
Moxie Marlinspike >> Blog >> A Crypto Challenge For The Telegram Developers

Earlier this week, a company called Telegram announced a secure mobile messaging product. How secure? In the words of their FAQ, very secure. Curious to learn more, I went to look at the protocol, and immediately had a number of questions and concerns. However, when pressed on technical details by others, they responded with the academic credentials of their developers (math Ph.Ds) instead of engaging in a more reasonable dialog. They also declined my suggestions for collaboration of any kind.

Most recently, they've chosen to respond to the concerns of the security community with a crypto cracking contest!

The Fallacy Of The Crypto Contest

As always, these things are a bad sign. By framing the contest the way they have, the Telegram developers are leveraging a rigged challenge to trick the public. They wasted no time in updating their FAQ to point to the challenge as solid proof of their absolute security, even when it's essentially meaningless.

So Telegram developers, by way of a response, I have my own crypto cracking contest for you. Below is a horrifically bad secure protocol that wouldn't last a second in a real world environment, but becomes unbreakable when presented in the exact same framework as the Telegram challenge.

  1. Alice generates a random 32 byte value, super_secret, using the NSA backdoored random number generator, Dual_EC_DRBG.
  2. Alice sends a message to Bob asking for his public key.
  3. Bob responds with bob_public, an 896-bit RSA public key. Nothing is signed. Nothing is verified. We're just kinda hoping there was no MITM attack.
  4. Alice encrypts super_secret with bob_public using textbook RSA and sends it to Bob. No random padding of any kind, just zeroes. e = 65537.
  5. Both Alice and Bob now compute message_key = MD2(super_secret) (we know you like dated crypto, so we thought you'd like the MD2 hash function).
  6. Alice sends her message to Bob by computing ciphertext = message xor message_key. Aged to perfection, our XOR encryption is even older than your 70s era crypto, so what's up now?

Here we have a messaging protocol that employs the NSA backdoored random number generator (Dual_EC_DRBG), weak public key cryptography (896-bit RSA, no padding, no signatures, no authenticity), the worst cryptographic hash function possible as a KDF (MD2), and XOR as a cipher. The entire transcript of communication between Alice and Bob is below, and Alice will send her same message to Bob once a day (as with the Telegram contest).

The contest framework is identical to Telegram's (no MITM perspective, no known plaintext, no chosen plaintext, no chosen ciphertext, no tampering, no replay access, etc). If Telegram wants to prove that their protocol is better than this absolute garbage protocol, then I challenge them to publish the plaintext of Alice's message. If they can't demonstrate a break in this obviously broken protocol using the same contest framework they've set up, then we'll know that their contest is bullshit.

By their logic, this contest is proof of a broken protocol's impenetrable security, even though all it proves is that contests like these are tools in the service of snake oil.

Postscript - The Contest Transmission Log

Alice: 7075 626c 6963 206b 6579 2070 6c7a    
Bob  : 3081 8c30 0d06 092a 8648 86f7 0d01 0101  
       0500 037b 0030 7802 7100 acc3 ec17 9fea
       0d19 b29d f347 cc62 423c 02d9 e49b ba54
       b9a7 4cea 7c82 0f99 dcf1 c221 fca2 7882
       0b67 4c7e 8d67 b0e5 4a2b 8873 438d ef0b
       f5d1 6862 fecc ae0d 8736 5e69 cb5e 1346
       f612 49d2 e8ce 1463 8be0 8022 8ef2 01d9
       6917 6a03 19fc 2a03 ddad aad4 eb28 d655
       107c 52bf c1ae e800 a501 0203 0100 01	   
Alice: 53ce e8e4 f6c4 b330 a6aa 0830 81f2 c5e3
       00b2 c3ac 0e54 7cee c9a6 be0e 7a54 9bf0
       dbf2 11c2 853a 8443 da72 4dcf 96ad bc9a
       9373 5f68 6a33 0f5b ea49 f40b 8324 3f8a
       168a 7d78 3e08 85a1 f774 7c6a 10f9 646c
       a13e d6c3 00b3 670a 2af3 d2d6 b153 20b2
       5b1c 2fd1 6599 989a 1938 2c18 1acf 68a5
Alice: 12a6 077f 4625 5523 c23b 2c43 e60f dd39
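
An added example, not part of the original post: a small Python DER reader that decodes the log above and checks it against the parameters the protocol description states (896-bit RSA modulus, e = 65537, and a final ciphertext of 16 bytes, which is MD2's output size). The function names and the 2048-bit `min_bits` threshold are assumptions of this example.

```python
# Hex below is copied from the post's transmission log; names are this example's own.
HELLO = bytes.fromhex("7075 626c 6963 206b 6579 2070 6c7a")
BOB_KEY = bytes.fromhex("""
    3081 8c30 0d06 092a 8648 86f7 0d01 0101
    0500 037b 0030 7802 7100 acc3 ec17 9fea
    0d19 b29d f347 cc62 423c 02d9 e49b ba54
    b9a7 4cea 7c82 0f99 dcf1 c221 fca2 7882
    0b67 4c7e 8d67 b0e5 4a2b 8873 438d ef0b
    f5d1 6862 fecc ae0d 8736 5e69 cb5e 1346
    f612 49d2 e8ce 1463 8be0 8022 8ef2 01d9
    6917 6a03 19fc 2a03 ddad aad4 eb28 d655
    107c 52bf c1ae e800 a501 0203 0100 01
""")
FINAL_CT = bytes.fromhex("12a6 077f 4625 5523 c23b 2c43 e60f dd39")
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 (rsaEncryption)

def read_tlv(buf, pos, want_tag):
    """Read one DER element at pos; return (value, position after it)."""
    if buf[pos] != want_tag:
        raise ValueError(f"expected tag {want_tag:#x} at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return buf[pos:pos + length], pos + length

def parse_rsa_spki(der):
    """Return (modulus, exponent) from a DER SubjectPublicKeyInfo with an RSA key."""
    spki, _ = read_tlv(der, 0, 0x30)
    alg, pos = read_tlv(spki, 0, 0x30)
    oid, _ = read_tlv(alg, 0, 0x06)
    if oid != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    bits, _ = read_tlv(spki, pos, 0x03)
    rsa_key, _ = read_tlv(bits[1:], 0, 0x30)  # skip the unused-bits octet
    n, pos = read_tlv(rsa_key, 0, 0x02)
    e, _ = read_tlv(rsa_key, pos, 0x02)
    return int.from_bytes(n, "big"), int.from_bytes(e, "big")

def audit(min_bits=2048):  # min_bits: assumed policy threshold, not from the post
    n, e = parse_rsa_spki(BOB_KEY)
    return {"request": HELLO.decode("ascii"), "modulus_bits": n.bit_length(),
            "exponent": e, "below_minimum": n.bit_length() < min_bits,
            "final_ct_bytes": len(FINAL_CT)}

if __name__ == "__main__":
    print(audit())
```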
