MTProto 2.0 is a suite of cryptographic protocols for instant messaging at the core of the popular Telegram messenger application. In this paper we analyse MTProto 2.0 using the symbolic verifier ProVerif. We provide fully automated proofs of the soundness of MTProto 2.0's authentication, normal chat, end-to-end encrypted chat, and rekeying mechanisms with respect to several security properties, including authentication, integrity, secrecy and perfect forward secrecy; at the same time, we discover that the rekeying protocol is vulnerable to an unknown key-share (UKS) attack. We proceed in an incremental way: each protocol is examined in isolation, relying only on the guarantees provided by the previous ones and the robustness of the basic cryptographic primitives. Our research proves the formal correctness of MTProto 2.0 w.r.t. most relevant security properties, and it can serve as a reference for implementation and analysis of clients and servers.
翻译:MTProto 2. 0 是一套用于在广受欢迎的电讯信使应用程序核心进行即时通讯的加密协议。 在本文中, 我们使用符号验证器 ProVerif 分析 MTProto 2. 0。 我们提供完全自动化的证明, 证明MTProto 2. 0 的认证、 正常聊天、 端对端加密聊天, 以及若干安全特性的重置机制, 包括认证、 完整性、 保密和完美的前方保密 ; 同时, 我们发现重订协议很容易受到未知的钥匙共享( UKS) 攻击 。 我们以渐进的方式行事: 每项协议都被孤立地审查, 仅依赖先前协议提供的保障和基本加密原始特征的坚固性。 我们的研究证明MTProto 2. 0 (w.r.t.) 最相关的安全特性的正式正确性, 它可以作为客户和服务器实施和分析的参考。