DEV Community

Will Morgan
Will Morgan

Posted on • Originally published at explorer.testnet.mesg.com

Telegram isn't really encrypted, but you can easily encrypt chats with this service

Originally published at: http://explorer.testnet.mesg.com/services/cTPFWWc4WULrqdwgXMN8461mGTbowQ1vFiMRGjy2X5V?utm_source=devto&utm_medium=blog&utm_campaign=encryption_service

Encrypt & Decrypt (ID: encrypt)

Contents

Installation

MESG SDK

This service requires MESG SDK to be installed first.

You can install MESG SDK by running the following command or follow the installation guide.

npm install -g @mesg/cli

Deploy the Service

To deploy this service, go to this service page on the MESG Explorer.

Definitions

Tasks

encrypt

Task key: encrypt

Inputs
Name Key Type Description
publicKey publicKey String
data data String
Outputs
Name Key Type Description
encryptedData encryptedData String

decrypt

Task key: decrypt

Inputs
Name Key Type Description
privateKey privateKey String
passphrase passphrase String
encryptedData encryptedData String
Outputs
Name Key Type Description
data data String

generate

Task key: generate

Inputs
Name Key Type Description
passphrase passphrase String
Outputs
Name Key Type Description
publicKey publicKey String
privateKey privateKey String

Top comments (6)

Collapse
 
defman profile image
Sergey Kislyakov

What are the benefits over p2p chats which are implemented in Telegram?

Collapse
 
williamzmorgan profile image
Will Morgan • Edited

This is a discrete service that handles encryption and decryption only. It can be used with any chat service like Telegram.

There is an encrypted 'secret chat' feature on Telegram, but since Telegram handles the encryption keys (even if it doesn't officially run through their server), it could theoretically be decrypted via your device by Telegram as well.

This service gives full control of encryption and keys to the user rather than trusting any companies in the middle. Telegram's proprietary protocol MTProto isn't open to developer scrutiny, whereas this service is fully open-source, and can be used locally or even in a decentralized manner.

Collapse
 
defman profile image
Sergey Kislyakov

This is a discrete service that handles encryption and decryption only. It can be used with any chat service like Telegram.

So, GPG?

it could theoretically be decrypted via your device by Telegram as well.

Could you elaborate on that statement? Do you mean Telegram can send some service message to me which will tell the app to decrypt my secret chats and send them back to Telegram? I'd doubt that. Their apps are open-source so if that would be the case, I'm sure there would be news about that. I haven't heard of anything like this, though.

Telegram's proprietary protocol MTProto

Server-side chat MTProto specification.
E2E MTProto specification.

Not sure how secure it is, though it does satisfy the conditions for IND-CCA, so I guess it's good?

Thread Thread
 
williamzmorgan profile image
Will Morgan • Edited

So, GPG?

Right now, this service just generates a couple of private/public keys, but could definitely use GPG.

Could you elaborate on that statement?

Telegram won't allow you to do that with your own encryption, but this could be done with a Telegram bot which could encrypt/decrypt your messages and connect your chat on Telegram with this service.

In this case, you control your own encryption, so you're your own middle man, not Telegram. This would be the user-friendly solution, but the better way would be to do this outside of Telegram, with manual encryption/decryption of the messages.

 +----------------+    2      +-------------------+    1     +----------+
 |                <-----------+                   <----------+          |
 |   Encryption   |    3      |    Telegram bot   |          |   User   |
 |                +----------->                   |          |          |
 +----------------+           +-------------------+          +----------+
                                         |
                                         |                   +----------+
                                         |         4         |          |
                                         +------------------>+  User 2  |
                                                             |          |
                                                             +----------+


+-----------+        1        +----------------+      2      +--------------+
|           +----------------->                +------------>+              |
|  User 2   |        4        |  Telegram bot  |      3      |  Decryption  |
|           +<----------------+                +<------------+              |
+-----------+                 +----------------+             +--------------+

Not sure how secure it is, though it does satisfy the conditions for IND-CCA, so I guess it's good?

Telegram security does seem quite open and safe, but it's a proprietary protocol, and many would prefer open-source protocols and encryptions because they have full control over it. Here's an example of that sentiment: abacusnews.com/digital-life/why-te...

Thread Thread
 
defman profile image
Sergey Kislyakov • Edited

That didn't answer my question about secret chats being decrypted somehow just because Telegram does the initial key exchange, which you stated there (if I misunderstood your sentence, please forgive me for that. English is not my native language):

since Telegram handles the encryption keys (even if it doesn't officially run through their server), it could theoretically be decrypted via your device by Telegram

Yes, you have to let Telegram do the exchange for you, but that's just trading user experience over security, I'm sure most people would accept this "trade" and those who don't - I doubt they use Telegram at all (they probably use GPG + E-mail or something like that).
Diffie–Hellman key exchange have been used for years, as long as Telegram clients use that algorithm, I'm fine with that.

As for the diagram provided, I guess it shows integration of your service with Telegram? I'd not trust any bot (except created by myself) to do the decryption of my messages. It must be done on the client side. Otherwise you're not controlling it at all. You can send/receive encrypted messages over Telegram, but that's not user friendly at all. At that point, I'd simply use GPG over e-mail with a plugin for Thunderbird that would encrypt/decrypt messages automatically.

The article you linked do not provide any valuable arguments either. I can take screenshot of any decrypted data and there's no protocol that wouldn't let me do that. As for MTProto, how is that proprietary? No one stops you from implementing it as a library so anyone could use it. The specification is open.

Collapse
 
tomhenry profile image
Tom Henry

Just what I was looking for!