MD2 (cryptography)

From Wikipedia, the free encyclopedia
Jump to: navigation, search
Designers Ronald Rivest
First published August 1989[1]
Series MD2, MD4, MD5, MD6
Digest sizes 128 bits
Rounds 18

The MD2 Message-Digest Algorithm is a cryptographic hash function developed by Ronald Rivest in 1989.[2] The algorithm is optimized for 8-bit computers. MD2 is specified in RFC 1319. Although MD2 is no longer considered secure, even as of 2014, it remains in use in public key infrastructures as part of certificates generated with MD2 and RSA. The MD2 hash function receives its acronym MD from its structure using Merkle–Damgård construction.


The 128-bit hash value of any message is formed by padding it to a multiple of the block length (128 bits or 16 bytes) and adding a 16-byte checksum to it. For the actual calculation, a 48-byte auxiliary block and a 256-byte S-table generated indirectly from the digits of the fractional part of pi are used (see nothing up my sleeve number). The algorithm runs through a loop where it permutes each byte in the auxiliary block 18 times for every 16 input bytes processed. Once all of the blocks of the (lengthened) message have been processed, the first partial block of the auxiliary block becomes the hash value of the message.

The S-table's values are derived from Pi,[3][4] and in hex are:

{ 0x29, 0x2E, 0x43, 0xC9, 0xA2, 0xD8, 0x7C, 0x01, 0x3D, 0x36, 0x54, 0xA1, 0xEC, 0xF0, 0x06, 0x13, 
  0x62, 0xA7, 0x05, 0xF3, 0xC0, 0xC7, 0x73, 0x8C, 0x98, 0x93, 0x2B, 0xD9, 0xBC, 0x4C, 0x82, 0xCA, 
  0x1E, 0x9B, 0x57, 0x3C, 0xFD, 0xD4, 0xE0, 0x16, 0x67, 0x42, 0x6F, 0x18, 0x8A, 0x17, 0xE5, 0x12, 
  0xBE, 0x4E, 0xC4, 0xD6, 0xDA, 0x9E, 0xDE, 0x49, 0xA0, 0xFB, 0xF5, 0x8E, 0xBB, 0x2F, 0xEE, 0x7A, 
  0xA9, 0x68, 0x79, 0x91, 0x15, 0xB2, 0x07, 0x3F, 0x94, 0xC2, 0x10, 0x89, 0x0B, 0x22, 0x5F, 0x21,
  0x80, 0x7F, 0x5D, 0x9A, 0x5A, 0x90, 0x32, 0x27, 0x35, 0x3E, 0xCC, 0xE7, 0xBF, 0xF7, 0x97, 0x03, 
  0xFF, 0x19, 0x30, 0xB3, 0x48, 0xA5, 0xB5, 0xD1, 0xD7, 0x5E, 0x92, 0x2A, 0xAC, 0x56, 0xAA, 0xC6, 
  0x4F, 0xB8, 0x38, 0xD2, 0x96, 0xA4, 0x7D, 0xB6, 0x76, 0xFC, 0x6B, 0xE2, 0x9C, 0x74, 0x04, 0xF1, 
  0x45, 0x9D, 0x70, 0x59, 0x64, 0x71, 0x87, 0x20, 0x86, 0x5B, 0xCF, 0x65, 0xE6, 0x2D, 0xA8, 0x02, 
  0x1B, 0x60, 0x25, 0xAD, 0xAE, 0xB0, 0xB9, 0xF6, 0x1C, 0x46, 0x61, 0x69, 0x34, 0x40, 0x7E, 0x0F, 
  0x55, 0x47, 0xA3, 0x23, 0xDD, 0x51, 0xAF, 0x3A, 0xC3, 0x5C, 0xF9, 0xCE, 0xBA, 0xC5, 0xEA, 0x26, 
  0x2C, 0x53, 0x0D, 0x6E, 0x85, 0x28, 0x84, 0x09, 0xD3, 0xDF, 0xCD, 0xF4, 0x41, 0x81, 0x4D, 0x52, 
  0x6A, 0xDC, 0x37, 0xC8, 0x6C, 0xC1, 0xAB, 0xFA, 0x24, 0xE1, 0x7B, 0x08, 0x0C, 0xBD, 0xB1, 0x4A, 
  0x78, 0x88, 0x95, 0x8B, 0xE3, 0x63, 0xE8, 0x6D, 0xE9, 0xCB, 0xD5, 0xFE, 0x3B, 0x00, 0x1D, 0x39, 
  0xF2, 0xEF, 0xB7, 0x0E, 0x66, 0x58, 0xD0, 0xE4, 0xA6, 0x77, 0x72, 0xF8, 0xEB, 0x75, 0x4B, 0x0A, 
  0x31, 0x44, 0x50, 0xB4, 0x8F, 0xED, 0x1F, 0x1A, 0xDB, 0x99, 0x8D, 0x33, 0x9F, 0x11, 0x83, 0x14 }

MD2 hashes[edit]

The 128-bit (16-byte) MD2 hashes (also termed message digests) are typically represented as 32-digit hexadecimal numbers. The following demonstrates a 43-byte ASCII input and the corresponding MD2 hash:

 MD2("The quick brown fox jumps over the lazy dog") = 

As the result of the avalanche effect in MD2, even a small change in the input message will (with overwhelming probability) result in a completely different hash. For example, changing the letter d to c in the message results in:

 MD2("The quick brown fox jumps over the lazy cog") = 

The hash of the zero-length string is:

 MD2("") = 


Rogier and Chauvaud (1997) described collisions of MD2's compression function, although they were unable to extend the attack to the full MD2.

In 2004, MD2 was shown to be vulnerable to a preimage attack with time complexity equivalent to 2104 applications of the compression function (Muller, 2004). The author concludes, "MD2 can no longer be considered a secure one-way hash function".

In 2008, MD2 has further improvements on a preimage attack with time complexity of 273 compression function evaluations and memory requirements of 273 message blocks.[5]

In 2009, MD2 was shown to be vulnerable to a collision attack with time complexity of 263.3 compression function evaluations and memory requirements of 252 hash values. This is slightly better than the birthday attack which is expected to take 265.5 compression function evaluations.[6]

In 2009, security updates were issued disabling MD2 in OpenSSL, GnuTLS, and Network Security Services.[7]

See also[edit]


  • Burt Kaliski, RFC 1319 - MD2 Message Digest Algorithm, April 1992.
  • N. Rogier, Pascal Chauvaud, The compression function of MD2 is not collision free, Selected Areas in Cryptography - SAC'95 Ottawa, Canada, May 18–19, 1995 (workshop record).
  • N. Rogier, Pascal Chauvaud, MD2 is not Secure without the Checksum Byte, Designs, Codes and Cryptography, 12(3), pp245–251, 1997.
  • Frédéric Muller, The MD2 Hash Function is Not One-Way, ASIACRYPT 2004, pp214–229.
  • Lars R. Knudsen and John Erik Mathiassen, Preimage and Collision Attacks on MD2. FSE 2005.
  1. ^ John Linn, RFC 1115 - Privacy Enhancement for Internet Electronic Mail: Part III—Algorithms, Modes, and Identifiers, Section 4.2, August 1989, Source by Ron L. Rivest October, 1988.
  2. ^ "What are MD2, MD4, and MD5?". Public-Key Cryptography Standards (PKCS): PKCS #7: Cryptographic Message Syntax Standard: 3.6 Other Cryptographic Techniques: 3.6.6 What are MD2, MD4, and MD5?. RSA Laboratories. Retrieved 2011-04-29. 
  3. ^ Kaliski, Burt (April 1992). "RFC 1319 - The MD2 Message-Digest Algorithm". RSA Laboratories. p. 3. Retrieved 22 November 2014. 
  4. ^ "How is the MD2 hash function S-table constructed from Pi?". Cryptography Stack Exchange. Stack Exchange. 2 August 2014. Retrieved 22 November 2014. 
  5. ^ Søren S. Thomsen (2008). "An improved preimage attack on MD2" (PDF). 
  6. ^
  7. ^ CVE-2009-2409

External links[edit]