[Rats] Follow-up of draft-sardar-rats-sec-cons: Relay Attacks in Intra-handshake Attestation for Confidential Agentic AI Systems

Muhammad Usama Sardar <muhammad_usama.sardar@tu-dresden.de> Sun, 11 January 2026 12:57 UTC

Return-Path: <muhammad_usama.sardar@tu-dresden.de>
X-Original-To: rats@mail2.ietf.org
Delivered-To: rats@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 42F32A60F1DF for <rats@mail2.ietf.org>; Sun, 11 Jan 2026 04:57:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -4.397
X-Spam-Level:
X-Spam-Status: No, score=-4.397 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=tu-dresden.de
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TZQWNYgFG8Pb for <rats@mail2.ietf.org>; Sun, 11 Jan 2026 04:57:44 -0800 (PST)
Received: from mailout4.zih.tu-dresden.de (mailout4.zih.tu-dresden.de [141.30.67.75]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id BCC3DA60F1C2 for <rats@ietf.org>; Sun, 11 Jan 2026 04:57:44 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=tu-dresden.de; s=dkim2022; h=Content-Type:To:Subject:From:MIME-Version:Date :Message-ID:Sender:Reply-To:Cc:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=pnuF/eYrNMEoTl0pLNDp47qP3xyxvrPQ7DsHVZQSgnI=; b=vNmjWNDowFqcKyzqUebs6ycMn1 ZwtE3luHtuq5EwWIsBfJhs2asTQIDqnB9yrxA/ZV8kSJMGpKuvzArxfQmdrMB1Ml6KnY/nRJHZh6b D4/X5Wxr/ClcCi8eOhDBprgcWty3hreiCAp0+z49HhFRFwR4d7tM6U0JBJaAROVuwrNROZxjX0PCw FSz1ysha8ZZnyaHp4iWGZlp/NceXdPdpqEodx1XZqbTaXLkfZ0WfiByf5KZfPsu58YzevOOd5IMI2 Gxq5P1JCsSD0uxHDb8KMRpfkdZ45xgNuLtt6SnGpvA/kBrtpxChHrXgcztIuTzQRCJuMPm7USzccu d8grp0YA==;
Received: from msx-t422.msx.ad.zih.tu-dresden.de ([172.26.35.139] helo=msx.tu-dresden.de) by mailout4.zih.tu-dresden.de with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <muhammad_usama.sardar@tu-dresden.de>) id 1vev0o-0062gH-TM for rats@ietf.org; Sun, 11 Jan 2026 13:57:43 +0100
Received: from [10.12.5.228] (141.76.13.165) by msx-t422.msx.ad.zih.tu-dresden.de (172.26.35.139) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.2562.35; Sun, 11 Jan 2026 13:57:33 +0100
Message-ID: <6383c22e-69bd-421b-8527-d4946a423bbc@tu-dresden.de>
Date: Sun, 11 Jan 2026 13:57:32 +0100
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Content-Language: en-US
From: Muhammad Usama Sardar <muhammad_usama.sardar@tu-dresden.de>
To: "rats@ietf.org" <rats@ietf.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-512"; boundary="------------ms020800000406040002040600"
X-ClientProxiedBy: MSX-T415.msx.ad.zih.tu-dresden.de (172.26.35.135) To msx-t422.msx.ad.zih.tu-dresden.de (172.26.35.139)
X-TUD-Virus-Scanned: mailout4.zih.tu-dresden.de
Message-ID-Hash: EK7CHD7C3BJUWR5YS6ZT433YG6O4EEDF
X-Message-ID-Hash: EK7CHD7C3BJUWR5YS6ZT433YG6O4EEDF
X-MailFrom: muhammad_usama.sardar@tu-dresden.de
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-rats.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [Rats] Follow-up of draft-sardar-rats-sec-cons: Relay Attacks in Intra-handshake Attestation for Confidential Agentic AI Systems
List-Id: Remote ATtestation procedureS <rats.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/6gbqx0XY8WYrH3Mx4vO8n2-uKgY>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Owner: <mailto:rats-owner@ietf.org>
List-Post: <mailto:rats@ietf.org>
List-Subscribe: <mailto:rats-join@ietf.org>
List-Unsubscribe: <mailto:rats-leave@ietf.org>

Hi all,

# *Context*

Thank you for insightful discussion on my draft 
draft-sardar-rats-sec-cons at meeting 124, where I presented relay 
attacks as part of my presentation [0a].

Now, we (i.e., I, Dr. Viacheslav Dubeyko [IBM], and Prof. Jean-Marie 
Jacquet [University of Namur]) have results for a formalization of this 
concept for confidential agentic AI systems use case [1]. We extensively 
explored binding mechanisms in intra-handshake attestation and did 
formal analysis in state-of-the-art tool ProVerif. We would like to 
share a summary of our findings from our formal analysis to get some 
feedback and share some questions which folks may have something to add.

# *Key Finding*

/All/ analyzed binding mechanisms and implementations are ad-hoc and 
/all/ of them result in relay attacks.

Please note that this includes Meta's AI [0b] for which a thorough 
security assessment [2] was carried out by /Trail of Bits/ and they were 
unable to capture the relay attacks but as kindly clarified by Tjaden 
Hess, no formal methods were used in their review process. Our analysis 
shows the value of formal methods in the review process.

# *Fundamental Issue*

Basically, there is no binding of Evidence to the TLS connection in all 
of these implementations.

# *TEE-agnostic System Model*

  * Layered Attester (e.g., Intel TDX)
  * Composite Attester (e.g., Arm CCA)

# *Scope of Attested TLS*

  * Intra-handshake attestation

# *Formalization Approach*

  * Symbolic security analysis

# *Formalization Tool*

  * ProVerif


# *Binding Mechanisms*

*A*. We considered the following values for user-defined field "rdata" 
in TEEs

 1. Client's TLS nonce
 2. Client's Attestation nonce
 3. Early exporter
 4. (Hash of) Server's public key

/Question for WG/: Is someone aware of any other value that folks use in 
"rdata"? If possible, please share a link to specification and/or 
implementation.

*B*. Combinations:
We considered the following combinations of binding mechanisms from *A*:

 1. Hash (Client's TLS nonce || Server's public key)
 2. Hash (Client's Attestation nonce || Server's public key)

/Question//for WG/: Is someone aware of any other combination that folks 
use in "rdata"? If possible, please share a link to specification and/or 
implementation.


# *Prominent Industrial Implementations*

 1. Edgeless Systems Contrast [3]: uses binding mechanism *B2*
 2. Cocos AI [4]
 3. CCC proof-of-concept [5]: Implementation of
    draft-fossati-tls-attestation
 4. Meta’s AI [0b]: uses binding mechanism *A1*

/Question//for WG/: Is someone aware of any other intra-handshake 
attestation implementation? If possible, please share a link to 
specification and/or implementation.


# *Binding Levels*

 1. Shared DH secret (g^xy)
 2. Client's handshake traffic key (htsc)
 3. Client's application traffic key (atsc)


# *Correlation Properties*

  * G1: Correlation of Evidence to Shared DH Secret
  * G2: Correlation of Evidence to Client’s Handshake Traffic Key
  * G3: Correlation of Evidence to Client’s Application Traffic Key


# *Results*

We proved the proposition: G3 => G2 => G1

We discovered relay attacks in all above proposals for binding 
mechanisms as well as all implementations analyzed. We provide a formal 
proof of insecurity that all above binding mechanisms and 
implementations fail to even achieve G1 property (Level 1 binding).

Any binding that involves server's public key needs additional 
assumption that server's public key does not leak.

In general, all solutions fail when server's public key is leaked. In 
other words, extension of TLS with attestation in these implementations 
is not really bringing much benefit from a security perspective and 
rather giving a false sense of security.

We believe that it is not possible to achieve level 3 binding for 
intra-handshake attestation alone without breaking other TLS properties.


# *Implementation Issues*

  * Meta's AI uses client's TLS nonce (instead of attestation nonce),
    and hence does not provide Evidence freshness.
  * Cocos AI abuses the SNI extension to convey attestation nonce.
  * Edgeless Systems Contrast was abusing the SNI extension to convey
    attestation nonce, and currently abusing the ALPN extension to
    convey attestation nonce.


# *Proposed Mitigation*

  * We propose a cryptographic binder and modify CertificateVerify
    message, which achieves level 2 binding.


# *Paper and Artifacts*
A paper draft has been prepared and artifacts are well-documented. If 
you are interested in reviewing one/both of them and can provide some 
feedback until 19th Jan, please reach out to me off-list. If someone can 
substantially improve the paper and/or artifacts, we are very welcoming 
to add you as co-author. We will make the paper and artifacts public 
later on.


# *Contributors*
We thank Juho Forsén, Mariam Moustafa, Markus Rudy, Tjaden Hess, Yuning 
Jiang, and Pavel Nikonorov for sharing their insights and providing 
valuable feedback.


# *Other known related implementations*

  * Attested EDHOC: Our intuition (no formal proof yet) is that the
    attacks should apply to attested EDHOC protocol in intra-handshake
    attestation [6] as well -- at least for the case of Responder as
    Attester. We have informed LAKE WG [9] about these attacks.
  * Attested Noise: Confer's private inference [7] uses binding
    mechanism *A**4* [8] for Noise protocol. This implementation started
    just 3 weeks ago (with holidays in between) and is not mature yet.
    Anyway, we have informed the implementer (Moxie Marlinspike) about
    these attacks.


# *Feedback/Ideas*
We look forward to your thoughts and ideas on how we can mutually 
progress this work forward towards secure solutions.

-Usama

[0a] 
https://datatracker.ietf.org/meeting/124/materials/slides-124-rats-sessb-guideline-for-security-consideration-of-rats-00#page=6

[0b] 
https://ai.meta.com/static-resource/private-processing-technical-whitepaper

[1] https://datatracker.ietf.org/doc/draft-jiang-seat-dynamic-attestation/

[2] 
https://github.com/trailofbits/publications/blob/master/reviews/2025-08-meta-whatsapp-privateprocessing-securityreview.pdf

[3] 
https://github.com/CCC-Attestation/meetings/blob/main/materials/MarkusRudy.contrast-atls-ccc-attestation.pdf

[4] https://docs.cocos.ultraviolet.rs/atls

[5] https://github.com/ccc-attestation/attested-tls-poc

[6] https://datatracker.ietf.org/doc/draft-ietf-lake-ra/

[7] https://confer.to/blog/2026/01/private-inference/

[8] 
https://github.com/ConferLabs/confer-proxy/blob/0f69f522f7597c6587741055e86ae802c10891ab/src/main/java/org/moxie/confer/proxy/attestation/AttestationService.java#L145

[9] https://mailarchive.ietf.org/arch/msg/lake/Tovtl7wgvzwJWT2I2ZwnhoIOnYQ/