
Another libelous post by a US-government-affiliated "cryptographer". Perhaps next we will see other familiar faces chipping in, like tptacek from Matasano )

Impossible to succeed at this level without making a few enemies.


If you'd like to join our legal team you can reply with your résumé!


Not sure hiring a US security firm is a safer approach than crowdsourcing using the power of the global community.

After all, Matasano's tptacek obviously did spend some of his time inspecting and criticizing Telegram this week. However, he overlooked the 100K vulnerability that was later discovered by a Russian guy who considers himself a newbie in cryptography.

The other reason that makes me somewhat reluctant to spend money on hiring Matasano is the recent RSA-gate (and the strange role of tptacek in it).


I understand that you care about Telegram and want to defend it when it is attacked, but comments like this are inappropriate and will damage Telegram's reputation.

It is unfair to imply incompetence on tptacek's part given only that he spent some finite amount of time looking at your protocol and did not find the nonce vulnerability. It is also unfair to say that he didn't find any vulnerabilities despite the potential for a 100k reward as the potential for such a reward (outside of your specific contest) had not been stated clearly.

If you do in fact have evidence that tptacek was involved in RSA's deal with the NSA, you should state your accusations explicitly and provide that evidence. If you do not, I think the accusation is inappropriate and certainly counterproductive.

That said, I very much appreciate the resources you are donating to open source crypto software. It is undeniable that the potential for a 100k reward will send a lot of eyes to your source code. I would encourage you to also consider hiring a security firm (US based or otherwise) and to consider how your comments will affect public perception of Telegram.


Wow, you really are as arrogant as you seemed. I'm sorry, I'm normally not rude, but attacking tptacek like that? That's just pathetic, mate.

Oh, and the vuln was outside your contest. You gave him 100k, instead of the 200k because of that. No one knew that you'd pay out if they found something outside your competition. So saying that people here looked at it but missed that vuln because they didn't claim the reward is disingenuous -- it was outside the contest.

Nice ad hominem though. smh.


I'm with you on not trusting US companies, fine.

But you somehow expected tptacek to inspect and criticize Telegram with such scrutiny that he finds all of the problems pro bono? That's ridiculous.


What role did tptacek have in "RSA gate"? I think you've misunderstood what he was saying


Hiring a security firm to audit your architecture is safer than crowdsourcing your app's security. Why do you believe otherwise?


> However, he overlooked the 100K vulnerability that was later discovered by a Russian guy who considers himself a newbie in cryptography.

In the software that you said was secure?


So, to make it clear, do you imply that "professionals" are just bragging that they know what's better, but they're not much when it comes to the real deal?


Matasano is a known crypto company; why would they voluntarily spend their working time fixing Telegram for you? Hire them for a few days to see them in action.


Crowdsourced security is best. Look at all the big players to understand why: Google, Mozilla, PayPal, Facebook, and so on.


By that logic, Linux, Chrome, Android are RIP at least a hundred times.


While I'm not saying that Telegram "is RIP" (whatever it means in this thread), Linux, Chrome and Android don't have crypto as their main killer feature.


I'm excited by the insight and modesty of this guy. I will see to it that he gets a mighty prize.

It's great to see how open software can leverage the power of the community to find weak spots and become stronger.


It is good to see that you recognise modesty as a virtue.

May I suggest that you guys take a leaf out of his book and rewrite the security claims in your FAQ to reflect the fact that the protocol is new, that at this point there are likely to be some bugs, but that you are working hard to make it secure.


This, a thousand times.

Somebody finally expressed this thought politely.


He has essentially defeated your protocol, so he deserves the full $200,000. After Lavabit, it is no longer a fair assumption that you (or government agencies forcing your hand) will not interfere with the protocol to compromise it.


How much might a mighty prize be, if I may ask?


$100 000 http://vk.com/wall-52630202_7858

[Translated from Russian:]

This story makes one admire Russian programmers yet again. For a whole week, established American cryptographers on HackerNews picked at the protocol without success, mainly demanding that we replace our solution with the algorithms the NSA promotes in its Suite B. And a Russian programmer who calls himself a "newbie" was able, within an article on Habr, to immediately identify a potentially vulnerable spot in secret chats.

Just in case, let me clarify for ordinary users: there was no data leak, the vulnerability has been closed, there is no danger.

Once again I am convinced how right the decision was to open up the protocol and the source code completely. This allows us to attract thousands of smart people who can help us continually improve the system by finding potentially vulnerable spots.

The developer who found the weak spot in our algorithm has earned a reward of $100,000. Anyone who finds the possibility of a similar attack will earn the same reward (as a reminder, I announced a reward of $200,000 for decrypting the traffic stream). We keep searching; together we will make the protocol unbreakable.


Good God.. Russia, the homeland of elephants.

As a programmer from that neck of the woods, allow me to use this opportunity to distance myself from these clowns.


That's a literal jawdropper. I'm stunned.


This is a very respectable move.


After reading tptacek's comments in the latest thread about Telegram https://news.ycombinator.com/item?id=6940665 I can only agree. He insisted Telegram team should abandon its custom solution without providing any actual proof that it's vulnerable. His advice was to rely only on "modern" algorithms (mostly the ones included in "NSA Suite B Cryptography"), but he provided zero evidence why these algorithms should be more secure than the ones already in use.


In cryptography, the expectation is that the person presenting the algorithm should substantiate their claims, preferably with a proof. Saying that something is secure because it hasn't been broken yet does not sit well with people. And when it does happen, it's clearly caveated ("assuming the hardness of discrete logarithms", for example).

That aside, your challenge smacks of snake oil. I gave an analogy earlier that captures the essence of the complaints:

Suppose I am selling fire-proof safes. These are designed to protect your documents and valuables from thieves and from fire and other events.

The normal way people set up tests is to put some documents and valuables in a box and actually try to break it (MythBusters style, bringing out cool machinery and trying different ways). For fire resistance, there is a rating system (https://en.wikipedia.org/wiki/Fire-resistance_rating) and a standard way to test.

The Telegram proposition is: we are going to place the safe in Fort Knox. If you can't break the safe that is in Fort Knox, then clearly our safe is secure.

People are arguing that in order to break the safe, you have to break into Fort Knox. And for all intents and purposes that's not going to happen. You could have put a cardboard box in Fort Knox but no one can tell the difference because of the way you structured the challenge.

In that sense, you aren't testing the real-life security.


You guys are still failing to appreciate that your composition of cryptographic primitives is unproven, which means it is probably broken. Why is it probably broken? Because most compositions of crypto primitives are broken and your adversary is so formidable he will find the smallest problem.

In cryptography, you either prove it is safe or you consider it broken. Your choice should be considered broken until you prove otherwise.


This is a really bad and somewhat frustrating comment (if you're trolling, nicely done). He's absolutely correct about Telegram and this is not how you run crypto contests. This isn't even a tptacek opinion, it's a "everybody who has any reputation in the crypto field" opinion.

Edit: Oh, you're the Telegram employee who designed the contest. I encourage you to read moxie's blog post, and Schneier's rebuttals to crypto contests, which are probably linked all over your other threads.


I think Pavel is providing the financial backing for Telegram, rather than being an employee - http://en.wikipedia.org/wiki/Pavel_Durov


Ah, the Telegram HN account just said he "proposed the contest", so I assumed employee. If he is the financier, then it is not surprising that he doesn't understand why his crypto contest is a bad idea.


Right, and it also explains why the Telegram guys went ahead with his suggestion, because they're presumably keen to keep their main financial backer happy.

I don't think there's any attempt to sell snake oil here; this is a case of the road to hell being paved with good intentions. To people not well versed in cryptography, the things Pavel is saying and the approach Telegram is taking all seem completely reasonable, and the people who do do crypto and are responding might as well be talking a different language. To them the flaws and red flags are so obvious that their responses are incredulous, which has led to the vitriolic back and forth we've seen - neither side can comprehend the other's position. This is Dunning-Kruger[0].

[0] http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect


With all due respect, nothing can be "obvious" unless it is proven. You cannot take something for granted just because a respected cryptographer says so. Not after we learned that the NSA pushes backdoors using respected firms and people in the crypto community.


By this reasoning you should presumably agree that the onus is on Telegram to prove the security of their system, not on the rest of the cryptography community to prove that it is insecure. Telegram have completely failed to do this. Even if Telegram had a formal proof of their system (and implementation), would you be in a position to read and understand that proof? I suspect not. Like me, you'd have to trust a group of respected cryptographers to do that job for you, so I don't really know what you're trying to say here. Just because one or two respected cryptographers appear to have become NSA tools, does not mean everyone has.

Also note that it's not a case of one random crypto guy saying that Telegram's approach is flawed, but a case of virtually the entire crypto community saying that the approach is flawed. Does this not ring alarm bells for you? How can you judge that the Telegram guys know their stuff and aren't leading you down the garden path or are themselves deluded?

With your backing, there is a real chance for Telegram to bring secure communications to the masses. This is indisputably a noble goal, but the areas that Telegram should be innovating in are in UI and features - not cryptography. There is no such thing as mostly correct, 'good enough' cryptography, either the system is secure, or it's insecure - there is basically no middle ground. If you fail, it's a bit more serious than your typical software bug - innocent people can literally die - the very people that need this the most are the most at risk. These are the reasons Telegram have been met with such a frosty reception here. Because they come across as arrogant in an area where arrogance is the absolute least desirable trait.


The wish to broaden the contest is understandable and already taken into account http://bit.ly/1htlEod

What I was saying in the comment above, however, had nothing to do with the contest. I expressed concern about tptacek's aggressive promotion of some algorithms (branded as "modern") over others (claimed to be "anachronistic") without any substantial proof. https://news.ycombinator.com/item?id=6941934

This is really alarming.


Could you please provide some proof that you are who you claim you are? Like a post on your VK page? Thanks.


This comment on VK by id1 (Pavel) clearly states he participates in recent HN threads. I think it's fairly safe to assume he is who he is.

https://vk.com/roem?w=wall-20537665_23327

Here's an unedited Google Translate translation (I read it, and I think it conveys the message):

As I see it, there is not so much Anonymus as creators local competitor - TextSecure under Android. Telegram gathered a lot of users, and they're rightly fuss. The boys are torn between argument "either too new algorithm, why is it, if there is a proven" and your "algorithm either too old, why is it when new." Nevertheless, trade on HN gives thousands of registrations Anglo-Saxons and tons of references.

I think the debate will be a good end to the competition announcement decoding traffic Telegram. Let's say I was ready to open all of my correspondence traffic since registration in Telegram and give $200,000 to anyone who will decipher it and tell you how. As a result Telegram or detect and close the loophole for special services, or - more likely - will receive another proof of the inviolability of their protocol


Ok, thanks.

Here's another comment of his further down:

[Translated from Russian:]

I remember the first review of VKontakte on Habrahabr, I think in 2006. The experts shared comments like "who are these guys", "we don't need yet another social network" and "only noobs write in PHP". No wonder HackerNews, built on roughly the same principles (karma, ranking), gives a feeling of déjà vu.

Nevertheless, it would be great if not only people who like to talk showed up there, but also those who will actually read the MTProto documentation.


In this case, it doesn't actually matter who he is, so there is no need really. Our responses would not be different if it were someone else saying the same thing.


If the advice comes from tptacek, you should probably do the opposite. He insisted this was NOT a backdoor:

https://news.ycombinator.com/item?id=6944118


No, that's not at all what I said, but I despair of explaining the distinctions to someone who thinks AES-IGE+SHA1 and unpadded RSA is a sound design.


Hey, but now he knows that you are planning to do the opposite of what he says, presumably he will start giving you good advice, just to trick you.

The reason that people are so cynical about your custom solution is that being completely and utterly cynical about custom solutions, unless the architects can defend the solution rigorously, is the only sane approach in cryptography.


Pavel, showing that he was wrong once in the past doesn't invalidate the multiple points he has made now (or in the past).


> But a modern cryptosystem ... would use a AEAD mode, like AES-GCM

But really, it is funny how rigidly you stick to NSA Suite B Cryptography http://en.wikipedia.org/wiki/NSA_Suite_B_Cryptography

That, your fierce battle against everything unconventional and the fact that you get emotional instead of actually proving your point makes me think some "best practices" are indeed intentionally promoted in the crypto-community (https://news.ycombinator.com/item?id=6938622)

Disclaimer: I'm not an employee or shareholder in Telegram. I support them like I support some other non-profits, like the Wikimedia Foundation. As a reader here I would prefer to see an actual mathematical proof of how a certain system could be hacked instead of rhetoric like "No cryptosystem in the world would use...", "the fact that you do argue it is extraordinarily damning" or "Why? Why? Why would you do that?".


Because, with cryptography, the onus is on you to prove that your system is secure, not on other people to prove that it is broken. Everyone tells you there are many hints that your system is not secure, and you just go "well you can't prove it isn't, so there".


Do you truly need to ad-hominem attack tptacek? You sound pretty much like pseudoscientists when they blame mainstream science for being too rigid and not accepting their groundbreaking theories.


A scientific approach is exactly what I'm calling for here. When a cryptographer resorts to arguments like "this algorithm won't work because it is not common/modern/accepted" without providing an exact way to break it, it doesn't sound like a scientific approach to me. It's more like the religious mindset of someone who rigidly worships some limited list of tools (e.g. "NSA Suite B Cryptography") and punishes anyone who is independent enough to deviate from it.


In cryptography, the burden of proof is on the one proposing the system. It's up to the system designer to prove it secure. The reason why we stick to things like encrypt-then-HMAC, rather than rolling our own protocol, is that they HAVE been PROVEN secure. There are rigorous proofs [1,2] that HMAC and encrypt-then-HMAC are secure, assuming the underlying primitive is secure. There are no such proofs for Telegram's protocol, and there are many "smells" indicating attacks are possible, and I'm sure you'll see some actual examples soon.

[1] https://eprint.iacr.org/2006/043.pdf [2] http://cseweb.ucsd.edu/~mihir/papers/oem.pdf

Cryptography is HARD. It's so hard that it's hard to understand how hard it is. A large part of becoming a cryptographer is just learning how hard it is, and that you NEED security proofs, because it's just too easy to screw up.

I understand you're frustrated, but there's no need for the ad hominem attacks. tptacek is giving you good advice. We all want to see good crypto getting used. So why don't we work together to fix it instead of wasting our time defending a broken system? Honestly, replacing your protocol with encrypt-then-HMAC or the protocol from TextSecure isn't that big of a change, and it would make Telegram a lot better. So why not do it?


Pavel, folks here are being hard on you guys because historically, 9 out of 10 times "independent thinkers" who roll out their own crypto stacks get something wrong. That's why, if you want to market your app to this crowd, you'll have a hard time selling something that is not the currently recommended crypto stack. Emphasizing that it is the NSA who recommends it is just passive-aggressive conspiracy theorizing. It may very well be the case that the NSA have ways of cracking their "Suite B", but we have no evidence of that, and if they do, do you really think that your ad-hoc solution would do much better against them?


So as I understand it, you do agree that moxie's mock protocol ( http://thoughtcrime.org/blog/telegram-crypto-challenge/ ), which he designed to be as awful as possible, is as secure as Telegram's MTProto? There's no exact way to break it either, it's just as new, it doesn't use a 'limited set of tools' either, and neither has any mathematical proofs. By your logic, I can't see how it is different from MTProto. How do we know you don't have a protocol just like his?


I like this. "I'm calling for a scientific approach". Meaning, we throw out the last 20 years of scientific work on cryptography and start over from first principles, because the weight of the literature is inconvenient for your argument. It's an interesting tactic you've invented, and I'm surprised I haven't seen it in climate change denial posts.


Well, when some of this "research" you promote ends up being backdoors planted by NSA (http://reut.rs/192XWwG), one has to be cautious.

Personally, I am more comfortable with 70s algorithms like Diffie-Hellman that have known and well-researched weaknesses. The "modern" algorithms actively promoted by US security firms after 9/11 are not time-tested, to say the least.


A large number of people who know what they are talking about have stated to you in the clearest terms possible that when it comes to cryptography and security systems, it is appropriate to place the burden of proof on the creators. It isn't an opinion, it's a fact agreed on by every competent security practitioner on the planet. If you are going to continue to ignore this, no one is going to take anything you say about cryptography seriously.

It's not about dogma, it's about safety. The fact that you fail to understand that is a testament to your inability to contribute to a meaningful conversation about security.


I'm sorry but I have to ask:

Can you prove that you indeed are Pavel Durov of VK?


As mentioned at http://core.telegram.org/contestfaq, if more tools to interact with the traffic are needed for the contestants to crack Telegram, they will be provided in the next contest right after 1 March, 2014. The current contest has an important practical task: deciphering traffic that is being intercepted in real time. This is the basic concern of regular users like myself (lots of other people in Russia and I had to stop using WhatsApp because of easily decipherable intercepted traffic). If Telegram proves to be robust in this respect, more tools to manipulate traffic and wider contests with similar prizes are to follow. Like all startups, this contest by Telegram starts from solving a basic but most important problem, then gradually gets more complicated in functionality and scope.

Telegram will always be interested in creating incentives for the crypto community to check its security and provide feedback. So if you are waiting for tools to try, e.g., a MITM on Telegram and get your $200K, please stay tuned. It's @telegram on Twitter.


Thanks for sponsoring the Telegram product. (Even though I think what they are trying to do could be done much better.)

Could you please ask the Telegram team to post the exact contents of the first message that Paul sent to Nick, except with the secret email address X'ed out? I explained in https://news.ycombinator.com/item?id=6937631 that if the MT protocol is secure, then there is no risk in posting such a "known plaintext", so the Telegram team should have no problem posting it.


Does this mean that you were unable to recover Alice's message?


Alas, I am not a cryptographer and not even a member of the Telegram team. I'm just a guy who backs Telegram financially and proposed to start their contest. I described my motives behind it here https://news.ycombinator.com/item?id=6938622

As for your contest, I will make sure the Telegram team will have a look at it once they are awake. As far as I understand, you designed it to be similar to Telegram's contest. How do you send messages that affect traffic in real-time? How large is the prize? Is there a deadline?


Have you taken part in Telegram contest design?

> How large is the prize?

I think the "prize" is obvious. Breaking this "unbreakable" 896bit-RSA + no auth + no signature + MD2 + XOR is a necessary condition for the Telegram contest to be taken seriously.


You can generate your own messages according to the scheme he gave (even using the same public key from Bob if you like), but they will not be aggregated into a public log.


abcd_f, I'm not part of the Telegram team, nor am I a cryptographer. However, I do support these guys, and for the last 3 days I saw the Telegram team diligently reply to tech questions on Twitter, HN and blogs. I saw them collect questions from security experts and put up FAQs based on them, http://core.telegram.org/techfaq or http://core.telegram.org/contestfaq, as well as update the obscure parts of their documentation.

>> Perhaps consider offering an alternative crypto suite based on standard protocols? In parallel with what you have. Just reuse an existing crypto framework and redo transport layer to your needs.

Again, I am not a cryptographer. But as a person who wants his data to be secure, I don't see anything wrong with different teams trying different approaches. I 100% agree that people crave a good encrypted communication system, but I'm not sure it can be achieved in a world where everybody uses similar methods. What if some of the common "best practices" are intentionally promoted in the crypto community as the best ones exactly because they contain flaws and backdoors?

Please allow me to give you an example of something that could be just that.

The Telegram team was criticized by some HN critics for their custom auth key exchange protocol. People asked – why take a random value from the server and a random value from the client and combine both with a creepy function? Why not, e.g., just generate a random value on the client and use RSA instead? Well, the answer is simple – the Telegram guys did not trust that the random value generated on the client side was really random.

In August 2013 it turned out that their custom approach to the protocol enabled Telegram to stay more secure when multiple other secure apps using more conventional solutions were hacked (http://android-developers.blogspot.ru/2013/08/some-secureran...). Many Bitcoin apps were cracked and people lost money; Open Whisper Systems (I noticed these guys are aggressively promoted here in the HN community as the epitome of best security) had to hasten to patch their RedPhone app to avoid that vulnerability.

So I'm kind of suspicious when I see strong pressure to enforce the use of common techniques and get rid of uncommon ones just because they are uncommon. I think the Telegram guys have the right to choose their own path, and I'm sure our society will only benefit from it.

Of course, building custom solutions is no easy task and requires a lot of effort. But I've seen some of the Telegram guys (yes, the "6 ACM champions") create things that I'd thought were impossible. Maybe I am wrong in putting my trust in their abilities, and I will be fined $200K+ for my naivete. However, I am willing to continue financing such contests, and I do hope that eventually we'll all get something much more valuable than $200K.
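The design point in the comment above (and in the reply that follows it, that standard key exchanges take randomness from both sides) can be shown concretely. This is an added illustration, not Telegram's MTProto code or any library's API: a minimal HKDF (RFC 5869) derives a session key either from the client nonce alone or from the client and server nonces together, and a constructed client whose RNG always returns the same bytes (the worst case of the 2013 Android SecureRandom weakness) is run through both designs.

```python
"""Mixing randomness from BOTH peers into the session key.

Added illustration only: not Telegram's MTProto, not any library's API.
HKDF here is a minimal RFC 5869 implementation on hashlib/hmac.
"""
import hashlib
import hmac
import os

HASH = hashlib.sha256
KEY_LEN = 32


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract: PRK = HMAC(salt, IKM).  An empty salt is allowed."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand: T(i) = HMAC(PRK, T(i-1) || info || i), concatenated."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def derive_key_client_only(client_nonce: bytes) -> bytes:
    """Design 1 (weak): the session key depends on client randomness alone."""
    prk = hkdf_extract(b"", client_nonce)
    return hkdf_expand(prk, b"session-key/client-only", KEY_LEN)


def derive_key_combined(client_nonce: bytes, server_nonce: bytes) -> bytes:
    """Design 2: both peers contribute.  A bad RNG on one side is not fatal
    as long as the other side's nonce stays unpredictable."""
    prk = hkdf_extract(server_nonce, client_nonce)  # server nonce as salt
    return hkdf_expand(prk, b"session-key/combined", KEY_LEN)


class BrokenClientRng:
    """Constructed stand-in for a client RNG that always returns the same
    bytes, i.e. a generator with no entropy at all."""

    def __init__(self, stuck_value: bytes):
        self.stuck_value = stuck_value

    def nonce(self) -> bytes:
        return self.stuck_value


def simulate_sessions(n_sessions: int, broken_client: BrokenClientRng):
    """Run n sessions; return the set of distinct keys each design produced."""
    client_only, combined = set(), set()
    for _ in range(n_sessions):
        c = broken_client.nonce()   # identical bytes every session
        s = os.urandom(16)          # server RNG is healthy
        client_only.add(derive_key_client_only(c))
        combined.add(derive_key_combined(c, s))
    return client_only, combined


def combined_key_is_robust(n_sessions: int = 5) -> bool:
    """True when the combined design yields a fresh key per session while
    the client-only design collapses to a single repeated key."""
    co, cb = simulate_sessions(n_sessions, BrokenClientRng(b"\x00" * 16))
    return len(co) == 1 and len(cb) == n_sessions


if __name__ == "__main__":
    co, cb = simulate_sessions(5, BrokenClientRng(b"\x00" * 16))
    print(f"client-only design: {len(co)} distinct key(s) over 5 sessions")
    print(f"combined design:    {len(cb)} distinct key(s) over 5 sessions")
```

The mirror image holds too: a server with a stuck RNG is rescued by a healthy client nonce, which is why both inputs go into the extract step rather than one being dropped.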


Well, to prove my point about you guys coming across as cocky know-it-alls: here you just did it again, perhaps without realizing it -

> People asked – why take a random value from server and a random value from client and combine both with a creepy function?

People well-versed in applied crypto would never ask this question, because all standard key exchange protocols most certainly use both sides as a source of randomness. Furthermore - "creepy"? That's all you took away from all those comments that said your KDF was unproven, not peer-reviewed and weak in comparison? You basically cherry-picked a dumb question (I assume you haven't made it up) and then proceeded to demonstrate how clever you are. Guess what? You just reiterated basic facts, but assigned them to yourself.

Let me repeat what I said. Your problem is not your crypto. Your problem is the attitude.


> Your problem is not your crypto. Your problem is the attitude.

OK, now I can see your point. Thank you for taking the time to reply and share advice.

