Internet Engineering Task Force (IETF)                         S. Turner
Request for Comments: 6150                                          IECA
Obsoletes: 1320                                                  L. Chen
Category: Informational                                             NIST
ISSN: 2070-1721                                               March 2011
Internet Engineering Task Force (IETF)                         S. Turner
Request for Comments: 6150                                          IECA
Obsoletes: 1320                                                  L. Chen
Category: Informational                                             NIST
ISSN: 2070-1721                                               March 2011

MD4 to Historic Status




This document retires RFC 1320, which documents the MD4 algorithm, and discusses the reasons for doing so. This document moves RFC 1320 to Historic status.

本文档取消了RFC1320,它记录了MD4算法,并讨论了这样做的原因。本文件将RFC 1320移至历史状态。

Status of This Memo


This document is not an Internet Standards Track specification; it is published for informational purposes.


This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are a candidate for any level of Internet Standard; see Section 2 of RFC 5741.

本文件是互联网工程任务组(IETF)的产品。它代表了IETF社区的共识。它已经接受了公众审查,并已被互联网工程指导小组(IESG)批准出版。并非IESG批准的所有文件都适用于任何级别的互联网标准;见RFC 5741第2节。

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at


Copyright Notice


Copyright (c) 2011 IETF Trust and the persons identified as the document authors. All rights reserved.

版权所有(c)2011 IETF信托基金和确定为文件作者的人员。版权所有。

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents ( in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

本文件受BCP 78和IETF信托有关IETF文件的法律规定的约束(自本文件出版之日起生效。请仔细阅读这些文件,因为它们描述了您对本文件的权利和限制。从本文件中提取的代码组件必须包括信托法律条款第4.e节中所述的简化BSD许可证文本,并提供简化BSD许可证中所述的无担保。

1. Introduction
1. 介绍

MD4 [MD4] is a message digest algorithm that takes as input a message of arbitrary length and produces as output a 128-bit "fingerprint" or "message digest" of the input. This document retires [MD4]. Specifically, this document moves RFC 1320 [MD4] to Historic status. The reasons for taking this action are discussed.

MD4[MD4]是一种消息摘要算法,它将任意长度的消息作为输入,并生成输入的128位“指纹”或“消息摘要”作为输出。本文档取消了[MD4]。具体而言,本文件将RFC 1320[MD4]移至历史状态。讨论了采取这一行动的原因。

[HASH-Attack] summarizes the use of hashes in many protocols and discusses how attacks against a message digest algorithm's one-way and collision-free properties affect and do not affect Internet protocols. Familiarity with [HASH-Attack] is assumed.


2. Rationale
2. 根本原因

MD4 was published in 1992 as an Informational RFC. Since its publication, MD4 has been under attack [denBORBOS1992] [DOBB1995] [DOBB1996] [GLRW2010] [WLDCY2005] [LUER2008]. In fact, RSA, in 1996, suggested that MD4 should not be used [RSA-AdviceOnMD4]. Microsoft also made similar statements [MS-AdviceOnMD4].


In Section 6, this document discusses attacks against MD4 that indicate use of MD4 is no longer appropriate when collision resistance is required. Section 6 also discusses attacks against MD4's pre-image and second pre-image resistance. Additionally, attacks against MD4 used in message authentication with a shared secret (i.e., HMAC-MD4) are discussed.


3. Documents that Reference RFC 1320
3. 参考RFC 1320的文件

Use of MD4 has been specified in the following RFCs:


Internet Standard (IS):


o [RFC2289] A One-Time Password System.

o [RFC2289]一次性密码系统。

Draft Standard (DS):


o [RFC1629] Guidelines for OSI NSAP Allocation in the Internet.

o [RFC1629]互联网上OSI NSAP分配指南。

Proposed Standard (PS):


o [RFC3961] Encryption and Checksum Specifications for Kerberos 5.

o [RFC3961]Kerberos 5的加密和校验和规范。

Best Current Practice (BCP):


o [RFC4086] Randomness Requirements for Security.

o [RFC4086]安全性的随机性要求。



o [RFC1760] The S/KEY One-Time Password System.

o [RFC1760]S/键一次性密码系统。

o [RFC1983] Internet Users' Glossary.

o [RFC1983]互联网用户词汇表。

o [RFC2433] Microsoft PPP CHAP Extensions.

o [RFC2433]Microsoft PPP CHAP扩展。

o [RFC2759] Microsoft PPP CHAP Extensions, Version 2.

o [RFC2759]Microsoft PPP CHAP扩展,第2版。

o [RFC3174] US Secure Hash Algorithm 1 (SHA1).

o [RFC3174]美国安全哈希算法1(SHA1)。

o [RFC4757] The RC4-HMAC Kerberos Encryption Types Used by Microsoft Windows.

o [RFC4757]Microsoft Windows使用的RC4-HMAC Kerberos加密类型。

o [RFC5126] CMS Advanced Electronic Signatures (CAdES).

o [RFC5126]CMS高级电子签名(CAdES)。

There are other RFCs that refer to MD2, but they have been either moved to Historic status or obsoleted by a later RFC. References and discussions about these RFCs are omitted. The notable exceptions are:


o [RFC2313] PKCS #1: RSA Encryption Version 1.5.

o [RFC2313]PKCS#1:RSA加密版本1.5。

o [RFC2437] PKCS #1: RSA Cryptography Specifications Version 2.0.

o [RFC2437]PKCS#1:RSA加密规范2.0版。

o [RFC3447] Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1.

o [RFC3447]公钥加密标准(PKCS)#1:RSA加密规范版本2.1。

4. Impact of Moving MD4 to Historic
4. 将MD4迁移到历史数据库的影响

The impact of moving MD4 to Historic is minimal with the one exception of Microsoft's use of MD4 as part of RC4-HMAC in Windows, as described below.


Regarding DS, PS, and BCP RFCs:


o The initial One-Time Password systems, based on [RFC2289], have ostensibly been replaced by HMAC-based mechanism, as specified in "HOTP: An HMAC-Based One-Time Password Algorithm" [RFC4226]. [RFC4226] suggests following recommendations in [RFC4086] for random input, and in [RFC4086] weaknesses of MD4 are discussed.

o 最初基于[RFC2289]的一次性密码系统表面上已被基于HMAC的机制所取代,如“HOTP:基于HMAC的一次性密码算法”[RFC4226]所述。[RFC4226]在[RFC4086]中提出了以下关于随机输入的建议,并在[RFC4086]中讨论了MD4的弱点。

o MD4 was used in the Inter-Domain Routing Protocol (IDRP); each IDRP message carries a 16-octet hash that is computed by applying the MD-4 algorithm (RFC 1320) to the context of the message itself. Over time, IDRP was replaced by BGP-4 [RFC4271], which required at least [MD5].

o MD4用于域间路由协议(IDRP);每个IDRP消息都携带一个16个八位组的散列,该散列是通过将MD-4算法(RFC 1320)应用于消息本身的上下文来计算的。随着时间的推移,IDRP被BGP-4[RFC4271]取代,后者至少需要[MD5]。

o Kerberos Version 5 [RFC3961] specifies the use of MD4 for DES encryption types and checksum types. They were specified, never really used, and are in the process of being deprecated by [DES-DIE]. Further, the mandatory-to-implement encrypted types and checksum types specified by Kerberos are based on AES-256 and HMAC-SHA1 [RFC3962].

o Kerberos版本5[RFC3961]指定将MD4用于DES加密类型和校验和类型。它们是指定的,从未真正使用过,并且正在被[DES-DIE]弃用。此外,实现Kerberos指定的加密类型和校验和类型的强制方法基于AES-256和HMAC-SHA1[RFC3962]。

Regarding Informational RFCs:


o PKCS#1 v1.5 [RFC2313] indicated that there was no reason to not use MD4. PKCS#1 v2.0 [RFC2437] and v2.1 [RFC3447] recommend against MD4 due to cryptoanalytic progress having uncovered weaknesses in the collision resistance of MD4.

o PKCS#1 v1.5[RFC2313]表示没有理由不使用MD4。PKCS#1 v2.0[RFC2437]和v2.1[RFC3447]建议不要使用MD4,因为密码分析的进展发现了MD4在抗冲突方面的弱点。

o Randomness Requirements [RFC4086] does mention MD4, but not in a good way; it explains how the algorithm works and that there have been a number of attacks found against it.

o 随机性需求[RFC4086]确实提到了MD4,但不是很好;它解释了算法是如何工作的,并且已经发现了许多针对它的攻击。

o The "Internet Users' Glossary" [RFC1983] provided a definition for Message Digest and listed MD4 as one example.

o “Internet用户词汇表”[RFC1983]提供了消息摘要的定义,并将MD4列为一个示例。

o The IETF OTP specification [RFC2289] was based on S/KEY technology. So S/KEY was replaced by OTP, at least in theory. Additionally, the S/KEY implementations in the wild have started to use MD5 in lieu of MD4.

o IETF OTP规范[RFC2289]基于S/KEY技术。因此,S/KEY被OTP取代,至少在理论上是这样。此外,野外的S/KEY实现已经开始使用MD5代替MD4。

o The CAdES document [RFC5126] lists MD4 as a hash algorithm, disparages it, and then does not mention it again.

o CAdES文档[RFC5126]将MD4列为哈希算法,对其进行了贬损,然后不再提及它。

o The SHA-1 document [RFC3174] mentions MD4 in the acknowledgements section.

o SHA-1文件[RFC3174]在确认部分提到了MD4。

o The three RFCs describing Microsoft protocols, [RFC2433], [RFC2759], and [RFC4757], are very widely deployed as MS-CHAP v1, MS-CHAP v2, and RC4-HMAC, respectively.

o 描述Microsoft协议的三个RFC[RFC2433]、[RFC2759]和[RFC4757]分别被广泛部署为MS-CHAP v1、MS-CHAP v2和RC4-HMAC。

o MS-CHAP Version 1 is supported in Microsoft's Windows XP, 2000, 98, 95, NT 4.0, NT 3.51, and NT 3.5, but support has been dropped in Vista. MS-CHAP Version 2 is supported in Microsoft's Windows 7, Vista, XP, 2000, 98, 95, and NT 4.0. Both versions of MS-CHAP are also supported by RADIUS [RFC2548] and the Extensible Authentication Protocol (EAP) [RFC5281]. In 2007, [RFC4962] listed MS-CHAP v1 and v2 as flawed and recommended against their use; these incidents were presented as a strong indication for the necessity of built-in crypto-algorithm agility in Authentication, Authorization, and Accounting (AAA) protocols.

o 微软的Windows XP、2000、98、95、NT 4.0、NT 3.51和NT 3.5都支持MS-CHAP版本1,但Vista已不再支持MS-CHAP版本1。微软的Windows7、Vista、XP、2000、98、95和NT4.0支持MS-CHAP版本2。RADIUS[RFC2548]和可扩展身份验证协议(EAP)[RFC5281]也支持MS-CHAP的两个版本。2007年,[RFC4962]将MS-CHAP v1和v2列为有缺陷的,建议不要使用;这些事件有力地说明了身份验证、授权和计费(AAA)协议中内置加密算法灵活性的必要性。

o The RC4-HMAC is supported in Microsoft's Windows 2000 and later versions of Windows for backwards compatibility with Windows 2000. As [RFC4757] stated, RC4-HMAC doesn't rely on the collision resistance property of MD4, but uses it to generate a key from a password, which is then used as input to HMAC-MD5. For an attacker to recover the password from RC4-HMAC, the attacker first needs to recover the key that is used with HMAC-MD5. As noted in [RFC6151], key recovery attacks on HMAC-MD5 are not yet practical.

o RC4-HMAC在Microsoft的Windows 2000和更高版本的Windows中受支持,以向后兼容Windows 2000。正如[RFC4757]所述,RC4-HMAC不依赖MD4的抗冲突属性,而是使用它从密码生成密钥,然后将其用作HMAC-MD5的输入。为了让攻击者从RC4-HMAC恢复密码,攻击者首先需要恢复HMAC-MD5使用的密钥。如[RFC6151]所述,对HMAC-MD5的密钥恢复攻击还不实用。

5. Other Considerations
5. 其他考虑

rsync [RSYNC], a non-IETF protocol, once specified the use of MD4, but as of version 3.0.0 published in 2008, it has adopted MD5 [MD5].


6. Security Considerations
6. 安全考虑

This section addresses attacks against MD4's collisions, pre-image, and second pre-image resistance. Additionally, attacks against HMAC-MD4 are discussed.


Some may find the guidance for key lengths and algorithm strengths in [SP800-57] and [SP800-131] useful.


6.1. Collision Resistance
6.1. 抗碰撞

A practical attack on MD4 was shown by Dobbertin in 1996 with complexity 2^20 of MD4 hash computations [DOBB1996]. In 2004, a more devastating result presented by Xiaoyun Wang showed that the complexity can be reduced to 2^8 of MD4 hash operations. At the Rump Session of Crypto 2004, Wang said that as a matter of fact, finding a collision of MD4 can be accomplished with a pen on a piece of paper. The formal result was presented at EUROCRYPT 2005 in [WLDCY2005].

Dobbertin在1996年展示了对MD4的实际攻击,MD4哈希计算的复杂性为2^20[DOBB1996]。2004年,王晓云提出的一个更具破坏性的结果表明,MD4哈希操作的复杂度可以降低到2^8。在Crypto 2004的尾声会议上,Wang说,事实上,找到MD4的碰撞可以用一支笔在一张纸上完成。正式结果在[WLDCY2005]的EUROCRYPT 2005上公布。

6.2. Pre-Image and Second Pre-Image Resistance
6.2. 预成像和第二预成像电阻

The first pre-image attack on full MD4 was accomplished in [LUER2008] with complexity 2^100. Some improvements are shown on pre-image attacks and second pre-image attacks of MD4 with certain pre-computations [GLRW2010], where complexity is reduced to 2^78.4 and 2^69.4 for pre-image and second pre-image, respectively. The pre-image attacks on MD4 are practical. It cannot be used as a one-way function. For example, it must not be used to hash a cryptographic key of 80 bits or longer.


6.3. HMAC
6.3. HMAC

The attacks on Hash-based Message Authentication Code (HMAC) algorithms [RFC2104] presented so far can be classified in three types: distinguishing attacks, existential forgery attacks, and key recovery attacks. Of course, among all these attacks, key recovery attacks are the most severe attacks.


The best results on key recovery attacks on HMAC-MD4 were published at EUROCRYPT 2008 with 2^72 queries and 2^77 MD4 computations [WOK2008].

关于HMAC-MD4的密钥恢复攻击的最佳结果发表在EUROCRYPT 2008上,其中包含2^72个查询和2^77个MD4计算[WOK2008]。

7. Recommendation
7. 正式建议

Despite MD4 seeing some deployment on the Internet, this specification obsoletes [MD4] because MD4 is not a reasonable candidate for further standardization and should be deprecated in favor of one or more existing hash algorithms (e.g., SHA-256 [SHS]).


RSA Security considers it appropriate to move the MD4 algorithm to Historic status.

RSA Security认为将MD4算法移动到历史状态是合适的。

It takes a number of years to deploy crypto and it also takes a number of years to withdraw it. Algorithms need to be withdrawn before a catastrophic break is discovered. MD4 is clearly showing signs of weakness, and implementations should strongly consider removing support and migrating to another hash algorithm.


8. Acknowledgements
8. 致谢

We'd like to thank RSA for publishing MD4. Obviously, we have to thank all the cryptographers who produced the results we refer to in this document. We'd also like to thank Ran Atkinson, Sue Hares, Sam Hartman, Alfred Hoenes, John Linn, Catherine Meadows, Magnus Nystrom, and Martin Rex for their input.

我们要感谢RSA发布MD4。显然,我们必须感谢所有产生我们在本文中提到的结果的密码学家。我们还要感谢Ran Atkinson、Sue Hares、Sam Hartman、Alfred Hoenes、John Linn、Catherine Meadows、Magnus Nystrom和Martin Rex的投入。

9. Informative References
9. 资料性引用

[denBORBOS1992] B. den Boer and A. Bosselaers. An attack on the last two rounds of MD4. In Advances in Cryptology - Crypto '91, pages 194-203, Springer-Verlag, 1992.

[denBORBOS1992]B.den Boer和A.Bosselaers。对MD4最后两轮的攻击。《密码学的进展——加密’91》,第194-203页,Springer Verlag,1992年。

[DES-DIE] Astrand, L., "Deprecate DES support for Kerberos", Work in Progress, July 2010.


[DOBB1995] H. Dobbertin. Alf swindles Ann. CryptoBytes, 1(3): 5, 1995.


[DOBB1996] H. Dobbertin. Cryptanalysis of MD4. In Proceedings of the 3rd Workshop on Fast Software Encryption, Cambridge, U.K., pages 53-70, Lecture Notes in Computer Science 1039, Springer-Verlag, 1996.

[DOBB1996]H.Dobbertin。MD4的密码分析。在快速软件加密第三届研讨会论文集,剑桥,英国,第53-70页,计算机科学讲义1039,Springer Verlag,1996。

[GLRW2010] Guo, J., Ling, S., Rechberger, C., and H. Wang, "Advanced Meet-in-the-Middle Preimage Attacks: First Results on Full Tiger, and Improved Results on MD4 and SHA-2",


[HASH-Attack] Hoffman, P. and B. Schneier, "Attacks on Cryptographic Hashes in Internet Protocols", RFC 4270, November 2005.

[散列攻击]Hoffman,P.和B.Schneier,“对互联网协议中加密散列的攻击”,RFC 42702005年11月。

[LUER2008] G. Leurent. MD4 is Not One-Way. Fast Software Encryption 2008, Lausanne, Switzerland, February 10-13, 2008, LNCS 5086. Springer, 2008.

[LUER2008]G.Leurent。MD4不是一种方式。Fast Software Encryption 2008,瑞士洛桑,2008年2月10日至13日,LNCS 5086。斯普林格,2008年。

[MD4] Rivest, R., "The MD4 Message-Digest Algorithm", RFC 1320, April 1992.


[MD5] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, April 1992.

[MD5]Rivest,R.,“MD5消息摘要算法”,RFC 13211992年4月。

[MS-AdviceOnMD4] Howard, M., "Secure Habits: 8 Simple Rules For Developing More Secure Code", en-us/magazine/cc163518.aspx#S6.

[MS-AdviceOnMD4]Howard,M.,“安全习惯:开发更安全代码的8条简单规则”, en us/magazine/cc163518.aspx#S6。

[RFC1629] Colella, R., Callon, R., Gardner, E., and Y. Rekhter, "Guidelines for OSI NSAP Allocation in the Internet", RFC 1629, May 1994.

[RFC1629]Colella,R.,Callon,R.,Gardner,E.,和Y.Rekhter,“互联网上OSI NSAP分配指南”,RFC 1629,1994年5月。

[RFC1760] Haller, N., "The S/KEY One-Time Password System", RFC 1760, February 1995.


[RFC1983] Malkin, G., Ed., "Internet Users' Glossary", FYI 18, RFC 1983, August 1996.

[RFC1983]Malkin,G.,Ed.,“互联网用户词汇表”,FYI 18,RFC 1983,1996年8月。

[RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-Hashing for Message Authentication", RFC 2104, February 1997.

[RFC2104]Krawczyk,H.,Bellare,M.,和R.Canetti,“HMAC:用于消息认证的键控哈希”,RFC 2104,1997年2月。

[RFC2289] Haller, N., Metz, C., Nesser, P., and M. Straw, "A One-Time Password System", STD 61, RFC 2289, February 1998.

[RFC2289]Haller,N.,Metz,C.,Nesser,P.,和M.Straw,“一次性密码系统”,STD 61,RFC 2289,1998年2月。

[RFC2313] Kaliski, B., "PKCS #1: RSA Encryption Version 1.5", RFC 2313, March 1998.

[RFC2313]Kaliski,B.,“PKCS#1:RSA加密版本1.5”,RFC 2313,1998年3月。

[RFC2433] Zorn, G. and S. Cobb, "Microsoft PPP CHAP Extensions", RFC 2433, October 1998.

[RFC2433]Zorn,G.和S.Cobb,“微软PPP CHAP扩展”,RFC 2433,1998年10月。

[RFC2437] Kaliski, B., and J. Staddon, "PKCS #1: RSA Cryptography Specifications Version 2.0", RFC 2437, October 1998.

[RFC2437]Kaliski,B.和J.Staddon,“PKCS#1:RSA加密规范2.0版”,RFC 2437,1998年10月。

[RFC2548] Zorn, G., "Microsoft Vendor-specific RADIUS Attributes", RFC 2548, March 1999.

[RFC2548]Zorn,G.,“微软特定于供应商的半径属性”,RFC 2548,1999年3月。

[RFC2759] Zorn, G., "Microsoft PPP CHAP Extensions, Version 2", RFC 2759, January 2000.

[RFC2759]Zorn,G.,“微软PPP CHAP扩展,第2版”,RFC 2759,2000年1月。

[RFC3174] Eastlake 3rd, D. and P. Jones, "US Secure Hash Algorithm 1 (SHA1)", RFC 3174, September 2001.

[RFC3174]Eastlake 3rd,D.和P.Jones,“美国安全哈希算法1(SHA1)”,RFC 3174,2001年9月。

[RFC3447] Jonsson, J. and B. Kaliski, "Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1", RFC 3447, February 2003.

[RFC3447]Jonsson,J.和B.Kaliski,“公钥密码标准(PKCS)#1:RSA密码规范版本2.1”,RFC 3447,2003年2月。

[RFC3961] Raeburn, K., "Encryption and Checksum Specifications for Kerberos 5", RFC 3961, February 2005.

[RFC3961]Raeburn,K.,“Kerberos 5的加密和校验和规范”,RFC 3961,2005年2月。

[RFC3962] Raeburn, K., "Advanced Encryption Standard (AES) Encryption for Kerberos 5", RFC 3962, February 2005.

[RFC3962]Raeburn,K.,“Kerberos 5的高级加密标准(AES)加密”,RFC 3962,2005年2月。

[RFC4086] Eastlake 3rd, D., Schiller, J., and S. Crocker, "Randomness Requirements for Security", BCP 106, RFC 4086, June 2005.

[RFC4086]Eastlake 3rd,D.,Schiller,J.,和S.Crocker,“安全的随机性要求”,BCP 106,RFC 4086,2005年6月。

[RFC4226] M'Raihi, D., Bellare, M., Hoornaert, F., Naccache, D., and O. Ranen, "HOTP: An HMAC-Based One-Time Password Algorithm", RFC 4226, December 2005.

[RFC4226]M'Raihi,D.,Bellare,M.,Hoornaert,F.,Naccache,D.,和O.Ranen,“HOTP:基于HMAC的一次性密码算法”,RFC 42262005年12月。

[RFC4271] Rekhter, Y., Ed., Li, T., Ed., and S. Hares, Ed., "A Border Gateway Protocol 4 (BGP-4)", RFC 4271, January 2006.

[RFC4271]Rekhter,Y.,Ed.,Li,T.,Ed.,和S.Hares,Ed.,“边境网关协议4(BGP-4)”,RFC 42712006年1月。

[RFC4757] Jaganathan, K., Zhu, L., and J. Brezak, "The RC4-HMAC Kerberos Encryption Types Used by Microsoft Windows", RFC 4757, December 2006.

[RFC4757]Jaganathan,K.,Zhu,L.,和J.Brezak,“微软Windows使用的RC4-HMAC Kerberos加密类型”,RFC 4757,2006年12月。

[RFC4962] Housley, R. and B. Aboba, "Guidance for Authentication, Authorization, and Accounting (AAA) Key Management", BCP 132, RFC 4962, July 2007.

[RFC4962]Housley,R.和B.Aboba,“认证、授权和记帐(AAA)密钥管理指南”,BCP 132,RFC 4962,2007年7月。

[RFC5126] Pinkas, D., Pope, N., and J. Ross, "CMS Advanced Electronic Signatures (CAdES)", RFC 5126, March 2008.

[RFC5126]Pinkas,D.,Pope,N.,和J.Ross,“CMS高级电子签名(CAdES)”,RFC 5126,2008年3月。

[RFC5281] Funk, P. and S. Blake-Wilson, "Extensible Authentication Protocol Tunneled Transport Layer Security Authenticated Protocol Version 0 (EAP-TTLSv0)", RFC 5281, August 2008.

[RFC5281]Funk,P.和S.Blake Wilson,“可扩展认证协议隧道传输层安全认证协议版本0(EAP-TTLSv0)”,RFC 52812008年8月。

[RFC6151] Turner, S. and L. Chen, "Updated Security Considerations for the MD5 Message-Digest and the HMAC-MD5 Algorithms", RFC 6151, March 2011.

[RFC6151]Turner,S.和L.Chen,“MD5消息摘要和HMAC-MD5算法的更新安全注意事项”,RFC 61512011年3月。

[RSA-AdviceOnMD4] Robshaw, M.J.B., "On Recent Results for MD2, MD4 and MD5", November 1996,


[RSYNC] rsync web pages,


[SHS] National Institute of Standards and Technology (NIST), FIPS Publication 180-3: Secure Hash Standard, October 2008.


[SP800-57] National Institute of Standards and Technology (NIST), Special Publication 800-57: Recommendation for Key Management - Part 1 (Revised), March 2007.


[SP800-131] National Institute of Standards and Technology (NIST), Special Publication 800-131: DRAFT Recommendation for the Transitioning of Cryptographic Algorithms and Key Sizes, June 2010.


[WLDCY2005] X. Wang, X. Lai, D. Feng, H. Chen, and X. Yu, Cryptanalysis of Hash Functions MD4 and RIPEMD, LNCS 3944, Advances in Cryptology - EUROCRYPT2005, Springer, 2005.

[WLDCY2005]王X,赖X,冯D,陈H.和余X.散列函数MD4和RIPEMD的密码分析,LNCS 3944,密码学进展-欧洲密码2005,斯普林格,2005。

[WOK2008] L. Wang, K. Ohta, and N. Kunihiro, New Key-recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5, EUROCRYPT 2008, LNCS 4965, Springer, 2008.

[WOK2008]L.Wang,K.Ohta和N.Kunihiro,针对HMAC/NMAC-MD4和NMAC-MD5的新密钥恢复攻击,EUROCRYPT 2008,LNCS 4965,Springer,2008。

Authors' Addresses


Sean Turner IECA, Inc. 3057 Nutley Street, Suite 106 Fairfax, VA 22031 USA

Sean Turner IECA,Inc.美国弗吉尼亚州费尔法克斯市努特利街3057号106室,邮编22031


Lily Chen National Institute of Standards and Technology 100 Bureau Drive, Mail Stop 8930 Gaithersburg, MD 20899-8930 USA

美国马里兰州盖瑟斯堡邮政站8930号,美国马里兰州盖瑟斯堡市局道100号,Lily Chen国家标准与技术研究所,邮编20899-8930