IETF Logo Mail Archive

[Lake] Fwd: [Ufmrg] Relay Attacks in Intra-handshake Attestation for Confidential Agentic AI Systems

Muhammad Usama Sardar <muhammad_usama.sardar@tu-dresden.de> Sun, 11 January 2026 01:58 UTC

Return-Path: <muhammad_usama.sardar@tu-dresden.de>
X-Original-To: lake@mail2.ietf.org
Delivered-To: lake@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id D597FA5F14F0 for <lake@mail2.ietf.org>; Sat, 10 Jan 2026 17:58:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -4.397
X-Spam-Level:
X-Spam-Status: No, score=-4.397 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=tu-dresden.de
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f1DgbEYsain9 for <lake@mail2.ietf.org>; Sat, 10 Jan 2026 17:58:31 -0800 (PST)
Received: from mailout3.zih.tu-dresden.de (mailout3.zih.tu-dresden.de [141.30.67.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id BF21BA5F14E3 for <lake@ietf.org>; Sat, 10 Jan 2026 17:58:30 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=tu-dresden.de; s=dkim2022; h=Content-Type:In-Reply-To:To:From:References: Subject:MIME-Version:Date:Message-ID:Sender:Reply-To:Cc: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=WpH4sJWx79Wsm4quscrcCuLMpfUJ30Q3bZ5jw9MSnv0=; b=tfSWwObNzKGyxmYxdJkeRbhN97 jZqUr9S9sTR4Qovrhh0o/+oukdYpu32w9XdQZ2liWYKLlx4WEC+drH4Hmq3ITRplHXdEQoVlrEAdU FzGUsaLVfZsQPd8thK94eGNxis8jt1cWm4xzhPa7n/9rdIl71HMBdM2EbkBUf+bR/wQQpovqIutLT qj1fl0UDamjPmHQAwvr8uwqnvC+GnlT8zBD+coqSC2VaIq/qY+nJy3eSi23OOnIdsVQxiTE+Wubol xTfuau3aDLhv22uEnLowZ/4dpDRtewr9TPPyW6Hklj/R9EnXq1FiGFYFv3gSkp83bnmFC5ddvzhQ7 yXzyQ9FQ==;
Received: from msx-t422.msx.ad.zih.tu-dresden.de ([172.26.35.139] helo=msx.tu-dresden.de) by mailout3.zih.tu-dresden.de with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <muhammad_usama.sardar@tu-dresden.de>) id 1vekir-00D1e8-5N for lake@ietf.org; Sun, 11 Jan 2026 02:58:30 +0100
Received: from [10.12.5.228] (141.76.13.165) by msx-t422.msx.ad.zih.tu-dresden.de (172.26.35.139) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.2562.35; Sun, 11 Jan 2026 02:58:27 +0100
Message-ID: <f40756f9-a7d3-4d3e-a744-1e273d96c496@tu-dresden.de>
Date: Sun, 11 Jan 2026 02:58:26 +0100
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Content-Language: en-US
References: <5521ffe4-4f9f-4470-93a2-644841713996@tu-dresden.de>
From: Muhammad Usama Sardar <muhammad_usama.sardar@tu-dresden.de>
To: "lake@ietf.org" <lake@ietf.org>
In-Reply-To: <5521ffe4-4f9f-4470-93a2-644841713996@tu-dresden.de>
X-Forwarded-Message-Id: <5521ffe4-4f9f-4470-93a2-644841713996@tu-dresden.de>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-512"; boundary="------------ms000300050603020108060803"
X-ClientProxiedBy: msx-t421.msx.ad.zih.tu-dresden.de (172.26.35.138) To msx-t422.msx.ad.zih.tu-dresden.de (172.26.35.139)
X-TUD-Virus-Scanned: mailout3.zih.tu-dresden.de
Message-ID-Hash: LJKC4RL6SDYAFZ7ZLS5PLDSPSY6JC555
X-Message-ID-Hash: LJKC4RL6SDYAFZ7ZLS5PLDSPSY6JC555
X-MailFrom: muhammad_usama.sardar@tu-dresden.de
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [Lake] Fwd: [Ufmrg] Relay Attacks in Intra-handshake Attestation for Confidential Agentic AI Systems
List-Id: Lightweight Authenticated Key Exchange <lake.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/lake/Tovtl7wgvzwJWT2I2ZwnhoIOnYQ>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lake>
List-Help: <mailto:lake-request@ietf.org?subject=help>
List-Owner: <mailto:lake-owner@ietf.org>
List-Post: <mailto:lake@ietf.org>
List-Subscribe: <mailto:lake-join@ietf.org>
List-Unsubscribe: <mailto:lake-leave@ietf.org>

Hi lakers,

Sending this separately to keep the two discussions separate.

We discovered relay attacks in intra-handshake attestation 
implementations of attested TLS. Our intuition (no formal proof yet) is 
that the attacks should apply to attested EDHOC protocol in 
intra-handshake attestation [6] as well -- at least for the case of 
Responder as Attester.

Welcome any questions/thoughts/opinions.

-Usama

PS: For any follow-up, please keep me explicitly in To/CC.



-------- Forwarded Message --------
Subject: 	[Ufmrg] Relay Attacks in Intra-handshake Attestation for 
Confidential Agentic AI Systems
Date: 	Sun, 11 Jan 2026 02:17:42 +0100
From: 	Muhammad Usama Sardar <muhammad_usama.sardar@tu-dresden.de>
To: 	seat@ietf.org <seat@ietf.org>, UFMRG IRTF <ufmrg@irtf.org>



Hi SEAT and UFMRG,

# *Context*

We (i.e., I, Dr. Viacheslav Dubeyko [IBM], and Prof. Jean-Marie Jacquet 
[University of Namur]) did an extensive exploration of binding 
mechanisms in intra-handshake attestation for confidential agentic AI 
systems, that was presented on mic at SEAT meeting 124 and later 
submitted as a draft [0] with focus on AI agent. In line with the scope 
of SEAT charter, we also did formal analysis in state-of-the-art tool 
ProVerif and we would like to share a summary of our findings from our 
formal analysis with the hope that the analysis provides important data 
points to WG for making informed decisions.

# *Key Finding*

/All/ analyzed binding mechanisms and implementations are ad-hoc and 
/all/ of them result in relay attacks.

Please note that this includes Meta's AI [1] for which a thorough 
security assessment [2] was carried out by /Trail of Bits/ and they were 
unable to capture the relay attacks but as kindly clarified by Tjaden 
Hess, no formal methods were used in their review process. Our analysis 
shows the value of formal methods in the review process.

# *Fundamental Issue*

Basically, there is no binding of Evidence to the TLS connection in all 
of these implementations.

# *TEE-agnostic System Model*

  * Layered Attester (e.g., Intel TDX)
  * Composite Attester (e.g., Arm CCA)

# *Scope of Attested TLS*

  * Intra-handshake attestation

# *Formalization Approach*

  * Symbolic security analysis

# *Formalization Tool*

  * ProVerif


# *Binding Mechanisms*

*A*. We considered the following values for user-defined field "rdata" 
in TEEs

 1. Client's TLS nonce
 2. Client's Attestation nonce
 3. Early exporter
 4. (Hash of) Server's public key

/Question for WG/RG/: Is someone aware of any other value that folks use 
in "rdata"? If possible, please share a link to specification and/or 
implementation together.

*B*. Combinations:
We considered the following combinations of binding mechanisms from *A*:

 1. Hash (Client's TLS nonce || Server's public key)
 2. Hash (Client's Attestation nonce || Server's public key)

/Question//for WG/RG/: Is someone aware of any other combination that 
folks use in "rdata"? If possible, please share a link to specification 
and/or implementation together.


# *Prominent Industrial Implementations*

 1. Edgeless Systems Contrast [3]: uses binding mechanism *B*.2
 2. Cocos AI [4]
 3. CCC proof-of-concept [5]: Implementation of
    draft-fossati-tls-attestation
 4. Meta’s AI [1]: uses binding mechanism *A*.1

/Question//for WG/RG/: Is someone aware of any other intra-handshake 
attestation implementation? If possible, please share a link to 
specification and/or implementation together.


# *Binding Levels*

 1. Shared DH secret (g^xy)
 2. Client's handshake traffic key (htsc)
 3. Client's application traffic key (atsc)


# *Correlation Properties*

  * G1: Correlation of Evidence to Shared DH Secret
  * G2: Correlation of Evidence to Client’s Handshake Traffic Key
  * G3: Correlation of Evidence to Client’s Application Traffic Key


# *Results*

We proved the proposition: G3 => G2 => G1

We discovered relay attacks in all above proposals for binding 
mechanisms as well as all implementations analyzed. We provide a formal 
proof of insecurity that all above binding mechanisms and 
implementations fail to even achieve G1 property (Level 1 binding).

Any binding that involves server's public key needs additional 
assumption that server's public key does not leak.

In general, all solutions fail when server's public key is leaked. In 
other words, extension of TLS with attestation in these implementations 
is not really bringing much benefit from a security perspective and 
rather giving a false sense of security.

We believe that it is not possible to achieve level 3 binding for 
intra-handshake attestation within the scope of SEAT charter.


# *Implementation Issues*

  * Meta's AI uses client's TLS nonce (instead of attestation nonce),
    and hence does not provide Evidence freshness.
  * Cocos AI abuses the SNI extension to convey attestation nonce.
  * Edgeless Systems Contrast was abusing the SNI extension to convey
    attestation nonce, and currently abusing the ALPN extension to
    convey attestation nonce.


# *Proposed Mitigation*

  * We propose a cryptographic binder and modify CertificateVerify
    message, which achieves level 2 binding.


# *Paper and Artifacts*
A paper draft has been prepared and artifacts are well-documented. If 
you are interested in reviewing one/both of them and can provide some 
feedback until 19th Jan, please reach out to me off-list. If someone can 
substantially improve the paper and/or artifacts, we are very welcoming 
to adding you as co-author. We will make the paper and artifacts public 
later on.


# *Contributors*
We thank Juho Forsén, Mariam Moustafa, Markus Rudy, Tjaden Hess, Yuning 
Jiang, and Pavel Nikonorov for sharing their insights and providing 
valuable feedback.


# *Other known related implementations*

  * Attested EDHOC: Our intuition (no formal proof yet) is that the
    attacks should apply to attested EDHOC protocol in intra-handshake
    attestation [6] as well -- at least for the case of Responder as
    Attester. We will reach out to LAKE WG to inform them about these
    attacks.
  * Attested Noise: Confer's private inference [7] uses binding
    mechanism *A*.4 [8] for Noise protocol. This implementation started
    just 3 weeks ago (with holidays in between) and is not mature yet.
    Anyway, we will reach out to the implementer (Moxie Marlinspike) to
    inform him about these attacks.


# *Feedback/Ideas*
We believe that we have explored all options in intra-handshake 
attestation within the scope of SEAT charter. We look forward to your 
thoughts and ideas on how we can mutually progress this work forward.

-Usama

[0] https://datatracker.ietf.org/doc/draft-jiang-seat-dynamic-attestation/

[1] 
https://ai.meta.com/static-resource/private-processing-technical-whitepaper

[2] 
https://github.com/trailofbits/publications/blob/master/reviews/2025-08-meta-whatsapp-privateprocessing-securityreview.pdf

[3] 
https://github.com/CCC-Attestation/meetings/blob/main/materials/MarkusRudy.contrast-atls-ccc-attestation.pdf

[4] https://docs.cocos.ultraviolet.rs/atls

[5] https://github.com/ccc-attestation/attested-tls-poc

[6] https://datatracker.ietf.org/doc/draft-ietf-lake-ra/

[7] https://confer.to/blog/2026/01/private-inference/

[8] 
https://github.com/ConferLabs/confer-proxy/blob/0f69f522f7597c6587741055e86ae802c10891ab/src/main/java/org/moxie/confer/proxy/attestation/AttestationService.java#L145

v2.39.1 | Report a Bug | By Email | System Status