Paper 2023/469

Four Attacks and a Proof for Telegram

Martin R. Albrecht, King's College London
Lenka Mareková, Royal Holloway University of London
Kenneth G. Paterson, ETH Zurich
Igors Stepanovs, ETH Zurich
Abstract

We study the use of symmetric cryptography in the MTProto 2.0 protocol, Telegram's equivalent of the TLS record protocol. We give positive and negative results. On the one hand, we formally and in detail model a slight variant of Telegram's "record protocol" and prove that it achieves security in a suitable bidirectional secure channel model, albeit under unstudied assumptions; this model itself advances the state-of-the-art for secure channels. On the other hand, we first motivate our modelling deviation from MTProto as deployed by giving two attacks – one of practical, one of theoretical interest – against MTProto without our modifications. We then also give a third attack exploiting timing side channels, of varying strength, in three official Telegram clients. On its own this attack is thwarted by the secrecy of salt and id fields that are established by Telegram's key exchange protocol. We chain the third attack with a fourth one against the implementation of the key exchange protocol on Telegram's servers. This fourth attack breaks the authentication properties of Telegram's key exchange, allowing a MitM attack. More mundanely, it also recovers the id field, reducing the cost of the plaintext recovery attack to guessing the 64-bit salt field. In totality, our results provide the first comprehensive study of MTProto's use of symmetric cryptography, as well as highlight weaknesses in its key exchange.

Metadata

Available format(s): PDF
Category: Cryptographic protocols
Publication info: Published elsewhere. IEEE S&P 2022
DOI: 10.1109/SP46214.2022.9833666
Keywords: Telegram, provable security, secure messaging, bidirectional channels, security analysis
Contact author(s):
martin albrecht @ kcl ac uk
lenka marekova 2018 @ rhul ac uk
kenny paterson @ inf ethz ch
igors stepanovs @ gmail com
History:
2023-04-01: approved
2023-03-31: received
Short URL: https://ia.cr/2023/469
License: Creative Commons Attribution (CC BY)

BibTeX

@misc{cryptoeprint:2023/469,
      author = {Martin R. Albrecht and Lenka Mareková and Kenneth G. Paterson and Igors Stepanovs},
      title = {Four Attacks and a Proof for Telegram},
      howpublished = {Cryptology ePrint Archive, Paper 2023/469},
      year = {2023},
      doi = {10.1109/SP46214.2022.9833666},
      note = {\url{https://eprint.iacr.org/2023/469}},
      url = {https://eprint.iacr.org/2023/469}
}