MD5 Algorithm Analysis

MD5 's full name is Message-digest algorithm 5, developed by the MIT Computer Science Lab and RSA Data Security Inc in the early 90, with the development of MD2, MD3 and MD4.
MD5 transforms any length of "byte string" into a large integer of 128bit, and it is an irreversible string transformation algorithm, in other words, even if you see the source program and algorithm description, you can not transform a MD5 value back to the original string, mathematically speaking, This is because the original string has an infinite number, which is somewhat like a mathematical function that does not have an inverse function.

A typical application of MD5 is to generate fingerprint (fingerprints) on a message (byte string) to prevent "tampering". For example, you write a paragraph in a file called Readme.txt, and you create a MD5 value for the Readme.txt and record it, and then you can spread the file to someone else, and if someone modifies anything in the file, you'll find it when you recalculate the MD5. If there is a third-party certification body, with MD5 can also prevent the file author's "Repudiation", which is called Digital signature application.
MD5 is also widely used in encryption and decryption technology, in many operating systems, the user's password is MD5 value (or similar to other algorithms) to save the way, when the user login, the system is the user input password calculated as MD5 value, and then to the system to save the MD5 value to compare, and the system does not " Know "What the user's password is."

After some initialization, MD5 handles the input text in 512-bit groupings, and each grouping is divided into 16 32-bit sub-groupings. The output of the algorithm consists of four 32-bit groupings that cascade to form a 128-bit hash value.
The message is first populated with a number that is exactly 64 bits smaller than a multiple of 512 bits. The Fill method is appended with a 1 after the message, followed by the required number of 0, followed by a 64-bit message length (before padding). The effect of these two steps is to make the message length exactly 512-bit integer multiples (as the rest of the algorithm requires), while ensuring that different messages are not the same after they are populated.
The four 32-bit variables are initialized to:
a=0x01234567
B=0x89abcdef
C=0xfedcba98
d=0x76543210
They are called link variables (chaining variable)
The main loop of the algorithm is followed by the number of times the 512-bit message is grouped in the message.
Copy the above four variables into the other variables: A to A, B to B,c to C,d to D.
The main cycle has four rounds (MD4 only rounds), each round is very phase-fitting. The first round operates 16 times. Each operation makes a nonlinear function operation on three of A,b,c and D, and then adds the resulting result to the fourth variable, a sub-group of text, and a constant. The resulting result is then shifted to the right by an indefinite number, plus one of the a,b,c or D. Finally, replace one of A,b,c or D with this result.
Take a look at the four nonlinear functions (one per round) that are used in each operation.
F (x, y, Z) = (x&y) | ((~x) &z)
G (x, y, Z) = (x&z) | (y& (~z))
H (x, Y, z) =x^y^z
I (x, Y, z) =y^ (x| ( ~Z))
(& is with, | yes or, ~ right and wrong, ^ is XOR)
These functions are designed like this: if the corresponding bits of x, Y, and Z are independent and homogeneous, then each bit of the result should be independent and uniform.
The function f is operated in a bitwise manner: if x, then y, otherwise Z. The function h is a bitwise odd-even operator.
Set MJ to indicate that the J Sub-group of the message (from 0 to a),<<< s indicates that the loop moves left s bit, then four actions are:
FF (a,b,c,d,mj,s,ti) means a=b+ ((A + (F (b,c,d) +mj+ti) <<< s)
GG (a,b,c,d,mj,s,ti) means a=b+ ((A + (G (b,c,d) +mj+ti) <<< s)
HH (a,b,c,d,mj,s,ti) means a=b+ ((A + (H (b,c,d) +mj+ti) <<< s)
II (a,b,c,d,mj,s,ti) means a=b+ ((A + (I (b,c,d) +mj+ti) <<< s)
These four rounds (64 steps) are:
First round
FF (a,b,c,d,m0,7,0xd76aa478)
FF (d,a,b,c,m1,12,0xe8c7b756)
FF (c,d,a,b,m2,17,0x242070db)
FF (B,C,D,A,M3,22,0XC1BDCEEE)
FF (A,B,C,D,M4,7,0XF57C0FAF)
FF (D,A,B,C,M5,12,0X4787C62A)
FF (c,d,a,b,m6,17,0xa8304613)
FF (b,c,d,a,m7,22,0xfd469501)
FF (A,B,C,D,M8,7,0X698098D8)
FF (D,A,B,C,M9,12,0X8B44F7AF)
FF (C,D,A,B,M10,17,0XFFFF5BB1)
FF (B,C,D,A,M11,22,0X895CD7BE)
FF (a,b,c,d,m12,7,0x6b901122)
FF (d,a,b,c,m13,12,0xfd987193)
FF (c,d,a,b,m14,17,0xa679438e)
FF (b,c,d,a,m15,22,0x49b40821)
Second round
GG (a,b,c,d,m1,5,0xf61e2562)
GG (d,a,b,c,m6,9,0xc040b340)
GG (C,D,A,B,M11,14,0X265E5A51)
GG (B,C,D,A,M0,20,0XE9B6C7AA)
GG (A,B,C,D,M5,5,0XD62F105D)
GG (d,a,b,c,m10,9,0x02441453)
GG (c,d,a,b,m15,14,0xd8a1e681)
GG (B,C,D,A,M4,20,0XE7D3FBC8)
GG (A,B,C,D,M9,5,0X21E1CDE6)
GG (D,A,B,C,M14,9,0XC33707D6)
GG (c,d,a,b,m3,14,0xf4d50d87)
GG (b,c,d,a,m8,20,0x455a14ed)
GG (a,b,c,d,m13,5,0xa9e3e905)
GG (D,A,B,C,M2,9,0XFCEFA3F8)
GG (C,D,A,B,M7,14,0X676F02D9)
GG (B,C,D,A,M12,20,0X8D2A4C8A)
Third round
HH (a,b,c,d,m5,4,0xfffa3942)
HH (d,a,b,c,m8,11,0x8771f681)
HH (c,d,a,b,m11,16,0x6d9d6122)
HH (b,c,d,a,m14,23,0xfde5380c)
HH (A,B,C,D,M1,4,0XA4BEEA44)
HH (D,A,B,C,M4,11,0X4BDECFA9)
HH (C,D,A,B,M7,16,0XF6BB4B60)
HH (B,C,D,A,M10,23,0XBEBFBC70)
HH (A,B,C,D,M13,4,0X289B7EC6)
HH (D,A,B,C,M0,11,0XEAA127FA)
HH (c,d,a,b,m3,16,0xd4ef3085)
HH (B,C,D,A,M6,23,0X04881D05)
HH (a,b,c,d,m9,4,0xd9d4d039)
HH (D,A,B,C,M12,11,0XE6DB99E5)
HH (C,D,A,B,M15,16,0X1FA27CF8)
HH (b,c,d,a,m2,23,0xc4ac5665)
Fourth round
II (a,b,c,d,m0,6,0xf4292244)
II (D,A,B,C,M7,10,0X432AFF97)
II (C,D,A,B,M14,15,0XAB9423A7)
II (b,c,d,a,m5,21,0xfc93a039)
II (A,B,C,D,M12,6,0X655B59C3)
II (d,a,b,c,m3,10,0x8f0ccc92)
II (c,d,a,b,m10,15,0xffeff47d)
II (B,C,D,A,M1,21,0X85845DD1)
II (a,b,c,d,m8,6,0x6fa87e4f)
II (D,A,B,C,M15,10,0XFE2CE6E0)
II (c,d,a,b,m6,15,0xa3014314)
II (B,C,D,A,M13,21,0X4E0811A1)
II (a,b,c,d,m4,6,0xf7537e82)
II (d,a,b,c,m11,10,0xbd3af235)
II (C,D,A,B,M2,15,0X2AD7D2BB)
II (b,c,d,a,m9,21,0xeb86d391)
The constant TI can be selected as follows:
In step I, TI is an integral part of 4294967296*abs (sin (i)), and the unit of I is radians.
(2 of the 32-second party)
After all this is done, add the a,b,c,d to A,b,c,d respectively. Then the algorithm continues to run with the next packet of data, and the final output is the cascade of A,b,c and D.
　　

Safety of MD5

MD5 Relative MD4 improvements:
1. Added the fourth round.
2. Each step has a unique addition constant.
3. To weaken the symmetry of the function g in the second round from (x&y) | (x&z) | (y&z) becomes (x&z) | (y& (~z))
4. The first step adds to the result of the previous step, which will cause a faster avalanche effect.
5. Changed the order of the sub-groupings of access messages in the second and third rounds, making them more dissimilar.
6. Approximately optimizes the cyclic left shift in each round to achieve a faster avalanche effect. The displacement of each wheel is different.

MD5 Source

/* md5.h */#ifndef _md5_h_#define _md5_h_#define r_memset (x, Y, z) memset (x, Y, z)            #define R_MEMCPY (x, Y, z) memcpy (x, y, z) #define R_MEMCMP (x, Y, z) memcmp (x, Y, z) typedef unsigned long uint4;typedef unsigned char *pointer;/* MD5 contex T. */typedef struct {   /* State (ABCD) *///      * Four 32bits number for the final computed message digest. When the message length is 〉512bits, it is also used to store the intermediate results of each 512bits */    UINT4 state[4];      /* Number of bits, modulo 2^64 (LSB first)/*/////       * Stores the length of bits for the original information, not including the populated bits, up to 2^64 bits, because 2^64 is a 64-digit maximum value *   / UINT4 count[2];     /* Input buffer */    * buffers that store input information, 512bits*/   unsigned char buffer[64];  }  Md5_ctx;void md5init (MD5_CTX *), void md5update (MD5_CTX *, unsigned char *, unsigned int), void md5final (unsigned char [16], Md5_ctx *); #endif/* _md5_h_ * *

　　

/* Md5.cpp */#include "stdafx.h"/* Constants for Md5transform routine. *//*MD5 conversion constants, the algorithm itself specifies the */#define S11 7#define S12 12#define S13 17#define S14 22#define S21 5#define S22 9#define S23 14#de Fine S24 20#define S31 4#define S32 11#define S33 16#define S34 23#define S41 6#define S42 10#define S43 15#define S44 21s tatic void Md5transform (UINT4 [4], unsigned char [+]), static void Encode (unsigned char *, UINT4 *, unsigned int), static V OID Decode (UINT4 *, unsigned char *, unsigned int);/* buffer for bits padding, why 64 bytes? The maximum number of bits that needs to be populated is 512=64*8, because bits of the information to be encrypted are 512 apart from the remaining number 448. */static unsigned char padding[64] = {0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 , 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};/* the next Several macro definitions are defined by the MD5 algorithm, which is the operation of MD5 encryption of information. It is said that experienced masters follow the procedure according to these special operations can be concluded that is not used md5*//* F, G, H and I are basic MD5 functions.*/#define F (x, Y, Z) (((x) & (y)) | ((~x) & (z))) #define G (x, Y, Z) (((x) & (z)) | ((y) & (~z)) #define H (x, Y, z) ((x) ^ (y) ^ (z)) #define I (x, Y, z) ((y) ^ ((x) | (~z))) /* Rotate_left rotates x left n bits.*/#define ROTATE_LEFT (x, N) (((x) << (n)) |   ((x) >> (32-(n)))/* FF, GG, HH, and II transformations for Rounds 1, 2, 3, and 4. Rotation is separate from addition to prevent recomputation.*/#define FF (A, B, C, D, X, S, ac) {(a) + = F ((b), (c), (d    )) + (x) + (UINT4) (AC);    (a) = Rotate_left ((a), (s)); (a) + = (b);    } #define GG (A, B, C, D, X, S, ac) {(a) + = G ((b), (c), (d)) + (x) + (UINT4) (AC);    (a) = Rotate_left ((a), (s)); (a) + = (b);    } #define HH (A, B, C, D, X, S, ac) {(a) + = H ((b), (c), (d)) + (x) + (UINT4) (AC);    (a) = Rotate_left ((a), (s)); (a) + = (b);    } #define II (A, B, C, D, X, S, ac) {(a) + = I ((b), (c), (d)) + (x) + (UINT4) (AC);    (a) = Rotate_left ((a), (s)); (a) + = (b); }/* MD5 initialization. Begins an MD5 operation, writing a new context. *//* initializes the structure of the MD5 */void md5init (Md5_ctx *cOntext) {/* The length of the current valid information is set to 0, this is very simple, there is no valid information, the length of course is 0 */context->count[0] = context->count[1] = 0;   /* Load Magic Initialization constants.*//* Initialize the link variable, the algorithm requires this, this does not explain the */context->state[0] = 0x67452301;   CONTEXT-&GT;STATE[1] = 0xefcdab89;   CONTEXT-&GT;STATE[2] = 0x98badcfe; CONTEXT-&GT;STATE[3] = 0x10325476;} /* MD5 block update operation. Continues an MD5 message-digest operation, processing another message block, and updating the context. *//* will communicate with the encrypted information to the MD5 structure, you can call the context multiple times: initialized the MD5 structure input: To encrypt the information can be arbitrarily long inputlen: Specify the length of input */void md5update (MD5_CTX * context,unsigned char * input,unsigned int inputlen) {unsigned int i, index, partlen;/* Compute number of bytes MoD 64 */ /* Calculate the number of bits-length bytes of the information already in the modulus, 64bytes=512bits. Used to determine whether the total length of the existing information and the current transmission of information can reach 512bits, if you can reach the 512bits to do a processing */index = (unsigned int) ((context->count[0] >> 3) & 0x3F);/* Update number of bits *//* updates the bits length */if ((context->count[0] + = ((UINT4) Inputlen << 3) of the information available < ((UINT4) Inputlen << 3))  CONTEXT-&GT;COUNT[1]++;CONTEXT-&GT;COUNT[1] + = ((UINT4) Inputlen >> 29);/* Calculates the length of bytes that are already in the number of bytes that can be rounded up to 64 of the whole multiples */partlen   = 64-index;/* Transform As many times as possible.   *//* If the number of bytes currently entered is greater than the length of the number of bytes already in the byte count, the number of bytes in the 64-byte integer difference */if (inputlen >= partlen) {/* complements the contents of Context->buffer with the current input 512bits*/   r_memcpy ((POINTER) &context->buffer[index], (POINTER) input, Partlen); /* Use the basic function to convert filled 512bits (already saved to Context->buffer) and convert the results to Context->state */Md5transform (context->state, Context->buffer)/* Convert the remaining bytes of the current input (if the remaining bytes < in input buffer > greater than 512bits), the conversion result is saved to context->state */for (i = Partlen; i + < Inputlen;         i + = 64)//* Change I+63<inputlen to I+64<=inputlen easier to understand */Md5transform (context->state, &input[i]);     index = 0; } else I = 0;/* buffer remaining input *//* fills the remaining contents of the input buffer with insufficient fill 512bits into the context->buffer, leaving it for later processing */r_memcpy (point ER) &context->buffer[index], (POINTER) &input[i], inputlen-i);} /* MD5 finalization. Ends an MD5 message-dIgest operation, writing the message digest and zeroizing the context. *//* get the final result of the Encryption Digest: Save the final cryptographic string context: you initialized and filled in the information MD5 structure */void md5final (unsigned char digest[16],md5_ctx *context) { unsigned char bits[8];unsigned int index, padlen;/* Save number of bits *//* the information to be converted (all) bits length is copied to bits in */encode (Bits, CO Ntext->count, 8);/* Pad out to 64 mod. *//* calculates the modulus of bytes for all bits length, 64bytes=512bits*/index = (unsigned int) ((Context->count[0] >> 3) & 0x3f);/* Calculate the number of bytes that need to be populated, Padlen the value range between 1-64 */padlen = (Index < 56)? (56-index): (120-index);/* This time the function call will never again cause Md5transform to be called, because this time it will not fill 512bits*/md5update (context, PADDING, padlen);/* Append length (before padding) *//* to fill the original information bits length (bits length fixed with 64bits), this time can happen to gather enough 512bits, not much and not less */md5update (context, BITS, 8);/* Store State in Digest *//* saves the final result to digest. OK, finally finished */encode (Digest, context->state, +);/* Zeroize sensitive information. */r_memset ((POINTER) context, 0, sizeof (*context)); /* MD5 basic transformation. Transforms State Based on block. *//* 512bits information (that is, the block buffer) is processed one time, each processing including the four-wheel STATE[4]:MD5 structure state[4], for the preservation of 512bits information Encryption intermediate results or final results block[64] : 512bits information to encrypt */static void Md5transform (UINT4 state[4], unsigned char block[64]) {UINT4 a = state[0], B = state[1], C = s TATE[2], d = state[3], x[16];D Ecode (x, block, +);/* Round 1 */ff (A, B, C, D, x[0], S11, 0xd76aa478); /* 1 */ff (d, a, B, C, x[1], S12, 0xe8c7b756); /* 2 */FF (c, D, a, B, x[2], S13, 0x242070db); /* 3 */ff (b, C, D, A, x[3], S14, 0xc1bdceee); /* 4 */ff (A, B, C, D, x[4], S11, 0XF57C0FAF); /* 5 */ff (d, a, B, C, x[5], S12, 0x4787c62a); /* 6 */ff (c, D, a, B, x[6], S13, 0xa8304613); /* 7 */ff (b, C, D, A, x[7], S14, 0xfd469501); /* 8 */ff (A, B, C, D, x[8], S11, 0X698098D8); /* 9 */ff (d, a, B, C, x[9], S12, 0X8B44F7AF); /* */FF (c, D, a, B, x[10], S13, 0XFFFF5BB1); /* One */ff (b, C, D, A, x[11], S14, 0x895cd7be); /* */FF (A, B, C, D, X[12], S11, 0x6b901122); /* */FF (D, a, B, C, x[13], S12, 0xfd987193); /* */FF (c, D, a, B, x[14], S13, 0xa679438e); /* */FF (b, C, D, A, x[15], S14, 0x49b40821); /* *//* Round 2 */gg (A, B, C, D, x[1], S21, 0xf61e2562); /* */GG (D, a, B, C, x[6], S22, 0xc040b340); /* */GG (c, D, a, B, x[11], S23, 0x265e5a51); /* */GG (b, C, D, A, x[0], S24, 0XE9B6C7AA); /* */GG (A, B, C, D, x[5], S21, 0xd62f105d); /* */GG (D, a, B, C, x[10], S22, 0x2441453); /* */GG (c, D, a, B, x[15], S23, 0xd8a1e681); /* */GG (b, C, D, A, x[4], S24, 0XE7D3FBC8); /* */GG (A, B, C, D, x[9], S21, 0x21e1cde6); /* */GG (D, a, B, C, x[14], S22, 0XC33707D6); /* */GG (c, D, a, B, x[3], S23, 0xf4d50d87); /* */GG (b, C, D, A, x[8], S24, 0x455a14ed); /* */GG (A, B, C, D, X[13], S21, 0xa9e3e905); /* */GG (D, a, B, C, x[2], S22, 0XFCEFA3F8); /* */GG (c, D, a, B, x[7], S23, 0X676F02D9); /* */GG (b, C, D, A, x[12], S24, 0x8d2a4c8a); /* *//* Round 3 */hh (A, B, C, D, x[5], S31, 0xfffa3942); /* */HH (D, a, B, C, x[8], S32, 0x8771f681); /* */HH (c, D, a, B, x[11], S33, 0x6d9d6122); /* */hH (b, C, D, A, x[14], S34, 0xfde5380c); /* */HH (A, B, C, D, x[1], S31, 0xa4beea44); /* PNs */hh (d, a, B, C, x[4], S32, 0x4bdecfa9); /* */HH (c, D, a, B, x[7], S33, 0xf6bb4b60); /* */HH (b, C, D, A, x[10], S34, 0XBEBFBC70); /* */HH (A, B, C, D, X[13], S31, 0X289B7EC6); /* */HH (D, a, B, C, x[0], S32, 0XEAA127FA); /* */HH (c, D, a, B, x[3], S33, 0xd4ef3085); /* */HH (b, C, D, A, x[6], S34, 0X4881D05); /* */HH (A, B, C, D, x[9], S31, 0xd9d4d039); /* */HH (D, a, B, C, x[12], S32, 0xe6db99e5); /* */HH (c, D, a, B, x[15], S33, 0X1FA27CF8); /* */HH (b, C, D, A, x[2], S34, 0xc4ac5665); /* *//* Round 4 */ii (A, B, C, D, x[0], S41, 0xf4292244); /* */II (D, a, B, C, x[7], S42, 0X432AFF97); /* */II (c, D, a, B, x[14], S43, 0XAB9423A7); /* Wuyi */ii (b, C, D, A, x[5], S44, 0xfc93a039); /* */II (A, B, C, D, X[12], S41, 0X655B59C3); /* */II (D, a, B, C, x[3], S42, 0x8f0ccc92); /* */II (c, D, a, B, x[10], S43, 0xffeff47d); /* */II (b, C, D, A, x[1], S44,0X85845DD1); /* */II (A, B, C, D, x[8], S41, 0x6fa87e4f); /* */II (D, a, B, C, x[15], S42, 0XFE2CE6E0); /* */II (c, D, a, B, x[6], S43, 0xa3014314); /* */II (b, C, D, A, x[13], S44, 0X4E0811A1); /* */II (A, B, C, D, x[4], S41, 0xf7537e82); /* */II (D, a, B, C, x[11], S42, 0xbd3af235); /* */II (c, D, a, B, x[2], S43, 0X2AD7D2BB); /* */II (b, C, D, A, x[9], S44, 0xeb86d391); /* */state[0] + = a;state[1] + + b;state[2] + c;state[3] + = d;/* zeroize sensitive information. */r_memset ((POINTER) x, 0, sizeof (x)); /* encodes input (UINT4) into output (unsigned char). Assumes Len is a multiple of 4. *//* copy a 4-byte integer to a buffer in character form output: The character buffer for the input: the length of the array len:output buffer that is to be converted into an integer form of four bytes, which requires an integer multiple of 4 */static void Encode ( unsigned char *output, UINT4 *input,unsigned int len) {unsigned int i, j;for (i = 0, j = 0; j < Len; i++, J + = 4) {O   UTPUT[J] = (unsigned char) (Input[i] & 0xff);   OUTPUT[J+1] = (unsigned char) ((Input[i] >> 8) & 0xff); OUTPUT[J+2] = (unsigned char) ((Input[i] >>) & 0xff); OUTPUT[J+3] = (unsigned char) ((Input[i] >>) & 0xff);}} /* Decodes input (unsigned char) into output (UINT4). Assumes Len is a multiple of 4. *//* In contrast to the above function, the data in a string-like buffer is copied to a 4-byte integer (that is, saved as an integer) output: Save the converted integer input: the character buffer to convert Len: the length of the input character buffer, which requires an integer multiple of 4 */  static void Decode (UINT4 *output, unsigned char *input,unsigned int len) {unsigned int i, j;for (i = 0, j = 0; j < Len; i++, J + = 4) output[i] = ((UINT4) input[j]) |    (((UINT4) input[j+1]) << 8) | (((UINT4) input[j+2]) << 16) | (((UINT4) input[j+3]) << 24);}

　　

Md5test.cpp:Defines the entry point for the console application.//#include "stdafx.h" #include "string.h" int main (int ARGC, char* argv[]) {md5_ctx MD5; Md5init (&MD5);                          Initialize the structure for MD5 encryption unsigned char encrypt[200];      stored in encrypted information unsigned char decrypt[17];        Store the encrypted result scanf ("%s", encrypt);                  Enter the encrypted character md5update (&md5,encrypt,strlen ((char *) encrypt));    Encrypt the characters you want to encrypt md5final (DECRYPT,&MD5);                                             Get the final result printf ("Before Encryption:%s\n encrypted:", encrypt); for (int i=0;i<16;i++)   printf ("%2x", Decrypt[i]);p rintf ("\n\n\n encryption ends !\n "); return 0;}

　　

MD5 Algorithm Analysis