diff --git a/src/handshake.c b/src/handshake.c
index 14b9322e..c17aac85 100644
--- a/src/handshake.c
+++ b/src/handshake.c
@@ -651,6 +651,21 @@ const uint8_t *handshake_util_find_pmkid_kde(const uint8_t *data,
 	return pmkid;
 }
 
+/* Defined in 802.11-2016 12.7.2 j), Figure 12-34 */
+void handshake_util_build_gtk_kde(enum crypto_cipher cipher, const uint8_t *key,
+					unsigned int key_index, uint8_t *to)
+{
+	size_t key_len = crypto_cipher_key_len(cipher);
+
+	*to++ = IE_TYPE_VENDOR_SPECIFIC;
+	*to++ = 6 + key_len;
+	l_put_be32(HANDSHAKE_KDE_GTK, to);
+	to += 4;
+	*to++ = key_index;
+	*to++ = 0;
+	memcpy(to, key, key_len);
+}
+
 /*
  * Unwrap a GTK / IGTK included in an FTE following 802.11-2012, Section 12.8.5:
  *
diff --git a/src/handshake.h b/src/handshake.h
index 6ad6889d..37ab511c 100644
--- a/src/handshake.h
+++ b/src/handshake.h
@@ -26,6 +26,7 @@
 #include <linux/types.h>
 
 struct handshake_state;
+enum crypto_cipher;
 
 /* 802.11-2016 Table 12-6 in section 12.7.2 */
 enum handshake_kde {
@@ -194,6 +195,8 @@ const uint8_t *handshake_util_find_igtk_kde(const uint8_t *data,
 					size_t data_len, size_t *out_igtk_len);
 const uint8_t *handshake_util_find_pmkid_kde(const uint8_t *data,
 					size_t data_len);
+void handshake_util_build_gtk_kde(enum crypto_cipher cipher, const uint8_t *key,
+					unsigned int key_index, uint8_t *to);
 
 void handshake_event(struct handshake_state *hs, enum handshake_event event,
 		void *event_data);