$300,000 isn't a whole lot more than it would cost to get an entire novel cryptosystem for a complex application built out of idiosyncratic components assessed professionally. They should just retain Riscure or Rambus to do that for them instead of the PR stunt.
Previous thread about Telegram on HN, featuring Moxie Marlinspike:
They could probably even purchase insurance against their loss. They just need to convince a prize indemnity insurance company that their security is unlikely to be broken, which might itself necessitate a $300 000 security audit...
> They should just retain Riscure or Rambus to do that for them instead of the PR stunt.
I'd love to go back through either of the previous threads and count to see how many people were saying "well, if no one can successfully win the challenge, they can use the money for a security audit!" like they are right now.
Telegram is pretty clearly a bad player that should be avoided.
From the contest:
"This can happen if a security check is failed, or in the case that the first 128 bits of the SHA-1 of the newly created encryption key don't match on both parties' clients when this stage is completed (this corresponds to Paul and Nick comparing the key visualizations for the Secret Chat in their Telegram apps)."
The cost of brute forcing the answer is greater than the prize for the contest.
"This can happen if a security check is failed, or in the case that the first 128 bits of the SHA-1 of the newly created encryption key don't match on both parties' clients when this stage is completed (this corresponds to Paul and Nick comparing the key visualizations for the Secret Chat in their Telegram apps)."
So, given the contest would "succeed" (or "fail", depending on the viewpoint) with no one getting the prize, the only thing we could be more or less certain of, is that no one would likely consider cracking Telegram under given conditions for $300K in 2 months. Or maybe I'm missing something.
Yes, the fairness of the contest plays an important part, and a fair context where only the algorithm is analysed goes a long way.
"Just because no one wins a contest doesn't mean the target is secure...it just means that no one won."
Of course. But the fact that it passed revision by experts means it is (probably) safe today (and, for all that is known, it might be trivially breakable "behind closed doors").
"Our Twofish cryptanalysis contest offers a $10K prize for the best negative comments on Twofish that aren't written by the authors. "
Ah ok, so contests suck, except for the ones we throw. Nice.
"There are no arbitrary definitions of what a winning analysis is." No? So what is "best negative comment"? It's still subjective. And the 2nd best gets nothing? Who determines that?
No, you're playing a semantic game with the word "contest" here. The AES competition was a tournament designed to select the best candidate from a collection of ciphers submitted by the world's best cryptographers.
The Twofish bounty was a bounty that guaranteed payment to the best technical critique of a very specific, well-defined cryptographic primitive.
> "The AES competition was a tournament designed to select the best candidate from a collection of ciphers submitted by the world's best cryptographers."
Fair enough. And the focus is exclusively on the algorithm (which is good).
> "The Twofish bounty was a bounty that guaranteed payment to the best technical critique of a very specific, well-defined cryptographic primitive"
"the best technical critique" is still subjective.
In the context of a crypto competition that sort of bounty is a way to try to get more attention to your design, therefore making your candidate more likely to be selected. Many designs are rejected due to lack of analysis at the time of the selection process. It's better to pick a well-analyzed primitive than a not-so-well analyzed one that looks more solid but is more of a gamble.
It's fairly obvious that Telegram enjoys the challenge of designing their own crypto. The chances of them outsourcing the design are zero, because it will simply kill all the fun.
That's not too dissimilar to suggesting hiring an ISO-certified shop to redo your beautiful hand-optimized assembly code in industry-standard Java. It's a simplification, but I'm pretty sure a large chunk of HN can relate to how much of a killjoy letting others do the interesting parts is.
In the end, all these not-so-subtle backstabs and innuendos that they are just a bunch of annoying f#cking amateurs are counter-productive. They won't be using SSL, and $300K is not enough to run their custom crypto through an audit that will be good for all the "experts". Besides, the main issue with Telegram is not their crypto, it's not the contests, it's the fact that they got off on the wrong foot with the public applied crypto community. In theory, they should be fixing that, but in reality they don't seem to give a flying f#ck about it, which to me actually looks more like a show of backbone rather than of ignorance.
Ultimately they want the same thing as this Moxie person. They want less surveillance. Now pray tell why they should have their head repeatedly dunked in a toilet bowl every time their project gets a mention?
> It's fairly obvious that Telegram enjoys the challenge of designing their own crypto. The chances of them outsourcing the design are zero, because it will simply kill all the fun.
Great! I like to scribble out sponge functions while eating lunch. I've made a few toy stream ciphers. Crypto is fun as all hell, and it's a great way to learn things!
But novelty isn't really a good thing when it comes to actually depending on crypto. You want something that's been well studied by lots of smart people. To paraphrase Schneier (I believe), anyone can design an encryption process that they can't break - the real challenge is keeping the people who are smarter than you from breaking it as well.
Novelty is an _extremely_ bad reason to design and deploy cryptography.
> They want less surveillance. Now pray tell why they should have their head repeatedly dunked in a toilet bowl every time their project gets a mention?
Because the applied crypto community points out issue after issue after issue with their product and is met with variations of "nuh uh, it's fine!"
Bad crypto is worse than no crypto because either way the NSA is watching you, but when you use no crypto you're at least forced to admit to yourself that your adversary has you in their crosshairs.
> Because the applied crypto community points out issue after issue after issue with their product and is met with variations of "nuh uh, it's fine!"
Well, no. That's the thing. That's a Hollywood version of it. He said, she said, it's all a horrible piece of shit because of something someone else said earlier on an unrelated subject. What makes the rounds is the regurgitated abstract hate towards Telegram, whereby the factual matter has long been forgotten.
Let me put it this way - name a couple of open design issues with the current Telegram protocol.
"Let me put it this way - name a couple of open design issues with the current Telegram protocol."
Sorry, it doesn't work this way: 'When someone hands you a security system and says, "I believe this is secure," the first thing you have to ask is, "Who the hell are you?" Show me what you've broken to demonstrate that your assertion of the system's security means something.'
The GP said there were numerous issues identified with Telegram's design, all of which were brushed aside by Telegram devs. I asked to name a couple of them.
The use of encrypt and MAC is the one that should jump out at even a crypto neophyte.
There are some nice proofs around this[1] that I've read before. The important one is that encrypt then MAC guarantees INT-CTXT: it's computationally infeasible to produce a ciphertext not before sent by the sender. INT-CTXT implies INT-PTXT which is the weaker claim but typically the one people associate with the function of a MAC: that you can't forge a plaintext the sender never sent.
While E&M isn't immediately bad, it has been used as an avenue for attack[2]. If Telegram's aes_ige_decrypt() function accidentally overflows a buffer... and because they're doing E&M, it must call aes_ige_decrypt() on whatever message I decide to send it.
Now, Telegram can claim that those attacks don't apply because of their use of IGE, and they may very well be correct! But then we move into IGE: there are known attacks that show chosen error introductions can cause the stream to resynchronize without error[3]. What does that mean in practice? Who knows: we know IGE is broken, but we don't know how badly because no one actually studies IGE, or knows how it is implemented in this system!
The real failings here: Telegram uses a MAC with weaker security guarantees AND a cipher mode that would be charitably described as anonymous, instead of using a provably secure MAC along with well-studied modes.
Now, I'm a big security dummy (seriously), but if there's one thing people far smarter than me have banged into my head, it's this: you follow the well-beaten path precisely because it is well-beaten. When you start venturing off the trail into the woods of funky block cipher modes and known-problematic MAC modes, your margins get a lot thinner.
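The ordering point in the comment above (Encrypt-then-MAC lets the receiver reject a forged or corrupted ciphertext before the decryption routine ever touches it, while Encrypt-and-MAC forces the receiver to run the cipher on whatever bytes arrive) is easy to see in code. The following is an added example written for this thread, not code from Telegram or from any commenter. It uses a toy stream cipher (HMAC-SHA256 in counter mode) as an assumed stand-in for AES-IGE so that it runs on the Python standard library, and it records every call into the decryption routine so the two designs can be compared on the same tampered message.

```python
import hashlib
import hmac

# Constructed sample keys and nonce for the demo; nothing here is real key material.
ENC_KEY = b"demo-encryption-key-00000000000"
MAC_KEY = b"demo-mac-key-000000000000000000"
NONCE = b"constructed-nonce"[:16]        # 16-byte nonce shared by both schemes
NONCE_LEN, TAG_LEN = 16, 32


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy stream cipher: HMAC-SHA256 in counter mode. Assumed stand-in so the
    example needs no third-party library; it is NOT AES-IGE or any real mode."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        out += block
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cipher_decrypt(key: bytes, nonce: bytes, ct: bytes, log: list) -> bytes:
    """The decryption routine itself (the analogue of aes_ige_decrypt()).
    Every call is logged so we can see when untrusted bytes reach it."""
    log.append("decrypt")
    return xor_bytes(ct, keystream(key, nonce, len(ct)))


# --- Encrypt-then-MAC: the tag covers the ciphertext ------------------------
def etm_encrypt(pt: bytes) -> bytes:
    ct = xor_bytes(pt, keystream(ENC_KEY, NONCE, len(pt)))
    tag = hmac.new(MAC_KEY, NONCE + ct, hashlib.sha256).digest()
    return NONCE + ct + tag


def etm_decrypt(msg: bytes, log: list):
    nonce, ct, tag = msg[:NONCE_LEN], msg[NONCE_LEN:-TAG_LEN], msg[-TAG_LEN:]
    expected = hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        log.append("reject")           # rejected before the cipher runs
        return None
    return cipher_decrypt(ENC_KEY, nonce, ct, log)


# --- Encrypt-and-MAC: the tag covers the plaintext --------------------------
def eam_encrypt(pt: bytes) -> bytes:
    ct = xor_bytes(pt, keystream(ENC_KEY, NONCE, len(pt)))
    tag = hmac.new(MAC_KEY, pt, hashlib.sha256).digest()
    return NONCE + ct + tag


def eam_decrypt(msg: bytes, log: list):
    nonce, ct, tag = msg[:NONCE_LEN], msg[NONCE_LEN:-TAG_LEN], msg[-TAG_LEN:]
    # The tag is over plaintext, so the receiver has no choice but to decrypt
    # attacker-controlled bytes before it can verify anything.
    pt = cipher_decrypt(ENC_KEY, nonce, ct, log)
    expected = hmac.new(MAC_KEY, pt, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        log.append("reject")
        return None
    return pt


def tamper(msg: bytes) -> bytes:
    """Constructed corruption: flip one bit in the first ciphertext byte."""
    body = bytearray(msg)
    body[NONCE_LEN] ^= 0x01
    return bytes(body)


def demo(pt: bytes = b"constructed sample plaintext") -> dict:
    """Round-trip both schemes, then feed each a tampered message and report
    whether it was accepted and which routines ran."""
    result = {}
    schemes = (("etm", etm_encrypt, etm_decrypt), ("eam", eam_encrypt, eam_decrypt))
    for name, enc, dec in schemes:
        good_log, bad_log = [], []
        result[f"{name}_roundtrip"] = dec(enc(pt), good_log) == pt
        result[f"{name}_tampered_result"] = dec(tamper(enc(pt)), bad_log)
        result[f"{name}_tampered_log"] = bad_log
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Both schemes reject the tampered message, but the logs differ: Encrypt-then-MAC records only `reject`, while Encrypt-and-MAC records `decrypt` followed by `reject`. That second log line is exactly the exposure the comment describes: any defect in the decryption routine is reachable by whoever can put bytes on the wire, because verification cannot happen until after decryption.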
It's been a while since I looked at anything in Telegram and I forget what MAC they use. That diagram makes it look like instead of a MAC, they're using a simple digest of the message --- which is not a MAC.
If I find a few small flaws that are problematic, but not enough to claim the prize, I'll definitely keep them to myself until the contest ends. Instead of incentivizing people to share vulnerabilities with them, they incentivize hoarding bugs.
A PR stunt has side benefits besides pure security, even though the method has shortcomings. Namely, the PR part, which may play a significant role in its actual success.
We know for a fact that most people aim for better known than just better.
There's the "well known" you get after holding a big contest, and the even better known you get after you're prominently featured in indictments, the way Hushmail and Lavabit were.
They don't have nearly as many users to face that indictment at this point in time, which is why they can afford to pull this. Like I said, there are shortcomings in this, but if anything, that does attract more attention to OTR.
But contests like this are a bad idea for another reason: people will hoard bugs instead of disclose, sometimes for years. For example, the Pwn2Own contest boosted the discovery and disclosure of bugs in browsers for the first few years, but now companies have co-opted it into a marketing event. They sit on exploits in order to win two or three years from now.
I noticed a bug in one of the Telegram clients when the first contest was announced, but it wouldn't have qualified. Now the reward has tripled, and the scope expanded. As the user base grows, the reward will go up again (and again), and I'm sure no one will claim the bug since real experts have better things to do, so maybe it's smart to wait, maybe not...
Telegram, and other projects thinking of doing this: think small. In the lottery model, there is one big winner; you should prefer a model with many (smaller) winners. Pay for patches that improve the quality of the code base, fix compiler warnings, improve documentation, etc. Many grains of sand will sink a ship.
Maybe restating the obvious, but why don't they pay out the 300k to some professional pen testers or cryptography auditors and publish the results. At least then they would have a shot at validity in this area.
"Security audit firm finds 9 flaws in Telegram" doesn't seem quite as compelling as "Telegram is willing to give anyone $300k to 'break its crypto'".
They could do that: pay $300k for professionals to maybe or maybe not find something, and get limited PR.
Or, what they do now: Get good PR and if someone manages to win the competition, it means they found flaws which the pros would, hopefully, also have found. If no one wins, they can then use the $300k to get pros on it. Win-win if you ask me.
I like how Telegram is truly cross-platform, with the clients being open source and available on every platform. They usually look great and are simple to use, which is why Telegram is the only non-WhatsApp IM that more than 3 of my contacts use.
It also works with multiple devices connected*, which is another pro against many other IMs.
What I dislike is that even though Telegram advertises their messages as "private" and "heavily encrypted" on their landing page, secure chats are NOT the default, do not work in group chats and do not work across multiple devices. I am aware that this requires encryption for every recipient, but that shouldn't be an issue. TextSecure actually came up with a great solution [1] for this. What I also do not understand is why they are rolling their own crypto. They say it's for speed and stability [2], but don't provide any facts or measures. The fact that the server is closed source and that the founders come from VK (a Russian Facebook alternative) doesn't make this any better.
All in all I consider Telegram a great alternative to WhatsApp, but I wouldn't rely on it for secure messaging.
Though the Direct Debit guarantee gives an automatic right to a no-questions asked instant refund.
Not even having a provably validly signed mandate protects merchants against a refund (the merchant's recourse is small claims court), so while it's a nuisance, and while some people do get defrauded by not paying attention to their statements, the article overstates things: if he "lost" money it'll be because he chose not to demand a refund.
In order to get the amount, you need to send an email to the secret email address of the message, containing your bank account details. Nigerian prince scams also say that.
I give them, or anyone, credit for trying to create a secure messenger. It is not easy. However, I just wish they would release the source code to their clients and server. They have not. That would go a long way.
Unfortunately, those are not real alternatives to Telegram. Telegram is meant to be a WhatsApp replacement.
WhatsApp thrives because in many places, SMS costs are prohibitive (so TextSecure is not an option). In addition, it requires no registration and doesn't rely on external services (so ChatSecure is also out of the question).
Textsecure for Android uses wifi/reg data and SMS if you want. Signal, the version for iOS with combined Redphone + TextSecure will be data too. Soon they will also allow email identity instead of only phone numbers. WhatsApp requires just as much registration as TS, and you have to allow WhatsApp full permissions to mine your entire device from reading SMS to /sdcard.
Telegram allows you to use the same account on multiple devices, which is the main reason why I use it. It's also independent of Facebook, which many people don't trust.
Doesn't TextSecure use some non-conventional cryptographic constructs, too?
It's just that I heard some concerns about the key exchange (that triple Diffie-Hellman exchange) not having a formal security proof, although I'm completely incompetent to evaluate whether those were valid concerns or just some chatter.
I have no idea whether and how broken IGE is. I heard nobody even cared to evaluate that. Boils down to "no formal proofs (but likely to be broken)".
At the same time, I heard the concern that there are no security proofs on the key exchange and it may have issues. Since, as a commoner, I can't evaluate it any further than this, it boils down to "no formal proofs (although hoped to be fine)", too.
Those are surely different cases. I'm just concerned over what I use (TextSecure), though.
If it makes you feel any better, after the paper published last week, it looks like TextSecure is the closest of all the messaging applications to any kind of formal proof.
No. Download the iOS app for instance. It is very, very old compared to what is available in the app store. So there is no way to really verify the client either today.
Well, it is a client-side encryption app. If the encryption, public key authentication, etc. is being done well on the client, then the server's only purpose should be routing garbled ciphertext between users and managing things like login, etc.
> To prove that the competition was fair, we will add a command that returns the keys used for encryption as soon as a winner is announced.
So, using a bug-prone process (software development) we will alter the software after the fact to introduce a feature which, if it escapes the sandbox and gets into the wrong build, will potentially reveal the secret keys of all users.
Even ignoring that $300k isn't that much for most companies, there's insurance for big prize payouts where you'd pay the expected % time you'd have to pay out times the prize amount, plus a vig for the insurance provider.
The comments here are showing me that this contest is a good idea, because everyone is talking about Telegram. It doesn't matter that they're mostly saying they don't trust it. Without the contest, most people wouldn't even have heard of this app in the first place.
It's worth noting that the contest caused people here to talk about how Telegram's model of security and their approach to testing that security have flaws.
But as is shown by the fact that they are running this contest, plenty of people who are not here see the contest and believe it is an indication of the trust they should have in Telegram. Otherwise, they wouldn't have run another contest after the response on HN to the last one.
The contest is a bad idea because for the people who don't see our discussion here, they will be tempted to trust their sensitive data to Telegram. For lots of people around the world, that trust could put them at risk of serious harm.
I should have said "good idea for Telegram". I can see why the contest, and Telegram's general approach, is a bad idea for everyone as a whole, but IMO this is the best advertising $300,000 can buy.
https://www.schneier.com/crypto-gram-9812.html
https://news.ycombinator.com/item?id=6913456