[Seat] Relay Attacks in Intra-handshake Attestation for Confidential Agentic AI Systems
Muhammad Usama Sardar <muhammad_usama.sardar@tu-dresden.de> Sun, 11 January 2026 01:17 UTC
Return-Path: <muhammad_usama.sardar@tu-dresden.de>
X-Original-To: seat@mail2.ietf.org
Delivered-To: seat@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 892B1A5F019D for <seat@mail2.ietf.org>; Sat, 10 Jan 2026 17:17:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -4.397
X-Spam-Level:
X-Spam-Status: No, score=-4.397 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=tu-dresden.de
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kWkvunWRYHYp for <seat@mail2.ietf.org>; Sat, 10 Jan 2026 17:17:47 -0800 (PST)
Received: from mailout3.zih.tu-dresden.de (mailout3.zih.tu-dresden.de [141.30.67.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id A6706A5F018E for <seat@ietf.org>; Sat, 10 Jan 2026 17:17:47 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=tu-dresden.de; s=dkim2022; h=Content-Type:To:Subject:From:MIME-Version:Date :Message-ID:Sender:Reply-To:Cc:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=MLSN3Jjf5WUmnNIfaTiiHdIyUlh/F+R6V4ZUeVULvpA=; b=v4UE1KzYrPEqXi+QeU8RuTFACZ mzTncuiJicPmUnZLP+l93Bh3PSmYLYMNb+D+ia/Ap3bYTH3I5Wft/5cZdPUAYUHALSa613Gm65zrD maOID3zj2qIQ/2PnF3Hu/ogtdcrC2jDiUgLb/96oF5+xVmSf/9nq3/CHl3HZCBkY48UvrEhVLLhFl YwWuwbhjq5qibYQGNDW6DqBSJw7dBoQ/uMBvrTxlkH7N+fy9Th/hi3DFiD4xUgR2B4WC6USF1irh3 a7WqeswRsE5g3XZk7FXFwI2K2aX95ta33jOZU4it+8LJ+BbFzOgCy3iOav4qRcj+nIrfpXk0jmOru 8MBHH+Aw==;
Received: from msx-t422.msx.ad.zih.tu-dresden.de ([172.26.35.139] helo=msx.tu-dresden.de) by mailout3.zih.tu-dresden.de with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <muhammad_usama.sardar@tu-dresden.de>) id 1vek5R-00D0uz-Ma; Sun, 11 Jan 2026 02:17:46 +0100
Received: from [10.12.5.228] (141.76.13.165) by msx-t422.msx.ad.zih.tu-dresden.de (172.26.35.139) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.2562.35; Sun, 11 Jan 2026 02:17:42 +0100
Message-ID: <5521ffe4-4f9f-4470-93a2-644841713996@tu-dresden.de>
Date: Sun, 11 Jan 2026 02:17:42 +0100
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Content-Language: en-US
From: Muhammad Usama Sardar <muhammad_usama.sardar@tu-dresden.de>
To: "seat@ietf.org" <seat@ietf.org>, UFMRG IRTF <ufmrg@irtf.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-512"; boundary="------------ms070101010601050705060008"
X-ClientProxiedBy: msx-t420.msx.ad.zih.tu-dresden.de (172.26.35.137) To msx-t422.msx.ad.zih.tu-dresden.de (172.26.35.139)
X-TUD-Virus-Scanned: mailout3.zih.tu-dresden.de
Message-ID-Hash: 4NAMA5O3QKAKHHF3U6WAWZUZHU2QL5BI
X-Message-ID-Hash: 4NAMA5O3QKAKHHF3U6WAWZUZHU2QL5BI
X-MailFrom: muhammad_usama.sardar@tu-dresden.de
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [Seat] Relay Attacks in Intra-handshake Attestation for Confidential Agentic AI Systems
List-Id: "Secure Evidence and Attestation Transport (SEAT) WG" <seat.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/seat/x3eQxFjQFJLceae6l4_NgXnmsDY>
List-Archive: <https://mailarchive.ietf.org/arch/browse/seat>
List-Help: <mailto:seat-request@ietf.org?subject=help>
List-Owner: <mailto:seat-owner@ietf.org>
List-Post: <mailto:seat@ietf.org>
List-Subscribe: <mailto:seat-join@ietf.org>
List-Unsubscribe: <mailto:seat-leave@ietf.org>
Hi SEAT and UFMRG,
# *Context*
We (i.e., I, Dr. Viacheslav Dubeyko [IBM], and Prof. Jean-Marie Jacquet
[University of Namur]) did an extensive exploration of binding
mechanisms in intra-handshake attestation for confidential agentic AI
systems, that was presented on mic at SEAT meeting 124 and later
submitted as a draft [0] with focus on AI agent. In line with the scope
of SEAT charter, we also did formal analysis in state-of-the-art tool
ProVerif and we would like to share a summary of our findings from our
formal analysis with the hope that the analysis provides important data
points to WG for making informed decisions.
# *Key Finding*
/All/ analyzed binding mechanisms and implementations are ad-hoc and
/all/ of them result in relay attacks.
Please note that this includes Meta's AI [1] for which a thorough
security assessment [2] was carried out by /Trail of Bits/ and they were
unable to capture the relay attacks but as kindly clarified by Tjaden
Hess, no formal methods were used in their review process. Our analysis
shows the value of formal methods in the review process.
# *Fundamental Issue*
Basically, there is no binding of Evidence to the TLS connection in all
of these implementations.
# *TEE-agnostic System Model*
* Layered Attester (e.g., Intel TDX)
* Composite Attester (e.g., Arm CCA)
# *Scope of Attested TLS*
* Intra-handshake attestation
# *Formalization Approach*
* Symbolic security analysis
# *Formalization Tool*
* ProVerif
# *Binding Mechanisms*
*A*. We considered the following values for user-defined field "rdata"
in TEEs
1. Client's TLS nonce
2. Client's Attestation nonce
3. Early exporter
4. (Hash of) Server's public key
/Question for WG/RG/: Is someone aware of any other value that folks use
in "rdata"? If possible, please share a link to specification and/or
implementation together.
*B*. Combinations:
We considered the following combinations of binding mechanisms from *A*:
1. Hash (Client's TLS nonce || Server's public key)
2. Hash (Client's Attestation nonce || Server's public key)
/Question//for WG/RG/: Is someone aware of any other combination that
folks use in "rdata"? If possible, please share a link to specification
and/or implementation together.
# *Prominent Industrial Implementations*
1. Edgeless Systems Contrast [3]: uses binding mechanism *B*.2
2. Cocos AI [4]
3. CCC proof-of-concept [5]: Implementation of
draft-fossati-tls-attestation
4. Meta’s AI [1]: uses binding mechanism *A*.1
/Question//for WG/RG/: Is someone aware of any other intra-handshake
attestation implementation? If possible, please share a link to
specification and/or implementation together.
# *Binding Levels*
1. Shared DH secret (g^xy)
2. Client's handshake traffic key (htsc)
3. Client's application traffic key (atsc)
# *Correlation Properties*
* G1: Correlation of Evidence to Shared DH Secret
* G2: Correlation of Evidence to Client’s Handshake Traffic Key
* G3: Correlation of Evidence to Client’s Application Traffic Key
# *Results*
We proved the proposition: G3 => G2 => G1
We discovered relay attacks in all above proposals for binding
mechanisms as well as all implementations analyzed. We provide a formal
proof of insecurity that all above binding mechanisms and
implementations fail to even achieve G1 property (Level 1 binding).
Any binding that involves server's public key needs additional
assumption that server's public key does not leak.
In general, all solutions fail when server's public key is leaked. In
other words, extension of TLS with attestation in these implementations
is not really bringing much benefit from a security perspective and
rather giving a false sense of security.
We believe that it is not possible to achieve level 3 binding for
intra-handshake attestation within the scope of SEAT charter.
# *Implementation Issues*
* Meta's AI uses client's TLS nonce (instead of attestation nonce),
and hence does not provide Evidence freshness.
* Cocos AI abuses the SNI extension to convey attestation nonce.
* Edgeless Systems Contrast was abusing the SNI extension to convey
attestation nonce, and currently abusing the ALPN extension to
convey attestation nonce.
# *Proposed Mitigation*
* We propose a cryptographic binder and modify CertificateVerify
message, which achieves level 2 binding.
# *Paper and Artifacts*
A paper draft has been prepared and artifacts are well-documented. If
you are interested in reviewing one/both of them and can provide some
feedback until 19th Jan, please reach out to me off-list. If someone can
substantially improve the paper and/or artifacts, we are very welcoming
to adding you as co-author. We will make the paper and artifacts public
later on.
# *Contributors*
We thank Juho Forsén, Mariam Moustafa, Markus Rudy, Tjaden Hess, Yuning
Jiang, and Pavel Nikonorov for sharing their insights and providing
valuable feedback.
# *Other known related implementations*
* Attested EDHOC: Our intuition (no formal proof yet) is that the
attacks should apply to attested EDHOC protocol in intra-handshake
attestation [6] as well -- at least for the case of Responder as
Attester. We will reach out to LAKE WG to inform them about these
attacks.
* Attested Noise: Confer's private inference [7] uses binding
mechanism *A*.4 [8] for Noise protocol. This implementation started
just 3 weeks ago (with holidays in between) and is not mature yet.
Anyway, we will reach out to the implementer (Moxie Marlinspike) to
inform him about these attacks.
# *Feedback/Ideas*
We believe that we have explored all options in intra-handshake
attestation within the scope of SEAT charter. We look forward to your
thoughts and ideas on how we can mutually progress this work forward.
-Usama
[0] https://datatracker.ietf.org/doc/draft-jiang-seat-dynamic-attestation/
[1]
https://ai.meta.com/static-resource/private-processing-technical-whitepaper
[2]
https://github.com/trailofbits/publications/blob/master/reviews/2025-08-meta-whatsapp-privateprocessing-securityreview.pdf
[3]
https://github.com/CCC-Attestation/meetings/blob/main/materials/MarkusRudy.contrast-atls-ccc-attestation.pdf
[4] https://docs.cocos.ultraviolet.rs/atls
[5] https://github.com/ccc-attestation/attested-tls-poc
[6] https://datatracker.ietf.org/doc/draft-ietf-lake-ra/
[7] https://confer.to/blog/2026/01/private-inference/
[8]
https://github.com/ConferLabs/confer-proxy/blob/0f69f522f7597c6587741055e86ae802c10891ab/src/main/java/org/moxie/confer/proxy/attestation/AttestationService.java#L145
- [Seat] Relay Attacks in Intra-handshake Attestati… Muhammad Usama Sardar