Tech-invite3GPPspaceIETFspace
96959493929190898887868584838281807978777675747372717069686766656463626160595857565554535251504948474645444342414039383736353433323130292827262524232221201918171615141312111009080706050403020100
in Index   Prev   Next

RFC 6234

US Secure Hash Algorithms (SHA and SHA-based HMAC and HKDF)

Pages: 127
Informational
Errata
Obsoletes:  4634
Updates:  3174
Part 1 of 5 – Pages 1 to 12
None   None   Next

Top   ToC   RFC6234 - Page 1
Internet Engineering Task Force (IETF)                   D. Eastlake 3rd
Request for Comments: 6234                                        Huawei
Obsoletes: 4634                                                T. Hansen
Updates: 3174                                                  AT&T Labs
Category: Informational                                         May 2011
ISSN: 2070-1721


                       US Secure Hash Algorithms
                   (SHA and SHA-based HMAC and HKDF)

Abstract

The United States of America has adopted a suite of Secure Hash Algorithms (SHAs), including four beyond SHA-1, as part of a Federal Information Processing Standard (FIPS), namely SHA-224, SHA-256, SHA-384, and SHA-512. This document makes open source code performing these SHA hash functions conveniently available to the Internet community. The sample code supports input strings of arbitrary bit length. Much of the text herein was adapted by the authors from FIPS 180-2. This document replaces RFC 4634, fixing errata and adding code for an HMAC-based extract-and-expand Key Derivation Function, HKDF (RFC 5869). As with RFC 4634, code to perform SHA-based Hashed Message Authentication Codes (HMACs) is also included. Status of This Memo This document is not an Internet Standards Track specification; it is published for informational purposes. This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are a candidate for any level of Internet Standard; see Section 2 of RFC 5741. Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc6234.
Top   ToC   RFC6234 - Page 2
Copyright Notice

   Copyright (c) 2011 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.
Top   ToC   RFC6234 - Page 3

Table of Contents

1. Overview of Contents ............................................4 2. Notation for Bit Strings and Integers ...........................5 3. Operations on Words .............................................6 4. Message Padding and Parsing .....................................8 4.1. SHA-224 and SHA-256 ........................................8 4.2. SHA-384 and SHA-512 ........................................9 5. Functions and Constants Used ...................................10 5.1. SHA-224 and SHA-256 .......................................10 5.2. SHA-384 and SHA-512 .......................................11 6. Computing the Message Digest ...................................12 6.1. SHA-224 and SHA-256 Initialization ........................12 6.2. SHA-224 and SHA-256 Processing ............................13 6.3. SHA-384 and SHA-512 Initialization ........................14 6.4. SHA-384 and SHA-512 Processing ............................15 7. HKDF- and SHA-Based HMACs ......................................17 7.1. SHA-Based HMACs ...........................................17 7.2. HKDF ......................................................17 8. C Code for SHAs, HMAC, and HKDF ................................17 8.1. The Header Files ..........................................21 8.1.1. The .h file ........................................21 8.1.2. stdint-example.h ...................................29 8.1.3. sha-private.h ......................................29 8.2. The SHA Code ..............................................30 8.2.1. sha1.c .............................................30 8.2.2. sha224-256.c .......................................39 8.2.3. sha384-512.c .......................................51 8.2.4. usha.c .............................................73 8.3. The HMAC Code .............................................79 8.4. The HKDF Code .............................................84 8.5. The Test Driver ...........................................91 9. Security Considerations .......................................123 10. Acknowledgements .............................................123 11. References ...................................................124 11.1. Normative References ....................................124 11.2. Informative References ..................................124 Appendix: Changes from RFC 4634...................................126
Top   ToC   RFC6234 - Page 4

1. Overview of Contents

This document includes specifications for the United States of America (USA) Federal Information Processing Standard (FIPS) Secure Hash Algorithms (SHAs), code to implement the SHAs, code to implement HMAC (Hashed Message Authentication Code, [RFC2104]) based on the SHAs, and code to implement HKDF (HMAC-based Key Derivation Function, [RFC5869]) based on HMAC. Specifications for HMAC and HKDF are not included as they appear elsewhere in the RFC series [RFC2104] [RFC5869]. NOTE: Much of the text below is taken from [SHS], and the assertions of the security of the hash algorithms described therein are made by the US Government, the author of [SHS], not by the listed authors of this document. See also [RFC6194] concerning the security of SHA-1. The text below specifies Secure Hash Algorithms, SHA-224 [RFC3874], SHA-256, SHA-384, and SHA-512, for computing a condensed representation of a message or a data file. (SHA-1 is specified in [RFC3174].) When a message of any length < 2^64 bits (for SHA-224 and SHA-256) or < 2^128 bits (for SHA-384 and SHA-512) is input to one of these algorithms, the result is an output called a message digest. The message digests range in length from 224 to 512 bits, depending on the algorithm. Secure Hash Algorithms are typically used with other cryptographic algorithms, such as digital signature algorithms and keyed-hash authentication codes, the generation of random numbers [RFC4086], or in key derivation functions. The algorithms specified in this document are called secure because it is computationally infeasible to (1) find a message that corresponds to a given message digest, or (2) find two different messages that produce the same message digest. Any change to a message in transit will, with very high probability, result in a different message digest. This will result in a verification failure when the Secure Hash Algorithm is used with a digital signature algorithm or a keyed-hash message authentication algorithm. The code provided herein supports input strings of arbitrary bit length. SHA-1's sample code from [RFC3174] has also been updated to handle input strings of arbitrary bit length. Permission is granted for all uses, commercial and non-commercial, of this code. This document obsoletes [RFC4634], and the changes from that RFC are summarized in the Appendix.
Top   ToC   RFC6234 - Page 5
   ASN.1 OIDs (Object Identifiers) for the SHA algorithms, taken from
   [RFC4055], are as follows:

   id-sha1  OBJECT IDENTIFIER  ::=  { iso(1)
                         identified-organization(3) oiw(14)
                         secsig(3) algorithms(2) 26 }
    id-sha224  OBJECT IDENTIFIER  ::=  {{ joint-iso-itu-t(2)
                         country(16) us(840) organization(1) gov(101)
                         csor(3) nistalgorithm(4) hashalgs(2) 4 }
    id-sha256  OBJECT IDENTIFIER  ::=  { joint-iso-itu-t(2)
                         country(16) us(840) organization(1) gov(101)
                         csor(3) nistalgorithm(4) hashalgs(2) 1 }
    id-sha384  OBJECT IDENTIFIER  ::=  { joint-iso-itu-t(2)
                         country(16) us(840) organization(1) gov(101)
                         csor(3) nistalgorithm(4) hashalgs(2) 2 }
    id-sha512  OBJECT IDENTIFIER  ::=  { joint-iso-itu-t(2)
                         country(16) us(840) organization(1) gov(101)
                         csor(3) nistalgorithm(4) hashalgs(2) 3 }

   Section 2 below defines the terminology and functions used as
   building blocks to form these algorithms.  Section 3 describes the
   fundamental operations on words from which these algorithms are
   built.  Section 4 describes how messages are padded up to an integral
   multiple of the required block size and then parsed into blocks.
   Section 5 defines the constants and the composite functions used to
   specify the hash algorithms.  Section 6 gives the actual
   specification for the SHA-224, SHA-256, SHA-384, and SHA-512
   functions.  Section 7 provides pointers to the specification of HMAC
   keyed message authentication codes and to the specification of an
   extract-and-expand key derivation function based on HMAC.

   Section 8 gives sample code for the SHA algorithms, for SHA-based
   HMACs, and for HMAC-based extract-and-expand key derivation function.

2. Notation for Bit Strings and Integers

The following terminology related to bit strings and integers will be used: a. A hex digit is an element of the set {0, 1, ... , 9, A, ... , F}. A hex digit is the representation of a 4-bit string. Examples: 7 = 0111, A = 1010. b. A word equals a 32-bit or 64-bit string that may be represented as a sequence of 8 or 16 hex digits, respectively. To convert a word to hex digits, each 4-bit string is converted to its hex equivalent as described in (a) above. Example:
Top   ToC   RFC6234 - Page 6
         1010 0001 0000 0011 1111 1110 0010 0011 = A103FE23.

      Throughout this document, the "big-endian" convention is used when
      expressing both 32-bit and 64-bit words, so that within each word
      the most significant bit is shown in the leftmost bit position.

      c. An integer may be represented as a word or pair of words.

      An integer between 0 and 2^32 - 1 inclusive may be represented as
      a 32-bit word.  The least significant four bits of the integer are
      represented by the rightmost hex digit of the word representation.
      Example: the integer 291 = 2^8+2^5+2^1+2^0 = 256+32+2+1 is
      represented by the hex word 00000123.

      The same holds true for an integer between 0 and 2^64-1 inclusive,
      which may be represented as a 64-bit word.

      If Z is an integer, 0 <= z < 2^64, then z = (2^32)x + y where
      0 <= x < 2^32 and 0 <= y < 2^32.  Since x and y can be represented
      as words X and Y, respectively, z can be represented as the pair
      of words (X,Y).

      Again, the "big-endian" convention is used and the most
      significant word is in the leftmost word position for values
      represented by multiple-words.

      d. block = 512-bit or 1024-bit string.  A block (e.g., B) may be
      represented as a sequence of 32-bit or 64-bit words.

3. Operations on Words

The following logical operators will be applied to words in all four hash operations specified herein. SHA-224 and SHA-256 operate on 32-bit words while SHA-384 and SHA-512 operate on 64-bit words. In the operations below, x<<n is obtained as follows: discard the leftmost n bits of x and then pad the result with n zeroed bits on the right (the result will still be the same number of bits). Similarly, x>>n is obtained as follows: discard the rightmost n bits of x and then prepend the result with n zeroed bits on the left (the result will still be the same number of bits). a. Bitwise logical word operations X AND Y = bitwise logical "and" of X and Y. X OR Y = bitwise logical "inclusive-or" of X and Y.
Top   ToC   RFC6234 - Page 7
         X XOR Y  =  bitwise logical "exclusive-or" of X and Y.

         NOT X    =  bitwise logical "complement" of X.

         Example:
                  01101100101110011101001001111011
            XOR   01100101110000010110100110110111
                  --------------------------------
              =   00001001011110001011101111001100

   b. The operation X + Y is defined as follows: words X and Y represent
      w-bit integers x and y, where 0 <= x < 2^w and 0 <= y < 2^w.  For
      positive integers n and m, let

         n mod m

      be the remainder upon dividing n by m.  Compute

         z  =  (x + y) mod 2^w.

      Then 0 <= z < 2^w.  Convert z to a word, Z, and define Z = X + Y.

   c. The right shift operation SHR^n(x), where x is a w-bit word and n
      is an integer with 0 <= n < w, is defined by

         SHR^n(x) = x>>n

   d. The rotate right (circular right shift) operation ROTR^n(x), where
      x is a w-bit word and n is an integer with 0 <= n < w, is defined
      by

         ROTR^n(x) = (x>>n) OR (x<<(w-n))

   e. The rotate left (circular left shift) operation ROTL^n(x), where x
      is a w-bit word and n is an integer with 0 <= n < w, is defined by

         ROTL^n(X) = (x<<n) OR (x>>(w-n))

      Note the following equivalence relationships, where w is fixed in
      each relationship:

         ROTL^n(x) = ROTR^(w-n)(x)

         ROTR^n(x) = ROTL^(w-n)(x)
Top   ToC   RFC6234 - Page 8

4. Message Padding and Parsing

The hash functions specified herein are used to compute a message digest for a message or data file that is provided as input. The message or data file should be considered to be a bit string. The length of the message is the number of bits in the message (the empty message has length 0). If the number of bits in a message is a multiple of 8, for compactness we can represent the message in hex. The purpose of message padding is to make the total length of a padded message a multiple of 512 for SHA-224 and SHA-256 or a multiple of 1024 for SHA-384 and SHA-512. The following specifies how this padding shall be performed. As a summary, a "1" followed by m "0"s followed by a 64-bit or 128-bit integer are appended to the end of the message to produce a padded message of length 512*n or 1024*n. The appended integer is the length of the original message. The padded message is then processed by the hash function as n 512-bit or 1024-bit blocks.

4.1. SHA-224 and SHA-256

Suppose a message has length L < 2^64. Before it is input to the hash function, the message is padded on the right as follows: a. "1" is appended. Example: if the original message is "01010000", this is padded to "010100001". b. K "0"s are appended where K is the smallest, non-negative solution to the equation ( L + 1 + K ) mod 512 = 448 c. Then append the 64-bit block that is L in binary representation. After appending this block, the length of the message will be a multiple of 512 bits. Example: Suppose the original message is the bit string 01100001 01100010 01100011 01100100 01100101 After step (a) this gives 01100001 01100010 01100011 01100100 01100101 1
Top   ToC   RFC6234 - Page 9
      Since L = 40, the number of bits in the above is 41 and K = 407
      "0"s are appended, making the total now 448.  This gives the
      following in hex:

         61626364 65800000 00000000 00000000
         00000000 00000000 00000000 00000000
         00000000 00000000 00000000 00000000
         00000000 00000000

      The 64-bit representation of L = 40 is hex 00000000 00000028.
      Hence the final padded message is the following hex

         61626364 65800000 00000000 00000000
         00000000 00000000 00000000 00000000
         00000000 00000000 00000000 00000000
         00000000 00000000 00000000 00000028

4.2. SHA-384 and SHA-512

Suppose a message has length L < 2^128. Before it is input to the hash function, the message is padded on the right as follows: a. "1" is appended. Example: if the original message is "01010000", this is padded to "010100001". b. K "0"s are appended where K is the smallest, non-negative solution to the equation ( L + 1 + K ) mod 1024 = 896 c. Then append the 128-bit block that is L in binary representation. After appending this block, the length of the message will be a multiple of 1024 bits. Example: Suppose the original message is the bit string 01100001 01100010 01100011 01100100 01100101 After step (a) this gives 01100001 01100010 01100011 01100100 01100101 1
Top   ToC   RFC6234 - Page 10
      Since L = 40, the number of bits in the above is 41 and K = 855
      "0"s are appended, making the total now 896.  This gives the
      following in hex:

         61626364 65800000 00000000 00000000
         00000000 00000000 00000000 00000000
         00000000 00000000 00000000 00000000
         00000000 00000000 00000000 00000000
         00000000 00000000 00000000 00000000
         00000000 00000000 00000000 00000000
         00000000 00000000 00000000 00000000

      The 128-bit representation of L = 40 is hex 00000000 00000000
      00000000 00000028.  Hence the final padded message is the
      following hex:

         61626364 65800000 00000000 00000000
         00000000 00000000 00000000 00000000
         00000000 00000000 00000000 00000000
         00000000 00000000 00000000 00000000
         00000000 00000000 00000000 00000000
         00000000 00000000 00000000 00000000
         00000000 00000000 00000000 00000000
         00000000 00000000 00000000 00000028

5. Functions and Constants Used

The following subsections give the six logical functions and the table of constants used in each of the hash functions.

5.1. SHA-224 and SHA-256

SHA-224 and SHA-256 use six logical functions, where each function operates on 32-bit words, which are represented as x, y, and z. The result of each function is a new 32-bit word. CH( x, y, z) = (x AND y) XOR ( (NOT x) AND z) MAJ( x, y, z) = (x AND y) XOR (x AND z) XOR (y AND z) BSIG0(x) = ROTR^2(x) XOR ROTR^13(x) XOR ROTR^22(x) BSIG1(x) = ROTR^6(x) XOR ROTR^11(x) XOR ROTR^25(x) SSIG0(x) = ROTR^7(x) XOR ROTR^18(x) XOR SHR^3(x) SSIG1(x) = ROTR^17(x) XOR ROTR^19(x) XOR SHR^10(x)
Top   ToC   RFC6234 - Page 11
   SHA-224 and SHA-256 use the same sequence of sixty-four constant
   32-bit words, K0, K1, ..., K63.  These words represent the first 32
   bits of the fractional parts of the cube roots of the first sixty-
   four prime numbers.  In hex, these constant words are as follows
   (from left to right):

      428a2f98 71374491 b5c0fbcf e9b5dba5
      3956c25b 59f111f1 923f82a4 ab1c5ed5
      d807aa98 12835b01 243185be 550c7dc3
      72be5d74 80deb1fe 9bdc06a7 c19bf174
      e49b69c1 efbe4786 0fc19dc6 240ca1cc
      2de92c6f 4a7484aa 5cb0a9dc 76f988da
      983e5152 a831c66d b00327c8 bf597fc7
      c6e00bf3 d5a79147 06ca6351 14292967
      27b70a85 2e1b2138 4d2c6dfc 53380d13
      650a7354 766a0abb 81c2c92e 92722c85
      a2bfe8a1 a81a664b c24b8b70 c76c51a3
      d192e819 d6990624 f40e3585 106aa070
      19a4c116 1e376c08 2748774c 34b0bcb5
      391c0cb3 4ed8aa4a 5b9cca4f 682e6ff3
      748f82ee 78a5636f 84c87814 8cc70208
      90befffa a4506ceb bef9a3f7 c67178f2

5.2. SHA-384 and SHA-512

SHA-384 and SHA-512 each use six logical functions, where each function operates on 64-bit words, which are represented as x, y, and z. The result of each function is a new 64-bit word. CH( x, y, z) = (x AND y) XOR ( (NOT x) AND z) MAJ( x, y, z) = (x AND y) XOR (x AND z) XOR (y AND z) BSIG0(x) = ROTR^28(x) XOR ROTR^34(x) XOR ROTR^39(x) BSIG1(x) = ROTR^14(x) XOR ROTR^18(x) XOR ROTR^41(x) SSIG0(x) = ROTR^1(x) XOR ROTR^8(x) XOR SHR^7(x) SSIG1(x) = ROTR^19(x) XOR ROTR^61(x) XOR SHR^6(x) SHA-384 and SHA-512 use the same sequence of eighty constant 64-bit words, K0, K1, ... K79. These words represent the first 64 bits of the fractional parts of the cube roots of the first eighty prime numbers. In hex, these constant words are as follows (from left to right):
Top   ToC   RFC6234 - Page 12
   428a2f98d728ae22 7137449123ef65cd b5c0fbcfec4d3b2f e9b5dba58189dbbc
   3956c25bf348b538 59f111f1b605d019 923f82a4af194f9b ab1c5ed5da6d8118
   d807aa98a3030242 12835b0145706fbe 243185be4ee4b28c 550c7dc3d5ffb4e2
   72be5d74f27b896f 80deb1fe3b1696b1 9bdc06a725c71235 c19bf174cf692694
   e49b69c19ef14ad2 efbe4786384f25e3 0fc19dc68b8cd5b5 240ca1cc77ac9c65
   2de92c6f592b0275 4a7484aa6ea6e483 5cb0a9dcbd41fbd4 76f988da831153b5
   983e5152ee66dfab a831c66d2db43210 b00327c898fb213f bf597fc7beef0ee4
   c6e00bf33da88fc2 d5a79147930aa725 06ca6351e003826f 142929670a0e6e70
   27b70a8546d22ffc 2e1b21385c26c926 4d2c6dfc5ac42aed 53380d139d95b3df
   650a73548baf63de 766a0abb3c77b2a8 81c2c92e47edaee6 92722c851482353b
   a2bfe8a14cf10364 a81a664bbc423001 c24b8b70d0f89791 c76c51a30654be30
   d192e819d6ef5218 d69906245565a910 f40e35855771202a 106aa07032bbd1b8
   19a4c116b8d2d0c8 1e376c085141ab53 2748774cdf8eeb99 34b0bcb5e19b48a8
   391c0cb3c5c95a63 4ed8aa4ae3418acb 5b9cca4f7763e373 682e6ff3d6b2b8a3
   748f82ee5defb2fc 78a5636f43172f60 84c87814a1f0ab72 8cc702081a6439ec
   90befffa23631e28 a4506cebde82bde9 bef9a3f7b2c67915 c67178f2e372532b
   ca273eceea26619c d186b8c721c0c207 eada7dd6cde0eb1e f57d4f7fee6ed178
   06f067aa72176fba 0a637dc5a2c898a6 113f9804bef90dae 1b710b35131c471b
   28db77f523047d84 32caab7b40c72493 3c9ebe0a15c9bebc 431d67c49c100d4c
   4cc5d4becb3e42b6 597f299cfc657e2a 5fcb6fab3ad6faec 6c44198c4a475817



(page 12 continued on part 2)

Next Section