$200,000 to the first person to break Telegram - helgidub
https://telegram.org/crypto_contest
Telegram backer, Pavel Durov, will give $200,000 in BTC to the first person to break the Telegram encrypted protocol. Starting today, each day Paul (+79112317383) will be sending a message containing a secret email address to Nick (+79218944725). In order to prove that Telegram crypto was indeed deciphered and claim your prize, send an email to the secret email address from Paul's message.

Your email must contain:
- The entire text of the message that contained the secret email.
- Your Bitcoin address to receive the $200,000 in BTC.
- A detailed explanation of the attack.

Encrypted Telegram traffic from and to Paul's account is publicly available for download from this page. You can send Telegram messages to Paul and view his traffic in real time.

To prove that the competition was fair, we will publish the participating keys necessary to decrypt the traffic as soon as a winner is announced. In case there is no winner by March 1, 2014, encryption keys will be published at that date.
======
mds
Cryptography Snake Oil Warning Sign #9: Cracking contests.

[https://www.schneier.com/crypto-gram-9902.html](https://www.schneier.com/crypto-gram-9902.html) (1999)

~~~
sillysaurus2
_Our Twofish cryptanalysis contest offers a $10K prize for the best negative
comments on Twofish that aren't written by the authors. There are no
arbitrary definitions of what a winning analysis is. There is no ciphertext to
break or keys to recover. We are simply rewarding the most successful
cryptanalysis research result, whatever it may be and however successful it is
(or is not). Again, the contest is fair because 1) the algorithm is completely
specified, 2) there are no arbitrary definitions of what winning means, and 3)
the algorithm is public domain._

This Telegram contest may seem superficially similar to that fair contest, but
it differs in some important ways. First, this contest isn't rewarding "best
effort". Second, this contest doesn't meet those criteria, because their
central server isn't being tested here. The goal of a product like Telegram is
to defend against adversaries like governments, and hence governments will be
able to probe their servers for weaknesses. You may say that we, too, can do
the same, but if that's the case, a test server should be made available and
the contest should explicitly try to get as many people as possible to break
it.

This contest is interesting, but it's too artificial. As just one example of
why that's the case: breaking real-world crypto often relies on side channel
attacks, for instance timing attacks, and there's no opportunity of employing
those attacks here due to the artificial nature of the contest.

Once again, if people here are interested in a secure alternative to Telegram
that doesn't rely on public stunts for cryptanalysis, then check out
TextSecure. It was designed by cryptographers, is open-source, and has been
studied in detail for years.
[https://whispersystems.org/](https://whispersystems.org/)

EDIT: It appears Telegram is also vulnerable to MITM attacks. This is the
NSA's preferred method of gathering info, so this is the most likely attack
vector against Telegram. Due to the design of the protocol, there seems to be
no defense.
[https://news.ycombinator.com/item?id=6931892](https://news.ycombinator.com/item?id=6931892)

Telegram's response is "we protect against this because if you've initiated a
secret chat previously, then you're protected." However, this isn't true. 1) a
global adversary like the NSA can (and will, if they become interested in
Telegram) simply MITM every secret chat session when they're first initiated;
therefore if you use Telegram, you should assume the government has your data
anyway, since this protocol offers no protection against mass snooping. 2)
Secret chats aren't even the default type of chat in Telegram anyway, making
it very unlikely that users will be protected by it. The defaults need to be
secure.

References:

[https://news.ycombinator.com/item?id=6931892](https://news.ycombinator.com/item?id=6931892)

[https://news.ycombinator.com/item?id=6931961](https://news.ycombinator.com/item?id=6931961)
(Telegram's response, which seems to verify that secret chats can be MITM'd on
first initiation.)

[https://news.ycombinator.com/item?id=6931903](https://news.ycombinator.com/item?id=6931903)
(Demonstrates that Telegram seems to be misunderstanding why someone breaking
into the central server can MITM your chats.)

~~~
warsheep
Moxie is a great researcher and WhisperSystems seem serious. However, I don't
understand why you claim that TextSecure is designed by cryptographers.

From what I've seen, they use something called the "Axolotl Ratchet",
developed by Trevor Perrin. A quick search of his name didn't yield any crypto
papers / research by him.

Also, you write " _and has been studied in detail for years_ "

There are no links/references to code/protocol reviews in the WhisperSystems
website.

Again, I have the utmost respect for their research, it's just that from the
side of a non-crypto-versed user/coder, Telegram and TextSecure look the same.

~~~
moxie
Trevor Perrin worked at Cryptography Research (I mean, the domain name is
cryptography.com!) for six years, which alone should probably be enough to
call yourself a cryptographer. His other work outside of CRI is also really
quite prolific.

> Again, I have the utmost respect for their research, it's just that from the
> side of a non-crypto-versed user/coder, Telegram and TextSecure look the
> same.

Yep, it's frustrating to be the quixotically genuine seller in a market for
lemons.

~~~
conradev
I have a question about TextSecure. Do you plan on implementing something like
SMP from OTRv3 in the TextSecure protocol?

------
earthrise
This is a bullshit challenge. The attack model in which it is set is nothing
like the theoretical models cryptographic systems are designed to be secure
against, and even less like how crypto software is actually attacked in
practice. There is no possibility for known plaintext, chosen plaintext,
chosen ciphertext, side channels, etc.

If they just encrypted their communications with AES-128 in ECB mode with a
fixed random secret key, the challenge could not be won. And that's not even
semantically secure. So we will learn absolutely nothing about the security of
their software from the results of this challenge. Whoever designed this
challenge is either extremely dishonest or knows nothing about cryptography.

If they really want to improve their software, they should offer a $200,000
bounty for a proof of concept implementation of an attack within their threat
model.

Edit: I originally started this post with "...probably designed to get press
rather than to actually improve the software...", which I have removed, since
I have no evidence to support the claim.
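To make the ECB point above concrete, here is an added example in Go (not code from this thread, from Telegram, or from the commenter): it encrypts a constructed five-block message, four blocks of which are identical, under a random AES-128 key in ECB mode and in CBC mode, and then counts, from the ciphertext alone and with no key, how many blocks repeat. ECB leaks the repetition, which is exactly what "not semantically secure" means in practice; CBC with a fresh IV does not. Under the contest's rules neither ciphertext counts as "broken", because recovering the secret address from either still needs the key. The message text and the `repeatedBlocks` observer are constructed for this illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"strings"
)

// Constructed sample plaintext: five 16-byte blocks, four of them identical.
// Any message with repeated structure (templated text, headers, padding) looks like this.
var samplePlaintext = []byte(strings.Repeat("ATTACK AT DAWN!!", 4) + "ATTACK AT NOON!!")

func checkLen(block cipher.Block, plaintext []byte) error {
	if len(plaintext)%block.BlockSize() != 0 {
		return fmt.Errorf("plaintext length %d is not a multiple of the block size", len(plaintext))
	}
	return nil
}

// encryptECB applies the block cipher to each block independently: identical
// plaintext blocks give identical ciphertext blocks under the same key.
func encryptECB(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if err := checkLen(block, plaintext); err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += bs {
		block.Encrypt(out[i:i+bs], plaintext[i:i+bs])
	}
	return out, nil
}

// encryptCBC chains the blocks under a fresh random IV, which is prepended.
func encryptCBC(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if err := checkLen(block, plaintext); err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	out := make([]byte, bs+len(plaintext))
	if _, err := rand.Read(out[:bs]); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, out[:bs]).CryptBlocks(out[bs:], plaintext)
	return out, nil
}

// repeatedBlocks is what a ciphertext-only observer can compute with no key:
// the number of 16-byte blocks identical to some earlier block.
func repeatedBlocks(data []byte) int {
	const bs = aes.BlockSize
	n := 0
	for i := bs; i+bs <= len(data); i += bs {
		for j := 0; j < i; j += bs {
			if bytes.Equal(data[i:i+bs], data[j:j+bs]) {
				n++
				break
			}
		}
	}
	return n
}

// CompareModes encrypts the sample under a random AES-128 key in both modes and
// reports how many repeated blocks each ciphertext leaks (the CBC IV is skipped).
func CompareModes() (ecbRepeats, cbcRepeats int, err error) {
	key := make([]byte, 16)
	if _, err = rand.Read(key); err != nil {
		return 0, 0, err
	}
	ecb, err := encryptECB(key, samplePlaintext)
	if err != nil {
		return 0, 0, err
	}
	cbc, err := encryptCBC(key, samplePlaintext)
	if err != nil {
		return 0, 0, err
	}
	return repeatedBlocks(ecb), repeatedBlocks(cbc[aes.BlockSize:]), nil
}

func main() {
	e, c, err := CompareModes()
	if err != nil {
		panic(err)
	}
	fmt.Printf("repeated ciphertext blocks: ECB=%d CBC=%d\n", e, c)
}
```

The observer never decrypts anything, which is the point: a contest that only asks for the plaintext of a fixed transcript cannot tell the two modes apart, while any chosen-plaintext adversary distinguishes them with a single query.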

~~~
tptacek
I think this is exactly right. In the model proposed here, TLS has never been
broken either.

------
x0054
I have a better challenge! From today until March 1, 2014, I will SSH into my
server and type a secret email address on the command prompt. Send me an email
to that address and tell me my crypto key, and I will allow you to pet my dog
for 5 minutes. (Sorry, I do not have $200k in BTC, or any other currency, for
that matter :(, but my dog is totally cute.)

The point is, the above challenge is impossible without a MITM attack, and
that MITM attack has to take place when I first save the server keys on my
computer. The point is that there are numerous cryptographic protocols
available which can not be broken using currently available technology.

This contest will prove one thing, and one thing only, the cryptographic
algorithm they are using is secure. And it SHOULD be, considering that there
are a lot of publicly available secure algorithms. This contest, however, will
not prove that the Telegram service is secure.

~~~
vinceguidry
Your challenge isn't at all hard. An attacker could get into your server using
some other method besides breaking SSH then simply look at your bash history.

~~~
hengheng
Break into his house, install a key logger. Real world security is fun.

~~~
x0054
At that point you might as well steal the dog :)

------
nwh
Most of the concerns people had were Telegram's servers acting maliciously or
being coerced into acting maliciously, which is obviously not covered by this
contest or the protocol they have designed. It's a bit disingenuous that
Telegram is broken but not in a way that this bounty could pay for.

~~~
jacquesc
Yeah, it's probably against the rules of the competition and will get you
arrested if you try. But I think if someone does break into their central
server and wins the competition that way, they should still be paid out.

~~~
paveldurov
I'm afraid breaking into Telegram's central server (by the way, there is no
such thing) will hardly enable you to decipher end-to-end encrypted secret
chats. But certainly worth trying anyway.

~~~
nwh
It will allow you to conduct a man-in-the-middle attack on all encrypted
traffic though, which would certainly be enough to read messages in plaintext.

~~~
paveldurov
[http://core.telegram.org/techfaq#q-how-are-telegram-users-protected-against-mitm-attacks](http://core.telegram.org/techfaq#q-how-are-telegram-users-protected-against-mitm-attacks)

~~~
sneak
This is irrelevant - the "secret chat" mode is not the default (according to
someone else in this thread) and you're just shoving the key verification
process off on to the user with these silly graphic patterns (which, if OTR is
any indication, the user won't verify anyway).

This is still vulnerable to server-side _key_ MITM. It's the
hushmail/iMessage/etc silent escrow key attack.

~~~
nwh
The interesting thing with the graphic patterns is that they're lossy. If you
assume that a person will just describe the pattern or show a picture of them
to one another, it becomes fairly easy to forge them.

[http://telegram.org/img/key_image.jpg](http://telegram.org/img/key_image.jpg)

Blue in the top and bottom, white line through the middle. So little
information that anybody could simply brute force the keys until they found
one that matched the description well enough.

I'd happily write a little attack for that, but it's clearly not "breaking"
the system enough for the bounty.

~~~
sneak
Someone did exactly this "fuzzy fingerprint" attack for ssh host keys in 2003:

[https://www.thc.org/papers/ffp.html](https://www.thc.org/papers/ffp.html)

~~~
nwh
That was a very good read that I wasn't aware of, thanks for the URL.

------
abcd_f
Pavel, since you are here,

Don't you think that you are basically fighting a needless uphill battle here?
I mean, people _crave_ a good encrypted communication system and you have the
intent and the infrastructure in place, but you are shooting yourselves in the
foot with your cryptographic design indulgence. This animosity _will_
continue, because Telegram crew comes across as cocky and arrogant know-it-
alls, and not because people think you cannot design a crypto protocol. The
contest doesn't help a bit, it only further enforces the impression of
arrogance on your end. This is not what you would've done if you in fact
allowed for the existence of flaws in your design. You would've released an
RFC instead.

I have all the sympathy for you. I don't doubt your motives, but you are
setting yourselves up against skilled technical crowd. It has already started
off on the wrong foot and this unfortunate dynamic will continue.

Perhaps consider offering an alternative crypto suite based on standard
protocols? In parallel with what you have. Just reuse an existing crypto
framework and redo transport layer to your needs.

~~~
paveldurov
abcd_f, I'm not part of the Telegram team, nor am I a cryptographer. However,
I do support these guys, and for the last 3 days I saw the Telegram team
diligently reply to tech questions on Twitter, HN and blogs. I saw them collect
questions from security experts and put up FAQs based on them
[http://core.telegram.org/techfaq](http://core.telegram.org/techfaq) or
[http://core.telegram.org/contestfaq](http://core.telegram.org/contestfaq) as
well as update the obscure parts of their documentation.

>> Perhaps consider offering an alternative crypto suite based on standard
protocols? In parallel with what you have. Just reuse an existing crypto
framework and redo transport layer to your needs.

Again, I am not a cryptographer. But as a person who wants his data to be secure
I don't see anything wrong with different teams trying different approaches. I
100% agree that people crave a good encrypted communication system, but I'm
not sure it can be achieved in a world where everybody uses similar methods.
What if some of the common "best practices" are intentionally promoted in the
crypto-community as the best ones _exactly_ because they contain flaws and
backdoors?

Please allow me to give you an example of something that could be just that.

The Telegram team was criticized by some HN critics for their custom auth key
exchange protocol. People asked – why take a random value from server and a
random value from client and combine both with a creepy function? Why not,
e.g., just generate a random value on the client and use RSA instead? Well,
the answer is simple – the Telegram guys did not trust that the random value
generated on the client-side was really random.

In August 2013 it turned out that their custom approach to protocol enabled
Telegram to stay more secure when multiple other secure apps using more
conventional solutions were hacked
([http://android-developers.blogspot.ru/2013/08/some-securerandom-thoughts.html](http://android-developers.blogspot.ru/2013/08/some-securerandom-thoughts.html)).
Many Bitcoin apps were cracked and people lost money, Open Whisper Systems (I
noticed these guys are aggressively promoted here in the HN community as the
epitome of best security) had to hasten to patch their RedPhone app to avoid
that vulnerability.

So I'm kind of suspicious when I see strong pressure to enforce the use of
common techniques and get rid of uncommon ones just because they are uncommon.
I think the Telegram guys have the right to choose their own path, and I'm
sure our society will only benefit from it.

Of course, building custom solutions is no easy task and requires a lot of
effort. But I've seen some of the Telegram guys (yes, the "6 ACM champions")
create things that I'd thought were impossible. Maybe I am wrong in putting my
trust in their abilities, and I will be fined $200K+ for my naivete. However,
I am willing to continue financing such contests, and I do hope that
eventually we'll all get something much more valuable than $200K.

~~~
abcd_f
Well, to prove my point about you guys coming across as cocky know-it-alls:
here you just did it again, perhaps without realizing it -

> People asked – why take a random value from server and a random value from
> client and combine both with a creepy function?

People well-versed in applied crypto would never ask this question, because
all standard key exchange protocols most certainly use both sides as a source
of randomness. Furthermore - "creepy"? That's all you got away from all those
comments that said your KDF was unproven, not peer-reviewed and _weak_ in
comparison? You basically cherry-picked a dumb question (I assume you haven't
made it up) and then proceeded to demonstrate how clever you are. Guess what?
You just reiterated basic facts, but assigned them to yourself.

Let me repeat what I said. Your problem is not your crypto. Your problem is
the attitude.

~~~
paveldurov
> Your problem is not your crypto. Your problem is the attitude.

OK, now I can see your point. Thank you for taking the time to reply and share
advice.

------
sdevlin
This is really chickenshit, which is completely in line with everything else
these guys have said or done.

Just so we're clear, this rules out:

  * Chosen plaintext attacks
  * Chosen ciphertext attacks
  * Adaptive chosen ciphertext attacks
  * EDIT: Also any kind of side channel

If you're keeping score at home, that's just about everything.

The only thing that would fail to meet this definition of security is
repeating key XOR. And RC4.

~~~
warfangle
If you were able to exploit vulnerabilities in the server, the software
distribution, and the client... but that's not testing Telegram itself, it's
testing everything in between -- including what's between the chair and
keyboard.

Which is where the weaknesses (as witnessed by bitcoin shenanigans) lie,
anyhow.

------
mikeyouse
At least they'll put their money where their mouth is. I'm excited to see
someone call out the naysaying masses on HN and stand by their product in this
regard.

~~~
StavrosK
Unfortunately, this doesn't mean that it's secure. If someone breaks it, it
means it's broken, but if nobody breaks it, it doesn't mean someone else can't
break it (or hasn't already).

~~~
mikeyouse
Agreed, but the tone of the previous discussion was definitely more along the
lines of "This could never work, you guys don't know what you're doing."

If it proves resilient over 2.5 months of highly motivated attacks (motivated
by both the money / "I-Told-You-So" factor), I think that's a fairly strong
statement in their favor.

~~~
killertypo
I have a day job and I'm not going to drop everything for the chance I won't
make any money at all... told-you-so factor or not.

~~~
saraid216
I feel obligated to point out that it may be worth it if you make less than
$200k in 2.5 months.

------
xerophtye
OK, so here's what I understand is going on here from reading the challenge
and people's responses.

1) A classical crypto-challenge where you are given a cipher text and the
algorithm and told to crack it is somewhat useless, because that would just
prove the strength of the primitive algorithm, not the system. Here you are
given a scenario and told to use whatever attack is at your disposal to hijack
the conversation and somehow retrieve the plain text. So while it is similar
in some ways, it is not exactly the same case.

2) People are not amused because they seem to find the vulnerability that upon
initiation of the secret chat, the first time, the server can perform a MITM
attack, because apparently they use a Diffie-Hellman key exchange where the
server connects them to each other. So the server is in the best position to
do the MITM. And this contest does not allow making that attack (even if you
had the server in your control, the secret chat has been initiated already).

And hence everyone is frustrated because they seem to KNOW the system is weak,
but they can't prove it right now. And this will lead to Telegram boasting in
March.
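The first-initiation scenario summarised above (and the server-side key substitution that nwh and sneak discuss earlier in the thread) as an added worked example in Go, not code from this thread or from Telegram's MTProto: two parties run an X25519 Diffie-Hellman exchange with a server relaying their public values. With an honest relay both derive the same session key; with a relay that substitutes its own values, each party ends up sharing a key with the server instead, and the only thing that reveals it is the two users comparing the full fingerprint of their session key out of band. The `relay` model, the party roles and the SHA-256 fingerprint format are assumptions of this example, not Telegram's construction.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

var curve = ecdh.X25519()

// gen creates a fresh X25519 key pair; a failing CSPRNG is fatal here.
func gen() *ecdh.PrivateKey {
	k, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// Party is one end of the secret chat (Paul or Nick, in the contest's terms).
type Party struct {
	priv *ecdh.PrivateKey
	Key  []byte // session key once the exchange completes
}

// complete derives the session key from whatever public value arrived through
// the server; the bytes themselves carry no proof of who generated them.
func (p *Party) complete(peerPub []byte) error {
	pub, err := curve.NewPublicKey(peerPub)
	if err != nil {
		return err
	}
	p.Key, err = p.priv.ECDH(pub)
	return err
}

// Fingerprint is the out-of-band check: a digest of the session key that both
// users compare over a channel the server does not control.
func Fingerprint(key []byte) string {
	sum := sha256.Sum256(key)
	return hex.EncodeToString(sum[:])
}

// relay models the server that introduces the two parties. An honest server
// forwards each public value unchanged. A hostile one substitutes its own value
// in each direction and pairs it with the real value it intercepted, so it ends
// up holding a separate session key with each party.
func relay(hostile bool, pubA, pubB []byte) (toA, toB, srvKeyA, srvKeyB []byte, err error) {
	if !hostile {
		return pubB, pubA, nil, nil, nil
	}
	fakeA, fakeB := gen(), gen() // fakeA is shown to B as "A's value", fakeB to A as "B's"
	realA, err := curve.NewPublicKey(pubA)
	if err != nil {
		return nil, nil, nil, nil, err
	}
	realB, err := curve.NewPublicKey(pubB)
	if err != nil {
		return nil, nil, nil, nil, err
	}
	if srvKeyA, err = fakeB.ECDH(realA); err != nil { // equals the key A will derive
		return nil, nil, nil, nil, err
	}
	if srvKeyB, err = fakeA.ECDH(realB); err != nil { // equals the key B will derive
		return nil, nil, nil, nil, err
	}
	return fakeB.PublicKey().Bytes(), fakeA.PublicKey().Bytes(), srvKeyA, srvKeyB, nil
}

// Outcome records what each participant can observe after the exchange.
type Outcome struct {
	FingerprintsMatch  bool // what Paul and Nick see when they compare out of band
	ServerHoldsPaulKey bool
	ServerHoldsNickKey bool
}

// RunExchange runs one secret-chat setup through an honest or hostile server.
func RunExchange(hostileServer bool) (*Outcome, error) {
	paul, nick := &Party{priv: gen()}, &Party{priv: gen()}
	toPaul, toNick, srvA, srvB, err := relay(hostileServer,
		paul.priv.PublicKey().Bytes(), nick.priv.PublicKey().Bytes())
	if err != nil {
		return nil, err
	}
	if err := paul.complete(toPaul); err != nil {
		return nil, err
	}
	if err := nick.complete(toNick); err != nil {
		return nil, err
	}
	return &Outcome{
		FingerprintsMatch:  Fingerprint(paul.Key) == Fingerprint(nick.Key),
		ServerHoldsPaulKey: srvA != nil && bytes.Equal(srvA, paul.Key),
		ServerHoldsNickKey: srvB != nil && bytes.Equal(srvB, nick.Key),
	}, nil
}

func main() {
	for _, hostile := range []bool{false, true} {
		o, err := RunExchange(hostile)
		if err != nil {
			panic(err)
		}
		fmt.Printf("hostile server=%v: fingerprints match=%v, server holds Paul/Nick keys=%v/%v\n",
			hostile, o.FingerprintsMatch, o.ServerHoldsPaulKey, o.ServerHoldsNickKey)
	}
}
```

Comparing the whole digest is what gives the check its value: in the hostile case the two fingerprints differ across the entire hash, so any honest comparison catches it, whereas a comparison reduced to a few remembered features of a picture has correspondingly few bits of protection. Nothing in the relayed bytes distinguishes the two runs; a contest that only hands out the transcript of an already-established chat cannot exercise this step at all.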

------
h0cked
This is like putting up messages encrypted with ANY encryption algorithm and asking
people to guess the key. This has nothing to do with whether the communication
protocol is secure or not.

~~~
utnick
They are providing the entire log of the protocol communication

------
CJefferson
The problem with this test is that there are many encryption systems I would
consider fundamentally broken where I could not claim this prize.

To make this a slightly fair challenge, we should at least be allowed to get
the clear text of our choice also encrypted with the same key.

~~~
piokuc
I understand they reveal the algorithm so you should be able to encrypt any
text of your choice if that helps.

~~~
mintplant
But not with the same key.

------
MichaelGG
This is such a sham. Here, I'll offer $2000 to break my plaintext crypto.
Every morning, in the shower, I'll say a secret word. Email me the secret word
and I'll send you $2000 in BTC.

~~~
vacri
I'll need to narrow it down further, but I'm pretty sure it's one of "Oh",
"god", " _groan_ ", "I'm", "running", "late", "for", "work", "again". Hrm,
does _groan_ count as a word? How many guesses am I allowed?

------
r-s
Travel to Russia, get a big wrench and hit Durov with it until he gives up his
password. Win 200k.

In all seriousness, I'm interested to see if anyone can crack this.

~~~
helgidub
He is in US now.

~~~
carmaa
Yep, in San Jose.

------
helgidub
So yeah guys, Pavel Durov saw your comments regarding security of Telegram
messenger. Go for it.

~~~
pstuart
All the haters here can go pound sand. It's a cool project, and I like the
mindset behind it: [https://telegram.org/faq#q-how-are-you-going-to-make-money-out-of-this](https://telegram.org/faq#q-how-are-you-going-to-make-money-out-of-this)

------
mullingitover
This would be an easy contest to win: bribe someone at Telegram $100k to help
you MITM.

------
josephlord
The problem with such a test is that it is a limited attack surface compared
with the real app in use. There is a log of messages that are encrypted but
there are no possibilities of active attacks such as man in the middle attacks
and others that attack the protocol rather than the encryption.

------
sergiotapia
Of all the software branches out there in the world, crypto's are by far the
coolest and scariest in my opinion. They wield obscure knowledge, have long
beards, a white van full of tech, communicate in some obscure protocol with
each other - oh man. :)

I'm really excited to see if this is cracked!

~~~
igindin
And what if not?

------
d0m
Someone will probably break an employee's computer and will just access
private information, good game 200k. And then they will say it's unfair and
I'm not paying you. And then HN will go crazy. Mark my word HN.

------
legierski
How is that supposed to be secure? All I need to snoop on your conversations
is access to your phone for 1 minute to receive the activation code and delete
message about new device connected to the account.

------
poolpool
This is $200,000 in bitcoins, not actually $200,000.

~~~
logicallee
what do you think the definition of "$200,000 in bitcoins" is?

~~~
poolpool
I think it means it's 200k in "bitcoin" that's near impossible to cash out at
such volumes. So I think this is a PR stunt and nothing more.

Rolling your own encryption has always been proven to be the worst idea.

~~~
paveldurov
If you don't like BTC and other cryptocurrencies, we will be happy to transfer
regular 200,000 USD to you after you win. It's up to you.

~~~
vasilipupkin
You came up with something awesome. Well done!

I personally think it's great that people are trying various solutions.
Disclaimer: I know little about cryptography

------
feronull
> 100% FREE & NO ADS: Telegram is free and will always be free. We do not plan
> to sell ads or introduce subscription fees.

How are you then going to make money?

~~~
helgidub
Paid features, like stickers etc.

~~~
peter_tonoli
Sorry, but how does Google ads mediation have anything to do with stickers and
the like? I fail to see the connection.

------
jd007
Is that $200,000 in BTC valued at the time that the award will be given, or
valued now? With the way things are going, not sure which would be better...

~~~
asperous
At the time of the reward. This is implicitly stated by the fact that he
didn't specify the number of BTC. $500 is still a ton btw, two months ago a
Bitcoin was worth $200.

------
cypherpnks
This contest is a sham. Crypto has to be secure against things like known-
plaintext attacks and similar. That's typical in any real-world setting.

------
patmcc
Does the secret email address change every day? Or is it the same one from now
until the close of the contest?

------
eof
To do this "right", shouldn't they release a hash _now_ of the keys that will
be exposed in March, as well as sign a message from a bitcoin address
containing ~500 BTC?

~~~
Dylan16807
Why a hash now, do you think they're going to be able to release fake keys
that somehow decrypt the cyphertext to email addresses?

And converting into bitcoin months preemptively is a speculative gamble, not a
verification of anything.

------
kul_
Although I have limited knowledge of crypto, the algorithm seems pretty
similar to what is used in SSL, with key exchange via DH and encryption via
AES. Although I notice that instead of a server, clients are doing key creation
and exchange, which is why Telegram may be calling the architecture
'decentralized'. What is new here? How is it Telegram's own encryption method?
Is just having an SSL-like client-to-client security model what is being
coined as MTProto?

------
exit
So the winner is allowed to remain completely anonymous, receiving 200k USD
payment in BTC?

~~~
damian2000
Enabling an insider who knows how it works to win and not be discovered?
Although having to detail the attack method may prevent that.

------
xentronium
I find it amusing how first this genuinely benevolent side project puts Pavel
in trouble with his investors and then HN crowd hates it too.

------
nullc
Is anyone able to determine who's running this company? All the records seem to
be anonymized.

~~~
11001
Pavel Durov and his brother. Pavel Durov got rich by copying facebook for the
Russians. His brother is supposed to be a mathematician/computer scientist.

------
GigabyteCoin
Surprising they didn't prove that they actually control $200k worth of BTC
when it's so gosh darned simple to do so.

How do I know they are being honest?

They should have signed that blog post with their BTC wallet.

~~~
nilkn
[http://en.wikipedia.org/wiki/Pavel_Durov](http://en.wikipedia.org/wiki/Pavel_Durov)

[http://www.complex.com/tech/2012/08/the-25-richest-tech-entrepreneurs-under-30/pavel-durov](http://www.complex.com/tech/2012/08/the-25-richest-tech-entrepreneurs-under-30/pavel-durov)

I don't think money is going to be a problem here.

------
zooko_LeastAuth
Could you show us examples of the actual message sent each day from Paul to
Nick, except with the secret email address XXX'ed out? Is it the same message
each day, or different?

------
fegu
I love how Telegram, at the beginning of a secret chat, says it is "200%
secure". Right below the graphical representation of the crypto key.

~~~
tromp
Only 200%? That's not good enough for me. I need it 300% secure at a
minimum...

------
nnx
I find it cute that the server's IP address as available in the logs is
assigned to an organization named "Digital Fortress Corp".

------
memracom
Judging by the phone numbers, I would say that this is likely to be some form
of elliptic curve cryptography with domain parameters different from the NIST
and GOST standards.

I don't personally have the depth of experience with elliptic curves to go
about cracking this crypto, but others have cracked elliptic curve algorithms.
Perhaps one of those people will find this tidbit useful in narrowing the
field.

Also, I would expect that at least some of the plain text is Unicode, probably
the plane from 0400-04FF.

------
Justsignedup
While the contest itself is not wonderful, they do offer the source code, they
offer constant traffic, and they claim the contest is ongoing, so even if you
don't win now, you might later.

The last point Schneier made, of them winning but not telling you until they
feel it's worth it, is still valid.

------
swami1984
inb4 post about Schneier and snake oil contests - oh wait!

------
negamax
This is their protocol header

<Magic Number (Nonce?)> . <Magic Number> <Number of bytes + 1> IN/OUT <Ip
Address>

~~~
joyeuse6701
More like epoch time followed by bytes and then IP address

------
mattbarrie
This can only end badly.

------
blahbl4hblahtoo
Note to everyone in technology...Hacker News isn't the crowd that you need to
impress.

The cryptanalysis community, in particular, has a small group of experts that
can credibly critique your ideas. They would probably love to pick apart a new
system...seriously in the hopes that it advances the art, but critically in
the case that it doesn't.

Claims of some kind of "tightly knit" cabal of closed minded people excluding
you would be a warning sign. (It sounds like creationism. Not that this is
what these guys did. I'm just saying.)

Maybe instead of a competition they could have just approached some of the
cryptanalysis community for an early look? Those guys could kick the tires and
pass it on to others that they know. That really seems to be how this area
works.

~~~
mynameisvlad
Did I miss somewhere where it stated this was HN-specific? This could just as
easily have (and probably has) been posted to multiple communities, including
ones that are more crypto-focused.

Just because it appears here does not in any way shape or form indicate that
they're trying to impress the HN community, nor that they're specifically
targeting HN.

~~~
blahbl4hblahtoo
This contest is a direct result of some arguments that happened on HN when
they announced their product.

------
uonyx
Shots fired.

------
suyash
PLEASE edit the title saying $200K in Bitcoins and not real $. Otherwise it
seems like link-bait (misleading).

~~~
paveldurov
If the winner prefers regular USD over BTC, we will provide USD.