summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc3874.txt
diff options
context:
space:
mode:
Diffstat (limited to 'doc/rfc/rfc3874.txt')
-rw-r--r--doc/rfc/rfc3874.txt339
1 files changed, 339 insertions, 0 deletions
diff --git a/doc/rfc/rfc3874.txt b/doc/rfc/rfc3874.txt
new file mode 100644
index 0000000..7c3c550
--- /dev/null
+++ b/doc/rfc/rfc3874.txt
@@ -0,0 +1,339 @@
+
+
+
+
+
+
+Network Working Group R. Housley
+Request for Comments: 3874 Vigil Security
+Category: Informational September 2004
+
+
+ A 224-bit One-way Hash Function: SHA-224
+
+Status of this Memo
+
+ This memo provides information for the Internet community. It does
+ not specify an Internet standard of any kind. Distribution of this
+ memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2004).
+
+Abstract
+
+ This document specifies a 224-bit one-way hash function, called
+ SHA-224. SHA-224 is based on SHA-256, but it uses a different
+ initial value and the result is truncated to 224 bits.
+
+1. Introduction
+
+ This document specifies a 224-bit one-way hash function, called
+ SHA-224. The National Institute of Standards and Technology (NIST)
+ announced the FIPS 180-2 Change Notice on February 28, 2004 which
+ specifies the SHA-224 one-way hash function. One-way hash functions
+ are also known as message digests. SHA-224 is based on SHA-256, the
+ 256-bit one-way hash function already specified by NIST [SHA2].
+ Computation of a SHA-224 hash value is two steps. First, the SHA-256
+ hash value is computed, except that a different initial value is
+ used. Second, the resulting 256-bit hash value is truncated to 224
+ bits.
+
+ NIST is developing guidance on cryptographic key management, and NIST
+ recently published a draft for comment [NISTGUIDE]. Five security
+ levels are discussed in the guidance: 80, 112, 128, 192, and 256 bits
+ of security. One-way hash functions are available for all of these
+ levels except one. SHA-224 fills this void. SHA-224 is a one-way
+ hash function that provides 112 bits of security, which is the
+ generally accepted strength of Triple-DES [3DES].
+
+ This document makes the SHA-224 one-way hash function specification
+ available to the Internet community, and it publishes the object
+ identifiers for use in ASN.1-based protocols.
+
+
+
+
+Housley Informational [Page 1]
+
+RFC 3874 A 224-bit One-way Hash Function: SHA-224 September 2004
+
+
+1.1. Usage Considerations
+
+ Since SHA-224 is based on SHA-256, roughly the same amount of effort
+ is consumed to compute a SHA-224 or a SHA-256 digest message digest
+ value. Even though SHA-224 and SHA-256 have roughly equivalent
+ computational complexity, SHA-224 is an appropriate choice for a
+ one-way hash function that provides 112 bits of security. The use of
+ a different initial value ensures that a truncated SHA-256 message
+ digest value cannot be mistaken for a SHA-224 message digest value
+ computed on the same data.
+
+ Some usage environments are sensitive to every octet that is
+ transmitted. In these cases, the smaller (by 4 octets) message
+ digest value provided by SHA-224 is important.
+
+ These observations lead to the following guidance:
+
+ * When selecting a suite of cryptographic algorithms that all offer
+ 112 bits of security strength, SHA-224 is an appropriate choice
+ for one-way hash function.
+
+ * When terseness is not a selection criteria, the use of SHA-256 is
+ a preferred alternative to SHA-224.
+
+1.2. Terminology
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in [STDWORDS].
+
+2. SHA-224 Description
+
+ SHA-224 may be used to compute a one-way hash value on a message
+ whose length less than 2^64 bits.
+
+ SHA-224 makes use of SHA-256 [SHA2]. To compute a one-way hash
+ value, SHA-256 uses a message schedule of sixty-four 32-bit words,
+ eight 32-bit working variables, and produces a hash value of eight
+ 32-bit words.
+
+ The function is defined in the exact same manner as SHA-256, with the
+ following two exceptions:
+
+ First, for SHA-224, the initial hash value of the eight 32-bit
+ working variables, collectively called H, shall consist of the
+ following eight 32-bit words (in hex):
+
+
+
+
+
+Housley Informational [Page 2]
+
+RFC 3874 A 224-bit One-way Hash Function: SHA-224 September 2004
+
+
+ H_0 = c1059ed8 H_4 = ffc00b31
+ H_1 = 367cd507 H_5 = 68581511
+ H_2 = 3070dd17 H_6 = 64f98fa7
+ H_3 = f70e5939 H_7 = befa4fa4
+
+ Second, SHA-224 simply makes use of the first seven 32-bit words
+ in the SHA-256 result, discarding the remaining 32-bit words in
+ the SHA-256 result. That is, the final value of H is used as
+ follows, where || denotes concatenation:
+
+ H_0 || H_1 || H_2 || H_3 || H_4 || H_5 || H_6
+
+3. Test Vectors
+
+ This section includes three test vectors. These test vectors can be
+ used to test implementations of SHA-224.
+
+3.1. Test Vector #1
+
+ Let the message to be hashed be the 24-bit ASCII string "abc", which
+ is equivalent to the following binary string:
+
+ 01100001 01100010 01100011
+
+ The SHA-224 hash value (in hex):
+
+ 23097d22 3405d822 8642a477 bda255b3 2aadbce4 bda0b3f7 e36c9da7
+
+3.2. Test Vector #2
+
+ Let the message to be hashed be the 448-bit ASCII string
+ "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq".
+
+ The SHA-224 hash value is (in hex):
+
+ 75388b16 512776cc 5dba5da1 fd890150 b0c6455c b4f58b19 52522525
+
+3.3. Test Vector #3
+
+ Let the message to be hashed be the binary-coded form of the ASCII
+ string which consists of 1,000,000 repetitions of the character "a".
+
+ The SHA-224 hash value is (in hex):
+
+ 20794655 980c91d8 bbb4c1ea 97618a4b f03f4258 1948b2ee 4ee7ad67
+
+
+
+
+
+
+Housley Informational [Page 3]
+
+RFC 3874 A 224-bit One-way Hash Function: SHA-224 September 2004
+
+
+4. Object Identifier
+
+ NIST has assigned an ASN.1 [X.208-88, X.209-88] object identifier for
+ SHA-224. Some protocols use object identifiers to name one-way hash
+ functions. One example is CMS [CMS]. Implementations of such
+ protocols that make use of SHA-224 MUST use the following object
+ identifier.
+
+ id-sha224 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2)
+ country(16) us(840) organization(1) gov(101)
+ csor(3) nistalgorithm(4) hashalgs(2) sha224(4) }
+
+5. Security Considerations
+
+ One-way hash functions are typically used with other cryptographic
+ algorithms, such as digital signature algorithms and keyed-hash
+ message authentication codes, or in the generation of random values.
+ When a one-way hash function is used in conjunction with another
+ algorithm, there may be requirements specified elsewhere that require
+ the use of a one-way hash function with a certain number of bits of
+ security. For example, if a message is being signed with a digital
+ signature algorithm that provides 128 bits of security, then that
+ signature algorithm may require the use of a one-way hash algorithm
+ that also provides the same number of bits of security. SHA-224 is
+ intended to provide 112 bits of security, which is the generally
+ accepted strength of Triple-DES [3DES].
+
+ This document is intended to provide the SHA-224 specification to the
+ Internet community. No independent assertion of the security of this
+ one-way hash function is intended by the author for any particular
+ use. However, as long as SHA-256 provides the expected security,
+ SHA-224 will also provide its expected level of security.
+
+6. References
+
+6.1. Normative References
+
+ [SHA2] Federal Information Processing Standards Publication
+ (FIPS PUB) 180-2, Secure Hash Standard, 1 August 2002.
+
+ [STDWORDS] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+
+
+
+
+
+
+
+
+Housley Informational [Page 4]
+
+RFC 3874 A 224-bit One-way Hash Function: SHA-224 September 2004
+
+
+6.2. Informative References
+
+ [3DES] American National Standards Institute. ANSI X9.52-1998,
+ Triple Data Encryption Algorithm Modes of Operation.
+ 1998.
+
+ [CMS] Housley, R., "Cryptographic Message Syntax (CMS)", RFC
+ 3852, July 2004.
+
+ [NISTGUIDE] National Institute of Standards and Technology. Second
+ Draft: "Key Management Guideline, Part 1: General
+ Guidance." June 2002.
+ [http://csrc.nist.gov/encryption/kms/guideline-1.pdf]
+
+ [X.208-88] CCITT Recommendation X.208: Specification of Abstract
+ Syntax Notation One (ASN.1). 1988.
+
+ [X.209-88] CCITT Recommendation X.209: Specification of Basic
+ Encoding Rules for Abstract Syntax Notation One (ASN.1).
+ 1988.
+
+7. Acknowledgments
+
+ Many thanks to Jim Schaad for generating the test vectors. A second
+ implementation by Brian Gladman was used to confirm that the test
+ vectors are correct.
+
+8. Author's Address
+
+ Russell Housley
+ Vigil Security, LLC
+ 918 Spring Knoll Drive
+ Herndon, VA 20170
+ USA
+
+ EMail: housley@vigilsec.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Housley Informational [Page 5]
+
+RFC 3874 A 224-bit One-way Hash Function: SHA-224 September 2004
+
+
+9. Full Copyright Statement
+
+ Copyright (C) The Internet Society (2004).
+
+ This document is subject to the rights, licenses and restrictions
+ contained in BCP 78, and except as set forth therein, the authors
+ retain all their rights.
+
+ This document and the information contained herein are provided on an
+ "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/S HE
+ REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE
+ INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR
+ IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
+ THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+ WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Intellectual Property
+
+ The IETF takes no position regarding the validity or scope of any
+ Intellectual Property Rights or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; nor does it represent that it has
+ made any independent effort to identify any such rights. Information
+ on the IETF's procedures with respect to rights in IETF Documents can
+ be found in BCP 78 and BCP 79.
+
+ Copies of IPR disclosures made to the IETF Secretariat and any
+ assurances of licenses to be made available, or the result of an
+ attempt made to obtain a general license or permission for the use of
+ such proprietary rights by implementers or users of this
+ specification can be obtained from the IETF on-line IPR repository at
+ http://www.ietf.org/ipr.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights that may cover technology that may be required to implement
+ this standard. Please address the information to the IETF at ietf-
+ ipr@ietf.org.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+
+
+
+Housley Informational [Page 6]
+