“They came up with something totally new, and a little weird, and mysterious,” the Johns Hopkins University professor Matthew Green said. “It’s like coming up and finding a submarine where the doors are made out of Saran Wrap. I guess if you use enough Saran Wrap you could build a pretty secure submarine; it doesn’t mean that it’s going to sink. But it does mean it’s not something I would want to trust with my life.”

The more novel an approach to encryption is, the less time researchers have had to spot vulnerabilities; older algorithms wear the scars of past decryption attempts like armor. They do so because they know who they’re up against. A finite number of men and women are trying to guard sprawling mathematical terrain against the predation of nation-states.

While the application claims on its website that MTProto helps “achieve reliability on weak mobile connections as well as speed when dealing with large files,” Jakobsen was skeptical that the security tradeoff made any sense. “There should be lots of provably secure approaches that work just as nicely on a smartphone,” he said in a phone interview.

Setting aside Telegram’s own speed and reliability explanation, then, none of the experts I spoke to could guess why the organization chose MTProto instead of an established protocol. “Attacks only get better.”

That debate over Telegram highlights just how differently security researchers and law-enforcement officials view the cryptographic balance of power.

“A postal worker can write ‘Haha’ (using invisible ink!

As the rules of the IND-CCA game highlight, cryptographers often test their protocols against what they assume will be a nearly omnipotent adversary, one with what amounts to a Magic 8-Ball. In MTProto, it turns out that an attacker could fiddle with the encrypted message to create a new version, one that would look different on its face but that would still decrypt to the same underlying text. Under the somewhat literal-minded rules of the IND-CCA game, the adversary could then feed this doctored message to its handy oracle, since it isn’t technically the encrypted text that it was originally challenged to identify.
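To make the oracle rule and the doctored-message trick concrete, here is an added example written for this page in Python; it is not Telegram’s code and the toy cipher is not MTProto. A stream cipher whose decryption silently ignores random trailing padding stands in for the malleability described above; the class and function names, the padding layout and the two sample messages are all constructed for illustration. The adversary flips one bit in the padding region, which yields a ciphertext that is no longer the challenge text, hands it to the decryption oracle, and reads off which message was encrypted. The same adversary is then run against a version of the cipher with an encrypt-then-MAC tag, which rejects every doctored ciphertext.

```python
# Toy IND-CCA game (constructed illustration; not MTProto, not a real cipher).
import hashlib
import hmac
import secrets

BLOCK = 16        # padding granularity, an assumed layout chosen for the toy
NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode as a toy keystream (fine for the game, not for real use)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class UnauthenticatedScheme:
    """Encrypts (length || message || random padding); the padding is never checked."""

    @staticmethod
    def keygen() -> bytes:
        return secrets.token_bytes(32)

    @staticmethod
    def encrypt(key: bytes, m: bytes) -> bytes:
        nonce = secrets.token_bytes(NONCE_LEN)
        pad_len = BLOCK - (len(m) % BLOCK)            # 1..16, so there is always padding
        body = len(m).to_bytes(2, "big") + m + secrets.token_bytes(pad_len)
        return nonce + _xor(body, _keystream(key, nonce, len(body)))

    @staticmethod
    def decrypt(key: bytes, ct: bytes):
        nonce, enc = ct[:NONCE_LEN], ct[NONCE_LEN:]
        body = _xor(enc, _keystream(key, nonce, len(enc)))
        n = int.from_bytes(body[:2], "big")
        return body[2:2 + n]                          # padding bytes are silently ignored


class AuthenticatedScheme:
    """Same cipher plus an HMAC-SHA256 tag over nonce and ciphertext (encrypt-then-MAC)."""

    @staticmethod
    def keygen() -> bytes:
        return secrets.token_bytes(64)                # enc key || mac key

    @staticmethod
    def encrypt(key: bytes, m: bytes) -> bytes:
        core = UnauthenticatedScheme.encrypt(key[:32], m)
        return core + hmac.new(key[32:], core, hashlib.sha256).digest()

    @staticmethod
    def decrypt(key: bytes, ct: bytes):
        core, tag = ct[:-TAG_LEN], ct[-TAG_LEN:]
        if not hmac.compare_digest(tag, hmac.new(key[32:], core, hashlib.sha256).digest()):
            return None                               # tampered ciphertext: refuse to decrypt
        return UnauthenticatedScheme.decrypt(key[:32], core)


class Challenger:
    """Picks a bit, encrypts one of two messages, and answers decryption queries
    for every ciphertext except the challenge itself."""

    def __init__(self, scheme):
        self.scheme, self.key = scheme, scheme.keygen()
        self.bit = self.challenge_ct = None

    def challenge(self, m0: bytes, m1: bytes) -> bytes:
        assert len(m0) == len(m1), "the game requires equal-length messages"
        self.bit = secrets.randbelow(2)
        self.challenge_ct = self.scheme.encrypt(self.key, (m0, m1)[self.bit])
        return self.challenge_ct

    def decrypt_oracle(self, ct: bytes):
        if ct == self.challenge_ct:
            return None                               # the one query the rules forbid
        return self.scheme.decrypt(self.key, ct)


def malleability_attack(challenger: Challenger, m0: bytes, m1: bytes):
    """Flip one bit in the last ciphertext byte, then ask the oracle about the result.
    Returns the guessed bit, or None if the oracle refused to decrypt."""
    ct = challenger.challenge(m0, m1)
    doctored = ct[:-1] + bytes([ct[-1] ^ 0x01])       # differs from the challenge, so allowed
    pt = challenger.decrypt_oracle(doctored)
    return None if pt is None else (0 if pt == m0 else 1)


def roundtrip(scheme, m: bytes) -> bool:
    key = scheme.keygen()
    return scheme.decrypt(key, scheme.encrypt(key, m)) == m


def run_game(scheme, trials: int = 50):
    """Play the game `trials` times; return (adversary wins, oracle rejections)."""
    m0, m1 = b"attack at dawn!!", b"retreat at noon!"   # constructed, equal length
    wins = rejected = 0
    for _ in range(trials):
        c = Challenger(scheme)
        guess = malleability_attack(c, m0, m1)
        if guess is None:
            rejected += 1
        elif guess == c.bit:
            wins += 1
    return wins, rejected


if __name__ == "__main__":
    print("unauthenticated:", run_game(UnauthenticatedScheme))   # wins every time
    print("authenticated:  ", run_game(AuthenticatedScheme))      # every doctored query rejected
```

The point the game makes is that “different ciphertext” is all the rules ask for: a scheme that lets an attacker change bytes the receiver never checks hands the adversary a free oracle query, which is why a proof of IND-CCA security needs integrity protection over the whole ciphertext, not just confidentiality of the message.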