$200,000 to the first person to break Telegram (telegram.org)

342 points by helgidub ↗ HN
Telegram backer, Pavel Durov, will give $200,000 in BTC to the first person to break the Telegram encrypted protocol. Starting today, each day Paul (+79112317383) will be sending a message containing a secret email address to Nick (+79218944725). In order to prove that Telegram crypto was indeed deciphered and claim your prize, send an email to the secret email address from Paul’s message.

Your email must contain: - The entire text of the message that contained the secret email. - Your Bitcoin address to receive the $200,000 in BTC. - A detailed explanation of the attack.

Encrypted Telegram traffic from and to Paul’s account is publicly available for download from this page. You can send Telegram messages to Paul and view his traffic in real time.

To prove that the competition was fair, we will publish the participating keys necessary to decrypt the traffic as soon as a winner is announced. In case there is no winner by March 1, 2014, encryption keys will be published at that date.

175 comments

[ 4.5 ms ] story [ 301 ms ] thread
Of all the software branches out there in the world, crypto's are by far the coolest and scariest in my opinion. They wield obscure knowledge, have long beards, a white van full of tech, communicate in some obscure protocol with each other - oh man. :)

I'm really excited to see if this is cracked!

This is $200,000 in bitcoins, not actually $200,000.
what do you think the definition of "$200,000 in bitcoins" is?
I think it means its 200k in "bitcoin" thats near impossible to cash out at such volumes. So I think this is a PR stunt and nothing more.

Rolling your own encryption has always been proven to be the worst idea.

$200k in Bitcoin is relatively easy to cash out without affecting the market much these days.
You can easily cash that out today. $200k is not a huge deal.
200k USD will be paid in BTC
There's more than enough volume on any established exchange. $200,000 is roughly 380 BTC at the current price on Bitstamp (~$530). If you were to sell 380 BTC now on Bitstamp there are enough buy orders for the entire sell to be filled before the price got to $525.
If you don't like BTC and other cryptocurrencies, we will be happy to transfer regular 200,000 USD to you after you win. It's up to you.
Вы офигенно придумали. Молодцы!

I personally think it's great that people are trying various solutions. Disclaimer: I know little about cryptography

(comment deleted)
Well it's $200,000 today, $386,000 tomorrow, $120 the day after that...
Pick a good day for brilliance.
Apparently we don't read here on HN. From http://core.telegram.org/contestfaq:

> Q: What if I don‘t trust bitcoins and don’t want them as a prize?

>If the winner prefers conventional money over bitcoin, we will be happy to transfer them 200,000 regular USD instead of BTC.

Travel to russia, get big wrench and hit Durov with it until he gives up his password. Win 200k.

In all seriousness, im interested to see if anyone can crack this.

If I remeber correctly the Russians indeed have a special term of getting the crypto key in such manner: Thermorectal Cryptanalysis.
A Russian friend of mine mentioned playing in an MMO with another guy called 'Krusk' for a year or so before realising that the other guy was also Russian, and 'Krusk' was the anglicised version of the Russian word for "the sound bones make when you crush them"...
so the winner is allowed to remain completely anonymous, receiving 200k usd payment in btc?
One would assume that's the point of paying in Bitcoin rather than any other method.
Enabling an insider who knows how it works to win and not be discovered? Although having to the detail the attack method may prevent that.
At least they'll put their money where their mouth is. I'm excited to see someone call out the naysaying masses on HN and stand by their product in this regard.
Unfortunately, this doesn't mean that it's secure. If someone breaks it, it means it's broken, but if nobody breaks it, it doesn't mean someone else can't break it (or hasn't already).
It actually makes things worse really "no hackers can break this!" sounds good on paper, but it could just mean your adversary has more to gain by the system not being publicly broken.
I don't see how it makes things worse. Surely it shows more if you gave hackers a big incentive to crack your encryption and they still didn't, compared to them not cracking it when there was no incentive. It is evidence that the reason they did not crack it was the difficulty of the problem, not just indifference.
(comment deleted)
A 73 day deadline on no notice to crack the system in a very specific way with no pay for people who succeed after the first is not a very big incentive. How many highly compensated security experts do you expect to stop doing their jobs for the opportunity to work for free?
Agreed, but the tone of the previous discussion was definitely more along the lines of "This could never work, you guys don't know what you're doing."

If it proves resilient over 2.5 months of highly motivated attacks (motivated by both the money / "I-Told-You-So" factor), I think that's a fairly strong statement in their favor.

Excluding an entity like the NSA, who cares nothing for $200,000 (literally a rounding error in their budget), but everything for the information available for the taking.
While I agree with your point, immediately jumping to the NSA and their bottomless pool of resources and talent is kind of the new Godwin's law.

Logan's law: In any given discussion tangentially related to security, the thing presented as "secure" will be soon declared "definitely not secure"... because...NSA.

I actually agree with the motivation behind your argument -- it's ridiculous to pull out unknown NSA capabilities as a foil to every crypto argument.

I just wanted to point out that there were times when money was not a very good motivator for someone who could break a given encryption system.

Not quite 2.5 months.
How time flies.. I read it as Mar 31, 2014 originally and didn't realize it was already Dec 18.. Edited to reflect that it's not really 4 months.
i have a day job and i'm not going to drop everything for the chance i won't make any money at all... told-you-so factor or not.
I could imagine a lot of university math students (young, hungry, nothing to lose) would be highly motivated by this.
I feel obligated to point out that it may be worth it if you make less than $200k in 2.5 months.
Nobody's claiming it won't work; they're claiming it will work in a way that is dangerous to its users.
OK, but where the hell are they going to get 2.5 months of highly motivated attacks by highly skilled people? All the people I would want looking at this aren't going to waste such a huge chunk of their time analyzing some random phone app trying to make a name for themselves for a chance at a cash reward.

Bug bounties by big name companies that are actually after bugs rather than publicity haven't miraculously made all their software perfect. And they don't have an end date either.

I agree with you here. That is why such contests are going to be permanent in Telegram. New contests like this will be launched in March 2014 or earlier if anyone wins earlier. Consider the date for breaking Telegram open.
Your interest rings a bit hollow when you define a very narrow attack surface for the bounty, and dismiss architectural criticism beyond it.
This doesn't cover the areas that most people highlighted as probable weaknesses which were largely related to the protocol rather than the cipher. There may be sufficient weaknesses in the protocol to expose the data with a passive analysis of the log but there are many more options if you can perform man in the middle attacks or find ways to change messages even without fully decrypting that would not win this competition but that would be widely regarded as breaking their system.
Is that $200,000 in BTC valued at the time that the award will be given, or valued now? With the way things are going, not sure which would be better...
When you become sure what the future price of BTC will be, please, do tell.
At the time of the reward. This is implicitly stated by the fact that he didn't specify the number of BTC. $500 is still a ton btw, two months ago a Bitcoin was worth $200.
(comment deleted)
Most of the concerns people had were Telegram's servers acting maliciously or being coerced into acting maliciously, which is obviously not covered by this contest or the protocol they have designed. It's a bit disingenuous that Telegram is broken but not in a way that this bounty could pay for.
Yeah, it's probably against the rules of the competition and will get you arrested if you try. But I think if someone does break into their central server and wins the competition that way, they should still be paid out.
No, the goal of these security products is to defend against the government, not a random guy. In that context, it's extremely important that their server undergo the same level of cryptanalysis.
We already know the system is hopelessly vulnerable to server side MITM attacks, it makes no effort to defend against that attack model. It's mentioned in the comments that they might do manual key verification in the future, but that doesn't happen now. Compromise is silent.
Is that really the case? Would you mind linking to that? Because if that's true, then this contest is dangerously misleading.
Let me respectfully disagree with you here. Secret Chats in Telegram provide users with a way to detect a server-side MITM attack. http://core.telegram.org/techfaq#q-how-are-telegram-users-pr...
That only protects against a MITM between peers who have communicated with a "secret chat" previously, not two fresh peers. As "secret charts" are disabled by default it's not really a defence against infiltration; users will presumably only enabled the "secret chat" mode when they have something sensitive to talk about.

When they do enabled it for the first time, we can instantly MITM them using the attack against the "image verification" I mentioned lower down (https://news.ycombinator.com/item?id=6932053), and we can assume that the conversation is worth our while listening in on. The user will hopefully expose themselves in the belief that they are safe, and the game is over.

It's simple unauthenticated Diffie-Hellman key agreement, which is known for MITM attack. Yes, you ask A to accept B's identity upon key exchange, but to what extend A would know B is really B not the server playing along? A plausible method would have A and B exchange certificates separate from the Diffie-Hellman key exchange process, and use those as the identity verification mechanism.
Not only is it possible, they are doing it already. I installed telegram on two devices (android and ipad) and they somehow were both able to decrypt incoming messages. How did the second device get the key..?
Ah! You were mistaken in the functioning of the service (I thought this might happen). You have to specifically ask for a secure chat with a button press, normally everything is effectively plaintext.
I'm afraid breaking into Telegram's central server (by the way, there is no such thing) will hardly enable you to decipher end-to-end encrypted secret chats. But certainly worth trying anyway.
It will allow you to conduct a man-in-the-middle attack on all encrypted traffic though, which would certainly be enough to read messages in plaintext.
This is irrelevant - the "secret chat" mode is not the default (according to someone else in this thread) and you're just shoving the key verification process off on to the user with these silly graphic patterns (which, if OTR is any indication, the user won't verify anyway).

This is still vulnerable to server-side _key_ MITM. It's the hushmail/iMessage/etc silent escrow key attack.

The interesting thing with the graphic patterns is that they're lossy. If you assume that a person will just describe the pattern or show a picture of them to one another, it becomes fairly easy to forge them.

http://telegram.org/img/key_image.jpg

Blue in the top and bottom, white line through the middle. So little information that anybody could simply brute force the keys until they found one that matched the description well enough.

I'd happily write a little attack for that, but it's clearly not "breaking" the system enough for the bounty.

unauthenticated Diffie-Hellman key agreement is known for MITM attack.
Does the secret email address change every day? Or is it the same one from now until the close of the contest?
This is like putting messages encrypted with ANY encryption algorithm, and ask people to guess the key. This has nothing to do with whether the communication protocol is secure or not.
They are providing the entire log of the protocol communication
Cryptography Snake Oil Warning Sign #9: Cracking contests.

https://www.schneier.com/crypto-gram-9902.html (1999)

This contest isn't a great example of the kind of contests he is talking about.

1) They are giving you the source code, protocol, and a tcpdump of all traffic between the chatters. You can even send messages via the protocol to one of the participants. Its not just here is some encrypted data, decrypt it.

2) They are offering a significant amount of money.

Right, except for

2) there are no arbitrary definition of what winning means

The definition of winning in this contest creates a large class of potential vulnerabilities that would be paid $0.

From that page:

> [...] the contest is fair because 1) the algorithm is completely specified, 2) there are no arbitrary definition of what winning means, and 3) the algorithm is public domain

(comment deleted)
Somewhat sad to see people on HN posting the Schneier link to counter the post without even bothering to read what it is about. I mean, it's almost like people have already formed opinions without giving the Telegram people a try. This is not how science works.
When Telegram showed their product on HN a few days ago, they were given constructive criticism and asked to justify the way they implemented their system. They responded by bragging about how many mathematics PHDs worked on the product.

Not satisfied at leaving it there, they then claimed that their crypto system doesn't need to be justified, because their customers aren't concerned about the specifics of their implementation of known broken algorithms.

Finally, they placed the burden of proof on the public, which doesn't work when it comes to cryptography.

They were given the opportunity to explain their design decisions in an environment of mutual respect, and they responded to this offer by stonewalling two of HN's resident security gurus.

Our Twofish cryptanalysis contest offers a $10K prize for the best negative comments on Twofish that aren't written by the authors. There are no arbitrary definitions of what a winning analysis is. There is no ciphertext to break or keys to recover. We are simply rewarding the most successful cryptanalysis research result, whatever it may be and however successful it is (or is not). Again, the contest is fair because 1) the algorithm is completely specified, 2) there are no arbitrary definition of what winning means, and 3) the algorithm is public domain.

This Telegram contest may seem superficially similar to that fair contest, but it differs in some important ways. First, this contest isn't rewarding "best effort". Second, this contest doesn't meet those criteria, because their central server isn't being tested here. The goal of a product like Telegram is to defend against adversaries like governments, and hence governments will be able to probe their servers for weaknesses. You may say that we, too, can do the same, but if that's the case, a test server should be made available and the contest should explicitly try to get as many people as possible to break it.

This contest is interesting, but it's too artificial. As just one example of why that's the case: breaking real-world crypto often relies on side channel attacks, for instance timing attacks, and there's no opportunity of employing those attacks here due to the artificial nature of the contest.

Once again, if people here are interested in a secure alternative to Telegram that doesn't rely on public stunts for cryptanalysis, then check out TextSecure. It was designed by cryptographers, is open-source, and has been studied in detail for years. https://whispersystems.org/

EDIT: It appears Telegram is also vulnerable to MITM attacks. This is the NSA's preferred method of gathering info, so this is the most likely attack vector against Telegram. Due to the design of the protocol, there seems to be no defense. https://news.ycombinator.com/item?id=6931892

Telegram's response is "we protect against this because if you've initiated a secret chat previously, then you're protected." However, this isn't true. 1) a global adversary like the NSA can (and will, if they become interested in Telegram) simply MITM every secret chat session when they're first initiated; therefore if you use Telegram, you should assume the government has your data anyway, since this protocol offers no protection against mass snooping. 2) Secret chats aren't even the default type of chat in Telegram anyway, making it very unlikely that users will be protected by it. The defaults need to be secure.

References:

https://news.ycombinator.com/item?id=6931892

https://news.ycombinator.com/item?id=6931961 (Telegram's response, which seems to verify that secret chats can be MITM'd on first initiation.)

https://news.ycombinator.com/item?id=6931903 (Demonstrates that Telegram seems to be misunderstanding why someone breaking into the central server can MITM your chats.)

(comment deleted)
Moxie is a great researcher and WhisperSystems seem serious. However, I don't understand why you claim that TextSecure is designed by cryptographers.

From what I've seen, they use something called the "Axolotl Ratchet", developed by Trevor Perrin. A quick search of his name didn't yield any crypto papers / research by him.

Also, you write "and has been studied in detail for years"

There are no links/references to code/protocol reviews in the WhisperSystems website.

Again, I have the utmost respect for their research, it's just that from the side of a non-crypto-versed user/coder, Telegram and TextSecure look the same.

Trevor Perrin is a cryptographer.
Trevor Perrin worked at Cryptography Research (I mean, the domain name is cryptography.com!) for six years, which alone should probably be enough to call yourself a cryptographer. His other work outside of CRI is also really quite prolific.

> Again, I have the utmost respect for their research, it's just that from the side of a non-crypto-versed user/coder, Telegram and TextSecure look the same.

Yep, it's frustrating to be the quixotically genuine seller in a market for lemons.

I have a question about TextSecure. Do you plan on implementing something like SMP from OTRv3 in the TextSecure protocol?
1. register numbers close to the target.

2. wait until sender mistypes destination on one message.

3. claim prize.

Wouldn't legitimate cryptography products also tend to offer such challenges? It's not much different than bug bounties, which are common and (at least according to my impression) well-accepted as a legitimate practice.
In #5, Schneier says "For public-key cryptography, 2048-bit keys have same sort of property; longer is meaningless."

Back in September, he issued a new public key of 4096 bits[1].

1. https://news.ycombinator.com/item?id=6376954

If there's anything that's certain, it's the progress of compute power. The fact that his statement lasted 14 years is impressive. I mean, 640K ought to be enough for anyone.
No, not at all. Requiring an increase of 2048 bits over 14 years implies that computing power increases by a factor of 216 every year.
You need to factor in speedups due to advances in factoring algorithms, too. And it's possible that the software doesn't have any options between 2048 and 4096. (I have no idea, I didn't check.)
That would be true if RSA keys were brute forced, but they aren't - e.g. 512 bit RSA takes days/weeks to break on commodity hardware these days, whereas 512 bit brute force (as is essentially needed for ECC these days) takes significantly longer than the estimated age of the universe.

See http://en.wikipedia.org/wiki/Integer_factorization_records

Marketing Strategy #724: Create Controversy

(regardless of the product, they succeeded in a cheap way to get launched, very likely at a cost of $0)

Tarsnap has a bug-bounty program [1] which has uncovered numerous bugs, including a critical security bug [2]

It seems to me that offering a bug bounty can significantly improve the security of a system, even when the prize-money is relatively small.

[1] http://www.tarsnap.com/bugbounty.html

[2] http://www.daemonology.net/blog/2011-01-18-tarsnap-critical-...

the difference here is that there's no "fake-world" contest. Tarsnap is asking for a real-world hack of their system.

Telegram, on the other hand, is trying to prove that their algorithm is unbreakable. AES is pretty good too. As is noted in other comments, it's generally the system, not the algorithm, that gets broken.

The nonce-increment bug wasn't found as part of the bug bounty program; it was retroactively included when I set up the bug bounty program a few months later.
"Since key length and key structure vary and since the encryption engine does not use any mathematical algorithms, reverse engineering is impossible and guessing is not an option"

Gold :-)

This is such a sham. Here, I'll offer $2000 to break my plaintext crypto. Every morning, in the shower, I'll say a secret word. Email me the secret word and I'll send you $2000 in BTC.
The code is open. It's more or less the same if you tell us your address.
I'll need to narrow it down further, but I'm pretty sure it's one of "Oh", "god", "groan", "I'm", "running", "late", "for", "work", "again". Hrm, does groan count as a word? How many guesses am I allowed?
You say "cold". I use the same plaintext crypto =)
PLEASE edit the title saying $200K in Bitcoins and not real $.Otherwise it seems link-bait (misleading).
If the winner prefers regular USD over BTC, we will provide USD.
This is their protocol header

<Magic Number (Nonce?)> . <Magic Number> <Number of bytes + 1> IN/OUT <Ip Address>

More like epoch time followed by bytes and then IP address
> 100% FREE & NO ADS: Telegram is free and will always be free. We do not plan to sell ads or introduce subscription fees.

how you are then going to make a money ?

Paid features, like stickers and etc.
Sorry, but how does Google ads mediation have anything to do with stickers and the like? I fail to see the connection.
The problem with this test is that there are many encryption systems I would consider fundamentally broken where I could not claim this prize.

To make this a slightly fair challenge, we should at least be allowed to get the clear text of our choice also encrypted with the same key.

(comment deleted)
I understand they reveal the algorithm so you should be able to encrypt any text of your choice if that helps.
Someone will probably break an employee's computer and will just access private information, good game 200k. And then they will say it's unfair and I'm not paying you. And then HN will go crazy. Mark my word HN.
The problem with such a test is that it is a limited attack surface compared with the real app in use. There is a log of messages that are encrypted but there are no possibilities of active attacks such as man in the middle attacks and others that attack the protocol rather than the encryption.
Note to everyone in technology...Hacker News isn't the crowd that you need to impress.

The cryptanalysis community, in particular, has a small group of experts that can credibly critique your ideas. They would probably love to pick apart a new system...seriously in the hopes that it advances the art, but critically in the case that it doesn't.

Claims of some kind of "tightly knit" cabal of closed minded people excluding you would be a warning sign. (It sounds like creationism. Not that this is what these guys did. I'm just saying.)

Maybe instead of a competition they could have just approached some of the cryptanalysis community for an early look? Those guys could kick the tires and pass it on to others that they know. That really seems to be how this area works.

Did I miss somewhere where it stated this was HN-specific? This could just as easily have (and probably has) been posted to multiple communities, including ones that are more crypto-focused.

Just because it appears here does not in any way shape or form indicate that they're trying to impress the HN community, nor that they're specifically targeting HN.

This contest is a direct result of some arguments that happened on HN when they announced their product.
I love how Telegram, at the beginning of a secret chat, says og is "200% secure". Right below the graphical representation of the cryptokey.
Only 200%? That's not good enough for me. I need it 300% secure at a minimum...
Is anyone able to determine whos running this company? All the records seem to be anonymized.
Pavel Durov and his brother. Pavel Durov got rich by copying facebook for the Russians. His brother is supposed to be a mathematician/computer scientist.