The MD5 MessageDigest Algorithm
RFC 1321
Document  Type 
RFC  Informational
(April 1992; Errata)
Updated by RFC 6151



Last updated  20200121  
Stream  IETF  
Formats  plain text html pdf htmlized with errata bibtex  
Stream  WG state  (None)  
Document shepherd  No shepherd assigned  
IESG  IESG state  RFC 1321 (Informational)  
Consensus Boilerplate  Unknown  
Telechat date  
Responsible AD  (None)  
Send notices to  (None) 
Network Working Group R. Rivest Request for Comments: 1321 MIT Laboratory for Computer Science and RSA Data Security, Inc. April 1992 The MD5 MessageDigest Algorithm Status of this Memo This memo provides information for the Internet community. It does not specify an Internet standard. Distribution of this memo is unlimited. Acknowlegements We would like to thank Don Coppersmith, Burt Kaliski, Ralph Merkle, David Chaum, and Noam Nisan for numerous helpful comments and suggestions. Table of Contents 1. Executive Summary 1 2. Terminology and Notation 2 3. MD5 Algorithm Description 3 4. Summary 6 5. Differences Between MD4 and MD5 6 References 7 APPENDIX A  Reference Implementation 7 Security Considerations 21 Author's Address 21 1. Executive Summary This document describes the MD5 messagedigest algorithm. The algorithm takes as input a message of arbitrary length and produces as output a 128bit "fingerprint" or "message digest" of the input. It is conjectured that it is computationally infeasible to produce two messages having the same message digest, or to produce any message having a given prespecified target message digest. The MD5 algorithm is intended for digital signature applications, where a large file must be "compressed" in a secure manner before being encrypted with a private (secret) key under a publickey cryptosystem such as RSA. Rivest [Page 1] RFC 1321 MD5 MessageDigest Algorithm April 1992 The MD5 algorithm is designed to be quite fast on 32bit machines. In addition, the MD5 algorithm does not require any large substitution tables; the algorithm can be coded quite compactly. The MD5 algorithm is an extension of the MD4 messagedigest algorithm 1,2]. MD5 is slightly slower than MD4, but is more "conservative" in design. MD5 was designed because it was felt that MD4 was perhaps being adopted for use more quickly than justified by the existing critical review; because MD4 was designed to be exceptionally fast, it is "at the edge" in terms of risking successful cryptanalytic attack. MD5 backs off a bit, giving up a little in speed for a much greater likelihood of ultimate security. It incorporates some suggestions made by various reviewers, and contains additional optimizations. The MD5 algorithm is being placed in the public domain for review and possible adoption as a standard. For OSIbased applications, MD5's object identifier is md5 OBJECT IDENTIFIER ::= iso(1) memberbody(2) US(840) rsadsi(113549) digestAlgorithm(2) 5} In the X.509 type AlgorithmIdentifier [3], the parameters for MD5 should have type NULL. 2. Terminology and Notation In this document a "word" is a 32bit quantity and a "byte" is an eightbit quantity. A sequence of bits can be interpreted in a natural manner as a sequence of bytes, where each consecutive group of eight bits is interpreted as a byte with the highorder (most significant) bit of each byte listed first. Similarly, a sequence of bytes can be interpreted as a sequence of 32bit words, where each consecutive group of four bytes is interpreted as a word with the loworder (least significant) byte given first. Let x_i denote "x sub i". If the subscript is an expression, we surround it in braces, as in x_{i+1}. Similarly, we use ^ for superscripts (exponentiation), so that x^i denotes x to the ith power. Let the symbol "+" denote addition of words (i.e., modulo2^32 addition). Let X <<< s denote the 32bit value obtained by circularly shifting (rotating) X left by s bit positions. Let not(X) denote the bitwise complement of X, and let X v Y denote the bitwise OR of X and Y. Let X xor Y denote the bitwise XOR of X and Y, and let XY denote the bitwise AND of X and Y. Rivest [Page 2] RFC 1321 MD5 MessageDigest Algorithm April 1992 3. MD5 Algorithm Description We begin by supposing that we have a bbit message as input, and that we wish to find its message digest. Here b is an arbitrary nonnegative integer; b may be zero, it need not be a multiple of eight, and it may be arbitrarily large. We imagine the bits of theShow full document text