This document specifies a 224-bit one-way hash function, called SHA-224. The National Institute of Standards and Technology (NIST) announced the FIPS 180-2 Change Notice on February 28, 2004 which specifies the SHA-224 one-way hash function. One-way hash functions are also known as message digests. SHA-224 is based on SHA-256, the 256-bit one-way hash function already specified by NIST [SHA2]. Computation of a SHA-224 hash value is two steps. First, the SHA-256 hash value is computed, except that a different initial value is used. Second, the resulting 256-bit hash value is truncated to 224 bits.
NIST is developing guidance on cryptographic key management, and NIST recently published a draft for comment [NISTGUIDE]. Five security levels are discussed in the guidance: 80, 112, 128, 192, and 256 bits of security. One-way hash functions are available for all of these levels except one. SHA-224 fills this void. SHA-224 is a one-way hash function that provides 112 bits of security, which is the generally accepted strength of Triple-DES [3DES].
This document makes the SHA-224 one-way hash function specification available to the Internet community, and it publishes the object identifiers for use in ASN.1-based protocols.
Housley Informational [Page 1]
RFC 3874 A 224-bit One-way Hash Function: SHA-224 September 2004
Since SHA-224 is based on SHA-256, roughly the same amount of effort is consumed to compute a SHA-224 or a SHA-256 digest message digest value. Even though SHA-224 and SHA-256 have roughly equivalent computational complexity, SHA-224 is an appropriate choice for a one-way hash function that provides 112 bits of security. The use of a different initial value ensures that a truncated SHA-256 message digest value cannot be mistaken for a SHA-224 message digest value computed on the same data.
Some usage environments are sensitive to every octet that is transmitted. In these cases, the smaller (by 4 octets) message digest value provided by SHA-224 is important.
These observations lead to the following guidance:
* When selecting a suite of cryptographic algorithms that all offer 112 bits of security strength, SHA-224 is an appropriate choice for one-way hash function.
* When terseness is not a selection criteria, the use of SHA-256 is a preferred alternative to SHA-224.
SHA-224 may be used to compute a one-way hash value on a message whose length less than 2^64 bits.
SHA-224 makes use of SHA-256 [SHA2]. To compute a one-way hash value, SHA-256 uses a message schedule of sixty-four 32-bit words, eight 32-bit working variables, and produces a hash value of eight 32-bit words.
The function is defined in the exact same manner as SHA-256, with the following two exceptions:
First, for SHA-224, the initial hash value of the eight 32-bit working variables, collectively called H, shall consist of the following eight 32-bit words (in hex):
Housley Informational [Page 2]
RFC 3874 A 224-bit One-way Hash Function: SHA-224 September 2004
Second, SHA-224 simply makes use of the first seven 32-bit words in the SHA-256 result, discarding the remaining 32-bit words in the SHA-256 result. That is, the final value of H is used as follows, where || denotes concatenation:
NIST has assigned an ASN.1 [X.208-88, X.209-88] object identifier for SHA-224. Some protocols use object identifiers to name one-way hash functions. One example is CMS [CMS]. Implementations of such protocols that make use of SHA-224 MUST use the following object identifier.
One-way hash functions are typically used with other cryptographic algorithms, such as digital signature algorithms and keyed-hash message authentication codes, or in the generation of random values. When a one-way hash function is used in conjunction with another algorithm, there may be requirements specified elsewhere that require the use of a one-way hash function with a certain number of bits of security. For example, if a message is being signed with a digital signature algorithm that provides 128 bits of security, then that signature algorithm may require the use of a one-way hash algorithm that also provides the same number of bits of security. SHA-224 is intended to provide 112 bits of security, which is the generally accepted strength of Triple-DES [3DES].
This document is intended to provide the SHA-224 specification to the Internet community. No independent assertion of the security of this one-way hash function is intended by the author for any particular use. However, as long as SHA-256 provides the expected security, SHA-224 will also provide its expected level of security.
This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.
This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/S HE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the IETF's procedures with respect to rights in IETF Documents can be found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf- firstname.lastname@example.org.
Funding for the RFC Editor function is currently provided by the Internet Society.