Editing MD4 (section)

{{Short description|Cryptographic hash function}}
{{Infobox cryptographic hash function
| name = MD4
| image =
| caption =
<!-- General -->
| designers = [[Ronald Rivest]]
| publish date = October 1990<ref>{{cite web|url=http://tools.ietf.org/html/rfc1186 |title=The MD4 Message Digest Algorithm |publisher=Network Working Group |date=October 1990 |access-date=2011-04-29 |last1=Rivest |first1=Ronald L. }}</ref>
| series = [[MD2 (cryptography)|MD2]], MD4, [[MD5]], [[MD6]]
| derived from =
| derived to =
| related to =
| certification =
<!-- Detail -->
| digest size = 128 bits
| block size = 512 bits
| structure =
| rounds = 3
| cryptanalysis =
A collision attack published in 2007 can find collisions for full MD4 in less than two hash operations.<ref name=sasaki-2007 />
}}

The '''MD4 Message-Digest Algorithm''' is a [[cryptographic hash function]] developed by [[Ronald Rivest]] in 1990.<ref name="drt">{{cite web |url=http://www.rsa.com/rsalabs/node.asp?id=2253 |title=What are MD2, MD4, and MD5? |access-date=2011-04-29 |publisher=RSA Laboratories |work=Public-Key Cryptography Standards (PKCS): PKCS #7: Cryptographic Message Syntax Standard: 3.6 Other Cryptographic Techniques: 3.6.6 What are MD2, MD4, and MD5? |url-status=dead |archive-url=https://web.archive.org/web/20110901034903/http://www.rsa.com/rsalabs/node.asp?id=2253 |archive-date=2011-09-01 }}</ref> The digest length is 128 bits. The algorithm has influenced later designs, such as the [[MD5]], [[SHA-1]] and [[RIPEMD]] algorithms. The initialism "MD" stands for "Message Digest".

[[Image:MD4.svg|right|thumbnail|300px|One MD4 operation. MD4 consists of 48 of these operations, grouped in three rounds of 16 operations. ''F'' is a nonlinear function; one function is used in each round. ''M<sub>i</sub>'' denotes a 32-bit block of the message input, and ''K<sub>i</sub>'' denotes a 32-bit constant, different for each round.]]

The security of MD4 has been severely compromised. The first full [[collision attack]] against MD4 was published in 1995, and several newer attacks have been published since then. As of 2007, an attack can generate collisions in less than two MD4 hash operations.<ref name=sasaki-2007>{{cite journal |author=Yu Sasaki|year=2007 |title=New message difference for MD4 |url=https://www.iacr.org/archive/fse2007/45930331/45930331.pdf|display-authors=etal}}</ref> A theoretical [[preimage attack]] also exists.

A variant of MD4 is used in the [[Ed2k: URI scheme|ed2k URI scheme]] to provide a unique identifier for a file in the popular eDonkey2000 / eMule P2P networks. MD4 was also used by the [[rsync]] protocol (prior to version 3.0.0).

MD4 is used to compute [[NTLM]] password-derived key digests on Microsoft Windows NT, XP, Vista, 7, 8, 10 and 11.<ref name="ntlm">{{cite web |url=http://msdn.microsoft.com/en-us/library/cc236715(v=PROT.10).aspx |title=5.1 Security Considerations for Implementors |access-date=2011-07-21 |quote=Deriving a key from a password is as specified in [RFC1320] and [FIPS46-2].}}</ref>