Telegram recently updated its symmetric-key encryption scheme MTProto, which seems to fix some known vulnerabilities. Nevertheless, I still do not understand why they roll their own crypto. What properties/advantages do they gain from their homemade MTProto encryption scheme beyond those already provided by the standard key derivation and authenticated encryption schemes?
Viewed 984 times; question score 14
- (4 votes) Why don't you ask Telegram directly? – mentallurg Jun 19 '18 at 23:04
- Are you referring to AES' IGE mode? – Paul Uszak Jun 19 '18 at 23:56
- (2 votes) @PaulUszak Yes, I think the current MTProto scheme is still using AES IGE, but it also has key derivation and message authentication components. So, I am referring to the whole MTProto encryption scheme vs. an authenticated encryption scheme. But we can assume the DH result has been properly shared between the end users. – Shan Chen Jun 20 '18 at 00:16
- (2 votes) @mentallurg Thanks for reminding me of this option. I just sent an email to their security feedback, but I doubt I'll get any meaningful response. – Shan Chen Jun 20 '18 at 00:18
- (3 votes) I don't know why, but probably a combination of naivete, ignorance and arrogance. Everything I've read says that its crypto is terrible. – Swashbuckler Jun 24 '18 at 13:19
- @ShanChen Did you ever receive a reply to your email? – Ella Rose Jan 26 '19 at 16:30
- (1 vote) @EllaRose No. I doubt they would reply whatsoever. It seems that their MTProto scheme is not designed by cryptographers and, not surprisingly, has suffered from several bugs. Although some of them are fixed, their scheme is still not provably secure. – Shan Chen Jan 26 '19 at 19:20
- (2 votes) The "why" is always hard to answer. They do seem to be using standard primitives (although you can argue that IGE modes are not that standard) and try and implement their own protocol. That's possibly not as bad as inventing your own primitives (algorithms) such as variants of RSA or AES, but it leaves enough room for mistakes - as their implementation clearly seems to show, yes. – Maarten Bodewes Jan 27 '19 at 17:46
- I'm voting to close this question as off-topic because the only way to answer this question is from input by the Telegram team - the information doesn't seem to be publicly available. If anybody can get them to answer then please flag this question for reopening... – Maarten Bodewes Sep 09 '19 at 09:22
- @Swashbuckler what have you read? – Kröw Dec 02 '21 at 02:53