The MD2 MessageDigest Algorithm
RFC 1319
Document  Type 
RFC  Historic
(April 1992; Errata)
Obsoleted by RFC 6149



Author  Burt Kaliski  
Last updated  20200121  
Stream  IETF  
Formats  plain text html pdf htmlized with errata bibtex  
Stream  WG state  (None)  
Document shepherd  No shepherd assigned  
IESG  IESG state  RFC 1319 (Historic)  
Consensus Boilerplate  Unknown  
Telechat date  
Responsible AD  (None)  
Send notices to  (None) 
Network Working Group B. Kaliski Request for Comments: 1319 RSA Laboratories Updates: RFC 1115 April 1992 The MD2 MessageDigest Algorithm Status of this Memo This memo provides information for the Internet community. It does not specify an Internet standard. Distribution of this memo is unlimited. Acknowlegements The description of MD2 is based on material prepared by John Linn and Ron Rivest. Their permission to incorporate that material is greatly appreciated. Table of Contents 1. Executive Summary 1 2. Terminology and Notation 2 3. MD2 Algorithm Description 2 4. Summary 4 References 5 APPENDIX A  Reference Implementation 5 Security Considerations 17 Author's Address 17 1. Executive Summary This document describes the MD2 messagedigest algorithm. The algorithm takes as input a message of arbitrary length and produces as output a 128bit "fingerprint" or "message digest" of the input. It is conjectured that it is computationally infeasible to produce two messages having the same message digest, or to produce any message having a given prespecified target message digest. The MD2 algorithm is intended for digital signature applications, where a large file must be "compressed" in a secure manner before being signed with a private (secret) key under a publickey cryptosystem such as RSA. License to use MD2 is granted for noncommerical Internet Privacy Enhanced Mail [13]. This document is an update to the August 1989 RFC 1115 [3], which also gives a reference implementation of MD2. The main differences Kaliski [Page 1] RFC 1319 MD2 MessageDigest Algorithm April 1992 are that a textual description of MD2 is included, and that the reference implementation of MD2 is more portable. For OSIbased applications, MD2's object identifier is md2 OBJECT IDENTIFIER ::= iso(1) memberbody(2) US(840) rsadsi(113549) digestAlgorithm(2) 2} In the X.509 type AlgorithmIdentifier [4], the parameters for MD2 should have type NULL. 2. Terminology and Notation In this document, a "byte" is an eightbit quantity. Let x_i denote "x sub i". If the subscript is an expression, we surround it in braces, as in x_{i+1}. Similarly, we use ^ for superscripts (exponentiation), so that x^i denotes x to the ith power. Let X xor Y denote the bitwise XOR of X and Y. 3. MD2 Algorithm Description We begin by supposing that we have a bbyte message as input, and that we wish to find its message digest. Here b is an arbitrary nonnegative integer; b may be zero, and it may be arbitrarily large. We imagine the bytes of the message written down as follows: m_0 m_1 ... m_{b1} The following five steps are performed to compute the message digest of the message. 3.1 Step 1. Append Padding Bytes The message is "padded" (extended) so that its length (in bytes) is congruent to 0, modulo 16. That is, the message is extended so that it is a multiple of 16 bytes long. Padding is always performed, even if the length of the message is already congruent to 0, modulo 16. Padding is performed as follows: "i" bytes of value "i" are appended to the message so that the length in bytes of the padded message becomes congruent to 0, modulo 16. At least one byte and at most 16 16 bytes are appended. At this point the resulting message (after padding with bytes) has a length that is an exact multiple of 16 bytes. Let M[0 ... N1] denote Kaliski [Page 2] RFC 1319 MD2 MessageDigest Algorithm April 1992 the bytes of the resulting message, where N is a multiple of 16. 3.2 Step 2. Append Checksum A 16byte checksum of the message is appended to the result of the previous step. This step uses a 256byte "random" permutation constructed from the digits of pi. Let S[i] denote the ith element of this table. The table is given in the appendix. Do the following: /* Clear checksum. */ For i = 0 to 15 do: Set C[i] to 0. end /* of loop on i */ Set L to 0. /* Process each 16word block. */ For i = 0 to N/161 do /* Checksum block i. */ For j = 0 to 15 do Set c to M[i*16+j]. Set C[j] to S[c xor L].Show full document text