Telegram Algorithm: Quick analysis (MTProto)

echelon

See my products
Seller
Language
🇺🇸
Joined
Jul 26, 2024
Messages
13
Reaction score
10
Points
3
Deals
3
Telegram Messenger is a cross-platform encrypted instant messaging application, available in a freemium model and hosted in a cloud. Based in Dubai, Telegram has more than 900 million users.

But.. Is that enough?

Sure, 75% of them are satisfied with their services but that is not argumentative.

I will explain to you how it works.

Before inquiring about the security of a platform, do not ask them themselves because they will do everything to rationalize you and ensure the "best".

Telegram uses their own encryption protocol called "MTProto", MTProto uses the AES (Advanced Encryption Standard) algorithm for symmetric encryption.

To ensure data integrity -> MTProto uses the SHA-256 hashing algorithm. This algorithm produces a 256-bit digest of the message, which makes it possible to check if the data has been modified.

For secure key exchange -> MTProto uses RSA (Rivest-Shamir-Adleman). RSA is an asymmetric encryption algorithm that uses a pair of keys (public and private) to secure the exchange of symmetric keys between the parties.

Communication Security Protocols -> MTProto also integrates protection mechanisms against common attacks, such as replay attacks or man-in-the-middle attacks. This includes the use of temporary keys and key generation protocols.

If we now look at these encryption techniques we can see that multiple vulnerabilities have been found in the archived past and in the present:

-> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45312

Here is a slightly more detailed source: https://cve.netmanageit.com/cve/CVE-2023-45312

-> Published : 2023-10-10 21:15

As the vulnerability code indicates this specific vulnerability is recent.

-> CWE-94
This CWE code means "Improper Control of Generation of Code ('Code Injection')"
And this is part of a severe level vulnerability.

Telegram makes multiple updates to its protocol but this is not enough because what is encrypted is decryptable and there will always be a vulnerability.

I'll stop there because otherwise I would have to write several paragraphs about the telegram encryption algorithm.

If you want to use a better encrypted messaging for anything else, use keybase or if you absolutely want to use telegram, encrypt your content yourself.
 

miner21

Don't buy from me
Resident
Language
🇺🇸
Joined
Sep 15, 2023
Messages
542
Reaction score
254
Points
63
Thanks for the write up. If you are going to use telegram, would encrypting messages with sensitive information yourself on a third app help? Telegram has kind of always given me a bad vibe
 

echelon

See my products
Seller
Language
🇺🇸
Joined
Jul 26, 2024
Messages
13
Reaction score
10
Points
3
Deals
3
Sure, you can very well use telegram encrypting your imports of yourself such as images, videos, etc..

Decrypting messages is not actually a problem except if they are very sensitive messages that could cause you problems, in this case I advise you to use an XOR encryptor or if you really want no one to access then encrypt in AES-256 or XChaCha20 (preferable)
 

echelon

See my products
Seller
Language
🇺🇸
Joined
Jul 26, 2024
Messages
13
Reaction score
10
Points
3
Deals
3
XChaCha20 is preferable for the speed, but the best is AES-256 if you want strong encryption but it will take more time.
 

hermano

Don't buy from me
Resident
Language
🇷🇺
Joined
Jun 18, 2023
Messages
52
Reaction score
50
Points
18
Telegram isnt safe
use something like appetize.io for registration of telegram accounts on 3-rd party phone number from sms activate services.
then run and operate it on emulators that can be optimizet on differents OS's
 
View previous replies…

hermano

Don't buy from me
Resident
Language
🇷🇺
Joined
Jun 18, 2023
Messages
52
Reaction score
50
Points
18
Also warm it up, make it seems like youre real user, or your account will be blocked shortly
 

hermano

Don't buy from me
Resident
Language
🇷🇺
Joined
Jun 18, 2023
Messages
52
Reaction score
50
Points
18
And use European e-sim or physical sim for it, they are better
 

echelon

See my products
Seller
Language
🇺🇸
Joined
Jul 26, 2024
Messages
13
Reaction score
10
Points
3
Deals
3
To correct, an e-sim can contain your information.
Even worse, a physical SIM... Even if it's temporary.
This is not ideal if you are wanted for a serious situation.
Instead, use a phone service to start with, such as onoff for example.
 

echelon

See my products
Seller
Language
🇺🇸
Joined
Jul 26, 2024
Messages
13
Reaction score
10
Points
3
Deals
3
You don't have to complicate things by using an emulator, just be safe.
 

KurtV989

Don't buy from me
Resident
Language
🇺🇸
Joined
May 13, 2024
Messages
126
Reaction score
102
Points
43
Thanks so much for the write-up I was looking for exactly this type of info. Was getting ready to start cold messaging legit Sellers I've been following for months on Tele asking them to come over to our Market. I have the message ready to go but am wary of sending for obvious reasons.
How can I go about encrypting in a way that is safe and simple enough for them to access?
 

echelon

See my products
Seller
Language
🇺🇸
Joined
Jul 26, 2024
Messages
13
Reaction score
10
Points
3
Deals
3
Hi, you don’t need to encrypt the message because they probably won’t want to decrypt it just for an ad.

Usefulness of encryption = preventing access to confidential data.
This may be confidential data that is harmful to your anonymity.

If it’s for an ad, then there’s no problem, an OpenVPN configuration should suffice to cover your IP on a computer.

However, if it’s for something riskier, consider using multiple layers of security.

If you consider your message confidential then encrypt it with the recipient PGP public key.
 

KurtV989

Don't buy from me
Resident
Language
🇺🇸
Joined
May 13, 2024
Messages
126
Reaction score
102
Points
43
Appreciate your prompt reply sir, I'll give it a re-read just to double check before sending, thanks again
 

miner21

Don't buy from me
Resident
Language
🇺🇸
Joined
Sep 15, 2023
Messages
542
Reaction score
254
Points
63
You could encrypt a message in a 3rd app like GNU Privacy assistant then paste the message into telegram I guess. You guys will have to exchange public keys and such to read each others messages
 
Top