MD5

From CryptoDox, The Online Encyclopedia on Cryptography and Information Security

The MD5 message-digest algorithm is a hash function that takes as input an arbitrary length message and produces a 128-bit fingerprint or "message digest".

MD5 was designed by Ronald Rivest in 1991.

It is conjectured that it is computationally infeasible to produce two messages having the same message digest, or to produce any message having a given prespecified target message digest. The MD5 algorithm is intended for digital signature applications, where a large file must be "compressed" in a secure manner before being encrypted with a private (secret) key under a public-key cryptosystem such as RSA.

Contents 1 Design 2 Pseudocode 3 Examples 4 Reference Implementations 4.1 C/C++ 4.2 Java 4.3 Perl 4.4 JavaScript 4.5 Cryptographic Libraries 5 Attacks against MD5 6 See Also 7 Books of Interest 8 References 9 External Links

Design

The MD5 algorithm is an extension of the MD4 message-digest algorithm. MD5 is slightly slower than MD4, but is more "conservative" in design. MD5 was designed because it was felt that MD4 was perhaps being adopted for use more quickly than justified by the existing critical review; because MD4 was designed to be exceptionally fast, it is "at the edge" in terms of risking successful cryptanalytic attack. MD5 backs off a bit, giving up a little in speed for a much greater likelihood of ultimate security. It incorporates some suggestions made by various reviewers, and contains additional optimizations. The MD5 algorithm is being placed in the public domain for review and possible adoption as a standard.

MD5 uses a buffer that is made up of four words that are each 32 bits long. These words are called A, B, C and D. They are initialized as

word A: 01 23 45 67
word B: 89 ab cd ef
word C: fe dc ba 98
word D: 76 54 32 10

MD5 uses a table K that has 64 elements. Element number i is indicated as Ki. The table is computed beforehand to speed up the computations. The elements are computed using the mathematical sine function:

Ki = abs(sin(i + 1)) * 232

MD5 uses four auxiliary functions that each take as input three 32-bit words and produce as output one 32-bit word. They apply the logical operators and, or, not and xor to the input bits.

F(X,Y,Z) = (X and Y) or (not(X) and Z)
G(X,Y,Z) = (X and Z) or (Y and not(Z))
H(X,Y,Z) = X xor Y xor Z
I(X,Y,Z) = Y xor (X or not(Z))

The contents of the four buffers (A, B, C and D) are now mixed with the words of the input, using the four auxiliary functions (F, G, H and I). There are four rounds, each involves 16 basic operations.

The figure shows how the auxiliary function F is applied to the four buffers (A, B, C and D), using message word Mi and constant Ki. The item "<<<s" denotes a binary left shift by s bits.

After all rounds have been performed, the buffers A, B, C and D contain the MD5 digest of the original input.

Pseudocode

The following pseudocode is derived from the MD5 RFC 1321.

//Initialize MD Buffer
word A: 01 23 45 67
word B: 89 ab cd ef
word C: fe dc ba 98
word D: 76 54 32 10
 
//Process Message in 16-Word Blocks
F(X,Y,Z) = XY v not(X) Z
G(X,Y,Z) = XZ v Y not(Z)
H(X,Y,Z) = X xor Y xor Z
I(X,Y,Z) = Y xor (X v not(Z))
 
/* Process each 16-word block. */
For i = 0 to N/16-1 do
     
     /* Copy block i into X. */
     For j = 0 to 15 do
       Set X[j] to M[i*16+j].
     end /* of loop on j */
 
     /* Save A as AA, B as BB, C as CC, and D as DD. */
     AA = A
     BB = B
 
     CC = C
     DD = D
 
     /* Round 1. */
     /* Let [abcd k s i] denote the operation
          a = b + ((a + F(b,c,d) + X[k] + T[i]) <<< s). */
     /* Do the following 16 operations. */
     [ABCD  0  7  1]  [DABC  1 12  2]  [CDAB  2 17  3]  [BCDA  3 22  4]
     [ABCD  4  7  5]  [DABC  5 12  6]  [CDAB  6 17  7]  [BCDA  7 22  8]
     [ABCD  8  7  9]  [DABC  9 12 10]  [CDAB 10 17 11]  [BCDA 11 22 12]
     [ABCD 12  7 13]  [DABC 13 12 14]  [CDAB 14 17 15]  [BCDA 15 22 16]
 
     /* Round 2. */
     /* Let [abcd k s i] denote the operation
          a = b + ((a + G(b,c,d) + X[k] + T[i]) <<< s). */
     /* Do the following 16 operations. */
     [ABCD  1  5 17]  [DABC  6  9 18]  [CDAB 11 14 19]  [BCDA  0 20 20]
     [ABCD  5  5 21]  [DABC 10  9 22]  [CDAB 15 14 23]  [BCDA  4 20 24]
     [ABCD  9  5 25]  [DABC 14  9 26]  [CDAB  3 14 27]  [BCDA  8 20 28]
     [ABCD 13  5 29]  [DABC  2  9 30]  [CDAB  7 14 31]  [BCDA 12 20 32]
 
     /* Round 3. */
     /* Let [abcd k s t] denote the operation
          a = b + ((a + H(b,c,d) + X[k] + T[i]) <<< s). */
     /* Do the following 16 operations. */
     [ABCD  5  4 33]  [DABC  8 11 34]  [CDAB 11 16 35]  [BCDA 14 23 36]
     [ABCD  1  4 37]  [DABC  4 11 38]  [CDAB  7 16 39]  [BCDA 10 23 40]
     [ABCD 13  4 41]  [DABC  0 11 42]  [CDAB  3 16 43]  [BCDA  6 23 44]
     [ABCD  9  4 45]  [DABC 12 11 46]  [CDAB 15 16 47]  [BCDA  2 23 48]
 
     /* Round 4. */
     /* Let [abcd k s t] denote the operation
          a = b + ((a + I(b,c,d) + X[k] + T[i]) <<< s). */
     /* Do the following 16 operations. */
     [ABCD  0  6 49]  [DABC  7 10 50]  [CDAB 14 15 51]  [BCDA  5 21 52]
     [ABCD 12  6 53]  [DABC  3 10 54]  [CDAB 10 15 55]  [BCDA  1 21 56]
     [ABCD  8  6 57]  [DABC 15 10 58]  [CDAB  6 15 59]  [BCDA 13 21 60]
     [ABCD  4  6 61]  [DABC 11 10 62]  [CDAB  2 15 63]  [BCDA  9 21 64]
 
     /* Then perform the following additions. (That is increment each
        of the four registers by the value it had before this block
        was started.) */
     A = A + AA
     B = B + BB
     C = C + CC
     D = D + DD
end /* of loop on i */
 
// Output
// The message digest produced as output is A, B, C, D. That is, we
// begin with the low-order byte of A, and end with the high-order byte
// of D. 

Examples

Unix comes with a command-line utility md5sum. Given below are some examples of the fingerprints generated by MD5.

 echo "Hello World!" | md5sum
 8ddd8be4b179a529afa5f2ffae4b9858 

 echo "hello world!" | md5sum
 c897d1410af8f2c74fba11b1db511e9e

As you can see, just changing H & W from upper to lower case has resulted in a completely different fingerprint.

Reference Implementations

C/C++

• MD5 RFC - Reference C implemenation
• Microsoft VC++ Implementation
• MD5 optimized for AMD64
• C Source Code for MD5
• C Source Code for MD5 - Another Implementation

Java

• Fast MD5 Implementation in Java

Perl

• MD5 in 8 lines of Perl 5

JavaScript

• Paj's Home - JavaScript implementation

Cryptographic Libraries

• Cryptix
• OpenSSL - The Open Source toolkit for SSL/TLS
• Crypto++ C++ Library

Attacks against MD5

• Hans Dobbertin: Cryptanalysis of MD5 Compress (1996)
• The Status of MD5 After a Recent Attack : Hans Dobbertin, CryptoBytes Vol 2 No 2 - 1996 PDF
• Collisions for the compression function of MD5 B. den Boer and A. Bosselaers, Proceedings Eurocrypt'93 PDF
• Parallel Collision Search with Cryptanalytic Applications P.C. van Oorschot and M.J. Wiener, Journal of Cryptology, vol. 12, no. 1, 1999
• Differential Cryptanalysis Mod 2^32 with Applications to MD5 Thomas A. Berson, Proceedings Eurocrypt'92

See Also

• Hash Functions

Books of Interest

References

• The MD5 cryptographic hash function - The CryptoDox MD5 page draws significant material from this site.
• MD5 RFC 1321

External Links

• MD5 at Wikipedia
• MD5 Homepage (unofficial)
• Cryptography: Algorithms: Message Digests (Open Directory)