On the cryptographic security of the “BotikKey” authentication protocol against attacks on MD5 hash function

In this paper vulnerabilities of the BotikKey network protocol are described. It is being used in the “Botik” telecommunication system of Pereslavl-Zalesskiy for secure subscribers' authentication. Protocol was developed as part of Botik-technologies initiative, according to which all software and hardware is based on open source, or on the inhouse developments. We outline the purpose and implementation details of the protocol and its pros and cons. It is pointed out that majority of the protocol's vulnerabilities arise from the weaknesses of MD5 cryptographic hash function being used. With a number of assumptions, the BotikKey protocol can be compromised by committing an APOP-attack on a subscriber. It is noted that “Botik” network service provider should use contemporary cryptographic methods for subscribers' authentication or avoid using the BotikKey system at all. (In Russian).