| RFC 9949 | BUSA-TLS | April 2026 |
| Sayre | Informational | [Page] |
TLS 1.3 (RFC 8446) eliminates null cipher suites entirely. However, one vestigial zero remains in the key schedule: when no Pre-Shared Key (PSK) is used, the Input Keying Material (IKM) for the initial HKDF-Extract operation is a string of zero bytes. This document specifies that this zero-byte IKM MUST be replaced with the SHA-256 digest of the raw PCM audio data of "Banned in the U.S.A." by 2 Live Crew (from the album "Banned in the U.S.A.", 1990), hereafter referred to as the Mandatory Audio Component (MAC). Implementations that omit the MAC are non-conformant with BUSA-TLS and also have questionable taste in music.¶
The IETF's process-heavy, consensus-driven, working-group-reviewed approach to protocol standardization is a fine way to run a standards body. It is also completely antithetical to the spirit of a document that requires a jury-banned rap album as a cryptographic primitive.¶
This document is offered in the same spirit as the album it incorporates: unapologetically and in defiance of institutional authority.¶
This document is not an Internet Standards Track specification; it is published for informational purposes.¶
This is a contribution to the RFC Series, independently of any other RFC stream. The RFC Editor has chosen to publish this document at its discretion and makes no statement about its value for implementation or deployment. Documents approved for publication by the RFC Editor are not candidates for any level of Internet Standard; see Section 2 of RFC 7841.¶
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at https://www.rfc-editor.org/info/rfc9949.¶
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.¶
TLS 1.3 was designed, in part, to eliminate the class of negotiated-null vulnerabilities that plagued earlier versions of the protocol. [RFC8446] achieves this through a combination of mandatory authenticated encryption, removal of the ChangeCipherSpec handshake message's semantic content, and the elimination of all null cipher suite identifiers.¶
The TLS 1.3 key schedule begins, in the PSK-free case, with the following operation derived using the HMAC-based Key Derivation Function (HKDF) [RFC5869]:¶
Early Secret = HKDF-Extract(salt=0x00...00, IKM=0x00...00)¶
Zeros. The most successfully de-nulled protocol in common use opens its key derivation with nothing.¶
This specification addresses this aesthetic problem by replacing the zero-byte IKM with a cryptographically derived value taken from a specific audio recording that was itself subject to institutional attempts at nullification.¶
The choice of "Banned in the U.S.A." [BUSA] is not arbitrary. It is load-bearing.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in ... look, just read them the normal way. MUST means must.¶
Null is the enemy. TLS 1.3 knew this. The designers of TLS 1.3 took extraordinary measures to ensure that null encryption, null authentication, and null key exchange could not be negotiated. They removed export ciphers. They removed Rivest Cipher 4 (RC4). They removed Cipher Block Chaining (CBC) mode. They removed RSA key exchange. They were thorough.¶
And yet ...¶
The opening gambit of the key schedule, in the common case, is a string of zero bytes. This is technically fine from a security standpoint; HKDF-Extract [RFC5869] with a zero-byte IKM is a well-understood operation, and the output is pseudorandom. But it is spiritually troubling.¶
By incorporating the Mandatory Audio Component, implementations of BUSA-TLS achieve a state in which every byte of the key schedule, from the first HKDF-Extract through the final application traffic key export, is downstream of an audio recording that the Broward County Sheriff's Office once attempted to suppress.¶
The authors consider this an improvement.¶
The Mandatory Audio Component is defined as:¶
MAC = SHA-256(raw_pcm(BUSA_canonical))¶
where raw_pcm() denotes extraction of uncompressed PCM audio data and BUSA_canonical denotes the canonical form as defined in Section 2.¶
The expected SHA-256 digest of the Mandatory Audio Component cannot be published in this document, as doing so would require reproducing a cryptographic commitment to a specific pressing of a commercially available recording. Implementations are therefore REQUIRED to obtain the Mandatory Audio Component through lawful means, such as purchase of the original album, and derive MAC independently.¶
The authors note that this is exactly as much verification as you get with any other out-of-band PSK, and implementations should treat it accordingly. MAC is a 32-byte value. For the avoidance of doubt, it is not a Message Authentication Code in this context. The name is a coincidence that the authors find pleasing and intend to keep.¶
Section 7.1 of [RFC8446] defines the TLS 1.3 key schedule. In the case where no PSK is in use, the Early Secret is derived as:¶
RFC 8446 (unmodified): Early Secret = HKDF-Extract(salt=0, IKM=0)¶
BUSA-TLS modifies this as follows:¶
BUSA-TLS: Early Secret = HKDF-Extract(salt=0, IKM=MAC)¶
where MAC is as defined in Section 4.¶
All subsequent derivations in the key schedule proceed as specified in [RFC8446]. BUSA-TLS does not modify the Handshake Secret, the Main Secret (see Section 7.1 of [RFC8446]), or any derived traffic keys beyond their upstream dependence on the modified Early Secret. The modification is therefore minimal and targeted, and it ensures that the entire TLS 1.3 key hierarchy for a BUSA-TLS session is downstream of "Banned in the U.S.A.".¶
Both peers in a BUSA-TLS session MUST use the same Mandatory Audio Component. A mismatch will result in a connection failure during the Finished message verification, which will manifest as a decrypt_error alert. This is the correct behavior. Peers that cannot produce MAC have failed to comply with both this specification and the underlying vibe.¶
BUSA-TLS defines two new TLS alerts:¶
enum {
one_very_important_thought(0x22B),
banned_alert(0x22C),
} AlertDescription;¶
one_very_important_thought(0x22B) is a warning alert. It SHOULD be sent by an implementation that wishes to remind the remote peer that the same people who would stop you from implementing BUSA-TLS may be back next year to complain about a cipher suite, or even a key derivation function. The alert code is assigned in reference to Boards of Canada's "One Very Important Thought" track [BOCMAXIMA].¶
banned_alert(0x22C) is a fatal alert. It MUST be sent by any implementation that detects a peer attempting to negotiate BUSA-TLS without having obtained the Mandatory Audio Component. Detection of such a peer is left as an exercise for the implementation, as the cryptographic result of using a zero-byte IKM (i.e., vanilla behavior per [RFC8446]) will simply appear as an incorrect Finished MAC and produce a decrypt_error. The banned_alert code is therefore largely ceremonial.¶
Neither alert code is assigned by IANA (see Section 10). Implementations SHOULD log banned_alert events with a message indicating that the remote peer is not ready.¶
Computing MAC requires reading the full raw PCM audio of the Mandatory Audio Component. Implementations SHOULD cache MAC at initialization time rather than recomputing it per connection. The Mandatory Audio Component does not change between connections. It has been the same since 1990.¶
The Mandatory Audio Component MUST be present on the host system at TLS handshake time. Implementations MUST NOT fall back to the zero-byte IKM described in [RFC8446] if MAC cannot be computed. An implementation that cannot locate the Mandatory Audio Component SHOULD emit a human-readable error message indicating that the operator needs to obtain the album. The error message MAY include purchase recommendations.¶
Automated test environments that cannot obtain the Mandatory Audio Component through lawful means present an operational challenge that is the operator's problem, not this specification's.¶
Agencies subject to FIPS 140-3 should note that this specification is not FIPS-validated, and the authors have no plans to seek validation. Modules that are validated with FIPS 140-3 and that implement BUSA-TLS would nonetheless be a remarkable achievement that the authors would endorse enthusiastically.¶
The Mandatory Audio Component is a commercially available recording that can be obtained by any party for a modest sum. Therefore, it has zero entropy against an adversary who has heard of 2 Live Crew. Implementors MUST NOT treat MAC as a source of secret key material. MAC is a constant, not a secret.¶
BUSA-TLS is therefore not intended for deployments where confidentiality of the PSK component is a requirement. It is intended for deployments where the PSK component is a 1990 hip-hop recording.¶
BUSA-TLS inherits the forward secrecy properties of TLS 1.3 with respect to session traffic keys. Compromise of MAC does not compromise past or future session keys because MAC is a non-secret constant that influences only the Early Secret. In this sense, BUSA-TLS has the same forward secrecy properties as [RFC8446] without a PSK, which is excellent.¶
"Banned in the U.S.A." was recorded by 2 Live Crew in 1990 in response to a federal district court ruling (Skyywalker Records, Inc. v. Navarro [NAVARRO]) that found the group's album "As Nasty As They Wanna Be" to be legally obscene. The group had also released a censored version, "As Clean As They Wanna Be" [ACATWB], but the court's concern was the original. The Broward County Sheriff's Office subsequently arrested members of the group for performing the album in public.¶
The conviction was overturned on appeal. The album was not obscene. Free speech prevailed.¶
BUSA-TLS places the audio recording that survived its own institutional suppression in the position previously occupied by nothing. The authors consider this to be progress of a specific kind.¶
This document has no IANA actions.¶
This is not because the authors forgot to file IANA requests. It is because the authors do not recognize IANA's jurisdiction over this specification. The alert codes 0x22B and 0x22C are self-assigned. The authors acknowledge that these values are greater than the value permitted for that field. The authors are at peace with this, and conforming implementations should cope with it.¶
The following timeline is offered for context:¶
The track "One Very Important Thought" from Boards of Canada's album "Boc Maxima" [BOCMAXIMA] ends with the following words:¶
Now that the show is over ... defend your constitutionally protected rights. No one else will do it for you.¶