PKIX Working Group R. Housley
Internet Draft Vigil Security
expires April, 2002 November 2003
A 224-bit One-way Hash Function: SHA-224
<draft-ietf-pkix-sha244-00.txt>
Status of this Memo
This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC 2026. Internet-Drafts are
working documents of the Internet Engineering Task Force (IETF), its
areas, and its working groups. Note that other groups may also
distribute working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Drafts Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
Abstract
This document specifies a 224-bit one-way hash function, called
SHA-224. A SHA-224 has value is simply the truncation of the SHA-256
hash value. SHA-256 is the 256-bit one-way hash function specified
by the National Institute of Standards and Technology (NIST).
Housley [Page 1]
�
INTERNET DRAFT November 2003
1 Introduction
This document specifies a 224-bit one-way hash function, called
SHA-224. One-way hash functions are also known as message digests.
SHA-224 is based on SHA-256, the 256-bit one-way hash function
already specified by the National Institute of Standards and
Technology (NIST) [SHA2]. Computation of a SHA-224 hash value is two
steps. First, the SHA-256 hash value is computed, and then the
resulting hash value is truncated to 224 bits.
NIST is developing guidance on cryptographic key management, and NIST
recently published a draft for comment [NISTGUIDE]. Five security
levels are discussed in the guidance: 80, 112, 128, 192, and 256 bits
of security. One-way hash functions are available for all of these
levels except one. SHA-224 fills this void. SHA-224 is a one-way
hash function that provides 112 bits of security, which is the
generally accepted strength of Triple-DES [3DES].
1.1 Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [STDWORDS].
2 SHA-224 Description
SHA-224 may be used to compute a one-way hash value on a message
whose length less than 2^64 bits.
SHA-224 makes use of SHA-256 [SHA2]. To compute a one-way hash
value, SHA-256 uses a message schedule of sixty-four 32-bit words,
eight 32-bit working variables, and produces a hash value of eight
32-bit words.
SHA-224 simply makes use of the first seven 32-bit words in the
SHA-256 result, discarding the remaining 32-bit word in the SHA-256
result.
3 Test Vectors
This section includes three test vectors. These test vectors can be
used to test implementations of SHA-224.
Housley [Page 2]
�
INTERNET DRAFT November 2003
3.1 Test Vector #1
Let the message to be hashed be the 24-bit ASCII string "abc", which
is equivalent to the following binary string:
01100001 01100010 01100011
The SHA-256 hash value is (in hex):
ba7816bf 8f01cfea 414140de 5dae2223
b00361a3 96177a9c b410ff61 f20015ad
Truncating this value to 224-bits yields the SHA-224 hash value:
ba7816bf 8f01cfea 414140de 5dae2223
b00361a3 96177a9c b410ff61
3.2 Test Vector #2
Let the message to be hashed be the 448-bit ASCII string
"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq".
The SHA-256 hash value is (in hex):
248d6a61 d20638b8 e5c02693 0c3e6039
a33ce459 64ff2167 f6ecedd4 19db06c1
Truncating this value to 224-bits yields the SHA-224 hash value:
248d6a61 d20638b8 e5c02693 0c3e6039
a33ce459 64ff2167 f6ecedd4
3.3 Test Vector #3
Let the message to hashed be the binary-coded form of the ASCII
string which consists of 1,000,000 repetitions of the character "a".
The SHA-256 hash value is (in hex):
cdc76e5c 9914fb92 81a1c7e2 84d73e67
f1809a48 a497200e 046d39cc c7112cd0
Truncating this value to 224-bits yields the SHA-224 hash value:
cdc76e5c 9914fb92 81a1c7e2 84d73e67
f1809a48 a497200e 046d39cc
Housley [Page 3]
�
INTERNET DRAFT November 2003
4 Object Identifier
NIST has assigned an ASN.1 [X.208-88, X.209-88] object identifier for
SHA-224. Some protocols use object identifiers to name one-way hash
functions. One example is CMS [CMS]. Implementations of such
protocols that make use of SHA-224 MUST use the following object
identifier.
id-sha224 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2)
country(16) us(840) organization(1) gov(101)
csor(3) nistalgorithm(4) hashalgs(2) sha224(4) }
5 Normative References
[SHA2] Federal Information Processing Standards Publication
(FIPS PUB) 180-2, Secure Hash Standard, 1 August 2002.
[STDWORDS] Bradner, S., "Key Words for Use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
6 Informative References
[3DES] American National Standards Institute. ANSI X9.52-1998,
Triple Data Encryption Algorithm Modes of Operation.
1998.
[CMS] Housley, R., "Cryptographic Message Syntax (CMS)",
RFC 3369, August 2002.
[NISTGUIDE] National Institute of Standards and Technology. Second
Draft: "Key Management Guideline, Part 1: General
Guidance." June 2002.
[http://csrc.nist.gov/encryption/kms/guideline-1.pdf]
[X.208-88] CCITT Recommendation X.208: Specification of Abstract
Syntax Notation One (ASN.1). 1988.
[X.209-88] CCITT Recommendation X.209: Specification of Basic
Encoding Rules for Abstract Syntax Notation One (ASN.1).
1988.
7 Security Considerations
One-way hash functions are typically used with other cryptographic
algorithms, such as digital signature algorithms and keyed-hash
message authentication codes, or in the generation of random values.
When a one-way hash function is used in conjunction with another
algorithm, there may be requirements specified elsewhere that require
Housley [Page 4]
�
INTERNET DRAFT November 2003
the use of a one-way hash function with a certain number of bits of
security. For example, if a message is being signed with a digital
signature algorithm that provides 128 bits of security, then that
signature algorithm may require the use of a one-way hash algorithm
that also provides the same number of bits of security. SHA-224 is
intended to provide 112 bits of security, which is the generally
accepted strength of Triple-DES [3DES].
This document is intended to provide the SHA-224 specification to the
Internet community. No independent assertion of the security of this
one-way hash function by the author for any particular use is
intended. However, as long as SHA-256 provides the expected
security, SHA-224 will also provide its expected level of security.
8 Intellectual Property Rights
The IETF takes no position regarding the validity or scope of any
intellectual property or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; neither does it represent that it
has made any effort to identify any such rights. Information on the
IETF's procedures with respect to rights in standards-track and
standards-related documentation can be found in BCP-11. Copies of
claims of rights made available for publication and any assurances of
licenses to be made available, or the result of an attempt made to
obtain a general license or permission for the use of such
proprietary rights by implementors or users of this specification can
be obtained from the IETF Secretariat.
7 Author's Address
Russell Housley
Vigil Security, LLC
918 Spring Knoll Drive
Herndon, VA 20170
USA
housley@vigilsec.com
Housley [Page 5]
�
INTERNET DRAFT November 2003
Full Copyright Statement
Copyright (C) The Internet Society (2003). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. In addition, the
ASN.1 modules presented in Appendices A and B may be used in whole or
in part without inclusion of the copyright notice. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process shall be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns. This
document and the information contained herein is provided on an "AS
IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK
FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT
LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL
NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY
OR FITNESS FOR A PARTICULAR PURPOSE.
Housley [Page 6]