Internet-Draft TODO - Abbreviation July 2026
Sardar Expires 7 January 2027 [Page]
Workgroup:
agent2agent
Internet-Draft:
draft-intra-handshake-fail-latest
Published:
Intended Status:
Informational
Expires:
Author:
M. U. Sardar
TU Dresden, Germany

Intra-handshake.fail (CVE-2026-33697 of CVSS 7.5)

Abstract

The draft aims to provide technical details of CVE-2026-33697, which is substantial technical evidence of how intra-handshake attestation fails in practice.

About This Document

This note is to be removed before publishing as an RFC.

The latest revision of this draft can be found at https://muhammad-usama-sardar.github.io/intra-handshake-fail/draft-intra-handshake-fail.html. Status information for this document may be found at https://datatracker.ietf.org/doc/draft-intra-handshake-fail/.

Source for this draft and an issue tracker can be found at https://github.com/muhammad-usama-sardar/intra-handshake-fail.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 7 January 2027.

Table of Contents

1. Introduction

We responsibly disclosed the vulnerability in intra-handshake attestation -- as noted in security advisory issued -- to the vendors, which resulted in CVE ([CVE-2026-33697]) of CVSS 7.5.

1.1. Detailed vulnerability disclosure timeline

1.1.1. Comparison with other vulnerabilities in confidential computing literature

The comparison of the above with CVSS 7.5 for [Intra-handshake.fail] indicates that attested TLS is not mature yet compared to the rest of the confidential computing stack, and is currently one of the weakest links in the ecosystem.

Further formal analysis of production implementation of intra-handshake attestation has led to discovery of another class of attacks and will potentially lead to three CVEs (currently under responsible disclosure) each with an expected CVSS 9.1.

1.2. Overview

This draft presents the formal specification and analysis of the candidate binding mechanisms for binding in intra-handshake attestation for standardization for attested TLS protocols:

  1. Client’s TLS nonce: used in Meta's AI

  2. Client’s attestation nonce

  3. Early exporter

  4. Server’s public key

  5. Combination of #2 and #3

  6. Combination of #2 and #4: used in: Edgeless Systems Contrast, Cocos AI, and CCC Attestation SIG's adopted project attested TLS proof of concept

  7. Combination of #2, #3, and #4: proposed in draft-fossati-tls-attestation-06

We provide a formal proof of insecurity of all the above candidate
binding mechanisms of intra-handshake attestation using the
state-of-the-art tool ProVerif and propose a mitigation for the
discovered security vulnerabilities. Our study reveals that it may
not be possible to achieve strong application-traffic (level 3)
binding using intra-handshake attestation alone.

1.4. Binding Levels

  1. DH shared secret

  2. Handshake traffic key

  3. Application traffic key

1.5. Correlation Goals

We consider TLS Server as RATS Attester, which is typical in confidential computing.

  1. Correlation of Evidence to a DH Shared Secret (G1)

  2. Correlation of Evidence to Client’s Handshake Traffic Key (G2)

  3. Correlation of Evidence to Client’s Application Traffic Key (G3)

1.6. Main results

  • All analyzed binding mechanisms and the corresponding implementations of intra-handshake attestation are vulnerable to relay attacks.

  • Early exporter helps achieve level 1 binding.

  • Our proposed mechanism helps achieve level 2 binding.

  • It may not be possible to achieve level 3 in intra-handshake attestation alone without additional assumptions.

Table 1
Property Mechanism #1,2,4,6 Mechanism #3,5,7 Proposed mechanism
G1 : Correlation of Evidence to gxy
G2 : Correlation of Evidence to kch
G3 : Correlation of Evidence to kc

1.6.1. Implications of Research for IETF SEAT WG

1.6.2. Implications of Research for IETF TLS WG

  • Remote attestation within the handshake is very dangerous, since to our knowledge, it is one of the highest scored vulnerabilities in confidential computing literature (see this).

Given the high-severity vulnerabilities, the developers and maintainers
of intra-handshake attestation MUST urgently move to post-handshake
attestation.

1.6.3. Implications of Research for Agent2Agent

Intra-handshake attestation does more damage than protection for AI agents.

2. Conventions and Definitions

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

3. Technical Details

3.1. Tool

We use state-of-the-art symbolic security analysis tool ProVerif for the specification of the protocols.

3.2. Modeling

The formal model uses the fixed version of diversion attacks in intra-handshake attestation from our previous work as the starting point to focus on relay attacks in intra-handshake attestation in this work. The rationale is that we consider it more useful to show the added value of this contribution to the community by using the fixed version of diversion attacks in intra-handshake attestation as the baseline, rather than showing the same diversion attacks from ID-Crisis paper, and the discovered CVE ([CVE-2026-33697]) -- which the previous analysis could not find -- practically demonstrates the added value. This modeling choice makes it clear that even with the diversion attacks fixed, high-severity relay attacks would still remain in intra-handshake attestation.

3.3. Technical Report

Technical report is available at [Intra-handshake.fail].

3.4. Artifacts

Artifacts are available at [Intra-handshake.fail-repo] under Apache-2.0 License.

4. Security Considerations

All of this document is about the insecurity of intra-handshake attestation.

5. IANA Considerations

This document has no IANA actions.

6. References

6.1. Normative References

[RFC2119]
Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, , <https://www.rfc-editor.org/rfc/rfc2119>.
[RFC8174]
Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, , <https://www.rfc-editor.org/rfc/rfc8174>.

6.2. Informative References

[CVE-2026-33697]
CVE, "CoCoS attested TLS is vulnerable to relay attacks via extracted ephemeral TLS keys", , <https://www.cve.org/CVERecord?id=CVE-2026-33697>.
[Intra-handshake.fail]
Sardar, M. U., Dubeyko, V., and J.-M. Jacquet, "Intra-handshake.fail (CVE-2026-33697): High-severity CVE in Attested TLS", , <https://www.researchgate.net/publication/408219182_Intra-handshakefail_CVE-2026-33697_High-severity_CVE_in_Attested_TLS>.
[Intra-handshake.fail-repo]
Sardar, M. U., Dubeyko, V., and J.-M. Jacquet, "Intra-handshake.fail (CVE-2026-33697): High-severity CVE in Attested TLS", , <https://github.com/CCC-Attestation/formal-spec-KBS>.

Acknowledgments

We would like to thank our co-authors of paper for their valuable contributions:

We gratefully acknowledge the following for insightful discussions on this work:

We also gratefully acknowledge the following who gave feedback on previous state-of-the-art that we utilize as the basis:

Several others at the IETF, IRTF, and CCC have contributed by providing feedback.

We sincerely thank Karthikeyan Bhargavan, Bruno Blanchet, and Nadim Kobeissi for the foundational formal model of draft 20 of TLS 1.3 in their work.

Author's Address

Muhammad Usama Sardar
TU Dresden, Germany