Q: Why did you go for a custom protocol?
In order to achieve reliability on weak mobile connections as well as speed when dealing with large files (such as photos, large videos and files up to 2 GB each), MTProto uses an original approach. This document is intended to clarify certain details of our setup, as well as address some important points that might be overlooked at first glance.
Q: Where can I read more about the protocol?
-Detailed protocol documentation is available here. Please note that MTProto supports two layers: client-server encryption that is used in Telegram cloud chats and end-to-end encryption that is used in Telegram Secret Chats. See below for more information.
-If you have any comments, hit us up on Twitter.
+Detailed protocol documentation is available here. Please note that MTProto supports two layers: client-server encryption that is used in Telegram cloud chats and end-to-end encryption that is used in Telegram Secret Chats. See below for more information.
+If you have any comments, feel free to reach out to security@telegram.org
Q: How does server-client encryption work in MTProto?
-Server-client encryption is used in Telegram cloud chats. Here's a brief overview of the setup:
+Server-client encryption is used in Telegram Cloud Chats. Here's a brief overview of the setup:
Note 3
Telegram's End-to-end encrypted Secret Chats are using an additional layer of encryption on top of the described above.
Q: How does end-to-end encryption work in MTProto?
-End-to-end encryption is used in Telegram Secret Chats. You can read more about it here: Secret Chats, End-to-End encryption. Here's a brief overview of the setup:
+End-to-end encryption is used in Telegram Secret Chats, as well as voice and video calls. You can read more about it here: Secret Chats, End-to-End encryption. Here's a brief overview of the setup:
While other ways of achieving the same cryptographic goals, undoubtedly, exist, we feel that the present solution is both robust and also sucсeeds at our secondary task of beating unencrypted messengers in terms of delivery time and stability.
Q: Why are you mostly relying on classical crypto algorithms?
We prefer to use well-known algorithms, created in the days when bandwidth and processing power were both a much rarer commodity. This has valuable side-effects for modern-day mobile development and sending large files, provided one takes care of the known drawbacks.
-The weakspots of such algorithms are also well-known, and have been exploited for decades. We use these algorithms in such a combination that, to our best knowledge, prevents any known attack from possibly succeeding. Although we’d be grateful to see any evidence of the contrary (so far absent) and update our system accordingly.
-Q: I'm a security expert and I think your protocol is not secure.
-If you have any comments, we would be happy to hear them at security@telegram.org. We award bounties to those who help us discover and fix vulnerabilities in our clients and protocol.
-You are also welcome to join in our competition — we are offering $300,000 to the first person to break Telegram encryption. Check out the contest announcement.
+The weakspots of such algorithms are also well-known, and have been exploited for decades. We use these algorithms in such a combination that, to the best of our knowledge, prevents any known attacks.
+Q: I'm a security expert and I have comments about your setup.
+Any comments on Telegram's security are welcome at security@telegram.org. All submissions which result in a change of code or configuration are eligible for bounties, ranging from $100 to $100,000 or more, depending on the severity of the issue.
+Please note that we can not offer bounties for issues that are disclosed to the public before they are addressed.
Encryption
Q: How are MTProto messages authenticated?
All Telegram apps ensure that msg_key is equal to SHA-256 of a fragment of the auth_key concatenated with the decrypted message (including 12…1024 bytes of random padding). It is important that the plaintext always contains message length, server salt, session_id and other data not known to the attacker.