Vigil Security
September 2004
A 224bit Oneway Hash Function: SHA224
Status of this Memo

This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.
Copyright Notice

Copyright © The Internet Society (2004).
Abstract

This document specifies a 224bit oneway hash function, called SHA224. SHA224 is based on SHA256, but it uses a different initial value and the result is truncated to 224 bits.
1. Introduction

This document specifies a 224bit oneway hash function, called SHA224. The National Institute of Standards and Technology (NIST) announced the FIPS 1802 Change Notice on February 28, 2004 which specifies the SHA224 oneway hash function. Oneway hash functions are also known as message digests. SHA224 is based on SHA256, the 256bit oneway hash function already specified by NIST [SHA2]. Computation of a SHA224 hash value is two steps. First, the SHA256 hash value is computed, except that a different initial value is used. Second, the resulting 256bit hash value is truncated to 224 bits.
NIST is developing guidance on cryptographic key management, and NIST recently published a draft for comment [NISTGUIDE]. Five security levels are discussed in the guidance: 80, 112, 128, 192, and 256 bits of security. Oneway hash functions are available for all of these levels except one. SHA224 fills this void. SHA224 is a oneway hash function that provides 112 bits of security, which is the generally accepted strength of TripleDES [3DES].
This document makes the SHA224 oneway hash function specification available to the Internet community, and it publishes the object identifiers for use in ASN.1based protocols.
1.1. Usage Considerations

Since SHA224 is based on SHA256, roughly the same amount of effort is consumed to compute a SHA224 or a SHA256 digest message digest value. Even though SHA224 and SHA256 have roughly equivalent computational complexity, SHA224 is an appropriate choice for a oneway hash function that provides 112 bits of security. The use of a different initial value ensures that a truncated SHA256 message digest value cannot be mistaken for a SHA224 message digest value computed on the same data.
Some usage environments are sensitive to every octet that is transmitted. In these cases, the smaller (by 4 octets) message digest value provided by SHA224 is important.
These observations lead to the following guidance:
 When selecting a suite of cryptographic algorithms that all offer 112 bits of security strength, SHA224 is an appropriate choice for oneway hash function.
 When terseness is not a selection criteria, the use of SHA256 is a preferred alternative to SHA224.
1.2. Terminology

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [STDWORDS].
2. SHA224 Description

SHA224 may be used to compute a oneway hash value on a message whose length less than 2^64 bits.
SHA224 makes use of SHA256 [SHA2]. To compute a oneway hash value, SHA256 uses a message schedule of sixtyfour 32bit words, eight 32bit working variables, and produces a hash value of eight 32bit words.
The function is defined in the exact same manner as SHA256, with the following two exceptions:

First, for SHA224, the initial hash value of the eight 32bit working variables, collectively called H, shall consist of the following eight 32bit words (in hex):
H_0 = c1059ed8 H_4 = ffc00b31 H_1 = 367cd507 H_5 = 68581511 H_2 = 3070dd17 H_6 = 64f98fa7 H_3 = f70e5939 H_7 = befa4fa4

Second, SHA224 simply makes use of the first seven 32bit words in the SHA256 result, discarding the remaining 32bit words in the SHA256 result. That is, the final value of H is used as follows, where  denotes concatenation:
H_0  H_1  H_2  H_3  H_4  H_5  H_6

3. Test Vectors

This section includes three test vectors. These test vectors can be used to test implementations of SHA224.
3.1. Test Vector #1

Let the message to be hashed be the 24bit ASCII string "abc", which is equivalent to the following binary string:


 01100010 01100011

The SHA224 hash value (in hex):

23097d22 3405d822 8642a477 bda255b3 2aadbce4 bda0b3f7 e36c9da7

3.2. Test Vector #2

Let the message to be hashed be the 448bit ASCII string "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq".
The SHA224 hash value is (in hex):

75388b16 512776cc 5dba5da1 fd890150 b0c6455c b4f58b19 52522525

3.3. Test Vector #3

Let the message to be hashed be the binarycoded form of the ASCII string which consists of 1,000,000 repetitions of the character "a".
The SHA224 hash value is (in hex):


 980c91d8 bbb4c1ea 97618a4b f03f4258 1948b2ee 4ee7ad67


4. Object Identifier

NIST has assigned an ASN.1 [X.20888, X.20988] object identifier for SHA224. Some protocols use object identifiers to name oneway hash functions. One example is CMS [CMS]. Implementations of such protocols that make use of SHA224 MUST use the following object identifier.
idsha224 OBJECT IDENTIFIER ::= { jointisoitut(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) sha224(4) }
5. Security Considerations

Oneway hash functions are typically used with other cryptographic algorithms, such as digital signature algorithms and keyedhash message authentication codes, or in the generation of random values. When a oneway hash function is used in conjunction with another algorithm, there may be requirements specified elsewhere that require the use of a oneway hash function with a certain number of bits of security. For example, if a message is being signed with a digital signature algorithm that provides 128 bits of security, then that signature algorithm may require the use of a oneway hash algorithm that also provides the same number of bits of security. SHA224 is intended to provide 112 bits of security, which is the generally accepted strength of TripleDES [3DES].
This document is intended to provide the SHA224 specification to the Internet community. No independent assertion of the security of this oneway hash function is intended by the author for any particular use. However, as long as SHA256 provides the expected security, SHA224 will also provide its expected level of security.
6. References
6.1. Normative References

[SHA2] Federal Information Processing Standards Publication (FIPS PUB) 1802, Secure Hash Standard, 1 August 2002. [STDWORDS] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
6.2. Informative References

[3DES] American National Standards Institute. ANSI X9.521998, Triple Data Encryption Algorithm Modes of Operation. 1998. [CMS] Housley, R., "Cryptographic Message Syntax (CMS)", RFC 3852, July 2004.
[NISTGUIDE] National Institute of Standards and Technology. Second
Draft: "Key Management Guideline, Part 1: General Guidance." June 2002. [http://csrc.nist.gov/encryption/kms/guideline1.pdf] [X.20888] CCITT Recommendation X.208: Specification of Abstract Syntax Notation One (ASN.1). 1988. [X.20988] CCITT Recommendation X.209: Specification of Basic Encoding Rules for Abstract Syntax Notation One (ASN.1). 1988.
7. Acknowledgments

Many thanks to Jim Schaad for generating the test vectors. A second implementation by Brian Gladman was used to confirm that the test vectors are correct.
8. Author's Address

Russell Housley
Vigil Security, LLC
918 Spring Knoll Drive
Herndon, VA 20170
USAEMail:
housley@vigilsec.com
9. Full Copyright Statement

Copyright © The Internet Society (2004).
This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.
This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/S HE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property

The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the IETF's procedures with respect to rights in IETF Documents can be found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF online IPR repository at http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf ipr@ietf.org.
Acknowledgement

Funding for the RFC Editor function is currently provided by the Internet Society.