/[cvs]/joko/TestArea/vb/DigestMD5/resources/md5bas/Rivest-MD5.txt
ViewVC logotype

Annotation of /joko/TestArea/vb/DigestMD5/resources/md5bas/Rivest-MD5.txt

Parent Directory Parent Directory | Revision Log Revision Log


Revision 1.1 - (hide annotations)
Mon Jan 20 17:24:07 2003 UTC (21 years, 10 months ago) by joko
Branch: MAIN
CVS Tags: HEAD
File MIME type: text/plain
+ initial check-in

1 joko 1.1
2    
3    
4    
5    
6     Network Working Group R. Rivest
7     Request for Comments: 1321 MIT Laboratory for Computer Science
8     and RSA Data Security, Inc.
9     April 1992
10    
11    
12     The MD5 Message-Digest Algorithm
13    
14     Status of this Memo
15    
16     This memo provides information for the Internet community. It does
17     not specify an Internet standard. Distribution of this memo is
18     unlimited.
19    
20     Acknowlegements
21    
22     We would like to thank Don Coppersmith, Burt Kaliski, Ralph Merkle,
23     David Chaum, and Noam Nisan for numerous helpful comments and
24     suggestions.
25    
26     Table of Contents
27    
28     1. Executive Summary 1
29     2. Terminology and Notation 2
30     3. MD5 Algorithm Description 3
31     4. Summary 6
32     5. Differences Between MD4 and MD5 6
33     References 7
34     APPENDIX A - Reference Implementation 7
35     Security Considerations 21
36     Author's Address 21
37    
38     1. Executive Summary
39    
40     This document describes the MD5 message-digest algorithm. The
41     algorithm takes as input a message of arbitrary length and produces
42     as output a 128-bit "fingerprint" or "message digest" of the input.
43     It is conjectured that it is computationally infeasible to produce
44     two messages having the same message digest, or to produce any
45     message having a given prespecified target message digest. The MD5
46     algorithm is intended for digital signature applications, where a
47     large file must be "compressed" in a secure manner before being
48     encrypted with a private (secret) key under a public-key cryptosystem
49     such as RSA.
50    
51    
52    
53    
54    
55    
56    
57     Rivest [Page 1]
58    
59     RFC 1321 MD5 Message-Digest Algorithm April 1992
60    
61    
62     The MD5 algorithm is designed to be quite fast on 32-bit machines. In
63     addition, the MD5 algorithm does not require any large substitution
64     tables; the algorithm can be coded quite compactly.
65    
66     The MD5 algorithm is an extension of the MD4 message-digest algorithm
67     1,2]. MD5 is slightly slower than MD4, but is more "conservative" in
68     design. MD5 was designed because it was felt that MD4 was perhaps
69     being adopted for use more quickly than justified by the existing
70     critical review; because MD4 was designed to be exceptionally fast,
71     it is "at the edge" in terms of risking successful cryptanalytic
72     attack. MD5 backs off a bit, giving up a little in speed for a much
73     greater likelihood of ultimate security. It incorporates some
74     suggestions made by various reviewers, and contains additional
75     optimizations. The MD5 algorithm is being placed in the public domain
76     for review and possible adoption as a standard.
77    
78     For OSI-based applications, MD5's object identifier is
79    
80     md5 OBJECT IDENTIFIER ::=
81     iso(1) member-body(2) US(840) rsadsi(113549) digestAlgorithm(2) 5}
82    
83     In the X.509 type AlgorithmIdentifier [3], the parameters for MD5
84     should have type NULL.
85    
86     2. Terminology and Notation
87    
88     In this document a "word" is a 32-bit quantity and a "byte" is an
89     eight-bit quantity. A sequence of bits can be interpreted in a
90     natural manner as a sequence of bytes, where each consecutive group
91     of eight bits is interpreted as a byte with the high-order (most
92     significant) bit of each byte listed first. Similarly, a sequence of
93     bytes can be interpreted as a sequence of 32-bit words, where each
94     consecutive group of four bytes is interpreted as a word with the
95     low-order (least significant) byte given first.
96    
97     Let x_i denote "x sub i". If the subscript is an expression, we
98     surround it in braces, as in x_{i+1}. Similarly, we use ^ for
99     superscripts (exponentiation), so that x^i denotes x to the i-th
100     power.
101    
102     Let the symbol "+" denote addition of words (i.e., modulo-2^32
103     addition). Let X <<< s denote the 32-bit value obtained by circularly
104     shifting (rotating) X left by s bit positions. Let not(X) denote the
105     bit-wise complement of X, and let X v Y denote the bit-wise OR of X
106     and Y. Let X xor Y denote the bit-wise XOR of X and Y, and let XY
107     denote the bit-wise AND of X and Y.
108    
109    
110    
111    
112    
113     Rivest [Page 2]
114    
115     RFC 1321 MD5 Message-Digest Algorithm April 1992
116    
117    
118     3. MD5 Algorithm Description
119    
120     We begin by supposing that we have a b-bit message as input, and that
121     we wish to find its message digest. Here b is an arbitrary
122     nonnegative integer; b may be zero, it need not be a multiple of
123     eight, and it may be arbitrarily large. We imagine the bits of the
124     message written down as follows:
125    
126     m_0 m_1 ... m_{b-1}
127    
128     The following five steps are performed to compute the message digest
129     of the message.
130    
131     3.1 Step 1. Append Padding Bits
132    
133     The message is "padded" (extended) so that its length (in bits) is
134     congruent to 448, modulo 512. That is, the message is extended so
135     that it is just 64 bits shy of being a multiple of 512 bits long.
136     Padding is always performed, even if the length of the message is
137     already congruent to 448, modulo 512.
138    
139     Padding is performed as follows: a single "1" bit is appended to the
140     message, and then "0" bits are appended so that the length in bits of
141     the padded message becomes congruent to 448, modulo 512. In all, at
142     least one bit and at most 512 bits are appended.
143    
144     3.2 Step 2. Append Length
145    
146     A 64-bit representation of b (the length of the message before the
147     padding bits were added) is appended to the result of the previous
148     step. In the unlikely event that b is greater than 2^64, then only
149     the low-order 64 bits of b are used. (These bits are appended as two
150     32-bit words and appended low-order word first in accordance with the
151     previous conventions.)
152    
153     At this point the resulting message (after padding with bits and with
154     b) has a length that is an exact multiple of 512 bits. Equivalently,
155     this message has a length that is an exact multiple of 16 (32-bit)
156     words. Let M[0 ... N-1] denote the words of the resulting message,
157     where N is a multiple of 16.
158    
159     3.3 Step 3. Initialize MD Buffer
160    
161     A four-word buffer (A,B,C,D) is used to compute the message digest.
162     Here each of A, B, C, D is a 32-bit register. These registers are
163     initialized to the following values in hexadecimal, low-order bytes
164     first):
165    
166    
167    
168    
169     Rivest [Page 3]
170    
171     RFC 1321 MD5 Message-Digest Algorithm April 1992
172    
173    
174     word A: 01 23 45 67
175     word B: 89 ab cd ef
176     word C: fe dc ba 98
177     word D: 76 54 32 10
178    
179     3.4 Step 4. Process Message in 16-Word Blocks
180    
181     We first define four auxiliary functions that each take as input
182     three 32-bit words and produce as output one 32-bit word.
183    
184     F(X,Y,Z) = XY v not(X) Z
185     G(X,Y,Z) = XZ v Y not(Z)
186     H(X,Y,Z) = X xor Y xor Z
187     I(X,Y,Z) = Y xor (X v not(Z))
188    
189     In each bit position F acts as a conditional: if X then Y else Z.
190     The function F could have been defined using + instead of v since XY
191     and not(X)Z will never have 1's in the same bit position.) It is
192     interesting to note that if the bits of X, Y, and Z are independent
193     and unbiased, the each bit of F(X,Y,Z) will be independent and
194     unbiased.
195    
196     The functions G, H, and I are similar to the function F, in that they
197     act in "bitwise parallel" to produce their output from the bits of X,
198     Y, and Z, in such a manner that if the corresponding bits of X, Y,
199     and Z are independent and unbiased, then each bit of G(X,Y,Z),
200     H(X,Y,Z), and I(X,Y,Z) will be independent and unbiased. Note that
201     the function H is the bit-wise "xor" or "parity" function of its
202     inputs.
203    
204     This step uses a 64-element table T[1 ... 64] constructed from the
205     sine function. Let T[i] denote the i-th element of the table, which
206     is equal to the integer part of 4294967296 times abs(sin(i)), where i
207     is in radians. The elements of the table are given in the appendix.
208    
209     Do the following:
210    
211     /* Process each 16-word block. */
212     For i = 0 to N/16-1 do
213    
214     /* Copy block i into X. */
215     For j = 0 to 15 do
216     Set X[j] to M[i*16+j].
217     end /* of loop on j */
218    
219     /* Save A as AA, B as BB, C as CC, and D as DD. */
220     AA = A
221     BB = B
222    
223    
224    
225     Rivest [Page 4]
226    
227     RFC 1321 MD5 Message-Digest Algorithm April 1992
228    
229    
230     CC = C
231     DD = D
232    
233     /* Round 1. */
234     /* Let [abcd k s i] denote the operation
235     a = b + ((a + F(b,c,d) + X[k] + T[i]) <<< s). */
236     /* Do the following 16 operations. */
237     [ABCD 0 7 1] [DABC 1 12 2] [CDAB 2 17 3] [BCDA 3 22 4]
238     [ABCD 4 7 5] [DABC 5 12 6] [CDAB 6 17 7] [BCDA 7 22 8]
239     [ABCD 8 7 9] [DABC 9 12 10] [CDAB 10 17 11] [BCDA 11 22 12]
240     [ABCD 12 7 13] [DABC 13 12 14] [CDAB 14 17 15] [BCDA 15 22 16]
241    
242     /* Round 2. */
243     /* Let [abcd k s i] denote the operation
244     a = b + ((a + G(b,c,d) + X[k] + T[i]) <<< s). */
245     /* Do the following 16 operations. */
246     [ABCD 1 5 17] [DABC 6 9 18] [CDAB 11 14 19] [BCDA 0 20 20]
247     [ABCD 5 5 21] [DABC 10 9 22] [CDAB 15 14 23] [BCDA 4 20 24]
248     [ABCD 9 5 25] [DABC 14 9 26] [CDAB 3 14 27] [BCDA 8 20 28]
249     [ABCD 13 5 29] [DABC 2 9 30] [CDAB 7 14 31] [BCDA 12 20 32]
250    
251     /* Round 3. */
252     /* Let [abcd k s t] denote the operation
253     a = b + ((a + H(b,c,d) + X[k] + T[i]) <<< s). */
254     /* Do the following 16 operations. */
255     [ABCD 5 4 33] [DABC 8 11 34] [CDAB 11 16 35] [BCDA 14 23 36]
256     [ABCD 1 4 37] [DABC 4 11 38] [CDAB 7 16 39] [BCDA 10 23 40]
257     [ABCD 13 4 41] [DABC 0 11 42] [CDAB 3 16 43] [BCDA 6 23 44]
258     [ABCD 9 4 45] [DABC 12 11 46] [CDAB 15 16 47] [BCDA 2 23 48]
259    
260     /* Round 4. */
261     /* Let [abcd k s t] denote the operation
262     a = b + ((a + I(b,c,d) + X[k] + T[i]) <<< s). */
263     /* Do the following 16 operations. */
264     [ABCD 0 6 49] [DABC 7 10 50] [CDAB 14 15 51] [BCDA 5 21 52]
265     [ABCD 12 6 53] [DABC 3 10 54] [CDAB 10 15 55] [BCDA 1 21 56]
266     [ABCD 8 6 57] [DABC 15 10 58] [CDAB 6 15 59] [BCDA 13 21 60]
267     [ABCD 4 6 61] [DABC 11 10 62] [CDAB 2 15 63] [BCDA 9 21 64]
268    
269     /* Then perform the following additions. (That is increment each
270     of the four registers by the value it had before this block
271     was started.) */
272     A = A + AA
273     B = B + BB
274     C = C + CC
275     D = D + DD
276    
277     end /* of loop on i */
278    
279    
280    
281     Rivest [Page 5]
282    
283     RFC 1321 MD5 Message-Digest Algorithm April 1992
284    
285    
286     3.5 Step 5. Output
287    
288     The message digest produced as output is A, B, C, D. That is, we
289     begin with the low-order byte of A, and end with the high-order byte
290     of D.
291    
292     This completes the description of MD5. A reference implementation in
293     C is given in the appendix.
294    
295     4. Summary
296    
297     The MD5 message-digest algorithm is simple to implement, and provides
298     a "fingerprint" or message digest of a message of arbitrary length.
299     It is conjectured that the difficulty of coming up with two messages
300     having the same message digest is on the order of 2^64 operations,
301     and that the difficulty of coming up with any message having a given
302     message digest is on the order of 2^128 operations. The MD5 algorithm
303     has been carefully scrutinized for weaknesses. It is, however, a
304     relatively new algorithm and further security analysis is of course
305     justified, as is the case with any new proposal of this sort.
306    
307     5. Differences Between MD4 and MD5
308    
309     The following are the differences between MD4 and MD5:
310    
311     1. A fourth round has been added.
312    
313     2. Each step now has a unique additive constant.
314    
315     3. The function g in round 2 was changed from (XY v XZ v YZ) to
316     (XZ v Y not(Z)) to make g less symmetric.
317    
318     4. Each step now adds in the result of the previous step. This
319     promotes a faster "avalanche effect".
320    
321     5. The order in which input words are accessed in rounds 2 and
322     3 is changed, to make these patterns less like each other.
323    
324     6. The shift amounts in each round have been approximately
325     optimized, to yield a faster "avalanche effect." The shifts in
326     different rounds are distinct.
327    
328    
329    
330    
331    
332    
333    
334    
335    
336    
337     Rivest [Page 6]
338    
339     RFC 1321 MD5 Message-Digest Algorithm April 1992
340    
341    
342     References
343    
344     [1] Rivest, R., "The MD4 Message Digest Algorithm", RFC 1320, MIT and
345     RSA Data Security, Inc., April 1992.
346    
347     [2] Rivest, R., "The MD4 message digest algorithm", in A.J. Menezes
348     and S.A. Vanstone, editors, Advances in Cryptology - CRYPTO '90
349     Proceedings, pages 303-311, Springer-Verlag, 1991.
350    
351     [3] CCITT Recommendation X.509 (1988), "The Directory -
352     Authentication Framework."
353    
354     APPENDIX A - Reference Implementation
355    
356     This appendix contains the following files taken from RSAREF: A
357     Cryptographic Toolkit for Privacy-Enhanced Mail:
358    
359     global.h -- global header file
360    
361     md5.h -- header file for MD5
362    
363     md5c.c -- source code for MD5
364    
365     For more information on RSAREF, send email to <rsaref@rsa.com>.
366    
367     The appendix also includes the following file:
368    
369     mddriver.c -- test driver for MD2, MD4 and MD5
370    
371     The driver compiles for MD5 by default but can compile for MD2 or MD4
372     if the symbol MD is defined on the C compiler command line as 2 or 4.
373    
374     The implementation is portable and should work on many different
375     plaforms. However, it is not difficult to optimize the implementation
376     on particular platforms, an exercise left to the reader. For example,
377     on "little-endian" platforms where the lowest-addressed byte in a 32-
378     bit word is the least significant and there are no alignment
379     restrictions, the call to Decode in MD5Transform can be replaced with
380     a typecast.
381    
382     A.1 global.h
383    
384     /* GLOBAL.H - RSAREF types and constants
385     */
386    
387     /* PROTOTYPES should be set to one if and only if the compiler supports
388     function argument prototyping.
389     The following makes PROTOTYPES default to 0 if it has not already
390    
391    
392    
393     Rivest [Page 7]
394    
395     RFC 1321 MD5 Message-Digest Algorithm April 1992
396    
397    
398     been defined with C compiler flags.
399     */
400     #ifndef PROTOTYPES
401     #define PROTOTYPES 0
402     #endif
403    
404     /* POINTER defines a generic pointer type */
405     typedef unsigned char *POINTER;
406    
407     /* UINT2 defines a two byte word */
408     typedef unsigned short int UINT2;
409    
410     /* UINT4 defines a four byte word */
411     typedef unsigned long int UINT4;
412    
413     /* PROTO_LIST is defined depending on how PROTOTYPES is defined above.
414     If using PROTOTYPES, then PROTO_LIST returns the list, otherwise it
415     returns an empty list.
416     */
417     #if PROTOTYPES
418     #define PROTO_LIST(list) list
419     #else
420     #define PROTO_LIST(list) ()
421     #endif
422    
423     A.2 md5.h
424    
425     /* MD5.H - header file for MD5C.C
426     */
427    
428     /* Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All
429     rights reserved.
430    
431     License to copy and use this software is granted provided that it
432     is identified as the "RSA Data Security, Inc. MD5 Message-Digest
433     Algorithm" in all material mentioning or referencing this software
434     or this function.
435    
436     License is also granted to make and use derivative works provided
437     that such works are identified as "derived from the RSA Data
438     Security, Inc. MD5 Message-Digest Algorithm" in all material
439     mentioning or referencing the derived work.
440    
441     RSA Data Security, Inc. makes no representations concerning either
442     the merchantability of this software or the suitability of this
443     software for any particular purpose. It is provided "as is"
444     without express or implied warranty of any kind.
445    
446    
447    
448    
449     Rivest [Page 8]
450    
451     RFC 1321 MD5 Message-Digest Algorithm April 1992
452    
453    
454     These notices must be retained in any copies of any part of this
455     documentation and/or software.
456     */
457    
458     /* MD5 context. */
459     typedef struct {
460     UINT4 state[4]; /* state (ABCD) */
461     UINT4 count[2]; /* number of bits, modulo 2^64 (lsb first) */
462     unsigned char buffer[64]; /* input buffer */
463     } MD5_CTX;
464    
465     void MD5Init PROTO_LIST ((MD5_CTX *));
466     void MD5Update PROTO_LIST
467     ((MD5_CTX *, unsigned char *, unsigned int));
468     void MD5Final PROTO_LIST ((unsigned char [16], MD5_CTX *));
469    
470     A.3 md5c.c
471    
472     /* MD5C.C - RSA Data Security, Inc., MD5 message-digest algorithm
473     */
474    
475     /* Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All
476     rights reserved.
477    
478     License to copy and use this software is granted provided that it
479     is identified as the "RSA Data Security, Inc. MD5 Message-Digest
480     Algorithm" in all material mentioning or referencing this software
481     or this function.
482    
483     License is also granted to make and use derivative works provided
484     that such works are identified as "derived from the RSA Data
485     Security, Inc. MD5 Message-Digest Algorithm" in all material
486     mentioning or referencing the derived work.
487    
488     RSA Data Security, Inc. makes no representations concerning either
489     the merchantability of this software or the suitability of this
490     software for any particular purpose. It is provided "as is"
491     without express or implied warranty of any kind.
492    
493     These notices must be retained in any copies of any part of this
494     documentation and/or software.
495     */
496    
497     #include "global.h"
498     #include "md5.h"
499    
500     /* Constants for MD5Transform routine.
501     */
502    
503    
504    
505     Rivest [Page 9]
506    
507     RFC 1321 MD5 Message-Digest Algorithm April 1992
508    
509    
510     #define S11 7
511     #define S12 12
512     #define S13 17
513     #define S14 22
514     #define S21 5
515     #define S22 9
516     #define S23 14
517     #define S24 20
518     #define S31 4
519     #define S32 11
520     #define S33 16
521     #define S34 23
522     #define S41 6
523     #define S42 10
524     #define S43 15
525     #define S44 21
526    
527     static void MD5Transform PROTO_LIST ((UINT4 [4], unsigned char [64]));
528     static void Encode PROTO_LIST
529     ((unsigned char *, UINT4 *, unsigned int));
530     static void Decode PROTO_LIST
531     ((UINT4 *, unsigned char *, unsigned int));
532     static void MD5_memcpy PROTO_LIST ((POINTER, POINTER, unsigned int));
533     static void MD5_memset PROTO_LIST ((POINTER, int, unsigned int));
534    
535     static unsigned char PADDING[64] = {
536     0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
537     0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
538     0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
539     };
540    
541     /* F, G, H and I are basic MD5 functions.
542     */
543     #define F(x, y, z) (((x) & (y)) | ((~x) & (z)))
544     #define G(x, y, z) (((x) & (z)) | ((y) & (~z)))
545     #define H(x, y, z) ((x) ^ (y) ^ (z))
546     #define I(x, y, z) ((y) ^ ((x) | (~z)))
547    
548     /* ROTATE_LEFT rotates x left n bits.
549     */
550     #define ROTATE_LEFT(x, n) (((x) << (n)) | ((x) >> (32-(n))))
551    
552     /* FF, GG, HH, and II transformations for rounds 1, 2, 3, and 4.
553     Rotation is separate from addition to prevent recomputation.
554     */
555     #define FF(a, b, c, d, x, s, ac) { \
556     (a) += F ((b), (c), (d)) + (x) + (UINT4)(ac); \
557     (a) = ROTATE_LEFT ((a), (s)); \
558    
559    
560    
561     Rivest [Page 10]
562    
563     RFC 1321 MD5 Message-Digest Algorithm April 1992
564    
565    
566     (a) += (b); \
567     }
568     #define GG(a, b, c, d, x, s, ac) { \
569     (a) += G ((b), (c), (d)) + (x) + (UINT4)(ac); \
570     (a) = ROTATE_LEFT ((a), (s)); \
571     (a) += (b); \
572     }
573     #define HH(a, b, c, d, x, s, ac) { \
574     (a) += H ((b), (c), (d)) + (x) + (UINT4)(ac); \
575     (a) = ROTATE_LEFT ((a), (s)); \
576     (a) += (b); \
577     }
578     #define II(a, b, c, d, x, s, ac) { \
579     (a) += I ((b), (c), (d)) + (x) + (UINT4)(ac); \
580     (a) = ROTATE_LEFT ((a), (s)); \
581     (a) += (b); \
582     }
583    
584     /* MD5 initialization. Begins an MD5 operation, writing a new context.
585     */
586     void MD5Init (context)
587     MD5_CTX *context; /* context */
588     {
589     context->count[0] = context->count[1] = 0;
590     /* Load magic initialization constants.
591     */
592     context->state[0] = 0x67452301;
593     context->state[1] = 0xefcdab89;
594     context->state[2] = 0x98badcfe;
595     context->state[3] = 0x10325476;
596     }
597    
598     /* MD5 block update operation. Continues an MD5 message-digest
599     operation, processing another message block, and updating the
600     context.
601     */
602     void MD5Update (context, input, inputLen)
603     MD5_CTX *context; /* context */
604     unsigned char *input; /* input block */
605     unsigned int inputLen; /* length of input block */
606     {
607     unsigned int i, index, partLen;
608    
609     /* Compute number of bytes mod 64 */
610     index = (unsigned int)((context->count[0] >> 3) & 0x3F);
611    
612     /* Update number of bits */
613     if ((context->count[0] += ((UINT4)inputLen << 3))
614    
615    
616    
617     Rivest [Page 11]
618    
619     RFC 1321 MD5 Message-Digest Algorithm April 1992
620    
621    
622     < ((UINT4)inputLen << 3))
623     context->count[1]++;
624     context->count[1] += ((UINT4)inputLen >> 29);
625    
626     partLen = 64 - index;
627    
628     /* Transform as many times as possible.
629     */
630     if (inputLen >= partLen) {
631     MD5_memcpy
632     ((POINTER)&context->buffer[index], (POINTER)input, partLen);
633     MD5Transform (context->state, context->buffer);
634    
635     for (i = partLen; i + 63 < inputLen; i += 64)
636     MD5Transform (context->state, &input[i]);
637    
638     index = 0;
639     }
640     else
641     i = 0;
642    
643     /* Buffer remaining input */
644     MD5_memcpy
645     ((POINTER)&context->buffer[index], (POINTER)&input[i],
646     inputLen-i);
647     }
648    
649     /* MD5 finalization. Ends an MD5 message-digest operation, writing the
650     the message digest and zeroizing the context.
651     */
652     void MD5Final (digest, context)
653     unsigned char digest[16]; /* message digest */
654     MD5_CTX *context; /* context */
655     {
656     unsigned char bits[8];
657     unsigned int index, padLen;
658    
659     /* Save number of bits */
660     Encode (bits, context->count, 8);
661    
662     /* Pad out to 56 mod 64.
663     */
664     index = (unsigned int)((context->count[0] >> 3) & 0x3f);
665     padLen = (index < 56) ? (56 - index) : (120 - index);
666     MD5Update (context, PADDING, padLen);
667    
668     /* Append length (before padding) */
669     MD5Update (context, bits, 8);
670    
671    
672    
673     Rivest [Page 12]
674    
675     RFC 1321 MD5 Message-Digest Algorithm April 1992
676    
677    
678     /* Store state in digest */
679     Encode (digest, context->state, 16);
680    
681     /* Zeroize sensitive information.
682     */
683     MD5_memset ((POINTER)context, 0, sizeof (*context));
684     }
685    
686     /* MD5 basic transformation. Transforms state based on block.
687     */
688     static void MD5Transform (state, block)
689     UINT4 state[4];
690     unsigned char block[64];
691     {
692     UINT4 a = state[0], b = state[1], c = state[2], d = state[3], x[16];
693    
694     Decode (x, block, 64);
695    
696     /* Round 1 */
697     FF (a, b, c, d, x[ 0], S11, 0xd76aa478); /* 1 */
698     FF (d, a, b, c, x[ 1], S12, 0xe8c7b756); /* 2 */
699     FF (c, d, a, b, x[ 2], S13, 0x242070db); /* 3 */
700     FF (b, c, d, a, x[ 3], S14, 0xc1bdceee); /* 4 */
701     FF (a, b, c, d, x[ 4], S11, 0xf57c0faf); /* 5 */
702     FF (d, a, b, c, x[ 5], S12, 0x4787c62a); /* 6 */
703     FF (c, d, a, b, x[ 6], S13, 0xa8304613); /* 7 */
704     FF (b, c, d, a, x[ 7], S14, 0xfd469501); /* 8 */
705     FF (a, b, c, d, x[ 8], S11, 0x698098d8); /* 9 */
706     FF (d, a, b, c, x[ 9], S12, 0x8b44f7af); /* 10 */
707     FF (c, d, a, b, x[10], S13, 0xffff5bb1); /* 11 */
708     FF (b, c, d, a, x[11], S14, 0x895cd7be); /* 12 */
709     FF (a, b, c, d, x[12], S11, 0x6b901122); /* 13 */
710     FF (d, a, b, c, x[13], S12, 0xfd987193); /* 14 */
711     FF (c, d, a, b, x[14], S13, 0xa679438e); /* 15 */
712     FF (b, c, d, a, x[15], S14, 0x49b40821); /* 16 */
713    
714     /* Round 2 */
715     GG (a, b, c, d, x[ 1], S21, 0xf61e2562); /* 17 */
716     GG (d, a, b, c, x[ 6], S22, 0xc040b340); /* 18 */
717     GG (c, d, a, b, x[11], S23, 0x265e5a51); /* 19 */
718     GG (b, c, d, a, x[ 0], S24, 0xe9b6c7aa); /* 20 */
719     GG (a, b, c, d, x[ 5], S21, 0xd62f105d); /* 21 */
720     GG (d, a, b, c, x[10], S22, 0x2441453); /* 22 */
721     GG (c, d, a, b, x[15], S23, 0xd8a1e681); /* 23 */
722     GG (b, c, d, a, x[ 4], S24, 0xe7d3fbc8); /* 24 */
723     GG (a, b, c, d, x[ 9], S21, 0x21e1cde6); /* 25 */
724     GG (d, a, b, c, x[14], S22, 0xc33707d6); /* 26 */
725     GG (c, d, a, b, x[ 3], S23, 0xf4d50d87); /* 27 */
726    
727    
728    
729     Rivest [Page 13]
730    
731     RFC 1321 MD5 Message-Digest Algorithm April 1992
732    
733    
734     GG (b, c, d, a, x[ 8], S24, 0x455a14ed); /* 28 */
735     GG (a, b, c, d, x[13], S21, 0xa9e3e905); /* 29 */
736     GG (d, a, b, c, x[ 2], S22, 0xfcefa3f8); /* 30 */
737     GG (c, d, a, b, x[ 7], S23, 0x676f02d9); /* 31 */
738     GG (b, c, d, a, x[12], S24, 0x8d2a4c8a); /* 32 */
739    
740     /* Round 3 */
741     HH (a, b, c, d, x[ 5], S31, 0xfffa3942); /* 33 */
742     HH (d, a, b, c, x[ 8], S32, 0x8771f681); /* 34 */
743     HH (c, d, a, b, x[11], S33, 0x6d9d6122); /* 35 */
744     HH (b, c, d, a, x[14], S34, 0xfde5380c); /* 36 */
745     HH (a, b, c, d, x[ 1], S31, 0xa4beea44); /* 37 */
746     HH (d, a, b, c, x[ 4], S32, 0x4bdecfa9); /* 38 */
747     HH (c, d, a, b, x[ 7], S33, 0xf6bb4b60); /* 39 */
748     HH (b, c, d, a, x[10], S34, 0xbebfbc70); /* 40 */
749     HH (a, b, c, d, x[13], S31, 0x289b7ec6); /* 41 */
750     HH (d, a, b, c, x[ 0], S32, 0xeaa127fa); /* 42 */
751     HH (c, d, a, b, x[ 3], S33, 0xd4ef3085); /* 43 */
752     HH (b, c, d, a, x[ 6], S34, 0x4881d05); /* 44 */
753     HH (a, b, c, d, x[ 9], S31, 0xd9d4d039); /* 45 */
754     HH (d, a, b, c, x[12], S32, 0xe6db99e5); /* 46 */
755     HH (c, d, a, b, x[15], S33, 0x1fa27cf8); /* 47 */
756     HH (b, c, d, a, x[ 2], S34, 0xc4ac5665); /* 48 */
757    
758     /* Round 4 */
759     II (a, b, c, d, x[ 0], S41, 0xf4292244); /* 49 */
760     II (d, a, b, c, x[ 7], S42, 0x432aff97); /* 50 */
761     II (c, d, a, b, x[14], S43, 0xab9423a7); /* 51 */
762     II (b, c, d, a, x[ 5], S44, 0xfc93a039); /* 52 */
763     II (a, b, c, d, x[12], S41, 0x655b59c3); /* 53 */
764     II (d, a, b, c, x[ 3], S42, 0x8f0ccc92); /* 54 */
765     II (c, d, a, b, x[10], S43, 0xffeff47d); /* 55 */
766     II (b, c, d, a, x[ 1], S44, 0x85845dd1); /* 56 */
767     II (a, b, c, d, x[ 8], S41, 0x6fa87e4f); /* 57 */
768     II (d, a, b, c, x[15], S42, 0xfe2ce6e0); /* 58 */
769     II (c, d, a, b, x[ 6], S43, 0xa3014314); /* 59 */
770     II (b, c, d, a, x[13], S44, 0x4e0811a1); /* 60 */
771     II (a, b, c, d, x[ 4], S41, 0xf7537e82); /* 61 */
772     II (d, a, b, c, x[11], S42, 0xbd3af235); /* 62 */
773     II (c, d, a, b, x[ 2], S43, 0x2ad7d2bb); /* 63 */
774     II (b, c, d, a, x[ 9], S44, 0xeb86d391); /* 64 */
775    
776     state[0] += a;
777     state[1] += b;
778     state[2] += c;
779     state[3] += d;
780    
781     /* Zeroize sensitive information.
782    
783    
784    
785     Rivest [Page 14]
786    
787     RFC 1321 MD5 Message-Digest Algorithm April 1992
788    
789    
790     */
791     MD5_memset ((POINTER)x, 0, sizeof (x));
792     }
793    
794     /* Encodes input (UINT4) into output (unsigned char). Assumes len is
795     a multiple of 4.
796     */
797     static void Encode (output, input, len)
798     unsigned char *output;
799     UINT4 *input;
800     unsigned int len;
801     {
802     unsigned int i, j;
803    
804     for (i = 0, j = 0; j < len; i++, j += 4) {
805     output[j] = (unsigned char)(input[i] & 0xff);
806     output[j+1] = (unsigned char)((input[i] >> 8) & 0xff);
807     output[j+2] = (unsigned char)((input[i] >> 16) & 0xff);
808     output[j+3] = (unsigned char)((input[i] >> 24) & 0xff);
809     }
810     }
811    
812     /* Decodes input (unsigned char) into output (UINT4). Assumes len is
813     a multiple of 4.
814     */
815     static void Decode (output, input, len)
816     UINT4 *output;
817     unsigned char *input;
818     unsigned int len;
819     {
820     unsigned int i, j;
821    
822     for (i = 0, j = 0; j < len; i++, j += 4)
823     output[i] = ((UINT4)input[j]) | (((UINT4)input[j+1]) << 8) |
824     (((UINT4)input[j+2]) << 16) | (((UINT4)input[j+3]) << 24);
825     }
826    
827     /* Note: Replace "for loop" with standard memcpy if possible.
828     */
829    
830     static void MD5_memcpy (output, input, len)
831     POINTER output;
832     POINTER input;
833     unsigned int len;
834     {
835     unsigned int i;
836    
837     for (i = 0; i < len; i++)
838    
839    
840    
841     Rivest [Page 15]
842    
843     RFC 1321 MD5 Message-Digest Algorithm April 1992
844    
845    
846     output[i] = input[i];
847     }
848    
849     /* Note: Replace "for loop" with standard memset if possible.
850     */
851     static void MD5_memset (output, value, len)
852     POINTER output;
853     int value;
854     unsigned int len;
855     {
856     unsigned int i;
857    
858     for (i = 0; i < len; i++)
859     ((char *)output)[i] = (char)value;
860     }
861    
862     A.4 mddriver.c
863    
864     /* MDDRIVER.C - test driver for MD2, MD4 and MD5
865     */
866    
867     /* Copyright (C) 1990-2, RSA Data Security, Inc. Created 1990. All
868     rights reserved.
869    
870     RSA Data Security, Inc. makes no representations concerning either
871     the merchantability of this software or the suitability of this
872     software for any particular purpose. It is provided "as is"
873     without express or implied warranty of any kind.
874    
875     These notices must be retained in any copies of any part of this
876     documentation and/or software.
877     */
878    
879     /* The following makes MD default to MD5 if it has not already been
880     defined with C compiler flags.
881     */
882     #ifndef MD
883     #define MD MD5
884     #endif
885    
886     #include <stdio.h>
887     #include <time.h>
888     #include <string.h>
889     #include "global.h"
890     #if MD == 2
891     #include "md2.h"
892     #endif
893     #if MD == 4
894    
895    
896    
897     Rivest [Page 16]
898    
899     RFC 1321 MD5 Message-Digest Algorithm April 1992
900    
901    
902     #include "md4.h"
903     #endif
904     #if MD == 5
905     #include "md5.h"
906     #endif
907    
908     /* Length of test block, number of test blocks.
909     */
910     #define TEST_BLOCK_LEN 1000
911     #define TEST_BLOCK_COUNT 1000
912    
913     static void MDString PROTO_LIST ((char *));
914     static void MDTimeTrial PROTO_LIST ((void));
915     static void MDTestSuite PROTO_LIST ((void));
916     static void MDFile PROTO_LIST ((char *));
917     static void MDFilter PROTO_LIST ((void));
918     static void MDPrint PROTO_LIST ((unsigned char [16]));
919    
920     #if MD == 2
921     #define MD_CTX MD2_CTX
922     #define MDInit MD2Init
923     #define MDUpdate MD2Update
924     #define MDFinal MD2Final
925     #endif
926     #if MD == 4
927     #define MD_CTX MD4_CTX
928     #define MDInit MD4Init
929     #define MDUpdate MD4Update
930     #define MDFinal MD4Final
931     #endif
932     #if MD == 5
933     #define MD_CTX MD5_CTX
934     #define MDInit MD5Init
935     #define MDUpdate MD5Update
936     #define MDFinal MD5Final
937     #endif
938    
939     /* Main driver.
940    
941     Arguments (may be any combination):
942     -sstring - digests string
943     -t - runs time trial
944     -x - runs test script
945     filename - digests file
946     (none) - digests standard input
947     */
948     int main (argc, argv)
949     int argc;
950    
951    
952    
953     Rivest [Page 17]
954    
955     RFC 1321 MD5 Message-Digest Algorithm April 1992
956    
957    
958     char *argv[];
959     {
960     int i;
961    
962     if (argc > 1)
963     for (i = 1; i < argc; i++)
964     if (argv[i][0] == '-' && argv[i][1] == 's')
965     MDString (argv[i] + 2);
966     else if (strcmp (argv[i], "-t") == 0)
967     MDTimeTrial ();
968     else if (strcmp (argv[i], "-x") == 0)
969     MDTestSuite ();
970     else
971     MDFile (argv[i]);
972     else
973     MDFilter ();
974    
975     return (0);
976     }
977    
978     /* Digests a string and prints the result.
979     */
980     static void MDString (string)
981     char *string;
982     {
983     MD_CTX context;
984     unsigned char digest[16];
985     unsigned int len = strlen (string);
986    
987     MDInit (&context);
988     MDUpdate (&context, string, len);
989     MDFinal (digest, &context);
990    
991     printf ("MD%d (\"%s\") = ", MD, string);
992     MDPrint (digest);
993     printf ("\n");
994     }
995    
996     /* Measures the time to digest TEST_BLOCK_COUNT TEST_BLOCK_LEN-byte
997     blocks.
998     */
999     static void MDTimeTrial ()
1000     {
1001     MD_CTX context;
1002     time_t endTime, startTime;
1003     unsigned char block[TEST_BLOCK_LEN], digest[16];
1004     unsigned int i;
1005    
1006    
1007    
1008    
1009     Rivest [Page 18]
1010    
1011     RFC 1321 MD5 Message-Digest Algorithm April 1992
1012    
1013    
1014     printf
1015     ("MD%d time trial. Digesting %d %d-byte blocks ...", MD,
1016     TEST_BLOCK_LEN, TEST_BLOCK_COUNT);
1017    
1018     /* Initialize block */
1019     for (i = 0; i < TEST_BLOCK_LEN; i++)
1020     block[i] = (unsigned char)(i & 0xff);
1021    
1022     /* Start timer */
1023     time (&startTime);
1024    
1025     /* Digest blocks */
1026     MDInit (&context);
1027     for (i = 0; i < TEST_BLOCK_COUNT; i++)
1028     MDUpdate (&context, block, TEST_BLOCK_LEN);
1029     MDFinal (digest, &context);
1030    
1031     /* Stop timer */
1032     time (&endTime);
1033    
1034     printf (" done\n");
1035     printf ("Digest = ");
1036     MDPrint (digest);
1037     printf ("\nTime = %ld seconds\n", (long)(endTime-startTime));
1038     printf
1039     ("Speed = %ld bytes/second\n",
1040     (long)TEST_BLOCK_LEN * (long)TEST_BLOCK_COUNT/(endTime-startTime));
1041     }
1042    
1043     /* Digests a reference suite of strings and prints the results.
1044     */
1045     static void MDTestSuite ()
1046     {
1047     printf ("MD%d test suite:\n", MD);
1048    
1049     MDString ("");
1050     MDString ("a");
1051     MDString ("abc");
1052     MDString ("message digest");
1053     MDString ("abcdefghijklmnopqrstuvwxyz");
1054     MDString
1055     ("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789");
1056     MDString
1057     ("1234567890123456789012345678901234567890\
1058     1234567890123456789012345678901234567890");
1059     }
1060    
1061     /* Digests a file and prints the result.
1062    
1063    
1064    
1065     Rivest [Page 19]
1066    
1067     RFC 1321 MD5 Message-Digest Algorithm April 1992
1068    
1069    
1070     */
1071     static void MDFile (filename)
1072     char *filename;
1073     {
1074     FILE *file;
1075     MD_CTX context;
1076     int len;
1077     unsigned char buffer[1024], digest[16];
1078    
1079     if ((file = fopen (filename, "rb")) == NULL)
1080     printf ("%s can't be opened\n", filename);
1081    
1082     else {
1083     MDInit (&context);
1084     while (len = fread (buffer, 1, 1024, file))
1085     MDUpdate (&context, buffer, len);
1086     MDFinal (digest, &context);
1087    
1088     fclose (file);
1089    
1090     printf ("MD%d (%s) = ", MD, filename);
1091     MDPrint (digest);
1092     printf ("\n");
1093     }
1094     }
1095    
1096     /* Digests the standard input and prints the result.
1097     */
1098     static void MDFilter ()
1099     {
1100     MD_CTX context;
1101     int len;
1102     unsigned char buffer[16], digest[16];
1103    
1104     MDInit (&context);
1105     while (len = fread (buffer, 1, 16, stdin))
1106     MDUpdate (&context, buffer, len);
1107     MDFinal (digest, &context);
1108    
1109     MDPrint (digest);
1110     printf ("\n");
1111     }
1112    
1113     /* Prints a message digest in hexadecimal.
1114     */
1115     static void MDPrint (digest)
1116     unsigned char digest[16];
1117     {
1118    
1119    
1120    
1121     Rivest [Page 20]
1122    
1123     RFC 1321 MD5 Message-Digest Algorithm April 1992
1124    
1125    
1126     unsigned int i;
1127    
1128     for (i = 0; i < 16; i++)
1129     printf ("%02x", digest[i]);
1130     }
1131    
1132     A.5 Test suite
1133    
1134     The MD5 test suite (driver option "-x") should print the following
1135     results:
1136    
1137     MD5 test suite:
1138     MD5 ("") = d41d8cd98f00b204e9800998ecf8427e
1139     MD5 ("a") = 0cc175b9c0f1b6a831c399e269772661
1140     MD5 ("abc") = 900150983cd24fb0d6963f7d28e17f72
1141     MD5 ("message digest") = f96b697d7cb7938d525a2f31aaf161d0
1142     MD5 ("abcdefghijklmnopqrstuvwxyz") = c3fcd3d76192e4007dfb496cca67e13b
1143     MD5 ("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789") =
1144     d174ab98d277d9f5a5611c2c9f419d9f
1145     MD5 ("123456789012345678901234567890123456789012345678901234567890123456
1146     78901234567890") = 57edf4a22be3c955ac49da2e2107b67a
1147    
1148     Security Considerations
1149    
1150     The level of security discussed in this memo is considered to be
1151     sufficient for implementing very high security hybrid digital-
1152     signature schemes based on MD5 and a public-key cryptosystem.
1153    
1154     Author's Address
1155    
1156     Ronald L. Rivest
1157     Massachusetts Institute of Technology
1158     Laboratory for Computer Science
1159     NE43-324
1160     545 Technology Square
1161     Cambridge, MA 02139-1986
1162    
1163     Phone: (617) 253-5880
1164     EMail: rivest@theory.lcs.mit.edu
1165    
1166    
1167    
1168    
1169    
1170    
1171    
1172    
1173    
1174    
1175    
1176    
1177     Rivest [Page 21]
1178    
1179    

MailToCvsAdmin">MailToCvsAdmin
ViewVC Help
Powered by ViewVC 1.1.26 RSS 2.0 feed