Add a note about the insecurity of MD4 and potential vulnerability of

MD5 to similar attacks.

1 files changed, 24 insertions, 4 deletions

diff --git a/lib/libmd/mdX.3 b/lib/libmd/mdX.3
index 21e4d45875e2..b4ddba9636f9 100644
--- a/lib/libmd/mdX.3
+++ b/lib/libmd/mdX.3
@@ -6,9 +6,9 @@
 .\" this stuff is worth it, you can buy me a beer in return.   Poul-Henning Kamp
 .\" ----------------------------------------------------------------------------
 .\"
-.\" 	$Id: mdX.3,v 1.12 1998/03/19 07:34:12 charnier Exp $
+.\" 	$Id: mdX.3,v 1.13 1998/03/27 10:22:07 phk Exp $
 .\"
-.Dd October 9, 1996
+.Dd February 11, 1999
 .Dt MDX 3
 .Os FreeBSD 2
 .Sh NAME
@@ -47,8 +47,13 @@ input.
 .Pp
 MD2 is the slowest, MD4 is the fastest and MD5 is somewhere in the middle.
 MD2 can only be used for Privacy-Enhanced Mail.
-MD4 has been criticized for being too weak, so MD5 was developed in
-response as ``MD4 with safety-belts''.  When in doubt, use MD5.
+MD4 has now been broken; it should only be used where necessary for
+backward compatibility.
+MD5 has not yet (1999-02-11) been broken, but sufficient attacks have been
+made that its security is in some doubt.  The attacks on both MD4 and MD5
+are both in the nature of finding ``collisions'' \- that is, multiple
+inputs which hash to the same value; it is still unlikely for an attacker
+to be able to determine the exact original input given a hash value.
 .Pp
 The
 .Fn MDXInit ,
@@ -124,6 +129,21 @@ argument is non-null it must point to at least 33 characters of buffer space.
 .Rs
 .%A RSA Laboratories 
 .%T Frequently Asked Questions About today's Cryptography
+.%O \&<http://www.rsa.com/rsalabs/faq/>
+.Re
+.Rs
+.%A H. Dobbertin
+.%T Alf Swindles Ann
+.%J CryptoBytes
+.%N 1(3):5
+.%D 1995
+.Re
+.Rs
+.%A MJ. B. Robshaw
+.%T On Recent Results for MD2, MD4 and MD5
+.%J RSA Laboratories Bulletin
+.%N 4
+.%D November 12, 1996
 .Re
 .Sh AUTHORS
 The original MDX routines were developed by