Earlier this week, a company called Telegram announced a “secure” mobile messaging product. How secure? In their words of their FAQ, “very secure.” Curious to learn more, I went to look at the protocol, and immediately had a number of questions and concerns. However, when pressed on technical details by others, they responded with the academic credentials of their developers (math Ph.Ds) instead of engaging in a more reasonable dialog. They also declined my suggestions for collaboration of any kind.
Most recently, they’ve chosen to respond to the concerns of the security community with… a crypto cracking contest!
The Fallacy Of The Crypto Contest
As always, these things are a bad sign. By framing the contest the way they have, the Telegram developers are leveraging a rigged challenge to trick the public. They wasted no time in updating their FAQ to point to the challenge as solid proof of their absolute security, even when it’s essentially meaningless.
So Telegram developers, by way of a response, I have my own crypto cracking contest for you. Below is a horrifically bad “secure” protocol that wouldn’t last a second in a real world environment, but becomes “unbreakable” when presented in the exact same framework as the Telegram challenge.
Alicegenerates a random 32 byte value,
super_secret, using the NSA backdoored random number generator, Dual_EC_DRBG.
Alicesends a message to
Bobasking for his public key.
bob_public, an 896bit RSA public key. Nothing is signed. Nothing is verified. We’re just kinda hoping there was no MITM attack.
bob_publicusing “textbook RSA” and sends it to
Bob. No random padding of any kind, just zeroes. e = 65537.
message_key = MD2(super_secret)(we know you like dated crypto, so we thought you’d like the MD2 hash function).
Alicesends her message to
ciphertext = message xor message_key. Aged to perfection, our XOR encryption is even older than your 70s era crypto, so what’s up now?
Here we have a messaging protocol that employs the NSA backdoored random number generator (Dual_EC_DRBG),
weak public key cryptography (896bit RSA, no padding, no signatures, no authenticity), the worst cryptographic
hash function possible as a KDF (MD2), and XOR as a cipher. The entire transcript of communication between
Bob is below, and
Alice will send her same message to
Bob once a day (as with the Telegram contest).
The contest framework is identical to Telegram’s (no MITM perspective, no known plaintext, no chosen plaintext, no chosen
ciphertext, no tampering, no replay access, etc). If Telegram wants to prove that their protocol is better than this absolute
garbage protocol, then I challenge them to publish the plaintext of
Alice’s message. If they can’t demonstrate a break in this
obviously broken protocol using the same contest framework they’ve setup, then we’ll know that their contest is bullshit.
By their logic, this contest is “proof” of a broken protocol’s impenetrable security, even though all it proves is that contests like these are tools in the service of snake oil.
For The Rest Of Us
Let’s do this right and build a real Open Source secure asynchronous messaging solution that is more than snake oil and marketing gimmicks. TextSecure, the Open Source app we’ve been developing at Open WhisperSystems, uses the Axolotol ratchet, which we believe should represent the core of any secure asynchronous messaging solution today. We’ve worked with Cyanogen to transparently integrate the TextSecure protocol into CyanogenMod, which gives us a 10 million user head start on bad faith developers like Telegram.
Please join us in this collective Open Source endeavor. Join the mailing list and start helping out with development, design, or documentation. If you want to contribute financially, you can contribute funds to our BitHub instance, which will give anyone a chance to receive funding for their non-financial contributions, and will give you the opportunity to see exactly how your money was spent.
Big or small, anything you can do to help is one step closer to a truly ubiquitous private messaging solution that makes potential snake oil like Telegram easy to ignore. It’s going to take all of us.
Postscript - The Contest Transmission Log
Alice: 7075 626c 6963 206b 6579 2070 6c7a Bob : 3081 8c30 0d06 092a 8648 86f7 0d01 0101 0500 037b 0030 7802 7100 acc3 ec17 9fea 0d19 b29d f347 cc62 423c 02d9 e49b ba54 b9a7 4cea 7c82 0f99 dcf1 c221 fca2 7882 0b67 4c7e 8d67 b0e5 4a2b 8873 438d ef0b f5d1 6862 fecc ae0d 8736 5e69 cb5e 1346 f612 49d2 e8ce 1463 8be0 8022 8ef2 01d9 6917 6a03 19fc 2a03 ddad aad4 eb28 d655 107c 52bf c1ae e800 a501 0203 0100 01 Alice: 53ce e8e4 f6c4 b330 a6aa 0830 81f2 c5e3 00b2 c3ac 0e54 7cee c9a6 be0e 7a54 9bf0 dbf2 11c2 853a 8443 da72 4dcf 96ad bc9a 9373 5f68 6a33 0f5b ea49 f40b 8324 3f8a 168a 7d78 3e08 85a1 f774 7c6a 10f9 646c a13e d6c3 00b3 670a 2af3 d2d6 b153 20b2 5b1c 2fd1 6599 989a 1938 2c18 1acf 68a5 Alice: 12a6 077f 4625 5523 c23b 2c43 e60f dd39
- Stay in touch,