
Is it cryptographically broken or not? Can I read the plaintext of the traffic I capture?



https://tonyarcieri.com/all-the-crypto-code-youve-ever-writt...

The word "broken" means susceptible to practical attack, and attacks aren't always of the "cryptanalyze the ciphertext and read the plaintext because you're a clever mathematician" variety.

For example: Padding Oracle Attacks. This is the most accessible explanation on-hand: https://twitter.com/SoatokDhole/status/720435675401744385

A padding oracle attack lets you decrypt a message by studying how the cryptosystem responds to garbage input. Without recovering the key.

iMessage had a compression oracle attack recently: http://blog.cryptographyengineering.com/2016/03/attack-of-we...

They didn't merely "read the plain text of the traffic [they] capture[d]". But these systems were still, quite badly, broken.

So what's my point? Telegram's protocol is susceptible to the same class of active attack. Thus, it is broken.
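
The padding oracle attack described in the comment above, as an added example that is not part of the original thread and not from any project it names. It is written against a constructed toy block cipher (a SHA-256-based Feistel network standing in for AES, so it runs with only the standard library) in CBC mode with PKCS#7 padding, plus a server-side check that leaks one bit: whether the padding was valid. The attacker function never sees the key and only asks that yes/no question, yet recovers the whole plaintext. All names (`block_encrypt`, `padding_oracle`, `padding_oracle_attack`, `recover_with_oracle`) are this example's own:

```python
import hashlib
import os

BLOCK = 16

# Constructed stand-in for a block cipher: a 4-round Feistel network whose round
# function is SHA-256 keyed with the secret key. It is a toy, not a secure cipher,
# and is here only so the example runs without third-party libraries. The attack
# below never looks inside it: it needs only the padding oracle.
def _round(key: bytes, i: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([i]) + half).digest()[:BLOCK // 2]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def block_encrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in range(4):
        left, right = right, _xor(left, _round(key, i, right))
    return left + right

def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in reversed(range(4)):
        left, right = _xor(right, _round(key, i, left)), left
    return left + right

# PKCS#7 padding: the last byte says how many pad bytes there are.
def pad(msg: bytes) -> bytes:
    n = BLOCK - len(msg) % BLOCK
    return msg + bytes([n]) * n

def unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key: bytes, iv: bytes, msg: bytes) -> bytes:
    out, prev = b"", iv
    data = pad(msg)
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out += prev
    return iv + out  # IV is sent in the clear, as is usual for CBC

def cbc_decrypt(key: bytes, ct: bytes) -> bytes:
    iv, body = ct[:BLOCK], ct[BLOCK:]
    out, prev = b"", iv
    for i in range(0, len(body), BLOCK):
        out += _xor(block_decrypt(key, body[i:i + BLOCK]), prev)
        prev = body[i:i + BLOCK]
    return unpad(out)

def padding_oracle(key: bytes, ct: bytes) -> bool:
    # The leak: the receiver reveals only whether the padding was valid
    # (a distinct error, a timing difference, a different HTTP status...).
    try:
        cbc_decrypt(key, ct)
        return True
    except ValueError:
        return False

def padding_oracle_attack(oracle, ct: bytes) -> bytes:
    # Recover the plaintext of a CBC ciphertext using only the yes/no oracle.
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    recovered = b""
    for prev, cur in zip(blocks, blocks[1:]):
        inter = bytearray(BLOCK)  # block_decrypt(key, cur), learned byte by byte
        for j in range(BLOCK - 1, -1, -1):
            p = BLOCK - j  # the padding value we force onto the tail
            crafted = bytearray(BLOCK)
            for k in range(j + 1, BLOCK):
                crafted[k] = inter[k] ^ p  # already-known tail bytes decrypt to p
            for guess in range(256):
                crafted[j] = guess
                if not oracle(bytes(crafted) + cur):
                    continue
                if j == BLOCK - 1:
                    # Edge case: a tail of 0x02 0x02 (or longer) also validates.
                    # Flipping the neighbour breaks those but not a true 0x01.
                    crafted[j - 1] ^= 0xFF
                    still_valid = oracle(bytes(crafted) + cur)
                    crafted[j - 1] ^= 0xFF
                    if not still_valid:
                        continue
                inter[j] = guess ^ p  # plaintext byte == p, so inter == crafted ^ p
                break
            else:
                raise RuntimeError("oracle accepted no guess; not a padding oracle?")
        recovered += _xor(bytes(inter), prev)  # P_i = D(C_i) xor C_(i-1)
    return unpad(recovered)

def recover_with_oracle(secret: bytes) -> bytes:
    # Encrypt under a key the attacker never sees, then recover it via the oracle.
    key, iv = os.urandom(32), os.urandom(BLOCK)
    ct = cbc_encrypt(key, iv, secret)
    return padding_oracle_attack(lambda c: padding_oracle(key, c), ct)
```

Calling `recover_with_oracle(b"attack at dawn")` returns `b"attack at dawn"` after at most 256 oracle queries per plaintext byte, and the key never appears on the attacker's side of the call. The fix is the one the later comment alludes to: authenticate the ciphertext (an AEAD such as AES-GCM, or encrypt-then-MAC) so that a tampered message is rejected before padding is ever examined, and the oracle disappears.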


To add, Telegram's crypto is completely and totally off-the-wall crazy in terms of design. Add to that the fact that there are cryptographic breaks (though not "we can read your ciphertext" breaks), and you should be careful.

iMessage would have been reasonably secure had they used AES-GCM or a MAC. The design at least made sense: compose a scheme out of known primitives. They just missed (very important) details. Telegram is just turtles all the way down.



