| draft-ietf-pkix-sha224-00.txt | draft-ietf-pkix-sha224-01.txt |
|---|---|
| PKIX Working Group R. Housley | PKIX Working Group R. Housley |
| Internet Draft Vigil Security | Internet Draft Vigil Security |
| Expires in six months December 2003 | Expires in six months March 2004 |
| A 224-bit One-way Hash Function: SHA-224 | A 224-bit One-way Hash Function: SHA-224 |
| <draft-ietf-pkix-sha224-00.txt> | <draft-ietf-pkix-sha224-01.txt> |
| Status of this Memo | Status of this Memo |
| This document is an Internet-Draft and is in full conformance with | This document is an Internet-Draft and is in full conformance with |
| all provisions of Section 10 of RFC 2026. Internet-Drafts are | all provisions of Section 10 of RFC 2026. Internet-Drafts are |
| working documents of the Internet Engineering Task Force (IETF), its | working documents of the Internet Engineering Task Force (IETF), its |
| areas, and its working groups. Note that other groups may also | areas, and its working groups. Note that other groups may also |
| distribute working documents as Internet-Drafts. | distribute working documents as Internet-Drafts. |
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months |
| skipping to change at page 2, line 8 | skipping to change at page 2, line 8 |
| Abstract | Abstract |
| This document specifies a 224-bit one-way hash function, called | This document specifies a 224-bit one-way hash function, called |
| SHA-224. A SHA-224 is based on SHA-256, but it uses an different | SHA-224. A SHA-224 is based on SHA-256, but it uses an different |
| initial value and the result is truncated to 224 bits. | initial value and the result is truncated to 224 bits. |
| 1 Introduction | 1 Introduction |
| This document specifies a 224-bit one-way hash function, called | This document specifies a 224-bit one-way hash function, called |
| SHA-224. One-way hash functions are also known as message digests. | SHA-224. The National Institute of Standards and Technology (NIST) |
| SHA-224 is based on SHA-256, the 256-bit one-way hash function | announced on February 28, 2004 the standard FIPS 180-2 Change Notice, |
| already specified by the National Institute of Standards and | which specifies the SHA-224 one-way hash function. One-way hash |
| Technology (NIST) [SHA2]. Computation of a SHA-224 hash value is two | functions are also known as message digests. SHA-224 is based on |
| steps. First, the SHA-256 hash value is computed, except that a | SHA-256, the 256-bit one-way hash function already specified by NIST |
| different initial value is used. Second, the resulting 256-bit hash | [SHA2]. Computation of a SHA-224 hash value is two steps. First, |
| value is truncated to 224 bits. | the SHA-256 hash value is computed, except that a different initial |
| | value is used. Second, the resulting 256-bit hash value is truncated |
| | to 224 bits. |
| NIST is developing guidance on cryptographic key management, and NIST | NIST is developing guidance on cryptographic key management, and NIST |
| recently published a draft for comment [NISTGUIDE]. Five security | recently published a draft for comment [NISTGUIDE]. Five security |
| levels are discussed in the guidance: 80, 112, 128, 192, and 256 bits | levels are discussed in the guidance: 80, 112, 128, 192, and 256 bits |
| of security. One-way hash functions are available for all of these | of security. One-way hash functions are available for all of these |
| levels except one. SHA-224 fills this void. SHA-224 is a one-way | levels except one. SHA-224 fills this void. SHA-224 is a one-way |
| hash function that provides 112 bits of security, which is the | hash function that provides 112 bits of security, which is the |
| generally accepted strength of Triple-DES [3DES]. | generally accepted strength of Triple-DES [3DES]. |
| 1.1 Terminology | 1.1 Usage Considerations |
| | Since SHA-224 is based on SHA-256, roughly the same amount of effort |
| | is consumed to compute a SHA-224 or a SHA-256 digest message digest |
| | value. Even though SHA-224 and SHA-256 have roughly equivalent |
| | computational complexity, SHA-224 is an appropriate choice for a one- |
| | way hash function that provides 112 bits of security. The use of a |
| | different initial value ensures that a truncated SHA-256 message |
| | digest value cannot be mistaken for a SHA-224 message digest value |
| | computed on the same data. |
| | Some usage environments are sensitive to every octet that is |
| | transmitted. In these cases, the smaller (by 4 octets) message |
| | digest value provided by SHA-224 is important. |
| | These observations lead to the following guidance: |
| | * When selecting a suite of cryptographic algorithms that all offer |
| | 112 bits of security strength, SHA-224 is an appropriate choice |
| | for one-way hash function. |
| | * When terseness is not a selection criteria, the use of SHA-256 as |
| | a preferred alternative to SHA-224. |
| | 1.2 Terminology |
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", |
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this |
| document are to be interpreted as described in [STDWORDS]. | document are to be interpreted as described in [STDWORDS]. |
| 2 SHA-224 Description | 2 SHA-224 Description |
| SHA-224 may be used to compute a one-way hash value on a message | SHA-224 may be used to compute a one-way hash value on a message |
| whose length less than 2^64 bits. | whose length less than 2^64 bits. |
| skipping to change at page 4, line 14 | skipping to change at page 4, line 43 |
| 4 Object Identifier | 4 Object Identifier |
| NIST has assigned an ASN.1 [X.208-88, X.209-88] object identifier for | NIST has assigned an ASN.1 [X.208-88, X.209-88] object identifier for |
| SHA-224. Some protocols use object identifiers to name one-way hash | SHA-224. Some protocols use object identifiers to name one-way hash |
| functions. One example is CMS [CMS]. Implementations of such | functions. One example is CMS [CMS]. Implementations of such |
| protocols that make use of SHA-224 MUST use the following object | protocols that make use of SHA-224 MUST use the following object |
| identifier. | identifier. |
| id-sha224 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) | id-sha224 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) |
| country(16) us(840) organization(1) gov(101) | country(16) us(840) organization(1) gov(101) |
| csor(3) nistalgorithm(4) hashalgs(2) sha224(4) } | csor(3) nistalgorithm(4) hashalgs(2) sha224(4) } |
| 5 Normative References | 5 Security Considerations |
| | One-way hash functions are typically used with other cryptographic |
| | algorithms, such as digital signature algorithms and keyed-hash |
| | message authentication codes, or in the generation of random values. |
| | When a one-way hash function is used in conjunction with another |
| | algorithm, there may be requirements specified elsewhere that require |
| | the use of a one-way hash function with a certain number of bits of |
| | security. For example, if a message is being signed with a digital |
| | signature algorithm that provides 128 bits of security, then that |
| | signature algorithm may require the use of a one-way hash algorithm |
| | that also provides the same number of bits of security. SHA-224 is |
| | intended to provide 112 bits of security, which is the generally |
| | accepted strength of Triple-DES [3DES]. |
| | This document is intended to provide the SHA-224 specification to the |
| | Internet community. No independent assertion of the security of this |
| | one-way hash function by the author for any particular use is |
| | intended. However, as long as SHA-256 provides the expected |
| | security, SHA-224 will also provide its expected level of security. |
| | 6 Normative References |
| [SHA2] Federal Information Processing Standards Publication | [SHA2] Federal Information Processing Standards Publication |
| (FIPS PUB) 180-2, Secure Hash Standard, 1 August 2002. | (FIPS PUB) 180-2, Secure Hash Standard, 1 August 2002. |
| [STDWORDS] Bradner, S., "Key Words for Use in RFCs to Indicate | [STDWORDS] Bradner, S., "Key Words for Use in RFCs to Indicate |
| Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. |
| 6 Informative References | 7 Informative References |
| [3DES] American National Standards Institute. ANSI X9.52-1998, | [3DES] American National Standards Institute. ANSI X9.52-1998, |
| Triple Data Encryption Algorithm Modes of Operation. | Triple Data Encryption Algorithm Modes of Operation. |
| 1998. | 1998. |
| [CMS] Housley, R., "Cryptographic Message Syntax (CMS)", | [CMS] Housley, R., "Cryptographic Message Syntax (CMS)", |
| RFC 3369, August 2002. | RFC 3369, August 2002. |
| [NISTGUIDE] National Institute of Standards and Technology. Second | [NISTGUIDE] National Institute of Standards and Technology. Second |
| Draft: "Key Management Guideline, Part 1: General | Draft: "Key Management Guideline, Part 1: General |
| Guidance." June 2002. | Guidance." June 2002. |
| [http://csrc.nist.gov/encryption/kms/guideline-1.pdf] | [http://csrc.nist.gov/encryption/kms/guideline-1.pdf] |
| [X.208-88] CCITT Recommendation X.208: Specification of Abstract | [X.208-88] CCITT Recommendation X.208: Specification of Abstract |
| Syntax Notation One (ASN.1). 1988. | Syntax Notation One (ASN.1). 1988. |
| [X.209-88] CCITT Recommendation X.209: Specification of Basic | [X.209-88] CCITT Recommendation X.209: Specification of Basic |
| Encoding Rules for Abstract Syntax Notation One (ASN.1). | Encoding Rules for Abstract Syntax Notation One (ASN.1). |
| 1988. | 1988. |
| 7 Security Considerations | 8 Acknowledgment |
| One-way hash functions are typically used with other cryptographic | |
| algorithms, such as digital signature algorithms and keyed-hash | |
| message authentication codes, or in the generation of random values. | |
| When a one-way hash function is used in conjunction with another | |
| algorithm, there may be requirements specified elsewhere that require | |
| the use of a one-way hash function with a certain number of bits of | |
| security. For example, if a message is being signed with a digital | |
| signature algorithm that provides 128 bits of security, then that | |
| signature algorithm may require the use of a one-way hash algorithm | |
| that also provides the same number of bits of security. SHA-224 is | |
| intended to provide 112 bits of security, which is the generally | |
| accepted strength of Triple-DES [3DES]. | |
| This document is intended to provide the SHA-224 specification to the | Many thanks to Jim Schaad for generating the test vectors. A second |
| Internet community. No independent assertion of the security of this | implementation by Brian Gladman was used to confirm that the test |
| one-way hash function by the author for any particular use is | vectors are correct. |
| intended. However, as long as SHA-256 provides the expected | |
| security, SHA-224 will also provide its expected level of security. | |
| 8 Intellectual Property Rights | 9 Intellectual Property Rights |
| The IETF takes no position regarding the validity or scope of any | The IETF takes no position regarding the validity or scope of any |
| intellectual property or other rights that might be claimed to | intellectual property or other rights that might be claimed to |
| pertain to the implementation or use of the technology described in | pertain to the implementation or use of the technology described in |
| this document or the extent to which any license under such rights | this document or the extent to which any license under such rights |
| might or might not be available; neither does it represent that it | might or might not be available; neither does it represent that it |
| has made any effort to identify any such rights. Information on the | has made any effort to identify any such rights. Information on the |
| IETF's procedures with respect to rights in standards-track and | IETF's procedures with respect to rights in standards-track and |
| standards-related documentation can be found in BCP-11. Copies of | standards-related documentation can be found in BCP-11. Copies of |
| claims of rights made available for publication and any assurances of | claims of rights made available for publication and any assurances of |
| licenses to be made available, or the result of an attempt made to | licenses to be made available, or the result of an attempt made to |
| obtain a general license or permission for the use of such | obtain a general license or permission for the use of such |
| proprietary rights by implementors or users of this specification can | proprietary rights by implementors or users of this specification can |
| be obtained from the IETF Secretariat. | be obtained from the IETF Secretariat. |
| 7 Acknowledgment | 10 Author's Address |
| Many thanks to Jim Schaad for generating the test vectors. | |
| 8 Author's Address | |
| Russell Housley | Russell Housley |
| Vigil Security, LLC | Vigil Security, LLC |
| 918 Spring Knoll Drive | 918 Spring Knoll Drive |
| Herndon, VA 20170 | Herndon, VA 20170 |
| USA | USA |
| housley@vigilsec.com | housley@vigilsec.com |
| Full Copyright Statement | Full Copyright Statement |
| Copyright (C) The Internet Society (2003). All Rights Reserved. | Copyright (C) The Internet Society (2004). All Rights Reserved. |
| This document and translations of it may be copied and furnished to | This document and translations of it may be copied and furnished to |
| others, and derivative works that comment on or otherwise explain it | others, and derivative works that comment on or otherwise explain it |
| or assist in its implementation may be prepared, copied, published | or assist in its implementation may be prepared, copied, published |
| and distributed, in whole or in part, without restriction of any | and distributed, in whole or in part, without restriction of any |
| kind, provided that the above copyright notice and this paragraph are | kind, provided that the above copyright notice and this paragraph are |
| included on all such copies and derivative works. In addition, the | included on all such copies and derivative works. In addition, the |
| ASN.1 modules presented in Appendices A and B may be used in whole or | ASN.1 modules presented in Appendices A and B may be used in whole or |
| in part without inclusion of the copyright notice. However, this | in part without inclusion of the copyright notice. However, this |
| document itself may not be modified in any way, such as by removing | document itself may not be modified in any way, such as by removing |

End of changes. 12 change blocks. 40 lines changed or deleted, 68 lines changed or added.
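Section 1 of both drafts describes SHA-224 as the SHA-256 computation run from a different initial value and truncated to 224 bits, and the new section 1.1 says that distinct initial value keeps a truncated SHA-256 digest from being mistaken for a SHA-224 digest. The following Python is an added example written for this page, not code from either draft or from NIST: it derives the SHA-256 round constants and both initial values from the FIPS 180-2 prime-root rule (the SHA-224 values being the second 32 fractional bits of the square roots of the 9th through 16th primes is the Change Notice's definition and an assumption here, since this page only says "a different initial value"), runs the SHA-256 computation from the SHA-224 initial value, truncates the result, and cross-checks it against hashlib.

```python
import hashlib, math, struct
MASK = 0xFFFFFFFF
P = [n for n in range(2, 312) if all(n % d for d in range(2, n))]   # the first 64 primes

def icbrt(n):
    """Exact integer floor cube root (Newton's method, no floating point)."""
    x = 1 << -(-n.bit_length() // 3)          # 2^ceil(bits/3) >= cbrt(n), so we descend to the floor
    while True:
        y = (2 * x + n // (x * x)) // 3
        if y >= x:
            return x
        x = y

# Round constants: first 32 fractional bits of the cube roots of the first 64 primes.
K = [icbrt(p << 96) & MASK for p in P]
# SHA-256 IV: first 32 fractional bits of the square roots of the first 8 primes.
IV256 = [math.isqrt(p << 64) & MASK for p in P[:8]]
# SHA-224 IV (FIPS 180-2 Change Notice, assumed here): second 32 fractional bits of sqrt of primes 9..16.
IV224 = [math.isqrt(p << 128) & MASK for p in P[8:16]]

def rotr(x, n): return ((x >> n) | (x << (32 - n))) & MASK

def sha256_core(msg, iv):
    """FIPS 180-2 SHA-256 padding and compression started from iv; returns the 8 state words."""
    h = list(iv)
    msg += b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack(">Q", 8 * len(msg))
    for off in range(0, len(msg), 64):
        w = list(struct.unpack(">16L", msg[off:off + 64]))
        for i in range(16, 64):
            s0 = rotr(w[i - 15], 7) ^ rotr(w[i - 15], 18) ^ (w[i - 15] >> 3)
            s1 = rotr(w[i - 2], 17) ^ rotr(w[i - 2], 19) ^ (w[i - 2] >> 10)
            w.append((w[i - 16] + s0 + w[i - 7] + s1) & MASK)
        a, b, c, d, e, f, g, hh = h
        for i in range(64):
            t1 = (hh + (rotr(e, 6) ^ rotr(e, 11) ^ rotr(e, 25)) + ((e & f) ^ (~e & g)) + K[i] + w[i]) & MASK
            t2 = ((rotr(a, 2) ^ rotr(a, 13) ^ rotr(a, 22)) + ((a & b) ^ (a & c) ^ (b & c))) & MASK
            a, b, c, d, e, f, g, hh = (t1 + t2) & MASK, a, b, c, (d + t1) & MASK, e, f, g
        h = [(x + y) & MASK for x, y in zip(h, (a, b, c, d, e, f, g, hh))]
    return h

def sha224(msg):
    """Step 1: the SHA-256 computation from the SHA-224 IV.  Step 2: truncate to 224 bits."""
    return struct.pack(">8L", *sha256_core(msg, IV224))[:28]

def truncated_sha256(msg):   # plain SHA-256 cut to 28 octets: NOT SHA-224, because the IV differs
    return struct.pack(">8L", *sha256_core(msg, IV256))[:28]

def matches_hashlib(msg):
    """Cross-check against the standard library and against the truncated-SHA-256 confusion."""
    return sha224(msg) == hashlib.sha224(msg).digest() and sha224(msg) != truncated_sha256(msg)
```

matches_hashlib(b"abc") returns True: the from-scratch digest agrees with hashlib.sha224, while the same 28-octet truncation of plain SHA-256 yields a different value, which is the property section 1.1 relies on.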
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||