by sweis 4009 days ago
I briefly looked at Telegram's crypto code a couple of months ago. Here are a few funny things I spotted:

Telegram's message format uses ambiguous padding, so they have to try all padding lengths when validating a message: https://github.com/DrKLO/Telegram/blob/master/TMessagesProj/...

That loop leaks timing information, as does the "Utilities.arraysEquals" method it uses. I'm not sure if it opens up a timing attack, but it's suspect: https://github.com/DrKLO/Telegram/blob/master/TMessagesProj/...

There is another spot where they pad with zero bytes without any authentication. This may leave room to mess with the protocol: https://github.com/DrKLO/Telegram/blob/master/TMessagesProj/...

There are also some weird things throughout the code, like using SecureRandom.nextDouble() all over: https://github.com/DrKLO/Telegram/blob/master/TMessagesProj/... https://github.com/DrKLO/Telegram/blob/master/TMessagesProj/...


What does leaking timing information mean?
Nate Lawson has a good explanation of timing attacks (against my own code): http://rdist.root.org/2009/05/28/timing-attack-in-google-key...
Response timing can be indicative of the key, especially if you have the crypto algorithm's code (source/IR/machine code).
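The "leaks timing information" point about an early-exit array comparison, and the follow-up question about what that means, can be made concrete without any wall-clock measurement. The added example below is not Telegram's code and not from anyone in this thread; it is a constructed illustration in which both comparison functions report how many bytes they examined, so the data-dependent work (the quantity an attacker would infer from response timing) can be checked directly. Names such as `naive_equals`, `constant_time_equals`, `prefix_leak`, `EXPECTED_MAC` and `CANDIDATES` are hypothetical.

```python
"""Constructed illustration of why an early-exit byte comparison leaks timing.

naive_equals mimics a typical "compare until first mismatch" helper;
constant_time_equals is the defensive replacement. Both return
(result, bytes_examined) so the data-dependent work can be asserted on
without flaky timing measurements. Added example, not Telegram's code.
"""
import hmac


def naive_equals(a: bytes, b: bytes) -> tuple[bool, int]:
    """Early-exit comparison: stops at the first differing byte.

    The number of bytes examined (and hence the time taken) reveals how
    long the common prefix of a and b is.
    """
    if len(a) != len(b):
        return False, 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        if x != y:
            return False, examined
    return True, examined


def constant_time_equals(a: bytes, b: bytes) -> tuple[bool, int]:
    """Accumulate differences with XOR/OR; never branch on message data.

    Every byte is visited regardless of where a mismatch occurs, so the
    work done depends only on the length, which is public anyway.
    """
    if len(a) != len(b):
        return False, 0
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y
    return diff == 0, len(a)


def prefix_leak(expected: bytes, candidates: list[bytes]) -> list[int]:
    """Return bytes_examined for each candidate under naive_equals.

    The value grows with the length of the matching prefix: that is the
    side channel a remote observer can read off response timing.
    """
    return [naive_equals(expected, c)[1] for c in candidates]


# Constructed sample: a 16-byte "MAC" and candidates whose matching prefix
# grows by one byte each time (the last candidate is fully correct).
EXPECTED_MAC = bytes(range(16))
CANDIDATES = [bytes(range(k)) + bytes([0xFF]) * (16 - k) for k in range(17)]

if __name__ == "__main__":
    print("naive   :", prefix_leak(EXPECTED_MAC, CANDIDATES))
    print("constant:", [constant_time_equals(EXPECTED_MAC, c)[1] for c in CANDIDATES])
    # In real code use the library primitive rather than a hand-rolled loop.
    print("stdlib  :", hmac.compare_digest(EXPECTED_MAC, CANDIDATES[-1]))
```

Running it prints `1, 2, ..., 16, 16` for the naive version (one more byte examined per byte of correct prefix) and a flat `16` for every candidate under the constant-time version. In practice, use the platform's audited primitive instead of a hand-written loop: `hmac.compare_digest` in Python, and `java.security.MessageDigest.isEqual` in Java, which is the drop-in replacement for a custom array-equality helper.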