4. Exporter Definition
The output of the exporter is intended to be used in a single scope, which is associated with the TLS session, the label, and the context value.
The exporter takes three input values:
- a disambiguating label string,
- a per-association context value provided by the application using the exporter, and
- a length value.
If no context is provided, it then computes:
    PRF(SecurityParameters.master_secret, label,
        SecurityParameters.client_random +
        SecurityParameters.server_random
        )[length]
If context is provided, it computes:
    PRF(SecurityParameters.master_secret, label,
        SecurityParameters.client_random +
        SecurityParameters.server_random +
        context_value_length + context_value
        )[length]
Where PRF is the TLS Pseudorandom Function in use for the session. The output is a pseudorandom bit string of length bytes generated from the master_secret. (This construction allows for interoperability with older exporter-type constructions which do not use context values, e.g., [RFC5281]).
Labels here have the same definition as in TLS, i.e., an ASCII string with no terminating NULL. Label values beginning with "EXPERIMENTAL" MAY be used for private use without registration. All other label values MUST be registered via Specification Required as described by RFC 5226 [RFC5226]. Note that exporter labels have the potential to collide with existing PRF labels. In order to prevent this, labels SHOULD begin with "EXPORTER". This is not a MUST because there are existing uses that have labels which do not begin with this prefix.
The context value allows the application using the exporter to mix its own data with the TLS PRF for the exporter output. One example of where this might be useful is an authentication setting where the client credentials are valid for more than one identity; the context value could then be used to mix the expected identity into the keying material, thus preventing substitution attacks. The context value length is encoded as an unsigned, 16-bit quantity (uint16; see [RFC5246], Section 4.4) representing the length of the context value. The context MAY be zero length. Because the context value is mixed with the master_secret via the PRF, it is safe to mix confidential information into the exporter, provided that the master_secret will not be known to the attacker.
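An added example, not part of the specification: a Python version of the two computations above, assuming the session PRF is the TLS 1.2 P_SHA256 construction from [RFC5246], Section 5. The function names, master secret, randoms and label are constructed for illustration; the example shows that an absent context and a zero-length context produce different keying material, and that the context binds the output to an identity.

```python
import hashlib
import hmac
import struct
from typing import Optional

def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_hash of RFC 5246 Section 5 with HMAC-SHA256 (assumed session PRF)."""
    out, a = b"", seed                      # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()            # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]                     # the "[length]" truncation

def export_keying_material(master_secret: bytes, client_random: bytes,
                           server_random: bytes, label: bytes, length: int,
                           context: Optional[bytes] = None) -> bytes:
    """Exporter computation; context=None means "no context provided"."""
    if not label.isascii() or b"\x00" in label:
        raise ValueError("label must be ASCII with no NUL byte")
    seed = client_random + server_random
    if context is not None:
        if len(context) > 0xFFFF:
            raise ValueError("context length must fit in a uint16")
        # context_value_length is a big-endian uint16, present even when 0
        seed += struct.pack("!H", len(context)) + context
    # PRF(secret, label, seed) = P_hash(secret, label + seed)
    return p_sha256(master_secret, label + seed, length)

# Constructed sample values, not taken from any real session.
MASTER_SECRET = bytes(range(48))
CLIENT_RANDOM = b"\x01" * 32
SERVER_RANDOM = b"\x02" * 32
LABEL = b"EXPERIMENTAL added example"       # private-use label prefix

def demo() -> dict:
    args = (MASTER_SECRET, CLIENT_RANDOM, SERVER_RANDOM, LABEL, 32)
    return {
        "no_context": export_keying_material(*args),
        "empty_context": export_keying_material(*args, context=b""),
        "alice": export_keying_material(*args, context=b"alice"),
        "bob": export_keying_material(*args, context=b"bob"),
    }

if __name__ == "__main__":
    for name, okm in demo().items():
        print(f"{name:14s} {okm.hex()}")
```

Both endpoints must agree on whether a context is supplied at all, because passing an empty context where the peer passes none yields unrelated output.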