MD4: Difference between revisions

Article snapshot taken from Wikipedia with creative commons attribution-sharealike license.
Revision as of 03:31, 20 September 2021 by JellyMan9001 (Extended confirmed users, 962 edits): Reverting edit(s) by 2601:3C1:4100:36F0:C983:F7BB:1E32:C0E5 (talk) to rev. 1038892092 by Wdpp: Unexplained content removal (RW 16.1). Tags: RW, Undo, Reverted.
Revision as of 03:32, 20 September 2021 by 2601:3c1:4100:36f0:c983:f7bb:1e32:c0e5: Typos. Tags: Reverted, references removed, Mobile edit, Mobile web edit.
Line 17: Line 17:
| rounds = 3 | rounds = 3
| cryptanalysis = | cryptanalysis =
A collision attack published in 2007 can find collisions
A collision attack published in 2007 can find collisions for full MD4 in less than 2 hash operations.<ref name=sasaki-2007>{{cite journal |author=Yu Sasaki|year=2007 |title=New message difference for MD4 |url=https://www.iacr.org/archive/fse2007/45930331/45930331.pdf|display-authors=etal}}</ref>
}}

The '''MD4 Message-Digest Algorithm''' is a ] developed by ] in 1990.<ref name="drt">{{cite web |url=http://www.rsa.com/rsalabs/node.asp?id=2253 |title=What are MD2, MD4, and MD5? |access-date=2011-04-29 |publisher=RSA Laboratories |work=Public-Key Cryptography Standards (PKCS): PKCS #7: Cryptographic Message Syntax Standard: 3.6 Other Cryptographic Techniques: 3.6.6 What are MD2, MD4, and MD5? |url-status=dead |archive-url=https://web.archive.org/web/20110901034903/http://www.rsa.com/rsalabs/node.asp?id=2253 |archive-date=2011-09-01 }}</ref> The digest length is 128 bits. The algorithm has influenced later designs, such as the ], ] and ] algorithms. The initialism "MD" stands for "Message Digest."

]

The security of MD4 has been severely compromised. The first full ] against MD4 was published in 1995 and several newer attacks have been published since then. As of 2007, an attack can generate collisions in less than 2 MD4 hash operations.<ref name=sasaki-2007 /> A theoretical ] also exists.

A variant of MD4 is used in the ] to provide a unique identifier for a file in the popular eDonkey2000 / eMule P2P networks. MD4 was also used by the ] protocol (prior to version 3.0.0.)

MD4 is used to compute ] password-derived key digests on Microsoft Windows NT, XP, Vista, 7, 8, and 10.<ref name="ntlm">{{cite web |url=http://msdn.microsoft.com/en-us/library/cc236715(v=PROT.10).aspx |title=5.1 Security Considerations for Implementors |access-date=2011-07-21 |quote=Deriving a key from a password is as specified in and .}}</ref>


==Security== ==Security==
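
Review bot: the edit summary says "Typos", but in the cryptanalysis field the new text stops at "can find collisions", so the rest of that sentence and the definition of the sasaki-2007 reference are gone, and the closing "}}" and the lead paragraphs that follow appear only once in the diff. The resulting revision shows an infobox that is never closed and a "sasaki-2007 was invoked but never defined" cite error in the reference list. Suggest restoring the removed lines, or, if a typo fix was intended, limiting the change to that wording and keeping the ref definition and "}}" intact.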

Revision as of 03:32, 20 September 2021

{{Infobox cryptographic hash function
| name = MD4
| image =
| caption =
| designers = Ronald Rivest
| publish date = October 1990
| series = MD2, MD4, MD5, MD6
| derived from =
| derived to =
| related to =
| certification =
| digest size = 128 bits
| block size = 512 bits
| structure =
| rounds = 3
| cryptanalysis = A collision attack published in 2007 can find collisions

Security

Weaknesses in MD4 were demonstrated by Den Boer and Bosselaers in a paper published in 1991. The first full-round MD4 collision attack was found by Hans Dobbertin in 1995, which took only seconds to carry out at that time. In August 2004, Wang et al. found a very efficient collision attack, alongside attacks on later hash function designs in the MD4/MD5/SHA-1/RIPEMD family. This result was improved later by Sasaki et al., and generating a collision is now as cheap as verifying it (a few microseconds).

In 2008, the preimage resistance of MD4 was also broken by Gaëtan Leurent, with a 2 attack. In 2010, Guo et al. published a 2 attack.

In 2011, RFC 6150 stated that RFC 1320 (MD4) is historic (obsolete).

MD4 hashes

The 128-bit (16-byte) MD4 hashes (also termed message digests) are typically represented as 32-digit hexadecimal numbers. The following demonstrates a 43-byte ASCII input and the corresponding MD4 hash:

MD4("The quick brown fox jumps over the lazy dog")
= 1bee69a46ba811185c194762abaeae90

Even a small change in the message will (with overwhelming probability) result in a completely different hash, e.g. changing d to c:

MD4("The quick brown fox jumps over the lazy cog")
= b86e130ce7028da59e672d56ad0113df

The hash of the zero-length string is:

MD4("") = 31d6cfe0d16ae931b73c59d7e0c089c0

MD4 test vectors

The following test vectors are defined in RFC 1320 (The MD4 Message-Digest Algorithm):

MD4 ("") = 31d6cfe0d16ae931b73c59d7e0c089c0
MD4 ("a") = bde52cb31de33e46245e05fbdbd6fb24
MD4 ("abc") = a448017aaf21d8525fc10ae87aa6729d
MD4 ("message digest") = d9130a8164549fe818874806e1c7014b
MD4 ("abcdefghijklmnopqrstuvwxyz") = d79e1c308aa5bbcdeea8ed63df412da9
MD4 ("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789") = 043f8582f241db351ce627e153e7f0e4
MD4 ("12345678901234567890123456789012345678901234567890123456789012345678901234567890") = e33b4ddc9c38f2199c3e7b164fcc0536

MD4 collision example

Let:

 k1 = 839c7a4d7a92cb5678a5d5b9eea5a7573c8a74deb366c3dc20a083b69f5d2a3bb3719dc69891e9f95e809fd7e8b23ba6318edd45e51fe39708bf9427e9c3e8b9
 k2 = 839c7a4d7a92cbd678a5d529eea5a7573c8a74deb366c3dc20a083b69f5d2a3bb3719dc69891e9f95e809fd7e8b23ba6318edc45e51fe39708bf9427e9c3e8b9

k1 ≠ k2, but MD4(k1) = MD4(k2) = 4d7e6a1defa93d2dde05b45d864c429b

Note that two hex digits of k1 and k2 define one byte of the input string, whose length is 64 bytes.

References

  • Bert den Boer, Antoon Bosselaers: An Attack on the Last Two Rounds of MD4. Crypto 1991: 194–203
  • Hans Dobbertin: Cryptanalysis of MD4. Fast Software Encryption 1996: 53–69
  • Hans Dobbertin, 1998. Cryptanalysis of MD4. J. Cryptology 11(4): 253–271
  • Xiaoyun Wang, Xuejia Lai, Dengguo Feng, Hui Chen, Xiuyuan Yu: Cryptanalysis of the Hash Functions MD4 and RIPEMD. Eurocrypt 2005: 1–18
  • Yu Sasaki, Lei Wang, Kazuo Ohta, Noboru Kunihiro: New Message Difference for MD4. Fast Software Encryption 2007: 329–348
  1. "The MD4 Message Digest Algorithm". Network Working Group. October 1990. Retrieved 2011-04-29.
  2. Bert den Boer, Antoon Bosselaers (1991). "An Attack on the Last Two Rounds of MD4" (PDF). Archived from the original (PDF) on 2003-05-23.
  3. Hans Dobbertin (1995-10-23). "Cryptanalysis of MD4". Journal of Cryptology. 11 (4): 253–271. doi:10.1007/s001459900047. S2CID 7462235.
  4. Cite error: The named reference sasaki-2007 was invoked but never defined (see the help page).
  5. Gaëtan Leurent (2008-02-10). "MD4 is Not One-Way" (PDF). FSE 2008.
  6. https://www.academia.edu/20987202/Advanced_Meet-in-the-Middle_Preimage_Attacks_First_Results_on_Full_Tiger_and_Improved_Results_on_MD4_and_SHA-2
