✳️ SECURITY | CRYPTOGRAPHY ✳️
Computer Science Master's thesis
Aarhus University Denmark 🇩🇰
_________________
A practical cryptanalysis of the Telegram messaging protocol
_________________
Author: Jakob Bjerre Jakobsen
Supervisor: Claudio Orlandi
_________________
Full document: http://cs.au.dk/~jakjak/master-thesis.pdf
#security #cryptography #cryptanalysis #MTProto
✳️ SECURITY | CRYPTOGRAPHY ✳️
‼️ CONCLUSIONS ‼️
▶️ In this work we have shown that Telegram, with its use of aging primitives, does not manage to provide data integrity of ciphertexts or authenticated encryption, and is vulnerable to chosen-ciphertext attacks.
▶️ The attempt to mitigate known attacks has introduced new vulnerabilities, and we suggest that the Telegram team updates its protocol to use strong, modern primitives.
▶️ For message authentication codes it should use a good HMAC, use a proper key derivation function, and update the key exchange to use elliptic curve Diffie-Hellman based on Curve25519. Telegram has a great emphasis on computational performance of its protocol, which is why CTR with its parallelization seems to be the logical choice of encryption mode. We suggest using CTR instead of IGE mode, as IGE offers no benefits over CTR.
▶️ Overall, we can conclude yet again that homegrown cryptography is a bad approach.
#security #cryptography #cryptanalysis #MTProto
✳️ SECURITY | CRYPTOGRAPHY ✳️
ABSTRACT
▶️ Telegram is a popular messaging app which supports end-to-end encrypted communication. In Spring 2015 we performed an audit of Telegram's source code. This short paper summarizes our findings.
▶️ Our main discovery is that the symmetric encryption scheme used in Telegram -- known as MTProto -- is not IND-CCA secure, since it is possible to turn any ciphertext into a different ciphertext that decrypts to the same message.
▶️ We stress that this is a theoretical attack on the definition of security and we do not see any way of turning the attack into a full plaintext-recovery attack. At the same time, we see no reason why one should use a less secure encryption scheme when more secure (and at least as efficient) solutions exist.
▶️ The take-home message (once again) is that well-studied, provably secure encryption schemes that achieve strong definitions of security (e.g., authenticated-encryption) are to be preferred to home-brewed encryption schemes.
#security #cryptography #cryptanalysis #MTProto
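A toy model of the two points made in the abstract and the conclusions: a ciphertext that is altered yet still decrypts to the same message (because the integrity tag does not cover the random padding, and the decryptor does not bound the padding), and the encrypt-then-MAC construction with HMAC and CTR that the conclusions recommend instead. This is an added example and not code from the thesis, the paper, or Telegram's MTProto implementation. Assumptions: a 4-round Feistel network keyed with HMAC-SHA256 stands in for AES (same 16-byte block, so the IGE mode arithmetic is unchanged); the "weak" scheme's tag covers only the length-prefixed message; the SHA-256-based key derivation is a placeholder, not Telegram's KDF; the sample key and message are constructed for the demo.

```python
import hashlib
import hmac
import os

BLOCK = 16
DEMO_KEY = bytes(range(32))            # constructed sample long-term key
DEMO_MSG = b"meet at the usual place"  # constructed sample message

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key: bytes, i: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]

def block_encrypt(key: bytes, block: bytes) -> bytes:
    """16-byte block cipher stand-in: 4-round Feistel (Luby-Rackoff). Assumption, not AES."""
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, xor(l, _round(key, i, r))
    return l + r

def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = xor(r, _round(key, i, l)), l
    return l + r

def ige_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    """IGE mode (the mode MTProto uses): c_i = E(m_i ^ c_{i-1}) ^ m_{i-1}, iv = c_0 || m_0."""
    c_prev, m_prev, out = iv[:BLOCK], iv[BLOCK:], []
    for i in range(0, len(pt), BLOCK):
        m = pt[i:i + BLOCK]
        c = xor(block_encrypt(key, xor(m, c_prev)), m_prev)
        out.append(c)
        c_prev, m_prev = c, m
    return b"".join(out)

def ige_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    """A changed c_i garbles m_i and everything after it, never earlier blocks."""
    c_prev, m_prev, out = iv[:BLOCK], iv[BLOCK:], []
    for i in range(0, len(ct), BLOCK):
        c = ct[i:i + BLOCK]
        m = xor(block_decrypt(key, xor(c, m_prev)), c_prev)
        out.append(m)
        c_prev, m_prev = c, m
    return b"".join(out)

def _kdf(master: bytes, label: bytes, salt: bytes = b"") -> bytes:
    """Placeholder 32-byte key derivation (assumption; not Telegram's KDF)."""
    return hashlib.sha256(label + master + salt).digest()

def weak_encrypt(master: bytes, msg: bytes) -> bytes:
    """Tag = SHA-256(len || msg)[:16]; the random padding is left unauthenticated."""
    body = len(msg).to_bytes(4, "little") + msg
    tag = hashlib.sha256(body).digest()[:16]
    padded = body + os.urandom((-len(body)) % BLOCK)
    return tag + ige_encrypt(_kdf(master, b"key", tag), _kdf(master, b"iv", tag), padded)

def weak_decrypt(master: bytes, ct: bytes):
    """Returns the message or None; never checks how much padding follows the message."""
    tag, c = ct[:16], ct[16:]
    if len(c) % BLOCK:
        return None
    pt = ige_decrypt(_kdf(master, b"key", tag), _kdf(master, b"iv", tag), c)
    n = int.from_bytes(pt[:4], "little")
    body = pt[:4 + n]
    if len(body) != 4 + n or not hmac.compare_digest(hashlib.sha256(body).digest()[:16], tag):
        return None
    return body[4:]

def malleate(ct: bytes) -> bytes:
    """A different ciphertext: one random block appended, so only trailing padding changes."""
    return ct + os.urandom(BLOCK)

def ctr(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR mode (the parallelizable mode the conclusions recommend): 8-byte nonce || 64-bit counter."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        out += xor(data[i:i + BLOCK], block_encrypt(key, nonce[:8] + (i // BLOCK).to_bytes(8, "big")))
    return bytes(out)

def strong_encrypt(master: bytes, msg: bytes) -> bytes:
    """Encrypt-then-MAC: CTR under one key, HMAC-SHA256 over nonce || ciphertext under another."""
    nonce = os.urandom(16)
    c = nonce + ctr(_kdf(master, b"enc"), nonce, msg)
    return c + hmac.new(_kdf(master, b"mac"), c, hashlib.sha256).digest()

def strong_decrypt(master: bytes, ct: bytes):
    """Verify the HMAC over everything before touching the ciphertext."""
    c, tag = ct[:-32], ct[-32:]
    if len(c) < 16 or not hmac.compare_digest(hmac.new(_kdf(master, b"mac"), c, hashlib.sha256).digest(), tag):
        return None
    return ctr(_kdf(master, b"enc"), c[:16], c[16:])

def cca_demo(master: bytes = DEMO_KEY, msg: bytes = DEMO_MSG) -> dict:
    """The CCA query from the abstract against both schemes."""
    weak_ct, strong_ct = weak_encrypt(master, msg), strong_encrypt(master, msg)
    return {
        "weak_roundtrip": weak_decrypt(master, weak_ct) == msg,
        "weak_forgery_accepted": weak_decrypt(master, malleate(weak_ct)) == msg,
        "strong_roundtrip": strong_decrypt(master, strong_ct) == msg,
        "strong_forgery_rejected": strong_decrypt(master, malleate(strong_ct)) is None,
    }
```

In the IND-CCA game the adversary may ask for the decryption of any ciphertext other than the challenge. `malleate()` produces exactly such a ciphertext: it differs from the challenge, yet the weak scheme decrypts it to the challenge message, which is the distinguishing attack the abstract describes (and, as the abstract notes, nothing more than that; no plaintext is recovered). The strong scheme rejects it because the HMAC covers the nonce and the entire ciphertext, so any change at all is caught before decryption, which is the property the conclusions are asking for.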