15/02/2016

MD5Wikipedia,thefreeencyclopedia

MD5
FromWikipedia,thefreeencyclopedia

TheMD5messagedigestalgorithmisawidelyused
cryptographichashfunctionproducinga128bit(16
byte)hashvalue,typicallyexpressedintextformatas
a32digithexadecimalnumber.MD5hasbeen
utilizedinawidevarietyofcryptographic
applications,andisalsocommonlyusedtoverifydata
integrity.
MD5wasdesignedbyRonaldRivestin1991to
replaceanearlierhashfunction,MD4.[3]Thesource
codeinRFC1321containsa"byattribution"RSA
license.

MD5
General
Designers

RonaldRivest

Firstpublished April1992
Series

MD2,MD4,MD5,MD6
Detail

Digestsizes

128bit

Structure

MerkleDamgrdconstruction

Rounds

4 [1]

In1996aflawwasfoundinthedesignofMD5.
Bestpubliccryptanalysis
Whileitwasnotdeemedafatalweaknessatthetime,
A2013attackbyXieTao,FanbaoLiu,and
cryptographersbeganrecommendingtheuseofother
DengguoFengbreaksMD5collisionresistancein
algorithms,suchasSHA1whichhassincebeen
218time.Thisattackrunsinlessthanasecondona
foundtobevulnerableaswell.[4]In2004itwas
regularcomputer. [2]
shownthatMD5isnotcollisionresistant.[5]Assuch,
MD5isnotsuitableforapplicationslikeSSL
certificatesordigitalsignaturesthatrelyonthispropertyfordigitalsecurity.Alsoin2004moreserious
flawswerediscoveredinMD5,makingfurtheruseofthealgorithmforsecuritypurposesquestionable
specifically,agroupofresearchersdescribedhowtocreateapairoffilesthatsharethesameMD5
checksum.[6][7]FurtheradvancesweremadeinbreakingMD5in2005,2006,and2007.[8]InDecember
2008,agroupofresearchersusedthistechniquetofakeSSLcertificatevalidity.[9][10]Asof2010,the
CMUSoftwareEngineeringInstituteconsidersMD5"cryptographicallybrokenandunsuitablefor
furtheruse",[11]andmostU.S.governmentapplicationsnowrequiretheSHA2familyofhash
functions.[12]In2012,theFlamemalwareexploitedtheweaknessesinMD5tofakeaMicrosoftdigital
signature.

Contents
1 Historyandcryptanalysis
2 Security
2.1 Collisionvulnerabilities
2.2 Preimagevulnerability
2.3 Othervulnerabilities
3 Applications
4 Algorithm

https://en.wikipedia.org/wiki/MD5

1/10

15/02/2016

MD5Wikipedia,thefreeencyclopedia

4 Algorithm
4.1 Pseudocode
5 MD5hashes
6 Seealso
7 References
7.1 Furtherreading
8 Externallinks

Historyandcryptanalysis
MD5isoneinaseriesofmessagedigestalgorithmsdesignedbyProfessorRonaldRivestofMIT
(Rivest,1992).WhenanalyticworkindicatedthatMD5'spredecessorMD4waslikelytobeinsecure,
RivestdesignedMD5in1991asasecurereplacement.(HansDobbertindidindeedlaterfind
weaknessesinMD4.)
In1993,DenBoerandBosselaersgaveanearly,althoughlimited,resultoffindinga"pseudocollision"
oftheMD5compressionfunctionthatis,twodifferentinitializationvectorswhichproduceanidentical
digest.
In1996,DobbertinannouncedacollisionofthecompressionfunctionofMD5(Dobbertin,1996).While
thiswasnotanattackonthefullMD5hashfunction,itwascloseenoughforcryptographersto
recommendswitchingtoareplacement,suchasSHA1orRIPEMD160.
Thesizeofthehashvalue(128bits)issmallenoughtocontemplateabirthdayattack.MD5CRKwasa
distributedprojectstartedinMarch2004withtheaimofdemonstratingthatMD5ispracticallyinsecure
byfindingacollisionusingabirthdayattack.
MD5CRKendedshortlyafter17August2004,whencollisionsforthefullMD5wereannouncedby
XiaoyunWang,DengguoFeng,XuejiaLai,andHongboYu.[7][13]Theiranalyticalattackwasreported
totakeonlyonehouronanIBMp690cluster.[14]
On1March2005,ArjenLenstra,XiaoyunWang,andBennedeWegerdemonstratedconstructionof
twoX.509certificateswithdifferentpublickeysandthesameMD5hashvalue,ademonstrably
practicalcollision.[15]Theconstructionincludedprivatekeysforbothpublickeys.Afewdayslater,
VlastimilKlimadescribedanimprovedalgorithm,abletoconstructMD5collisionsinafewhoursona
singlenotebookcomputer.[16]On18March2006,Klimapublishedanalgorithmthatcouldfinda
collisionwithinoneminuteonasinglenotebookcomputer,usingamethodhecallstunneling.[17]
VariousMD5relatedRFCerratahavebeenpublished.[18]In2009,theUnitedStatesCyberCommand
usedanMD5hashvalueoftheirmissionstatementasapartoftheirofficialemblem.[19]
On24December2010,TaoXieandDengguoFengannouncedthefirstpublishedsingleblock(512bit)
MD5collision.[20](Previouscollisiondiscoverieshadreliedonmultiblockattacks.)For"security
reasons",XieandFengdidnotdisclosethenewattackmethod.Theyissuedachallengetothe
https://en.wikipedia.org/wiki/MD5

2/10

15/02/2016

MD5Wikipedia,thefreeencyclopedia

cryptographiccommunity,offeringaUS$10,000rewardtothefirstfinderofadifferent64bytecollision
before1January2013.MarcStevensrespondedtothechallengeandpublishedcollidingsingleblock
messagesaswellastheconstructionalgorithmandsources.[21]
In2011aninformationalRFC6151[22]wasapprovedtoupdatethesecurityconsiderationsinMD5[23]
andHMACMD5.[24]

Security
ThesecurityoftheMD5hashfunctionisseverelycompromised.Acollisionattackexiststhatcanfind
collisionswithinsecondsonacomputerwitha2.6GHzPentium4processor(complexityof224.1).[25]
Further,thereisalsoachosenprefixcollisionattackthatcanproduceacollisionfortwoinputswith
specifiedprefixeswithinhours,usingofftheshelfcomputinghardware(complexity239).[26]Theability
tofindcollisionshasbeengreatlyaidedbytheuseofofftheshelfGPUs.OnanNVIDIAGeForce
8400GSgraphicsprocessor,1618millionhashespersecondcanbecomputed.AnNVIDIAGeForce
8800Ultracancalculatemorethan200millionhashespersecond.[27]
Thesehashandcollisionattackshavebeendemonstratedinthepublicinvarioussituations,including
collidingdocumentfiles[28][29]anddigitalcertificates.[9]Asof2015howeverMD5wasdemonstratedto
bestillquitewidelyused,mostnotablybysecurityresearchandantiviruscompanies.[30]

Collisionvulnerabilities
In1996,collisionswerefoundinthecompressionfunctionofMD5,andHansDobbertinwroteinthe
RSALaboratoriestechnicalnewsletter,"Thepresentedattackdoesnotyetthreatenpracticalapplications
ofMD5,butitcomesratherclose...inthefutureMD5shouldnolongerbeimplemented...wherea
collisionresistanthashfunctionisrequired."[31]
In2005,researcherswereabletocreatepairsofPostScriptdocuments[32]andX.509certificates[33]with
thesamehash.Laterthatyear,MD5'sdesignerRonRivestwrote,"md5andsha1arebothclearlybroken
(intermsofcollisionresistance)."[34]
On30December2008,agroupofresearchersannouncedatthe25thChaosCommunicationCongress
howtheyhadusedMD5collisionstocreateanintermediatecertificateauthoritycertificatewhich
appearedtobelegitimatewhencheckedviaitsMD5hash.[9]TheresearchersusedaclusterofSony
PlayStation3unitsattheEPFLinLausanne,Switzerland[35]tochangeanormalSSLcertificateissued
byRapidSSLintoaworkingCAcertificateforthatissuer,whichcouldthenbeusedtocreateother
certificatesthatwouldappeartobelegitimateandissuedbyRapidSSL.VeriSign,theissuersof
RapidSSLcertificates,saidtheystoppedissuingnewcertificatesusingMD5astheirchecksum
algorithmforRapidSSLoncethevulnerabilitywasannounced.[36]AlthoughVerisigndeclinedtorevoke
existingcertificatessignedusingMD5,theirresponsewasconsideredadequatebytheauthorsofthe
exploit(AlexanderSotirov,MarcStevens,JacobAppelbaum,ArjenLenstra,DavidMolnar,DagArne
Osvik,andBennedeWeger).[9]BruceSchneierwroteoftheattackthat"wealreadyknewthatMD5isa
brokenhashfunction"andthat"nooneshouldbeusingMD5anymore".[37]TheSSLresearcherswrote,
"OurdesiredimpactisthatCertificationAuthoritieswillstopusingMD5inissuingnewcertificates.We
alsohopethatuseofMD5inotherapplicationswillbereconsideredaswell."[9]

https://en.wikipedia.org/wiki/MD5

3/10

15/02/2016

MD5Wikipedia,thefreeencyclopedia

In2012,accordingtoMicrosoft,theauthorsoftheFlamemalwareusedanMD5collisiontoforgea
Windowscodesigningcertificate.[38]
MD5usestheMerkleDamgrdconstruction,soiftwoprefixeswiththesamehashcanbeconstructed,
acommonsuffixcanbeaddedtobothtomakethecollisionmorelikelytobeacceptedasvaliddataby
theapplicationusingit.Furthermore,currentcollisionfindingtechniquesallowtospecifyanarbitrary
prefix:anattackercancreatetwocollidingfilesthatbothbeginwiththesamecontent.Alltheattacker
needstogeneratetwocollidingfilesisatemplatefilewitha128byteblockofdata,alignedona64byte
boundarythatcanbechangedfreelybythecollisionfindingalgorithm.AnexampleMD5collision,with
thetwomessagesdifferingin6bits,is:
d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89
55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b
d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0
e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70

d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89
55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b
d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0
e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70

BothproducetheMD5hash79054025255fb1a26e4bc422aef54eb4.[39]Thedifferencebetweenthetwo
samplesistheleadingbitineachnibblehasbeenflipped.Forexample,the20thbyte(offset0x13)inthe
topsample,0x87,is10000111inbinary.Theleadingbitinthebyte(alsotheleadingbitinthefirst
nibble)isflippedtomake00000111,whichis0x07asshowninthelowersample.
Lateritwasalsofoundtobepossibletoconstructcollisionsbetweentwofileswithseparatelychosen
prefixes.ThistechniquewasusedinthecreationoftherogueCAcertificatein2008.Anewvariantof
parallelizedcollisionsearchingusingMPIwasproposedbyAntonKuznetsovin2014whichallowedto
findacollisionin11hoursonacomputingcluster.[40]

Preimagevulnerability
InApril2009,apreimageattackagainstMD5waspublishedthatbreaksMD5'spreimageresistance.
Thisattackisonlytheoretical,withacomputationalcomplexityof2123.4forfullpreimage.[41][42]

Othervulnerabilities
AnumberofprojectshavepublishedMD5rainbowtablesonline,whichcanbeusedtoreversemany
MD5hashesintostringsthatcollidewiththeoriginalinput,usuallyforthepurposesofpassword
cracking.
TheuseofMD5insomewebsites'URLsmeansthatsearchenginessuchasGooglecanalsosometimes
functionasalimitedtoolforreverselookupofMD5hashes.[43]
Boththesetechniquesarerenderedineffectivebytheuseofasufficientlylongsalt.

Applications

https://en.wikipedia.org/wiki/MD5

4/10

15/02/2016

MD5Wikipedia,thefreeencyclopedia

MD5digestshavebeenwidelyusedinthesoftwareworldtoprovidesomeassurancethatatransferred
filehasarrivedintact.Forexample,fileserversoftenprovideaprecomputedMD5(knownasmd5sum)
checksumforthefiles,sothatausercancomparethechecksumofthedownloadedfiletoit.Mostunix
basedoperatingsystemsincludeMD5sumutilitiesintheirdistributionpackagesWindowsusersmay
installaMicrosoftutility,[44][45]orusethirdpartyapplications.AndroidROMsalsoutilizethistypeof
checksum.

However,nowthatitiseasytogenerateMD5collisions,itispossibleforthepersonwhocreatedthefile
tocreateasecondfilewiththesamechecksum,sothistechniquecannotprotectagainstsomeformsof
malicioustampering.Also,insomecases,thechecksumcannotbetrusted(forexample,ifitwas
obtainedoverthesamechannelasthedownloadedfile),inwhichcaseMD5canonlyprovideerror
checkingfunctionality:itwillrecognizeacorruptorincompletedownload,whichbecomesmorelikely
whendownloadinglargerfiles.
MD5canbeusedtostoreaonewayhashofapassword,oftenwithkeystretching.[46][47]Alongwith
otherhashfunctions,itisalsousedinthefieldofelectronicdiscovery,inordertoprovideaunique
identifierforeachdocumentthatisexchangedduringthelegaldiscoveryprocess.Thismethodcanbe
usedtoreplacetheBatesstampnumberingsystemthathasbeenusedfordecadesduringtheexchangeof
paperdocuments.

Algorithm
MD5processesavariablelengthmessageintoafixedlengthoutputof128bits.Theinputmessageis
brokenupintochunksof512bitblocks(sixteen32bitwords)themessageispaddedsothatitslength
isdivisibleby512.Thepaddingworksasfollows:firstasinglebit,1,isappendedtotheendofthe
message.Thisisfollowedbyasmanyzerosasarerequiredtobringthelengthofthemessageupto64
bitsfewerthanamultipleof512.Theremainingbitsarefilledupwith64bitsrepresentingthelengthof
theoriginalmessage,modulo264.
https://en.wikipedia.org/wiki/MD5

5/10

15/02/2016

MD5Wikipedia,thefreeencyclopedia

ThemainMD5algorithmoperatesona128bit
state,dividedintofour32bitwords,denotedA,B,
C,andD.Theseareinitializedtocertainfixed
constants.Themainalgorithmthenuseseach512
bitmessageblockinturntomodifythestate.The
processingofamessageblockconsistsoffour
similarstages,termedroundseachroundis
composedof16similaroperationsbasedonanon
linearfunctionF,modularaddition,andleft
rotation.Figure1illustratesoneoperationwithina
round.TherearefourpossiblefunctionsFa
differentoneisusedineachround:

denotetheXOR,AND,ORandNOT
operationsrespectively.

Figure1.OneMD5operation.MD5consistsof64
oftheseoperations,groupedinfourroundsof16
operations. Fisanonlinearfunctiononefunction
isusedineachround.Midenotesa32bitblockof

Pseudocode

themessageinput,andKidenotesa32bitconstant,
differentforeachoperation.

TheMD5hashiscalculatedaccordingtothis
algorithm.Allvaluesareinlittleendian.

sdenotesaleftbit

rotationby splaces svariesforeachoperation.

denotesadditionmodulo232.

//Note:Allvariablesareunsigned32bitandwrapmodulo2^32whencalculating
varint[64]s,K
//sspecifiestheperroundshiftamounts
s[0..15]:={7,12,17,22,7,12,17,22,7,12,17,22,7,12,17,22}
s[16..31]:={5,9,14,20,5,9,14,20,5,9,14,20,5,9,14,20}
s[32..47]:={4,11,16,23,4,11,16,23,4,11,16,23,4,11,16,23}
s[48..63]:={6,10,15,21,6,10,15,21,6,10,15,21,6,10,15,21}
//Usebinaryintegerpartofthesinesofintegers(Radians)asconstants:
forifrom0to63
K[i]:=floor(232abs(sin(i+1)))
endfor
//(Orjustusethefollowingprecomputedtable):
K[0..3]:={0xd76aa478,0xe8c7b756,0x242070db,0xc1bdceee}
K[4..7]:={0xf57c0faf,0x4787c62a,0xa8304613,0xfd469501}
K[8..11]:={0x698098d8,0x8b44f7af,0xffff5bb1,0x895cd7be}
K[12..15]:={0x6b901122,0xfd987193,0xa679438e,0x49b40821}
K[16..19]:={0xf61e2562,0xc040b340,0x265e5a51,0xe9b6c7aa}
K[20..23]:={0xd62f105d,0x02441453,0xd8a1e681,0xe7d3fbc8}
K[24..27]:={0x21e1cde6,0xc33707d6,0xf4d50d87,0x455a14ed}
K[28..31]:={0xa9e3e905,0xfcefa3f8,0x676f02d9,0x8d2a4c8a}
K[32..35]:={0xfffa3942,0x8771f681,0x6d9d6122,0xfde5380c}
K[36..39]:={0xa4beea44,0x4bdecfa9,0xf6bb4b60,0xbebfbc70}
K[40..43]:={0x289b7ec6,0xeaa127fa,0xd4ef3085,0x04881d05}
K[44..47]:={0xd9d4d039,0xe6db99e5,0x1fa27cf8,0xc4ac5665}
K[48..51]:={0xf4292244,0x432aff97,0xab9423a7,0xfc93a039}
K[52..55]:={0x655b59c3,0x8f0ccc92,0xffeff47d,0x85845dd1}
K[56..59]:={0x6fa87e4f,0xfe2ce6e0,0xa3014314,0x4e0811a1}
K[60..63]:={0xf7537e82,0xbd3af235,0x2ad7d2bb,0xeb86d391}
//Initializevariables:
varinta0:=0x67452301//A
varintb0:=0xefcdab89//B
https://en.wikipedia.org/wiki/MD5

6/10

15/02/2016

MD5Wikipedia,thefreeencyclopedia

varintc0:=0x98badcfe//C
varintd0:=0x10325476//D
//Preprocessing:addingasingle1bit
append"1"bittomessage
/*Notice:theinputbytesareconsideredasbitsstrings,
wherethefirstbitisthemostsignificantbitofthebyte.

//Preprocessing:paddingwithzeros
append"0"bituntilmessagelengthinbits448(mod512)
appendoriginallengthinbitsmod(2pow64)tomessage
//Processthemessageinsuccessive512bitchunks:
foreach512bitchunkofmessage
breakchunkintosixteen32bitwordsM[j],0j15
//Initializehashvalueforthischunk:
varintA:=a0
varintB:=b0
varintC:=c0
varintD:=d0
//Mainloop:
forifrom0to63
if0i15then
F:=(BandC)or((notB)andD)
g:=i
elseif16i31
F:=(DandB)or((notD)andC)
g:=(5i+1)mod16
elseif32i47
F:=BxorCxorD
g:=(3i+5)mod16
elseif48i63
F:=Cxor(Bor(notD))
g:=(7i)mod16
dTemp:=D
D:=C
C:=B
B:=B+leftrotate((A+F+K[i]+M[g]),s[i])
A:=dTemp
endfor
//Addthischunk'shashtoresultsofar:
a0:=a0+A
b0:=b0+B
c0:=c0+C
d0:=d0+D
endfor
varchardigest[16]:=a0appendb0appendc0appendd0//(Outputisinlittleendian)
//leftrotatefunctiondefinition
leftrotate(x,c)
return(x<<c)binaryor(x>>(32c));

Note:InsteadoftheformulationfromtheoriginalRFC1321shown,thefollowingmaybeusedfor
improvedefficiency(usefulifassemblylanguageisbeingusedotherwise,thecompilerwillgenerally
optimizetheabovecode.Sinceeachcomputationisdependentonanotherintheseformulations,thisis
oftenslowerthantheabovemethodwherethenand/andcanbeparallelised):
(0i15):F:=Dxor(Band(CxorD))
(16i31):F:=Cxor(Dand(BxorC))

MD5hashes
https://en.wikipedia.org/wiki/MD5

7/10

15/02/2016

MD5Wikipedia,thefreeencyclopedia

The128bit(16byte)MD5hashes(alsotermedmessagedigests)aretypicallyrepresentedasasequence
of32hexadecimaldigits.Thefollowingdemonstratesa43byteASCIIinputandthecorresponding
MD5hash:
MD5("Thequickbrownfoxjumpsoverthelazydog")=
9e107d9d372bb6826bd81d3542a419d6

Evenasmallchangeinthemessagewill(withoverwhelmingprobability)resultinamostlydifferent
hash,duetotheavalancheeffect.Forexample,addingaperiodtotheendofthesentence:
MD5("Thequickbrownfoxjumpsoverthelazydog.")=
e4d909c290d0fb1ca068ffaddf22cbd0

Thehashofthezerolengthstringis:
MD5("")=
d41d8cd98f00b204e9800998ecf8427e

TheMD5algorithmisspecifiedformessagesconsistingofanynumberofbitsitisnotlimitedto
multiplesofeightbit(octets,bytes)asshownintheexamplesabove.SomeMD5implementationssuch
asmd5summightbelimitedtooctets,ortheymightnotsupportstreamingformessagesofaninitially
undeterminedlength

Seealso
Comparisonofcryptographichashfunctions
HashClash
md5deep
md5sum
MD6

References
1.RFC1321,section3.4,"Step4.ProcessMessagein16WordBlocks",page5.
2.XieTao,FanbaoLiu,andDengguoFeng(2013)."FastCollisionAttackonMD5."(PDF).
3.Ciampa,Mark(2009).CompTIASecurity+2008indepth.AustraliaUnitedStates:Course
Technology/CengageLearning.p.290.
4.HansDobbertin(Summer1996)."TheStatusofMD5AfteraRecentAttack"(PDF).CryptoBytes.Retrieved
22October2013.
5.XiaoyunWangandHongboYu(2005)."HowtoBreakMD5andOtherHashFunctions"(PDF).Advancesin
CryptologyLectureNotesinComputerScience.pp.1935.Retrieved21December2009.
6.XiaoyunWang,Dengguo,k.,m.,m,HAVAL128andRIPEMD,CryptologyePrintArchiveReport2004/199,
16August2004,revised17August2004.Retrieved27July2008.
7.J.Black,M.Cochran,T.Highland:AStudyoftheMD5Attacks:InsightsandImprovements
(http://www.cs.colorado.edu/~jrblack/papers/md5efull.pdf),3March2006.Retrieved27July2008.
8.MarcStevens,ArjenLenstra,BennedeWeger:Vulnerabilityofsoftwareintegrityandcodesigning
applicationstochosenprefixcollisionsforMD5(http://www.win.tue.nl/hashclash/SoftIntCodeSign/),30
November2007.Retrieved27July2008.
9.Sotirov,AlexanderMarcStevensJacobAppelbaumArjenLenstraDavidMolnarDagArneOsvikBenne
deWeger(30December2008)."MD5consideredharmfultoday".Retrieved30December2008.Announced
(http://events.ccc.de/congress/2008/Fahrplan/events/3023.en.html)atthe25thChaosCommunication
https://en.wikipedia.org/wiki/MD5

8/10

15/02/2016

MD5Wikipedia,thefreeencyclopedia

Congress.
10.Stray,Jonathan(30December2008)."Webbrowserflawcouldputecommercesecurityatrisk".CNET.com.
Retrieved24February2009.
11."CERTVulnerabilityNoteVU#836068".Kb.cert.org.Retrieved9August2010.
12."NIST.govComputerSecurityDivisionComputerSecurityResourceCenter".Csrc.nist.gov.Retrieved
9August2010.
13.PhilipHawkesandMichaelPaddonandGregoryG.Rose:MusingsontheWangetal.MD5Collision
(http://eprint.iacr.org/2004/264),13October2004.Retrieved27July2008.
14.BishopFox(26September2013)."FastMD5andMD4CollisionGenerators".Retrieved10February2014.
"FasterimplementationoftechniquesinHowtoBreakMD5andOtherHashFunctions,byXiaoyunWang,et
al.Old(2006)averageruntimeonIBMP690supercomputer:1hour.NewaverageruntimeonP41.6ghz
PC:45minutes."
15.ArjenLenstra,XiaoyunWang,BennedeWeger:CollidingX.509Certificates
(http://eprint.iacr.org/2005/067),CryptologyePrintArchiveReport2005/067,1March2005,revised6May
2005.Retrieved27July2008.
16.VlastimilKlima:FindingMD5CollisionsaToyForaNotebook(http://eprint.iacr.org/2005/075),
CryptologyePrintArchiveReport2005/075,5March2005,revised8March2005.Retrieved27July2008.
17.VlastimilKlima:TunnelsinHashFunctions:MD5CollisionsWithinaMinute
(http://eprint.iacr.org/2006/105),CryptologyePrintArchiveReport2006/105,18March2006,revised17
April2006.Retrieved27July2008.
18."MD5testsuite".17January2013.Retrieved10February2014.
19."CodeCracked!CyberCommandLogoMysterySolved".USCYBERCOM.WiredNews.8July2010.
Retrieved29July2011.
20.TaoXie,DengguoFeng(2010)."ConstructMD5CollisionsUsingJustASingleBlockOfMessage"(PDF).
Retrieved28July2011.
21."MarcStevensResearchSingleblockcollisionattackonMD5".Marcstevens.nl.2012.Retrieved
10April2014.
22."RFC6151UpdatedSecurityConsiderationsfortheMD5MessageDigestandtheHMACMD5
Algorithms".InternetEngineeringTaskForce.March2011.Retrieved11November2013.
23."RFC1321TheMD5MessageDigestAlgorithm".InternetEngineeringTaskForce.April1992.Retrieved
5October2013.
24."RFC2104HMAC:KeyedHashingforMessageAuthentication".InternetEngineeringTaskForce.
February1997.Retrieved5October2013.
25.M.M.J.Stevens(June2007)."OnCollisionsforMD5"(PDF)."[...]weareabletofindcollisionsforMD5in
about224.1compressionsforrecommendedIHV'swhichtakesapprox.6secondsona2.6GHzPentium4."
26.MarcStevens,ArjenLenstra,BennedeWeger(16June2009)."ChosenprefixCollisionsforMD5and
Applications"(PDF).
27."NewGPUMD5crackercracksmorethan200millionhashespersecond..".
28.MagnusDaum,StefanLucks."HashCollisions(ThePoisonedMessageAttack)".Eurocrypt2005rump
session.
29.MaxGebhardt,GeorgIllies,WernerSchindler."ANoteonthePracticalValueofSingleHashCollisionsfor
SpecialFileFormats"(PDF).
30."PoisonousMD5WolvesAmongtheSheep|SilentSignalTechblog".Retrieved20150610.
31.Dobbertin,Hans(Summer1996)."TheStatusofMD5AfteraRecentAttack"(PDF).RSALaboratories
CryptoBytes2(2):1.Retrieved10August2010."Thepresentedattackdoesnotyetthreatenpractical
applicationsofMD5,butitcomesratherclose.....[sic]inthefutureMD5shouldnolongerbe
implemented...[sic]whereacollisionresistanthashfunctionisrequired."
32."SchneieronSecurity:MoreMD5Collisions".Schneier.com.Retrieved9August2010.
33."CollidingX.509Certificates".Win.tue.nl.Retrieved9August2010.
34."[PythonDev]hashlibfastermd5/sha,addssha256/512support".Mail.python.org.Retrieved9August
2010.
35."ResearchersUsePlayStationClustertoForgeaWebSkeletonKey".Wired.31December2008.Retrieved
31December2008.
36.Callan,Tim(31December2008)."Thismorning'sMD5attackresolved".Verisign.Retrieved
31December2008.
37.BruceSchneier(31December2008)."ForgingSSLCertificates".SchneieronSecurity.Retrieved10April
2014.
https://en.wikipedia.org/wiki/MD5

9/10

15/02/2016

MD5Wikipedia,thefreeencyclopedia

38."Flamemalwarecollisionattackexplained".
39.EricRescorla(20040817)."ArealMD5collision".EducatedGuesswork(blog).Archivedfromtheoriginal
on20140815.Retrieved20150413.
40.AntonA.Kuznetsov."AnalgorithmforMD5singleblockcollisionattackusinghighperformancecomputing
cluster"(PDF).IACR.Retrieved20141103.
41.YuSasaki,KazumaroAoki(16April2009)."FindingPreimagesinFullMD5FasterThanExhaustive
Search".SpringerBerlinHeidelberg.
42.MingMaoandShaohuiChenandJinXu(2009)."ConstructionoftheInitialStructureforPreimageAttackof
MD5".InternationalConferenceonComputationalIntelligenceandSecurity(IEEEComputerSociety)1:
442445.doi:10.1109/CIS.2009.214.ISBN9780769539317.
43.StevenJ.Murdoch:Googleasapasswordcracker(http://www.lightbluetouchpaper.org/2007/11/16/googleas
apasswordcracker/),LightBlueTouchpaperBlogArchive,16November2007.Retrieved27July2008.
44."AvailabilityanddescriptionoftheFileChecksumIntegrityVerifierutility".MicrosoftSupport.17June
2013.Retrieved10April2014.
45."HowtocomputetheMD5orSHA1cryptographichashvaluesforafile".MicrosoftSupport.23January
2007.Retrieved10April2014.
46."FreeBSDHandbook,SecurityDES,Blowfish,MD5,andCrypt".Retrieved20141019.
47."Synopsismanpagessection4:FileFormats".Docs.oracle.com.1January2013.Retrieved10April2014.
48.RFC1321,section2,"TerminologyandNotation",Page2.

Furtherreading
Berson,ThomasA.(1992)."DifferentialCryptanalysisMod232withApplicationstoMD5".
EUROCRYPT.pp.7180.ISBN3540564136.
BertdenBoerAntoonBosselaers(1993).CollisionsfortheCompressionFunctionofMD5.
BerlinLondon:Springer.pp.293304.ISBN3540576002.
HansDobbertin,CryptanalysisofMD5compress.AnnouncementonInternet,May1996.
"CiteSeerX".Citeseer.ist.psu.edu.Retrieved9August2010.
Dobbertin,Hans(1996)."TheStatusofMD5AfteraRecentAttack"(PDF).CryptoBytes2(2).
XiaoyunWangHongboYu(2005)."HowtoBreakMD5andOtherHashFunctions"(PDF).
EUROCRYPT.ISBN3540259104.

Externallinks
W3CrecommendationonMD5(http://www.w3.org/TR/1998/RECDSiglabel/MD51_0)
Retrievedfrom"https://en.wikipedia.org/w/index.php?title=MD5&oldid=701581428"
Categories: Cryptographichashfunctions Checksumalgorithms Brokenhashfunctions
Thispagewaslastmodifiedon25January2016,at10:46.
TextisavailableundertheCreativeCommonsAttributionShareAlikeLicenseadditionalterms
mayapply.Byusingthissite,youagreetotheTermsofUseandPrivacyPolicy.Wikipediaisa
registeredtrademarkoftheWikimediaFoundation,Inc.,anonprofitorganization.

https://en.wikipedia.org/wiki/MD5

10/10