> The consensus seems to be that you're doing..

Now, again, could I somehow direct your attention away from speculations and to what we are ACTUALLY doing (as, again, documented here [0], and now here as well [1]).

1. We are not doing plain encrypt-and-MAC.
2. The SHA1 in question is for raw unencrypted data.
3. The message key is SHA1-dependent.
4. Note that the AES key and IV depend on that SHA1.

This can be described as a generic composition of cipher with ciphertext, encrypted by a MAC. The resulting data-dependent variable key denies all common attacks.

As for KDF, what particular solution do you have in mind? And even then — certainly, alternative solutions exist, but we do not see how changing this point would affect our system as a whole. [1]

As stated before, we'd welcome any information on attacks that could in reality threaten the actual setup.

[0] - http://core.telegram.org/mtproto/description
[1] - https://core.telegram.org/img/mtproto_encryption.png
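The key-derivation step the post describes (points 2 to 4: msg_key taken from the SHA1 of the unencrypted data, then the AES key and IV derived from msg_key and the shared auth_key), as an added worked example. This is editor-written code, not the post author's or Telegram's own implementation; it follows the MTProto 1.0 derivation as published on the description page at [0] (the substr offsets, x = 0 for client-to-server and x = 8 for server-to-client, and a 256-byte auth_key are taken from that page). The function names, the constructed sample auth_key and the sample plaintexts are my own. The AES-256-IGE encryption of the padded plaintext under the derived key and IV is not shown, since the Python standard library has no AES; the block stops at the derived key material and at the receiver-side msg_key check.

```python
import hashlib
import hmac

AUTH_KEY_LEN = 256   # MTProto auth_key is 2048 bits
MSG_KEY_LEN = 16     # msg_key is 128 bits of the SHA1 of the plaintext

# Constructed sample auth_key for the demo (a real one comes from the DH handshake).
SAMPLE_AUTH_KEY = bytes(range(AUTH_KEY_LEN))


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def msg_key_of(plaintext: bytes) -> bytes:
    """msg_key = substr(SHA1(plaintext), 4, 16).

    The hash is taken over the raw, unencrypted message (header fields plus
    message_data, before padding), which is what point 2 of the post refers to.
    """
    return sha1(plaintext)[4:4 + MSG_KEY_LEN]


def derive_aes_key_iv(auth_key: bytes, msg_key: bytes, client_to_server: bool = True):
    """Derive (aes_key, aes_iv) from auth_key and msg_key, MTProto 1.0 style.

    x = 0 for client->server, x = 8 for server->client, so the two directions
    use different slices of auth_key and therefore different key material.
    Returns a 32-byte AES-256 key and a 32-byte IGE IV (two AES blocks).
    """
    if len(auth_key) != AUTH_KEY_LEN:
        raise ValueError("auth_key must be %d bytes" % AUTH_KEY_LEN)
    if len(msg_key) != MSG_KEY_LEN:
        raise ValueError("msg_key must be %d bytes" % MSG_KEY_LEN)
    x = 0 if client_to_server else 8
    sha1_a = sha1(msg_key + auth_key[x:x + 32])
    sha1_b = sha1(auth_key[32 + x:48 + x] + msg_key + auth_key[48 + x:64 + x])
    sha1_c = sha1(auth_key[64 + x:96 + x] + msg_key)
    sha1_d = sha1(msg_key + auth_key[96 + x:128 + x])
    aes_key = sha1_a[0:8] + sha1_b[8:20] + sha1_c[4:16]
    aes_iv = sha1_a[8:20] + sha1_b[0:8] + sha1_c[16:20] + sha1_d[0:8]
    return aes_key, aes_iv


def check_msg_key(decrypted_plaintext: bytes, received_msg_key: bytes) -> bool:
    """Receiver-side check: after decrypting, recompute the SHA1-derived msg_key
    from the recovered plaintext and compare it (in constant time) with the
    msg_key that arrived in the clear next to the ciphertext."""
    return hmac.compare_digest(msg_key_of(decrypted_plaintext), received_msg_key)


def demo(auth_key: bytes = SAMPLE_AUTH_KEY) -> dict:
    """Show that the key material is a function of the plaintext and direction.

    Returns the derived values for two constructed plaintexts so the caller can
    see that (a) different plaintexts give different msg_key/key/IV under the
    same auth_key, (b) the same plaintext gives the same values again, and
    (c) the two directions differ for the same msg_key.
    """
    p1 = b"\x00" * 8 + b"session!" + b"\x01" * 8 + b"\x00\x00\x00\x00" + b"hello"
    p2 = b"\x00" * 8 + b"session!" + b"\x01" * 8 + b"\x00\x00\x00\x00" + b"hellp"
    k1 = msg_key_of(p1)
    k2 = msg_key_of(p2)
    key1, iv1 = derive_aes_key_iv(auth_key, k1, client_to_server=True)
    key2, iv2 = derive_aes_key_iv(auth_key, k2, client_to_server=True)
    key1_s2c, iv1_s2c = derive_aes_key_iv(auth_key, k1, client_to_server=False)
    return {
        "msg_key_differs": k1 != k2,
        "aes_key_differs": key1 != key2,
        "aes_iv_differs": iv1 != iv2,
        "deterministic": derive_aes_key_iv(auth_key, msg_key_of(p1)) == (key1, iv1),
        "direction_differs": (key1_s2c, iv1_s2c) != (key1, iv1),
        "receiver_check_ok": check_msg_key(p1, k1),
        "receiver_check_rejects_tamper": not check_msg_key(p2, k1),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-30s %s" % (name, value))
```

Because msg_key is a function of the plaintext and auth_key only, the same message sent twice under the same auth_key yields the same msg_key, AES key and IV; that is simply what a deterministic derivation means, and it is the property the post relies on when it calls the key "data-dependent".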