Manage Learn to apply best practices and optimize your operations.

MD5 vs. RC4

In this Ask the Expert Q&A our application security expert compares the MD5 encryption algorithm against its competitor RC4 and examines the security features of each.

I have to choose between two applications that use different encryption algorithms. Both use 128-bit encryption, but the one uses the MD5 algorithm and the other uses the RC4 algorithm. Which is more secure?
These two algorithms serve different purposes. MD5 (Message Digest 5) is a cryptographic one-way hash function, which produces a hash of a message. RC4 is a symmetric key stream cipher, which uses the same key for encryption and decryption. Confidence in the security of MD5 is on the wane and Microsoft banned its use in new products this year due to the increasing sophistication of cryptanalysis attacks. MD5 was developed at MIT in the early 1990s and is used to create digital signatures and verify the integrity of information to ensure that it hasn't been tampered with. However, it has been shown that collisions can be found in the MD5 function and with the resources available to a large botnet, a realistic attack could be launched in the near future.

The RC4 algorithm was designed by Ron Rivest of RSA Security in 1987 and is most commonly used to protect Internet...

traffic using the SSL (Secure Sockets Layer) protocol. Stream ciphers can be thought of as seeded random number generators -- the seed being the key -- with the random numbers being combined with the plain text to generate ciphertext. With RSA keys, it is important to use the 128-bit version, because the 40-bit version can be exploited. Also, ensure that the application follows the recommended practice for key generation. With stream ciphers, it's important to generate a new key for each piece of encrypted data, otherwise an attacker can mount a successful attack by analyzing a large number of messages encrypted with the same key. Poor implementation of key generation has resulted in successful attacks against WEP (Wired Equivalent Privacy) systems. The recommended solution to the flaws in WEP is to switch to Wi-Fi Protected Access (WPA or WPA2). WPA uses the Temporal Key Integrity Protocol (TKIP), which dynamically changes keys as the system is used.

This was last published in November 2005

Dig Deeper on Email and Messaging Threats-Information Security Threats