diff --git a/src/eapol.c b/src/eapol.c
index 6ca89fbb..39a545fe 100644
--- a/src/eapol.c
+++ b/src/eapol.c
@@ -352,6 +352,22 @@ bool eapol_encrypt_key_data(const uint8_t *kek, uint8_t *key_data,
 	return true;
 }
 
+void eapol_key_data_append(struct eapol_key *ek, enum handshake_kde selector,
+				const uint8_t *data, size_t data_len)
+{
+	uint16_t key_data_len = L_BE16_TO_CPU(ek->key_data_len);
+
+	ek->key_data[key_data_len++] = IE_TYPE_VENDOR_SPECIFIC;
+	ek->key_data[key_data_len++] = 4 + data_len; /* OUI + Data type + len */
+	l_put_be32(selector, ek->key_data + key_data_len);
+	key_data_len += 4;
+
+	memcpy(ek->key_data + key_data_len, data, data_len);
+	key_data_len += data_len;
+
+	ek->key_data_len = L_CPU_TO_BE16(key_data_len);
+}
+
 const struct eapol_key *eapol_key_validate(const uint8_t *frame, size_t len)
 {
 	const struct eapol_key *ek;
diff --git a/src/eapol.h b/src/eapol.h
index 8564b4e9..c46d86d0 100644
--- a/src/eapol.h
+++ b/src/eapol.h
@@ -50,6 +50,7 @@ enum eapol_key_descriptor_version {
 struct eapol_sm;
 struct handshake_state;
 struct preauth_sm;
+enum handshake_kde;
 
 struct eapol_header {
 	uint8_t protocol_version;
@@ -138,6 +139,8 @@ uint8_t *eapol_decrypt_key_data(const uint8_t *kek,
 bool eapol_encrypt_key_data(const uint8_t *kek, uint8_t *key_data,
 				size_t key_data_len,
 				struct eapol_key *out_frame);
+void eapol_key_data_append(struct eapol_key *ek, enum handshake_kde selector,
+				const uint8_t *data, size_t data_len);
 
 const struct eapol_key *eapol_key_validate(const uint8_t *frame, size_t len);
 
diff --git a/src/handshake.h b/src/handshake.h
index 1bdbef8d..5d4ac3de 100644
--- a/src/handshake.h
+++ b/src/handshake.h
@@ -25,6 +25,21 @@
 #include <asm/byteorder.h>
 #include <linux/types.h>
 
+/* 802.11-2016 Table 12-6 in section 12.7.2 */
+enum handshake_kde {
+	HANDSHAKE_KDE_GTK		= 0x000fac01,
+	HANDSHAKE_KDE_MAC_ADDRESS	= 0x000fac03,
+	HANDSHAKE_KDE_PMKID		= 0x000fac04,
+	HANDSHAKE_KDE_SMK		= 0x000fac05,
+	HANDSHAKE_KDE_NONCE		= 0x000fac06,
+	HANDSHAKE_KDE_LIFETIME		= 0x000fac07,
+	HANDSHAKE_KDE_ERROR		= 0x000fac08,
+	HANDSHAKE_KDE_IGTK		= 0x000fac09,
+	HANDSHAKE_KDE_KEY_ID		= 0x000fac0a,
+	HANDSHAKE_KDE_MULTIBAND_GTK	= 0x000fac0b,
+	HANDSHAKE_KDE_MULTIBAND_KEY_ID	= 0x000fac0c,
+};
+
 typedef bool (*handshake_get_nonce_func_t)(uint8_t nonce[]);
 typedef void (*handshake_install_tk_func_t)(uint32_t ifindex, const uint8_t *aa,
 					const uint8_t *tk, uint32_t cipher,