Four Attacks and a Proof for Telegram

We study the use of symmetric cryptography in the MTProto 2.0 protocol, Telegram’s equivalent of the TLS record protocol. We give positive and negative results. On the one hand, we formally and in detail model a slight variant of Telegram’s “record protocol” and prove that it achieves security in a suitable bidirectional secure channel model, albeit under unstudied assumptions; this model itself advances the state of the art for secure channels. On the other hand, we first motivate our modelling deviation from MTProto as deployed by giving two attacks – one of practical and one of theoretical interest – against MTProto without our modifications. We then give a third attack, exploiting timing side channels of varying strength in three official Telegram clients. On its own this attack is thwarted by the secrecy of the salt and id fields that are established by Telegram’s key exchange protocol. To recover these, we chain the third attack with a fourth one against the implementation of the key exchange protocol on Telegram’s servers. Taken together, our results provide the first comprehensive study of MTProto’s use of symmetric cryptography.