<divid="dev_page_content"><p><ahref="https://telegram.org/blog/cryptocontest"><strong>« Back to Contest Announcement</strong></a></p>
<blockquote>
<p>The current round of the contest is over. <ahref="https://telegram.org/blog/cryptocontest-ends"><strong>Go to results »</strong></a></p>
</blockquote>
<p>In this contest you assume the role of a malicious entity in control of Telegram's servers. Your goal is to extract sensitive data (a secret email and password) from a conversation between two peers — Paul and Nick. They are represented by two virtual users that communicate via <ahref="https://core.telegram.org/api/end-to-end">Secret Chats</a> in Telegram.</p>
<p>Paul and Nick are both using clients that perform all the checks from <ahref="/mtproto/security_guidelines">Telegram Security Guidelines</a> and compare their key visualizations over an independent channel as soon as a new Secret Chat is established. If any of these checks fails, they stop accepting messages in that Secret Chat. You control the entire process by sending commands to the Telegram user <code>@CryptoContest</code>, used as an interface for this contest. This enables contestants to try CPA, KPA, MITM and other kinds of active attacks and data tampering.</p>
<p>The protocol used by Paul and Nick to establish Secret Сhats and exchange messages is identical to the one used for <ahref="https://core.telegram.org/api/end-to-end">Secret Chats</a> in Telegram. Since we assume that the attacker is already in full control of the Telegram servers, basic MTProto encryption is bypassed altogether. In order to further simplify the task for contestants, we have removed irrelevant parameters, such as user_id and random_id.</p>
<p>The following <ahref="/mtproto/TL">TL</a> scheme is used to establish Secret Chats in this contest: </p>
<p>For exchange of encrypted messages (see <ahref="/api/end-to-end#sending-and-receiving-messages-in-a-secret-chat">documentation</a>), the up-to-date layer 17 scheme with <ahref="/api/end-to-end/seq_no">sequence numbers</a> is used, but with plain text message support only.</p>
<p>Each plaintext message is first created as a layer 17 <ahref="/constructor/decryptedMessage">decryptedMessage</a>, then embedded in a <ahref="/constructor/decryptedMessageLayer">decryptedMessageLayer</a> and encrypted as explained in the <ahref="/api/end-to-end#serialization-and-encryption-of-outgoing-messages">Secret Chat documentation</a>. For the purpose of this contest, it is the result of this encryption <em>(ciphertext)</em> that is exchanged between the parties. </p>
<p>Notice that sending messages in an actual Telegram Secret Chat involves further embedding of that <em>ciphertext</em> into an API call and an additional layer of <ahref="/mtproto">MTProto</a> encryption for client-server interaction. This step is omitted here, since we assume the attacker to be in control of the Telegram servers, not just of the communication lines between the clients and Telegram servers.</p>
<p>To access the interface, find the Telegram user <code>@CryptoContest</code> using the Global Search by username in any of the <ahref="https://telegram.org/apps">Telegram apps</a>. This is a special bot we created for this contest. You can control communication between Paul and Nick by sending <ahref="#commands">particularly formed</a> text messages to this bot and processing automatically generated answers to these messages (you may find the unofficial <ahref="https://github.com/vysheng/tg">Linux CLI</a> convenient for mass automated queries).</p>
<p>You can create as many parallel Secret Chats between Paul and Nick as you like using the bot — each of them will have a separate <em>session_id</em>. All data is represented in hexadecimal format, with the exception of the <em>session_id</em>.</p>
<p>Below, <strong>A</strong> stands for the creator of the Secret Chat, <strong>B</strong> stands for the second party, <strong>S</strong> — the Telegram Server.</p>
<p>Each Secret Chat session in this contest is divided in two phases: </p>
<ul>
<li><ahref="#1-creating-a-secret-chat">Creating a Secret Chat</a></li>
<h5><aclass="anchor"name="1-creating-a-secret-chat"href="#1-creating-a-secret-chat"><iclass="anchor-icon"></i></a>1. Creating a Secret Chat</h5>
<p>In order to create a new Secret Chat, six messages need to be exchanged:</p>
<tableclass="table">
<thead>
<tr>
<th><strong>Source</strong></th>
<th><strong>Destination</strong></th>
<th><strong>Message</strong></th>
</tr>
</thead>
<tbody>
<tr>
<td>A</td>
<td>S</td>
<td>contest.getDhConfig</td>
</tr>
<tr>
<td>S</td>
<td>A</td>
<td>contest.DhConfig</td>
</tr>
<tr>
<td>A</td>
<td>B</td>
<td>contest.requestEncryption</td>
</tr>
<tr>
<td>B</td>
<td>S</td>
<td>contest.getDhConfig</td>
</tr>
<tr>
<td>S</td>
<td>B</td>
<td>contest.DhConfig</td>
</tr>
<tr>
<td>B</td>
<td>A</td>
<td>contest.acceptEncryption</td>
</tr>
</tbody>
</table>
<p>To create a Secret Chat in this contest:</p>
<ul>
<li>Send the <strong>START</strong> command to the user <code>@CryptoContest</code> in Telegram. You'll get the <strong>getDhConfig</strong> query, sent by A to the Server, and the answer that the server would normally send to A. You shall also receive the new <em>session_id</em> as the first 32-bit integer. All further messages related to this particular session (Secret Chat instance) must be prefixed with this <em>session_id</em> in decimal form.</li>
<li>After that, use the <strong>PASS</strong> command to pass the server's answer to A or <strong>ANSWER bytes</strong> to send a different answer instead. <strong>Bytes</strong> is represented by a string of an even number of hexadecimal digits. You'll receive the <strong>requestEncryption</strong> query as the result. </li>
<li>After that, use the <strong>PASS</strong> command to pass this query to B or <strong>ANSWER bytes</strong> to arbitrarily change it. You‘ll receive B’s <strong>getDhConfig</strong> to the server as the result.</li>
<li>As before, you can use either <strong>PASS</strong> or <strong>ANSWER bytes</strong>. You'll receive <strong>acceptEncryption</strong> as the result.</li>
<li>As before, you can use either <strong>PASS</strong> or <strong>ANSWER bytes</strong>. You'll receive “Ok” as the result.</li>
</ul>
<p>You will receive an error text as the result after any of these steps in case the participating clients perceive that something went wrong. This can happen if a security check is failed, or in the case that the first 128 bits of the SHA-1 of the newly created encryption key don‘t match on both parties’ clients when this stage is completed (this corresponds to Paul and Nick comparing the key visualizations for the Secret Chat in their Telegram apps).</p>
<p>If you obtain such an error, the session is failed and can no longer be used. You'll have to start new session. Note that the time to complete this phase is limited. Each step should not take longer than one hour, otherwise the Secret Chat will get cancelled.</p>
<h5><aclass="anchor"name="2-sending-text-messages"href="#2-sending-text-messages"><iclass="anchor-icon"></i></a>2. Sending Text Messages</h5>
<p>Once the Secret Chat has been established, you can use the following queries to make Paul and Nick exchange text messages inside the Secret Chat:</p>
<ul>
<li><strong>ASK [A|B]</strong> — asks A or B to send a random plaintext message to the other party. It is guaranteed that at least one of the first ten generated messages will contain the secret email and password that are the <ahref="#objectives">goal</a> of this contest. It is also guaranteed that apart from that, all messages will contain only dictionary English words, spaces, line breaks and punctuation marks. The result to this query is the ciphertext corresponding to the randomly generated plaintext.</li>
<li><strong>TXT [A|B] bytes</strong> — asks A or B to encrypt <strong>bytes</strong> as the (plaintext) contents of a text message and send it to the other party. Note that <strong>bytes</strong> can be any byte sequence, not necessarily a valid UTF-8 sequence. The result to this query is the ciphertext corresponding to the given plaintext.</li>
<li><strong>MSG [A|B] bytes</strong> — send a specified (ciphertext) message (for example, obtained as an answer to an <strong>ASK</strong> or <strong>TXT</strong> query) to A or B. You will receive ‘Ok’ if this message was decrypted successfully and accepted by the client, or ‘Fail’ otherwise.</li>
15 MSG B b1d4a6119278722b0309a8c1fee80000c877b80b3ef2cc3dc92104de4322d8ae374fbf38758091fe4c86bafffa792f7eb37d8431cf8f868319c3af005791b7c55f788e260b8fa6a96b6808d0d448abfdb49913160c5355ef2d4e439a676055e42de6b26dd7d0e06e3fb48981208449658aff63fd8262ef0669f8bb242ade401e1190d2f54f3896ac17c1b796cbe185d5b0166649d5bac25e4626c08c78527458fc7877ee2add14a8e7b1f9b56651b8264284aa2fd28de55f96bcec8075dd43bbc69f6c05c2428795e51a081e3995e4ede72d190d55d0b30d8215bf4ed13fde7c8f578993050280ec4a940e910eb182bd335e52e2a699d9b0
15 Fail
15 MSG B b1d4a6119278722b0309a8c1fee80000c877b80b3ef2cc3dc92104de4322d8ae374fbf38758091fe4c86bafffa792f7eb37d8431cf8f868319c3af005791b7c55f788e260b8fa6a96b6808d0d448abfdb49913160c5355ef2d4e439a676055e42de6b26dd7d0e06e3fb48981208449658aff63fd8262ef0669f8bb242ade401e1190d2f54f3896ac17c1b796cbe185d5b0166649d5bac25e4626c08c78527458fc7877ee2add14a8e7b1f9b56651b8264284aa2fd28de55f96bcec8075dd43bbc69f6c05c2428795e51a081e3995e4ede72d190d55d0b30d8215bf4ed13fde7c8f578993050280ec4a940e910eb182bd335e52e2a699d9b5
<p>We are offering a <strong>$300,000</strong> reward to the first person to break Telegram's encryption protocol in this contest.</p>
<p>Your goal is to extract a secret email address from one of the random messages that are exchanged between Nick and Paul when you use the <strong>ASK</strong> command. It is guaranteed that at least one of the first ten generated messages within a session will contain the secret address. It is also guaranteed that apart from that, all messages will contain only dictionary English words, spaces, line breaks and punctuation marks.</p>
<p>Once you have the address, you will need to send an email to it. That email must contain:<br>- The entire text of the message that contained the secret email.<br>- Session logs for the successful attempt with your user_id.<br>- A detailed explanation of the attack on the protocol.<br>- Your bank account details to receive the $300,000 prize.</p>
<p>To prove that the competition was fair, we will add a command that returns the keys used for a particular session by its <em>session_id</em> at the end of the contest. This will be done as soon as a winner is announced, or on February 4, 2015 in case no winner is announced to that date.</p>
<p>We are also offering an independent <strong>$100,000</strong> reward to the first person to make the bot accept a ciphertext message (i.e. the first person to send a message using <strong>MSG [A|B] bytes</strong> and receive the result ‘OK’), provided that that ciphertext deciphers to a plaintext that was never encrypted by the bot itself within this session.</p>
<p>Should you succeed at this, kindly send an email to security@telegram.org and include the following:<br>- Session logs for the successful attempt with your user_id.<br>- A detailed explanation of the attack on the protocol.<br>- Your bank account details to receive the $100,000 prize.</p>
</div>
</div>
</div>
</div>
<divclass="footer_wrap">
<divclass="footer_columns_wrap footer_desktop">
<divclass="footer_column footer_column_telegram">
<h5>Telegram</h5>
<divclass="footer_telegram_description"></div>
Telegram is a cloud-based mobile and desktop messaging app with a focus on security and speed.