PreprintPDF Available

Automated Symbolic Verification of Telegram's MTProto 2.0

Authors:
Preprints and early-stage research may not have been peer reviewed yet.

Abstract and Figures

MTProto 2.0 is a suite of cryptographic protocols for instant messaging at the core of the popular Telegram messenger application, which is currently used by more than 400 millions of people. In this paper we analyse MTProto 2.0 using ProVerif, a symbolic cryptographic protocol verifier based on the Dolev-Yao model. In particular, we provide a fully automated proof of the soundness of MTProto 2.0's authentication, normal chat, end-to-end encrypted chat, and re-keying mechanisms with respect to several security properties, including authentication, integrity, confidentiality and perfect forward secrecy. To prove these results we proceed in a modular way: each protocol is examined in isolation, relying only on the guarantees provided by the previous ones and the robustness of the basic cryptographic primitives. Our research proves the formal correctness of MTProto 2.0 in the symbolic model, and it can serve as a reference for implementation and analysis of clients and servers.
Content may be subject to copyright.
Automated Symbolic Verification of
Telegram’s MTProto 2.0
Marino Miculan
Department of Mathematics, Computer Science and Physics, University of Udine, Italy
marino.miculan@uniud.it
Nicola Vitacolonna
Department of Mathematics, Computer Science and Physics, University of Udine, Italy
nicola.vitacolonna@uniud.it
Abstract
MTProto 2.0 is a suite of cryptographic protocols for instant messaging at the core of the popular
Telegram messenger application, which is currently used by more than 400 millions of people.
In this paper we analyse MTProto 2.0 using ProVerif, a symbolic cryptographic protocol verifier
based on the Dolev-Yao model. In particular, we provide a fully automated proof of the soundness
of MTProto 2.0’s authentication, normal chat, end-to-end encrypted chat, and re-keying mechanisms
with respect to several security properties, including authentication, integrity, confidentiality and
perfect forward secrecy. To prove these results we proceed in a modular way: each protocol is
examined in isolation, relying only on the guarantees provided by the previous ones and the robustness
of the basic cryptographic primitives.
Our research proves the formal correctness of MTProto 2.0, and it can serve as a reference for
implementation and analysis of clients and servers. Moreover, we isolate the aspects of cryptographic
primitives that require further investigation, in order to deem this protocol suite definitely secure.
2012 ACM Subject Classification
Security and privacy
Security protocols; Security and privacy
Logic and verification; Security and privacy Formal security models
Keywords and phrases
Specification, Verification and Synthesis; Security protocols; Practical veri-
fication; Privacy; Formal methods.
1 Introduction
Telegram [
20
] is a very popular instant messaging application, with more than 400 million
monthly active users (as of April 2020). Besides user-to-user and group communication,
Telegram channels are widely adopted by newspapers, financial institutions, and even
government agencies for broadcasting official news, in particular during emergency situations.
Moreover, Telegram offers an open API to third party developers, allowing for a range of
(possibly commercial) services by means of bots.
At the core of this ecosystem lies MTProto 2.0 [
19
], a suite of cryptographic protocols
designed for implementing fast, scalable, secure message exchange without relying on the
security of the underlying transport protocol. To this end, MTProto is composed by several
(sub)protocols handling the initial authentication of the client with the creation of a shared
keys between client and server, the creation of shared keys between two clients for end-to-end
encryption in secret chats, the rekeying of secret chats, and of course the encryption of all
messages, before being transmitted over a (possibly insecure) network.
Although MTProto 2.0 is completely open and client’s code is open-source, Telegram’s
security model has received wide criticism. First and foremost, the choice of the non-standard,
ad hoc protocol and encryption scheme has been objected, because the lack of scrutiny could
expose the system to vulnerabilities, potentially undermining its security [
13
]. Moreover, all
messages (even those of “secret chats”) pass through (a cloud of) proprietary, closed-source
servers, where they can be stored for any amount of time. This architecture is convenient
arXiv:2012.03141v1 [cs.CR] 5 Dec 2020
2 Automated Symbolic Verification of Telegram’s MTProto 2.0
for users, who can access and synchronise their messages from several devices and send and
receive messages also when the peer is not present, but from a security perspective it means
that the server must be considered as an untrusted party.
This situation raises the need for a practical verification of the MTProto 2.0 protocol suite.
However, in spite of the criticisms above, most research has focused on the previous version
MTProto 1.0, deprecated since December 2017. To our knowledge, no formal, in-depth
verification of MTProto 2.0 has been carried out, so far. This is the scope of this work.
In this paper we formalise and analyse MTProto 2.0 using ProVerif [
6
], a symbolic
cryptographic protocol verifier based on the Dolev-Yao model. In particular, we provide
a fully automated proof of the soundness of MTProto 2.0’s protocols for authentication,
normal chat, end-to-end encrypted chat, and re-keying mechanisms with respect to several
security properties, including authentication, integrity, confidentiality and perfect forward
secrecy. These properties are verified also in presence of malicious servers.
In order to prove these results we proceed in a modular way. Each protocol of the suite
is examined in isolation, specifying which guarantees it requires from previous protocols and
which ones it provides; separation between protocols is guaranteed by the typing discipline
enforced on messages: “out of sequence” messages are simply discarded. For each protocol
we provide its formalisation in ProVerif’s specification language (the applied
π
-calculus), the
formalisation of its security properties, and the results of the formal verification.
This modular approach allows us to cope with the complexity of the suite: on one
hand the concatenation of these analyses yields the formal correctness of the whole suite;
on the other, it allows us to isolate the security properties required on the underlying
message encryption scheme. Namely, the only assumption we make is that the latter is an
authenticated encryption scheme, guaranteeing both integrity of ciphertext (INT-CTXT) and
indistinguishability of chosen plaintext (IND-CPA). These properties are difficult to prove in
asymbolic model like ProVerif’s, but can be proved in a computational model, e.g. using
tools like CryptoVerif or EasyCrypt [
5
,
2
]. This assumption may appear strong, especially
considering that Telegram has been widely criticized for its design choices (such as ad hoc
cryptographic primitives and an unusual encryption mode), and vulnerabilities have been
found in MTProto v1.0 (but actually, none of these attacks have been replicated on the new
MTProto 2.0). Still, proving the logical correctness of the protocol under a fairly general
threat model is very important because, if a weakness in the protocol exists, it must be
looked for in the “lower-level” part of the protocol, among the chosen cryptographic functions
and other implementation choices. We remark that, thanks to the modular approach, in
order to fix any vulnerability that could be found in the message encryption scheme, it will
be enough to replace the scheme only, without modifying the protocols. Thus, in this paper
we focus on the symbolic verification of MTProto 2.0, leaving the analysis of the encryption
scheme in the computational model to future work.
Besides the relevance for Telegram users, the formalisation we present can serve as a
reference documentation for the implementations of other MTProto 2.0 clients and servers.
Synopsis. In Section 2 we recall previous related work. The security model adopted in the
present work is described in Section 3. In Section 4 we recall the structure of MTProto 2.0.
In the successive sections we analyze the subprotocols of MTProto 2.0: initial authorization
key creation (Section 5), key exchange for secret chats (Section 6), re-keying in secret chats
(Section 7). Conclusions and directions for future work are in Section 8.
We assume the reader confident with ProVerif; for an introduction we refer to [
6
] and
several tutorials online. The code of our formalisation is available at
https://github.com/
miculan/telegram-mtproto2-verification.
M. Miculan, N. Vitacolonna 3
2 Related Work
All the published research on MTProto that we are aware of, as well as most online art-
icles, refer to the now deprecated MTProto v1.0 and do not directly apply to the current
MTProto 2.0, deployed in Telegram clients as of v4.6 (December 2017).
Arguably, the closest work to ours is [
13
], where the Signal protocol is formalised in
ProVerif. In loc.cit. MTProto v1.0 is also briefly discussed, but not at the formal level. The
Signal protocol has been studied rigorously in [10, 8, 17], but without a formal verification.
Several issues have been pointed out in MTProto v1.0. Its encryption scheme added a
random padding to the message prior to encryption but after the msg_key was computed,
leading to a couple of theoretical CCA attacks [
12
,
11
]. Besides, earlier versions of the
protocol did not provide forward secrecy, and message sequence numbers were managed by
the server, so that a malicious server could easily perform replay attacks [
12
]. Another form
of replay attack was discovered in Android’s Telegram client v3.13.1 [
18
], where the same
message could be accepted twice by a client after 300 more messages had been sent. This was
due to a flaw in the implementation, which did not abide by Telegram’s Security Guidelines
for Client Developers; in particular, the app did not check that the message ID of the received
message was greater than any of the stored IDs. This was fixed in Telegram v3.16 [18].
The above mentioned issues were addressed in MTProto 2.0, which is claimed by its
developers to be IND-CCA and INT-CTXT secure and to provide perfect forward secrecy
for secret chats. In fact, at the moment no attacks of this kind on MTProto 2.0 are known.
A theoretical MITM attack to MTProto 1.0 has been described in [
16
]. As we will see in
Section 6, the DH exchange used to establish a shared key before initiating a secret chat is
not authenticated by the two ends. Clients are supposed to verify a hash of the shared secret
through an external secure channel. In MTProto v1.0, the first 128 bits of the SHA1 of the
key are used as the fingerprint. A malicious server might social engineer two clients to both
initiate a conversation with each other; since the server forwards all the messages, it might
act as a MITM and try to find two keys whose fingerprints coincide, using a birthday attack
and approximately 2
65
computations [
16
]. In MTProto 2.0 (starting with the so-called “layer
46” of secret chat protocol), the fingerprint is 288 bits long (additional 160 bits are extracted
from the prefix of the SHA256 of the key), thus making this MITM attack likely infeasible.
3 Security Model
We model Telegram protocols in ProVerif [
6
], which is a symbolic cryptographic verifier.
Protocols and security properties are specified in a variant of the applied
π
-calculus, a
formalism designed for representing cryptographic processes, and translated into a Horn
theory. Cryptographic primitives are represented by means of a suitable term theory, by
means of constructors and reduction rules or equations; thus, cryptographic primitives are
modeled as “perfect”, e.g., there is no way to recover a clear text nor the key from ciphertexts.
Following this approach, in our model we consider the message encryption scheme used
in MTProto 2.0 as a robust authenticated-encryption scheme, abstracting from its actual
implementation. An authenticated-encryption scheme, is composed by
an encryption scheme
aenc
that takes key
k
from some fixed keyspace
K
, a nonce
n
, a
message mand returns a string C=aenck(n, m),
a decryption scheme
adec
that takes key
k
from
K
and a string
C
, such that, for all
C, k :adeck(C) = (mif C=aenck(n, m)for some n, m
error otherwise.
4 Automated Symbolic Verification of Telegram’s MTProto 2.0
In practice,
adec
extracts
n
from
C
first (e.g. from the initial part of
C
), then uses it to
decrypt the remaining part of the message.
Formally, in ProVerif the authenticated encryption and decryption primitives are governed
by the following reduction rule:
fun aenc(Bitstring,SharedKey,Nonce) : Bitstring
reduc forall m:Bitstring, k :SharedKey, n :Nonce;adec(aenc(m, k, n), k) = m.
A detailed verification of these cryptographic functions in the computational model is left to
future work.
Threat Model.
We adopt the classical symbolic Dolev-Yao model [
9
], which is the one used
by ProVerif. More specifically, we assume that all messages are transmitted over a public
network, and that an active intruder can intercept, modify, forward, drop, replay or reflect
any message. Besides, we assume that an attacker may also exfiltrate secret data, such as
pre-shared keys, during or after the execution of a protocol. As mentioned above, we assume
that encrypted messages are unbreakable unless the key becomes available to the attacker.
The model for hash functions is also quite strong, being close to the random oracle model.
Timing attacks and guessing attacks are not modeled.
All communication among Telegram clients pass through Telegram servers. Hence, such
servers have access to the plaintext of cloud-based chats and to the ciphertext of secret chats.
Servers are also responsible for choosing the Diffie-Hellman parameters used to derive clients’
long-term authorization keys. Therefore, a server should not be considered as trusted.
Security Goals.
Each part of MTProto has different security goals, which we will define in
later sections. In general, we will consider the following, informally described, goals:
Secrecy:
if a message
m
is exchanged in a session
S
between two honest principals
A
and
B
then
m
is kept confidential (i.e., known only to
A
and
B
) unless an attacker can break
some cryptographic construction or recover the encryption keys before or during S.
Forward secrecy:
confidentiality of
m
is preserved even if the attacker recovers the encryption
keys after Sis completed.
Authentication:
if
B
receives a message
m
which is supposed to come from
A
, then it was
really sent by A.
Integrity:
if
m
is sent from
A
to
B
then
B
receives
m
and not some forged
m06
=
m
instead.
4 The MTProto 2.0 protocol
In this section we provide a high-level overview of MTProto 2.0. For a deeper (albeit informal)
description, we refer the reader to the official web page [19].
MTProto 2.0 is a client/server protocol suite designed for accessing a (MTProto) server
1
from applications running on desktop computers or mobile devices, through an insecure
network. This suite can be divided into three main components (see Figure 1):
High-level API and type language:
defines how API queries and responses are converted
to binary messages. This component fits OSI layers 7 (application) and 6 (presentation).
Cryptographic and authorization components:
defines how applications are authenticated
with the server, and messages are encrypted before being transmitted through the
transport protocol. These components fit OSI layers 5 (session) and 4 (transport).
1
Actually, Telegram employs a network (a “cloud”) of servers in multiple data centers, spread worldwide
for scalability and availability. However, for our aims, we can consider this network as a single server.
M. Miculan, N. Vitacolonna 5
MTProto 2.0
Transport component
Underlying network transport (TCP, UDP, HTTP(S), Websocket…)
Message Encryption
Type language
Message Encryption
Secret chat key
exchange and
rekeying
Authorization
High-level API
Application
Secret
Message
AK
SK
Cloud
Message
C&A
Figure 1
The MTProto 2.0 suite (light blue box). The subject of the present work is the
“Cryptography and Authorization” (C&A) component, here represented by the light green box. AK
(yellow key) is the Authorization Key, established once at the first run. SK (blue key) is the Secret
Chat Session Key, established at the beginning of each secret chat (and changed often). Cloud
messages are encrypted only from client to server (and vice versa), with the AK. Secret messages
are encrypted twice: with the SK, and then with the AK. In this picture the Message Encryption
module is duplicated, but actually it is the same, with different keys.
Transport component:
defines how the client and the server actually exchange messages,
via some existing transport protocol such as UDP, TCP, HTTP, HTTPS, Websocket over
HTTP(S). Notice that also insecure, connectionless protocols are supported.
In this work we focus on the component handling cryptographic transformations and author-
ization. This component can be divided further in the following modules:
Authorization:
this module provides the functionalities for the initial client authorization
and server authentication. It is called on the first run of the application, for deriving
the authorization key (AK), a long-term “master” secret shared with the server only. In
order to establish the Authorization Key, this module executes a cryptographic protocol
(basically a DH exchange) with the server. We will analyse this protocol in Section 5.
Secret chat key exchange and re-keying:
this module provides the functionalities for es-
tablishing a session shared secret key (SK) between two clients. It is executed once
at the beginning of a secret chat and after 100 exchanged messages between the two
parties (or over a week) for installing a new key. In both cases, this module executes a a
Diffie-Hellman exchange with the peer client (through the server). We will analyse this
protocol in Sections 6 and 7.
Message encryption:
All messages between client and server are encrypted with a symmetric
cypher, using an ephemeral key derived from the AK. Moreover, messages in secret chats
are encrypted also with an ephemeral key derived from the SK. The encryption scheme is
the same, but it is use twice (with different keys) in the case of messages in secret chats.
It is important to notice that peer clients never communicate directly: messages always go
through the server, where are stored for being retrieved in a second moment. Messages are
stored in clear in the case of cloud chats, or encrypted in the case of secure chats.
6 Automated Symbolic Verification of Telegram’s MTProto 2.0
Figure 2
MTProto 2.0’s Authentication Protocol. In this and the next diagrams,
{m}pk
represents
the asymmetric encryption of
m
with public key
pk
, and
{m}(k,iv)
is the symmetric encryption with
shared key kand initialization vector iv.
5 Creation of an Authorization Key
On its first run, each Telegram client must negotiate a long-term secret with a Telegram
server. Such authorization key is created through a Diffie-Hellman (DH) exchange, it is
never transmitted over the network, it is used for all subsequent communication between
the client
C
and the server
S
and it is almost never changed (basically, only when the client
application is uninstalled and installed again).
5.1 Informal description
The protocol, shown in Figure 2, consists of three rounds.
Round 1: C
and
S
exchange a pair of randomly generated nonces
nc
,
ns
, which are sent
along with all subsequent messages, both in plaintext and in the encrypted part of each
message. Such pair is used to identify a run of the protocol.
1. Csends a nonce ncto the server.
2. S
replies with a message that contains
nc
, a fresh nonce
ns
generated by
S
, a challenge
pq <
2
63
(to prevent DoS attacks against Telegram servers) product of two primes
p
and q, and a list of fingerprints fp(1)
s,...,fp(`)
s, with ` > 0, of public keys accepted by S.
M. Miculan, N. Vitacolonna 7
Round 2:
The client decomposes
pq
into its factors
p
and
q
, and retrieves the public
key
pk(i)
s
corresponding to some fingerprint
fp(i)
s
. It also generates a new 256-bit random
secret nonce
nk
, which, together with the public
ns
, is used by both parties to derive a
temporary symmetric key
k
and initialization vector
iv
via the public functions gen_key and
gen_iv (basically, by concatenating hashes of substrings of
ns
and
nk
). These data are used
for encrypting the subsequent messages.
3. C
serializes (
pq, p, q, nc, ns, nk
)and encrypts with
pk(i)
s
both this serialized data and its
hash; then it sends nc, ns, p, q, fp(i)
salong with the encrypted payload to S.
4. S
chooses DH parameters
g
and
m
and computes
ga
=
gamod m
for some random
2048-bit number
a
. Then,
S
serializes (
nc, ns, g, e, ga, t
), where
t
is the server’s current
time, and encrypts both such serialized data and its hash using a temporary symmetric
key
k
derived from
ns
and
nk
. It then sends
nc, ns
along with the encrypted payload
to C.
Round 3:
After deriving
k
using the same algorithm as the server,
C
decrypts the received
message and checks that these DH parameters are safe (see below). Then
C
computes
gb
=
gb
mod mfor some random 2048-bit number band derives the shared key gab =gb
amod m.
5. C
serializes (
nc, ns, r, gb
), where
r
is zero at the first attempt to send this message, and it
is equal to a hash of the previous authorization key if the server later asks to renegotiate
the key (within the same session).
C
hashes the serialized data and encrypts both the
hash and the data using k. It then sends nc, nsalong with the encrypted payload to S.
6. S
derives the shared key as
gab
=
ga
bmod m
, then verifies that
gab
is unique by comparing
a hash of
gab
to the hashes of already known keys. If the key hash is unique,
S
sends an
acknowledgment (nc, ns,hash(nk)) to C, otherwise Sreplies with an error message.
All encrypted messages include a SHA1 hash of the content, which the recipient uses after
decryption to verify the integrity of the message against network transmission errors. The
client is required to check that both
m
and (
m
1)
/
2are prime, that 2
2047 <m<
2
2048
and that
g
generates a cyclic subgroup of prime order (
m
1)
/
2. Both parties must also
verify that 1
< g, ga, gb< m
1. Telegram also recommends that both the client and server
check that 2
204864 ga, gbm
2
204864
. Such checks should prevent the use of small
subgroups and malicious primes, but it has already been noted that they could be made
optional if Telegram used standardized values [13].
5.2 Formalisation in ProVerif
For this protocol, public-key encryption is modelled in the standard way using a reduction of
the form
adec
(
aenc
(
x, pk
(
k
))
, k
) =
x
, where
aenc
() is the encryption function,
adec
() is the
decryption function and
pk
(
k
)is the public key corresponding to private key
k
. Thus, the
message encryption scheme is assumed to be a secure authentication encryption scheme.
We assume that both parties behave as mandated by the protocol, except for the following
misbehaviour:
a client may fail to verify that the received DH parameters are good, as explained in
Section 5.1;
the server may reuse the same nonce nsin different sessions.
Client and server process macros are parametrised over their type (good or broken) and
misbehaving processes are executed in parallel with correct processes.
8 Automated Symbolic Verification of Telegram’s MTProto 2.0
Weak DH parameters are modelled as in [3]. The relevant declaration is as follows:
fun dhExp(Group,Elem,Exp) : Elem
reduc forall g:Group, e:Elem, x :Exp;dhExp(WeakDH, e, x) = BadElem
otherwise forall g:Group, e:Elem, x :Exp;dhExp(StrongDH,BadElem, x) = BadElem
otherwise forall g:Group, e:Elem, x :Exp;dhExp(StrongDH, e, x) = exp(e, x).
where
exp
() is governed by the standard equation
exp
(
exp
(
g, x
)
, y
) =
exp
(
exp
(
g, y
)
, x
). In this
way, we model a possibly bad choice of parameters by the server by letting the environment
(i.e., the attacker) choose them and inject them into the server via the public channel. In
other words, the server initially executes
in
(
c,
(
g, m
)), where
c
is the public channel,
g
is a
group generator, and
m
is a group. A weak calculation always returns the same element,
thus conservatively modeling subgroups of size 1. Each computation involving a weak group
(symbolized by the constant
WeakDH
) or a bad element (symbolized by the constant
BadElem
)
is reduced to the same bad value (
BadElem
). It is worth stressing that other equalities that
hold in groups are not modelled (that is difficult or impossible in ProVerif).
Finally, process macros are interleaved with event markers, which can be used to check
whether a certain point in a process is reachable (hence, whether a certain event has happened).
That allows us to specify some stringent correspondences (see Section 5.3). Events are also
used to signal when a secret leaks: for instance, registering and possibly compromising the
server’s private key is modelled by a process run in parallel with the clients and the server:
let RSAKeys() =
new k:PrivKey;insert RSAServerKeyTable(k, pk(k)); out (c, pk(k));
in(c, attack(=ATTACK)); event CompromisedRSAKey(k); out (c, k).
After registering a key pair (whose private details are inserted into a table owned by the
server) and publishing the public key, the private key may be compromised, in which case
the corresponding event is recorded. The choice is left to the environment (i.e., the intruder),
who can inject the term attack(ATTACK)to exfiltrate the key.
5.3 Security properties verification
Authentication.
The protocol for generating an authorization key does not prevent an
intruder to act as a man-in-the-middle (MITM) during a registration session between a
client
C
and a server
S
and impersonate
C
in subsequent exchanges with
S
. In other
words, the protocol does not guarantee the authentication of the client to the server. This is
formalized with the following query:
query nc:Nonce, ns:Nonce;
event(ServerAcceptsClient(nc, ns)) event(ClientRequestsDHParameters(nc, ns)),
for which ProVerif can find a counterexample. The query asserts that, if the server accepts a
client in a session identified by (nc, ns), then it was that client who started session (nc, ns).
Failing authentication should not adversely affect the outcome of a session (except that
C
must possibly restart the protocol in a new session). The only result the intruder could
achieve is a negotiation of an authorization key between the intruder and
S
, unrelated to
C
.
Vice versa, it is important that
C
knows with certainty that she has engaged with
S
and
M. Miculan, N. Vitacolonna 9
not with an attacker. Assuming that
C
possesses untampered server’s public keys
2
(i.e.,
the public keys that
C
has access to really belong to
S
), authentication of the server for the
client is proved by ProVerif. The relevant query is the following:
query sks:PrivKey, nc, ns, nk:Nonce, g, ga:Elem, G :Group;
event(ClientReceivesDHParameters(nc, ns, nk, g, G, ga))
event(ServerSendsDHParameters(nc, ns, nk, g, G, ga))
|| event(CompromisedRSAKey(sks)) |event(CompromisedNonce(nk)).
Unless the
S
’s private key
sks
is compromised before or during the session identified by (
nc, ns
)
or the secret nonce
nk
is leaked, if
C
accepts Diffie-Hellman parameters (
G, g, ga
)in ses-
sion (
nc, ns
)after sending
nk
then
C
is sure that it was the server who accepted
nk
and
sent (
G, g, ga
)in session (
nc, ns
). This holds even if the server reuses
ns
in different sessions,
because only
S
can decrypt
nk
and derive the proper temporary key with which DH paramet-
ers are transmitted. Note that, since authentication events are registered before
C
verifies
the values received from
S
, for authentication it does not matter whether the client checks
that DH parameters are strong or weak.
Secrecy and forward secrecy.
The authorization protocol provides secrecy for the messages
subsequently exchanged between the client and the server (in this context, we consider the
server a trusted party), which are encrypted using the shared authorization key. Namely,
ProVerif proves the following query:
query sks:PrivKey,auth_key:SharedKey, nk:Nonce;
attacker(m)event(CompromisedRSAKey(sks)) || event(CompromisedNonce(nk))
|| event(ChecksDHParameters()) || event(PostSessionCompromisedKey(auth_key)).
In words, under the assumptions of our model, the confidentiality of message
m
is guaranteed
unless:
1.
the server’s private key is compromised before or during the session that establishes the
shared authorization key, or
2. the secret nonce nkgenerated by the client is leaked during such session, or
3. the client fails to validate the DH parameters received from the server, or
4. the authorization key is compromised at any later time.
This result holds even if the server reuses the same nonce
ns
in multiple sessions with different
clients. Besides, the result is strict, in the sense that removing any event from the query
above leads to a counterexample. Since in our formalization the private key of the server
and the secret nonce
nk
are always leaked in a separate phase following the completion
of the authorization protocol (so that the impact of such leakage of information can be
formally assessed), we may also conclude that leaking the server’s key or the secret nonce
after a session has been completed does not violate the secrecy of subsequent client-server
communication. Note also that (4) means that there is no guarantee of forward secrecy for
messages encrypted with an authorization key: any previously intercepted message contains a
corresponding msg_key, which, together with the leaked authorization key, allows an attacker
to recover the encrypted payload.
2
In actual implementations, the public keys of the server are embedded in the application: it is possible
that a malicious client embeds a different key without the user to notice.
10 Automated Symbolic Verification of Telegram’s MTProto 2.0
After two clients have negotiated their authorization keys with a server, they may start
to exchange messages within so-called cloud-based chats. Every such message is encrypted by
the sender using the sender’s authorization key and forwarded to the server, who deciphers
it and re-encrypts it with the recipient’s authorization key. In this context, the server can
trivially read (and even modify) every message. The previous result shows that, under the
hypothesis that the server is trusted, communication can at least be kept confidential against
an external attacker. Cloud-based chats do not provide forward secrecy, though: if, at any
time, the authorization key of one of the clients is leaked then all the messages exchanged by
that client can be deciphered.
Integrity.
The last property we have tried to prove is a basic property of Diffie-Hellman,
i.e., key agreement, which can be expressed as follows:
query nc, ns:Nonce, k, k0:SharedKey;
event(C-AcceptsAuthKey(nc, ns, k) && event(S-AcceptsAuthKey(nc, ns, k0)) k=k0.
If client and server generate authorization keys
k
and
k0
during the same session identified
by (
nc, ns
), then they obtain the same key. Unfortunately, ProVerif could neither prove
nor disprove such query, even assuming that there are no leaks of private data. A manual
inspection of the trace output by ProVerif, however, did not reveal any potential attack. In
fact, we do believe that the query holds true.
6 Secret Chats
An end-to-end encrypted chat between two clients
A
and
B
can be established after negotiating
a session key through a Diffie-Hellman exchange using server
S
as a forwarder. Each message
exchanged between
A
and
B
is encrypted with such session key by the sender, then the
resulting ciphertext
c
is in turn encrypted with the sender’s long-term authorization key (see
Section 5) and sent to
S
. Both layers of encryption use the same encryption scheme, which
we treat symbolically as a cryptographic primitive. Upon receiving a message,
S
uses the
sender’s authorization key, uniquely determined based on the 64-bit key fingerprint included
in the message to decipher the encrypted payload and recover the ciphertext
c
, which is then
encrypted again with the receiver’s authorization key and forwarded to the receiver.
6.1 Informal Description
The protocol, in Fig. 3, is as follows:
1.
the initiator
A
obtains DH parameters (
g, p
)from
S
, generates a random session identi-
fier id and a half-key
ga
, and sends a request to start an encrypted chat with
B
including
id and gain the message;
2.
after
B
has accepted the request,
B
receives the DH parameters from
S
and computes
a half-key
gb
, the shared key
gab
and a 64-bit fingerprint
fp
(
gab
)of the key. The values
gb
and
fp
(
gab
)are then sent to
A
, who can compute
gab
as well. The fingerprint
fp
(
gab
)
is not cryptographically strong: its purpose is only to prevent certain bugs in software
implementations, especially during development.
This exchange is unauthenticated, so it is trivial for the server to act as a MITM and establish
two different keys with
A
and
B
, respectively. To detect such attacks, after the DH exchange
M. Miculan, N. Vitacolonna 11
Figure 3
A slightly simplified version of MTProto 2.0’s protocol for secret chats. All messages
are forwarded by
S
: each message between
X∈ {A, B}
and
S
is encrypted using
X
’s authorization
key (not shown in the figure). Note that gab ,kand iv are not known to S.
12 Automated Symbolic Verification of Telegram’s MTProto 2.0
is completed, the clients are required to compare their respective key fingerprints
3
using
a secure out-of-band channel. Under this assumption, the protocol should guarantee the
secrecy of the messages subsequently exchanged by
A
and
B
, which are encrypted using
gab
as the shared key. The clients are also supposed to perform suitable checks on the DH
parameters, as described in Section 5.
6.2 Formalisation in ProVerif
Each client involved in the secret chat protocol is modelled as a distinct process (an initiator
A
and a responder
B
), and communication happens via a common public channel. As the
server controls the DH configuration used by the clients to derive their shared key, if the
clients do not validate the obtained values then the server might be able to force both clients
to use an easily guessable key. For instance, if the server sends a subgroup generator equal
to 1and the clients do not perform any check, the derived session key will be 1and the
server will easily decrypt all the messages.
To model the out-of-band verification that users are asked to perform on a newly generated
session key, we use a separate secure channel
˜c
available only to
A
and
B
, through which
a private message
QR
(
A, k
)is sent by
A
and accepted by
B
through pattern matching
with
in
(
˜c, QR
(
=A, =k
)). We assume that clients behave as mandated by the protocol, except
for the following deviations:
a client may fail to verify the DH parameters, as in the authorization protocol (Section 5.2);
a client may skip the out-of-band validation of the shared key.
In this protocol, the server acts simply as a forwarder and it must be treated as an
adversary. Rather than modeling it explicitly as a distinct process, we include the server
in the attacker’s model by equipping the attacker with the same knowledge as the server
(essentially, all the authorization keys) and let the attacker implicitly perform the forwarding.
That allows the attacker to receive, manipulate, and resend the exchanged messages in the
same way as the server could do, or impersonate a client when the clients do not perform
the necessary checks on the received parameters or on the generated key.
6.3 Security properties verification
Secrecy.
The main requirement of an end-to-end encrypted chat is, obviously, secrecy:
messages exchanged by
A
and
B
must be known only to
A
and
B
. MTProto’s secret chats
guarantee secrecy conditional to the strong assumption that clients do validate their keys
through a separate private channel. Formally, the secrecy query, which ProVerif is able to
prove, can be formulated as follows:
query a:Principal;
attacker(m)event(ChecksDHConfig(a, )) || event(SkipsKeyCheck(a, >)).
In words, under the assumptions of our model, message
m
exchanged between two clients
is kept confidential unless one of the clients does not perform the mandatory checks of DH
parameters or ignores the “manual” authentication of the key via an external secure channel.
Note that confidentiality does not rely on the privacy of the authorization keys, i.e., the
above query is true even if the authorization keys of the parties involved are leaked before
3
These are different from
fp
(
gab
); in MTProto 2.0, they are 288-bit hashes that are typically displayed
both as hexadecimal strings and QR-codes, suitable for visual comparison, by Telegram clients.
M. Miculan, N. Vitacolonna 13
the secret chat protocol starts. Secrecy, however, relies in an essential way on a step that
requires active human interaction, at least in the currently available implementations.
Integrity and authentication.
The integrity of a message
m
exchanged by two clients during
a secret chat session is also preserved if the clients abide by the rules. The relevant query,
proved by Proverif, is as follows:
query id,id0:ChatID, A, B :Principal, k :SharedKey, m :Message;
inj-event(ReceivesMessage(id, A, B, m, k)) inj-event(SendsMessage(id0, A, B, m, k))
|| event(ChecksDHConfig(A, )) || event(ChecksDHConfig(B, ))
|| event(SkipsKeyCheck(A, k, >)) || event(SkipsKeyCheck(B, k, >)).
This means that, whenever client
B
receives a message
m
that appears to come from
A
and
is encrypted with the shared key
k
, a message
m
encrypted with
k
was indeed previously
sent by
A
and addressed to
B
, unless one of the clients behaves incorrectly by skipping some
essential checks. Note that we cannot prove that the message was sent in the same session in
which it is received, because the server might send
B
a chat id different from the one received
from
A
. This does not seem to pose security risks, though: it is rather a correctness issue
related to session management. Anyway, a similar result additionally requiring
id
=
id0
can
be proved if the clients also compare their respective id’s during the out-of-band confirmation
step, i.e., if QR(id, A, k)is sent instead of just QR(A, k).
7 Re-keying and Perfect Forward Secrecy
The key used in secret chats is replaced every 100 messages or every week (provided that at
least one message has been sent) using the protocol shown in Fig. 4. Old keys should be
destroyed and never reused.
The exchange uses the same DH parameters obtained when the secret chat was first
established (Section 6). The messages are transmitted through the secret channel already
in place between the clients, so the server, who acts as a forwarder, can observe only the
ciphertexts. As for other client-server communication, each message exchanged between a
client and the server is also encrypted using the corresponding authorization key.
7.1 Informal Description
This protocol is simpler to analyse than the previous ones, because it is essentially a run of
standard Diffie-Hellman through a secure channel. The claim that the channel is secure relies
on the assumptions and results of Section 6.3. Both clients possess the DH parameters (
g, p
)
from their initial run of the secret chat protocol. The new shared key is derived as follows
(see Fig. 4):
1.
Client
A
generates a random session id and a random
aZp
, computes a half-key
ga
and sends the pair (id, ga)to B.
2.
Client
B
generates a random
bZp
and computes its half-key
gb
and the new shared
key
gab
. The half-key and a fingerprint of the shared key (64 bits of the SHA1 of the key)
are sent to A.
3.
Client
A
computes
gab
, checks that the fingerprint of
gab
matches the received fingerprint,
and sends the fingerprint back to Bas an acknowledgment.
The previous key is no longer needed and can be deleted.
14 Automated Symbolic Verification of Telegram’s MTProto 2.0
Figure 4
The re-keying protocol. Exchanged messages are end-to-end encrypted using the current
secret key shared between Aand B.
7.2 Formalisation in ProVerif
The formalisation of the re-keying protocol is a textbook implementation of Diffie-Hellman
with minor variations. In particular, the computed fingerprints do not play any security role,
but are meant only as a sanity check for the implementations. The only important difference
is that all the messages exchanged during re-keying are end-to-end encrypted with the current
session key. As in secret chats, the server is untrusted and modelled as the attacker.
7.3 Security properties verification
Secrecy and forward secrecy.
With the guarantees provided by the analysis of the secret
chat protocol (Section 6), messages exchanged between
A
and
B
after re-rekeying is completed
are kept secret, even if the authorization keys of both parties are compromised before the
re-keying protocol is executed. This can be proved in ProVerif by running the re-keying
protocol without encrypting the messages with the authorization keys so that they are
accessible to the adversary (which models the untrusted server), then letting
A
and
B
exchange a message
m
encrypted with the new key, and finally verifying that the attacker
cannot obtain mby testing the following query:
query attacker(m).
A form of forward secrecy is provided by the periodic rotation of the keys. If a session key
is recovered by an attacker, it can be used to decrypt at most 100 messages or a week worth
of messages. While older messages cannot be deciphered, in some circumstances this might
still be considered an excessive amount of information to leak. Given the above, leaking an
authorization key at any time does not compromise the secrecy of any message.
M. Miculan, N. Vitacolonna 15
Integrity and authentication.
Each party can be confident that the messages received
from the other party are authentic if the secret chat protocol (Section 6) has been executed
correctly; in particular, if the clients have validated their first session key through a secure
channel. Under the perfect cryptography assumption of our model it is also guaranteed that
the messages cannot be tampered.
8 Conclusions
In this paper we have presented the formalisation of the MTProto 2.0 protocol suite in the
applied
π
-calculus, and its analysis using the cryptographic protocol verifier ProVerif. This
approach adopts the symbolic Dolev-Yao threat mode: an active intruder can intercept,
modify, forward, drop, replay or reflect any message. Within this model, we have provided a
fully automated proof of the soundness of MTProto 2.0’s protocols for first authentication,
normal chat, end-to-end encrypted chat, and re-keying mechanisms with respect to several
security properties, including authentication, integrity, confidentiality and perfect forward
secrecy. These properties are verified also in presence of malicious servers. Our formalization
covers also the behaviour of the users, when relevant; for instance, we have proved that if
the users do not check the fingerprints of their shared keys, a MITM attack is possible.
In the light of these results, we can affirm that MTProto 2.0 does not present any logical
flaw. Vulnerabilities can arise only from the cryptographic primitives, from implementation
flaws (e.g. insufficient checks), from side-channels exfiltration (such as timing or traffic
analysis), or from incorrect user behaviour. Hence, these are the aspects which deserve
further investigation and particular care in the implementation and use of this protocol.
The basic encryption primitive of MTProto 2.0 is assumed to be a perfect authenticated
encryption scheme (IND-CCA and INT-CTXT). Although no attack on this scheme is known
to date, these properties need to be formally proved in order to deem MTProto 2.0 definitely
secure. This proof cannot be done in a symbolic model like ProVerif’s, but it can be achieved
in a computational model, using tools like CryptoVerif or EasyCrypt [
5
,
2
], which we leave to
future work. However, even in the very unlikely case that a flaw is found in the encryption
scheme, the results in this paper would be still valid: the protocol could be used just by
replacing the encryption scheme, and no other changes would be required.
Concerning implementation flaws, our formalisation can be used as a reference for the
correct implementation of MTProto 2.0 clients (and servers). Tools like Spi2Java or FS2PV
can be useful to this end [
4
,
15
]. Also, particular attention must be paid to side-channel
attacks, such as on timing or traffic analysis. A potential issue concerning the correct
implementation of clients is about the fact that a server can craft malicious DH parameters,
e.g., choosing generators that make discrete logarithms significantly easier to compute [
13
]
or choosing non-primes that pass the 15-round Miller-Rabin test. To prevent the first attack,
MTProto prescribes that clients verify that the values received from the server are valid
(see Section 5.3). However, as far as we can see, MTProto 2.0 still suffers from the latter
vulnerability. A possible improvement is to require clients to check the proposed primes by
means of deterministic primality algorithms, such as AKS and Lenstra-Pomerance [1, 14].
Correct user behaviour is crucial in order to prevent MITM attacks in secret chats. As
we have seen, to this end users must check the fingerprint of their authorization keys through
an external safe channel (actually, this issue concerns not only MTProto 2.0 but any protocol
whose keys are defined by means of an insecure DH exchange—including the Signal protocol.)
However, it is plausible that in practice such checks are rarely performed, or are performed
through the very same (supposedly secure) chat. Hence, users seriously concerned about
privacy must be educated about the correct procedure to follow.
16 Automated Symbolic Verification of Telegram’s MTProto 2.0
References
1
Manindra Agrawal, Neeraj Kayal, and Nitin Saxena. Primes is in p. Annals of mathematics,
pages 781–793, 2004.
2
Gilles Barthe, François Dupressoir, Benjamin Grégoire, César Kunz, Benedikt Schmidt, and
Pierre-Yves Strub. Easycrypt: A tutorial. In Foundations of security analysis and design VII,
pages 146–166. Springer, 2013.
3
Karthikeyan Bhargavan, Bruno Blanchet, and Nadim Kobeissi. Verified models and reference
implementations for the TLS 1.3 standard candidate. In 2017 IEEE Symposium on Security
and Privacy (SP), pages 483–502. IEEE, 2017.
4
Karthikeyan Bhargavan, Cédric Fournet, and Andrew D Gordon. Modular verification of
security protocol code by typing. ACM Sigplan Notices, 45(1):445–456, 2010.
5
Bruno Blanchet. Cryptoverif: Computationally sound mechanized prover for cryptographic
protocols. In Dagstuhl seminar “Formal Protocol Verification Applied, volume 117, 2007.
6
Bruno Blanchet. Modeling and verifying security protocols with the Applied Pi Calculus and
ProVerif. Foundations and Trends®in Privacy and Security, 1(1–2):1–135, 2016.
7
Carl Campbell. Design and specification of cryptographic capabilities. IEEE Communications
Society Magazine, 16(6):15–19, 1978.
8
Katriel Cohn-Gordon, Cas Cremers, Benjamin Dowling, Luke Garratt, and Douglas Stebila. A
formal security analysis of the Signal messaging protocol. In 2017 IEEE European Symposium
on Security and Privacy (EuroS&P), pages 451–466. IEEE, 2017.
9
Danny Dolev and Andrew Yao. On the security of public key protocols. IEEE Transactions
on Information Theory, 29(2):198–208, 1983.
10
Tilman Frosch, Christian Mainka, Christoph Bader, Florian Bergsma, Jörg Schwenk, and
Thorsten Holz. How secure is textsecure? In 2016 IEEE European Symposium on Security
and Privacy (EuroS&P), pages 457–472. IEEE, 2016.
11
Jakob Jakobsen and Claudio Orlandi. On the CCA (in)security of MTProto. In Proceedings of
the 6th Workshop on Security and Privacy in Smartphones and Mobile Devices, pages 113–116,
2016.
12
Jakob Bjerre Jakobsen. A practical cryptanalysis of the Telegram messaging protocol. Master’s
thesis, Aarhus University, September 2015.
13
Nadim Kobeissi, Karthikeyan Bhargavan, and Bruno Blanchet. Automated verification for
secure messaging protocols and their implementations: A symbolic and computational approach.
In 2017 IEEE European Symposium on Security and Privacy (EuroS&P), pages 435–450. 2017.
14
Hendrik W Lenstra Jr and Carl B Pomerance. Primality testing with gaussian periods. Journal
of the European Mathematical Society, 21(4):1229–1269, 2019.
15
Davide Pozza, Riccardo Sisto, and Luca Durante. Spi2java: Automatic cryptographic pro-
tocol java code generation from spi calculus. In 18th International Conference on Advanced
Information Networking and Applications, 2004, volume 1, pages 400–405. IEEE, 2004.
16
Alex Rad and Juliano Rizzo. A 2
64
attack on Telegram, and why a super villain doesn’t need
it to read your telegram chats. (last accessed on April 9, 2020), 2015.
17
Paul Rösler, Christian Mainka, and Jörg Schwenk. More is less: on the end-to-end security
of group chats in Signal, Whatsapp, and Threema. In 2018 IEEE European Symposium on
Security and Privacy (EuroS&P), pages 415–429. IEEE, 2018.
18
Tomáš Sušánka and Josef Kokeš. Security analysis of the Telegram IM. In Proceedings of the
1st Reversing and Offensive-Oriented Trends Symposium (ROOTS 2017), pages 1–8, 2017.
19
Telegram. MTProto mobile protocol.
https://core.telegram.org/mtproto/
(last accessed
on May 3rd, 2020), 2020.
20 Telegram. Telegram FAQ. https://telegram.org/faq (last accessed on April 9th, 2020).
ResearchGate has not been able to resolve any citations for this publication.
Article
We exhibit a deterministic algorithm that, for some effectively computable real number c, decides whether a given integer n > 1 is prime within time (log n) ⁶ · (2 + log log n) c . The same result, with 21/2 in place of 6, was proved by Agrawal, Kayal, and Saxena. Our algorithm follows the same pattern as theirs, performing computations in an auxiliary ring extension of Z/nZ. We allow our rings to be generated by Gaussian periods rather than by roots of unity, which leaves us greater freedom in the selection of the auxiliary parameters and enables us to obtain a better run time estimate. The proof depends on results in analytic number theory and on the following theorem from additive number theory, which was provided by D. Bleichenbacher: if t is a real number with 0 < t ≤ 1, and S is an open subset of the interval (0, t) with RS dx/x > t, then each real number greater than or equal to 1 is in the additive semigroup generated by S. A byproduct of our main result is an improved algorithm for constructing finite fields of given characteristic and approximately given degree.
Conference Paper
Telegram is a popular instant messaging service, a self-described fast and secure solution. It introduces its own home-made cryptographic protocol MTProto instead of using already known solutions, which was criticised by a significant part of the cryptographic community [2, 8]. In this article we will briefly introduce the protocol to provide context to the reader and then present two major findings we discovered as part of our security analysis performed in late 2016. First, the undocumented obfuscation method Telegram uses, and second, a replay attack vulnerability we discovered. The analysis was mainly focused on the MTProto protocol and the Telegram's official client for Android.
Conference Paper
Telegram is a popular messaging app which supports end-to-end encrypted communication. In Spring 2015 we performed an audit of Telegram's Android source code. This short paper summarizes our findings. Our main discovery is that the symmetric encryption scheme used in Telegram -- known as MTProto -- is not IND-CCA secure, since it is possible to turn any ciphertext into a different ciphertext that decrypts to the same message. We stress that this is a theoretical attack on the definition of security and we do not see any way of turning the attack into a full plaintext-recovery attack. At the same time, we see no reason why one should use a less secure encryption scheme when more secure (and at least as efficient) solutions exist. The take-home message (once again) is that well-studied, provably secure encryption schemes that achieve strong definitions of security (e.g., authenticated-encryption) are to be preferred to home-brewed encryption schemes.
Article
Cryptography plays a key role in the security of modern communication and computer infrastructures; therefore, it is of paramount importance to design cryptographic systems that yield strong security guarantees. To achieve this goal, cryptographic systems are supported by security proofs that establish an upper bound for the probability that a resource-constrained adversary is able to break the cryptographic system. In most cases, security proofs are reductionist, i.e. they construct from an (arbitrary but computationally bounded) adversary that would break the security of the cryptographic construction with some reasonable probability another computationally bounded adversary that would break a hardness assumption with reasonable probability. This approach, known as provable security, is in principle able to deliver rigorous and detailed mathematical proofs. However, new cryptographic designs (and consequently their security analyses) are increasingly complex, and there is a growing emphasis on shifting from algorithmic descriptions to implementation-level descriptions that account for implementation details, recommendations from standards when they exist, and possibly side-channels. As a consequence, cryptographic proofs are becoming increasingly error-prone and difficult to check. One promising solution to address these concerns is to develop machine-checked frameworks that support the construction and automated verification of cryptographic systems. Although many such frameworks exist for the symbolic model of cryptography, comparatively little work has been done to develop machine-checked frameworks to reason directly in the computational model commonly used by cryptographers