
Note: please refrain from commenting on Telegram's design of OTHER parts, as it will distract from the stem of the question.

Background:

Signal (previously the "TextSecure" app) uses a specific "Your identity / Their identity" type of verification to verify a secure channel.

Telegram, on the other hand, displays a picture of a pixel-like array with different colors and a set of alphanumeric characters under it, different for each secure channel (i.e. "Secret Chat"); if these pictures or alphanumeric characters match on both ends of the parties' phones, then the Secret Chat is "200% secure" [sic].


QUESTION:

In Telegram, how is the verification picture generated? What makes it secure? And what makes MITM on key exchange "200%" impossible when that picture is matching on each phone?


Merit of question:

Signal clearly displays the fingerprint of my own key (which I have on my own phone), making this very sensible: if it matches what THEY see as my fingerprint, then it's physically and technically impossible that a MITM happened.

What in Telegram's design ensures this same outcome as with Signal?


UPDATE:

This question needs an answer as, indeed, now even WhatsApp (using the "TextSecure" encryption protocol) displays ONE set of numbers that has to be matched on both ends of the conversing parties.


2 Answers


WhatsApp derives the QR code (and the numerical representation) from the user identifier and the 32-byte public Identity Key of both parties. I guess that some deterministic algorithm decides which of the two identifiers comes first (e.g. they could be sorted lexically).

This allows both clients to display the same image and numerical representation, whilst providing the same security as for example Signal, where both fingerprints are displayed individually.

Telegram uses a slightly different approach, because it computes a new secret chat key for each new secret chat (even if you are already participating in an active secret chat with the same person). Therefore, every secret chat with the same person should display a different 2D code and in my understanding it should also frequently change. This is due to the fact that the secret chat key is computed using Diffie-Hellman and is regenerated every 100 messages or at least every week, to provide some sort of forward secrecy. Both participants of the secret chat should see the same 2D code (which is some sort of graphical visualization of the secret chat key), since the secret chat key is a shared secret between both participants.

I am not completely certain about the Telegram part, because I don't use Telegram myself.

The information is taken from the WhatsApp security white paper (April 2016) [1, page 8] and the Telegram API documentation [2].

[1] https://www.whatsapp.com/security/WhatsApp-Security-Whitepaper.pdf

[2] https://core.telegram.org/api/end-to-end
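An added example, not code from the answer above or from WhatsApp: a toy version of the combined-fingerprint scheme the answer describes. Each party's (identifier, identity key) pair is reduced to 30 digits and the two halves are concatenated in a deterministic order, so both phones show one 60-digit number. The single SHA-256 pass, the lexical sort of the pairs, the digit grouping, and the identifiers and keys are all assumptions constructed for this demo (the real derivation is in the white paper cited as [1]). It also shows what each side sees when a third party substitutes her own identity key in both directions.

```python
import hashlib


def fingerprint_half(identifier: bytes, identity_key: bytes) -> str:
    """Reduce one party's (identifier, 32-byte identity key) to 30 decimal digits.

    Assumption: a single SHA-256 pass over the two inputs. The key length is
    fixed, so the concatenation is unambiguous.
    """
    if len(identity_key) != 32:
        raise ValueError("identity key must be 32 bytes")
    digest = hashlib.sha256(identifier + identity_key).digest()
    # Six groups of five digits, each taken from a 5-byte slice of the digest.
    return "".join(
        f"{int.from_bytes(digest[5 * i:5 * i + 5], 'big') % 100000:05d}"
        for i in range(6)
    )


def safety_number(my_id: bytes, my_key: bytes, their_id: bytes, their_key: bytes) -> str:
    """60-digit number that both parties can read out and compare.

    Sorting the two (identifier, key) pairs (assumption: lexical order) makes
    the result independent of which side computes it.
    """
    first, second = sorted([(my_id, my_key), (their_id, their_key)])
    return fingerprint_half(*first) + fingerprint_half(*second)


def format_groups(number: str) -> str:
    """Render as groups of five digits, the way messengers display it."""
    return " ".join(number[i:i + 5] for i in range(0, len(number), 5))


# Constructed sample data: identifiers and identity keys made up for this demo.
ALICE_ID, BOB_ID = b"+15550001111", b"+15550002222"
ALICE_KEY = hashlib.sha256(b"constructed: alice identity key").digest()
BOB_KEY = hashlib.sha256(b"constructed: bob identity key").digest()
EVE_KEY = hashlib.sha256(b"constructed: eve identity key").digest()


def honest_case() -> tuple[str, str]:
    """Each side computes the number from its own key and the key it received."""
    on_alice = safety_number(ALICE_ID, ALICE_KEY, BOB_ID, BOB_KEY)
    on_bob = safety_number(BOB_ID, BOB_KEY, ALICE_ID, ALICE_KEY)
    return on_alice, on_bob


def mitm_case() -> tuple[str, str]:
    """Eve hands her own identity key to each side in place of the other's."""
    on_alice = safety_number(ALICE_ID, ALICE_KEY, BOB_ID, EVE_KEY)  # Alice got Eve's key as "Bob's"
    on_bob = safety_number(BOB_ID, BOB_KEY, ALICE_ID, EVE_KEY)      # Bob got Eve's key as "Alice's"
    return on_alice, on_bob


if __name__ == "__main__":
    a, b = honest_case()
    print("honest  :", format_groups(a), "| both sides equal:", a == b)
    a, b = mitm_case()
    print("on Alice:", format_groups(a))
    print("on Bob  :", format_groups(b))
    print("both sides equal under MITM:", a == b)
```

Note that under substitution each phone still shows its owner's own half unchanged; only the half derived from the key it received differs, which is exactly why reading the whole number aloud catches the swap.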


Before the details: Telegram's server-side code is not available as open source and hence can't be reviewed.

Telegram uses Diffie-Hellman for key exchange and AES-IGE encryption.

The basic principle of DH key exchange is that

No entity can effectively intercept the key generation while simultaneously making sure that the parties generate the same key.

Which would mean that if Eve attempts an MITM attack while Alice and Bob are performing the key exchange, Eve can't simultaneously get both Alice and Bob to agree on the same key between them.

Situation would be:

Alice (Key A) <------->(Key A) Eve (Key B)<------->(Key B) Bob

Instead of

Alice (Key A) <------->(Key A) Eve (Key A)<------->(Key A) Bob

So now, if Alice and Bob compare their keys, they will find out that the keys they have are different.

The graphical pixel block Telegram displays is nothing but a graphical representation of the hash of the key. If they match, the keys are the same. Otherwise they are not, in which case we understand that a MITM took place.
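An added example, not part of the answer above and not Telegram's code: the two diagrams played out with a toy Diffie-Hellman exchange. Alice and Bob compute their shared key, a hash of it is rendered as a small pixel grid plus the hex characters "under the picture", and the same is done when Eve intercepts both public values and forwards her own. The group parameters (a Mersenne prime and generator 3), the SHA-256 fingerprint and the 8x16 two-bits-per-pixel rendering are assumptions made for illustration; the page does not give Telegram's actual hash or image encoding, and a real deployment uses a standardized large group.

```python
import hashlib
import secrets

# Toy Diffie-Hellman parameters (assumption, illustration only): a 127-bit
# Mersenne prime and a small generator. Not for production use.
P = 2**127 - 1
G = 3
SHADES = " .:#"  # four "pixel colours", one per two-bit value


def dh_public(private: int) -> int:
    return pow(G, private, P)


def dh_shared(private: int, peer_public: int) -> int:
    return pow(peer_public, private, P)


def key_fingerprint(shared: int) -> str:
    """Hex of SHA-256 over the shared key: the characters shown under the picture.

    Assumption: the hash function and encoding are stand-ins for Telegram's.
    """
    return hashlib.sha256(shared.to_bytes(16, "big")).hexdigest()


def pixel_block(fingerprint_hex: str) -> list[str]:
    """Render the 32-byte hash as an 8-row by 16-column grid, two bits per pixel."""
    raw = bytes.fromhex(fingerprint_hex)
    pixels = "".join(SHADES[(b >> shift) & 3] for b in raw for shift in (6, 4, 2, 0))
    return [pixels[r * 16:(r + 1) * 16] for r in range(8)]


def honest_exchange(a_priv: int, b_priv: int) -> tuple[str, str]:
    """No attacker: both sides derive the same key, so the pictures match."""
    k_alice = dh_shared(a_priv, dh_public(b_priv))
    k_bob = dh_shared(b_priv, dh_public(a_priv))
    return key_fingerprint(k_alice), key_fingerprint(k_bob)


def mitm_exchange(a_priv: int, b_priv: int, e_priv: int) -> dict[str, str]:
    """Eve replaces each public value in transit with her own (Key A / Key B diagram)."""
    a_pub, b_pub, e_pub = dh_public(a_priv), dh_public(b_priv), dh_public(e_priv)
    return {
        "alice": key_fingerprint(dh_shared(a_priv, e_pub)),  # Alice believes e_pub is Bob's
        "bob": key_fingerprint(dh_shared(b_priv, e_pub)),    # Bob believes e_pub is Alice's
        "eve_with_alice": key_fingerprint(dh_shared(e_priv, a_pub)),
        "eve_with_bob": key_fingerprint(dh_shared(e_priv, b_pub)),
    }


def random_private() -> int:
    """Random exponent in [2, P-2]."""
    return secrets.randbelow(P - 3) + 2


if __name__ == "__main__":
    a, b, e = random_private(), random_private(), random_private()
    fa, fb = honest_exchange(a, b)
    print("honest exchange, pictures match:", fa == fb)
    for row in pixel_block(fa):
        print(row)
    print(fa)
    m = mitm_exchange(a, b, e)
    print("under MITM, Alice's and Bob's pictures match:", m["alice"] == m["bob"])
    print("Eve holds Alice's key:", m["eve_with_alice"] == m["alice"])
    print("Eve holds Bob's key:  ", m["eve_with_bob"] == m["bob"])
```

The two pictures under MITM are different because Alice's key is g^(ae) while Bob's is g^(be); Eve holds both, which is what lets her relay traffic, but she cannot make the two fingerprints agree. Only an out-of-band comparison of the pictures (or of the characters under them) exposes this; the exchange itself does not.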
