$300k for Cracking Telegram Encryption (telegram.org)
126 points by techquery on Nov 4, 2014 | hide | past | favorite | 90 comments



Obligatory:

https://www.schneier.com/crypto-gram-9812.html

$300,000 isn't a whole lot more than it would cost to get an entire novel cryptosystem for a complex application built out of idiosyncratic components assessed professionally. They should just retain Riscure or Rambus to do that for them instead of the PR stunt.

Previous thread about Telegram on HN, featuring Moxie Marlinspike:

https://news.ycombinator.com/item?id=6913456




See the discussion below between Telegram and the author of the post. A lot of good information there.


What's the mathematical expectation of "Let's pay $300K for the security analysis?"

–$300 000, and good publicity among security experts.

What's the mathematical expectation of "Let's start a contest with $300K for dealing with our crypto on our terms (assuming 5% of success)"?

–$15 000, and much larger PR effect. ($300K-resistant crypto, yay!)

Seems to be an easy choice, unfortunately.


They could probably even purchase insurance against their loss. They just need to convince a prize indemnity insurance company that their security is unlikely to be broken, which might itself necessitate a $300 000 security audit...


Depends if your goal is security or publicity.


See https://news.ycombinator.com/item?id=6931457 as well.

> They should just retain Riscure or Rambus to do that for them instead of the PR stunt.

I'd love to go back through either of the previous threads and count to see how many people were saying "well, if no one can successfully win the challenge, they can use the money for a security audit!" like they are right now.

Telegram is pretty clearly a bad player that should be avoided.


They use 128 bits of a SHA-1 key in 2014. I'd say it's pretty clear their security is a gimmick only.

https://konklone.com/post/why-google-is-hurrying-the-web-to-...

From the contest: "This can happen if a security check is failed, or in the case that the first 128 bits of the SHA-1 of the newly created encryption key don't match on both parties' clients when this stage is completed (this corresponds to Paul and Nick comparing the key visualizations for the Secret Chat in their Telegram apps)."


Also relevant since the way the clients compare keys is sha-1:

https://www.schneier.com/blog/archives/2012/10/when_will_we_... "2^11 * 2^8.4 = 2^19.4 ~ $700K by 2015"

The cost of brute forcing the answer is greater than the prize for the contest.

"This can happen if a security check is failed, or in the case that the first 128 bits of the SHA-1 of the newly created encryption key don't match on both parties' clients when this stage is completed (this corresponds to Paul and Nick comparing the key visualizations for the Secret Chat in their Telegram apps)."


So, given the contest would "succeed" (or "fail", depending on the viewpoint) with no one getting the prize, the only thing we could be more or less certain of, is that no one would likely consider cracking Telegram under given conditions for $300K in 2 months. Or maybe I'm missing something.


Yep. Unless there is a bug in the bot or their implementation isn't as described, no one will crack it, so it's a very safe bet for them.

This contest basically admits it's crackable for more than $300k as well. They even reduced the number of bits for a collision. :/


" The best products/systems/protocols/algorithms available today have not been the subjects of any contests, and probably never will be."

No? Doesn't this fit the definition of a contest? http://en.wikipedia.org/wiki/Advanced_Encryption_Standard_pr...

Yes, the fairness of the contest plays an important part, and a fair contest where only the algorithm is analysed goes a long way.

"Just because no one wins a contest doesn't mean the target is secure...it just means that no one won."

Of course. But the fact that it passed revision by experts means it is (probably) safe today (and for what it is known, it might be trivially breakable "behind closed doors")

"Our Twofish cryptanalysis contest offers a $10K prize for the best negative comments on Twofish that aren't written by the authors. "

Ah ok, so contests suck, except for the ones we throw. Nice.

"There are no arbitrary definitions of what a winning analysis is." No? So what is "best negative comment"? It's still subjective. And the 2nd best gets nothing? Who determines that?


No, you're playing a semantic game with the word "contest" here. The AES competition was a tournament designed to select the best candidate from a collection of ciphers submitted by the world's best cryptographers.

The Twofish bounty was a bounty that guaranteed payment to the best technical critique of a very specific, well-defined cryptographic primitive.


> "The AES competition was a tournament designed to select the best candidate from a collection of ciphers submitted by the world's best cryptographers."

Fair enough. And the focus is exclusively on the algorithm (which is good).

> "The Twofish bounty was a bounty that guaranteed payment to the best technical critique of a very specific, well-defined cryptographic primitive"

"the best technical critique" is still subjective.


It guaranteed payment. It didn't try to prove a negative. It started from the presumption that there would be solid critiques.


How many comments were received/paid?

There's an undated article https://www.schneier.com/twofish-contest.html pointing to a dead link


In the context of a crypto competition that sort of bounty is a way to try to get more attention to your design, therefore making your candidate more likely to be selected. Many designs are rejected due to lack of analysis at the time of the selection process. It's better to pick a well-analyzed primitive than a not-so-well analyzed one that looks more solid but is more of a gamble.


$300,000 is nothing to sneeze at. I imagine someone could hack chat clients, extract private keys and claim the prize.


Under the rules of the challenge, that isn't possible since the "clients" aren't real and it's just a bot they wrote. :P

All you are getting is the over-the-wire exchanges, which makes it kind of a joke.

The part that is actually vulnerable to attack is the way the client functions and handles keys.

MitMing after a key exchange isn't helpful since it's like getting the PGP text after it's encrypted. You have to brute force the keys at that point.


The big difference is that with one of the two options they don't actually have to spend the $300,000.


It's fairly obvious that Telegram enjoys the challenge of designing their own crypto. The chances of them outsourcing the design are zero, because it will simply kill all the fun.

That's not too dissimilar to suggesting hiring an ISO-certified shop to redo your beautiful hand-optimized assembly code in an industry-standard Java. It's a simplification, but I'm pretty sure a large chunk of HN can relate to how much of a killjoy letting others do the interesting parts is.

In the end all these not-so-subtle backstabs and innuendos that they are just a bunch of annoying f#cking amateurs is counter-productive. They won't be using SSL and $300K is not enough to run their custom crypto through an audit that will be good for all the "experts". Besides, the main issue with the Telegram is not their crypto, is not the contests, it's the fact that they got off the wrong foot with the public applied crypto community. In theory, they should be fixing that, but in reality they don't seem to give a flying f#ck about it, which to me actually looks more like a show of a backbone rather than of an ignorance.

Ultimately they want the same thing as this Moxie person. They want less surveillance. Now pray tell why they should have their head repeatedly dunked in a toilet bowl every time their project gets a mention?


> It's fairly obvious that Telegram enjoys the challenge of designing their own crypto. The chances of them outsourcing the design are zero, because it will simply kill all the fun.

Great! I like to scribble out sponge functions while eating lunch. I've made a few toy stream ciphers. Crypto is fun as all hell, and it's a great way to learn things!

But novelty isn't really a good thing when it comes to actually depending on crypto. You want something that's been well studied by lots of smart people. To paraphrase Schneier (I believe), anyone can design an encryption process that they can't break - the real challenge is keeping the people who are smarter than you from breaking it as well.

Novelty is an _extremely_ bad reason to design and deploy cryptography.

> They want less surveillance. Now pray tell why they should have their head repeatedly dunk in a toilet bowl every time their project gets a mention?

Because the applied crypto community points out issue after issue after issue with their product and is met with variations of "nuh uh, it's fine!"

Bad crypto is worse than no crypto because either way the NSA is watching you, but when you use no crypto you're at least forced to admit to yourself that your adversary has you in their crosshairs.


> Because the applied crypto community points out issue after issue after issue with their product and is met with variations of "nuh uh, it's fine!"

Well, no. That's the thing. That's a Hollywood version of it. He said, she said, it's all a horrible piece of shit, because of something someone else said earlier on an unrelated subject. What makes the rounds is the regurgitated abstract hate towards Telegram, whereby the factual matter has been long forgotten.

Let me put it this way - name a couple of open design issues with the current Telegram protocol.


"Let me put it this way - name a couple of open design issues with the current Telegram protocol."

Sorry, it doesn't work this way: 'When someone hands you a security system and says, "I believe this is secure," the first thing you have to ask is, "Who the hell are you?" Show me what you've broken to demonstrate that your assertion of the system's security means something.'


Erm ... what "doesn't work this way"?

The GP said there were numerous issues identified with Telegram's design, all of which were brushed aside by Telegram devs. I asked to name a couple of them.


> Let me put it this way - name a couple of open design issues with the current Telegram protocol.

https://core.telegram.org/img/mtproto_encryption1.png

The use of encrypt and MAC is the one that should jump out at even a crypto neophyte.

There are some nice proofs around this[1] that I've read before. The important one is that encrypt then MAC guarantees INT-CTXT: it's computationally infeasible to produce a ciphertext not before sent by the sender. INT-CTXT implies INT-PTXT which is the weaker claim but typically the one people associate with the function of a MAC: that you can't forge a plaintext the sender never sent.

While E&M isn't immediately bad it has been used as an avenue for attack[2]. If Telegram's aes_ige_decrypt() function accidentally overflows a buffer... and because they're doing E&M it must call aes_ige_decrypt() on whatever message I decide to send it.

Now, Telegram can claim that those attacks don't apply because of their use of IGE, and they may very well be correct! But then we move into IGE: there are known attacks that show chosen error introductions can cause the stream to resynchronize without error[3]. What does that mean in practice? Who knows: we know IGE is broken, but we don't know how badly because no one actually studies IGE, or knows how it is implemented in this system!

The real failings here: Telegram uses a MAC with less security guarantees AND a cipher mode that would be charitably described as anonymous, instead of using a provably secure MAC along with well-studied modes.

Now, I'm a big security dummy (seriously) but if there's one thing people far smarter than me have banged in my head, it's this: you follow the well-beaten path precisely because it is well-beaten. When you start venturing off the trail into the woods of funky block cipher modes and known-problematic MAC modes, your margins get a lot thinner.

[1]: http://cseweb.ucsd.edu/~mihir/papers/oem.pdf

[2]: http://www.thoughtcrime.org/blog/the-cryptographic-doom-prin...

[3]: https://groups.google.com/forum/#!topic/sci.crypt/4bkzm_n7UG...
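The two points argued in the comment above (encrypt-and-MAC forces the receiver to decrypt attacker-chosen ciphertext before any check, and a keyless digest gives no integrity at all) can be shown concretely. The following is an added example, not code from Telegram or MTProto: the "cipher" is a toy counter-mode keystream built from HMAC-SHA256 so that the whole thing runs on the standard library, standing in for any malleable mode rather than for AES-IGE, and the message layout (nonce, ciphertext, tag) is an assumption made for the demonstration. Scheme A seals with a keyless SHA-1 digest of the plaintext in the encrypt-and-MAC position; Scheme B seals with encrypt-then-HMAC. An attacker who knows (or guesses) the plaintext, and holds no key, can rewrite a Scheme A message and it is accepted; the same tampering is rejected by Scheme B before the decryptor is ever called.

```python
"""Added example: keyless digest vs. keyed MAC, and E&M vs. EtM.
Toy keystream stands in for a malleable cipher mode; not Telegram's code."""
import hashlib
import hmac
import os


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream: HMAC-SHA256(key, nonce || counter)."""
    out = b""
    ctr = 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# --- Scheme A: encrypt-and-digest; no secret enters the "MAC" ---

def seal_digest(key: bytes, nonce: bytes, plaintext: bytes) -> tuple:
    ct = xor(plaintext, keystream(key, nonce, len(plaintext)))
    tag = hashlib.sha1(plaintext).digest()[:16]  # keyless: anyone can compute this
    return nonce, ct, tag


def open_digest(key: bytes, msg: tuple):
    nonce, ct, tag = msg
    # Doom principle: the receiver has to decrypt before it can check anything.
    pt = xor(ct, keystream(key, nonce, len(ct)))
    if hmac.compare_digest(hashlib.sha1(pt).digest()[:16], tag):
        return pt
    return None


# --- Scheme B: encrypt-then-HMAC with a separate MAC key ---

def seal_etm(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> tuple:
    ct = xor(plaintext, keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce, ct, tag


def open_etm(enc_key: bytes, mac_key: bytes, msg: tuple):
    nonce, ct, tag = msg
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # rejected before the decryptor sees attacker-controlled bytes
    return xor(ct, keystream(enc_key, nonce, len(ct)))


# --- Attacker: knows the plaintext, holds no key ---

def forge_digest_message(msg: tuple, known_pt: bytes, new_pt: bytes) -> tuple:
    """Rewrite a Scheme A message to decrypt to new_pt (same length as known_pt)."""
    nonce, ct, tag = msg
    if len(known_pt) != len(new_pt):
        raise ValueError("toy forgery keeps the length unchanged")
    new_ct = xor(ct, xor(known_pt, new_pt))        # malleability: flip the bits you want
    new_tag = hashlib.sha1(new_pt).digest()[:16]   # no key needed to make the tag match
    return nonce, new_ct, new_tag


def demo() -> tuple:
    """Returns (forgery accepted by scheme A, same tampering rejected by scheme B)."""
    enc_key, mac_key, nonce = os.urandom(32), os.urandom(32), os.urandom(8)
    pt = b"PAY 0100 TO ALICE"     # constructed sample message
    evil = b"PAY 9999 TO MALLO"   # same length, attacker's choice
    forged = forge_digest_message(seal_digest(enc_key, nonce, pt), pt, evil)
    forged_accepted = open_digest(enc_key, forged) == evil
    n, ct, tag = seal_etm(enc_key, mac_key, nonce, pt)
    tampered = (n, xor(ct, xor(pt, evil)), tag)
    etm_rejected = open_etm(enc_key, mac_key, tampered) is None
    return forged_accepted, etm_rejected


if __name__ == "__main__":
    print(demo())  # (True, True)
```

The design point is the one the comment makes: a tag that anyone can recompute is a checksum, not a MAC, and placing even a real MAC beside the ciphertext rather than over it means the decryptor runs on unauthenticated input. Encrypt-then-MAC over (nonce, ciphertext) with its own key removes both problems at once.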


What actual MAC is that?


What actual MAC is what?

Sorry, I'm a bit confused by the question :)


It's been awhile since I looked at anything in Telegram and I forget what MAC they use. That diagram makes it look like instead of a MAC, they're using a simple digest of the message --- which is not a MAC.


Heh. I just looked again and had misread their specs: I thought the shared secret went into their SHA-1. You are correct, they just take a digest.

So I can make any message look OK just by hashing the plaintext. Heh. Wonder what that KDF looks like...


OTOH it is enough money to get a few interested amateurs going at it I would think.

Not that it proves anything very much if it's not claimed.


It's even counter-productive:

If I find a few small flaws that are problematic, but not enough to claim the prize, I'll definitely keep them to myself until the contest ends. Instead of incentivizing people to share vulnerabilities with them, they incentivize hoarding bugs.


PR stunt has side benefits besides pure security even though the method has shortcomings. Namely, the PR part, which may play a significant role in its actual success.

We know for a fact that most people aim for better known than just better.


There's the "well known" you get after holding a big contest, and the even better known you get after you're prominently featured in indictments, the way Hushmail and Lavabit were.

Not so many news stories about simple OTR.


They don't have nearly as many users to face that indictment at this point in time, which is why they can afford to pull this. Like I said, there are shortcomings in this, but if anything, that does attract more attention to OTR.


But without the PR stunt there wouldn't be PR?


Depends who your audience is. Personally I'm much more interested in a service with a successful professional audit than a gimmicky prize.


well if no one will manage to break it, surely they can spend the money on proper audit.


If no one wins the contest, it proves nothing.

But contests like this are a bad idea for another reason: people will hoard bugs instead of disclose, sometimes for years. For example, the Pwn2Own contest boosted the discovery and disclosure of bugs in browsers for the first few years, but now companies have co-opted it into a marketing event. They sit on exploits in order to win two or three years from now.

I noticed a bug in one of the Telegram clients when the first contest was announced, but it wouldn't have qualified. Now the reward has tripled, and the scope expanded. As the user base grows, the reward will go up again (and again), and I'm sure no one will claim the bug since real experts have better things to do, so maybe it's smart to wait, maybe not...

Telegram, and other projects thinking of doing this: think small. In the lottery model, there is one big winner; you should prefer a model with many (smaller) winners. Pay for patches that improve the quality of the code base, fix compiler warnings, improve documentation, etc. Many grains of sand will sink a ship.


Maybe restating the obvious, but why don't they pay out the 300k to some professional pen testers or cryptography auditors and publish the results. At least then they would have a shot at validity in this area.


"Security audit firm finds 9 flaws in Telegram" doesn't seem quite as compelling as "Telegram is willing to give anyone $300k to 'break its crypto'".


They could do that: Pay $300k for professionals to maybe or maybe not find something, and get limited PR

Or, what they do now: Get good PR and if someone manages to win the competition, it means they found flaws which the pros would, hopefully, also have found. If no one wins, they can then use the $300k to get pros on it. Win-win if you ask me.


> Win-win if you ask me.

For the company, maybe.

If you're a user of their half-baked crypto you're playing a high stakes game with a partner that isn't actually interested in keeping you safe.


Free PR


Maybe they did?


I have different opinions about Telegram.

I like how Telegram is truly cross-platform with the clients being open source and available on every platform. They usually look great and are simple to use, which is why Telegram is the only non-whatsapp IM that more than 3 of my contacts use. It also works with multiple devices connected*, which is another pro against many other IMs.

What I dislike is that even though Telegram advertises their messages as "private" and "heavily encrypted" on their landing page, secure chats are NOT the default, do not work in group chats and do not work across multiple devices. I am aware that this requires encryption for every recipient, but that shouldn't be an issue. TextSecure actually came up with a great solution [1] for this. What I also do not understand is why they are rolling their own crypto. They say it's for speed and stability [2], but don't provide any facts or measures. The fact that the server is closed source and the founders coming from VK (a Russian Facebook alternative) doesn't make this any better.

All in all I consider Telegram a great alternative to WhatsApp, but I wouldn't rely on it for secure messaging.

1: https://whispersystems.org/blog/private-groups/

2: https://core.telegram.org/techfaq#q-why-are-you-not-using-x-...


Have the Nigerian 419 scams gotten more sophisticated?

"Your email must contain: . . - Your bank account details to receive the $300,000 prize."


And what else can I do with your bank account besides send you money?


You'd think nothing, but people have failed attempting to prove this before.

> "But Clarkson admitted he was "wrong" after he discovered a reader had used the details to create a £500 direct debit to the charity Diabetes UK."

http://news.bbc.co.uk/2/hi/7174760.stm


Though the Direct Debit guarantee gives an automatic right to a no-questions asked instant refund.

Not even having a provably validly signed mandate protects merchants against a refund (the merchant's recourse is small claims court), so while it's a nuisance, and while some people do get defrauded by not paying attention to their statements, the article overstates things: if he "lost" money it'll be because he chose not to demand a refund.


What....


In order to get the amount, you need to send an email to the secret email of the message, containing your bank account details. Nigerian prince scams also say that.


I get that, but I can't believe anyone that can crack encryption would send their banking information over email.


They already paid $100,000 for finding flaws in their system before:

https://vk.com/wall-52630202_7858


This contest is only valid if they provide access to their servers and databases. They will never prove, this way, that Telegram cannot crack itself.


Well:

  ...this time contestants can not only monitor traffic, but also act as the Telegram server and use active attacks


I give them, or anyone, credit for trying to create a secure messenger. It is not easy. However, I just wish they would release the source code to their clients and server. They have not. That would go a long way.


Both OTR (ChatSecure on your phone) and TextSecure are good options. Telegram is not a good option.


Unfortunately, those are not real alternatives to Telegram. Telegram is meant to be a WhatsApp replacement.

WhatsApp thrives because in many places, SMS costs are prohibitive (so TextSecure is not an option). In addition, it requires no registration and doesn't rely on external services (so ChatSecure is also out of the question).


Textsecure for Android uses wifi/reg data and SMS if you want. Signal, the version for iOS with combined Redphone + TextSecure will be data too. Soon they will also allow email identity instead of only phone numbers. WhatsApp requires just as much registration as TS, and you have to allow WhatsApp full permissions to mine your entire device from reading SMS to /sdcard.


Then use WhatsApp!


Telegram allows you to use the same account on multiple devices, which is the main reason why I use it. It's also independent of Facebook, which many people don't trust.


Doesn't TextSecure use some non-conventional cryptographic constructs, too?

It's just that I heard some concerns about the key exchange (that triple Diffie-Hellman exchange) not having a formal security proof, although I'm completely incompetent to evaluate whether those were valid concerns or just some chatter.


Are you comparing the Axolotl key ratchet Trevor Perrin designed to the 1980s throwback block cipher mode Telegram uses?


Yes and no.

I have no idea whether and how broken IGE is. I heard nobody even cared to evaluate that. Boils down to "no formal proofs (but likely to be broken)".

At the same time, I heard the concern that there are no security proofs on the key exchange and it may have issues. Since as a commoner I can't evaluate it any further than this, it boils down to "no formal proofs (although hoped to be fine)", too.

Those are surely different cases. I'm just concerned over what I use (TextSecure), though.


If it makes you feel any better, after the paper published last week, it looks like TextSecure is the closest of all the messaging applications to any kind of formal proof.


Not really. Sure, they may be more secure, but their user experience is really bad compared to Telegram.


because...?


http://www.cryptofails.com/post/70546720222/telegrams-crypta...

Because the designers have their heads firmly planted where the sun doesn't shine, for one.


as linked elsewhere in the thread, moxie offers an excellent explanation: http://www.thoughtcrime.org/blog/telegram-crypto-challenge/


[deleted]


Moxie is right. I barely know him and have no stake in TextSecure.


The majority of Telegram's source code seems to be released as free software: https://telegram.org/apps (scroll down)


No. Download the iOS app for instance. It is very, very old compared to what is available in the app store. So there is no way to really verify the client either today.


Just not the bit that matters (the servers).


Well, it is a client-side encryption app. If the encryption, public key authentication, etc. is being done well on the client, then the server's only purpose should be routing garbled ciphertext between users and managing things like login, etc.


I spectated this whole Telegram circus, and never for a moment thought they aren't disclosing the source code. This is hilarious!


>To prove that the competition was fair, we will add a command that returns the keys used for encryption as soon as a winner is announced.

So, using a bug-prone process (software development) we will alter the software after the fact to introduce a feature which, if it escapes the sandbox and gets into the wrong build, will potentially reveal the secret keys of all users.

Am I reading that right?


Slightly off topic, but I really like their icons on their front page. Very reminiscent of the vault boy icons in the newer fallout games.


Those are reminiscent of 1950s marketing art.


Which encryption? The end-to-end encryption that isn't even available by default for the vast majority of its users, or the SSL one?


When I see contests like this, my first thought always goes to "But do they really have the money to pay me if I figured it out."

For big prize payout contests, I'd get a lot more serious if they provided proof that the funds were waiting in escrow until end-date/winner.

But I'm probably unnecessarily suspicious of the depth of a startup's pockets...


It's not a 'startup'. It's a project by the founders of VK, and they surely have deep pockets.


Even ignoring that $300k isn't that much for most companies, there's insurance for big prize payouts where you'd pay the expected % time you'd have to pay out times the prize amount, plus a vig for the insurance provider.


For the cryptographic newb, can someone explain how this contest is rigged, and destined for failure, like the previous one apparently was?

The rules seem much more liberal this time, to my uneducated eyes...

Even if it's still a contest in bad faith, why not break it and claim the money?


> Your email must contain:
> - Your bank account details to receive the $300,000 prize.

Uh, no.


Bruce Schneier on Crypto Cracking Contests (1998) - https://www.schneier.com/crypto-gram-9812.html


The comments here are showing me that this contest is a good idea, because everyone is talking about Telegram. It doesn't matter that they're mostly saying they don't trust it. Without the contest, most people wouldn't even have heard of this app in the first place.


It's worth noting that the contest caused people here to talk about how Telegram's model of security and their approach to testing that security have flaws.

But as is shown by the fact that they are running this contest, plenty of people who are not here see the contest and believe it is an indication of the trust they should have in Telegram. Otherwise, they wouldn't have run another contest after the response on HN to the last one.

The contest is a bad idea because for the people who don't see our discussion here, they will be tempted to trust their sensitive data to Telegram. For lots of people around the world, that trust could put them at risk of serious harm.


I should have said "good idea for Telegram". I can see why the contest, and Telegram's general approach, is a bad idea for everyone as a whole, but IMO this is the best advertising $300,000 can buy.



