Consider the following cryptographic principle: In general, prefer SHA-224 and SHA-384 over SHA-256 and SHA-512.
The latter are vulnerable to a length extension attack while the former are not. It takes thought to know when a length extension attack might be possible, so don't think: just always use 224 or 384.
The principle behind the length extension attack, that SHA-512 and SHA-256 dump their entire internal state at the end, seems potentially vulnerable to other, perhaps yet unknown, attacks.
This advice goes against conventional wisdom that says that 224 and 384 should be rarely used because they take just as long to calculate as the longer versions but provide less output.
Other than hash length, are there any known ways 224 and 384 are weaker than their longer versions?
No comments :
Post a Comment