[Rats] Follow-up of draft-sardar-rats-sec-cons: Relay Attacks in Intra-handshake Attestation for Confidential Agentic AI Systems
Muhammad Usama Sardar <muhammad_usama.sardar@tu-dresden.de> Sun, 11 January 2026 12:57 UTC
Return-Path: <muhammad_usama.sardar@tu-dresden.de>
X-Original-To: rats@mail2.ietf.org
Delivered-To: rats@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 42F32A60F1DF for <rats@mail2.ietf.org>; Sun, 11 Jan 2026 04:57:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -4.397
X-Spam-Level:
X-Spam-Status: No, score=-4.397 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=tu-dresden.de
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TZQWNYgFG8Pb for <rats@mail2.ietf.org>; Sun, 11 Jan 2026 04:57:44 -0800 (PST)
Received: from mailout4.zih.tu-dresden.de (mailout4.zih.tu-dresden.de [141.30.67.75]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id BCC3DA60F1C2 for <rats@ietf.org>; Sun, 11 Jan 2026 04:57:44 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=tu-dresden.de; s=dkim2022; h=Content-Type:To:Subject:From:MIME-Version:Date :Message-ID:Sender:Reply-To:Cc:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=pnuF/eYrNMEoTl0pLNDp47qP3xyxvrPQ7DsHVZQSgnI=; b=vNmjWNDowFqcKyzqUebs6ycMn1 ZwtE3luHtuq5EwWIsBfJhs2asTQIDqnB9yrxA/ZV8kSJMGpKuvzArxfQmdrMB1Ml6KnY/nRJHZh6b D4/X5Wxr/ClcCi8eOhDBprgcWty3hreiCAp0+z49HhFRFwR4d7tM6U0JBJaAROVuwrNROZxjX0PCw FSz1ysha8ZZnyaHp4iWGZlp/NceXdPdpqEodx1XZqbTaXLkfZ0WfiByf5KZfPsu58YzevOOd5IMI2 Gxq5P1JCsSD0uxHDb8KMRpfkdZ45xgNuLtt6SnGpvA/kBrtpxChHrXgcztIuTzQRCJuMPm7USzccu d8grp0YA==;
Received: from msx-t422.msx.ad.zih.tu-dresden.de ([172.26.35.139] helo=msx.tu-dresden.de) by mailout4.zih.tu-dresden.de with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <muhammad_usama.sardar@tu-dresden.de>) id 1vev0o-0062gH-TM for rats@ietf.org; Sun, 11 Jan 2026 13:57:43 +0100
Received: from [10.12.5.228] (141.76.13.165) by msx-t422.msx.ad.zih.tu-dresden.de (172.26.35.139) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.2562.35; Sun, 11 Jan 2026 13:57:33 +0100
Message-ID: <6383c22e-69bd-421b-8527-d4946a423bbc@tu-dresden.de>
Date: Sun, 11 Jan 2026 13:57:32 +0100
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Content-Language: en-US
From: Muhammad Usama Sardar <muhammad_usama.sardar@tu-dresden.de>
To: "rats@ietf.org" <rats@ietf.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-512"; boundary="------------ms020800000406040002040600"
X-ClientProxiedBy: MSX-T415.msx.ad.zih.tu-dresden.de (172.26.35.135) To msx-t422.msx.ad.zih.tu-dresden.de (172.26.35.139)
X-TUD-Virus-Scanned: mailout4.zih.tu-dresden.de
Message-ID-Hash: EK7CHD7C3BJUWR5YS6ZT433YG6O4EEDF
X-Message-ID-Hash: EK7CHD7C3BJUWR5YS6ZT433YG6O4EEDF
X-MailFrom: muhammad_usama.sardar@tu-dresden.de
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-rats.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [Rats] Follow-up of draft-sardar-rats-sec-cons: Relay Attacks in Intra-handshake Attestation for Confidential Agentic AI Systems
List-Id: Remote ATtestation procedureS <rats.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/6gbqx0XY8WYrH3Mx4vO8n2-uKgY>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Owner: <mailto:rats-owner@ietf.org>
List-Post: <mailto:rats@ietf.org>
List-Subscribe: <mailto:rats-join@ietf.org>
List-Unsubscribe: <mailto:rats-leave@ietf.org>
Hi all,
# *Context*
Thank you for insightful discussion on my draft
draft-sardar-rats-sec-cons at meeting 124, where I presented relay
attacks as part of my presentation [0a].
Now, we (i.e., I, Dr. Viacheslav Dubeyko [IBM], and Prof. Jean-Marie
Jacquet [University of Namur]) have results for a formalization of this
concept for confidential agentic AI systems use case [1]. We extensively
explored binding mechanisms in intra-handshake attestation and did
formal analysis in state-of-the-art tool ProVerif. We would like to
share a summary of our findings from our formal analysis to get some
feedback and share some questions which folks may have something to add.
# *Key Finding*
/All/ analyzed binding mechanisms and implementations are ad-hoc and
/all/ of them result in relay attacks.
Please note that this includes Meta's AI [0b] for which a thorough
security assessment [2] was carried out by /Trail of Bits/ and they were
unable to capture the relay attacks but as kindly clarified by Tjaden
Hess, no formal methods were used in their review process. Our analysis
shows the value of formal methods in the review process.
# *Fundamental Issue*
Basically, there is no binding of Evidence to the TLS connection in all
of these implementations.
# *TEE-agnostic System Model*
* Layered Attester (e.g., Intel TDX)
* Composite Attester (e.g., Arm CCA)
# *Scope of Attested TLS*
* Intra-handshake attestation
# *Formalization Approach*
* Symbolic security analysis
# *Formalization Tool*
* ProVerif
# *Binding Mechanisms*
*A*. We considered the following values for user-defined field "rdata"
in TEEs
1. Client's TLS nonce
2. Client's Attestation nonce
3. Early exporter
4. (Hash of) Server's public key
/Question for WG/: Is someone aware of any other value that folks use in
"rdata"? If possible, please share a link to specification and/or
implementation.
*B*. Combinations:
We considered the following combinations of binding mechanisms from *A*:
1. Hash (Client's TLS nonce || Server's public key)
2. Hash (Client's Attestation nonce || Server's public key)
/Question//for WG/: Is someone aware of any other combination that folks
use in "rdata"? If possible, please share a link to specification and/or
implementation.
# *Prominent Industrial Implementations*
1. Edgeless Systems Contrast [3]: uses binding mechanism *B2*
2. Cocos AI [4]
3. CCC proof-of-concept [5]: Implementation of
draft-fossati-tls-attestation
4. Meta’s AI [0b]: uses binding mechanism *A1*
/Question//for WG/: Is someone aware of any other intra-handshake
attestation implementation? If possible, please share a link to
specification and/or implementation.
# *Binding Levels*
1. Shared DH secret (g^xy)
2. Client's handshake traffic key (htsc)
3. Client's application traffic key (atsc)
# *Correlation Properties*
* G1: Correlation of Evidence to Shared DH Secret
* G2: Correlation of Evidence to Client’s Handshake Traffic Key
* G3: Correlation of Evidence to Client’s Application Traffic Key
# *Results*
We proved the proposition: G3 => G2 => G1
We discovered relay attacks in all above proposals for binding
mechanisms as well as all implementations analyzed. We provide a formal
proof of insecurity that all above binding mechanisms and
implementations fail to even achieve G1 property (Level 1 binding).
Any binding that involves server's public key needs additional
assumption that server's public key does not leak.
In general, all solutions fail when server's public key is leaked. In
other words, extension of TLS with attestation in these implementations
is not really bringing much benefit from a security perspective and
rather giving a false sense of security.
We believe that it is not possible to achieve level 3 binding for
intra-handshake attestation alone without breaking other TLS properties.
# *Implementation Issues*
* Meta's AI uses client's TLS nonce (instead of attestation nonce),
and hence does not provide Evidence freshness.
* Cocos AI abuses the SNI extension to convey attestation nonce.
* Edgeless Systems Contrast was abusing the SNI extension to convey
attestation nonce, and currently abusing the ALPN extension to
convey attestation nonce.
# *Proposed Mitigation*
* We propose a cryptographic binder and modify CertificateVerify
message, which achieves level 2 binding.
# *Paper and Artifacts*
A paper draft has been prepared and artifacts are well-documented. If
you are interested in reviewing one/both of them and can provide some
feedback until 19th Jan, please reach out to me off-list. If someone can
substantially improve the paper and/or artifacts, we are very welcoming
to add you as co-author. We will make the paper and artifacts public
later on.
# *Contributors*
We thank Juho Forsén, Mariam Moustafa, Markus Rudy, Tjaden Hess, Yuning
Jiang, and Pavel Nikonorov for sharing their insights and providing
valuable feedback.
# *Other known related implementations*
* Attested EDHOC: Our intuition (no formal proof yet) is that the
attacks should apply to attested EDHOC protocol in intra-handshake
attestation [6] as well -- at least for the case of Responder as
Attester. We have informed LAKE WG [9] about these attacks.
* Attested Noise: Confer's private inference [7] uses binding
mechanism *A**4* [8] for Noise protocol. This implementation started
just 3 weeks ago (with holidays in between) and is not mature yet.
Anyway, we have informed the implementer (Moxie Marlinspike) about
these attacks.
# *Feedback/Ideas*
We look forward to your thoughts and ideas on how we can mutually
progress this work forward towards secure solutions.
-Usama
[0a]
https://datatracker.ietf.org/meeting/124/materials/slides-124-rats-sessb-guideline-for-security-consideration-of-rats-00#page=6
[0b]
https://ai.meta.com/static-resource/private-processing-technical-whitepaper
[1] https://datatracker.ietf.org/doc/draft-jiang-seat-dynamic-attestation/
[2]
https://github.com/trailofbits/publications/blob/master/reviews/2025-08-meta-whatsapp-privateprocessing-securityreview.pdf
[3]
https://github.com/CCC-Attestation/meetings/blob/main/materials/MarkusRudy.contrast-atls-ccc-attestation.pdf
[4] https://docs.cocos.ultraviolet.rs/atls
[5] https://github.com/ccc-attestation/attested-tls-poc
[6] https://datatracker.ietf.org/doc/draft-ietf-lake-ra/
[7] https://confer.to/blog/2026/01/private-inference/
[8]
https://github.com/ConferLabs/confer-proxy/blob/0f69f522f7597c6587741055e86ae802c10891ab/src/main/java/org/moxie/confer/proxy/attestation/AttestationService.java#L145
[9] https://mailarchive.ietf.org/arch/msg/lake/Tovtl7wgvzwJWT2I2ZwnhoIOnYQ/
- [Rats] Follow-up of draft-sardar-rats-sec-cons: R… Muhammad Usama Sardar
- [Rats] Re: Follow-up of draft-sardar-rats-sec-con… Muhammad Usama Sardar
- [Rats] Re: Follow-up of draft-sardar-rats-sec-con… Muhammad Usama Sardar