/[cvs]/joko/TestArea/vb/DigestMD5/resources/md5bas/Rivest-MD5.txt
ViewVC logotype

Contents of /joko/TestArea/vb/DigestMD5/resources/md5bas/Rivest-MD5.txt

Parent Directory Parent Directory | Revision Log Revision Log


Revision 1.1 - (show annotations)
Mon Jan 20 17:24:07 2003 UTC (21 years, 10 months ago) by joko
Branch: MAIN
CVS Tags: HEAD
File MIME type: text/plain
+ initial check-in

1
2
3
4
5
6 Network Working Group R. Rivest
7 Request for Comments: 1321 MIT Laboratory for Computer Science
8 and RSA Data Security, Inc.
9 April 1992
10
11
12 The MD5 Message-Digest Algorithm
13
14 Status of this Memo
15
16 This memo provides information for the Internet community. It does
17 not specify an Internet standard. Distribution of this memo is
18 unlimited.
19
20 Acknowlegements
21
22 We would like to thank Don Coppersmith, Burt Kaliski, Ralph Merkle,
23 David Chaum, and Noam Nisan for numerous helpful comments and
24 suggestions.
25
26 Table of Contents
27
28 1. Executive Summary 1
29 2. Terminology and Notation 2
30 3. MD5 Algorithm Description 3
31 4. Summary 6
32 5. Differences Between MD4 and MD5 6
33 References 7
34 APPENDIX A - Reference Implementation 7
35 Security Considerations 21
36 Author's Address 21
37
38 1. Executive Summary
39
40 This document describes the MD5 message-digest algorithm. The
41 algorithm takes as input a message of arbitrary length and produces
42 as output a 128-bit "fingerprint" or "message digest" of the input.
43 It is conjectured that it is computationally infeasible to produce
44 two messages having the same message digest, or to produce any
45 message having a given prespecified target message digest. The MD5
46 algorithm is intended for digital signature applications, where a
47 large file must be "compressed" in a secure manner before being
48 encrypted with a private (secret) key under a public-key cryptosystem
49 such as RSA.
50
51
52
53
54
55
56
57 Rivest [Page 1]
58
59 RFC 1321 MD5 Message-Digest Algorithm April 1992
60
61
62 The MD5 algorithm is designed to be quite fast on 32-bit machines. In
63 addition, the MD5 algorithm does not require any large substitution
64 tables; the algorithm can be coded quite compactly.
65
66 The MD5 algorithm is an extension of the MD4 message-digest algorithm
67 1,2]. MD5 is slightly slower than MD4, but is more "conservative" in
68 design. MD5 was designed because it was felt that MD4 was perhaps
69 being adopted for use more quickly than justified by the existing
70 critical review; because MD4 was designed to be exceptionally fast,
71 it is "at the edge" in terms of risking successful cryptanalytic
72 attack. MD5 backs off a bit, giving up a little in speed for a much
73 greater likelihood of ultimate security. It incorporates some
74 suggestions made by various reviewers, and contains additional
75 optimizations. The MD5 algorithm is being placed in the public domain
76 for review and possible adoption as a standard.
77
78 For OSI-based applications, MD5's object identifier is
79
80 md5 OBJECT IDENTIFIER ::=
81 iso(1) member-body(2) US(840) rsadsi(113549) digestAlgorithm(2) 5}
82
83 In the X.509 type AlgorithmIdentifier [3], the parameters for MD5
84 should have type NULL.
85
86 2. Terminology and Notation
87
88 In this document a "word" is a 32-bit quantity and a "byte" is an
89 eight-bit quantity. A sequence of bits can be interpreted in a
90 natural manner as a sequence of bytes, where each consecutive group
91 of eight bits is interpreted as a byte with the high-order (most
92 significant) bit of each byte listed first. Similarly, a sequence of
93 bytes can be interpreted as a sequence of 32-bit words, where each
94 consecutive group of four bytes is interpreted as a word with the
95 low-order (least significant) byte given first.
96
97 Let x_i denote "x sub i". If the subscript is an expression, we
98 surround it in braces, as in x_{i+1}. Similarly, we use ^ for
99 superscripts (exponentiation), so that x^i denotes x to the i-th
100 power.
101
102 Let the symbol "+" denote addition of words (i.e., modulo-2^32
103 addition). Let X <<< s denote the 32-bit value obtained by circularly
104 shifting (rotating) X left by s bit positions. Let not(X) denote the
105 bit-wise complement of X, and let X v Y denote the bit-wise OR of X
106 and Y. Let X xor Y denote the bit-wise XOR of X and Y, and let XY
107 denote the bit-wise AND of X and Y.
108
109
110
111
112
113 Rivest [Page 2]
114
115 RFC 1321 MD5 Message-Digest Algorithm April 1992
116
117
118 3. MD5 Algorithm Description
119
120 We begin by supposing that we have a b-bit message as input, and that
121 we wish to find its message digest. Here b is an arbitrary
122 nonnegative integer; b may be zero, it need not be a multiple of
123 eight, and it may be arbitrarily large. We imagine the bits of the
124 message written down as follows:
125
126 m_0 m_1 ... m_{b-1}
127
128 The following five steps are performed to compute the message digest
129 of the message.
130
131 3.1 Step 1. Append Padding Bits
132
133 The message is "padded" (extended) so that its length (in bits) is
134 congruent to 448, modulo 512. That is, the message is extended so
135 that it is just 64 bits shy of being a multiple of 512 bits long.
136 Padding is always performed, even if the length of the message is
137 already congruent to 448, modulo 512.
138
139 Padding is performed as follows: a single "1" bit is appended to the
140 message, and then "0" bits are appended so that the length in bits of
141 the padded message becomes congruent to 448, modulo 512. In all, at
142 least one bit and at most 512 bits are appended.
143
144 3.2 Step 2. Append Length
145
146 A 64-bit representation of b (the length of the message before the
147 padding bits were added) is appended to the result of the previous
148 step. In the unlikely event that b is greater than 2^64, then only
149 the low-order 64 bits of b are used. (These bits are appended as two
150 32-bit words and appended low-order word first in accordance with the
151 previous conventions.)
152
153 At this point the resulting message (after padding with bits and with
154 b) has a length that is an exact multiple of 512 bits. Equivalently,
155 this message has a length that is an exact multiple of 16 (32-bit)
156 words. Let M[0 ... N-1] denote the words of the resulting message,
157 where N is a multiple of 16.
158
159 3.3 Step 3. Initialize MD Buffer
160
161 A four-word buffer (A,B,C,D) is used to compute the message digest.
162 Here each of A, B, C, D is a 32-bit register. These registers are
163 initialized to the following values in hexadecimal, low-order bytes
164 first):
165
166
167
168
169 Rivest [Page 3]
170
171 RFC 1321 MD5 Message-Digest Algorithm April 1992
172
173
174 word A: 01 23 45 67
175 word B: 89 ab cd ef
176 word C: fe dc ba 98
177 word D: 76 54 32 10
178
179 3.4 Step 4. Process Message in 16-Word Blocks
180
181 We first define four auxiliary functions that each take as input
182 three 32-bit words and produce as output one 32-bit word.
183
184 F(X,Y,Z) = XY v not(X) Z
185 G(X,Y,Z) = XZ v Y not(Z)
186 H(X,Y,Z) = X xor Y xor Z
187 I(X,Y,Z) = Y xor (X v not(Z))
188
189 In each bit position F acts as a conditional: if X then Y else Z.
190 The function F could have been defined using + instead of v since XY
191 and not(X)Z will never have 1's in the same bit position.) It is
192 interesting to note that if the bits of X, Y, and Z are independent
193 and unbiased, the each bit of F(X,Y,Z) will be independent and
194 unbiased.
195
196 The functions G, H, and I are similar to the function F, in that they
197 act in "bitwise parallel" to produce their output from the bits of X,
198 Y, and Z, in such a manner that if the corresponding bits of X, Y,
199 and Z are independent and unbiased, then each bit of G(X,Y,Z),
200 H(X,Y,Z), and I(X,Y,Z) will be independent and unbiased. Note that
201 the function H is the bit-wise "xor" or "parity" function of its
202 inputs.
203
204 This step uses a 64-element table T[1 ... 64] constructed from the
205 sine function. Let T[i] denote the i-th element of the table, which
206 is equal to the integer part of 4294967296 times abs(sin(i)), where i
207 is in radians. The elements of the table are given in the appendix.
208
209 Do the following:
210
211 /* Process each 16-word block. */
212 For i = 0 to N/16-1 do
213
214 /* Copy block i into X. */
215 For j = 0 to 15 do
216 Set X[j] to M[i*16+j].
217 end /* of loop on j */
218
219 /* Save A as AA, B as BB, C as CC, and D as DD. */
220 AA = A
221 BB = B
222
223
224
225 Rivest [Page 4]
226
227 RFC 1321 MD5 Message-Digest Algorithm April 1992
228
229
230 CC = C
231 DD = D
232
233 /* Round 1. */
234 /* Let [abcd k s i] denote the operation
235 a = b + ((a + F(b,c,d) + X[k] + T[i]) <<< s). */
236 /* Do the following 16 operations. */
237 [ABCD 0 7 1] [DABC 1 12 2] [CDAB 2 17 3] [BCDA 3 22 4]
238 [ABCD 4 7 5] [DABC 5 12 6] [CDAB 6 17 7] [BCDA 7 22 8]
239 [ABCD 8 7 9] [DABC 9 12 10] [CDAB 10 17 11] [BCDA 11 22 12]
240 [ABCD 12 7 13] [DABC 13 12 14] [CDAB 14 17 15] [BCDA 15 22 16]
241
242 /* Round 2. */
243 /* Let [abcd k s i] denote the operation
244 a = b + ((a + G(b,c,d) + X[k] + T[i]) <<< s). */
245 /* Do the following 16 operations. */
246 [ABCD 1 5 17] [DABC 6 9 18] [CDAB 11 14 19] [BCDA 0 20 20]
247 [ABCD 5 5 21] [DABC 10 9 22] [CDAB 15 14 23] [BCDA 4 20 24]
248 [ABCD 9 5 25] [DABC 14 9 26] [CDAB 3 14 27] [BCDA 8 20 28]
249 [ABCD 13 5 29] [DABC 2 9 30] [CDAB 7 14 31] [BCDA 12 20 32]
250
251 /* Round 3. */
252 /* Let [abcd k s t] denote the operation
253 a = b + ((a + H(b,c,d) + X[k] + T[i]) <<< s). */
254 /* Do the following 16 operations. */
255 [ABCD 5 4 33] [DABC 8 11 34] [CDAB 11 16 35] [BCDA 14 23 36]
256 [ABCD 1 4 37] [DABC 4 11 38] [CDAB 7 16 39] [BCDA 10 23 40]
257 [ABCD 13 4 41] [DABC 0 11 42] [CDAB 3 16 43] [BCDA 6 23 44]
258 [ABCD 9 4 45] [DABC 12 11 46] [CDAB 15 16 47] [BCDA 2 23 48]
259
260 /* Round 4. */
261 /* Let [abcd k s t] denote the operation
262 a = b + ((a + I(b,c,d) + X[k] + T[i]) <<< s). */
263 /* Do the following 16 operations. */
264 [ABCD 0 6 49] [DABC 7 10 50] [CDAB 14 15 51] [BCDA 5 21 52]
265 [ABCD 12 6 53] [DABC 3 10 54] [CDAB 10 15 55] [BCDA 1 21 56]
266 [ABCD 8 6 57] [DABC 15 10 58] [CDAB 6 15 59] [BCDA 13 21 60]
267 [ABCD 4 6 61] [DABC 11 10 62] [CDAB 2 15 63] [BCDA 9 21 64]
268
269 /* Then perform the following additions. (That is increment each
270 of the four registers by the value it had before this block
271 was started.) */
272 A = A + AA
273 B = B + BB
274 C = C + CC
275 D = D + DD
276
277 end /* of loop on i */
278
279
280
281 Rivest [Page 5]
282
283 RFC 1321 MD5 Message-Digest Algorithm April 1992
284
285
286 3.5 Step 5. Output
287
288 The message digest produced as output is A, B, C, D. That is, we
289 begin with the low-order byte of A, and end with the high-order byte
290 of D.
291
292 This completes the description of MD5. A reference implementation in
293 C is given in the appendix.
294
295 4. Summary
296
297 The MD5 message-digest algorithm is simple to implement, and provides
298 a "fingerprint" or message digest of a message of arbitrary length.
299 It is conjectured that the difficulty of coming up with two messages
300 having the same message digest is on the order of 2^64 operations,
301 and that the difficulty of coming up with any message having a given
302 message digest is on the order of 2^128 operations. The MD5 algorithm
303 has been carefully scrutinized for weaknesses. It is, however, a
304 relatively new algorithm and further security analysis is of course
305 justified, as is the case with any new proposal of this sort.
306
307 5. Differences Between MD4 and MD5
308
309 The following are the differences between MD4 and MD5:
310
311 1. A fourth round has been added.
312
313 2. Each step now has a unique additive constant.
314
315 3. The function g in round 2 was changed from (XY v XZ v YZ) to
316 (XZ v Y not(Z)) to make g less symmetric.
317
318 4. Each step now adds in the result of the previous step. This
319 promotes a faster "avalanche effect".
320
321 5. The order in which input words are accessed in rounds 2 and
322 3 is changed, to make these patterns less like each other.
323
324 6. The shift amounts in each round have been approximately
325 optimized, to yield a faster "avalanche effect." The shifts in
326 different rounds are distinct.
327
328
329
330
331
332
333
334
335
336
337 Rivest [Page 6]
338
339 RFC 1321 MD5 Message-Digest Algorithm April 1992
340
341
342 References
343
344 [1] Rivest, R., "The MD4 Message Digest Algorithm", RFC 1320, MIT and
345 RSA Data Security, Inc., April 1992.
346
347 [2] Rivest, R., "The MD4 message digest algorithm", in A.J. Menezes
348 and S.A. Vanstone, editors, Advances in Cryptology - CRYPTO '90
349 Proceedings, pages 303-311, Springer-Verlag, 1991.
350
351 [3] CCITT Recommendation X.509 (1988), "The Directory -
352 Authentication Framework."
353
354 APPENDIX A - Reference Implementation
355
356 This appendix contains the following files taken from RSAREF: A
357 Cryptographic Toolkit for Privacy-Enhanced Mail:
358
359 global.h -- global header file
360
361 md5.h -- header file for MD5
362
363 md5c.c -- source code for MD5
364
365 For more information on RSAREF, send email to <rsaref@rsa.com>.
366
367 The appendix also includes the following file:
368
369 mddriver.c -- test driver for MD2, MD4 and MD5
370
371 The driver compiles for MD5 by default but can compile for MD2 or MD4
372 if the symbol MD is defined on the C compiler command line as 2 or 4.
373
374 The implementation is portable and should work on many different
375 plaforms. However, it is not difficult to optimize the implementation
376 on particular platforms, an exercise left to the reader. For example,
377 on "little-endian" platforms where the lowest-addressed byte in a 32-
378 bit word is the least significant and there are no alignment
379 restrictions, the call to Decode in MD5Transform can be replaced with
380 a typecast.
381
382 A.1 global.h
383
384 /* GLOBAL.H - RSAREF types and constants
385 */
386
387 /* PROTOTYPES should be set to one if and only if the compiler supports
388 function argument prototyping.
389 The following makes PROTOTYPES default to 0 if it has not already
390
391
392
393 Rivest [Page 7]
394
395 RFC 1321 MD5 Message-Digest Algorithm April 1992
396
397
398 been defined with C compiler flags.
399 */
400 #ifndef PROTOTYPES
401 #define PROTOTYPES 0
402 #endif
403
404 /* POINTER defines a generic pointer type */
405 typedef unsigned char *POINTER;
406
407 /* UINT2 defines a two byte word */
408 typedef unsigned short int UINT2;
409
410 /* UINT4 defines a four byte word */
411 typedef unsigned long int UINT4;
412
413 /* PROTO_LIST is defined depending on how PROTOTYPES is defined above.
414 If using PROTOTYPES, then PROTO_LIST returns the list, otherwise it
415 returns an empty list.
416 */
417 #if PROTOTYPES
418 #define PROTO_LIST(list) list
419 #else
420 #define PROTO_LIST(list) ()
421 #endif
422
423 A.2 md5.h
424
425 /* MD5.H - header file for MD5C.C
426 */
427
428 /* Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All
429 rights reserved.
430
431 License to copy and use this software is granted provided that it
432 is identified as the "RSA Data Security, Inc. MD5 Message-Digest
433 Algorithm" in all material mentioning or referencing this software
434 or this function.
435
436 License is also granted to make and use derivative works provided
437 that such works are identified as "derived from the RSA Data
438 Security, Inc. MD5 Message-Digest Algorithm" in all material
439 mentioning or referencing the derived work.
440
441 RSA Data Security, Inc. makes no representations concerning either
442 the merchantability of this software or the suitability of this
443 software for any particular purpose. It is provided "as is"
444 without express or implied warranty of any kind.
445
446
447
448
449 Rivest [Page 8]
450
451 RFC 1321 MD5 Message-Digest Algorithm April 1992
452
453
454 These notices must be retained in any copies of any part of this
455 documentation and/or software.
456 */
457
458 /* MD5 context. */
459 typedef struct {
460 UINT4 state[4]; /* state (ABCD) */
461 UINT4 count[2]; /* number of bits, modulo 2^64 (lsb first) */
462 unsigned char buffer[64]; /* input buffer */
463 } MD5_CTX;
464
465 void MD5Init PROTO_LIST ((MD5_CTX *));
466 void MD5Update PROTO_LIST
467 ((MD5_CTX *, unsigned char *, unsigned int));
468 void MD5Final PROTO_LIST ((unsigned char [16], MD5_CTX *));
469
470 A.3 md5c.c
471
472 /* MD5C.C - RSA Data Security, Inc., MD5 message-digest algorithm
473 */
474
475 /* Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All
476 rights reserved.
477
478 License to copy and use this software is granted provided that it
479 is identified as the "RSA Data Security, Inc. MD5 Message-Digest
480 Algorithm" in all material mentioning or referencing this software
481 or this function.
482
483 License is also granted to make and use derivative works provided
484 that such works are identified as "derived from the RSA Data
485 Security, Inc. MD5 Message-Digest Algorithm" in all material
486 mentioning or referencing the derived work.
487
488 RSA Data Security, Inc. makes no representations concerning either
489 the merchantability of this software or the suitability of this
490 software for any particular purpose. It is provided "as is"
491 without express or implied warranty of any kind.
492
493 These notices must be retained in any copies of any part of this
494 documentation and/or software.
495 */
496
497 #include "global.h"
498 #include "md5.h"
499
500 /* Constants for MD5Transform routine.
501 */
502
503
504
505 Rivest [Page 9]
506
507 RFC 1321 MD5 Message-Digest Algorithm April 1992
508
509
510 #define S11 7
511 #define S12 12
512 #define S13 17
513 #define S14 22
514 #define S21 5
515 #define S22 9
516 #define S23 14
517 #define S24 20
518 #define S31 4
519 #define S32 11
520 #define S33 16
521 #define S34 23
522 #define S41 6
523 #define S42 10
524 #define S43 15
525 #define S44 21
526
527 static void MD5Transform PROTO_LIST ((UINT4 [4], unsigned char [64]));
528 static void Encode PROTO_LIST
529 ((unsigned char *, UINT4 *, unsigned int));
530 static void Decode PROTO_LIST
531 ((UINT4 *, unsigned char *, unsigned int));
532 static void MD5_memcpy PROTO_LIST ((POINTER, POINTER, unsigned int));
533 static void MD5_memset PROTO_LIST ((POINTER, int, unsigned int));
534
535 static unsigned char PADDING[64] = {
536 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
537 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
538 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
539 };
540
541 /* F, G, H and I are basic MD5 functions.
542 */
543 #define F(x, y, z) (((x) & (y)) | ((~x) & (z)))
544 #define G(x, y, z) (((x) & (z)) | ((y) & (~z)))
545 #define H(x, y, z) ((x) ^ (y) ^ (z))
546 #define I(x, y, z) ((y) ^ ((x) | (~z)))
547
548 /* ROTATE_LEFT rotates x left n bits.
549 */
550 #define ROTATE_LEFT(x, n) (((x) << (n)) | ((x) >> (32-(n))))
551
552 /* FF, GG, HH, and II transformations for rounds 1, 2, 3, and 4.
553 Rotation is separate from addition to prevent recomputation.
554 */
555 #define FF(a, b, c, d, x, s, ac) { \
556 (a) += F ((b), (c), (d)) + (x) + (UINT4)(ac); \
557 (a) = ROTATE_LEFT ((a), (s)); \
558
559
560
561 Rivest [Page 10]
562
563 RFC 1321 MD5 Message-Digest Algorithm April 1992
564
565
566 (a) += (b); \
567 }
568 #define GG(a, b, c, d, x, s, ac) { \
569 (a) += G ((b), (c), (d)) + (x) + (UINT4)(ac); \
570 (a) = ROTATE_LEFT ((a), (s)); \
571 (a) += (b); \
572 }
573 #define HH(a, b, c, d, x, s, ac) { \
574 (a) += H ((b), (c), (d)) + (x) + (UINT4)(ac); \
575 (a) = ROTATE_LEFT ((a), (s)); \
576 (a) += (b); \
577 }
578 #define II(a, b, c, d, x, s, ac) { \
579 (a) += I ((b), (c), (d)) + (x) + (UINT4)(ac); \
580 (a) = ROTATE_LEFT ((a), (s)); \
581 (a) += (b); \
582 }
583
584 /* MD5 initialization. Begins an MD5 operation, writing a new context.
585 */
586 void MD5Init (context)
587 MD5_CTX *context; /* context */
588 {
589 context->count[0] = context->count[1] = 0;
590 /* Load magic initialization constants.
591 */
592 context->state[0] = 0x67452301;
593 context->state[1] = 0xefcdab89;
594 context->state[2] = 0x98badcfe;
595 context->state[3] = 0x10325476;
596 }
597
598 /* MD5 block update operation. Continues an MD5 message-digest
599 operation, processing another message block, and updating the
600 context.
601 */
602 void MD5Update (context, input, inputLen)
603 MD5_CTX *context; /* context */
604 unsigned char *input; /* input block */
605 unsigned int inputLen; /* length of input block */
606 {
607 unsigned int i, index, partLen;
608
609 /* Compute number of bytes mod 64 */
610 index = (unsigned int)((context->count[0] >> 3) & 0x3F);
611
612 /* Update number of bits */
613 if ((context->count[0] += ((UINT4)inputLen << 3))
614
615
616
617 Rivest [Page 11]
618
619 RFC 1321 MD5 Message-Digest Algorithm April 1992
620
621
622 < ((UINT4)inputLen << 3))
623 context->count[1]++;
624 context->count[1] += ((UINT4)inputLen >> 29);
625
626 partLen = 64 - index;
627
628 /* Transform as many times as possible.
629 */
630 if (inputLen >= partLen) {
631 MD5_memcpy
632 ((POINTER)&context->buffer[index], (POINTER)input, partLen);
633 MD5Transform (context->state, context->buffer);
634
635 for (i = partLen; i + 63 < inputLen; i += 64)
636 MD5Transform (context->state, &input[i]);
637
638 index = 0;
639 }
640 else
641 i = 0;
642
643 /* Buffer remaining input */
644 MD5_memcpy
645 ((POINTER)&context->buffer[index], (POINTER)&input[i],
646 inputLen-i);
647 }
648
649 /* MD5 finalization. Ends an MD5 message-digest operation, writing the
650 the message digest and zeroizing the context.
651 */
652 void MD5Final (digest, context)
653 unsigned char digest[16]; /* message digest */
654 MD5_CTX *context; /* context */
655 {
656 unsigned char bits[8];
657 unsigned int index, padLen;
658
659 /* Save number of bits */
660 Encode (bits, context->count, 8);
661
662 /* Pad out to 56 mod 64.
663 */
664 index = (unsigned int)((context->count[0] >> 3) & 0x3f);
665 padLen = (index < 56) ? (56 - index) : (120 - index);
666 MD5Update (context, PADDING, padLen);
667
668 /* Append length (before padding) */
669 MD5Update (context, bits, 8);
670
671
672
673 Rivest [Page 12]
674
675 RFC 1321 MD5 Message-Digest Algorithm April 1992
676
677
678 /* Store state in digest */
679 Encode (digest, context->state, 16);
680
681 /* Zeroize sensitive information.
682 */
683 MD5_memset ((POINTER)context, 0, sizeof (*context));
684 }
685
686 /* MD5 basic transformation. Transforms state based on block.
687 */
688 static void MD5Transform (state, block)
689 UINT4 state[4];
690 unsigned char block[64];
691 {
692 UINT4 a = state[0], b = state[1], c = state[2], d = state[3], x[16];
693
694 Decode (x, block, 64);
695
696 /* Round 1 */
697 FF (a, b, c, d, x[ 0], S11, 0xd76aa478); /* 1 */
698 FF (d, a, b, c, x[ 1], S12, 0xe8c7b756); /* 2 */
699 FF (c, d, a, b, x[ 2], S13, 0x242070db); /* 3 */
700 FF (b, c, d, a, x[ 3], S14, 0xc1bdceee); /* 4 */
701 FF (a, b, c, d, x[ 4], S11, 0xf57c0faf); /* 5 */
702 FF (d, a, b, c, x[ 5], S12, 0x4787c62a); /* 6 */
703 FF (c, d, a, b, x[ 6], S13, 0xa8304613); /* 7 */
704 FF (b, c, d, a, x[ 7], S14, 0xfd469501); /* 8 */
705 FF (a, b, c, d, x[ 8], S11, 0x698098d8); /* 9 */
706 FF (d, a, b, c, x[ 9], S12, 0x8b44f7af); /* 10 */
707 FF (c, d, a, b, x[10], S13, 0xffff5bb1); /* 11 */
708 FF (b, c, d, a, x[11], S14, 0x895cd7be); /* 12 */
709 FF (a, b, c, d, x[12], S11, 0x6b901122); /* 13 */
710 FF (d, a, b, c, x[13], S12, 0xfd987193); /* 14 */
711 FF (c, d, a, b, x[14], S13, 0xa679438e); /* 15 */
712 FF (b, c, d, a, x[15], S14, 0x49b40821); /* 16 */
713
714 /* Round 2 */
715 GG (a, b, c, d, x[ 1], S21, 0xf61e2562); /* 17 */
716 GG (d, a, b, c, x[ 6], S22, 0xc040b340); /* 18 */
717 GG (c, d, a, b, x[11], S23, 0x265e5a51); /* 19 */
718 GG (b, c, d, a, x[ 0], S24, 0xe9b6c7aa); /* 20 */
719 GG (a, b, c, d, x[ 5], S21, 0xd62f105d); /* 21 */
720 GG (d, a, b, c, x[10], S22, 0x2441453); /* 22 */
721 GG (c, d, a, b, x[15], S23, 0xd8a1e681); /* 23 */
722 GG (b, c, d, a, x[ 4], S24, 0xe7d3fbc8); /* 24 */
723 GG (a, b, c, d, x[ 9], S21, 0x21e1cde6); /* 25 */
724 GG (d, a, b, c, x[14], S22, 0xc33707d6); /* 26 */
725 GG (c, d, a, b, x[ 3], S23, 0xf4d50d87); /* 27 */
726
727
728
729 Rivest [Page 13]
730
731 RFC 1321 MD5 Message-Digest Algorithm April 1992
732
733
734 GG (b, c, d, a, x[ 8], S24, 0x455a14ed); /* 28 */
735 GG (a, b, c, d, x[13], S21, 0xa9e3e905); /* 29 */
736 GG (d, a, b, c, x[ 2], S22, 0xfcefa3f8); /* 30 */
737 GG (c, d, a, b, x[ 7], S23, 0x676f02d9); /* 31 */
738 GG (b, c, d, a, x[12], S24, 0x8d2a4c8a); /* 32 */
739
740 /* Round 3 */
741 HH (a, b, c, d, x[ 5], S31, 0xfffa3942); /* 33 */
742 HH (d, a, b, c, x[ 8], S32, 0x8771f681); /* 34 */
743 HH (c, d, a, b, x[11], S33, 0x6d9d6122); /* 35 */
744 HH (b, c, d, a, x[14], S34, 0xfde5380c); /* 36 */
745 HH (a, b, c, d, x[ 1], S31, 0xa4beea44); /* 37 */
746 HH (d, a, b, c, x[ 4], S32, 0x4bdecfa9); /* 38 */
747 HH (c, d, a, b, x[ 7], S33, 0xf6bb4b60); /* 39 */
748 HH (b, c, d, a, x[10], S34, 0xbebfbc70); /* 40 */
749 HH (a, b, c, d, x[13], S31, 0x289b7ec6); /* 41 */
750 HH (d, a, b, c, x[ 0], S32, 0xeaa127fa); /* 42 */
751 HH (c, d, a, b, x[ 3], S33, 0xd4ef3085); /* 43 */
752 HH (b, c, d, a, x[ 6], S34, 0x4881d05); /* 44 */
753 HH (a, b, c, d, x[ 9], S31, 0xd9d4d039); /* 45 */
754 HH (d, a, b, c, x[12], S32, 0xe6db99e5); /* 46 */
755 HH (c, d, a, b, x[15], S33, 0x1fa27cf8); /* 47 */
756 HH (b, c, d, a, x[ 2], S34, 0xc4ac5665); /* 48 */
757
758 /* Round 4 */
759 II (a, b, c, d, x[ 0], S41, 0xf4292244); /* 49 */
760 II (d, a, b, c, x[ 7], S42, 0x432aff97); /* 50 */
761 II (c, d, a, b, x[14], S43, 0xab9423a7); /* 51 */
762 II (b, c, d, a, x[ 5], S44, 0xfc93a039); /* 52 */
763 II (a, b, c, d, x[12], S41, 0x655b59c3); /* 53 */
764 II (d, a, b, c, x[ 3], S42, 0x8f0ccc92); /* 54 */
765 II (c, d, a, b, x[10], S43, 0xffeff47d); /* 55 */
766 II (b, c, d, a, x[ 1], S44, 0x85845dd1); /* 56 */
767 II (a, b, c, d, x[ 8], S41, 0x6fa87e4f); /* 57 */
768 II (d, a, b, c, x[15], S42, 0xfe2ce6e0); /* 58 */
769 II (c, d, a, b, x[ 6], S43, 0xa3014314); /* 59 */
770 II (b, c, d, a, x[13], S44, 0x4e0811a1); /* 60 */
771 II (a, b, c, d, x[ 4], S41, 0xf7537e82); /* 61 */
772 II (d, a, b, c, x[11], S42, 0xbd3af235); /* 62 */
773 II (c, d, a, b, x[ 2], S43, 0x2ad7d2bb); /* 63 */
774 II (b, c, d, a, x[ 9], S44, 0xeb86d391); /* 64 */
775
776 state[0] += a;
777 state[1] += b;
778 state[2] += c;
779 state[3] += d;
780
781 /* Zeroize sensitive information.
782
783
784
785 Rivest [Page 14]
786
787 RFC 1321 MD5 Message-Digest Algorithm April 1992
788
789
790 */
791 MD5_memset ((POINTER)x, 0, sizeof (x));
792 }
793
794 /* Encodes input (UINT4) into output (unsigned char). Assumes len is
795 a multiple of 4.
796 */
797 static void Encode (output, input, len)
798 unsigned char *output;
799 UINT4 *input;
800 unsigned int len;
801 {
802 unsigned int i, j;
803
804 for (i = 0, j = 0; j < len; i++, j += 4) {
805 output[j] = (unsigned char)(input[i] & 0xff);
806 output[j+1] = (unsigned char)((input[i] >> 8) & 0xff);
807 output[j+2] = (unsigned char)((input[i] >> 16) & 0xff);
808 output[j+3] = (unsigned char)((input[i] >> 24) & 0xff);
809 }
810 }
811
812 /* Decodes input (unsigned char) into output (UINT4). Assumes len is
813 a multiple of 4.
814 */
815 static void Decode (output, input, len)
816 UINT4 *output;
817 unsigned char *input;
818 unsigned int len;
819 {
820 unsigned int i, j;
821
822 for (i = 0, j = 0; j < len; i++, j += 4)
823 output[i] = ((UINT4)input[j]) | (((UINT4)input[j+1]) << 8) |
824 (((UINT4)input[j+2]) << 16) | (((UINT4)input[j+3]) << 24);
825 }
826
827 /* Note: Replace "for loop" with standard memcpy if possible.
828 */
829
830 static void MD5_memcpy (output, input, len)
831 POINTER output;
832 POINTER input;
833 unsigned int len;
834 {
835 unsigned int i;
836
837 for (i = 0; i < len; i++)
838
839
840
841 Rivest [Page 15]
842
843 RFC 1321 MD5 Message-Digest Algorithm April 1992
844
845
846 output[i] = input[i];
847 }
848
849 /* Note: Replace "for loop" with standard memset if possible.
850 */
851 static void MD5_memset (output, value, len)
852 POINTER output;
853 int value;
854 unsigned int len;
855 {
856 unsigned int i;
857
858 for (i = 0; i < len; i++)
859 ((char *)output)[i] = (char)value;
860 }
861
862 A.4 mddriver.c
863
864 /* MDDRIVER.C - test driver for MD2, MD4 and MD5
865 */
866
867 /* Copyright (C) 1990-2, RSA Data Security, Inc. Created 1990. All
868 rights reserved.
869
870 RSA Data Security, Inc. makes no representations concerning either
871 the merchantability of this software or the suitability of this
872 software for any particular purpose. It is provided "as is"
873 without express or implied warranty of any kind.
874
875 These notices must be retained in any copies of any part of this
876 documentation and/or software.
877 */
878
879 /* The following makes MD default to MD5 if it has not already been
880 defined with C compiler flags.
881 */
882 #ifndef MD
883 #define MD MD5
884 #endif
885
886 #include <stdio.h>
887 #include <time.h>
888 #include <string.h>
889 #include "global.h"
890 #if MD == 2
891 #include "md2.h"
892 #endif
893 #if MD == 4
894
895
896
897 Rivest [Page 16]
898
899 RFC 1321 MD5 Message-Digest Algorithm April 1992
900
901
902 #include "md4.h"
903 #endif
904 #if MD == 5
905 #include "md5.h"
906 #endif
907
908 /* Length of test block, number of test blocks.
909 */
910 #define TEST_BLOCK_LEN 1000
911 #define TEST_BLOCK_COUNT 1000
912
913 static void MDString PROTO_LIST ((char *));
914 static void MDTimeTrial PROTO_LIST ((void));
915 static void MDTestSuite PROTO_LIST ((void));
916 static void MDFile PROTO_LIST ((char *));
917 static void MDFilter PROTO_LIST ((void));
918 static void MDPrint PROTO_LIST ((unsigned char [16]));
919
920 #if MD == 2
921 #define MD_CTX MD2_CTX
922 #define MDInit MD2Init
923 #define MDUpdate MD2Update
924 #define MDFinal MD2Final
925 #endif
926 #if MD == 4
927 #define MD_CTX MD4_CTX
928 #define MDInit MD4Init
929 #define MDUpdate MD4Update
930 #define MDFinal MD4Final
931 #endif
932 #if MD == 5
933 #define MD_CTX MD5_CTX
934 #define MDInit MD5Init
935 #define MDUpdate MD5Update
936 #define MDFinal MD5Final
937 #endif
938
939 /* Main driver.
940
941 Arguments (may be any combination):
942 -sstring - digests string
943 -t - runs time trial
944 -x - runs test script
945 filename - digests file
946 (none) - digests standard input
947 */
948 int main (argc, argv)
949 int argc;
950
951
952
953 Rivest [Page 17]
954
955 RFC 1321 MD5 Message-Digest Algorithm April 1992
956
957
958 char *argv[];
959 {
960 int i;
961
962 if (argc > 1)
963 for (i = 1; i < argc; i++)
964 if (argv[i][0] == '-' && argv[i][1] == 's')
965 MDString (argv[i] + 2);
966 else if (strcmp (argv[i], "-t") == 0)
967 MDTimeTrial ();
968 else if (strcmp (argv[i], "-x") == 0)
969 MDTestSuite ();
970 else
971 MDFile (argv[i]);
972 else
973 MDFilter ();
974
975 return (0);
976 }
977
978 /* Digests a string and prints the result.
979 */
980 static void MDString (string)
981 char *string;
982 {
983 MD_CTX context;
984 unsigned char digest[16];
985 unsigned int len = strlen (string);
986
987 MDInit (&context);
988 MDUpdate (&context, string, len);
989 MDFinal (digest, &context);
990
991 printf ("MD%d (\"%s\") = ", MD, string);
992 MDPrint (digest);
993 printf ("\n");
994 }
995
996 /* Measures the time to digest TEST_BLOCK_COUNT TEST_BLOCK_LEN-byte
997 blocks.
998 */
999 static void MDTimeTrial ()
1000 {
1001 MD_CTX context;
1002 time_t endTime, startTime;
1003 unsigned char block[TEST_BLOCK_LEN], digest[16];
1004 unsigned int i;
1005
1006
1007
1008
1009 Rivest [Page 18]
1010
1011 RFC 1321 MD5 Message-Digest Algorithm April 1992
1012
1013
1014 printf
1015 ("MD%d time trial. Digesting %d %d-byte blocks ...", MD,
1016 TEST_BLOCK_LEN, TEST_BLOCK_COUNT);
1017
1018 /* Initialize block */
1019 for (i = 0; i < TEST_BLOCK_LEN; i++)
1020 block[i] = (unsigned char)(i & 0xff);
1021
1022 /* Start timer */
1023 time (&startTime);
1024
1025 /* Digest blocks */
1026 MDInit (&context);
1027 for (i = 0; i < TEST_BLOCK_COUNT; i++)
1028 MDUpdate (&context, block, TEST_BLOCK_LEN);
1029 MDFinal (digest, &context);
1030
1031 /* Stop timer */
1032 time (&endTime);
1033
1034 printf (" done\n");
1035 printf ("Digest = ");
1036 MDPrint (digest);
1037 printf ("\nTime = %ld seconds\n", (long)(endTime-startTime));
1038 printf
1039 ("Speed = %ld bytes/second\n",
1040 (long)TEST_BLOCK_LEN * (long)TEST_BLOCK_COUNT/(endTime-startTime));
1041 }
1042
1043 /* Digests a reference suite of strings and prints the results.
1044 */
1045 static void MDTestSuite ()
1046 {
1047 printf ("MD%d test suite:\n", MD);
1048
1049 MDString ("");
1050 MDString ("a");
1051 MDString ("abc");
1052 MDString ("message digest");
1053 MDString ("abcdefghijklmnopqrstuvwxyz");
1054 MDString
1055 ("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789");
1056 MDString
1057 ("1234567890123456789012345678901234567890\
1058 1234567890123456789012345678901234567890");
1059 }
1060
1061 /* Digests a file and prints the result.
1062
1063
1064
1065 Rivest [Page 19]
1066
1067 RFC 1321 MD5 Message-Digest Algorithm April 1992
1068
1069
1070 */
1071 static void MDFile (filename)
1072 char *filename;
1073 {
1074 FILE *file;
1075 MD_CTX context;
1076 int len;
1077 unsigned char buffer[1024], digest[16];
1078
1079 if ((file = fopen (filename, "rb")) == NULL)
1080 printf ("%s can't be opened\n", filename);
1081
1082 else {
1083 MDInit (&context);
1084 while (len = fread (buffer, 1, 1024, file))
1085 MDUpdate (&context, buffer, len);
1086 MDFinal (digest, &context);
1087
1088 fclose (file);
1089
1090 printf ("MD%d (%s) = ", MD, filename);
1091 MDPrint (digest);
1092 printf ("\n");
1093 }
1094 }
1095
1096 /* Digests the standard input and prints the result.
1097 */
1098 static void MDFilter ()
1099 {
1100 MD_CTX context;
1101 int len;
1102 unsigned char buffer[16], digest[16];
1103
1104 MDInit (&context);
1105 while (len = fread (buffer, 1, 16, stdin))
1106 MDUpdate (&context, buffer, len);
1107 MDFinal (digest, &context);
1108
1109 MDPrint (digest);
1110 printf ("\n");
1111 }
1112
1113 /* Prints a message digest in hexadecimal.
1114 */
1115 static void MDPrint (digest)
1116 unsigned char digest[16];
1117 {
1118
1119
1120
1121 Rivest [Page 20]
1122
1123 RFC 1321 MD5 Message-Digest Algorithm April 1992
1124
1125
1126 unsigned int i;
1127
1128 for (i = 0; i < 16; i++)
1129 printf ("%02x", digest[i]);
1130 }
1131
1132 A.5 Test suite
1133
1134 The MD5 test suite (driver option "-x") should print the following
1135 results:
1136
1137 MD5 test suite:
1138 MD5 ("") = d41d8cd98f00b204e9800998ecf8427e
1139 MD5 ("a") = 0cc175b9c0f1b6a831c399e269772661
1140 MD5 ("abc") = 900150983cd24fb0d6963f7d28e17f72
1141 MD5 ("message digest") = f96b697d7cb7938d525a2f31aaf161d0
1142 MD5 ("abcdefghijklmnopqrstuvwxyz") = c3fcd3d76192e4007dfb496cca67e13b
1143 MD5 ("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789") =
1144 d174ab98d277d9f5a5611c2c9f419d9f
1145 MD5 ("123456789012345678901234567890123456789012345678901234567890123456
1146 78901234567890") = 57edf4a22be3c955ac49da2e2107b67a
1147
1148 Security Considerations
1149
1150 The level of security discussed in this memo is considered to be
1151 sufficient for implementing very high security hybrid digital-
1152 signature schemes based on MD5 and a public-key cryptosystem.
1153
1154 Author's Address
1155
1156 Ronald L. Rivest
1157 Massachusetts Institute of Technology
1158 Laboratory for Computer Science
1159 NE43-324
1160 545 Technology Square
1161 Cambridge, MA 02139-1986
1162
1163 Phone: (617) 253-5880
1164 EMail: rivest@theory.lcs.mit.edu
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177 Rivest [Page 21]
1178
1179

MailToCvsAdmin">MailToCvsAdmin
ViewVC Help
Powered by ViewVC 1.1.26 RSS 2.0 feed