MTProto and the 'Jakobsen paper'

Some users asked me about a post on Medium that claimed Telegram was not secure to use. The author cited this as the reason:

In 2015, a security researcher published a paper revealing several major exploits in MTProto and concluded that Telegram shouldn’t have tried to roll their own encryption.

This statement is simply false. No known ways of undermining MTProto encryption exist today.

Jakob Jakobsen's thesis (it was a university project) did use language far stronger than is usual in academic writing, which could lead non-specialists to think he was on to something serious, but he didn't discover any 'major exploits' at all.

In fact, his only actual finding was summed up by him and his teacher in a much more cautious article [1] and has to do with a property called IND-CCA (indistinguishability under chosen-ciphertext attack). The deviation from this property in MTProto is purely technical and doesn't allow for any wrongdoing.

To put the case into familiar terms:

A postal worker can write 'Haha' (using invisible ink!) on the outside of a sealed package that they deliver to you. It doesn't stop the package from being delivered, it doesn't allow them to change the contents of the package, and it doesn't allow them to see what was inside.

This analogy was confirmed by Jakob Jakobsen as correct. [2]

So, far from being a "major exploit", his "attack" is rather like saying "Boo!" to a passing train. Yes, you did it. But it didn't change anything, nobody heard you, and you got nothing in return.

For a detailed explanation of how the attack works and why it is harmless, please see Telegram's Technical FAQ.

Note: MTProto 2.0 satisfies the IND-CCA criteria.
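To see what the 'invisible ink' analogy means in cryptographic terms, here is a toy model added for this page. It is an illustration, not Telegram's code: it uses a SHA-256 keystream in place of MTProto's AES-IGE and its own message layout, so the only thing being modelled is which bytes the integrity tag covers. With `pad_authenticated=False` the tag covers the message but not its random padding, so a ciphertext with an altered padding byte still decrypts to the same message: a second, different ciphertext for the same plaintext, which is exactly the kind of deviation the IND-CCA definition forbids, while the content stays unreadable and unchangeable. With `pad_authenticated=True`, the approach MTProto 2.0 takes by covering the padding with msg_key, the altered ciphertext is rejected. The key, nonce and message are constructed demo values.

```python
"""Toy model of an integrity tag that does (or does not) cover padding.

Constructed illustration only: SHA-256 counter-mode keystream instead of a
real cipher, HMAC-SHA256 as the tag, layout nonce || tag || body where the
body is length(4) || message || padding XORed with the keystream.
"""
import hashlib
import hmac
import os
from typing import Optional

BLOCK = 16      # padding granularity (toy choice, gives 1..16 padding bytes)
NONCE_LEN = 12
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy keystream: SHA-256 over key || nonce || counter. Not a real cipher.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, message: bytes, pad_authenticated: bool,
            nonce: Optional[bytes] = None) -> bytes:
    """Tag covers length||message, plus the padding only if pad_authenticated."""
    nonce = nonce if nonce is not None else os.urandom(NONCE_LEN)
    pad_len = BLOCK - (len(message) % BLOCK)   # always >= 1, so the last byte is padding
    padding = os.urandom(pad_len)
    header = len(message).to_bytes(4, "big")
    authenticated = header + message + (padding if pad_authenticated else b"")
    tag = hmac.new(key, authenticated, hashlib.sha256).digest()
    plaintext = header + message + padding
    body = _xor(plaintext, _keystream(key, nonce, len(plaintext)))
    return nonce + tag + body


def decrypt(key: bytes, ciphertext: bytes, pad_authenticated: bool) -> bytes:
    """Returns the message, or raises ValueError if the tag does not verify."""
    nonce = ciphertext[:NONCE_LEN]
    tag = ciphertext[NONCE_LEN:NONCE_LEN + TAG_LEN]
    body = ciphertext[NONCE_LEN + TAG_LEN:]
    plaintext = _xor(body, _keystream(key, nonce, len(body)))
    msg_len = int.from_bytes(plaintext[:4], "big")
    message = plaintext[4:4 + msg_len]
    padding = plaintext[4 + msg_len:]
    authenticated = plaintext[:4] + message + (padding if pad_authenticated else b"")
    expected = hmac.new(key, authenticated, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return message


def _flip_last_byte(ct: bytes) -> bytes:
    # Alters the final body byte, which maps to a padding byte of the plaintext.
    return ct[:-1] + bytes([ct[-1] ^ 0x01])


def _flip_message_byte(ct: bytes) -> bytes:
    # Alters the first message byte (body offset 4, right after the length field).
    idx = NONCE_LEN + TAG_LEN + 4
    return ct[:idx] + bytes([ct[idx] ^ 0x01]) + ct[idx + 1:]


def _accepted(key: bytes, ct: bytes, pad_authenticated: bool) -> Optional[bytes]:
    try:
        return decrypt(key, ct, pad_authenticated)
    except ValueError:
        return None


def run_demo(pad_authenticated: bool) -> dict:
    """Shows what a receiver accepts when the ciphertext is altered in each region."""
    key = b"\x11" * 32              # constructed demo key
    msg = b"meet at noon"           # constructed demo message (12 bytes -> 4 padding bytes)
    ct = encrypt(key, msg, pad_authenticated, nonce=b"\x00" * NONCE_LEN)
    padded_ct = _flip_last_byte(ct)
    return {
        "original_ok": decrypt(key, ct, pad_authenticated) == msg,
        "ciphertexts_differ": padded_ct != ct,
        "padding_altered": _accepted(key, padded_ct, pad_authenticated),
        "message_altered": _accepted(key, _flip_message_byte(ct), pad_authenticated),
    }


if __name__ == "__main__":
    print("padding not covered:", run_demo(False))
    print("padding covered:    ", run_demo(True))
```

`run_demo(False)` reports that the padding-altered ciphertext is accepted and yields the original message, while the message-altered one is rejected; `run_demo(True)` rejects both. That is the whole difference: the weaker variant gives up nothing in confidentiality or content integrity, but it allows two distinct ciphertexts for one message and so fails the formal definition, which the stricter variant satisfies. The practical lesson for anyone designing a transport format is to authenticate every byte the receiver will decrypt, padding included.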

What else was in that paper?

Jakobsen's thesis also mentioned a list of "known attacks" that may look scary to a non-specialist but are irrelevant for Telegram.

What he dubbed the "Malicious server MiTM attack" is the only prominent one among them, even though it's part of Telegram’s ancient history. This theoretical possibility was discovered and fixed on the second day of Telegram's first crypto contest in December 2013. A bounty of 100,000 USD was paid to the person who pointed it out. This remains the only noteworthy flaw to have been discovered in Telegram’s protocol. You can read more about it on the Telegram blog: Crowdsourcing a more secure future.

Aside from this, the author also mentions:

Replay and mirroring attacks which are confirmed by Jakobsen to be negated by Telegram's sequence number checks.

A 'Naive third-party MiTM attack' which is common for any end-to-end encrypted messaging system and is exactly the reason why every app, including Telegram, offers a way of verifying the encryption keys.

And an 'Undetected third-party MiTM attack' that was prohibitively expensive even at the time of writing and is completely impossible now.

Jakobsen also criticized Telegram's use of SHA-1, on the grounds that it "enabled" both the IND-CCA "Boo" attack on the passing train discussed above and the impossible third-party MiTM attack.

And that was it.

So is MTProto secure?

Yes, no known ways of undermining MTProto encryption exist today. Telegram is continuously working with its worldwide community of developers and security specialists to keep it this way.

Telegram's protocol specification is open. The app code is also open. Together with the docs, this allows researchers to fully evaluate the end-to-end encryption implementation. Telegram offers bug bounties and periodic contests to attract attention and scrutiny to its security. Any comments on the security of Telegram's apps and protocol are welcome here: security@telegram.org

Notes

[1] – "We stress that this is a theoretical attack on the definition of security and we do not see any way of turning the attack into a full plaintext-recovery attack." Jakobsen, Orlandi

[2] – "Jakobsen acknowledged that this was a fair analogy for the flaw he and Orlandi found." The Atlantic