HackerTrans
TopNewTrendsCommentsPastAskShowJobs

TelegramApp

no profile record

comments

TelegramApp
·قبل 13 سنة·discuss
Kindly take at look at this technical FAQ that we've assebmled based on the conversations on Hacker News and elsewhere: http://core.telegram.org/techfaq
TelegramApp
·قبل 13 سنة·discuss
No. What we mean is, as I've just noted in the reply to tptacek, that so far no attack was named that could harm the setup as described in our docs. And since this setup also delivers the performance that we require in terms of speed, we do not see why it would be necessary to change our approach to KDF.
TelegramApp
·قبل 13 سنة·discuss
Thanks for noticing, we fixed that yesterday.
TelegramApp
·قبل 13 سنة·discuss
> The consensus seems to be that you're doing..

Now, again, could I somehow direct your attention away from speculations and to what we are ACTUALLY doing (as, again, documented here [0], and now here as well [1]).

1. We are not doing plain encrypt-and-mac.

2. The SHA1 in question is for raw unencrypted data.

3. The message key is SHA1-dependent.

4. Note that the AES key and iv depends on that SHA1.

This can be described as a generic composition of cipher with ciphertext, encrypted by a MAC. The resulting data-dependant variable key denies all common attacks.

As for KDF, what particular solution do you have in mind? And even then — certainly, alternative solutions exist, but we do not see how changing this point would affect our system as whole. [1] As stated before, we'd welcome any information on attacks that could in reality threaten the actual setup.

[0] - http://core.telegram.org/mtproto/description [1] - https://core.telegram.org/img/mtproto_encryption.png
TelegramApp
·قبل 13 سنة·discuss
In order to clarify a few points in our setup, we've added this scheme to the protocol description page [0],[1].

We are indeed using well-known older algorithms, created in the days when bandwidth and processing power were both a much rarer commodity. This has valuable side-effects for modern-day mobile development, provided one takes care of the known drawbacks.

The weakspots of the said algorithms are also well-known, and have been exploited for decades. We used these algorithms in such a combination that, to our best knowledge, prevents any known attack from possibly succeeding. Although we’d be grateful to see any evidence of the contrary (so far absent from this thread) and update our system accordingly.

While other ways of achieving the same cryptographic goals, undoubtedly, exist, we feel that the present solution is both robust and also sucсeeds at our secondary task of beating unencrypted messengers in terms of delivery time and stability.

[0] ­­– https://core.telegram.org/img/mtproto_encryption.png [1] - http://core.telegram.org/mtproto/description
TelegramApp
·قبل 13 سنة·discuss
2. A passing look at the docs would reveal that we do not use IGE that way, and instead use SHA1 for integrity check (see 'message key' here: https://core.telegram.org/mtproto/description). The problems you mentioned as endemic to IGE used for integrity verification, are therefore irrelevant in this case.

As for KDF, going for slower provable algorithms used for each incoming\outgoing packet may be a preferred solution for projects aimed at the relatively small security crowd. But we don't really compete in this area, our competition is WhatsApp and other mass market messengers.
TelegramApp
·قبل 13 سنة·discuss
We use SHA1 (see 'message key' here: https://core.telegram.org/mtproto/description). IGE is used instead of CBC.
TelegramApp
·قبل 13 سنة·discuss
This version of the client is using manual padding with random bytes. This isn't too bad, considering the SHA1 presence. (See #4 here: https://core.telegram.org/mtproto/auth_key)

The server now supports OAEP, although this has yet to find its way into the docs and clients. We will update. Thank you!
TelegramApp
·قبل 13 سنة·discuss
In terms of DoS possibilities, one doesn't need to replay old messages, they could just as easily send new ones or random garbage.

We could employ additional filtering techniques, but that increases processing time. And since modern hardware allows for very fast AES decryption, there is no particular gain in building additional layers of protection.

All that, naturally, implies that other anti-DoS measures are also being used.
TelegramApp
·قبل 13 سنة·discuss
Two questions for you:

1. Kindly be more specific about our RSA implementation. Please note, that we only use RSA with public keys, not private. If you are aware of any possible attacks on this setup, please let us know.

2. And what problems with IGE are you aware of? Any known attack? As far as we know, it is the ubiquitous CBC that has had issues. And by the way, Kerberos had to abandon PCBC - not IGE.

Thank you for the offer to join in the project you represent. However, we feel that what we are doing is going in a somewhat different direction and has its own potential.

The team behind Telegram, led by Nikolai Durov, consists of six ACM champions, half of them Ph.Ds in math. It took them about two years to roll out the current version of MTProto. Names and degrees may indeed not mean as much in some fields as they do in others, but this protocol is the result of thougtful and prolonged work of professionals.

The basic copy on telegram.org rightfully appears as simplistic to the Hacker News resident. It was written for the general public, since we want to bring secure messaging to the masses — not just to the security geek, who has it already (in oh so many forms).

But for the technically minded we provided rather detailed documentation for our protocol: http://core.telegram.org/mtproto and API: http://core.telegram.org/api

We would be glad to respond to criticism, but not on the level of "I looked at it for 4 minutes, maybe they didn't think about X" (as another guy in the comments below put it), or "why didn't you just use this?".

If anybody here can identify a specific point and prove that it is vulnerable and can be hacked a certain way, we are ready to respond and\or fix, if neccessary. Gentlemen?
TelegramApp
·قبل 13 سنة·discuss
MTProto still uses RSA, AES + DH. So I would disagree that what we have here means 'compromising security for speed and stability'. It is rather optimizing for speed and stability, while staying secure.
TelegramApp
·قبل 13 سنة·discuss
We have not 'rolled our own crypto'. We still use RSA, AES and DH.

I've changed the part in the FAQ that seems to be one of major sources of this controversy, so that it no longer reads "built from scratch". This was poorly applied marketing language — we do use time-tested security algorithms. Even though Telegram doesn't uses MTProto instead of HTTPS due to mobile speed and trust issues.
TelegramApp
·قبل 13 سنة·discuss
That is correct, Telegram does upload names and numbers — naturally, after receiving permission to do so. (see also: http://telegram.org/privacy)

Apart from identifying Telegram users among the user's friends, this also enables us to use proper names in notifications on the iPhone, as well as facilitates moving between devices.

But you have highlighted an important issue. Our android developer relied on the system prompts when it comes to uploading contacts, which is definitely not enough for the issue at hand. We will add another prompt in the coming version. (As well as update the GitHub code to the current generation soon, it's been becoming a little stale.)
TelegramApp
·قبل 13 سنة·discuss
Still, there are sometimes valid reasons for not re-using existing solutions.

In our case, we needed something that is both secure and competitive in comparison to mass market solutions in terms of speed, working on weak connections and usability.

Disclaimer: I work for Telegram.
TelegramApp
·قبل 13 سنة·discuss
Private keys for secret chats are only stored on the two participating devices.

As for server code — open sourcing the server code wouldn't really do much to improve trust. You would still have to trust us that we are using THAT code, not something different.
TelegramApp
·قبل 13 سنة·discuss
Is anything wrong with it?
TelegramApp
·قبل 13 سنة·discuss
The main reason is speed. MTProto is designed to work fast on weak mobile connections. Another reason is security, with HTTPs you need to trust more parties.
TelegramApp
·قبل 13 سنة·discuss
The reason for designing something new was this: in order for really secure messaging to catch on among the masses today — it needs not only be secure. When you want to compete with the likes of WA, you also need be fast and reliable on weak mobile connections.

TLS/HTTPS is slow and takes a lot of time to restore connection on fragile networks.

MTProto was born as a result of an experiment: whether it would be possible to create something that is both secure and fast.

Disclaimer: Unfortunately, I'm not Nikolay. But I do work for Telegram.