Security Contest Winter 2013-2014 FAQ

This contest has ended.

Q: Why did you launch this contest?

The goal of this contest is to solve a real-life problem. The question at hand is whether your internet provider or another entity that intercepts your traffic would be able to decrypt your conversations over Telegram. We are inviting hackers and security experts to find ways of decrypting Telegram traffic. As a result, we will either find a vulnerability in our encryption algorithm and fix it, or get indirect evidence that decrypting our traffic is no easy task.

Q: What happens if someone wins?

If we have a winner in the current competition, we will start a new competition with an even larger prize. Of course, before launching a new competition we will have to fix the vulnerability that allowed the winner to decipher the traffic of Telegram.

Q: What do I have access to?

You have access to a detailed description of the encryption system we use, app source code, as well as complete traffic logs for the target ‘Paul’ (+79112317383) from the day he signed up for Telegram, updated in real time.

You need to decipher the secret email address that Paul sends daily in one of the messages to ‘Nick’ (+79218944725), and describe the successful attack in an email to that address.

Q: What is the structure of your traffic log?

The structure of the traffic log is as follows:

    Unixtime Length-in-bytes Direction (in/out) ServerIP:Port Hexdump.

For your convenience, only high-level TCP stream bytes are shown, ignoring IP packet boundaries and omitting TCP/IP headers.
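A minimal parser for this record layout, added here as an illustration and not part of the contest materials or Telegram's code. It assumes whitespace-separated fields, the literal direction values `in` and `out`, and a hexdump that may be split into space-separated groups; the sample records are constructed. Because records ignore IP packet boundaries, it concatenates payloads per server and direction to recover each byte stream.

```python
from collections import defaultdict
from typing import NamedTuple


class Record(NamedTuple):
    unixtime: int
    direction: str      # "in" or "out" (assumed literal values)
    server: str         # "ServerIP:Port"
    payload: bytes


def parse_line(line: str) -> Record:
    """Parse one 'Unixtime Length Direction ServerIP:Port Hexdump' record."""
    fields = line.split()
    if len(fields) < 5:
        raise ValueError(f"expected 5 fields, got {len(fields)}")
    unixtime, length, direction, server = fields[:4]
    if direction not in ("in", "out"):
        raise ValueError(f"bad direction {direction!r}")
    host, sep, port = server.rpartition(":")
    if not sep or not host or not port.isdigit():
        raise ValueError(f"bad ServerIP:Port {server!r}")
    # Assumption: the hexdump may be split into space-separated groups.
    payload = bytes.fromhex("".join(fields[4:]))
    # The declared length doubles as an integrity check on the hexdump.
    if len(payload) != int(length):
        raise ValueError(f"length {length} != {len(payload)} decoded bytes")
    return Record(int(unixtime), direction, server, payload)


def reassemble(lines):
    """Concatenate payloads per (server, direction), in log order."""
    streams = defaultdict(bytearray)
    for line in lines:
        if line.strip():
            rec = parse_line(line)
            streams[(rec.server, rec.direction)] += rec.payload
    return {key: bytes(buf) for key, buf in streams.items()}


# Constructed sample records (not taken from the contest log).
SAMPLE = [
    "1387400000 4 out 192.0.2.10:443 ef0a0b0c",
    "1387400001 3 in 192.0.2.10:443 01 02 03",
    "1387400002 2 out 192.0.2.10:443 0d0e",
]

if __name__ == "__main__":
    for (server, direction), data in reassemble(SAMPLE).items():
        print(server, direction, len(data), data.hex())
```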

Q: Does Paul send the same message to Nick every day?

No, just as in real life, Paul's messages to Nick can be different each time. The only thing that doesn’t change is the secret email address in his daily messages.

Q: Could you provide an example of Paul's message to Nick?

Sure. The message may look like “Hey Nick, so here is the secret email address for the bounty hunters – {here goes the email}”.

Q: I want to try active attacks in the current contest, how can I do that?

At this stage, it is possible to analyze the traffic and send modified packets to the server, thereby performing length extension attacks, replay attacks, etc. In case nobody achieves the goal of the current contest (deciphering intercepted Telegram traffic) by March 2014, we are willing to facilitate the task and provide the contestants with tools for performing more complicated active attacks.

Q: What if I don’t trust bitcoins and don’t want them as a prize?

If the winner prefers conventional money over bitcoin, we will be happy to transfer them 200,000 regular USD instead of BTC.

Q: It is only 2,5 months. I need more time to find bugs in your protocol!

The contests to crack Telegram's encrypted protocol are a permanent feature of our project. We will always be launching a new contest after the end of the previous one, and the amount of the prize money is likely to increase. So whenever you are the first person to find vulnerabilities in our encryption system, you will be able to claim a prize — even after the current competition is over.