WDIFF

draft-ietf-pkix-sha224-01.txt --> rfc3874.txt

PKIX

Network Working Group R. Housley
Internet Draft
Request for Comments: 3874 Vigil Security
Expires in six months March
Category: Informational September 2004

A 224-bit One-way Hash Function: SHA-224

<draft-ietf-pkix-sha224-01.txt>

Status of this Memo

This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC 2026. Internet-Drafts are
working documents of memo provides information for the Internet Engineering Task Force (IETF), its
areas, and its working groups. Note that other groups may also
distribute working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum community. It does
not specify an Internet standard of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

The list kind. Distribution of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. this
memo is unlimited.

Copyright (C) The list of Internet-Drafts Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. Internet Society (2004).

Abstract

This document specifies a 224-bit one-way hash function, called
SHA-224. A SHA-224 is based on SHA-256, but it uses an a different
initial value and the result is truncated to 224 bits.

Housley [Page 1]

INTERNET DRAFT March 2004

1. Introduction

This document specifies a 224-bit one-way hash function, called
SHA-224. The National Institute of Standards and Technology (NIST)
announced on February 28, 2004 the standard FIPS 180-2 Change Notice, Notice on February 28, 2004 which
specifies the SHA-224 one-way hash function. One-way hash functions
are also known as message digests. SHA-224 is based on SHA-256, the
256-bit one-way hash function already specified by NIST [SHA2].
Computation of a SHA-224 hash value is two steps. First, the SHA-256
hash value is computed, except that a different initial value is
used. Second, the resulting 256-bit hash value is truncated to 224
bits.

NIST is developing guidance on cryptographic key management, and NIST
recently published a draft for comment [NISTGUIDE]. Five security
levels are discussed in the guidance: 80, 112, 128, 192, and 256 bits
of security. One-way hash functions are available for all of these
levels except one. SHA-224 fills this void. SHA-224 is a one-way
hash function that provides 112 bits of security, which is the
generally accepted strength of Triple-DES [3DES].

1.1

This document makes the SHA-224 one-way hash function specification
available to the Internet community, and it publishes the object
identifiers for use in ASN.1-based protocols.

Housley Informational [Page 1]

RFC 3874 A 224-bit One-way Hash Function: SHA-224 September 2004

1.1. Usage Considerations

Since SHA-224 is based on SHA-256, roughly the same amount of effort
is consumed to compute a SHA-224 or a SHA-256 digest message digest
value. Even though SHA-224 and SHA-256 have roughly equivalent
computational complexity, SHA-224 is an appropriate choice for a one-
way
one-way hash function that provides 112 bits of security. The use of
a different initial value ensures that a truncated SHA-256 message
digest value cannot be mistaken for a SHA-224 message digest value
computed on the same data.

Some usage environments are sensitive to every octet that is
transmitted. In these cases, the smaller (by 4 octets) message
digest value provided by SHA-224 is important.

These observations lead to the following guidance:

* When selecting a suite of cryptographic algorithms that all offer
112 bits of security strength, SHA-224 is an appropriate choice
for one-way hash function.

* When terseness is not a selection criteria, the use of SHA-256 as is
a preferred alternative to SHA-224.

Housley [Page 2]

INTERNET DRAFT March 2004

1.2

1.2. Terminology

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [STDWORDS].

2. SHA-224 Description

SHA-224 may be used to compute a one-way hash value on a message
whose length less than 2^64 bits.

SHA-224 makes use of SHA-256 [SHA2]. To compute a one-way hash
value, SHA-256 uses a message schedule of sixty-four 32-bit words,
eight 32-bit working variables, and produces a hash value of eight
32-bit words.

The function is defined in the exact same manner as SHA-256, with the
following two exceptions:

First, for SHA-224, the initial hash value of the eight 32-bit
working variables, collectively called H, shall consist of the
following eight 32-bit words (in hex):

Housley Informational [Page 2]

RFC 3874 A 224-bit One-way Hash Function: SHA-224 September 2004

H_0 = c1059ed8 H_4 = ffc00b31
H_1 = 367cd507 H_5 = 68581511
H_2 = 3070dd17 H_6 = 64f98fa7
H_3 = f70e5939 H_7 = befa4fa4

Second, SHA-224 simply makes use of the first seven 32-bit words
in the SHA-256 result, discarding the remaining 32-bit word words in
the SHA-256 result. That is, the final value of H is used as
follows, where || denotes concatenation:

H_0 || H_1 || H_2 || H_3 || H_4 || H_5 || H_6

3. Test Vectors

This section includes three test vectors. These test vectors can be
used to test implementations of SHA-224.

Housley [Page 3]

INTERNET DRAFT March 2004

3.1

3.1. Test Vector #1

Let the message to be hashed be the 24-bit ASCII string "abc", which
is equivalent to the following binary string:

01100001 01100010 01100011

The SHA-224 hash value (in hex):

23097d22 3405d822 8642a477 bda255b3 2aadbce4 bda0b3f7 e36c9da7

3.2

3.2. Test Vector #2

Let the message to be hashed be the 448-bit ASCII string
"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq".

The SHA-224 hash value is (in hex):

75388b16 512776cc 5dba5da1 fd890150 b0c6455c b4f58b19 52522525

3.3

3.3. Test Vector #3

Let the message to be hashed be the binary-coded form of the ASCII
string which consists of 1,000,000 repetitions of the character "a".

The SHA-224 hash value is (in hex):

20794655 980c91d8 bbb4c1ea 97618a4b f03f4258 1948b2ee 4ee7ad67

Housley Informational [Page 3]

RFC 3874 A 224-bit One-way Hash Function: SHA-224 September 2004

4. Object Identifier

NIST has assigned an ASN.1 [X.208-88, X.209-88] object identifier for
SHA-224. Some protocols use object identifiers to name one-way hash
functions. One example is CMS [CMS]. Implementations of such
protocols that make use of SHA-224 MUST use the following object
identifier.

id-sha224 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2)
country(16) us(840) organization(1) gov(101)
csor(3) nistalgorithm(4) hashalgs(2) sha224(4) }

5. Security Considerations

One-way hash functions are typically used with other cryptographic
algorithms, such as digital signature algorithms and keyed-hash
message authentication codes, or in the generation of random values.
When a one-way hash function is used in conjunction with another
algorithm, there may be requirements specified elsewhere that require

Housley [Page 4]

INTERNET DRAFT March 2004
the use of a one-way hash function with a certain number of bits of
security. For example, if a message is being signed with a digital
signature algorithm that provides 128 bits of security, then that
signature algorithm may require the use of a one-way hash algorithm
that also provides the same number of bits of security. SHA-224 is
intended to provide 112 bits of security, which is the generally
accepted strength of Triple-DES [3DES].

This document is intended to provide the SHA-224 specification to the
Internet community. No independent assertion of the security of this
one-way hash function is intended by the author for any particular use is
intended.
use. However, as long as SHA-256 provides the expected security,
SHA-224 will also provide its expected level of security.

6. References

6.1. Normative References

[SHA2] Federal Information Processing Standards Publication
(FIPS PUB) 180-2, Secure Hash Standard, 1 August 2002.

[STDWORDS] Bradner, S., "Key Words words for Use use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.

Housley Informational [Page 4]

RFC 3874 A 224-bit One-way Hash Function: SHA-224 September 2004

6.2. Informative References

[3DES] American National Standards Institute. ANSI X9.52-1998,
Triple Data Encryption Algorithm Modes of Operation.
1998.

[CMS] Housley, R., "Cryptographic Message Syntax (CMS)", RFC 3369, August 2002.
3852, July 2004.

[NISTGUIDE] National Institute of Standards and Technology. Second
Draft: "Key Management Guideline, Part 1: General
Guidance." June 2002.
[http://csrc.nist.gov/encryption/kms/guideline-1.pdf]

[X.208-88] CCITT Recommendation X.208: Specification of Abstract
Syntax Notation One (ASN.1). 1988.

[X.209-88] CCITT Recommendation X.209: Specification of Basic
Encoding Rules for Abstract Syntax Notation One (ASN.1).
1988.

8 Acknowledgment

7. Acknowledgments

Many thanks to Jim Schaad for generating the test vectors. A second
implementation by Brian Gladman was used to confirm that the test
vectors are correct.

8. Author's Address

Russell Housley
Vigil Security, LLC
918 Spring Knoll Drive
Herndon, VA 20170
USA

EMail: housley@vigilsec.com

Housley Informational [Page 5]

INTERNET DRAFT March

RFC 3874 A 224-bit One-way Hash Function: SHA-224 September 2004

9 Intellectual Property Rights

9. Full Copyright Statement

Copyright (C) The IETF takes no position regarding the validity or scope of any
intellectual property or other rights that might be claimed to
pertain Internet Society (2004).

This document is subject to the implementation or use of the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.

This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/S HE
REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE
INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; neither nor does it represent that it has
made any independent effort to identify any such rights. Information
on the IETF's procedures with respect to rights in standards-track and
standards-related documentation IETF Documents can
be found in BCP-11. BCP 78 and BCP 79.

Copies of
claims of rights IPR disclosures made available for publication to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementors implementers or users of this
specification can be obtained from the IETF Secretariat.

10 Author's Address

Russell Housley
Vigil Security, LLC
918 Spring Knoll Drive
Herndon, VA 20170
USA
housley@vigilsec.com

Housley [Page 6]

INTERNET DRAFT March 2004

Full Copyright Statement

This document and translations of it may be copied and furnished IETF invites any interested party to
others, and derivative works that comment on bring to its attention any
copyrights, patents or otherwise explain it patent applications, or assist in its implementation other proprietary
rights that may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided cover technology that the above copyright notice and this paragraph are
included on all such copies and derivative works. In addition, the
ASN.1 modules presented in Appendices A and B may be used in whole or
in part without inclusion of the copyright notice. However, required to implement
this
document itself may not be modified in any way, such as by removing standard. Please address the copyright notice or references information to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures IETF at ietf-
ipr@ietf.org.

Acknowledgement

Funding for
copyrights defined in the Internet Standards process shall be
followed, or as required to translate it into languages other than
English.

The limited permissions granted above are perpetual and will not be
revoked RFC Editor function is currently provided by the
Internet Society or its successors or assigns. This
document and the information contained herein is provided on an "AS
IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK
FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT
LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL
NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY
OR FITNESS FOR A PARTICULAR PURPOSE. Society.

Housley Informational [Page 7] 6]

----