	WHAT IS MD5?

This directory contains source code for the MD5 message-digest algorithm.
Essentially, MD5 reads data and calculates a cryptographic "checksum" that is,
as far as anyone knows today, very hard to duplicate.  Just as traditional
checksums are used to gain confidence that a file has not been accidentally
modified, say when transmitted over a phone line, MD5 is used to gain
confidence that a file has not been *intentionally* modified, say to install
a Trojan horse.

"Very hard" in this case means that currently no one knows how to
modify an arbitrary file without changing its MD5 checksum.
Researchers continues to try, of course, and are making some progress
towards the eventual goal of "breaking" MD5, but it is still considered
quite strong enough for most uses.  If the data you are protecting is
highly valuable then, as always, you should enlist the services of a
competent cryptographer to identify the precise risks from using this or
any other cryptographic algorithm.

MD5.tar.Z is a compressed tar file of all the other files in this directory.


	IS MD5 PATENTED?  DO I NEED A LICENSE TO USE IT?

"No" and "no".

"md5-announcement.txt" is the announcement from RSA Data Security that
MD5 is being placed in the public domain for free general use.
Anyone may write a program implementing the MD5 algorithm for any purpose.

RSA has written a reference implementation which is the source code in
this directory.  This source code is copyrighted by RSA.  Here are the
few copyright restrictions *with using this source code*.  There is no
restriction on any code which implements MD5 that you write yourself.

> Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All
> rights reserved.
>  
> License to copy and use this software is granted provided that it
> is identified as the "RSA Data Security, Inc. MD5 Message-Digest
> Algorithm" in all material mentioning or referencing this software
> or this function.
>  
> License is also granted to make and use derivative works provided
> that such works are identified as "derived from the RSA Data
> Security, Inc. MD5 Message-Digest Algorithm" in all material
> mentioning or referencing the derived work.
>  
> RSA Data Security, Inc. makes no representations concerning either
> the merchantability of this software or the suitability of this
> software for any particular purpose. It is provided "as is"
> without express or implied warranty of any kind.
>  
> These notices must be retained in any copies of any part of this
> documentation and/or software.


	WHY ARE THESE FILES HERE?  WHAT CHANGES HAVE YOU MADE?

"rfc1321.txt" is the RFC that describes in detail the MD5 message-digest
algorithm.  (MD2 is described in RFC1319 and MD4 in RFC1320.)
Unfortunately, the text is formatted for printing so is not directly
compilable (due to page numbers, etc.).  Years ago, to encourage
the use of MD5, I collected these files into a form that could
easily be compiled.  Because one intended use of MD5 is to help detect
modified code, I intentionally made as few modifications to the
original code in the RFC as possible so that it could be easily
compared to the RFC.  There are now other more efficient versions of
MD5 available from other sources and I have taken the liberty to
incorporate a few selected modifications as described below.

The *.[ch] files were taken directly from RFC 1321.
Since the RFC did not include a makefile, I wrote a simple one to
build and test the md5 executable.  Run "make" to just make the
MD5 binary or "make test" to make and test it.

There is a typo in the RFC Appendix A.4 (mddriver.c).
Line 20 sets MD to "MD5" by default, but the code wants
MD to be set to one of "2", "4", or "5".
I put a -DMD=5 in the Makefile to mask this problem so that that
portion of the code itself remains unchanged from what is in RFC 1321.

Ric Anderson, ric@Artisoft.COM, provided a bug fix to the timing test code
that caused a divide by zero aborts on a Sun sparc station-10 running
solaris 2.3.  This fix just corrects only a problem with the timing tests;
no change to the code that implements the actual checksum has been made.

Ric has also provided a man page - "md5.1".  A postscript version
of this man page is in "md5.1.ps" and a text version in "md5.1.txt".

Larry Schwimmer (schwim@cyclone.stanford.edu), Gyula Szokoly
(szgyula@skysrv.Pha.Jhu.EDU), and others sent in fixes to global.h and
mddriver.c so that it would work under OSF/1 and on 64-bit architecture
machines.  On these machines, a "long" is not 4 bytes so
the #define for UINT4 needs to be "int" instead of "long int".

	WHAT ABOUT EXPORT CONTROL?

A question I am often asked is whether or not MD5 can be exported
from the United States.  This is an understandable concern given
the export debate in this country.  The answer is, happily, "yes".
Here is the explanation from the US Department of State with a
reference for those whose lawyers require checking such things:

   "... MD-5, N-HASH, and SHS are 'hashing routines' that perform
   a data authentication function and, by themselves, are not
   controlled for export under the ITAR because cryptographic software
   that is solely limited to a data authentication function is excluded
   from Category XIII(b) of the United States Munitions List.
   See 22 C.F.R. Section 121.1 XIII(b)(vi)."

   Source: Karn v. US Department of State,
   "JOINT STATEMENT OF FACTS NOT IN DISPUTE",
   Civ. A. No. 95-1812(CRR), US District Court for the District of Columbia.


Enjoy!

				-- Jim Ellis (jte@cert.org)
				March 1998
