Internet Engineering Task Force (IETF)                         S. Turner
Request for Comments: 6151                                          IECA
Updates: 1321, 2104                                              L. Chen
Category: Informational                                             NIST
ISSN: 2070-1721                                               March 2011
Internet Engineering Task Force (IETF)                         S. Turner
Request for Comments: 6151                                          IECA
Updates: 1321, 2104                                              L. Chen
Category: Informational                                             NIST
ISSN: 2070-1721                                               March 2011

Updated Security Considerations for the MD5 Message-Digest and the HMAC-MD5 Algorithms




This document updates the security considerations for the MD5 message digest algorithm. It also updates the security considerations for HMAC-MD5.


Status of This Memo


This document is not an Internet Standards Track specification; it is published for informational purposes.


This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are a candidate for any level of Internet Standard; see Section 2 of RFC 5741.

本文件是互联网工程任务组(IETF)的产品。它代表了IETF社区的共识。它已经接受了公众审查,并已被互联网工程指导小组(IESG)批准出版。并非IESG批准的所有文件都适用于任何级别的互联网标准;见RFC 5741第2节。

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at


Copyright Notice


Copyright (c) 2011 IETF Trust and the persons identified as the document authors. All rights reserved.

版权所有(c)2011 IETF信托基金和确定为文件作者的人员。版权所有。

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents ( in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

本文件受BCP 78和IETF信托有关IETF文件的法律规定的约束(自本文件出版之日起生效。请仔细阅读这些文件,因为它们描述了您对本文件的权利和限制。从本文件中提取的代码组件必须包括信托法律条款第4.e节中所述的简化BSD许可证文本,并提供简化BSD许可证中所述的无担保。

1. Introduction
1. 介绍

MD5 [MD5] is a message digest algorithm that takes as input a message of arbitrary length and produces as output a 128-bit "fingerprint" or "message digest" of the input. The published attacks against MD5 show that it is not prudent to use MD5 when collision resistance is required. This document replaces the security considerations in RFC 1321 [MD5].

MD5[MD5]是一种消息摘要算法,它将任意长度的消息作为输入,并生成输入的128位“指纹”或“消息摘要”作为输出。已发布的针对MD5的攻击表明,在需要抗碰撞时使用MD5是不谨慎的。本文件取代了RFC 1321[MD5]中的安全注意事项。

[HMAC] defined a mechanism for message authentication using cryptographic hash functions. Any message digest algorithm can be used, but the cryptographic strength of HMAC depends on the properties of the underlying hash function. [HMAC-MD5] defined test cases for HMAC-MD5. This document updates the security considerations in [HMAC], which [HMAC-MD5] points to for its security considerations.


[HASH-Attack] summarizes the use of hashes in many protocols and discusses how attacks against a message digest algorithm's one-way and collision-free properties affect and do not affect Internet protocols. Familiarity with [HASH-Attack] is assumed. One of the uses of message digest algorithms in [HASH-Attack] was integrity protection. Where the MD5 checksum is used inline with the protocol solely to protect against errors, an MD5 checksum is still an acceptable use. Applications and protocols need to clearly state in their security considerations what security services, if any, are expected from the MD5 checksum. In fact, any application and protocol that employs MD5 for any purpose needs to clearly state the expected security services from their use of MD5.


2. Security Considerations
2. 安全考虑

MD5 was published in 1992 as an Informational RFC. Since that time, MD5 has been extensively studied and new cryptographic attacks have been discovered. Message digest algorithms are designed to provide collision, pre-image, and second pre-image resistance. In addition, message digest algorithms are used with a shared secret value for message authentication in HMAC, and in this context, some people may find the guidance for key lengths and algorithm strengths in [SP800-57] and [SP800-131] useful.


MD5 is no longer acceptable where collision resistance is required such as digital signatures. It is not urgent to stop using MD5 in other ways, such as HMAC-MD5; however, since MD5 must not be used for digital signatures, new protocol designs should not employ HMAC-MD5. Alternatives to HMAC-MD5 include HMAC-SHA256 [HMAC] [HMAC-SHA256] and [AES-CMAC] when AES is more readily available than a hash function.


2.1. Collision Resistance
2.1. 抗碰撞

Pseudo-collisions for the compress function of MD5 were first described in 1993 [denBBO1993]. In 1996, [DOB1995] demonstrated a collision pair for the MD5 compression function with a chosen initial value. The first paper that demonstrated two collision pairs for MD5 was published in 2004 [WFLY2004]. The detailed attack techniques for MD5 were published at EUROCRYPT 2005 [WAYU2005]. Since then, a lot of research results have been published to improve collision attacks on MD5. The attacks presented in [KLIM2006] can find MD5 collision in about one minute on a standard notebook PC (Intel Pentium, 1.6GHz). [STEV2007] claims that it takes 10 seconds or less on a 2.6Ghz Pentium4 to find collisions. In [STEV2007], [SLdeW2007], [SSALMOdeW2009], and [SLdeW2009], the collision attacks on MD5 were successfully applied to X.509 certificates.

1993年首次描述了MD5压缩函数的伪碰撞[denBBO1993]。1996年,[1995]演示了MD5压缩函数的碰撞对,并选择了初始值。第一篇演示MD5的两个碰撞对的论文发表于2004年[WFLY2004]。MD5的详细攻击技术发表在EUROCRYPT 2005[WAYU2005]上。从那时起,已经发表了许多研究成果来改进MD5上的碰撞攻击。[KLIM2006]中提出的攻击可以在标准笔记本电脑(英特尔奔腾,1.6GHz)上在大约一分钟内发现MD5碰撞。[STEV2007]声称在2.6Ghz奔腾4上查找碰撞只需10秒或更短时间。在[STEV2007]、[SLdeW2007]、[SSALMOdeW2009]和[SLdeW2009]中,MD5上的碰撞攻击成功应用于X.509证书。

Notice that the collision attack on MD5 can also be applied to password-based challenge-and-response authentication protocols such as the APOP (Authenticated Post Office Protocol) option in POP [POP] used in post office authentication as presented in [LEUR2007].

请注意,MD5上的冲突攻击也可应用于基于密码的质询和响应身份验证协议,如[LEUR2007]中所述的邮局身份验证中使用的POP[POP]中的APOP(Authenticated Post Office Protocol)选项。

In fact, more delicate attacks on MD5 to improve the speed of finding collisions have been published recently. However, the aforementioned results have provided sufficient reason to eliminate MD5 usage in applications where collision resistance is required such as digital signatures.


2.2. Pre-Image and Second Pre-Image Resistance
2.2. 预成像和第二预成像电阻

Even though the best result can find a pre-image attack of MD5 faster than exhaustive search, as presented in [SAAO2009], the complexity 2^123.4 is still pretty high.


2.3. HMAC
2.3. HMAC

The cryptanalysis of HMAC-MD5 is usually conducted together with NMAC (Nested MAC) since they are closely related. NMAC uses two independent keys K1 and K2 such that NMAC(K1, K2, M) = H(K1, H(K2, M), where K1 and K2 are used as secret initialization vectors (IVs) for hash function H(IV, M). If we re-write the HMAC equation using two secret IVs such that IV2 = H(K Xor ipad) and IV1 = H(K Xor opad), then HMAC(K, M) = NMAC(IV1, IV2, M). Here it is very important to notice that IV1 and IV2 are not independently selected.

HMAC-MD5的密码分析通常与NMAC(嵌套MAC)一起进行,因为它们密切相关。NMAC使用两个独立的密钥K1和K2,使得NMAC(K1,K2,M)=H(K1,H(K2,M),其中K1和K2被用作哈希函数H(IV,M)的秘密初始化向量(IVs)。如果我们使用两个秘密IVs重写HMAC方程,使得IV2=H(kxor ipad)和IV1=H(kxor opad),那么HMAC(K,M)=NMAC(IV1,IV2,M).这里需要注意的是,IV1和IV2不是独立选择的。

The first analysis was explored on NMAC-MD5 using related keys in [COYI2006]. The partial key recovery attack cannot be extended to HMAC-MD5, since for HMAC, recovering partial secret IVs can hardly lead to recovering (partial) key K. Another paper presented at


Crypto 2007 [FLN2007] extended results of [COYI2006] to a full key recovery attack on NMAC-MD5. Since it also uses related key attack, it does not seem applicable to HMAC-MD5.

Crypto 2007[FLN2007]将[COYI2006]的结果扩展到NMAC-MD5上的完全密钥恢复攻击。由于它还使用相关的密钥攻击,因此它似乎不适用于HMAC-MD5。

A EUROCRYPT 2009 paper presented a distinguishing attack on HMAC-MD5 [WYWZZ2009] without using related keys. It can distinguish an instantiation of HMAC with MD5 from an instantiation with a random function with 2^97 queries with probability 0.87. This is called distinguishing-H. Using the distinguishing attack, it can recover some bits of the intermediate status of the second block. However, as it is pointed out in [WYWZZ2009], it cannot be used to recover the (partial) inner key H(K Xor ipad). It is not obvious how the attack can be used to form a forgery attack either.

EUROCRYPT 2009年的一篇论文在不使用相关密钥的情况下对HMAC-MD5[WYWZZ2009]提出了一种独特的攻击。它可以区分带有MD5的HMAC实例化和带有概率为0.87的2^97个查询的随机函数实例化。这称为区分-H。使用区分攻击,它可以恢复第二个块中间状态的一些位。但是,正如[WYWZZ2009]中指出的,它不能用于恢复(部分)内部密钥H(K Xor)。也不清楚如何利用该攻击形成伪造攻击。

The attacks on HMAC-MD5 do not seem to indicate a practical vulnerability when used as a message authentication code. Considering that the distinguishing-H attack is different from a distinguishing-R attack, which distinguishes an HMAC from a random function, the practical impact on HMAC usage as a pseudorandom function (PRF) such as in a key derivation function is not well understood.


Therefore, it may not be urgent to remove HMAC-MD5 from the existing protocols. However, since MD5 must not be used for digital signatures, for a new protocol design, a ciphersuite with HMAC-MD5 should not be included. Options include HMAC-SHA256 [HMAC] [HMAC-SHA256] and [AES-CMAC] when AES is more readily available than a hash function.


3. Acknowledgements
3. 致谢

Obviously, we have to thank all the cryptographers who produced the results we refer to in this document. We'd also like to thank Wesley Eddy, Sam Hartman, Alfred Hoenes, Martin Rex, Benne de Weger, and Lloyd Wood for their comments.


4. Informative References
4. 资料性引用

[AES-CMAC] Song, JH., Poovendran, R., Lee, J., and T. Iwata, "The AES-CMAC Algorithm", RFC 4493, June 2006.

[AES-CMAC]Song,JH.,Poovendran,R.,Lee,J.,和T.Iwata,“AES-CMAC算法”,RFC 4493,2006年6月。

[COYI2006] S. Contini, Y.L. Yin. Forgery and partial key-recovery attacks on HMAC and NMAC using hash collisions. ASIACRYPT 2006. LNCS 4284, Springer, 2006.

[COYI2006]S.Contini,Y.L.Yin。使用哈希冲突对HMAC和NMAC进行伪造和部分密钥恢复攻击。亚洲展翅2006。LNCS 4284,斯普林格,2006年。

[denBBO1993] den Boer, B. and A. Bosselaers, "Collisions for the compression function of MD5", Eurocrypt 1993.

[denBBO1993]den Boer,B.和A.Bosselaers,“MD5压缩功能的碰撞”,Eurocrypt 1993。

[DOB1995] Dobbertin, H., "Cryptanalysis of MD5 Compress", Eurocrypt 1996.

[Dobbertin,H.,“MD5压缩的密码分析”,Eurocrypt 1996。

[FLN2007] Fouque, P.-A., Leurent, G., Nguyen, P.Q.: Full key-recovery attacks on HMAC/NMAC-MD4 and NMAC-MD5. CRYPTO 2007. LNCS 4622, Springer, 2007.

[FLN2007]Fouque,P.-A.,Leurent,G.,Nguyen,P.Q.:对HMAC/NMAC-MD4和NMAC-MD5的全密钥恢复攻击。加密2007。LNCS 4622,斯普林格,2007年。

[HASH-Attack] Hoffman, P. and B. Schneier, "Attacks on Cryptographic Hashes in Internet Protocols", RFC 4270, November 2005.

[散列攻击]Hoffman,P.和B.Schneier,“对互联网协议中加密散列的攻击”,RFC 42702005年11月。

[HMAC] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-Hashing for Message Authentication", RFC 2104, February 1997.

[HMAC]Krawczyk,H.,Bellare,M.,和R.Canetti,“HMAC:用于消息身份验证的键控哈希”,RFC 2104,1997年2月。

[HMAC-MD5] Cheng, P. and R. Glenn, "Test Cases for HMAC-MD5 and HMAC-SHA-1", RFC 2202, September 1997.

[HMAC-MD5]Cheng,P.和R.Glenn,“HMAC-MD5和HMAC-SHA-1的测试案例”,RFC 2202,1997年9月。

[HMAC-SHA256] Nystrom, M., "Identifiers and Test Vectors for HMAC-SHA-224, HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512", RFC 4231, December 2005.

[HMAC-SHA256]Nystrom,M.“HMAC-SHA-224、HMAC-SHA-256、HMAC-SHA-384和HMAC-SHA-512的标识符和测试向量”,RFC 42312005年12月。

[KLIM2006] V. Klima. Tunnels in Hash Functions: MD5 Collisions within a Minute. Cryptology ePrint Archive, Report 2006/105 (2006),


[LEUR2007] G. Leurent, Message freedom in MD4 and MD5 collisions: Application to APOP. Proceedings of FSE 2007. Lecture Notes in Computer Science 4715. Springer, 2007.

[LEUR2007]G.Leurent,MD4和MD5碰撞中的消息自由:APOP的应用。FSE 2007年会议记录。计算机科学课堂讲稿4715。斯普林格,2007年。

[MD5] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, April 1992.

[MD5]Rivest,R.,“MD5消息摘要算法”,RFC 13211992年4月。

[POP] Myers, J. and M. Rose, "Post Office Protocol - Version 3", STD 53, RFC 1939, May 1996.

[POP]迈尔斯,J.和M.罗斯,“邮局协议-第3版”,STD 53,RFC 1939,1996年5月。

[SAAO2009] Y. Sasaki and K. Aoki. Finding preimages in full MD5 faster than exhaustive search. Advances in Cryptology - EUROCRYPT 2009, LNCS 5479 of Lecture Notes in Computer Science, Springer, 2009.

[SAAO2009]Y.Sasaki和K.Aoki。在完整MD5中查找前图像比穷举搜索更快。密码学进展-EUROCRYPT 2009,LNCS 5479计算机科学课堂讲稿,Springer,2009。

[SLdeW2007] Stevens, M., Lenstra, A., de Weger, B., Chosen-prefix Collisions for MD5 and Colliding X.509 Certificates for Different Identities. EuroCrypt 2007.

[SLdeW2007]Stevens,M.,Lenstra,A.,de Weger,B.,为MD5选择前缀冲突,并为不同身份选择冲突的X.509证书。欧洲密码2007。

[SLdeW2009] Stevens, M., Lenstra, A., de Weger, B., "Chosen-prefix Collisions for MD5 and Applications", Journal of Cryptology, 2009.

[SLdeW2009]Stevens,M.,Lenstra,A.,de Weger,B.,“MD5和应用程序的选择前缀冲突”,密码学杂志,2009年。

[SSALMOdeW2009] Stevens, M., Sotirov, A., Appelbaum, J., Lenstra, A., Molnar, D., Osvik, D., and B. de Weger. Short chosen-prefix collisions for MD5 and the creation of a rogue CA certificate, Crypto 2009.

[SSALMOdeW2009]Stevens,M.,Sotirov,A.,Appelbaum,J.,Lenstra,A.,Molnar,D.,Osvik,D.,和 Weger。MD5的短前缀冲突和恶意CA证书的创建,Crypto 2009。

[SP800-57] National Institute of Standards and Technology (NIST), Special Publication 800-57: Recommendation for Key Management - Part 1 (Revised), March 2007.


[SP800-131] National Institute of Standards and Technology (NIST), Special Publication 800-131: DRAFT Recommendation for the Transitioning of Cryptographic Algorithms and Key Sizes, June 2010.


[STEV2007] Stevens, M., "On Collisions for MD5", Master's Thesis, Eindhoven University of Technology, On%20Collisions%20for%20MD5%20-%20M.M.J.%20Stevens.pdf.

史蒂文斯,M.,《关于MD5的碰撞》,硕士论文,埃因霍温理工大学, 对于%20MD5%20-%20M.M.J.%20Stevens.pdf,在%20碰撞%20上。

[WAYU2005] X. Wang and H. Yu. How to Break MD5 and other Hash Functions. LNCS 3494. Advances in Cryptology - EUROCRYPT2005, Springer, 2005.

[WAYU2005]X.Wang和H.Yu。如何中断MD5和其他哈希函数。LNCS 3494。密码学进展-欧洲密码2005,斯普林格,2005。

   [WFLY2004]    X. Wang, D. Feng, X. Lai, H. Yu, Collisions for Hash
                 Functions MD4, MD5, HAVAL-128 and RIPEMD, 2004,
   [WFLY2004]    X. Wang, D. Feng, X. Lai, H. Yu, Collisions for Hash
                 Functions MD4, MD5, HAVAL-128 and RIPEMD, 2004,

[WYWZZ2009] X. Wang, H. Yu, W. Wang, H. Zhang, and T. Zhan. Cryptanalysis of HMAC/NMAC-MD5 and MD5-MAC. LNCS 5479. Advances in Cryptology - EUROCRYPT2009, Springer, 2009.

[WYWZZ2009]X.Wang,H.Yu,W.Wang,H.Zhang,T.Zhan。HMAC/NMAC-MD5和MD5-MAC的密码分析。LNCS 5479。密码学进展-欧洲密码2009,斯普林格,2009。

Authors' Addresses


Sean Turner IECA, Inc. 3057 Nutley Street, Suite 106 Fairfax, VA 22031 USA

Sean Turner IECA,Inc.美国弗吉尼亚州费尔法克斯市努特利街3057号106室,邮编22031


Lily Chen National Institute of Standards and Technology 100 Bureau Drive, Mail Stop 8930 Gaithersburg, MD 20899-8930 USA

美国马里兰州盖瑟斯堡邮政站8930号,美国马里兰州盖瑟斯堡市局道100号,Lily Chen国家标准与技术研究所,邮编20899-8930