Confirmed in 2026: Telegram MTProto's auth_key_id is exposed in plaintext. Combined with Iran's Shahkar+SIAM+DPI system, it enables long-term device tracking. This paper provides VLESS+Reality, MTProto proxy, and mandatory key reset solutions.
In Iran, the moment you open a Telegram chat, your device has already handed its identity card to the surveillance system.
This is not alarmism; it stems from a design property of Telegram's underlying MTProto encryption protocol, the "auth_key_id" (authorization key identifier). In May 2026, a technical assessment report published by the independent cybersecurity firm Symbolic Software confirmed that Telegram clients send MTProto over TCP without any transport-layer encryption such as TLS. The MTProto payload itself is encrypted, but the envelope header that carries auth_key_id is not, so the identifier appears in network traffic in the clear, and any entity with passive access to the path can extract it.
This article analyzes the specific risks of auth_key_id exposure in the context of Iran's surveillance architecture, evaluates the effectiveness of the common VPN and proxy protocols, and finally provides a practical defense plan for users.
The core advantage of Iran's surveillance system lies in its integration of network layer, mobile network layer, and identity authentication layer. Even if you successfully connect to a proxy server, the surveillance system can still identify you and your device through multiple means, and Telegram's auth_key_id exposure provides these systems with an additional, precise identifier.
Iran has built the National Information Network (NIN), which separates domestic internet from the international internet. Authorities have shifted from a "blacklist" blocking model to a "whitelist" model, using SHAHKAR and HAMTA databases to track users' identity documents and devices, easily cutting off public access to the international internet while reserving privileged access for specific groups.
On top of this architecture, Iran's Communications Regulatory Authority, in cooperation with the largest domestic operator, has established the Legal Intercept System (LIS), which mainly includes four subsystems: Legal Interception (LI), Illegal Device Control (CID), SHAHKAR system, and SHAMSA system. Among them:
Once your device generates traffic, the surveillance system collects information from multiple layers: DPI devices analyze network traffic in real time, identify protocols and extract metadata; the SIAM system obtains phone numbers and IMSIs from the mobile network layer; the SHAHKAR database binds SIM cards to real identities. When these systems are joined to auth_key_id, a complete identity anchoring chain is formed. The most dangerous part of Iran's system is not any individual technical capability but this cross-layer integration: Shahkar links SIM cards to national IDs, SIAM can manipulate devices, HAMTA registers device models, and auth_key_id becomes the final key that unlocks the door.
auth_key_id is a 64-bit identifier in the MTProto protocol. When a Telegram client on a device first connects to a data center, before any login, it negotiates a 2048-bit authorization key (auth_key) with the server through a Diffie-Hellman exchange; auth_key_id is the lower 64 bits of the SHA-1 hash of that key. It sits at the very front of the MTProto outer header of every encrypted message, telling the server which key to use to decrypt what follows. The only messages without it are the handful exchanged during key negotiation, which carry auth_key_id = 0.
Symbolic Software's technical assessment confirms that auth_key_id remains unchanged across sessions, IP changes, network switches and geographic moves, which makes it a powerful tool for a passive network observer to track a single device long-term. Any network intermediary, whether an ISP, a network administrator or a government surveillance system, can collect auth_key_id values through passive monitoring alone, without a man-in-the-middle position, certificate attacks or protocol manipulation. Simple packet capture and de-obfuscation suffice: on a direct connection, the transport obfuscation Telegram clients apply derives its stream-cipher key and IV from the random 64-byte prefix the client itself sends at the start of the connection, so anyone who captured the stream from its first bytes can strip the obfuscation and read the header.
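The two points above, the derivation of auth_key_id and its extraction by a passive observer who then links captures from different networks, are easy to show in code. The following is an added example written for this article, not code from Telegram or from the Symbolic Software report. It models the MTProto intermediate transport framing (4-byte length prefix, then `auth_key_id | msg_key | encrypted_data`) after de-obfuscation; the auth_key, msg_key, ciphertext bytes and capture metadata are all constructed for the demonstration, and the "ciphertext" is a stand-in rather than real AES-IGE output.

```python
import hashlib
import struct
from collections import defaultdict

# MTProto constants. The intermediate transport announces itself with a
# 4-byte tag and prefixes every payload with a 4-byte little-endian length.
AUTH_KEY_BYTES = 256                   # 2048-bit auth_key from the DH exchange
OUTER_HEADER_LEN = 24                  # auth_key_id (8) + msg_key (16), never encrypted
INTERMEDIATE_TAG = b"\xee\xee\xee\xee"


def auth_key_id(auth_key: bytes) -> bytes:
    """The 64 lower-order bits of SHA-1(auth_key): the last 8 bytes of the
    digest, sent verbatim at the front of every encrypted message."""
    if len(auth_key) != AUTH_KEY_BYTES:
        raise ValueError("auth_key must be 2048 bits")
    return hashlib.sha1(auth_key).digest()[-8:]


def encrypted_frame(auth_key: bytes, msg_key: bytes, encrypted_data: bytes) -> bytes:
    """One MTProto encrypted message in intermediate framing. encrypted_data
    stands in for the AES-IGE ciphertext; only the outer header matters here."""
    if len(msg_key) != 16:
        raise ValueError("msg_key is 128 bits")
    body = auth_key_id(auth_key) + msg_key + encrypted_data
    return struct.pack("<I", len(body)) + body


def plaintext_frame(message_id: int, payload: bytes) -> bytes:
    """Unencrypted message, used only while the auth_key is being negotiated:
    auth_key_id = 0, then message_id, message_data_length and the data."""
    body = bytes(8) + struct.pack("<q", message_id) + struct.pack("<I", len(payload)) + payload
    return struct.pack("<I", len(body)) + body


def extract_auth_key_ids(stream: bytes) -> list:
    """Passive observer over a client->server stream after de-obfuscation:
    returns the hex auth_key_id of every encrypted frame. No key material is
    needed because the header sits outside the encrypted part."""
    if stream.startswith(INTERMEDIATE_TAG):
        stream = stream[4:]
    ids, off = [], 0
    while off + 4 <= len(stream):
        (length,) = struct.unpack_from("<I", stream, off)
        off += 4
        frame = stream[off:off + length]
        off += length
        if len(frame) < OUTER_HEADER_LEN:
            continue                    # too short to be an encrypted message
        key_id = frame[:8]
        if key_id != bytes(8):          # zero id = unencrypted negotiation traffic
            ids.append(key_id.hex())
    return ids


def correlate(captures) -> dict:
    """captures: iterable of (source_ip, network_label, stream). Returns
    {auth_key_id_hex: sorted [(ip, network), ...]}; one id seen from several
    vantage points is one device, whatever IP or network it used."""
    seen = defaultdict(set)
    for ip, network, stream in captures:
        for key_id in extract_auth_key_ids(stream):
            seen[key_id].add((ip, network))
    return {k: sorted(v) for k, v in seen.items()}


# Constructed demo data (not a real key or real traffic): one device captured
# twice, from different networks and IPs, plus a negotiation frame to ignore.
DEMO_AUTH_KEY = hashlib.sha256(b"constructed auth_key for the example").digest() * 8
DEMO_MSG_KEY = bytes(range(16))
DEMO_CAPTURES = [
    ("5.0.0.10", "home mobile data",
     INTERMEDIATE_TAG + plaintext_frame(1, b"req_pq_multi")
     + encrypted_frame(DEMO_AUTH_KEY, DEMO_MSG_KEY, b"\x00" * 64)),
    ("91.0.0.20", "hotel WiFi",
     INTERMEDIATE_TAG + encrypted_frame(DEMO_AUTH_KEY, DEMO_MSG_KEY, b"\x11" * 48)),
]

if __name__ == "__main__":
    for key_id, places in correlate(DEMO_CAPTURES).items():
        print(key_id, "seen from", places)
```

Running it prints one auth_key_id followed by both vantage points: the IP and network changed, the identifier did not. That single line is the whole tracking problem; a real observer would additionally need to undo the transport obfuscation, which on a direct connection needs nothing beyond the first 64 bytes of the captured stream.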
Facing Iran's multi-layered surveillance system, auth_key_id can be exposed at several points. Whether you connect directly or through a VPN, it may leak at the following nodes:
| Surveillance Layer | Technical Mechanism | Exposure Risk |
|---|---|---|
| Network Layer (DPI) | ISP analyzes packets via DPI devices | On a direct connection the header is fully exposed after trivial de-obfuscation. Inside an encrypted VPN or proxy tunnel the ISP's DPI cannot read it, but it reappears unchanged at the tunnel exit, visible to the VPN or proxy operator and to every network between the exit and Telegram's data centers. |
| Mobile Network Layer (SIAM) | SIAM can force downgrade to insecure 2G, collect metadata | Records auth_key_id and links it with IMSI/phone number, locking identity precisely to a personal device. |
| Identity Layer (Shahkar) | SIM card bound to national ID, can target specific numbers | If a certain connection (e.g., hotel WiFi login) associates auth_key_id with your real identity, the surveillance system can use Shahkar to trace all your past auth_key_id connection records. |
| Physical Layer (IMSI catcher) | Deploys fake base stations at protest sites | Captures phone IMSI, device model, and auth_key_id simultaneously, forming a complete device identity profile. |
| Passive Retrospection | Operators keep long-term logs | Once an identity anchor links to auth_key_id, the surveillance system can search historical logs to reconstruct communication patterns and behavior traces over months or even years. |
The danger of auth_key_id exposure lies in its persistence and linkability. It is not a session-level temporary marker but a fixed identifier tied to the device's long-term authorization key. If a single connection (for example, registering on hotel WiFi) associates your auth_key_id with your real identity, the surveillance system can use that "anchor" to search all historical traffic logs: every direct connection this device made over the past months, from any network and any IP, carries the same identifier and joins the same profile. A VPN or proxy keeps the identifier out of the local ISP's logs only for the periods in which it was actually in use, and the identifier is the same at the far end of the tunnel.
Conclusion: Relying on these protocols to self-build VPN servers from scratch is no longer a sustainable solution.
Shadowsocks was originally created by Chinese developers to bypass the "Great Firewall"; its traffic has no recognizable handshake or header, so DPI systems cannot clearly classify it as proxy/VPN, which gives it a relative advantage in Iran's censorship environment. But Shadowsocks is not a panacea. It does not imitate a TLS handshake, and after long-term use its traffic patterns may be classified and recognized by machine-learning systems.
The VLESS protocol is designed to evade DPI detection: its routing information rides inside standard TLS, so at packet level the traffic is indistinguishable from an ordinary HTTPS connection. The REALITY transport adds a defence against active probing. The server holds an x25519 key pair; a client that knows the public key authenticates itself inside the TLS ClientHello, while any other connection is forwarded to a real website (the configured dest) whose genuine certificate and handshake are relayed back. Iran's active probing systems therefore receive exactly the response the real site would give, and the server never reveals its proxy function. Operators running correctly configured VLESS servers inside Iran report detection rates below 5%. A server that would be blocked within days with WireGuard can run for months under a correct VLESS+Reality configuration.
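To make the REALITY mechanism concrete, the following added example (written for this article, not code from the Xray project) generates a matching Xray-core server and client configuration for VLESS + REALITY and lints the mistakes that most often break the disguise: an SNI the server does not accept, a dest that does not match the advertised server name, a malformed shortId, mismatched UUIDs, keys that do not look like `xray x25519` output, and a non-443 port. The UUID, key strings, server address and shortId in the demo are constructed placeholders; in practice they come from `xray uuid` and `xray x25519`. One requirement the script cannot check offline is that the dest site must support TLS 1.3 and HTTP/2, as the REALITY documentation requires.

```python
import json
import re

# Hypothetical helper, not part of Xray: build a server/client pair for
# VLESS + REALITY over TCP and check the pair for common misconfigurations.

_UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
_KEY_RE = re.compile(r"^[A-Za-z0-9_-]{43}$")   # 32-byte x25519 key, base64url, no padding


def reality_server_config(uuid, private_key, dest_host, short_id="", port=443):
    """Xray inbound: unauthenticated TLS clients are forwarded to dest, which
    must be a real site; serverNames lists the SNIs real clients may use."""
    return {
        "inbounds": [{
            "listen": "0.0.0.0", "port": port, "protocol": "vless",
            "settings": {"clients": [{"id": uuid, "flow": "xtls-rprx-vision"}],
                         "decryption": "none"},
            "streamSettings": {
                "network": "tcp", "security": "reality",
                "realitySettings": {
                    "show": False,
                    "dest": f"{dest_host}:443",      # where probes are relayed
                    "xver": 0,
                    "serverNames": [dest_host],      # must match the client's SNI
                    "privateKey": private_key,       # from `xray x25519`
                    "shortIds": [short_id],
                },
            },
        }],
        "outbounds": [{"protocol": "freedom"}],
    }


def reality_client_config(uuid, public_key, server_addr, sni, short_id="", port=443):
    """Xray outbound: the public key and shortId prove the client is ours;
    the TLS fingerprint imitates a browser so the handshake looks ordinary."""
    return {
        "outbounds": [{
            "protocol": "vless",
            "settings": {"vnext": [{"address": server_addr, "port": port,
                                    "users": [{"id": uuid, "encryption": "none",
                                               "flow": "xtls-rprx-vision"}]}]},
            "streamSettings": {
                "network": "tcp", "security": "reality",
                "realitySettings": {"serverName": sni, "fingerprint": "chrome",
                                    "publicKey": public_key, "shortId": short_id,
                                    "spiderX": "/"},
            },
        }],
    }


def lint_pair(server, client):
    """Return the list of problems that would make the pair fail or stand out."""
    problems = []
    inb = server["inbounds"][0]
    rs = inb["streamSettings"]["realitySettings"]
    out = client["outbounds"][0]
    crs = out["streamSettings"]["realitySettings"]
    server_uuid = inb["settings"]["clients"][0]["id"]
    if inb["streamSettings"].get("security") != "reality":
        problems.append("server inbound is not using REALITY")
    if crs["serverName"] not in rs["serverNames"]:
        problems.append("client SNI is not in the server's serverNames")
    if rs["dest"].rsplit(":", 1)[0] not in rs["serverNames"]:
        problems.append("dest host not in serverNames: relayed handshake would return a certificate for a different name")
    if crs["shortId"] not in rs["shortIds"]:
        problems.append("client shortId is not accepted by the server")
    for sid in rs["shortIds"]:
        if len(sid) > 16 or len(sid) % 2 or not re.fullmatch(r"[0-9a-f]*", sid):
            problems.append(f"shortId {sid!r} must be 0-16 lowercase hex chars of even length")
    if not _UUID_RE.match(server_uuid):
        problems.append("server client id is not a UUID")
    if out["settings"]["vnext"][0]["users"][0]["id"] != server_uuid:
        problems.append("client UUID does not match the server")
    for label, key in (("privateKey", rs["privateKey"]), ("publicKey", crs["publicKey"])):
        if not _KEY_RE.match(key):
            problems.append(f"{label} does not look like `xray x25519` output")
    if inb["port"] != 443:
        problems.append("non-443 port: TLS to an unusual port is itself a signal to DPI")
    return problems


if __name__ == "__main__":
    # Constructed placeholders; replace with real `xray uuid` / `xray x25519` output.
    uuid, priv, pub = "11111111-2222-3333-4444-555555555555", "a" * 43, "b" * 43
    srv = reality_server_config(uuid, priv, "www.microsoft.com", "6ba85179e30d4fc2")
    cli = reality_client_config(uuid, pub, "203.0.113.5", "www.microsoft.com", "6ba85179e30d4fc2")
    print(json.dumps(srv, indent=2))
    print("problems:", lint_pair(srv, cli) or "none")
```

The dest/serverNames check is the one that matters for survival: if the SNI that real clients send is not a name the relayed site actually serves, an active prober gets a handshake that does not match the advertised host, which is exactly the kind of inconsistency a censor looks for.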
MTProto proxy is designed specifically for Telegram and works only for Telegram; it cannot proxy browser or other app traffic. In the 2026 censorship environment, only third-generation MTProto proxies whose secret starts with "ee" (enabling Fake TLS) remain effective. Such a secret encodes the disguise: the "ee" prefix, then the 16-byte proxy secret in hex, then the hex-encoded domain whose TLS traffic the proxy imitates.
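The secret format above is easy to get wrong when copying proxies by hand, so here is an added example (written for this article, not code from Telegram's MTProxy) that decodes the three secret layouts in use, builds an "ee" secret from a key and disguise domain, and emits the share link. The 16-byte key and the domain are constructed placeholders.

```python
from urllib.parse import urlencode

# Hypothetical helper: MTProxy secret formats.
#   32 hex chars                    legacy (plain obfuscation)
#   "dd" + 32 hex chars             padded / "secure" mode
#   "ee" + 32 hex chars + hex(domain)  fake TLS, imitating the given domain
MODE_NAMES = {"legacy": "plain obfuscation", "dd": "padded", "ee": "fake TLS"}


def parse_mtproxy_secret(secret_hex: str) -> dict:
    """Return {"mode", "key", "domain"} for a secret string, or raise ValueError."""
    s = secret_hex.strip().lower()
    if len(s) == 32:
        return {"mode": "legacy", "key": bytes.fromhex(s), "domain": None}
    prefix, rest = s[:2], s[2:]
    if prefix == "dd" and len(rest) == 32:
        return {"mode": "dd", "key": bytes.fromhex(rest), "domain": None}
    if prefix == "ee" and len(rest) > 32 and len(rest) % 2 == 0:
        domain = bytes.fromhex(rest[32:]).decode("ascii")
        return {"mode": "ee", "key": bytes.fromhex(rest[:32]), "domain": domain}
    raise ValueError("unrecognised MTProxy secret format")


def make_fake_tls_secret(key: bytes, domain: str) -> str:
    """Build an "ee" secret for a 16-byte key and a disguise domain."""
    if len(key) != 16:
        raise ValueError("MTProxy secret key is 16 bytes")
    return "ee" + key.hex() + domain.encode("ascii").hex()


def proxy_link(host: str, port: int, secret: str) -> str:
    """Share link in the form Telegram clients accept."""
    return "https://t.me/proxy?" + urlencode({"server": host, "port": port, "secret": secret})


if __name__ == "__main__":
    # Constructed demo values, not a real proxy.
    demo_key = bytes(range(16))
    secret = make_fake_tls_secret(demo_key, "www.example.com")
    info = parse_mtproxy_secret(secret)
    print(MODE_NAMES[info["mode"]], info["domain"])
    print(proxy_link("203.0.113.7", 443, secret))
```

Note what the link contains: the full secret. Whoever has the link can derive the proxy's obfuscation key, which is why a widely shared public proxy offers no confidentiality against a censor who collects such links.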
However, even a Fake TLS MTProto proxy does not remove auth_key_id from the stream. The identifier is part of the MTProto envelope, so it is present in the traffic before it ever reaches the proxy; what the proxy layer adds is obfuscation of that stream with a key derived from the proxy secret. A passive observer who does not hold the secret cannot read it, but the secrets of public proxies are distributed in every share link and must be assumed known to the censor, and the proxy operator always sees auth_key_id in the clear when relaying to Telegram. Telegram clients still use TCP without TLS underneath, so the exposure is a property of the protocol, not of any particular proxy. On April 1, 2026, multiple Russian ISPs began selectively identifying Telegram MTProto/FakeTLS handshakes via TLS fingerprint analysis, causing widespread failure of many MTProto proxies, while VLESS Reality services on the same servers continued working normally.
Facing Iran's comprehensive surveillance, no single tool is sufficient to guarantee absolute security. You need a multi-layer defense strategy.
| Layer | Strategy | Implementation Points |
|---|---|---|
| Layer 1: Anti-censorship Proxy | Use VLESS + Reality protocol | Deploy with Xray-core or Sing-box, choose a proper disguise (dest) domain that serves TLS 1.3 and HTTP/2 (e.g., api.github.com, update.microsoft.com), enable REALITY, preferably with P2P decentralized routing. |
| Layer 2: Telegram-specific Channel | Third-gen MTProto proxy (Fake TLS) | Use ee-prefix secret, port 443, with reputable disguise domain; as Telegram inbound channel. Note: MTProto proxy works only for Telegram and cannot solve auth_key_id exposure. |
| Layer 3: Periodic auth_key_id Reset | Regularly reset the authorization key to break long-term tracking (mandatory core) | Most thorough: go to Telegram Settings → Devices and terminate all suspicious sessions, then log out of this device with the official logout and log in again so the client negotiates a brand-new auth_key, and therefore a new auth_key_id (terminating other sessions alone does not change this device's key). PFS cannot prevent identifier exposure but can limit the traceability window. Reset every 1-3 months to greatly reduce long-term tracking risk. |
| Layer 4: Identity Isolation | Strictly separate real identity from sensitive communication | Do not use the same Telegram account for sensitive activities on authenticated networks (hotel WiFi, corporate network). For sensitive communication, use Tor or a trusted overseas VPS tunnel. Avoid registering sensitive accounts with SIM-linked phone numbers. |
| Layer 5: Multi-layer VPN/Proxy Chain | Combine anti-censorship protocols | Send Telegram traffic to an MTProto proxy (ee Fake TLS) and carry that connection inside a VLESS+Reality tunnel, so that on the Iranian side of the tunnel auth_key_id is covered by the tunnel's TLS as well as the proxy's obfuscation; it remains visible to the MTProto proxy operator at the far end. |
| Layer 6: Decentralized P2P Network | Avoid single point dependency | Using a decentralized P2P network prevents complete service outage if a single IP gets blocked. |
Since auth_key_id's persistence is the biggest risk, periodic resetting is the most effective way to break long-term tracking.
Recommended to deploy VLESS + Reality protocol on a VPS. Using Xray as an example, brief steps:
```bash
bash -c "$(curl -L https://github.com/XTLS/Xray-install/raw/main/install-release.sh)" @ install
xray x25519
```

Under Iran's current surveillance architecture, auth_key_id exposure constitutes a significant and persistent privacy risk. Key conclusions:
- VLESS+Reality is currently the most robust anti-censorship protocol inside Iran; combined with periodic auth_key_id resets, it greatly reduces identity association risk.
- TGV paying users get third-generation ee-prefix MTProto proxies and professional VLESS tunnel configuration guidance.
- Always obtain proxy keys and configurations through official channels; avoid free nodes of unknown origin.
- High-risk users are advised to perform "Logout → Login again" monthly to completely change the authorization key.