MD4 is a hash function which was designed to be cryptographically secure. Designed by Ron Rivest, MD4 was published in RFC 1186 in October 1990, and later republished in RFC 1320 in 1992 (to coincide with the release of the MD5 specification). MD4 produces a 128-bit hash and is quite similar in structure to MD5. MD4 is very fast, probably one of the fastest cryptographic hash functions in existence. Unfortunately, it is not very secure; several people have demonstrated attacks sufficiently damaging that nobody uses MD4 in security-conscious applications. In fact, MD5 is simply a "beefed up" version of MD4, produced because there were worries as early as 1991 that MD4 wouldn't be secure enough.

MD4 is heavily biased towards x86 processors: little-endian byte orderings are used throughout, everything is done in terms of 32-bit words, and the algorithm is set up to allow good scheduling on x86 machines.
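To make the structure above concrete, here is an added example (not code from the original article) of MD4 written directly from RFC 1320 in Python: the message is consumed as little-endian 32-bit words, run through three rounds of 16 steps over four registers, and emitted little-endian. It assumes only the Python standard library and is checked against the RFC's Appendix A test vectors; it is for study, not for use.

```python
import struct

_MASK = 0xFFFFFFFF


def _rotl(x, n):
    """Rotate a 32-bit word left by n bits."""
    return ((x << n) | (x >> (32 - n))) & _MASK


# The three auxiliary functions of RFC 1320 section 3.4, one per round.
def _f(x, y, z): return (x & y) | (~x & _MASK & z)
def _g(x, y, z): return (x & y) | (x & z) | (y & z)
def _h(x, y, z): return x ^ y ^ z


# Per round: (function, additive constant, order of message words X[k], shifts).
_ROUNDS = (
    (_f, 0x00000000, range(16), (3, 7, 11, 19)),
    (_g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
    (_h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
)


def _compress(state, block):
    """Process one 64-byte block: 48 steps over four 32-bit registers."""
    x = struct.unpack("<16I", block)      # sixteen little-endian 32-bit words
    a, b, c, d = state
    for fn, const, order, shifts in _ROUNDS:
        for i, k in enumerate(order):
            a = _rotl((a + fn(b, c, d) + x[k] + const) & _MASK, shifts[i % 4])
            a, b, c, d = d, a, b, c       # next step updates the next register
    # Add this block's result into the chaining state (mod 2^32).
    return [(s + t) & _MASK for s, t in zip(state, (a, b, c, d))]


def md4(message: bytes) -> bytes:
    """Return the 16-byte MD4 digest of message."""
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    # Padding: one 0x80 byte, zeros up to 56 mod 64, then the message length
    # in bits as a little-endian 64-bit integer.
    padded = message + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    padded += struct.pack("<Q", (len(message) * 8) & 0xFFFFFFFFFFFFFFFF)
    for off in range(0, len(padded), 64):
        state = _compress(state, padded[off:off + 64])
    return struct.pack("<4I", *state)     # the four registers, little-endian


def md4_hex(message: bytes) -> str:
    return md4(message).hex()
```

Note the three places endianness matters: unpacking the block, packing the length, and packing the final state; getting any of them wrong gives a wrong digest.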

Some places where MD4 is or has been used:

  • rsync uses MD4 to find if two files are the same
  • Windows NT hashes user passwords with MD4
  • PKCS #1 supported using MD4 with RSA for a brief time, so theoretically you could create an X.509 certificate that used MD4. That would be a very bad idea security-wise, and most implementations would reject it anyway (though it looks like OpenSSL does know about using MD4 and RSA together).

To some extent, MD4 is still usable if all you need is a one-way function, because while it is definitely possible to generate collisions in MD4, nobody (so far) knows how to invert it in any meaningful way. However, the speed gains from using MD4 probably do not make up for the high risk in using the algorithm for anything, so if you're thinking about using MD4, think again.

For all of the wonderful and amazing details of this algorithm, read RFC 1320, which is the definitive source.