target = "https://www.rfc-editor.org/rfc/rfc9001#section-5.1"

# 5.1.  Packet Protection Keys
#
# QUIC derives packet protection keys in the same way that TLS derives
# record protection keys.
# 
# Each encryption level has separate secret values for protection of
# packets sent in each direction.  These traffic secrets are derived by
# TLS (see Section 7.1 of [TLS13]) and are used by QUIC for all
# encryption levels except the Initial encryption level.  The secrets
# for the Initial encryption level are computed based on the client's
# initial Destination Connection ID, as described in Section 5.2.
# 
# The keys used for packet protection are computed from the TLS secrets
# using the KDF provided by TLS.  In TLS 1.3, the HKDF-Expand-Label
# function described in Section 7.1 of [TLS13] is used with the hash
# function from the negotiated cipher suite.  All uses of HKDF-Expand-
# Label in QUIC use a zero-length Context.
# 
# Note that labels, which are described using strings, are encoded as
# bytes using ASCII [ASCII] without quotes or any trailing NUL byte.
# 
# Other versions of TLS MUST provide a similar function in order to be
# used with QUIC.
# 
# The current encryption level secret and the label "quic key" are
# input to the KDF to produce the AEAD key; the label "quic iv" is used
# to derive the Initialization Vector (IV); see Section 5.3.  The
# header protection key uses the "quic hp" label; see Section 5.4.
# Using these labels provides key separation between QUIC and TLS; see
# Section 9.6.
# 
# Both "quic key" and "quic hp" are used to produce keys, so the Length
# provided to HKDF-Expand-Label along with these labels is determined
# by the size of keys in the AEAD or header protection algorithm.  The
# Length provided with "quic iv" is the minimum length of the AEAD
# nonce or 8 bytes if that is larger; see [AEAD].
# 
# The KDF used for initial secrets is always the HKDF-Expand-Label
# function from TLS 1.3; see Section 5.2.

[[spec]]
level = "MUST"
quote = '''
Other versions of TLS MUST provide a similar function in order to be
used with QUIC.
'''