jensche
Harberts Renette
- Registered
- 27.10.04
- Posts
- 6,987
Purely in terms of the encryption, Telegram has not been cracked so far. Moreover, it has been open source for a long time.
Are Telegram secret chats secure assuming MTProto isn't?
For those who don't know: Telegram is a partially open source Whatsapp alternative (Server is closed source) which offers secret chats and normal chats. Secret chats are encrypted with Diffie-Hellm...
There's an important thing to note about this: MTProto, Telegram's bespoke encryption, is used for all chats, however for non-secret chats it is leveraged as client-server encryption.
Many other messaging apps use a separate client/server encryption protocol for this purpose. Several use TLS. The WhatsApp Security Whitepaper notes they use the Noise protocol when the client is a mobile device.
Telegram's mobile apps also use MTProto for this purpose. Where others are "belt and suspenders" with one transport encryption protocol securing client/server encryption, and another end-to-end encrypted messaging protocol securing asynchronous messages, aside from Telegram Web which uses HTTPS because that's what browsers support, Telegram is all in on MTProto, and MTProto alone provides client/server encryption for mobile devices, even for non-secret chats.
I can quickly go over why MTProto is bad. Here's some historical background:
https://blog.thijsalkema.de/blog/2014/04/02/breaking-half-of-the-telegram-contest/
https://www.cryptofails.com/post/70546720222/telegrams-cryptanalysis-contest
The modern bar for symmetric encryption was set in the early 2000s by Phil Rogaway and others with the formulation of Authenticated Encryption with Associated Data. This is a construction that can be generically composed from a cipher and a MAC using encrypt-then-MAC operation ordering. This was later formalized as IND-CCA3 (indistinguishability under chosen ciphertext attacks), which is demonstrated to be equivalent to authenticated encryption.
MTProto... doesn't use a MAC. It originally abused SHA1, and later SHA-256, in what would be the role of a MAC, but not instantiated as HMAC as would be the common way to do this, but rather trying to abuse a hash function as a sort of pseudo-MAC. The absence of a MAC in the protocol has left MTProto vulnerable to a number of attacks which simply do not exist in IND-CCA secure protocols which use authenticated encryption, including padding length extension and last block substitution attacks: https://pdfs.semanticscholar.org/93fe/3a5e70d64964e775ea77dcfaee218b8e62e1.pdf
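The encrypt-then-MAC composition the quoted answer describes, as an added example that is not code from the Stack Exchange answer, from this forum thread, or from Telegram. It uses a toy CTR-style stream cipher built from HMAC-SHA256 as a PRF (an assumption so the demo runs with the Python standard library only; MTProto itself uses AES in IGE mode, which this does not model), HMAC-SHA256 as the MAC over the ciphertext plus associated data, and a labelled HMAC key split that is likewise this example's choice. The two attack functions show the difference the answer is pointing at: the same one-byte ciphertext edit turns "100" into "900" undetected under plain encryption, and is rejected before any decryption happens under authenticated encryption.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional

TAG_LEN = 32
NONCE_LEN = 16


def derive_keys(master_key: bytes):
    """Split one master key into independent encryption and MAC keys.
    (Labelled HMAC derivation is this example's choice, not MTProto's key schedule.)"""
    enc_key = hmac.new(master_key, b"example-enc", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"example-mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """CTR-style keystream from HMAC-SHA256 used as a PRF: a toy stream cipher
    standing in for a real block cipher so the demo needs only the stdlib."""
    blocks = []
    for ctr in range((length + 31) // 32):
        blocks.append(hmac.new(key, nonce + struct.pack(">Q", ctr), hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Unauthenticated encryption/decryption: data XOR keystream. Like any
    unauthenticated cipher it is malleable: flipping a ciphertext bit flips the
    same plaintext bit on decryption, and nothing notices."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def _tag(mac_key: bytes, ad: bytes, nonce: bytes, ct: bytes) -> bytes:
    # Length-prefix the associated data so (ad, nonce||ct) splits unambiguously.
    msg = struct.pack(">Q", len(ad)) + ad + nonce + ct
    return hmac.new(mac_key, msg, hashlib.sha256).digest()


def aead_encrypt(master_key: bytes, plaintext: bytes, ad: bytes = b"",
                 nonce: Optional[bytes] = None) -> bytes:
    """Encrypt-then-MAC: the MAC covers the ciphertext (and AD), never the plaintext."""
    enc_key, mac_key = derive_keys(master_key)
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    ct = stream_xor(enc_key, nonce, plaintext)
    return nonce + ct + _tag(mac_key, ad, nonce, ct)


def aead_decrypt(master_key: bytes, blob: bytes, ad: bytes = b"") -> bytes:
    """Verify the tag in constant time BEFORE touching the ciphertext; reject on mismatch."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    enc_key, mac_key = derive_keys(master_key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(mac_key, ad, nonce, ct)):
        raise ValueError("authentication failed")
    return stream_xor(enc_key, nonce, ct)


def flip_byte(data: bytes, index: int, delta: int) -> bytes:
    """Attacker-side edit of one transmitted ciphertext byte."""
    out = bytearray(data)
    out[index] ^= delta
    return bytes(out)


# Constructed sample values for the demo (not taken from any real traffic).
MASTER = b"\x01" * 32
NONCE = b"\x02" * NONCE_LEN
PLAINTEXT = b"transfer 100 EUR"   # byte 9 is the '1'
DELTA = ord("1") ^ ord("9")        # XOR mask that turns '1' into '9'


def attack_without_mac() -> bytes:
    """Unauthenticated stream cipher: the edit goes through undetected."""
    enc_key, _ = derive_keys(MASTER)
    ct = stream_xor(enc_key, NONCE, PLAINTEXT)
    tampered = flip_byte(ct, 9, DELTA)
    return stream_xor(enc_key, NONCE, tampered)   # b"transfer 900 EUR"


def attack_with_mac() -> str:
    """Same edit against encrypt-then-MAC: rejected before decryption."""
    blob = aead_encrypt(MASTER, PLAINTEXT, ad=b"chat:42", nonce=NONCE)
    tampered = flip_byte(blob, NONCE_LEN + 9, DELTA)
    try:
        aead_decrypt(MASTER, tampered, ad=b"chat:42")
        return "accepted"
    except ValueError as e:
        return str(e)   # "authentication failed"


if __name__ == "__main__":
    print(attack_without_mac())
    print(attack_with_mac())
    print(aead_decrypt(MASTER, aead_encrypt(MASTER, PLAINTEXT, ad=b"chat:42"), ad=b"chat:42"))
```

The order matters: the receiver checks the tag over the ciphertext and rejects before decrypting anything, so it never acts on, or leaks an error about, plaintext derived from attacker-modified bytes. That is the property the answer means by attacks that "simply do not exist" once a real MAC sits in an encrypt-then-MAC composition.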
Yes, unfortunately that's how it is...
Absolutely, the usual line is: what does a small fry like me have to hide? Besides, switching is far too much of a hassle. I can't be bothered with that.