Security Analysis of Telegram's MTProto2.0 Encryption Protocol Reveals Algorithm Substitution Vulnerabilities
By
pona-a
7mo ago · 2 min read
Summary
This academic paper analyzes Telegram's MTProto2.0 encryption protocol and demonstrates that it is vulnerable to algorithm substitution attacks that could enable state-sponsored surveillance. The attack exploits the protocol's flexibility in choosing the random padding length and padding value, which lets a subverted implementation leak significant encryption key material with high probability using few queries and low latency. Official Telegram clients are protected by their open-source nature, but third-party clients could be compromised. The paper recommends revising MTProto2.0's padding methodology and shows that a minor change can make the protocol subversion-resistant.
Key quotes
Telegram's E2EE protocol is susceptible to fairly efficient algorithm substitution attacks.
This could potentially lead to a very efficient state sponsored surveillance of private communications over Telegram, either on individuals through a targeted attack or massively through some compromised third-party clients.
Our attack exploits MTProto2.0's degree of freedom in choosing the random padding length and padding value.
We provide an efficient algorithm substitution attack against MTProto2.0 that recovers significant amount of encryption key material with a very high probability with few queries and fairly low latency.
A minor change in the padding description of MTProto2.0 makes it subversion-resistant in most of the practical scenarios.
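The mechanism the quotes above describe is that any freedom the sender has over random padding (its length and its bytes) is a channel a subverted client can fill, and the class of fix is to take that freedom away. The following is an added illustration, not code from the paper or from Telegram, and it does not reproduce MTProto2.0's actual padding rule: the block sizes, minimum padding and the HMAC-derived padding are assumptions chosen for the demonstration. It contrasts a lenient receiver that accepts any padding of a permitted length with a receiver that recomputes the padding from the shared key, the sequence number and the message and rejects anything else.

```python
import hashlib
import hmac

BLOCK = 16    # assumed block size the padded message must fill (illustrative)
MIN_PAD = 12  # assumed minimum padding length (illustrative, not MTProto's rule)
MAX_PAD = 64  # assumed largest padding a lenient receiver tolerates


def pad_len(msg_len: int) -> int:
    """Deterministic padding length: the smallest n >= MIN_PAD that makes
    the total a multiple of BLOCK. The sender gets no say in it."""
    total = -(-(msg_len + MIN_PAD) // BLOCK) * BLOCK
    return total - msg_len


def committed_padding(pad_key: bytes, seq: int, plaintext: bytes) -> bytes:
    """Padding derived with HMAC from key material, sequence number and
    message, so the sending implementation has no free bits to choose.
    Extra digests are chained with a counter if more bytes are needed."""
    n = pad_len(len(plaintext))
    out = b""
    ctr = 0
    while len(out) < n:
        msg = seq.to_bytes(8, "big") + ctr.to_bytes(4, "big") + plaintext
        out += hmac.new(pad_key, msg, hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def pad_committed(pad_key: bytes, seq: int, plaintext: bytes) -> bytes:
    """Honest sender under the committed scheme."""
    return plaintext + committed_padding(pad_key, seq, plaintext)


def pad_free(plaintext: bytes, padding: bytes) -> bytes:
    """Lenient scheme: the sender supplies whatever padding it likes,
    as long as the length lands within the permitted range."""
    return plaintext + padding


def accepts_free(padded: bytes, msg_len: int) -> bool:
    """Lenient receiver: only checks block alignment and padding length,
    never the padding content. Any bytes the sender chose pass here."""
    n = len(padded) - msg_len
    return len(padded) % BLOCK == 0 and MIN_PAD <= n <= MAX_PAD


def accepts_committed(pad_key: bytes, seq: int, padded: bytes, msg_len: int) -> bool:
    """Committed receiver: recomputes the only padding an honest sender could
    have produced and rejects anything else. Length mismatches fail too,
    since compare_digest returns False for inputs of different length."""
    if not accepts_free(padded, msg_len):
        return False
    plaintext, padding = padded[:msg_len], padded[msg_len:]
    expected = committed_padding(pad_key, seq, plaintext)
    return hmac.compare_digest(padding, expected)


def demo() -> dict:
    """Constructed sample key and message; returns both receivers' verdicts
    on an honest message and on one whose padding the sender chose itself."""
    pad_key = b"\x11" * 32          # constructed sample key material
    seq = 1
    msg = b"hello, world"           # constructed sample message (12 bytes)
    honest = pad_committed(pad_key, seq, msg)
    # A sender that picks its own padding length and bytes: longer than
    # required, and all zeros (any chosen content would behave the same).
    chosen = pad_free(msg, b"\x00" * (pad_len(len(msg)) + 16))
    return {
        "honest_free": accepts_free(honest, len(msg)),
        "honest_committed": accepts_committed(pad_key, seq, honest, len(msg)),
        "chosen_free": accepts_free(chosen, len(msg)),
        "chosen_committed": accepts_committed(pad_key, seq, chosen, len(msg)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {'accepted' if verdict else 'rejected'}")
```

The point of the comparison is in `accepts_free` versus `accepts_committed`: the lenient receiver cannot distinguish padding that was drawn at random from padding the implementation filled with something else, while the committed receiver can, because there is exactly one valid padding per (key, sequence, message). The receiver needs the message length from the framing to split padding from payload; in an end-to-end setting this check would run after decryption, on the recovered plaintext.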
Telegram is a popular secure messaging service with the third biggest user base as of 2021. In this paper, we analyze the security of Telegram’s end-to-end encryption (E2EE) protocol in the presence of mass-surveillance. Specifically, we show that Telegram’s E2E
