Markus Ra
![Mtproto Telegram Mtproto Telegram](https://www.tecmint.com/wp-content/uploads/2015/03/Telegram-Mobile-Interface.png)
![Telegram proxy Telegram proxy](https://image.winudf.com/v2/image1/aXIuZGlhbW9uZGFwcHMudGVsZXZwbl9zY3JlZW5fMl8xNTY3MjgzMTk1XzA5NA/screen-2.jpg?fakeurl=1&type=.jpg)
- Oct 03, 2019 mtproto-proxy calls setuid to drop privilegies. 443 is the port, used by clients to connect to the proxy. 8888 is the local port. You can use it to get statistics from mtproto-proxy. Like wget localhost:8888/stats. You can only get this stat via loopback. Is the secret generated at step 3.
- Payload: MTProto payload; crc: 4 CRC32 bytes computed using length, sequence number, and payload together. Transport features. Additionally, the following transport features can be used: Quick ack. These MTProto transport protocols have support for quick acknowledgment.
FAST MTPROTO PROXIES FOR TELEGRAM Desktop v1.2.18+ macOS v3.8.3+ Android v4.8.8+ X Android v0.20.10.931+ iOS v4.8.2+ Send proxy: ارسال. # MadelineProto, a PHP MTProto telegram client Created by Daniil Gentili. Do join the official channel, @MadelineProto and the support groups! Now with Telegram TON blockchain integration! Approved by Telegram! This library can be used to easily interact with Telegram without the bot API, just like the official apps.
Some users asked me about a post on medium that claimed Telegram was not secure to use. The author cited this as the reason:
In 2015, a security researcher published a paper revealing several major exploits in MTProto and concluded that Telegram shouldn’t have tried to roll their own encryption.
This statement is simply false. No known ways of undermining MTProto encryption exist today.
Jakob Jakobsen's thesis (it was a university project) indeed used unacademically strong language that could confuse non-specialists into thinking that he was on to something serious, but he didn't discover any 'major exploits' at all.
In fact, his only actual finding was summed up by him and his teacher in a much more cautious article [1] and has to do with a property called IND-CCA. The deviation from this property in MTProto is purely technical and doesn't allow for any wrongdoing.
To put the case into familiar terms:
A postal worker can write ‘Haha’ (using invisible ink!) on the outside of a sealed package that he delivers to you. It doesn‘t stop the package from being delivered, it doesn’t allow them to change the contents of the package, and it doesn't allow them to see what was inside.
This analogy was confirmed by Jakob Jakobsen as correct. [2]
So, far from being a 'major exploit', his 'attack' is rather like saying 'Boo!' to a passing train. Yes, you did it. But it didn't change anything, nobody heard you, and you got nothing in return.
For a detailed explanation of how the attack works and why it is harmless, please see Telegram's Technical FAQ.
Note: MTProto 2.0 satisfies the IND-CCA criteria.
What else was in that paper?
Jakobsen's thesis also mentioned a list of 'known attacks' that may look scary to a non-specialist but are irrelevant for Telegram.
What he dubbed the 'Malicious server MiTM attack' is the only prominent one among them, even though it's part of Telegram’s ancient history. This theoretical possibility was discovered and fixed on the second day of Telegram's first crypto contest in December 2013. A bounty of 100,000 USD was paid to the person who pointed it out. This remains the only noteworthy flaw to have been discovered in Telegram’s protocol. You can read more about it on the Telegram blog: Crowdsourcing a more secure future.
Aside from this, the author also mentions:
- Replay and mirroring attacks which areconfirmed by Jakobsen to be negated by Telegram's sequence number checks.
- A 'Naive third-party MiTM attack' which is common for any end-to-end encrypted messaging system and is exactly the reason why every app, including Telegram, offers a way of verifying the encryption keys.
- And an 'Undetected third-party MiTM attack' that was prohibitively expensive even at the time of writing and is completely impossible now.
Jakobsen also criticized Telegram's use of SHA-1 based on the fact that it 'enabled' his IND-CCA 'Boo' attack on the passing train we've already discussed and the impossible third-party MiTM attack.
And that was it.
So is MTProto secure?
Yes, no known ways of undermining MTProto encryption exist today. Telegram is continuously working with its worldwide community of developers and security specialists to keep it this way.
Telegram's protocol specification is open. The app code is also open. Together with the docs, this allows researchers to fully evaluate the end-to-end encryption implementation. Telegram offers bug bounties and periodical contests to attract attention and scrutiny to its security. Any comments on the security of Telegram's apps and protocol are welcome here: [email protected]
Mtproto Telegram Channel
Notes
Pinboard for pinterest 1 4 3. [1] – 'We stress that this is a theoretical attack on the definition of security and we do not see any way of turning the attack into a full plaintext-recovery attack.'Jakobsen, Orlandi
[2] – 'Jakobsen acknowledged that this was a fair analogy for the flaw he and Orlandi found.'The Atlantic
Here's a list of MTProto transport protocols (see the ISO/OSI recap for a full explanation):
The server recognizes these different protocols (and distinguishes them from HTTP, too) by the header.Additionally, the following transport features can be used:
Example implementations for these protocols can be seen in tdlib and MadelineProto.
Abridged
The lightest protocol available.
- Overhead: Very small
- Minimum envelope length: 1 byte
- Maximum envelope length: 4 bytes
Payload structure:
Before sending anything into the underlying socket (see transports), the client must first send
Then, payloads are wrapped in the following envelope:
0xef
as the first byte (the server will not send 0xef
as the first byte in the first reply).Then, payloads are wrapped in the following envelope:
- Length: payload length, divided by four, and encoded as a single byte, only if the resulting packet length is a value between
0x01.0x7e
. - Payload: the MTProto payload
If the packet length divided by four is bigger than or equal to 127 (>=
0x7f
), the following envelope must be used, instead:- Header: A single byte of value
0x7f
- Length: payload length, divided by four, and encoded as 3 length bytes (little endian)
- Payload: the MTProto payload
Intermediate
In case 4-byte data alignment is needed, an intermediate version of the original protocol may be used.
- Overhead: small
- Minimum envelope length: 4 bytes
- Maximum envelope length: 4 bytes
Payload structure:
Before sending anything into the underlying socket (see transports), the client must first send
Then, payloads are wrapped in the following envelope:
0xeeeeeeee
as the first int (four bytes, the server will not send 0xeeeeeeee
as the first int in the first reply).Then, payloads are wrapped in the following envelope:
- Length: payload length encoded as 4 length bytes (little endian)
- Payload: the MTProto payload
![Mtproto Telegram Mtproto Telegram](https://www.tecmint.com/wp-content/uploads/2015/03/Telegram-Mobile-Interface.png)
Padded intermediate
Padded version of the intermediate protocol, to use with obfuscation enabled to bypass ISP blocks.
- Overhead: small-medium
- Minimum envelope length: random
- Maximum envelope length: random
Before sending anything into the underlying socket (see transports), the client must first send
Then, payloads are wrapped in the following envelope:
0xdddddddd
as the first int (four bytes, the server will not send 0xdddddddd
as the first int in the first reply).Then, payloads are wrapped in the following envelope:
Envelope description:
- Total length: payload+padding length encoded as 4 length bytes (little endian)
- Payload: the MTProto payload
- Padding: A random padding string of length
0-15
Full
The basic MTProto transport protocol
- Overhead: medium
- Minimum envelope length: 12 bytes (length+seqno+crc)
- Maximum envelope length: 12 bytes (length+seqno+crc)
Payload structure:
Envelope description:
- Length: length+seqno+payload+crc length encoded as 4 length bytes (little endian, the length of the length field must be included, too)
- Seqno: the TCP sequence number for this TCP connection (different from the MTProto sequence number): the first packet sent is numbered 0, the next one 1, etc.
- payload: MTProto payload
- crc: 4 CRC32 bytes computed using length, sequence number, and payload together.
Transport features
Additionally, the following transport features can be used:
Quick ack
These MTProto transport protocols have support for quick acknowledgment.In this case, the client sets the highest-order length bit in the query packet, and the server responds with a special 4 bytes as a separate packet. They are the 32 higher-order bits of SHA256 of the encrypted portion of the packet prepended by 32 bytes from the authorization key (the same hash as computed for verifying the message key), with the most significant bit set to make clear that this is not the length of a regular server response packet; if the abridged version is used, bswap is applied to these four bytes.
Transport errors
In the event of a transport error (missing auth key, transport flood, etc.), the server may send a packet with a signed little-endian number of 4 bytes, whose absolute value contains the error code (the error itself is actually negative).
For example, error Code 403 corresponds to situations where the corresponding HTTP error would have been returned by the HTTP protocol.
Error 404 (auth key not found) is returned when the specified auth key ID cannot be found by the DC.
Error 429 (transport flood) is returned when too many transport connections are established to the same IP in a too short lapse of time, or if any of the container/service message limits are reached.
Transport obfuscation
Transport obfuscation is required to use the websocket transports.
Transport obfuscation to prevent ISP blocks is implemented using the following protocol, situated under the MTProto transport in the ISO/OSI stack, see the recap; this means that the payload is first wrapped in the MTProto transport envelope (all transports are supported), and then obfuscated:
Prior to establishing the connection (and eventually sending the protocol header of a specific MTProto transport), a 64-byte (512-bit) random initialization payload is generated.During the generation process, special care must be taken in order to avoid a situation where that the first int (first four bytes) of the random string are equal to one of the known protocol identifiers (see above).
In particular, the first four bytes must not be equal to
The first byte must also not be equal to
In particular, the first four bytes must not be equal to
0xdddddddd
(padded intermediate), 0xeeeeeeee
(intermediate), POST
, GET
, HEAD
, or any of the HTTP methods that are accepted by the MTProto servers.The first byte must also not be equal to
0xef
(abridged).Bytes 4-8
must also not be equal to 0x00000000
, since that would indicate use of the full transport with the initial TCP sequence number (0). Navicat premium 15 0 11 percent.The protocol identifier, if present, must be inserted in the initialization payload at byte offset
56
: if its length is less than 4, it must be padded using the protocol identifier itself, to make its length 4 (0xef
=> 0xefefefef
): the standalone protocol identifier must be not be sent aftwerwards.This protocol is also (but not exclusively) used when connecting to MTProxies: only in this case, the DC ID in a specially encoded form must also be inserted in the initialization payload at offset
60
.The encoding simply consist of the DC ID in two-byte signed little-endian form; 10000
has to be added to the DC ID to connect to the test servers; it has to be made negative if the DC we're connecting to is a media (not CDN) DC. Next, a secondary initialization payload is generated by reversing the primary intialization payload.
Mtproto Telegram Proxy
Two keys are extracted from both initialization payloads, using bytes at offsets
8-40
: the key extracted from the primary payload is used as encryption key, the key extracted from the secondary payload is used as decryption key.Two IVs are extracted from both initialization payloads, using bytes at offsets
40-56
: the IV extracted from the primary payload is used as encryption IV, the IV extracted from the secondary payload is used as decryption IV.Mtproto Telegram List
Only if using MTProxy, the secret is used to provide connection with the MTProxy server.The secret is a 16-byte string, usually distributed in its hexadecimal form along with the MTProxy host and port.
![Telegram proxy Telegram proxy](https://image.winudf.com/v2/image1/aXIuZGlhbW9uZGFwcHMudGVsZXZwbl9zY3JlZW5fMl8xNTY3MjgzMTk1XzA5NA/screen-2.jpg?fakeurl=1&type=.jpg)
Often, a 17-byte version of the secret can be found: this simply indicates that the client should use a specific MTProto transport (based on the first byte, usually it's
0xdd
, to indicate that the padded intermediate protocol should be used 0xdddddddd
; however, clients should default to the padded intermediate transport whenever an additional byte in the secret is encountered).The extracted encryption and decryption keys must be concatenated with the secret (the first byte of which should be ignored if it's the 17-byte version), and the SHA256 hash of such string should be used as encryption/decryption key.
The obtained encryption and decryption key/IV pairs must then be used with AES-256-CTR to encrypt and decrypt all outgoing and incoming payloads.
The first thing that must be encrypted using the encryption key is the initialization payload itself.Then bytes
56-64
of the encrypted initialization payload are substituted in the original initialization payload: this is the part that contains the constant MTProto transport protocol identifier and the DC ID (only for MTProxies).The final initialization payload must then be sent in the socket as first 64 bytes after the TCP handshake.
Example pseudocode for the generation of an MTProxy connection payload (media DC 4) using the obfuscated padded intermediate transport.Warning: do not use the specified proxy secret in any MTProxy exposed on the internet.