Skip to main content

1. Introduction

1. Introduction

Note: The mechanism described in this document was previously known as "TLS Extractors" but was changed to avoid a name conflict with the use of the term "Extractor" in the cryptographic community.

A number of protocols wish to leverage Transport Layer Security (TLS) [RFC5246] or Datagram TLS (DTLS) [RFC4347] to perform key establishment but then use some of the keying material for their own purposes. A typical example is DTLS-SRTP [DTLS-SRTP], a key management scheme for the Secure Real-time Transport Protocol (SRTP) that uses DTLS to perform a key exchange and negotiate the SRTP [RFC3711] protection suite and then uses the DTLS master_secret to generate the SRTP keys.

These applications imply a need to be able to export keying material (later called Exported Keying Material or EKM) from TLS/DTLS to an application or protocol residing at an upper layer, and to securely agree on the upper-layer context where the keying material will be used. The mechanism for exporting the keying material has the following requirements:

  • Both client and server need to be able to export the same EKM value.

  • EKM values should be indistinguishable from random data to attackers who don't know the master_secret.

  • It should be possible to export multiple EKM values from the same TLS/DTLS association.

  • Knowing one EKM value should not reveal any useful information about the master_secret or about other EKM values.

The mechanism described in this document is intended to fulfill these requirements. This mechanism is compatible with all versions of TLS.

Last updated on