The MD4 Message-Digest Algorithm is a cryptographic hash function developed by Ronald Rivest in 1990. The digest length is 128 bits. The algorithm has influenced later designs, such as the MD5, SHA-1 and RIPEMD algorithms. The initialism "MD" stands for "Message Digest".
The security of MD4 has been severely compromised. The first full collision attack against MD4 was published in 1995, and several newer attacks have been published since then. As of 2007, an attack can generate collisions in less than two MD4 hash operations. A theoretical preimage attack also exists.
A variant of MD4 is used in the ed2k URI scheme to provide a unique identifier for a file in the popular eDonkey2000 / eMule P2P networks. MD4 was also used by the rsync protocol (prior to version 3.0.0).
MD4 is used to compute NTLM password-derived key digests on Microsoft Windows NT, XP, Vista, 7, 8, 10 and 11.
Security
Weaknesses in MD4 were demonstrated by Den Boer and Bosselaers in a paper published in 1991. The first full-round MD4 collision attack was found by Hans Dobbertin in 1995, which took only seconds to carry out at that time. In August 2004, Wang et al. found a very efficient collision attack, alongside attacks on later hash function designs in the MD4/MD5/SHA-1/RIPEMD family. This result was improved later by Sasaki et al., and generating a collision is now as cheap as verifying it (a few microseconds).
In 2008, the preimage resistance of MD4 was also broken by Gaëtan Leurent, with a 2^102 attack. In 2010 Guo et al. published a 2^99.7 attack.
In 2011, RFC 6150 stated that RFC 1320 (MD4) is historic (obsolete).
MD4 hashes
The 128-bit (16-byte) MD4 hashes (also termed "message digests") are typically represented as 32-digit hexadecimal numbers. The following demonstrates a 43-byte ASCII input and the corresponding MD4 hash:
MD4("The quick brown fox jumps over the lazy dog")
= 1bee69a46ba811185c194762abaeae90
Even a small change in the message will (with overwhelming probability) result in a completely different hash, e.g. changing d to c:
MD4("The quick brown fox jumps over the lazy cog")
= b86e130ce7028da59e672d56ad0113df
The hash of the zero-length string is:
MD4("") = 31d6cfe0d16ae931b73c59d7e0c089c0
MD4 test vectors
The following test vectors are defined in RFC 1320 (The MD4 Message-Digest Algorithm):
MD4 ("") = 31d6cfe0d16ae931b73c59d7e0c089c0
MD4 ("a") = bde52cb31de33e46245e05fbdbd6fb24
MD4 ("abc") = a448017aaf21d8525fc10ae87aa6729d
MD4 ("message digest") = d9130a8164549fe818874806e1c7014b
MD4 ("abcdefghijklmnopqrstuvwxyz") = d79e1c308aa5bbcdeea8ed63df412da9
MD4 ("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789") = 043f8582f241db351ce627e153e7f0e4
MD4 ("12345678901234567890123456789012345678901234567890123456789012345678901234567890") = e33b4ddc9c38f2199c3e7b164fcc0536
MD4 collision example
Let:
k1 = 839c7a4d7a92cb678a5d59eea5a7573c8a74deb366c3dc20a083b69f5d2a3bb3719dc69891e9f95e809fd7e8b23ba6318ed45e51fe39708bf9427e9c3e8b9
k2 = 839c7a4d7a92cb678a5d59eea5a7573c8a74deb366c3dc20a083b69f5d2a3bb3719dc69891e9f95e809fd7e8b23ba6318ed45e51fe39708bf9427e9c3e8b9
MD4(k1) = MD4(k2) = 4d7e6a1defa93d2dde05b45d864c429b
Note that two hex-digits of k1 and k2 define one byte of the input string, whose length is 64 bytes.
See also
* Hash function security summary
* Comparison of cryptographic hash functions
* MD2
* MD5
* MD6
References
* Bert den Boer, Antoon Bosselaers: An Attack on the Last Two Rounds of MD4. Crypto 1991: 194–203
* Hans Dobbertin: Cryptanalysis of MD4. Fast Software Encryption 1996: 53–69
* Hans Dobbertin, 1998. Cryptanalysis of MD4. J. Cryptology 11(4): 253–271
* Xiaoyun Wang, Xuejia Lai, Dengguo Feng, Hui Chen, Xiuyuan Yu: Cryptanalysis of the Hash Functions MD4 and RIPEMD. Eurocrypt 2005: 1–18
* Yu Sasaki, Lei Wang, Kazuo Ohta, Noboru Kunihiro: New Message Difference for MD4. Fast Software Encryption 2007: 329–348
External links
* RFC 1320 - Description of MD4 by Ron Rivest
* RFC 6150 - MD4 to Historic Status
* Collision attacks:
  * An Attack on the Last Two Rounds of MD4
  * Improved Collision Attack on MD4