Editing MD2 (hash function) (section)

==Security==
Rogier and Chauvaud presented in 1995<ref name="Rogier Chauvaud 1995" /> collisions of MD2's [[One-way compression function|compression function]], although they were unable to extend the attack to the full MD2. The described collisions was published in 1997.<ref name="Rogier Chauvaud 1997" />

In 2004, MD2 was shown to be vulnerable to a [[preimage attack]] with [[time complexity]] equivalent to 2<sup>104</sup> applications of the compression function.<ref name="Muller 2004" /> The author concludes, "MD2 can no longer be considered a secure one-way hash function".

In 2008, MD2 has further improvements on a [[preimage attack]] with [[time complexity]] of 2<sup>73</sup> compression function evaluations and memory requirements of 2<sup>73</sup> message blocks.<ref name="Thomsen 2008" />

In 2009, MD2 was shown to be vulnerable to a [[collision attack]] with [[time complexity]] of 2<sup>63.3</sup> compression function evaluations and memory requirements of 2<sup>52</sup> hash values.  This is slightly better than the [[birthday attack]] which is expected to take 2<sup>65.5</sup> compression function evaluations.<ref name="Knudsen et al 2009" />

In 2009, security updates were issued disabling MD2 in [[OpenSSL]], [[GnuTLS]], and [[Network Security Services]].<ref>{{CVE|2009-2409}}</ref>