Updated Security Considerations for the MD5 Message-Digest and the HMAC-MD5 Algorithms
RFC 6151

Document Type RFC - Informational (March 2011; No errata)
Updates RFC 1321, RFC 2104
Was draft-turner-md5-seccon-update (individual in sec area)
Authors Lily Chen, Sean Turner
Last updated 2015-10-14
Stream IETF stream
IESG IESG state RFC 6151 (Informational)
Responsible AD Alexey Melnikov
Internet Engineering Task Force (IETF)                         S. Turner
Request for Comments: 6151                                          IECA
Updates: 1321, 2104                                              L. Chen
Category: Informational                                             NIST
ISSN: 2070-1721                                               March 2011

                  Updated Security Considerations for
           the MD5 Message-Digest and the HMAC-MD5 Algorithms


Abstract

   This document updates the security considerations for the MD5 message
   digest algorithm.  It also updates the security considerations for

Status of This Memo

   This document is not an Internet Standards Track specification; it is
   published for informational purposes.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Not all documents
   approved by the IESG are a candidate for any level of Internet
   Standard; see Section 2 of RFC 5741.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at

Copyright Notice

   Copyright (c) 2011 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Turner & Chen                 Informational                     [Page 1]
RFC 6151        MD5 and HMAC-MD5 Security Considerations      March 2011

1.  Introduction

   MD5 [MD5] is a message digest algorithm that takes as input a message
   of arbitrary length and produces as output a 128-bit "fingerprint" or
   "message digest" of the input.  The published attacks against MD5
   show that it is not prudent to use MD5 when collision resistance is
   required.  This document replaces the security considerations in RFC
   1321 [MD5].

   [HMAC] defined a mechanism for message authentication using
   cryptographic hash functions.  Any message digest algorithm can be
   used, but the cryptographic strength of HMAC depends on the
   properties of the underlying hash function.  [HMAC-MD5] defined test
   cases for HMAC-MD5.  This document updates the security
   considerations in [HMAC], which [HMAC-MD5] points to for its security

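   The HMAC construction referred to above, written out generically so that
   the same code yields HMAC-MD5 or HMAC-SHA256 depending only on which hash
   is plugged in.  This is an added illustration, not text or code from RFC
   6151 or from [HMAC]; it checks itself against Python's hmac module and
   against test case 1 of [HMAC-MD5], whose key (0x0b repeated 16 times),
   data ("Hi There") and HMAC-MD5 value are the published ones.

```python
import hashlib
import hmac

# RFC 2104 constants: the padded key is XORed with these before the inner
# and outer hash computations.
IPAD_BYTE = 0x36
OPAD_BYTE = 0x5C


def hmac_generic(key: bytes, message: bytes, hash_name: str) -> bytes:
    """HMAC(K, m) = H((K' xor opad) || H((K' xor ipad) || m)).

    hash_name may be any digest hashlib knows ("md5", "sha256", "sha512").
    Only the block size and output length depend on the hash, which is why
    HMAC inherits its strength from the underlying digest.
    """
    block_size = hashlib.new(hash_name).block_size
    # Keys longer than one block are hashed first; shorter keys are zero-padded.
    if len(key) > block_size:
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block_size, b"\x00")
    inner_key = bytes(b ^ IPAD_BYTE for b in key)
    outer_key = bytes(b ^ OPAD_BYTE for b in key)
    inner = hashlib.new(hash_name, inner_key + message).digest()
    return hashlib.new(hash_name, outer_key + inner).digest()


def matches_stdlib(key: bytes, message: bytes, hash_name: str) -> bool:
    """Cross-check the hand-built construction against the standard library."""
    expected = hmac.new(key, message, hash_name).digest()
    return hmac.compare_digest(hmac_generic(key, message, hash_name), expected)


# Test case 1 from RFC 2202 (also in RFC 2104): key = 0x0b x 16, data = "Hi There".
RFC2202_KEY = b"\x0b" * 16
RFC2202_DATA = b"Hi There"
RFC2202_HMAC_MD5 = "9294727a3638bb1c13f48ef8158bfc9d"

if __name__ == "__main__":
    print("RFC 2202 vector reproduced:",
          hmac_generic(RFC2202_KEY, RFC2202_DATA, "md5").hex() == RFC2202_HMAC_MD5)
    for name in ("md5", "sha256", "sha512"):
        tag = hmac_generic(RFC2202_KEY, RFC2202_DATA, name)
        print(f"HMAC-{name.upper()}: {len(tag) * 8}-bit tag, "
              f"stdlib agrees: {matches_stdlib(RFC2202_KEY, RFC2202_DATA, name)}")
```

   Swapping "md5" for "sha256" changes nothing in the construction itself;
   what changes is the tag length (128 versus 256 bits) and the
   collision and pre-image properties the tag rests on.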
   [HASH-Attack] summarizes the use of hashes in many protocols and
   discusses how attacks against a message digest algorithm's one-way
   and collision-free properties affect and do not affect Internet
   protocols.  Familiarity with [HASH-Attack] is assumed.  One of the
   uses of message digest algorithms in [HASH-Attack] was integrity
   protection.  Where the MD5 checksum is used inline with the protocol
   solely to protect against errors, an MD5 checksum is still an
   acceptable use.  Applications and protocols need to clearly state in
   their security considerations what security services, if any, are
   expected from the MD5 checksum.  In fact, any application and
   protocol that employs MD5 for any purpose needs to clearly state the
   expected security services from their use of MD5.

2.  Security Considerations

   MD5 was published in 1992 as an Informational RFC.  Since that time,
   MD5 has been extensively studied and new cryptographic attacks have
   been discovered.  Message digest algorithms are designed to provide
   collision, pre-image, and second pre-image resistance.  In addition,
   message digest algorithms are used with a shared secret value for
   message authentication in HMAC, and in this context, some people may
   find the guidance for key lengths and algorithm strengths in
   [SP800-57] and [SP800-131] useful.

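   The three properties named above differ in how much work a generic
   (brute-force) attacker needs, and that difference is why collision
   resistance is always the first to fall.  The following added
   illustration, which is not part of RFC 6151, runs all three generic
   searches against a constructed toy digest: MD5 truncated to its top 16
   bits so that each search finishes in well under a second.  The
   truncation, the "msg-N" candidate sequence and the search limit are
   all constructed for this example; the published attacks on real MD5
   are structural and far cheaper than these generic bounds.

```python
import hashlib
from typing import Dict, Optional, Tuple

# Toy parameters (constructed for illustration): keep only the top 16 bits of
# the MD5 output so the generic attacks below are fast.  What matters is the
# ratio of work between the three properties, not anything about MD5 itself.
TRUNC_BITS = 16
SEARCH_LIMIT = 1 << 20


def toy_digest(message: bytes, bits: int = TRUNC_BITS) -> int:
    """MD5 truncated to its top `bits` bits: a stand-in with a tiny output space."""
    full = int.from_bytes(hashlib.md5(message).digest(), "big")
    return full >> (128 - bits)


def candidate(i: int) -> bytes:
    """Deterministic message sequence so every search is reproducible."""
    return b"msg-%d" % i


def find_preimage(target: int) -> Tuple[Optional[bytes], int]:
    """Pre-image resistance: from the digest alone, find *some* message hashing
    to it.  Generic cost is about 2**bits trials.  Returns (message, trials)."""
    for i in range(SEARCH_LIMIT):
        m = candidate(i)
        if toy_digest(m) == target:
            return m, i + 1
    return None, SEARCH_LIMIT


def find_second_preimage(original: bytes) -> Tuple[Optional[bytes], int]:
    """Second pre-image resistance: given a specific message, find a *different*
    message with the same digest.  Also about 2**bits trials."""
    target = toy_digest(original)
    for i in range(SEARCH_LIMIT):
        m = candidate(i)
        if m != original and toy_digest(m) == target:
            return m, i + 1
    return None, SEARCH_LIMIT


def find_collision() -> Tuple[Optional[Tuple[bytes, bytes]], int]:
    """Collision resistance: find *any* two distinct messages with equal digests.
    The birthday paradox brings this down to about 2**(bits/2) trials."""
    seen: Dict[int, bytes] = {}
    for i in range(SEARCH_LIMIT):
        m = candidate(i)
        d = toy_digest(m)
        if d in seen:
            return (seen[d], m), i + 1
        seen[d] = m
    return None, SEARCH_LIMIT


if __name__ == "__main__":
    # A target produced outside the candidate sequence, so the pre-image search
    # cannot succeed on its first try.
    target = toy_digest(b"constructed target document")
    _, n_pre = find_preimage(target)
    _, n_second = find_second_preimage(candidate(0))
    _, n_coll = find_collision()
    print(f"pre-image:        {n_pre:>6} trials (expected ~ 2**{TRUNC_BITS} = {2**TRUNC_BITS})")
    print(f"second pre-image: {n_second:>6} trials (expected ~ 2**{TRUNC_BITS} = {2**TRUNC_BITS})")
    print(f"collision:        {n_coll:>6} trials (expected ~ 2**{TRUNC_BITS // 2} = {2**(TRUNC_BITS // 2)})")
```

   Scaling the toy back up to MD5's full 128 bits gives the textbook
   generic bounds of 2**128 for pre-images and 2**64 for collisions; the
   security considerations that follow are about attacks that beat even
   the latter.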
   MD5 is no longer acceptable where collision resistance is required
   such as digital signatures.  It is not urgent to stop using MD5 in
   other ways, such as HMAC-MD5; however, since MD5 must not be used for
   digital signatures, new protocol designs should not employ HMAC-MD5.
   Alternatives to HMAC-MD5 include HMAC-SHA256 [HMAC] [HMAC-SHA256] and
   [AES-CMAC] when AES is more readily available than a hash function.

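   The recommendation above separates two situations: existing HMAC-MD5
   deployments need not be torn out urgently, but new designs should use
   HMAC-SHA256 (or AES-CMAC).  The following added example, which is not
   part of RFC 6151, shows how a protocol implementation can encode that
   policy: the producer will only emit HMAC-SHA256 tags, while the verifier
   accepts HMAC-MD5 only when explicitly configured for legacy peers, and
   it checks the algorithm identifier before recomputing anything so that
   a tag labelled "md5" cannot be used to talk a new deployment down.  The
   "alg:hex" envelope format, the key and the messages are constructed for
   this example.

```python
import hmac
from typing import Tuple

# Policy in the spirit of RFC 6151: new designs use HMAC-SHA256; HMAC-MD5 is
# accepted only by verifiers that explicitly opt in for existing deployments.
NEW_DESIGN_MACS = frozenset({"sha256"})
LEGACY_MACS = frozenset({"md5"})


def is_permitted(alg: str, allow_legacy: bool = False) -> bool:
    """Which HMAC hash names a verifier will accept under the chosen policy."""
    permitted = NEW_DESIGN_MACS | (LEGACY_MACS if allow_legacy else frozenset())
    return alg in permitted


def raw_tag(key: bytes, message: bytes, alg: str) -> str:
    """'alg:hex' envelope (a constructed wire format for this example).  No policy
    check here: this is what an older peer that still speaks HMAC-MD5 would send."""
    return f"{alg}:{hmac.new(key, message, alg).hexdigest()}"


def make_tag(key: bytes, message: bytes, alg: str = "sha256") -> str:
    """Producer side of a new design: refuse to emit MACs the policy forbids."""
    if not is_permitted(alg):
        raise ValueError(f"HMAC-{alg.upper()} is not permitted for new designs (RFC 6151)")
    return raw_tag(key, message, alg)


def verify_tag(key: bytes, message: bytes, tagged: str,
               allow_legacy: bool = False) -> Tuple[bool, str]:
    """Verifier side: enforce the algorithm policy *before* recomputing, then
    compare in constant time.  Returns (accepted, algorithm seen) so the caller
    can log or alert on any legacy HMAC-MD5 still arriving."""
    alg, sep, hextag = tagged.partition(":")
    if not sep or not hextag or not is_permitted(alg, allow_legacy):
        return False, alg
    expected = hmac.new(key, message, alg).hexdigest()
    return hmac.compare_digest(expected, hextag), alg


if __name__ == "__main__":
    key = b"constructed-demo-key"
    msg = b"constructed payload"
    tag = make_tag(key, msg)
    print("new design, sha256 tag:", verify_tag(key, msg, tag))
    legacy = raw_tag(key, msg, "md5")           # what an old peer would send
    print("md5 tag, strict verifier:", verify_tag(key, msg, legacy))
    print("md5 tag, legacy-tolerant verifier:", verify_tag(key, msg, legacy, allow_legacy=True))
    print("tampered message:", verify_tag(key, msg + b"!", tag))
```

   The returned algorithm name is what makes the transition manageable:
   a deployment that enables allow_legacy can count how many HMAC-MD5
   tags it still sees and turn the flag off once that number reaches
   zero.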

2.1.  Collision Resistance

   Pseudo-collisions for the compress function of MD5 were first