International Association for Cryptologic Research

International Association
for Cryptologic Research

CryptoDB

Subverting Telegram’s End-to-End Encryption

Authors:
Benoît Cogliati , CISPA Helmholtz Center for Information Security, Saarbrücken, Germany
Jordan Ethan , CISPA Helmholtz Center for Information Security, Saarbrücken, Germany
Ashwin Jha , CISPA Helmholtz Center for Information Security, Saarbrücken, Germany
Download:
DOI: 10.46586/tosc.v2023.i1.5-40
URL: https://tosc.iacr.org/index.php/ToSC/article/view/10302
Search ePrint
Search Google
Abstract: Telegram is a popular secure messaging service with third biggest user base as of 2021. In this paper, we analyze the security of Telegram’s end-to-end encryption (E2EE) protocol in presence of mass-surveillance. Specifically, we show >that Telegram’s E2EE protocol is susceptible to fairly efficient algorithm substitution attacks. While official Telegram clients should be protected against this type of attack due their open-source nature and reproducible builds, this could potentially lead to a very efficient state sponsored surveillance of private communications over Telegram, either on individuals through a targeted attack or massively through some compromised third-party clients. We provide an efficient algorithm substitution attack against MTProto2.0 — the underlying authenticated encryption scheme — that recovers significant amount of encryption key material with a very high probability with few queries and fairly low latency. This could potentially lead to a very efficient state sponsored surveillance of private communications over Telegram, either through a targeted attack or a compromised third-party app. Our attack exploits MTProto2.0’s degree of freedom in choosing the random padding length and padding value. Accordingly, we strongly recommend that Telegram should revise MTProto2.0’s padding methodology. In particular, we show that a minor change in the padding description of MTProto2.0 makes it subversion-resistant in most of the practical scenarios. As a side-effect, we generalize the underlying mode of operation in MTProto2.0, as MTProto-G, and show that this generalization is a multi-user secure deterministic authenticated encryption scheme.
BibTeX
@article{tosc-2023-33052,
  title={Subverting Telegram’s End-to-End Encryption},
  journal={IACR Transactions on Symmetric Cryptology},
  publisher={Ruhr-Universität Bochum},
  volume={2023, Issue 1},
  pages={5-40},
  url={https://tosc.iacr.org/index.php/ToSC/article/view/10302},
  doi={10.46586/tosc.v2023.i1.5-40},
  author={Benoît Cogliati and Jordan Ethan and Ashwin Jha},
  year=2023
}