$200,000 to the first person to break Telegram (telegram.org)
Telegram backer, Pavel Durov, will give $200,000 in BTC to the first person to break the Telegram encrypted protocol. Starting today, each day Paul (+79112317383) will be sending a message containing a secret email address to Nick (+79218944725). In order to prove that Telegram crypto was indeed deciphered and claim your prize, send an email to the secret email address from Paul’s message.
Your email must contain: - The entire text of the message that contained the secret email. - Your Bitcoin address to receive the $200,000 in BTC. - A detailed explanation of the attack.
Encrypted Telegram traffic from and to Paul’s account is publicly available for download from this page. You can send Telegram messages to Paul and view his traffic in real time.
To prove that the competition was fair, we will publish the participating keys necessary to decrypt the traffic as soon as a winner is announced. In case there is no winner by March 1, 2014, encryption keys will be published at that date.
175 comments
[ 4.5 ms ] story [ 301 ms ] threadI'm really excited to see if this is cracked!
Rolling your own encryption has always been proven to be the worst idea.
I personally think it's great that people are trying various solutions. Disclaimer: I know little about cryptography
> Q: What if I don‘t trust bitcoins and don’t want them as a prize?
>If the winner prefers conventional money over bitcoin, we will be happy to transfer them 200,000 regular USD instead of BTC.
In all seriousness, im interested to see if anyone can crack this.
If it proves resilient over 2.5 months of highly motivated attacks (motivated by both the money / "I-Told-You-So" factor), I think that's a fairly strong statement in their favor.
Logan's law: In any given discussion tangentially related to security, the thing presented as "secure" will be soon declared "definitely not secure"... because...NSA.
I just wanted to point out that there were times when money was not a very good motivator for someone who could break a given encryption system.
Bug bounties by big name companies that are actually after bugs rather than publicity haven't miraculously made all their software perfect. And they don't have an end date either.
> the server can perform a MITM attack. > you cannot detect MITM between you and your peers.
>> NOT true. You can compare key visualization in the clients.
The key is not shown in hex, so a MITM is quite simple.
When they do enabled it for the first time, we can instantly MITM them using the attack against the "image verification" I mentioned lower down (https://news.ycombinator.com/item?id=6932053), and we can assume that the conversation is worth our while listening in on. The user will hopefully expose themselves in the belief that they are safe, and the game is over.
This is still vulnerable to server-side _key_ MITM. It's the hushmail/iMessage/etc silent escrow key attack.
http://telegram.org/img/key_image.jpg
Blue in the top and bottom, white line through the middle. So little information that anybody could simply brute force the keys until they found one that matched the description well enough.
I'd happily write a little attack for that, but it's clearly not "breaking" the system enough for the bounty.
https://www.thc.org/papers/ffp.html
https://www.schneier.com/crypto-gram-9902.html (1999)
1) They are giving you the source code, protocol, and a tcpdump of all traffic between the chatters. You can even send messages via the protocol to one of the participants. Its not just here is some encrypted data, decrypt it.
2) They are offering a significant amount of money.
2) there are no arbitrary definition of what winning means
The definition of winning in this contest creates a large class of potential vulnerabilities that would be paid $0.
> [...] the contest is fair because 1) the algorithm is completely specified, 2) there are no arbitrary definition of what winning means, and 3) the algorithm is public domain
Not satisfied at leaving it there, they then claimed that their crypto system doesn't need to be justified, because their customers aren't concerned about the specifics of their implementation of known broken algorithms.
Finally, they placed the burden of proof on the public, which doesn't work when it comes to cryptography.
They were given the opportunity to explain their design decisions in an environment of mutual respect, and they responded to this offer by stonewalling two of HN's resident security gurus.
This Telegram contest may seem superficially similar to that fair contest, but it differs in some important ways. First, this contest isn't rewarding "best effort". Second, this contest doesn't meet those criteria, because their central server isn't being tested here. The goal of a product like Telegram is to defend against adversaries like governments, and hence governments will be able to probe their servers for weaknesses. You may say that we, too, can do the same, but if that's the case, a test server should be made available and the contest should explicitly try to get as many people as possible to break it.
This contest is interesting, but it's too artificial. As just one example of why that's the case: breaking real-world crypto often relies on side channel attacks, for instance timing attacks, and there's no opportunity of employing those attacks here due to the artificial nature of the contest.
Once again, if people here are interested in a secure alternative to Telegram that doesn't rely on public stunts for cryptanalysis, then check out TextSecure. It was designed by cryptographers, is open-source, and has been studied in detail for years. https://whispersystems.org/
EDIT: It appears Telegram is also vulnerable to MITM attacks. This is the NSA's preferred method of gathering info, so this is the most likely attack vector against Telegram. Due to the design of the protocol, there seems to be no defense. https://news.ycombinator.com/item?id=6931892
Telegram's response is "we protect against this because if you've initiated a secret chat previously, then you're protected." However, this isn't true. 1) a global adversary like the NSA can (and will, if they become interested in Telegram) simply MITM every secret chat session when they're first initiated; therefore if you use Telegram, you should assume the government has your data anyway, since this protocol offers no protection against mass snooping. 2) Secret chats aren't even the default type of chat in Telegram anyway, making it very unlikely that users will be protected by it. The defaults need to be secure.
References:
https://news.ycombinator.com/item?id=6931892
https://news.ycombinator.com/item?id=6931961 (Telegram's response, which seems to verify that secret chats can be MITM'd on first initiation.)
https://news.ycombinator.com/item?id=6931903 (Demonstrates that Telegram seems to be misunderstanding why someone breaking into the central server can MITM your chats.)
From what I've seen, they use something called the "Axolotl Ratchet", developed by Trevor Perrin. A quick search of his name didn't yield any crypto papers / research by him.
Also, you write "and has been studied in detail for years"
There are no links/references to code/protocol reviews in the WhisperSystems website.
Again, I have the utmost respect for their research, it's just that from the side of a non-crypto-versed user/coder, Telegram and TextSecure look the same.
Here are some resources:
https://www.hnsearch.com/search#request/all&q=by%3Atptacek+t...
https://www.whispersystems.org/blog/advanced-ratcheting/
https://pond.imperialviolet.org/
> Again, I have the utmost respect for their research, it's just that from the side of a non-crypto-versed user/coder, Telegram and TextSecure look the same.
Yep, it's frustrating to be the quixotically genuine seller in a market for lemons.
You might also try reading some of his more recent discussion comments on IETF working groups:
- http://www.ietf.org/mail-archive/web/websec/current/maillist...
- http://www.ietf.org/mail-archive/web/tls/current/maillist.ht...
- (from 2002): http://mhonarc.domainunion.de/archive/html/ietf-openpgp/2002...
Just a few things that turned up when I Googled him.
2. wait until sender mistypes destination on one message.
3. claim prize.
Back in September, he issued a new public key of 4096 bits[1].
1. https://news.ycombinator.com/item?id=6376954
See http://en.wikipedia.org/wiki/Integer_factorization_records
(regardless of the product, they succeeded in a cheap way to get launched, very likely at a cost of $0)
It seems to me that offering a bug bounty can significantly improve the security of a system, even when the prize-money is relatively small.
[1] http://www.tarsnap.com/bugbounty.html
[2] http://www.daemonology.net/blog/2011-01-18-tarsnap-critical-...
Telegram, on the other hand, is trying to prove that their algorithm is unbreakable. AES is pretty good too. As is noted in other comments, it's generally the system, not the algorithm, that gets broken.
Gold :-)
I'll take my $2k now.
<Magic Number (Nonce?)> . <Magic Number> <Number of bytes + 1> IN/OUT <Ip Address>
how you are then going to make a money ?
http://i.imgur.com/NA9bO0I.jpg
To make this a slightly fair challenge, we should at least be allowed to get the clear text of our choice also encrypted with the same key.
The cryptanalysis community, in particular, has a small group of experts that can credibly critique your ideas. They would probably love to pick apart a new system...seriously in the hopes that it advances the art, but critically in the case that it doesn't.
Claims of some kind of "tightly knit" cabal of closed minded people excluding you would be a warning sign. (It sounds like creationism. Not that this is what these guys did. I'm just saying.)
Maybe instead of a competition they could have just approached some of the cryptanalysis community for an early look? Those guys could kick the tires and pass it on to others that they know. That really seems to be how this area works.
Just because it appears here does not in any way shape or form indicate that they're trying to impress the HN community, nor that they're specifically targeting HN.