$200,000 Competition To Break Telegram's Code
Written by Kay Ewbank   
Friday, 20 December 2013

Can you crack Telegram's encryption? If so you could win $200,000 but you have to do it before March next year and it looks like a difficult task. Updated

The open-source private messaging service Telegram has launched a competition to show off its encryption technology. The challenge is that the first person to break the protocol will win $200,000 in Bitcoins. How much the prize will be worth after a few minutes of being awarded is another matter!

telegraphicon3

Telegram is a relatively new company started in August 2013 by the founders of VKontakte, the largest European social network, and the prize money for the competition is being provided by VKontakte founder Pavel Durov.

The way the competition works is that each day Paul (+79112317383) will be sending a message containing a secret email address to Nick (+79218944725).

To win the prize, you need to decipher the message, find the secret email address, and send an email to it. Your email has to contain the entire text of the message that contained the secret email, your Bitcoin address to receive the $200,000 in BTC, and a detailed explanation of how you attacked and cracked the encryption.

 

telegraphicon2

In the announcement of the competition the Telegram team says that

“to prove that the competition was fair, we will publish the participating keys necessary to decrypt the traffic as soon as a winner is announced. In case there is no winner by March 1, 2014, encryption keys will be published at that date.”

Telegram is a cloud-based encrypted messaging service that lets you send messages, photos and videos to people who are in your phone contacts. It lets you access your messages from different devices and store an unlimited number of photos and videos in the cloud. The service is free and has no ads.

Asked how they intent to make money from the project, the company says

“We believe in fast and secure messaging that is also 100% free. Therefore Telegram is not a commercial project. It is not intended to sell ads, bring revenue or accept outside investment. If Telegram runs out of money, we'll invite our users to donate or add non-essential paid options.”

VKontakte founder Nikolai Durov developed a custom data protocol that Telegraph says is open, secure and optimized for work with multiple data-centers.

telegraphicon1

 

 

Telegram for iPhone was launched on August 14, 2013, and an alpha version of Telegram for Android was launched on October 20, 2013. Mac OS X and Windows versions are under development by independent developers using

The company has an open API for developers that can be used to build applications for other platforms. If you look through the documentation you will discover that the encryption uses AES with a 256 bit key with some additional steps to make it more secure:

 

telegraphcode

Given that AES 256 is still believed (rumours about the NSA aren't confirmed) to be uncrackable then the only real hope is that there is some flaw in the surrounding algorithmic steps involving the keys and the IGE. 

Update

An analysis  on the CryptoFails website of Telegram's challenge and its methods suggest that the encryption might not be as secure as it seems. To quote:

Some problems are immediately apparent:

 

  • They use the broken SHA1 hash function.
  • They include a hash of the plaintext message in the ciphertext. Essentially, they are trying to do “Mac and Encrypt” which is not secure. They should be doing “Encrypt then Mac” with HMAC-SHA512.
  • They rely on an obscure cipher mode called “Infinite Garble Extension.”
  • Some really weird stuff about factoring 64-bit integers as part of the protocol.
  • They do not authenticate public keys.

 

If their protocol is secure, it is so by accident, not because of good design. They claim the protocol was designed by “six ACM champions” and “Ph.Ds in math.” Quite frankly, the protocol looks like it was made by an amateur. The tight coupling between primitives suggests the designer was not familiar with basic constructs, like authenticated encryption, that you can find in any cryptography textbook.

Even so given that you can't use a known plaintext to challenge the encryption it is still a difficult task. If the cypher isn't cracked in the time it doesn't prove that it is secure only that it is secure under the restricted conditions of the competition. 

telegraphicon3

Banner


Microsoft Garage - What?
26/10/2014

The Garage is a place that Microsofties go to play with their pet projects. Now Microsoft has decided to make this into the stuff of myth and legend and let us get at the fruits of this unpaid labour. [ ... ]



Become A Web Developer With Udacity
01/10/2014

Last week Udacity opened its classroom doors on Front-End Web Developer, its first nanodegree. This credential, which is estimated to take six to nine months to complete at a cost of $200 per month, i [ ... ]


More News

 

Last Updated ( Friday, 20 December 2013 )
 
 

   
RSS feed of news items only
I Programmer News
Copyright © 2014 i-programmer.info. All Rights Reserved.
Joomla! is Free Software released under the GNU/GPL License.