Earlier this week, a company called Telegram announced a secure mobile messaging product. How secure? In the words of their FAQ, very secure. Curious to learn more, I went to look at the protocol, and immediately had a number of questions and concerns. However, when pressed on technical details by others, they responded with the academic credentials of their developers (math Ph.D.s) instead of engaging in a more reasonable dialog. They also declined my suggestions for collaboration of any kind.
Most recently, they've chosen to respond to the concerns of the security community with a crypto cracking contest!
As always, these things are a bad sign. By framing the contest the way they have, the Telegram developers are leveraging a rigged challenge to trick the public. They wasted no time in updating their FAQ to point to the challenge as solid proof of their absolute security, even though it's essentially meaningless.
So Telegram developers, by way of a response, I have my own crypto cracking contest for you. Below is a horrifically bad "secure" protocol that wouldn't last a second in a real-world environment, but becomes unbreakable when presented in the exact same framework as the Telegram challenge.
1. Alice generates a random 32-byte value, super_secret, using the NSA-backdoored random number generator, Dual_EC_DRBG.
2. Alice sends a message to Bob asking for his public key.
3. Bob responds with bob_public, an 896-bit RSA public key. Nothing is signed. Nothing is verified. We're just kinda hoping there was no MITM attack.
4. Alice encrypts super_secret with bob_public using textbook RSA and sends it to Bob. No random padding of any kind, just zeroes. e = 65537.
5. Alice and Bob now compute message_key = MD2(super_secret) (we know you like dated crypto, so we thought you'd like the MD2 hash function).
6. Alice sends her message to Bob by computing ciphertext = message xor message_key. Aged to perfection, our XOR encryption is even older than your 70s-era crypto, so what's up now?
Here we have a messaging protocol that employs the NSA-backdoored random number generator (Dual_EC_DRBG), weak public key cryptography (896-bit RSA, no padding, no signatures, no authenticity), the worst cryptographic hash function possible as a KDF (MD2), and XOR as a cipher. The entire transcript of communication between Alice and Bob is below, and Alice will send her same message to Bob once a day (as with the Telegram contest).
The contest framework is identical to Telegram's (no MITM perspective, no known plaintext, no chosen plaintext, no chosen ciphertext, no tampering, no replay access, etc.). If Telegram wants to prove that their protocol is better than this absolute garbage protocol, then I challenge them to publish the plaintext of Alice's message. If they can't demonstrate a break in this obviously broken protocol using the same contest framework they've set up, then we'll know that their contest is bullshit.
By their logic, this contest is proof of a broken protocol's impenetrable security, even though all it proves is that contests like these are tools in the service of snake oil.
Alice: 7075 626c 6963 206b 6579 2070 6c7a
Bob : 3081 8c30 0d06 092a 8648 86f7 0d01 0101
0500 037b 0030 7802 7100 acc3 ec17 9fea
0d19 b29d f347 cc62 423c 02d9 e49b ba54
b9a7 4cea 7c82 0f99 dcf1 c221 fca2 7882
0b67 4c7e 8d67 b0e5 4a2b 8873 438d ef0b
f5d1 6862 fecc ae0d 8736 5e69 cb5e 1346
f612 49d2 e8ce 1463 8be0 8022 8ef2 01d9
6917 6a03 19fc 2a03 ddad aad4 eb28 d655
107c 52bf c1ae e800 a501 0203 0100 01
Alice: 53ce e8e4 f6c4 b330 a6aa 0830 81f2 c5e3
00b2 c3ac 0e54 7cee c9a6 be0e 7a54 9bf0
dbf2 11c2 853a 8443 da72 4dcf 96ad bc9a
9373 5f68 6a33 0f5b ea49 f40b 8324 3f8a
168a 7d78 3e08 85a1 f774 7c6a 10f9 646c
a13e d6c3 00b3 670a 2af3 d2d6 b153 20b2
5b1c 2fd1 6599 989a 1938 2c18 1acf 68a5
Alice: 12a6 077f 4625 5523 c23b 2c43 e60f dd39
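The transcript above can be checked against the protocol description with nothing but the Python standard library. The following is an added example, not code from the original post: a minimal DER walker parses Bob's reply (a SubjectPublicKeyInfo), recovers the modulus and exponent, and confirms the properties the text asserts (896-bit RSA, e = 65537, a ciphertext exactly one modulus wide, and a 16-byte final message matching one MD2 digest of keystream). It also shows that textbook RSA with zero padding is deterministic, which is the property proper padding exists to remove. The hex values are copied from the transcript; the 32-byte sample_secret is a constructed stand-in for super_secret, and the helper names are mine.

```python
"""Audit of the key exchange in the transcript above (added example)."""

# Message 1: Alice's request, sent in the clear.
ALICE_REQUEST = bytes.fromhex("7075 626c 6963 206b 6579 2070 6c7a")

# Message 2: Bob's SubjectPublicKeyInfo (DER). Unsigned, unauthenticated.
BOB_PUBLIC = bytes.fromhex("""
3081 8c30 0d06 092a 8648 86f7 0d01 0101
0500 037b 0030 7802 7100 acc3 ec17 9fea
0d19 b29d f347 cc62 423c 02d9 e49b ba54
b9a7 4cea 7c82 0f99 dcf1 c221 fca2 7882
0b67 4c7e 8d67 b0e5 4a2b 8873 438d ef0b
f5d1 6862 fecc ae0d 8736 5e69 cb5e 1346
f612 49d2 e8ce 1463 8be0 8022 8ef2 01d9
6917 6a03 19fc 2a03 ddad aad4 eb28 d655
107c 52bf c1ae e800 a501 0203 0100 01
""")

# Message 3: super_secret under textbook RSA with bob_public.
ALICE_ENCRYPTED_SECRET = bytes.fromhex("""
53ce e8e4 f6c4 b330 a6aa 0830 81f2 c5e3
00b2 c3ac 0e54 7cee c9a6 be0e 7a54 9bf0
dbf2 11c2 853a 8443 da72 4dcf 96ad bc9a
9373 5f68 6a33 0f5b ea49 f40b 8324 3f8a
168a 7d78 3e08 85a1 f774 7c6a 10f9 646c
a13e d6c3 00b3 670a 2af3 d2d6 b153 20b2
5b1c 2fd1 6599 989a 1938 2c18 1acf 68a5
""")

# Message 4: message xor MD2(super_secret).
ALICE_MESSAGE = bytes.fromhex("12a6 077f 4625 5523 c23b 2c43 e60f dd39")

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the DER TLV starting at pos.
    Handles short-form and long-form (0x81/0x82...) lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_spki(der: bytes):
    """Walk SubjectPublicKeyInfo -> BIT STRING -> RSAPublicKey and return (n, e)."""
    tag, spki, _ = _read_tlv(der, 0)
    assert tag == 0x30, "expected outer SEQUENCE"
    tag, alg, pos = _read_tlv(spki, 0)           # AlgorithmIdentifier
    assert tag == 0x30
    _, oid, _ = _read_tlv(alg, 0)
    assert oid == RSA_ENCRYPTION_OID, "not an rsaEncryption key"
    tag, bitstr, _ = _read_tlv(spki, pos)        # subjectPublicKey BIT STRING
    assert tag == 0x03 and bitstr[0] == 0, "unexpected unused-bits byte"
    tag, rsakey, _ = _read_tlv(bitstr, 1)        # RSAPublicKey SEQUENCE
    assert tag == 0x30
    tag_n, n_bytes, pos = _read_tlv(rsakey, 0)
    tag_e, e_bytes, _ = _read_tlv(rsakey, pos)
    assert tag_n == 0x02 and tag_e == 0x02, "modulus/exponent must be INTEGERs"
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def textbook_rsa_encrypt(plaintext: bytes, n: int, e: int) -> bytes:
    """Step 4 of the protocol: left-pad with zero bytes to the modulus width,
    then m^e mod n. No randomness is involved, so equal inputs give equal outputs."""
    key_bytes = (n.bit_length() + 7) // 8
    m = int.from_bytes(plaintext.rjust(key_bytes, b"\x00"), "big")
    if m >= n:
        raise ValueError("plaintext too large for the modulus")
    return pow(m, e, n).to_bytes(key_bytes, "big")


def audit_transcript() -> dict:
    """Check the transcript against what the protocol description claims."""
    n, e = parse_rsa_spki(BOB_PUBLIC)
    key_bytes = (n.bit_length() + 7) // 8
    sample_secret = bytes(range(32))  # constructed stand-in for super_secret
    return {
        "request_plaintext": ALICE_REQUEST.decode("ascii"),
        "modulus_bits": n.bit_length(),
        "public_exponent": e,
        "ciphertext_len_matches_modulus": len(ALICE_ENCRYPTED_SECRET) == key_bytes,
        "ciphertext_below_modulus": int.from_bytes(ALICE_ENCRYPTED_SECRET, "big") < n,
        "textbook_rsa_is_deterministic": (textbook_rsa_encrypt(sample_secret, n, e)
                                          == textbook_rsa_encrypt(sample_secret, n, e)),
        "final_message_bytes": len(ALICE_MESSAGE),  # 16 = one MD2 digest of keystream
    }


if __name__ == "__main__":
    for name, value in audit_transcript().items():
        print(f"{name}: {value}")
```

Running the file prints each check; the DER walker is deliberately strict (it asserts on every tag) so that a key with an unexpected structure fails loudly instead of being silently misparsed. MD2 itself is left out because most OpenSSL builds no longer expose it, which is part of the point the post is making about dated primitives.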