In cryptography, MD5 (Message-Digest algorithm 5) is a widely used cryptographic hash function with a 128-bit hash value. As an Internet standard (RFC 1321), MD5 has been employed in a wide variety of security applications, and is also commonly used to check the integrity of files.

MD5 was designed by Ronald Rivest in 1991 to replace an earlier hash function, MD4. In 1996, a flaw was found in the design; while it was not a clearly fatal weakness, cryptographers began to recommend using other algorithms, such as SHA-1 (recent claims suggest that SHA-1 was broken, however). In 2004, more serious flaws were discovered, making further use of the algorithm for security purposes questionable.

It is now known how to generate an MD5 collision, that is, two byte strings with the same hash, with a few hours' work. Since there is a finite number of MD5 outputs (2^128) but an infinite number of possible inputs, it has long been known that such collisions must exist, but it had previously been believed to be impractically difficult to find one. The result is that the MD5 hash of some information no longer uniquely identifies it. If I present you with information such as a public key, its MD5 hash might not uniquely identify it; I may have a second public key with the same MD5 hash.

However, the present attacks require the ability to choose both messages of the collision. They do not make it easy to perform a preimage attack (finding a message with a specified MD5 hash) or a second preimage attack (finding a message with the same MD5 hash as a given message). Thus, old MD5 hashes, made before these attacks were known, are safe for now. In particular, old digital signatures can still be considered reliable.
A user might not wish to generate or trust any new signatures using MD5 if there is any possibility that a small change to the text (the collisions being constructed involve flipping a few bits in a 128-byte section of hash input) would constitute a meaningful change. This assurance is based on the current state of cryptanalysis. The situation may change suddenly, but finding a collision with some pre-existing data is a much more difficult problem, and there should be time for an orderly transition.
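
The gap between finding a collision and finding a second preimage can be measured on a small scale. The following is an added example, not part of the original article: it runs the generic brute-force search (not the 2004 cryptanalytic attack) against MD5 truncated to a few bits, where the truncation, the message strings and the function names are assumptions made for the demonstration.

```python
import hashlib
from itertools import count

def truncated_md5(data: bytes, bits: int) -> int:
    """Toy hash for the demo: the top `bits` bits of the real MD5 digest."""
    digest = int.from_bytes(hashlib.md5(data).digest(), "big")
    return digest >> (128 - bits)

def find_collision(bits: int):
    """Collision: the searcher is free to choose BOTH messages.

    Birthday search, about 2**(bits/2) trials expected. The pigeonhole
    principle guarantees success within 2**bits + 1 distinct messages.
    """
    seen = {}  # truncated hash -> first message that produced it
    for i in count():
        msg = b"constructed-msg-%d" % i
        h = truncated_md5(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg

def find_second_preimage(given: bytes, bits: int):
    """Second preimage: one message is fixed in advance.

    Every trial must hit one specific value, about 2**bits trials expected.
    """
    target = truncated_md5(given, bits)
    for i in count():
        msg = b"constructed-try-%d" % i
        if msg != given and truncated_md5(msg, bits) == target:
            return msg, i + 1

if __name__ == "__main__":
    BITS = 20  # assumption: small enough to finish in seconds
    a, b, n_coll = find_collision(BITS)
    print(f"collision after {n_coll} trials: {a!r} / {b!r}")
    given = b"constructed pre-existing document"  # constructed sample input
    m, n_pre = find_second_preimage(given, BITS)
    print(f"second preimage after {n_pre} trials: {m!r}")
    # Same generic search on the full 128-bit output: ~2**64 vs ~2**128 trials.
```

At 20 bits the collision search typically ends after roughly a thousand trials while the second-preimage search needs on the order of a million, which is the asymmetry the article relies on when it treats pre-existing hashes as still safe.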