General | |
---|---|
Designers | Ronald Rivest |
First published | October 1990[1] |
Series | MD2, MD4, MD5, MD6 |
Cipher detail | |
Digest sizes | 128 bits |
Block sizes | 512 bits |
Rounds | 3 |
Best public cryptanalysis | |
A collision attack published in 2007 can find collisions for full MD4 in less than two hash operations.[2] |
The MD4 Message-Digest Algorithm is a cryptographic hash function developed by Ronald Rivest in 1990.[3] The digest length is 128 bits. The algorithm has influenced later designs, such as the MD5, SHA-1 and RIPEMD algorithms. The initialism "MD" stands for "Message Digest".
The security of MD4 has been severely compromised. The first full collision attack against MD4 was published in 1995, and several newer attacks have been published since then. As of 2007, an attack can generate collisions in less than two MD4 hash operations.[2] A theoretical preimage attack also exists.
A variant of MD4 is used in the ed2k URI scheme to provide a unique identifier for a file in the popular eDonkey2000 / eMule P2P networks. MD4 was also used by the rsync protocol (prior to version 3.0.0).
MD4 is used to compute NTLM password-derived key digests on Microsoft Windows NT, XP, Vista, 7, 8, 10 and 11.[4]
Weaknesses in MD4 were demonstrated by Den Boer and Bosselaers in a paper published in 1991.[5] The first full-round MD4 collision attack was found by Hans Dobbertin in 1995, which took only seconds to carry out at that time.[6] In August 2004, Wang et al. found a very efficient collision attack, alongside attacks on later hash function designs in the MD4/MD5/SHA-1/RIPEMD family. This result was improved later by Sasaki et al., and generating a collision is now as cheap as verifying it (a few microseconds).[2]
In 2008, the preimage resistance of MD4 was also broken by Gaëtan Leurent, with a 2^102 attack.[7] In 2010, Guo et al. published a 2^99.7 attack.[8]
In 2011, RFC 6150 stated that RFC 1320 (MD4) is historic (obsolete).
The 128-bit (16-byte) MD4 hashes (also termed message digests) are typically represented as 32-digit hexadecimal numbers. The following demonstrates a 43-byte ASCII input and the corresponding MD4 hash:
MD4("The quick brown fox jumps over the lazy dog") = 1bee69a46ba811185c194762abaeae90
Even a small change in the message will (with overwhelming probability) result in a completely different hash, e.g. changing d to c:
MD4("The quick brown fox jumps over the lazy cog") = b86e130ce7028da59e672d56ad0113df
The hash of the zero-length string is:
MD4("") = 31d6cfe0d16ae931b73c59d7e0c089c0
The following test vectors are defined in RFC 1320 (The MD4 Message-Digest Algorithm):
MD4 ("") = 31d6cfe0d16ae931b73c59d7e0c089c0
MD4 ("a") = bde52cb31de33e46245e05fbdbd6fb24
MD4 ("abc") = a448017aaf21d8525fc10ae87aa6729d
MD4 ("message digest") = d9130a8164549fe818874806e1c7014b
MD4 ("abcdefghijklmnopqrstuvwxyz") = d79e1c308aa5bbcdeea8ed63df412da9
MD4 ("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789") = 043f8582f241db351ce627e153e7f0e4
MD4 ("12345678901234567890123456789012345678901234567890123456789012345678901234567890") = e33b4ddc9c38f2199c3e7b164fcc0536
Let:
k1 = 839c7a4d7a92cb5678a5d5b9eea5a7573c8a74deb366c3dc20a083b69f5d2a3bb3719dc69891e9f95e809fd7e8b23ba6318edd45e51fe39708bf9427e9c3e8b9
k2 = 839c7a4d7a92cbd678a5d529eea5a7573c8a74deb366c3dc20a083b69f5d2a3bb3719dc69891e9f95e809fd7e8b23ba6318edc45e51fe39708bf9427e9c3e8b9
MD4(k1) = MD4(k2) = 4d7e6a1defa93d2dde05b45d864c429b
Note that two hex digits of k1 and k2 define one byte of the input string, whose length is 64 bytes.