MD2 and MD4

We strongly advise that MD2 and MD4 should not be used.

While support for MD2 and MD4 algorithms is provided, their use should be avoided.

Collision of MD2 can be found with 216 computational time. This will reduce the strength of any signature scheme that MD2 is used in. As well, a 73-bit level preimage attack is known which will reduce the secrecy of messages hashed using MD2.

Use of MD2 should be limited to handling legacy certificates, and these certificates should be replaced with SHA-1– or SHA-2–based certificates as soon as possible.

It has been shown that collisions on MD4 can be hand calculated.

Use of MD4 should be limited to handling legacy certificates, and these certificates should be replaced with SHA-1– or SHA-2–based certificates as soon as possible.

Parent topic: Recommendation on the use of Hash Algorithms