Cryptography Reference
N-Hash : This function originates from Japan, from the inventors of the
FEAL symmetric method. It is just as insecure as FEAL itself (see
Section 5.7.3).
GOST : Insiders will know immediately that this has to be a Russian
standard (they are generally called GOST). According to Schneier
[SchnCr, 18.11 and 20.3], the GOST function is probably secure, though
its description is somewhat confusing.
MD2 : This function was developed by Ron Rivest and published in
RFC 1319 in 1992. It computes a 128-bit hash value and is shown in
Figure 6.3. ('MD' stands for 'Message Digest'.) The only cryptanalytic
attack against MD2 currently known to RSA Laboratories was found in
1995: when the checksum appended to the text (Step 3 in Figure 6.3) is
omitted, you can construct a collision [RogChMD2]. That already suffices
to advise you against long-term use of MD2. The major benefit of
MD2 is its simple implementation; its major drawback is the relatively
slow computation of the hash value (Schneier [SchnCr] mentions 23 KB/s
on a PC-486SX/33 MHz). This shouldn't come as a surprise since it was
designed for 8-bit computers, while the MD4 and MD5 functions mentioned
below were designed for 32-bit computers. MD2 is (still) used
together with MD5 in PEM (see Section 7.2.1).
MD4 : MD4 was designed by Ron Rivest in 1990; it creates a 128-bit
hash value. Successful attacks had been known against the first and last
two rounds of the algorithm for some time. Later on, Dobbertin computed
a collision on a regular PC [DobMD4] within one minute. He even managed
to invert a 2-round MD4. In [DobMD4inv], he gives a preimage of hash
value 0, i.e., he constructs a byte sequence with a hash value of 0.
Together with the successful cryptanalysis of MD5 (see below), MD4 was
attacked very successfully: collisions can by now be calculated by hand.
This is why I strongly recommend not using this function any more.
Nevertheless, its design serves as a
template for many other hash functions.
MD5 : This is one of the best known one-way hash functions. It is
supposed to remove the weaknesses of MD4, and was also developed by
Ron Rivest (in 1991). MD5 is the hash function exclusively used in PGP
up to Version 2.6, and produces a 128-bit hash value, like MD4. You can
find an implementation in C on our Web site.
Serious flaws were found in MD5, too. In 2004, somebody even succeeded
in computing collisions (see below). This function should, therefore,
no longer be used for critical purposes.