IETF Logo Mail Archive

[Lake] Re: Fwd: [Ufmrg] Relay Attacks in Intra-handshake Attestation for Confidential Agentic AI Systems

Paul Wouters <paul.wouters@aiven.io> Tue, 13 January 2026 15:55 UTC

Return-Path: <paul.wouters@aiven.io>
X-Original-To: lake@mail2.ietf.org
Delivered-To: lake@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 2D562A71584F for <lake@mail2.ietf.org>; Tue, 13 Jan 2026 07:55:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (1024-bit key) header.d=aiven.io
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QVBKOSUTywtk for <lake@mail2.ietf.org>; Tue, 13 Jan 2026 07:55:56 -0800 (PST)
Received: from mail-ed1-x532.google.com (mail-ed1-x532.google.com [IPv6:2a00:1450:4864:20::532]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 2E0C4A715842 for <lake@ietf.org>; Tue, 13 Jan 2026 07:55:56 -0800 (PST)
Received: by mail-ed1-x532.google.com with SMTP id 4fb4d7f45d1cf-64d02c01865so623957a12.1 for <lake@ietf.org>; Tue, 13 Jan 2026 07:55:56 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aiven.io; s=google; t=1768319755; x=1768924555; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=NNmQeyALKvh/LrJnG6ls8JICSzsqQxvhO+D3Tt07fpo=; b=KNo1YrJYps4S8tXQQJ6+xAImRc6FiwxUUm4rKLxodl5odGKcIQm4InNfCNdj1maCOx wrgawB4sq+5nM+4idwhcU4xoRlN65kBRSZcAUtjh1UL23WjPoca4ioItBS8uC1N1iNm3 eWZ3X2gDKyTC4QdatKT8kImoQKlUL4Hut2l2E=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1768319755; x=1768924555; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=NNmQeyALKvh/LrJnG6ls8JICSzsqQxvhO+D3Tt07fpo=; b=G7aM9SrxLMTd1DPhHYz/5DdqCrlAhomNSopgNnAtFnmAl2A5+/03yfHrvQAwsB2xd5 /3QybC0OGBfy0zWHGp2uaCYjNQ7PWIXeuhu1Lz5bQ5WagIl7nOaz/5pVOkHetJ/uYWHR 0UJePl9kee+Hu5a58nWwHEc/9rnsbJBI6KQVKoGd/ne+YS/NAMUB7sIGGo2iehy/blUd OAbiBN1i22kesLzRV9+8PbMThq474glRlDulB09jXomosPo2a2WMVgY/71L/rWkoWQPO 99VIZjtktPLhf6S826ZZHGGcAvXemG8DSciUsQp8Jfi2Rjz4MsmANDAjrgY2cMvM68rZ JCMQ==
X-Forwarded-Encrypted: i=1; AJvYcCWvEecJ5V1I8eXE+X17RC8jTKWQDI4HNtfYpYnZnn+yYm09cDolzWMslXHsmhDdCA2tOY09@ietf.org
X-Gm-Message-State: AOJu0YzOlZUcJEYL04N3BCVV3UqdnxwD2szWJBRS3MD39IpKGorGNX4y hYzmgF4h1Me2xcghRt29I1/3RSBNN66gQc+SzDM87RMxFsofyhGSsiUciaEAZ6mHiz7jlZu/HRP /cAF0HI067MJ4RHZi9JoZTx76ocurserUzKcdhQNN29e8DwwqsMWYemg=
X-Gm-Gg: AY/fxX56fFjwTa0kIalef2s7rNEO7Mv4St1ONLbnin/vY16/2pZXCcLDHbo3TYo9EJk LqKxaaTkNCT17WPw5DDhdm3nk9I1c/tKkD8O38KRjslxnCdgrp+GgkX41qXJabBj1uRfPR7f14e GWv9ioTCv4fLp7HYSFzD9ldveRV6UNjNFuLetTYZtPGyga1YWTth0LsLulC1fY9TZ1e4znHRVKs Rg0laL71aMa9GGuORZvb5/Qv+/N5yRB9xqo7z3p7Vyxe1dy3kDBRmKdqtBuoUCgFdU7jw==
X-Google-Smtp-Source: AGHT+IHYhsdszVcdpPfRq4t5DKBaHyq9sIdFH8mFES/dCPv5Z0ADvDzqhlYmkO56YnyN9QYqj7bg1x1c+j9QhFzHiRc=
X-Received: by 2002:a17:907:3c86:b0:b7c:fe7c:e383 with SMTP id a640c23a62f3a-b8444f2399cmr2252624266b.22.1768319754972; Tue, 13 Jan 2026 07:55:54 -0800 (PST)
MIME-Version: 1.0
References: <5521ffe4-4f9f-4470-93a2-644841713996@tu-dresden.de> <f40756f9-a7d3-4d3e-a744-1e273d96c496@tu-dresden.de> <751199456.37323066.1768229407858.JavaMail.zimbra@inria.fr>
In-Reply-To: <751199456.37323066.1768229407858.JavaMail.zimbra@inria.fr>
From: Paul Wouters <paul.wouters@aiven.io>
Date: Tue, 13 Jan 2026 10:55:42 -0500
X-Gm-Features: AZwV_QiNSYIP9cjoqasmCT5yDTCMCQmgC53TNl5DeYL9NoiuBH7yuUlhIhTmla8
Message-ID: <CAGL5yWZmT0zMztC1BbCq6zLZQveEF6pVH_xKR_QZnRoz5qoiGA@mail.gmail.com>
To: Yuxuan Song <yuxuan.song@inria.fr>
Content-Type: multipart/alternative; boundary="000000000000d841220648470615"
Message-ID-Hash: 7UPMZQALZEPRCZ7Y2FHKMOGV2LA2OCUP
X-Message-ID-Hash: 7UPMZQALZEPRCZ7Y2FHKMOGV2LA2OCUP
X-MailFrom: paul.wouters@aiven.io
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Muhammad Usama Sardar <muhammad_usama.sardar@tu-dresden.de>, lake <lake@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [Lake] Re: Fwd: [Ufmrg] Relay Attacks in Intra-handshake Attestation for Confidential Agentic AI Systems
List-Id: Lightweight Authenticated Key Exchange <lake.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/lake/iiEAmhLybS5ZH7vUy6sSXHFnfrw>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lake>
List-Help: <mailto:lake-request@ietf.org?subject=help>
List-Owner: <mailto:lake-owner@ietf.org>
List-Post: <mailto:lake@ietf.org>
List-Subscribe: <mailto:lake-join@ietf.org>
List-Unsubscribe: <mailto:lake-leave@ietf.org>

That's a lot of words that doesn't really make clear to me why a two PKI
based system with an interlink using an extra SAN entry on the certificate
would not work? Can you tell me in plain English why that would not work?

Paul

On Mon, Jan 12, 2026 at 9:50 AM Yuxuan Song <yuxuan.song@inria.fr> wrote:

> Hi Usama,
>
> Thanks for the information. We are currently working on it, we'll share
> our latest results in the next IETF meeting.
>
> BR,
> Yuxuan.
> ------------------------------
>
> *De: *"Muhammad Usama Sardar" <muhammad_usama.sardar@tu-dresden.de>
> *À: *"lake" <lake@ietf.org>
> *Envoyé: *Dimanche 11 Janvier 2026 02:58:26
> *Objet: *[Lake] Fwd: [Ufmrg] Relay Attacks in Intra-handshake Attestation
> for Confidential Agentic AI Systems
>
> Hi lakers,
>
> Sending this separately to keep the two discussions separate.
>
> We discovered relay attacks in intra-handshake attestation implementations
> of attested TLS. Our intuition (no formal proof yet) is that the attacks
> should apply to attested EDHOC protocol in intra-handshake attestation [6]
> as well -- at least for the case of Responder as Attester.
>
> Welcome any questions/thoughts/opinions.
>
> -Usama
>
> PS: For any follow-up, please keep me explicitly in To/CC.
>
>
> -------- Forwarded Message --------
> Subject: [Ufmrg] Relay Attacks in Intra-handshake Attestation for
> Confidential Agentic AI Systems
> Date: Sun, 11 Jan 2026 02:17:42 +0100
> From: Muhammad Usama Sardar <muhammad_usama.sardar@tu-dresden.de>
> <muhammad_usama.sardar@tu-dresden.de>
> To: seat@ietf.org <seat@ietf.org> <seat@ietf.org>, UFMRG IRTF
> <ufmrg@irtf.org> <ufmrg@irtf.org>
>
> Hi SEAT and UFMRG,
>
> # *Context*
>
> We (i.e., I, Dr. Viacheslav Dubeyko [IBM], and Prof. Jean-Marie Jacquet
> [University of Namur]) did an extensive exploration of binding mechanisms
> in intra-handshake attestation for confidential agentic AI systems, that
> was presented on mic at SEAT meeting 124 and later submitted as a draft [0]
> with focus on AI agent. In line with the scope of SEAT charter, we also did
> formal analysis in state-of-the-art tool ProVerif and we would like to
> share a summary of our findings from our formal analysis with the hope that
> the analysis provides important data points to WG for making informed
> decisions.
>
> # *Key Finding*
>
> *All* analyzed binding mechanisms and implementations are ad-hoc and *all*
> of them result in relay attacks.
>
> Please note that this includes Meta's AI [1] for which a thorough security
> assessment [2] was carried out by *Trail of Bits* and they were unable to
> capture the relay attacks but as kindly clarified by Tjaden Hess, no formal
> methods were used in their review process. Our analysis shows the value of
> formal methods in the review process.
>
> # *Fundamental Issue*
> Basically, there is no binding of Evidence to the TLS connection in all of
> these implementations.
>
> # *TEE-agnostic System Model*
>
>    - Layered Attester (e.g., Intel TDX)
>    - Composite Attester (e.g., Arm CCA)
>
> # *Scope of Attested TLS*
>
>    - Intra-handshake attestation
>
> # *Formalization Approach*
>
>    - Symbolic security analysis
>
> # *Formalization Tool*
>
>    - ProVerif
>
>
> # *Binding Mechanisms*
>
> *A*. We considered the following values for user-defined field "rdata" in
> TEEs
>
>    1. Client's TLS nonce
>    2. Client's Attestation nonce
>    3. Early exporter
>    4. (Hash of) Server's public key
>
> *Question for WG/RG*: Is someone aware of any other value that folks use
> in "rdata"? If possible, please share a link to specification and/or
> implementation together.
> *B*. Combinations:
> We considered the following combinations of binding mechanisms from *A*:
>
>    1. Hash (Client's TLS nonce || Server's public key)
>    2. Hash (Client's Attestation nonce || Server's public key)
>
> *Question** for WG/RG*: Is someone aware of any other combination that
> folks use in "rdata"? If possible, please share a link to specification
> and/or implementation together.
>
>
> # *Prominent Industrial Implementations*
>
>    1. Edgeless Systems Contrast [3]: uses binding mechanism *B*.2
>    2. Cocos AI [4]
>    3. CCC proof-of-concept [5]: Implementation of
>    draft-fossati-tls-attestation
>    4. Meta’s AI [1]: uses binding mechanism *A*.1
>
> *Question** for WG/RG*: Is someone aware of any other intra-handshake
> attestation implementation? If possible, please share a link to
> specification and/or implementation together.
>
>
> # *Binding Levels*
>
>    1. Shared DH secret (g^xy)
>    2. Client's handshake traffic key (htsc)
>    3. Client's application traffic key (atsc)
>
>
> # *Correlation Properties*
>
>    - G1: Correlation of Evidence to Shared DH Secret
>    - G2: Correlation of Evidence to Client’s Handshake Traffic Key
>    - G3: Correlation of Evidence to Client’s Application Traffic Key
>
>
> # *Results*
>
> We proved the proposition: G3 => G2 => G1
>
> We discovered relay attacks in all above proposals for binding mechanisms
> as well as all implementations analyzed. We provide a formal proof of
> insecurity that all above binding mechanisms and implementations fail to
> even achieve G1 property (Level 1 binding).
>
> Any binding that involves server's public key needs additional assumption
> that server's public key does not leak.
>
> In general, all solutions fail when server's public key is leaked. In
> other words, extension of TLS with attestation in these implementations is
> not really bringing much benefit from a security perspective and rather
> giving a false sense of security.
>
> We believe that it is not possible to achieve level 3 binding for
> intra-handshake attestation within the scope of SEAT charter.
>
>
> # *Implementation Issues*
>
>    - Meta's AI uses client's TLS nonce (instead of attestation nonce),
>    and hence does not provide Evidence freshness.
>    - Cocos AI abuses the SNI extension to convey attestation nonce.
>    - Edgeless Systems Contrast was abusing the SNI extension to convey
>    attestation nonce, and currently abusing the ALPN extension to convey
>    attestation nonce.
>
>
> # *Proposed Mitigation*
>
>    - We propose a cryptographic binder and modify CertificateVerify
>    message, which achieves level 2 binding.
>
>
> # *Paper and Artifacts*
> A paper draft has been prepared and artifacts are well-documented. If you
> are interested in reviewing one/both of them and can provide some feedback
> until 19th Jan, please reach out to me off-list. If someone can
> substantially improve the paper and/or artifacts, we are very welcoming to
> adding you as co-author. We will make the paper and artifacts public later
> on.
>
>
> # *Contributors*
> We thank Juho Forsén, Mariam Moustafa, Markus Rudy, Tjaden Hess, Yuning
> Jiang, and Pavel Nikonorov for sharing their insights and providing
> valuable feedback.
>
>
> # *Other known related implementations*
>
>    - Attested EDHOC: Our intuition (no formal proof yet) is that the
>    attacks should apply to attested EDHOC protocol in intra-handshake
>    attestation [6] as well -- at least for the case of Responder as Attester.
>    We will reach out to LAKE WG to inform them about these attacks.
>    - Attested Noise: Confer's private inference [7] uses binding
>    mechanism *A*.4 [8] for Noise protocol. This implementation started
>    just 3 weeks ago (with holidays in between) and is not mature yet. Anyway,
>    we will reach out to the implementer (Moxie Marlinspike) to inform him
>    about these attacks.
>
>
> # *Feedback/Ideas*
> We believe that we have explored all options in intra-handshake
> attestation within the scope of SEAT charter. We look forward to your
> thoughts and ideas on how we can mutually progress this work forward.
>
> -Usama
>
> [0] https://datatracker.ietf.org/doc/draft-jiang-seat-dynamic-attestation/
>
> [1]
> https://ai.meta.com/static-resource/private-processing-technical-whitepaper
>
> [2]
> https://github.com/trailofbits/publications/blob/master/reviews/2025-08-meta-whatsapp-privateprocessing-securityreview.pdf
> [3]
> https://github.com/CCC-Attestation/meetings/blob/main/materials/MarkusRudy.contrast-atls-ccc-attestation.pdf
>
> [4] https://docs.cocos.ultraviolet.rs/atls
>
> [5] https://github.com/ccc-attestation/attested-tls-poc
>
> [6] https://datatracker.ietf.org/doc/draft-ietf-lake-ra/
>
> [7] https://confer.to/blog/2026/01/private-inference/
>
> [8]
> https://github.com/ConferLabs/confer-proxy/blob/0f69f522f7597c6587741055e86ae802c10891ab/src/main/java/org/moxie/confer/proxy/attestation/AttestationService.java#L145
>
> --
> Lake mailing list -- lake@ietf.org
> To unsubscribe send an email to lake-leave@ietf.org
>
> --
> Lake mailing list -- lake@ietf.org
> To unsubscribe send an email to lake-leave@ietf.org
>

v2.39.1 | Report a Bug | By Email | System Status