obsoleted by other documents 

   Urien                    Expires November 2026           [page 1] 
 
   TLS 1.3 Identity Module Trusted Exporter                  May 2026 
 
   at any time. It is inappropriate to use Internet-Drafts as reference 
   material or to cite them other than as "work in progress." 
    
   This Internet-Draft will expire on November 2026. 
    
    
Copyright Notice 
    
   Copyright (c) 2026 IETF Trust and the persons identified as the 
   document authors.  All rights reserved. 
    
   This document is subject to BCP 78 and the IETF Trust's Legal 
   Provisions Relating to IETF Documents 
   (https://trustee.ietf.org/license-info) in effect on the date of 
   publication of this document. 
   Please review these documents carefully, as they describe your 
   rights and restrictions with respect to this document. Code 
   Components extracted from this document must include Revised BSD 
   License text as described in Section 4.e of the Trust Legal 
   Provisions and are provided without warranty as described in the 
   Revised BSD License. 
    
    
Table of Contents 
   Abstract........................................................... 1 
   Requirements Language.............................................. 1 
   Status of this Memo................................................ 1 
   Copyright Notice................................................... 2 
   1 Introduction..................................................... 3 
   2 TLS PSK with (EC)DHE............................................. 3 
      2.1 PSK Binder procedure........................................ 3 
      2.2 Handshake Secret............................................ 4 
      2.3 Identity Module............................................. 4 
      2.4 TLS For Secure Element...................................... 4 
   3 Exporter Trusted Key............................................. 4 
   4 TLS-Exporter Secrets............................................. 4 
      4.1 Early Exporter Master Secret................................ 5 
      4.2 Exporter Master Secret...................................... 5 
   4 TLS-Trusted-Exporter Secrets..................................... 5 
      4.1 Trusted Early Exporter Master Secret........................ 5 
      4.2 Trusted-Exporter-Master-Secret.............................. 5 
   5 TLS Trusted Exporter............................................. 5 
   5 IANA Considerations.............................................. 6 
   6 Security Considerations.......................................... 6 
   7 References....................................................... 6 
      7.1 Normative References........................................ 6 
      7.2 Informative References...................................... 6 
   8 Authors' Addresses............................................... 6 
 



   Urien                 Expires November 2026               [Page 2] 
 
   TLS 1.3 Identity Module Trusted Exporter                  May 2026 
 
    
1 Introduction 
    
   TLS 1.3 [RFC8446] defines keying material exporters. An exporter 
   relies on a secret produced during the handshake protocol. This 
   secret is either: 
    
   - the early-exporter-master-secret, computed from the PSK as 
   follows: 
    
     Derive-Secret(Early-Secret, "e exp master", ClientHello) 
    
   - or the exporter-master-secret, computed from the master secret as 
   follows: 
    
     Derive-Secret(master-secret, "exp master", ClientHello...Server 
   Finished) 
    
   The main objective of this draft is to define exporters that can 
   only be computed within a TLS identity module [IM]. 
    
   This draft defines the Exported Trusted Key (ETK), derived from the 
   PSK and securely stored and used within the TLS identity module. 
   This key modifies the exporter secrets required by the TLS Trusted 
   Exporter according to the following relation: 
    
     Trusted-Secret = HKDF-Extract(Secret, ETK) = HMAC(Secret, ETK) 
    
   The TLS Trusted Exporter is similar to the legacy TLS exporter, but 
   it uses a Trusted-Secret. 
    
2 TLS PSK with (EC)DHE 
    
2.1 PSK Binder procedure 
    
   According to [RFC8446], external PSKs MAY be provisioned outside 
   TLS. 
    
   The Early Secret (ESK) is computed as follows: 
    
     ESK = HKDF-Extract(salt = 0s, PSK) = HMAC(salt = 0s, PSK) 
    
   The Binder Key (BSK) for external provisioning is computed as 
   follows: 
    
     BSK = Derive-Secret(ESK, "ext binder", "") 
    
   The Finished External Key (FEK) is computed as follows: 
    
     FEK = KDF-Expand-Label(BSK, "finished", "", Hash.length) 
    

   Urien                 Expires November 2026               [Page 3] 
 
   TLS 1.3 Identity Module Trusted Exporter                  May 2026 
 
   For Derive-Secret procedures, "" is equivalent to Hash(empty), whose 
   size is Hash.length. 
    
   The PSK binder is computed as follows: 
    
     PSK-Binder = HMAC(FEK, transcript_hash) 
    
   The PSK binder is included in clear text in the ClientHello message. 
   It can therefore be used in brute-force attacks to recover the PSK 
   value. 
    
    
2.2 Handshake Secret 
    
   The Derived Secret Key (DSK) is computed as follows: 
    
     DSK = Derive-Secret(ESK, "derived", "") 
    
   The Handshake Secret (HS) is computed as follows: 
    
     HS = HKDF-Extract(salt = DSK, (EC)DHE) 
    
    
2.3 Identity Module 
    
   A TLS identity module [IM] securely computes the PSK binder and the 
   Handshake Secret. 
    
    
2.4 TLS For Secure Element 
    
   TLS for secure elements [TLSSE] is a TLS 1.3 server using the "PSK 
   with (EC)DHE" exchange mode and running inside a secure element, 
   i.e., a tamper-resistant device. 
    
   The Trusted Exporter MAY be used to export wrapping keys that cannot 
   be recovered by client software, without a TLS identity module. 
    
3 Exporter Trusted Key 
    
   The Exporter Trusted Key (ETK) is always stored and used within the 
   TLS identity module [IM]. 
    
   It is computed according to the relation 
    
   ETK = Derive-Secret(ESK, "trusted exporter", "") 
    
    
4 TLS-Exporter Secrets 
    


   Urien                 Expires November 2026               [Page 4] 
 
   TLS 1.3 Identity Module Trusted Exporter                  May 2026 
 
4.1 Early Exporter Master Secret 
    
   EEMS= early-exporter-master-secret = Derive-Secret(ESK, "e exp 
   master", ClientHello) 
    
4.2 Exporter Master Secret 
    
   DS = Derive-Secret(HS, "derived", "") 
    
   MasterSecret = MS= HKDF-Extract(DS,0s) = HMAC(DS,0s) 
    
   EMS= exporter_master_secret=  
   Derive-Secret(MS, "exp master", ClientHello...server Finished) 
    
    
4 TLS-Trusted-Exporter Secrets 
    
4.1 Trusted Early Exporter Master Secret 
    
   The trusted-early-exporter-master-secret is defined as : 
    
   trusted-early-exporter-master-secret = TEEMS =  
    HKDF-Extract(EEMS, ETK) = HMAC(EEMS, ETK) 
    
4.2 Trusted-Exporter-Master-Secret 
    
   The trusted-exporter-master-secret is defined as: 
    
   trusted-exporter-master-secret = TEMS =  
    HKDF-Extract(EMS, ETK) = HMAC(EMS, ETK) 
    
5 TLS Trusted Exporter 
    
   [RFC5705] defines keying material exporters for TLS in terms of the 
   TLS pseudorandom function (PRF). [RFC8446] replaces the PRF with 
   HKDF, thus requiring a new construction. The exporter interface 
   remains the same. The exporter value is computed as: 
    
   TLS-Exporter(label, context_value, key_length) = 
     HKDF-Expand-Label(Derive-Secret(Secret, label, ""), 
                       "exporter", Hash(context_value), 
                        key_length) 
    
   According to this draft the TLS-Trusted-Exporter procedure SHOULD be 
   executed by the TLS Identity module, and is defined as 
    
   TLS-Trusted-Exporter(label, context_value, key_length) = 
       HKDF-Expand-Label(Derive-Secret(Trusted-Secret, label, ""), 
       "exporter", Hash(context_value), 
       key_length) 
    

   Urien                 Expires November 2026               [Page 5] 
 
   TLS 1.3 Identity Module Trusted Exporter                  May 2026 
 
    
5 IANA Considerations 
    
   This draft does not require any action from IANA. 
    
6 Security Considerations 
    
   This entire document is about security. 
    
    
7 References 
    
7.1 Normative References 
    
   [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol 
   Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, 
   https://www.rfc-editor.org/info/rfc8446. 
    
   [RFC5705] Rescorla, E., "Keying Material Exporters for Transport 
   Layer Security (TLS)", RFC 5705, DOI 10.17487/RFC5705, March 2010, 
   https://www.rfc-editor.org/info/rfc5705. 
    
7.2 Informative References 
    
   [IM] Urien, P., "Identity Module for TLS Version 1.3", draft-urien-
   tls-im-10.txt, January 2024. 
    
   [TLSSE] Urien, P., "Secure Element for TLS Version 1.3", draft-
   urien-tls-se-08.txt June 2024 
    
8 Authors' Addresses 
    
   Pascal Urien 
   EtherTrust - Telecom Paris 
   19 place Marguerite Perey 
   91120 Palaiseau 
   France 
   Email: Pascal.Urien@telecom-paris.fr 














   Urien                 Expires November 2026               [Page 6] 
