Skip to main content

A 224-bit One-way Hash Function: SHA-224

The information below is for an old version of the document that is already published as an RFC.
Document Type
This is an older version of an Internet-Draft that was ultimately published as RFC 3874.
Author Russ Housley
Last updated 2017-10-13 (Latest revision 2004-03-31)
Replaces draft-ietf-pkix-sha244
RFC stream Internet Engineering Task Force (IETF)
Intended RFC status Informational
Additional resources Mailing list discussion
Stream WG state (None)
Document shepherd (None)
IESG IESG state Became RFC 3874 (Informational)
Action Holders
Consensus boilerplate Unknown
Telechat date (None)
Responsible AD Steven M. Bellovin
Send notices to
PKIX Working Group                                           R. Housley
Internet Draft                                           Vigil Security
Expires in six months                                        March 2004

                A 224-bit One-way Hash Function: SHA-224


Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC 2026.  Internet-Drafts are
   working documents of the Internet Engineering Task Force (IETF), its
   areas, and its working groups.  Note that other groups may also
   distribute working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at

   The list of Internet-Drafts Shadow Directories can be accessed at


   This document specifies a 224-bit one-way hash function, called
   SHA-224.  A SHA-224 is based on SHA-256, but it uses an different
   initial value and the result is truncated to 224 bits.

Housley                                                         [Page 1]
INTERNET DRAFT                                                March 2004

1  Introduction

   This document specifies a 224-bit one-way hash function, called
   SHA-224.  The National Institute of Standards and Technology (NIST)
   announced on February 28, 2004 the standard FIPS 180-2 Change Notice,
   which specifies the SHA-224 one-way hash function.  One-way hash
   functions are also known as message digests.  SHA-224 is based on
   SHA-256, the 256-bit one-way hash function already specified by NIST
   [SHA2].  Computation of a SHA-224 hash value is two steps.  First,
   the SHA-256 hash value is computed, except that a different initial
   value is used.  Second, the resulting 256-bit hash value is truncated
   to 224 bits.

   NIST is developing guidance on cryptographic key management, and NIST
   recently published a draft for comment [NISTGUIDE].  Five security
   levels are discussed in the guidance: 80, 112, 128, 192, and 256 bits
   of security.  One-way hash functions are available for all of these
   levels except one.  SHA-224 fills this void.  SHA-224 is a one-way
   hash function that provides 112 bits of security, which is the
   generally accepted strength of Triple-DES [3DES].

1.1  Usage Considerations

   Since SHA-224 is based on SHA-256, roughly the same amount of effort
   is consumed to compute a SHA-224 or a SHA-256 digest message digest
   value.  Even though SHA-224 and SHA-256 have roughly equivalent
   computational complexity, SHA-224 is an appropriate choice for a one-
   way hash function that provides 112 bits of security.  The use of a
   different initial value ensures that a truncated SHA-256 message
   digest value cannot be mistaken for a SHA-224 message digest value
   computed on the same data.

   Some usage environments are sensitive to every octet that is
   transmitted.  In these cases, the smaller (by 4 octets) message
   digest value provided by SHA-224 is important.

   These observations lead to the following guidance:

    * When selecting a suite of cryptographic algorithms that all offer
      112 bits of security strength, SHA-224 is an appropriate choice
      for one-way hash function.

    * When terseness is not a selection criteria, the use of SHA-256 as
      a preferred alternative to SHA-224.

Housley                                                         [Page 2]
INTERNET DRAFT                                                March 2004

1.2  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   document are to be interpreted as described in [STDWORDS].

2  SHA-224 Description

   SHA-224 may be used to compute a one-way hash value on a message
   whose length less than 2^64 bits.

   SHA-224 makes use of SHA-256 [SHA2].  To compute a one-way hash
   value, SHA-256 uses a message schedule of sixty-four 32-bit words,
   eight 32-bit working variables, and produces a hash value of eight
   32-bit words.

   The function is defined in the exact same manner as SHA-256, with the
   following two exceptions:

      First, for SHA-224, the initial hash value of the eight 32-bit
      working variables, collectively called H, shall consist of the
      following eight 32-bit words (in hex):

         H_0 = c1059ed8               H_4 = ffc00b31
         H_1 = 367cd507               H_5 = 68581511
         H_2 = 3070dd17               H_6 = 64f98fa7
         H_3 = f70e5939               H_7 = befa4fa4

      Second, SHA-224 simply makes use of the first seven 32-bit words
      in the SHA-256 result, discarding the remaining 32-bit word in the
      SHA-256 result.  That is, the final value of H is used as follows,
      where || denotes concatenation:

         H_0 || H_1 || H_2 || H_3 || H_4 || H_5 || H_6

3  Test Vectors

   This section includes three test vectors.  These test vectors can be
   used to test implementations of SHA-224.

Housley                                                         [Page 3]
INTERNET DRAFT                                                March 2004

3.1  Test Vector #1

   Let the message to be hashed be the 24-bit ASCII string "abc", which
   is equivalent to the following binary string:

      01100001 01100010 01100011

   The SHA-224 hash value (in hex):

      23097d22 3405d822 8642a477 bda255b3 2aadbce4 bda0b3f7 e36c9da7

3.2  Test Vector #2

   Let the message to be hashed be the 448-bit ASCII string

   The SHA-224 hash value is (in hex):

      75388b16 512776cc 5dba5da1 fd890150 b0c6455c b4f58b19 52522525

3.3  Test Vector #3

   Let the message to be hashed be the binary-coded form of the ASCII
   string which consists of 1,000,000 repetitions of the character "a".

   The SHA-224 hash value is (in hex):

      20794655 980c91d8 bbb4c1ea 97618a4b f03f4258 1948b2ee 4ee7ad67

4  Object Identifier

   NIST has assigned an ASN.1 [X.208-88, X.209-88] object identifier for
   SHA-224.  Some protocols use object identifiers to name one-way hash
   functions.  One example is CMS [CMS].  Implementations of such
   protocols that make use of SHA-224 MUST use the following object

      id-sha224  OBJECT IDENTIFIER  ::=  { joint-iso-itu-t(2)
                      country(16) us(840) organization(1) gov(101)
                      csor(3) nistalgorithm(4) hashalgs(2) sha224(4) }

5  Security Considerations

   One-way hash functions are typically used with other cryptographic
   algorithms, such as digital signature algorithms and keyed-hash
   message authentication codes, or in the generation of random values.
   When a one-way hash function is used in conjunction with another
   algorithm, there may be requirements specified elsewhere that require

Housley                                                         [Page 4]
INTERNET DRAFT                                                March 2004

   the use of a one-way hash function with a certain number of bits of
   security.  For example, if a message is being signed with a digital
   signature algorithm that provides 128 bits of security, then that
   signature algorithm may require the use of a one-way hash algorithm
   that also provides the same number of bits of security.  SHA-224 is
   intended to provide 112 bits of security, which is the generally
   accepted strength of Triple-DES [3DES].

   This document is intended to provide the SHA-224 specification to the
   Internet community.  No independent assertion of the security of this
   one-way hash function by the author for any particular use is
   intended.  However, as long as SHA-256 provides the expected
   security, SHA-224 will also provide its expected level of security.

6  Normative References

   [SHA2]     Federal Information Processing Standards Publication
              (FIPS PUB) 180-2, Secure Hash Standard, 1 August 2002.

   [STDWORDS] Bradner, S., "Key Words for Use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

7  Informative References

   [3DES]      American National Standards Institute.  ANSI X9.52-1998,
               Triple Data Encryption Algorithm Modes of Operation.

   [CMS]       Housley, R., "Cryptographic Message Syntax (CMS)",
               RFC 3369, August 2002.

   [NISTGUIDE] National Institute of Standards and Technology.  Second
               Draft: "Key Management Guideline, Part 1:  General
               Guidance."  June 2002.

   [X.208-88] CCITT Recommendation X.208: Specification of Abstract
                   Syntax Notation One (ASN.1). 1988.

   [X.209-88] CCITT Recommendation X.209: Specification of Basic
              Encoding Rules for Abstract Syntax Notation One (ASN.1).

8  Acknowledgment

   Many thanks to Jim Schaad for generating the test vectors.  A second
   implementation by Brian Gladman was used to confirm that the test
   vectors are correct.

Housley                                                         [Page 5]
INTERNET DRAFT                                                March 2004

9  Intellectual Property Rights

   The IETF takes no position regarding the validity or scope of any
   intellectual property or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; neither does it represent that it
   has made any effort to identify any such rights. Information on the
   IETF's procedures with respect to rights in standards-track and
   standards-related documentation can be found in BCP-11. Copies of
   claims of rights made available for publication and any assurances of
   licenses to be made available, or the result of an attempt made to
   obtain a general license or permission for the use of such
   proprietary rights by implementors or users of this specification can
   be obtained from the IETF Secretariat.

10  Author's Address

   Russell Housley
   Vigil Security, LLC
   918 Spring Knoll Drive
   Herndon, VA 20170

Housley                                                         [Page 6]
INTERNET DRAFT                                                March 2004

Full Copyright Statement

   Copyright (C) The Internet Society (2004). All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works.  In addition, the
   ASN.1 modules presented in Appendices A and B may be used in whole or
   in part without inclusion of the copyright notice.  However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process shall be
   followed, or as required to translate it into languages other than

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns. This
   document and the information contained herein is provided on an "AS

Housley                                                         [Page 7]