Just as the news of Telegram’s Passport service hit the newsstands, a blunt critique of the service came forward from the Chief Product Security Officer at Virgil Security, Inc., Alexey Ermishkin. Ermishkin shed light on “several key” faults in Passport’s security, highlighting its wishy-washy encryption and its password protection built on a weak SHA-512 hash. This heavy critique came as no surprise, as Virgil Security specializes in end-to-end encryption with its Twilio End-to-End Encrypted messaging and its breach-proof password solutions Pythia and BrainKey.
Telegram, a company known for its heavily encrypted messenger platform with self-destructing messages, recently announced the release of its newest service, Telegram Passport, which allows users to store all of their identification documents, as well as important travel / financial statements and licenses, digitally in one place. The application is built to store this information securely and then supply it, at the user’s discretion, to third-party applications and services such as crypto wallets.
In the critique published on Virgil Security’s website, Ermishkin set the tone right off the cuff by stating that “Passport’s security disappoints in several key ways.” He explained that the greatest concern surrounded Passport’s method of password protection, which was flawed at all three stages of its process: encrypting data with a password, generating the data encryption key, and encrypting the data and uploading it to the cloud.
The hashing algorithm used by Passport is SHA-512, an “algorithm that is not meant for hashing passwords.” The report cites that LivingSocial lost 50 million passwords in 2013 with SHA-1 and LinkedIn lost 8 million passwords in 2012 the same way. Despite the salting step in the code, this mechanism leaves passwords vulnerable: according to the report, 1.5 billion SHA-512 hashes can be computed every second on top-end GPUs. This is an attack that can easily be carried out by a small cryptocurrency mining farm.
Telegram has not included scrypt, bcrypt, Argon2, or the like in its password encryption process. These hardening techniques were not used by LivingSocial or LinkedIn either, who suffered at the hands of attackers that stole millions of their passwords. Protection methods such as these, or the likes of Pythia or BrainKey as used by Virgil Security, prevent brute-force vulnerabilities in password systems, but unfortunately Passport doesn’t seem to use any of them.
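The cost gap the critique is describing, as an added illustration that is not from the article or from Telegram’s code: a salted SHA-512 password hash beside the scrypt KDF from Python’s hashlib, timed on the same constructed password and salt, plus the exhaustive-search time implied by the 1.5 billion guesses-per-second figure quoted above. The scrypt parameters and the password/salt values are assumptions chosen for the demonstration.

```python
import hashlib
import os
import time

# Constructed sample inputs for the demonstration (not Telegram's real values).
PASSWORD = b"correct horse battery staple"
SALT = os.urandom(16)


def fast_hash(password: bytes, salt: bytes) -> bytes:
    """Salted SHA-512, the kind of construction the critique faults.
    The salt defeats precomputed tables, but each guess still costs one hash."""
    return hashlib.sha512(salt + password + salt).digest()


def slow_hash(password: bytes, salt: bytes) -> bytes:
    """scrypt, one of the memory-hard KDFs the article names as missing.
    Assumed parameters: n=2**14, r=8, p=1 (about 16 MiB of memory per guess)."""
    return hashlib.scrypt(password, salt=salt, n=2**14, r=8, p=1, dklen=64)


def guesses_per_second(fn, password: bytes, salt: bytes, seconds: float = 0.2) -> float:
    """Measure how many candidate passwords per second fn can check on this CPU."""
    count = 0
    start = time.perf_counter()
    while time.perf_counter() - start < seconds:
        fn(password, salt)
        count += 1
    return count / (time.perf_counter() - start)


def compare(password: bytes = PASSWORD, salt: bytes = SALT) -> dict:
    """Relative per-guess cost of the two constructions on this machine."""
    fast = guesses_per_second(fast_hash, password, salt)
    slow = guesses_per_second(slow_hash, password, salt)
    return {"sha512_per_s": fast, "scrypt_per_s": slow, "slowdown": fast / slow}


def seconds_to_exhaust(keyspace: int, guesses_per_s: float) -> float:
    """Time to try every password in a keyspace at a given guess rate."""
    return keyspace / guesses_per_s


if __name__ == "__main__":
    result = compare()
    print(f"SHA-512: {result['sha512_per_s']:.0f}/s, scrypt: {result['scrypt_per_s']:.0f}/s")
    # 8 lowercase letters at the article's GPU rate of 1.5 billion SHA-512/s.
    print(f"26^8 at 1.5e9/s: {seconds_to_exhaust(26**8, 1.5e9):.0f} s")
```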
In addition to this initial-stage vulnerability, the process that Passport uses to generate its encryption key relies on the firm’s own invented method: randomizing the first byte of a random array such that the bytes sum to 0 mod 239. This method is far quicker for an attacker to break than the traditionally used Hash-based Message Authentication Code (HMAC) and Authenticated Encryption with Associated Data (AEAD) methods, which Telegram chose not to employ.
As explained by Ermishkin, a brute-force attacker need only compute the salted SHA-512 for the next candidate password, decrypt the intermediate key (using AES-NI), check that the byte sum is 0 mod 239, derive the data decryption key with SHA-512 as in the first step, and confirm the guess by decrypting the first segment of data and checking its first padding byte.
Ermishkin raises these security flaws to build awareness of the very real threat posed by the compromise of a single store of confidential passport and identity documents. Years ago, large corporations saw password losses and failures in their systems. A few years on, with a far more valuable service at stake, Telegram’s current methods of password protection for its Passport are not nearly enough to keep its users’ data safe.