agent2agent M. U. Sardar Internet-Draft TU Dresden, Germany Intended status: Informational 6 July 2026 Expires: 7 January 2027 Intra-handshake.fail (CVE-2026-33697 of CVSS 7.5) draft-intra-handshake-fail-00 Abstract The draft aims to provide technical details of CVE-2026-33697, which is substantial technical evidence of how intra-handshake attestation fails in practice. About This Document This note is to be removed before publishing as an RFC. The latest revision of this draft can be found at https://muhammad- usama-sardar.github.io/intra-handshake-fail/draft-intra-handshake- fail.html. Status information for this document may be found at https://datatracker.ietf.org/doc/draft-intra-handshake-fail/. Source for this draft and an issue tracker can be found at https://github.com/muhammad-usama-sardar/intra-handshake-fail. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on 7 January 2027. Copyright Notice Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved. Sardar Expires 7 January 2027 [Page 1] Internet-Draft TODO - Abbreviation July 2026 This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1.1. Detailed vulnerability disclosure timeline . . . . . . . 3 1.1.1. Comparison with other vulnerabilities in confidential computing literature . . . . . . . . . . . . . . . . 3 1.2. Overview . . . . . . . . . . . . . . . . . . . . . . . . 4 1.3. Affected Implementations . . . . . . . . . . . . . . . . 5 1.4. Binding Levels . . . . . . . . . . . . . . . . . . . . . 5 1.5. Correlation Goals . . . . . . . . . . . . . . . . . . . . 5 1.6. Main results . . . . . . . . . . . . . . . . . . . . . . 5 1.6.1. Implications of Research for IETF SEAT WG . . . . . . 6 1.6.2. Implications of Research for IETF TLS WG . . . . . . 6 1.6.3. Implications of Research for Agent2Agent . . . . . . 7 2. Conventions and Definitions . . . . . . . . . . . . . . . . . 7 3. Technical Details . . . . . . . . . . . . . . . . . . . . . . 7 3.1. Tool . . . . . . . . . . . . . . . . . . . . . . . . . . 7 3.2. Modeling . . . . . . . . . . . . . . . . . . . . . . . . 7 3.3. Technical Report . . . . . . . . . . . . . . . . . . . . 7 3.4. Artifacts . . . . . . . . . . . . . . . . . . . . . . . . 7 4. Security Considerations . . . . . . . . . . . . . . . . . . . 8 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 8 6.1. Normative References . . . . . . . . . . . . . . . . . . 8 6.2. Informative References . . . . . . . . . . . . . . . . . 8 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 8 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 10 1. Introduction We _responsibly_ disclosed the vulnerability in intra-handshake attestation -- as noted in security advisory (https://github.com/ultravioletrs/cocos/security/advisories/GHSA- vfgg-mvxx-mgg7) issued -- to the vendors, which resulted in CVE ([CVE-2026-33697]) of CVSS 7.5. Sardar Expires 7 January 2027 [Page 2] Internet-Draft TODO - Abbreviation July 2026 1.1. Detailed vulnerability disclosure timeline * our initial responsible disclosure to vendor: 07 Oct, 2025 * acknowledgement by vendor: 14 Dec, 2025 * information to IETF (https://mailarchive.ietf.org/arch/msg/ rats/6gbqx0XY8WYrH3Mx4vO8n2-uKgY/): 11 Jan, 2026 * public announcement (https://web.archive.org/web/20260227160554/ https://www.ultraviolet.rs/blog/tee-tls-privacy/) by vendor: 27 Feb, 2026 * security advisory issued (https://github.com/ultravioletrs/cocos/security/advisories/GHSA- vfgg-mvxx-mgg7): 23 March, 2026 {*Severity = HIGH (CVSS 7.8)*} * CVE (CVE-2026-33697 (https://www.cve.org/CVERecord?id=CVE- 2026-33697)) published: 26 March, 2026 {*Severity = HIGH (CVSS 7.5)*} 1.1.1. Comparison with other vulnerabilities in confidential computing literature * wiretap.fail (https://wiretap.fail/files/wiretap.pdf): *No* CVE (Intel (https://www.intel.com/content/www/us/en/security- center/announcement/intel-security-announcement- 2025-10-28-001.html) and AMD (https://www.intel.com/content/www/us/en/security- center/announcement/intel-security-announcement- 2025-10-28-001.html) announcements) * TEE.fail (https://tee.fail/files/paper.pdf): *No* CVE * TDXdown (https://dl.acm.org/doi/10.1145/3658644.3690230): CVSS *2.5* by Intel (https://www.intel.com/content/www/us/en/security- center/announcement/intel-security-announcement- 2024-10-08-001.html) * Staleus (https://xca-attacks.github.io/staleus/ staleus_usenix26.pdf): CVE-2025-54509 (https://nvd.nist.gov/vuln/detail/CVE-2025-54509): CVSS *4.0* * BreakFAST (https://xca-attacks.github.io/breakfast/ breakfast_oakland26.pdf): CVE-2025-61972 (https://nvd.nist.gov/vuln/detail/CVE-2025-6197): CVSS *4.2* and CVE-2025-61971 (https://nvd.nist.gov/vuln/detail/CVE-2025-61971): CVSS *5.9* Sardar Expires 7 January 2027 [Page 3] Internet-Draft TODO - Abbreviation July 2026 * BadRAM (https://badram.eu/badram.pdf): CVSS *5.3* by AMD (https://www.amd.com/en/resources/product-security/bulletin/amd- sb-3015.html) * Fabricked (https://xca-attacks.github.io/fabricked/ fabricked_usenix26.pdf): CVE-2025-54510 (https://nvd.nist.gov/vuln/detail/cve-2025-54510): CVSS *5.9* The comparison of the above with CVSS *7.5* for [Intra-handshake.fail] indicates that attested TLS is not mature yet compared to the rest of the confidential computing stack, and is currently one of the weakest links in the ecosystem. Further formal analysis of *production* implementation of intra- handshake attestation has led to discovery of another class of attacks and will potentially lead to three CVEs (currently under _responsible_ disclosure) each with an expected *CVSS 9.1*. 1.2. Overview This draft presents the formal specification and analysis of the candidate binding mechanisms for binding in intra-handshake attestation for standardization for attested TLS protocols: 1. Client’s TLS nonce: used in Meta's AI (https://ai.meta.com/ static-resource/private-processing-technical-whitepaper) 2. Client’s attestation nonce 3. Early exporter 4. Server’s public key 5. Combination of #2 and #3 6. Combination of #2 and #4: used in: Edgeless Systems Contrast (https://github.com/CCC-Attestation/meetings/blob/main/materials/ MarkusRudy.contrast-atls-ccc-attestation.pdf), Cocos AI (https://www.ultraviolet.rs/products/cocos-ai/), and CCC Attestation SIG's adopted project attested TLS proof of concept (https://github.com/ccc-attestation/attested-tls-poc) 7. Combination of #2, #3, and #4: proposed in draft-fossati-tls- attestation-06 (https://www.ietf.org/archive/id/draft-fossati- tls-attestation-06.html) Sardar Expires 7 January 2027 [Page 4] Internet-Draft TODO - Abbreviation July 2026 We provide a formal proof of insecurity of all the above candidate binding mechanisms of intra-handshake attestation using the state-of-the-art tool ProVerif and propose a mitigation for the discovered security vulnerabilities. Our study reveals that it may not be possible to achieve strong application-traffic (level 3) binding using intra-handshake attestation alone. 1.3. Affected Implementations * Meta's AI (https://ai.meta.com/static-resource/private-processing- technical-whitepaper) * Cocos AI (https://github.com/ultravioletrs/cocos) * Edgeless Systems Contrast (https://github.com/edgelesssys/ contrast) * CCC Attestation SIG's adopted project attested TLS proof of concept (https://github.com/ccc-attestation/attested-tls-poc) 1.4. Binding Levels 1. DH shared secret 2. Handshake traffic key 3. Application traffic key 1.5. Correlation Goals We consider TLS Server as RATS Attester, which is typical in confidential computing. 1. Correlation of Evidence to a DH Shared Secret (G1) 2. Correlation of Evidence to Client’s Handshake Traffic Key (G2) 3. Correlation of Evidence to Client’s Application Traffic Key (G3) 1.6. Main results * All analyzed binding mechanisms and the corresponding implementations of intra-handshake attestation are vulnerable to relay attacks. * Early exporter helps achieve level 1 binding. * Our proposed mechanism helps achieve level 2 binding. Sardar Expires 7 January 2027 [Page 5] Internet-Draft TODO - Abbreviation July 2026 * It may not be possible to achieve level 3 in intra-handshake attestation alone without additional assumptions. +====================+====================+===========+===========+ | Property | Mechanism #1,2,4,6 | Mechanism | Proposed | | | | #3,5,7 | mechanism | +====================+====================+===========+===========+ | G1 : Correlation | ❌ | ✅ | ✅ | | of Evidence to gxy | | | | +--------------------+--------------------+-----------+-----------+ | G2 : Correlation | ❌ | ❌ | ✅ | | of Evidence to kch | | | | +--------------------+--------------------+-----------+-----------+ | G3 : Correlation | ❌ | ❌ | ❌ | | of Evidence to kc | | | | +--------------------+--------------------+-----------+-----------+ Table 1 1.6.1. Implications of Research for IETF SEAT WG * We believe post-handshake attestation alone, such as draft- fossati-seat-expat (https://datatracker.ietf.org/doc/draft- fossati-seat-expat/), can achieve level 3 binding. * The research suggests that recent hybrid proposals (combination of intra-handshake attestation and post-handshake attestation) draft- fossati-seat-early-attestation (https://datatracker.ietf.org/doc/ draft-fossati-seat-early-attestation/04/) and draft-ritz-seat- facts (https://datatracker.ietf.org/doc/draft-ritz-seat-facts/00/) may add unnecessary complexity of intra-handshake attestation without adding any security benefit compared to post-handshake attestation alone, such as draft-fossati-seat-expat (https://datatracker.ietf.org/doc/draft-fossati-seat-expat/). 1.6.2. Implications of Research for IETF TLS WG * Remote attestation _within_ the handshake is very dangerous, since to our knowledge, it is one of the highest scored vulnerabilities in confidential computing literature (see this (https://github.com/CCC-Attestation/formal-spec-KBS#comparison- with-other-vulnerabilities-in-confidential-computing-literature)). Given the high-severity vulnerabilities, the developers and maintainers of intra-handshake attestation MUST urgently move to post-handshake attestation. Sardar Expires 7 January 2027 [Page 6] Internet-Draft TODO - Abbreviation July 2026 1.6.3. Implications of Research for Agent2Agent Intra-handshake attestation does more damage than protection for AI agents. 2. Conventions and Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. 3. Technical Details 3.1. Tool We use state-of-the-art symbolic security analysis tool ProVerif (https://ieeexplore.ieee.org/document/9833653) for the specification of the protocols. 3.2. Modeling The formal model uses the fixed version of diversion attacks in intra-handshake attestation (https://github.com/CCC-Attestation/ formal-spec-id-crisis/tree/main/TLS-a/fix) from our previous work as the starting point to focus on relay attacks in intra-handshake attestation in this work. The rationale is that we consider it more useful to show the added value of this contribution to the community by using the fixed version of diversion attacks in intra-handshake attestation (https://github.com/CCC-Attestation/formal-spec-id- crisis/tree/main/TLS-a/fix) as the baseline, rather than showing the same diversion attacks from ID-Crisis paper (https://dl.acm.org/ doi/10.1145/3779208.3785387), and the discovered CVE ([CVE-2026-33697]) -- which the previous analysis could not find -- practically demonstrates the added value. This modeling choice makes it clear that even with the diversion attacks fixed, high-severity relay attacks would still remain in intra-handshake attestation. 3.3. Technical Report Technical report is available at [Intra-handshake.fail]. 3.4. Artifacts Artifacts are available at [Intra-handshake.fail-repo] under Apache- 2.0 License. Sardar Expires 7 January 2027 [Page 7] Internet-Draft TODO - Abbreviation July 2026 4. Security Considerations All of this document is about the insecurity of intra-handshake attestation. 5. IANA Considerations This document has no IANA actions. 6. References 6.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, . 6.2. Informative References [CVE-2026-33697] CVE, "CoCoS attested TLS is vulnerable to relay attacks via extracted ephemeral TLS keys", March 2026, . [Intra-handshake.fail] Sardar, M. U., Dubeyko, V., and J.-M. Jacquet, "Intra- handshake.fail (CVE-2026-33697): High-severity CVE in Attested TLS", September 2026, . [Intra-handshake.fail-repo] Sardar, M. U., Dubeyko, V., and J.-M. Jacquet, "Intra- handshake.fail (CVE-2026-33697): High-severity CVE in Attested TLS", June 2026, . Acknowledgments We would like to thank our co-authors of paper for their valuable contributions: Sardar Expires 7 January 2027 [Page 8] Internet-Draft TODO - Abbreviation July 2026 * Viacheslav Dubeyko * Jean-Marie Jacquet We gratefully acknowledge the following for insightful discussions on this work: * Eric Rescorla * Juho Forsén * Markus Rudy * Mariam Moustafa * Bruno Blanchet * Steve Kremer * Tjaden Hess * Martin Thomson * Yuning Jiang * Pavel Nikonorov * Casey Wilson * Danko Miladinovic * Songbo Bu * Nathanael Ritz We also gratefully acknowledge the following who gave feedback on previous state-of-the-art (https://github.com/CCC-Attestation/formal- spec-id-crisis) that we utilize as the basis: * Tuomas Aura * Ionut Mihalcea * Thomas Fossati * Hannes Tschofenig * Yaron Sheffer Sardar Expires 7 January 2027 [Page 9] Internet-Draft TODO - Abbreviation July 2026 * Laurence Lundblade * Giridhar Mandyam * Christopher Patton * Jonathan Hoyland * Richard Barnes Several others at the IETF, IRTF, and CCC have contributed by providing feedback. We sincerely thank Karthikeyan Bhargavan, Bruno Blanchet, and Nadim Kobeissi for the foundational formal model of draft 20 of TLS 1.3 in their work (https://ieeexplore.ieee.org/document/7958594). Author's Address Muhammad Usama Sardar TU Dresden, Germany Email: muhammad_usama.sardar@tu-dresden.de Sardar Expires 7 January 2027 [Page 10]