1. Overview of Contents
This document includes specifications for the United States of America (USA) Federal Information Processing Standard (FIPS) Secure Hash Algorithms (SHAs), code to implement the SHAs, code to implement HMAC (Hashed Message Authentication Code, [RFC2104]) based on the SHAs, and code to implement HKDF (HMAC-based Key Derivation Function, [RFC5869]) based on HMAC. Specifications for HMAC and HKDF are not included as they appear elsewhere in the RFC series [RFC2104] [RFC5869].
NOTE: Much of the text below is taken from [SHS], and the assertions of the security of the hash algorithms described therein are made by the US Government, the author of [SHS], not by the listed authors of this document. See also [RFC6194] concerning the security of SHA-1.
The text below specifies Secure Hash Algorithms, SHA-224 [RFC3874], SHA-256, SHA-384, and SHA-512, for computing a condensed representation of a message or a data file. (SHA-1 is specified in [RFC3174].) When a message of any length < 2^64 bits (for SHA-224 and SHA-256) or < 2^128 bits (for SHA-384 and SHA-512) is input to one of these algorithms, the result is an output called a message digest. The message digests range in length from 224 to 512 bits, depending on the algorithm. Secure Hash Algorithms are typically used with other cryptographic algorithms, such as digital signature algorithms and keyed-hash authentication codes, the generation of random numbers [RFC4086], or in key derivation functions.
The algorithms specified in this document are called secure because it is computationally infeasible to (1) find a message that corresponds to a given message digest, or (2) find two different messages that produce the same message digest. Any change to a message in transit will, with very high probability, result in a different message digest. This will result in a verification failure when the Secure Hash Algorithm is used with a digital signature algorithm or a keyed-hash message authentication algorithm.
The code provided herein supports input strings of arbitrary bit length. SHA-1's sample code from [RFC3174] has also been updated to handle input strings of arbitrary bit length. Permission is granted for all uses, commercial and non-commercial, of this code.
This document obsoletes [RFC4634], and the changes from that RFC are summarized in the Appendix.
ASN.1 OIDs (Object Identifiers) for the SHA algorithms, taken from [RFC4055], are as follows:
id-sha1 OBJECT IDENTIFIER ::= { iso(1)
identified-organization(3) oiw(14)
secsig(3) algorithms(2) 26 }
id-sha224 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2)
country(16) us(840) organization(1) gov(101)
csor(3) nistalgorithm(4) hashalgs(2) 4 }
id-sha256 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2)
country(16) us(840) organization(1) gov(101)
csor(3) nistalgorithm(4) hashalgs(2) 1 }
id-sha384 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2)
country(16) us(840) organization(1) gov(101)
csor(3) nistalgorithm(4) hashalgs(2) 2 }
id-sha512 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2)
country(16) us(840) organization(1) gov(101)
csor(3) nistalgorithm(4) hashalgs(2) 3 }
Section 2 below defines the terminology and functions used as building blocks to form these algorithms. Section 3 describes the fundamental operations on words from which these algorithms are built. Section 4 describes how messages are padded up to an integral multiple of the required block size and then parsed into blocks. Section 5 defines the constants and the composite functions used to specify the hash algorithms. Section 6 gives the actual specification for the SHA-224, SHA-256, SHA-384, and SHA-512 functions. Section 7 provides pointers to the specification of HMAC keyed message authentication codes and to the specification of an extract-and-expand key derivation function based on HMAC.
Section 8 gives sample code for the SHA algorithms, for SHA-based HMACs, and for HMAC-based extract-and-expand key derivation function.