MD2 is the slowest of the three; MD4 is the fastest. MD5 has been dubbed
``MD4 with safety belts'' by Rivest, since it has a more conservative
design than MD4; the design gives it increased security against attack, but
at a cost of being approximately 33% slower than MD4. MD5 is the most
commonly used of the three algorithms. MD4 and MD5 are publicly available
for unrestricted use; MD2 is available for use with PEM (see Question
3.8.7). Details of MD2, MD4, and MD5 with sample C code are
available in Internet RFCs (Requests For Comments) 1319, 1320, and 1321,
respectively.
No feasible attacks on any of the MD algorithms have been discovered, although some recent theoretical work has found some interesting structural properties.