MTProto Analysis: Accessible Overview
The Telegram Team
A group of researchers from the University of London and ETH Zurich conducted a formal analysis of the Telegram MTProto protocol.
The central result of the investigation was that MTProto can provide a confidential and integrity-protected channel if special care is taken when implementing the protocol.
The researchers also highlighted several traits of MTProto that were changed as the result of our discussions before the paper was published. This document provides an accessible overview of these changes. For more technical details, see here.
The latest versions of official Telegram apps already contain the changes that make the four observations made by the researchers no longer relevant. Overall, none of the changes were critical, as no ways of deciphering or tampering with messages were discovered.
Telegram welcomes any research that helps make the MTProto protocol and the Telegram apps even more secure — and offers bounties for meaningful contributions.
Changes in Telegram Apps
1. Reordering messages
("reorder messages coming from a client to the server")
The researchers discovered a way to reorder messages as they were being sent. This could only affect outgoing messages, and only before they were delivered.
It did not provide an opportunity to reorder messages that were sent to a chat as a reaction to one another. It did not provide any knowledge about the content of messages that were being reordered.
The researchers used a "no to pizza — yes to crime" example in their paper and press release. Unfortunately, this example is misleading because it implies knowledge of what is being reordered — in reality, the actual content of messages remained unknown.
A more accurate example: you sent several messages one after another, and they arrived in a random order.
Does this work now? No. The latest versions of Telegram apps do not allow reordering messages sent into one chat.
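To make the ordering property concrete, here is an added illustration written for this overview (example code, not Telegram's code and not a description of MTProto's actual mechanism): a simplified authenticated channel in which each record carries a sequence number that is bound into its MAC, run once with the receiver enforcing strict order and once with that check switched off. The key, the sample messages and the record format are constructed for the illustration.

```python
from __future__ import annotations

import hashlib
import hmac

# Constructed shared key for this illustration; not a real MTProto key.
KEY = b"example-shared-key-for-illustration-only"


def tag(key: bytes, seq: int, payload: bytes) -> bytes:
    """HMAC over the sequence number and the payload, so neither can be altered unnoticed."""
    return hmac.new(key, seq.to_bytes(8, "big") + payload, hashlib.sha256).digest()


class Sender:
    """Numbers outgoing records 1, 2, 3, ... and authenticates each one."""

    def __init__(self, key: bytes):
        self.key = key
        self.seq = 0

    def send(self, payload: bytes) -> tuple[int, bytes, bytes]:
        self.seq += 1
        return self.seq, payload, tag(self.key, self.seq, payload)


class Receiver:
    """Verifies each record's tag; with enforce_order=True it also insists on
    receiving sequence numbers 1, 2, 3, ... without gaps or swaps."""

    def __init__(self, key: bytes, enforce_order: bool):
        self.key = key
        self.enforce_order = enforce_order
        self.expected = 1
        self.delivered: list[bytes] = []

    def receive(self, record: tuple[int, bytes, bytes]) -> str:
        seq, payload, t = record
        if not hmac.compare_digest(t, tag(self.key, seq, payload)):
            return "rejected: bad tag"
        if self.enforce_order and seq != self.expected:
            return f"rejected: expected seq {self.expected}, got {seq}"
        self.expected = seq + 1
        self.delivered.append(payload)
        return "accepted"


def deliver(records, enforce_order: bool, key: bytes = KEY):
    """Feed records to a fresh receiver in the given order.
    Returns (per-record verdicts, payloads delivered, in delivery order)."""
    rx = Receiver(key, enforce_order)
    verdicts = [rx.receive(r) for r in records]
    return verdicts, rx.delivered


def demo():
    tx = Sender(KEY)
    # Constructed sample messages; the adversary never learns their content.
    records = [tx.send(m) for m in (b"first", b"second", b"third")]
    swapped = [records[1], records[0], records[2]]  # an on-path adversary swaps the first two

    # Without an ordering check every tag still verifies, so the swap goes unnoticed.
    loose = deliver(swapped, enforce_order=False)
    # With the check, the out-of-order record is refused, so the swap is noticed.
    strict = deliver(swapped, enforce_order=True)
    # Rewriting a sequence number to smuggle a record past the check breaks its tag,
    # because the sequence number is part of what the tag authenticates.
    resequenced = deliver([(1, records[1][1], records[1][2])] + records[1:], enforce_order=True)
    return loose, strict, resequenced


if __name__ == "__main__":
    for label, (verdicts, delivered) in zip(
        ("no ordering check", "strict ordering", "resequenced record"), demo()
    ):
        print(label, verdicts, delivered)
```

The point of the two runs is that message authentication alone does not give an ordered channel: every swapped record is genuine, so only the sequence check, with the number bound into the tag, lets the receiver tell that records arrived in a different order than they were sent.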
2. Re-sending of unacknowledged messages
("detect which of two special messages was encrypted by a client or a server under some special conditions")
This is a purely theoretical point that has no bearing on the security of messages but is inconvenient for researchers who want to formally analyze the protocol. The latest versions of Telegram apps use improved behavior that simplifies such analysis.
3. Implementation of Telegram clients
("recover some plaintext")
Several Telegram apps contained non-ideal code. The researchers did not find any ways of using this to read your messages.
For an analogy, imagine a door with multiple locks. One of these locks could be unlocked — but the door to your messages could still not be opened because it had more than one lock. The researchers said "assuming that all the other locks were also open, you could open the door".
They did suggest a way of opening the other locks, but it would not work (see the "bags of sand" explanation below).
Does this work now? No. This no longer applies to the latest versions of Telegram apps (since version 7.8).
4. RSA decryption on the server
("mount an 'attacker-in-the-middle' attack on the initial key negotiation between the client and the server by exploiting side-channel leakage from RSA decryption on the server")
This may sound scary but was not possible in practice.
For an analogy, imagine you have a billion bags of sand. One of these bags has one grain of sand less than the others — and you must find out which one (in 30 minutes or less).
To do this, you are allowed to pour the sand from any bag into a measuring device. But — in practice! — each time you do this, you lose more than one grain of sand from the bag. And you do not see how many exactly you lost. So, no matter how precise the measuring device, you can't know which bag was the one you were looking for.
Does this work now? No. The latest versions of Telegram apps use an even better way of preventing anyone from "measuring the amount of sand in your bags".
In case you missed it, this document provides an accessible overview — for a more technical take, see here.
Any comments on Telegram's security are welcome at security@telegram.org. All submissions which result in a change of code or configuration are eligible for bounties, ranging from $100 to $100,000 or more, depending on the nature of the changes.