About the author: Moxie Marlinspike is a research hacker who invented the SSL-stripping attack (and found half a dozen vulnerabilities in SSL), the developer of Convergence, which is designed to replace lists of "trusted certificates", and a co-founder of Whisper Systems, which was bought by Twitter in 2011. The discussion on Hacker News is also worth reading.
This week, a company called Telegram announced a "secure" instant messenger. How secure is it? If you believe their FAQ, "very secure." That caught my interest, and I decided to read the description of their protocol. I immediately had some doubts and concerns (to put it mildly! Just half an hour ago this read "at first I thought it was Thomas Birdie deciding to troll" - translator's note). However, when people tried to get technical details out of them, they began listing their developers' degrees instead of engaging in a dialogue. In addition, they rejected all my offers of cooperation.
But that is not all. To calm the crypto community, they staged ... a hacking contest!
The hacking contest trap
A contest in itself is a bad sign (namely, bad sign number 9). The rules are designed to fool people into believing that Telegram is secure. Of course, they did not miss the opportunity to cite it in their FAQ as proof of the absolute security of the protocol. In fact, the contest is meaningless.
So, Telegram developers, I have a contest for you too. Below is an indescribably horrible "secure" protocol (one that would not last a second in real-world conditions), yet which is just as "unbreakable" under the conditions of your contest as your own protocol.
- Alice generates a random 32-byte number, super_secret, using Dual_EC_DRBG - a random number generator with an NSA backdoor.
- Alice sends a message to Bob requesting his public key.
- Bob sends bob_public, an 896-bit RSA key, to Alice. It is not signed by anything and is not verified. We just hope that no one thinks of a man-in-the-middle.
- Alice encrypts super_secret with bob_public and sends it to Bob. She uses textbook RSA - the empty space is filled with zeros rather than random bits, and e = 65537.
- Now Bob and Alice compute message_key = MD2(super_secret) (since you like outdated algorithms ...)
- Alice sends her message to Bob using XOR as the cipher: ciphertext = message XOR message_key.
So, we have a protocol that uses a backdoored random number generator, a weak public key scheme, and the worst possible hash function as a key derivation function, and the encryption itself is performed using XOR. If you need the traffic log of Alice and Bob's correspondence, it is at the end of the post.
The conditions of this contest are the same as those of Telegram's (no man-in-the-middle, no part of the correspondence is known, tampering with traffic is impossible, etc.). If the Telegram developers want to prove that their protocol is better than at least this one, I invite them to publish Alice's decrypted message. And if they cannot demonstrate a vulnerability even in such a leaky protocol while playing by their own rules, this will prove that their rules and their contest are bullshit.
And now I appeal to everyone else
Let's do everything the way it should be done. TextSecure, an open messenger that we develop at Open WhisperSystems, is based on the Axolotl ratchet scheme, which, in our opinion, should currently be the basis of any asynchronous messenger. By the way, our algorithm is used "under the hood" in CyanogenMod. In fact, we already have ten million more users than Telegram.
Join us. Help with development, design and writing documentation. You can also help financially - the author of each commit on GitHub receives a share of the funds raised, and you get the opportunity to know exactly how your money was spent.
Alice and Bob traffic log
Alice: 7075 626c 6963 206b 6579 2070 6c7a
Bob: 3081 8c30 0d06 092a 8648 86f7 0d01 0101
0500 037b 0030 7802 7100 acc3 ec17 9fea
0d19 b29d f347 cc62 423c 02d9 e49b ba54
b9a7 4cea 7c82 0f99 dcf1 c221 fca2 7882
0b67 4c7e 8d67 b0e5 4a2b 8873 438d ef0b
f5d1 6862 fecc ae0d 8736 5e69 cb5e 1346
f612 49d2 e8ce 1463 8be0 8022 8ef2 01d9
6917 6a03 19fc 2a03 ddad aad4 eb28 d655
107c 52bf c1ae e800 a501 0203 0100 01
Alice: 53ce e8e4 f6c4 b330 a6aa 0830 81f2 c5e3
00b2 c3ac 0e54 7cee c9a6 be0e 7a54 9bf0
dbf2 11c2 853a 8443 db72 4dcf 96ad bc9a
9373 5f68 6a33 0f5b ea49 f40b 8324 3f8a
168a 7d78 3e08 85a1 f774 7c6a 10f9 646c
a13e d6c3 00b3 670a 2af3 d2d6 b153 20b2
5b1c 2fd1 6599 989a 1938 2c18 1acf 68a5
Alice: 12a6 077f 4625 5523 c23b 2c43 e60f dd39