md5算法.docx
《md5算法.docx》由会员分享,可在线阅读,更多相关《md5算法.docx(26页珍藏版)》请在冰豆网上搜索。
md5算法
NetworkWorkingGroupR.Rivest
RequestforComments:
1321MITLaboratoryforComputerScience
andRSADataSecurity,Inc.
April1992
TheMD5Message-DigestAlgorithm
StatusofthisMemo
ThismemoprovidesinformationfortheInternetcommunity.ItdoesnotspecifyanInternetstandard.Distributionofthismemoisunlimited.
Acknowlegements
WewouldliketothankDonCoppersmith,BurtKaliski,RalphMerkle,DavidChaum,andNoamNisanfornumeroushelpfulcommentsandsuggestions.
TableofContents
1.ExecutiveSummary1
2.TerminologyandNotation2
3.MD5AlgorithmDescription3
4.Summary6
5.DifferencesBetweenMD4andMD56
References7
APPENDIXA-ReferenceImplementation7
SecurityConsiderations21
Author'sAddress21
1.ExecutiveSummary
ThisdocumentdescribestheMD5message-digestalgorithm.Thealgorithmtakesasinputamessageofarbitrarylengthandproducesasoutputa128-bit"fingerprint"or"messagedigest"oftheinput.Itisconjecturedthatitiscomputationallyinfeasibletoproducetwomessageshavingthesamemessagedigest,ortoproduceanymessagehavingagivenprespecifiedtargetmessagedigest.TheMD5algorithmisintendedfordigitalsignatureapplications,wherealargefilemustbe"compressed"inasecuremannerbeforebeingencryptedwithaprivate(secret)keyunderapublic-keycryptosystem
suchasRSA.
Rivest[Page1]
RFC1321MD5Message-DigestAlgorithmApril1992
TheMD5algorithmisdesignedtobequitefaston32-bitmachines.Inaddition,theMD5algorithmdoesnotrequireanylargesubstitutiontables;thealgorithmcanbecodedquitecompactly.
TheMD5algorithmisanextensionoftheMD4message-digestalgorithm1,2].MD5isslightlyslowerthanMD4,butismore"conservative"indesign.MD5wasdesignedbecauseitwasfeltthatMD4wasperhapsbeingadoptedforusemorequicklythanjustifiedbytheexistingcriticalreview;becauseMD4wasdesignedtobeexceptionallyfast,itis"attheedge"intermsofriskingsuccessfulcryptanalyticattack.MD5backsoffabit,givingupalittleinspeedforamuchgreaterlikelihoodofultimatesecurity.Itincorporatessomesuggestionsmadebyvariousreviewers,andcontainsadditionaloptimizations.TheMD5algorithmisbeingplacedinthepublicdomainforreviewandpossibleadoptionasastandard.
ForOSI-basedapplications,MD5'sobjectidentifieris
md5OBJECTIDENTIFIER:
:
=
iso
(1)member-body
(2)US(840)rsadsi(113549)digestAlgorithm
(2)5}
IntheX.509typeAlgorithmIdentifier[3],theparametersforMD5shouldhavetypeNULL.
2.TerminologyandNotation
Inthisdocumenta"word"isa32-bitquantityanda"byte"isaneight-bitquantity.Asequenceofbitscanbeinterpretedinanaturalmannerasasequenceofbytes,whereeachconsecutivegroupofeightbitsisinterpretedasabytewiththehigh-order(mostsignificant)bitofeachbytelistedfirst.Similarly,asequenceofbytescanbeinterpretedasasequenceof32-bitwords,whereeachconsecutivegroupoffourbytesisinterpretedasawordwiththelow-order(leastsignificant)bytegivenfirst.
Letx_idenote"xsubi".Ifthesubscriptisanexpression,wesurrounditinbraces,asinx_{i+1}.Similarly,weuse^forsuperscripts(exponentiation),sothatx^idenotesxtothei-thpower.
Letthesymbol"+"denoteadditionofwords(i.e.,modulo-2^32addition).LetX<<Rivest[Page2]
RFC1321MD5Message-DigestAlgorithmApril1992
3.MD5AlgorithmDescription
Webeginbysupposingthatwehaveab-bitmessageasinput,andthatwewishtofinditsmessagedigest.Herebisanarbitrarynonnegativeinteger;bmaybezero,itneednotbeamultipleofeight,anditmaybearbitrarilylarge.Weimaginethebitsofthemessagewrittendownasfollows:
m_0m_1...m_{b-1}
Thefollowingfivestepsareperformedtocomputethemessagedigestofthemessage.
3.1Step1.AppendPaddingBits
Themessageis"padded"(extended)sothatitslength(inbits)iscongruentto448,modulo512.Thatis,themessageisextendedsothatitisjust64bitsshyofbeingamultipleof512bitslong.Paddingisalwaysperformed,evenifthelengthofthemessageisalreadycongruentto448,modulo512.
Paddingisperformedasfollows:
asingle"1"bitisappendedtothemessage,andthen"0"bitsareappendedsothatthelengthinbitsofthepaddedmessagebecomescongruentto448,modulo512.Inall,atleastonebitandatmost512bitsareappended.
3.2Step2.AppendLength
A64-bitrepresentationofb(thelengthofthemessagebeforethepaddingbitswereadded)isappendedtotheresultofthepreviousstep.Intheunlikelyeventthatbisgreaterthan2^64,thenonlythelow-order64bitsofbareused.(Thesebitsareappendedastwo32-bitwordsandappendedlow-orderwordfirstinaccordancewiththepreviousconventions.)
Atthispointtheresultingmessage(afterpaddingwithbitsandwithb)hasalengththatisanexactmultipleof512bits.Equivalently,thismessagehasalengththatisanexactmultipleof16(32-bit)words.LetM[0...N-1]denotethewordsoftheresultingmessage,whereNisamultipleof16.
3.3Step3.InitializeMDBuffer
Afour-wordbuffer(A,B,C,D)isusedtocomputethemessagedigest.HereeachofA,B,C,Disa32-bitregister.Theseregistersareinitializedtothefollowingvaluesinhexadecimal,low-orderbytesfirst):
Rivest[Page3]
RFC1321MD5Message-DigestAlgorithmApril1992
wordA:
01234567
wordB:
89abcdef
wordC:
fedcba98
wordD:
76543210
3.4Step4.ProcessMessagein16-WordBlocks
Wefirstdefinefourauxiliaryfunctionsthateachtakeasinputthree32-bitwordsandproduceasoutputone32-bitword.
F(X,Y,Z)=XYvnot(X)Z
G(X,Y,Z)=XZvYnot(Z)
H(X,Y,Z)=XxorYxorZ
I(X,Y,Z)=Yxor(Xvnot(Z))
IneachbitpositionFactsasaconditional:
ifXthenYelseZ.ThefunctionFcouldhavebeendefinedusing+insteadofvsinceXYandnot(X)Zwillneverhave1'sinthesamebitposition.)ItisinterestingtonotethatifthebitsofX,Y,andZareindependentandunbiased,theeachbitofF(X,Y,Z)willbeindependentandunbiased.
ThefunctionsG,H,andIaresimilartothefunctionF,inthattheyactin"bitwiseparallel"toproducetheiroutputfromthebitsofX,Y,andZ,insuchamannerthatifthecorrespondingbitsofX,Y,andZareindependentandunbiased,theneachbitofG(X,Y,Z),H(X,Y,Z),andI(X,Y,Z)willbeindependentandunbiased.NotethatthefunctionHisthebit-wise"xor"or"parity"functionofitsinputs.
Thisstepusesa64-elementtableT[1...64]constructedfromthesinefunction.LetT[i]denotethei-thelementofthetable,whichisequaltotheintegerpartof4294967296timesabs(sin(i)),whereiisinradians.Theelementsofthetablearegivenintheappendix.
Dothefollowing:
/*Processeach16-wordblock.*/
Fori=0toN/16-1do
/*CopyblockiintoX.*/
Forj=0to15do
SetX[j]toM[i*16+j].
end/*oflooponj*/
/*SaveAasAA,BasBB,CasCC,andDasDD.*/
AA=A
BB=B
Rivest[Page4]
RFC1321MD5Message-DigestAlgorithmApril1992
CC=C
DD=D
/*Round1.*/
/*Let[abcdksi]denotetheoperation
a=b+((a+F(b,c,d)+X[k]+T[i])<</*Dothefollowing16operations.*/
[ABCD071][DABC1122][CDAB2173][BCDA3224]
[ABCD475][DABC5126][CDAB6177][BCDA7228]
[ABCD879][DABC91210][CDAB101711][BCDA112212]
[ABCD12713][DABC131214][CDAB141715][BCDA152216]
/*Round2.*/
/*Let[abcdksi]denotetheoperation
a=b+((a+G(b,c,d)+X[k]+T[i])<</*Dothefollowing16operations.*/
[ABCD1517][DABC6918][CDAB111419][BCDA02020]
[ABCD5521][DABC10922][CDAB151423][BCDA42024]
[ABCD9525][DABC14926][CDAB31427][BCDA82028]
[ABCD13529][DABC2930][CDAB71431][BCDA122032]
/*Round3.*/
/*Let[abcdkst]denotetheoperation
a=b+((a+H(b,c,d)+X[k]+T[i])<</*Dothefollowing16operations.*/
[ABCD5433][DABC81134][CDAB111635][BCDA142336]
[ABCD1437][DABC41138][CDAB71639][BCDA102340]
[ABCD13441][DABC01142][CDAB31643][BCDA62344]
[ABCD9445][DABC121146][CDAB151647][BCDA22348]
/*Round4.*/
/*Let[abcdkst]denotetheoperation
a=b+((a+I(b,c,d)+X[k]+T[i])<</*Dothefollowing16operations.*/
[ABCD0649][DABC71050][CDAB141551][BCDA52152]
[ABCD12653][DABC31054][CDAB101555][BCDA12156]
[ABCD8657][DABC151058][CDAB61559][BCDA132160]
[ABCD4661][DABC111062][CDAB21563][BCDA92164]
/*Thenperformthefollowingadditions.(Thatisincrementeach
ofthefourregistersbythevalueithadbeforethisblock
wasstarted.)*/
A=A+AA
B=B+BB
C=C+CC
D=D+DD
end/*oflooponi*/
Rivest[Page5]
RFC1321MD5Message-DigestAlgorithmApril1992
3.5Step5.Output
ThemessagedigestproducedasoutputisA,B,C,D.Thatis,webeginwiththelow-orderbyteofA,andendwiththehigh-orderbyteofD.
ThiscompletesthedescriptionofMD5.AreferenceimplementationinCisgivenintheappendix.
4.Summary
TheMD5message-digestalgorithmissimpletoimplement,andprovidesa"fingerprint"ormessagedigestofamessageofarbitrarylength.Itisconjecturedthatthedifficultyofcomingupwithtwomessageshavingthesamemessagedigesti
升级会员 