Telegram is a smartphone messenger that positions itself as secure, protecting not only against ordinary intruders but also against state agencies such as the NSA. To achieve this, Telegram uses its own cryptographic protocol, MTProto, whose reliability many people doubt, and so do I.
After the prize for decrypting messages was announced, I tried to understand MTProto. That a captured set of bytes cannot be decrypted (or at least not easily) is clear at once, but eavesdropping on the messenger's traffic is not the only kind of attack.
My first thought was a MITM (man-in-the-middle) attack, so I went to read the API protocol. It turned out that this part is protected quite well: on the first launch the client creates an authorization key directly on the device using the Diffie-Hellman key exchange, with one twist: the Telegram server's public key is already hard-coded in the client, which rules out its substitution by a third party.
Then I installed the client and entered my phone number, and what surprised me most was that I did not need to enter a password; instead, a one-time five-digit verification code arrives on the phone. I took a second phone, installed the client, entered the same number as the first time, the five-digit code arrived, I entered it on phone number 2 and logged in successfully. That is the first vulnerability. Telegram has bolted on a lot of algorithms and ruled out interception and substitution of traffic, but forgot the banal password. An attacker does not need to listen to the messenger's traffic at all; intercepting the SMS is enough, and access is obtained without any trouble.
Moving on. Telegram has chats with end-to-end encryption, where the key is known only to the interlocutors and messages are encrypted with it. This key is obtained with the same Diffie-Hellman algorithm. Many users ask for the ability to exchange public keys via NFC or QR codes in order to rule out MITM attacks completely, including ones mounted by the Telegram server itself. Employees of Digital Fortress (the company that developed the messenger) say that such functionality is unnecessary (which is already suspicious), and that to make sure nobody has replaced the public key generated by your interlocutor you can compare the visualization of the key (in the form of a picture).
And here there are a couple of buts:
After one of the interlocutors logs out, the key for the chat is regenerated, and the only way to verify that I have the same key as my interlocutor is to look at his phone with my own eyes. Why do I need an encrypted chat if the interlocutor is a meter away from me?
And my eye caught this pseudocode:
key = (pow(g_b, a) mod dh_prime) xor nonce
This is how the shared secret key is computed in the DH algorithm, almost. Let me remind you that the original DH algorithm has the form
key = pow(g_b, a) mod dh_prime
Variables in the expressions:
- key – the secret key used to encrypt traffic,
- g_b – the interlocutor's public key,
- a – your private key,
- dh_prime – a public prime number,
- nonce – the "random" sequence received from the Telegram server and mixed into the key computation.
Question! Why this modification of the algorithm? If the nonce is the same for both clients, it merely scrambles the key without making it any safer. But if it is different, the Telegram server can choose a nonce such that the users' keys coincide even under a MITM attack, and nobody will know they are being listened to. And even if the nonce coincides for the two interlocutors today, there is no guarantee it will coincide tomorrow, when the NSA / FSB / some other fine organization shows up at the Digital Fortress office.
To clarify, let us turn to Alice and Bob. The attack can proceed as follows:
- Alice starts a secret chat with Bob and tells the Telegram server so. The server gives Alice a prime number (p) and a primitive root modulo p (g). Alice generates her private key (a) and from it her public key (A), which she sends to the server.
- The server generates its own key pair (t and T) and passes T to Bob under the guise of Alice's public key. Together with T it passes g, p and a random sequence (b_nonce).
- Bob likewise generates his keys (b, B) and computes the secret key s = (pow(T, b) mod p) xor b_nonce. He returns his public key (B) to the server.
- The server, knowing t, computes the same s, and on its basis a sequence that is anything but random: a_nonce = (pow(A, t) mod p) xor s. It passes T to Alice under the guise of Bob's public key and a_nonce under the guise of the random sequence.
- Alice computes (pow(T, a) mod p) xor a_nonce, which equals s, the very key Bob and the server hold.
- Bob looks at the key visualization on Alice's phone, sees the same key as his own, and uses the service without suspicion. Telegram, meanwhile, keeps logs for as long as it likes without any obstacle.
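The exchange above, carried through in code. This is an added example and not Telegram's code or the article's own: it uses a toy DH group (the Mersenne prime 2^127 - 1, chosen so pow() is fast; a real deployment uses a 2048-bit safe prime), a SHA-256 prefix as a stand-in for the key visualization, and assumes the server-supplied nonce is as wide as the DH output so the xor can reach any target value. The first function shows that an active server on plain DH leaves Alice and Bob with different keys (the pictures would differ); the second shows how a_nonce chosen as in the list above makes the pictures match while the server holds the key.

```python
import hashlib
import secrets

# Toy DH group, constructed for this example: the Mersenne prime 2^127 - 1
# keeps pow() fast. A real deployment would use a 2048-bit safe prime.
P = (1 << 127) - 1
G = 3
KEY_BYTES = (P.bit_length() + 7) // 8


def gen_private() -> int:
    """Private exponent in [2, P-2]."""
    return secrets.randbelow(P - 3) + 2


def public(priv: int) -> int:
    """Public value g^priv mod p."""
    return pow(G, priv, P)


def dh(their_pub: int, my_priv: int) -> int:
    """Plain Diffie-Hellman: pow(g_b, a) mod dh_prime."""
    return pow(their_pub, my_priv, P)


def fingerprint(key: int) -> str:
    """Stand-in for the key picture the interlocutors compare by eye."""
    return hashlib.sha256(key.to_bytes(KEY_BYTES, "big")).hexdigest()[:16]


def server_mitm_plain_dh() -> dict:
    """Active server on classic DH: it can read both directions, but Alice's
    and Bob's keys differ, so comparing fingerprints exposes the attack."""
    a, b, t = gen_private(), gen_private(), gen_private()
    A, B, T = public(a), public(b), public(t)
    alice_key = dh(T, a)   # Alice was handed T instead of B
    bob_key = dh(T, b)     # Bob was handed T instead of A
    return {
        "fingerprints_match": fingerprint(alice_key) == fingerprint(bob_key),
        "server_reads_alice": dh(A, t) == alice_key,
        "server_reads_bob": dh(B, t) == bob_key,
    }


def server_mitm_nonce_dh() -> dict:
    """Same attack against key = dh(...) xor nonce with a server-chosen nonce
    (assumed here to be as wide as the DH output)."""
    a, b, t = gen_private(), gen_private(), gen_private()
    A, B, T = public(a), public(b), public(t)

    # Bob's side: receives T as "Alice's key" plus a server-chosen b_nonce.
    b_nonce = secrets.randbits(P.bit_length())
    bob_key = dh(T, b) ^ b_nonce

    # Server's side: it knows t, so it knows Bob's key s, and it knows what
    # Alice's raw DH value will be, since dh(T, a) == dh(A, t). It picks
    # a_nonce so that Alice's xor lands exactly on s.
    s = dh(B, t) ^ b_nonce
    a_nonce = dh(A, t) ^ s

    # Alice's side: receives T as "Bob's key" plus the rigged a_nonce.
    alice_key = dh(T, a) ^ a_nonce

    return {
        "fingerprints_match": fingerprint(alice_key) == fingerprint(bob_key),
        "server_reads_alice": s == alice_key,
        "server_reads_bob": s == bob_key,
    }


if __name__ == "__main__":
    print("plain DH under MITM:", server_mitm_plain_dh())
    print("nonce DH under MITM:", server_mitm_nonce_dh())
```

The practical lesson is the one the article draws: no value supplied by an untrusted party may be mixed into the key after the DH step, and out-of-band comparison of the key fingerprint only detects a MITM when the attacker has no such knob to turn.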
So is it worth using? If you need a simple, fast chat, Telegram is a great application. If you are paranoid, then you definitely should not use it. Because even if I am mistaken and have written complete heresy, Telegram still knows everything about you: phone number, contacts, SMS messages, location, with whom and when you communicate. Take a look at the application's permission list. In short, my opinion: Telegram is a fast, convenient, but not at all private chat.
UPD: The story ended well. The vulnerability has been fixed, the documentation and the applications have been updated,
and bug hunters are motivated, which has already produced results (1, 2). Credit is due to the Telegram developers, who reacted to the article immediately.