Facebook 将使用哪种 SHA-2 函数?

Which SHA-2 function will Facebook use?

我了解到 Facebook 将于 2015 年 10 月 1 日从 SHA-1 迁移到 SHA-2,我们必须更新我们的应用程序:https://developers.facebook.com/blog/post/2015/06/02/SHA-2-Updates-Needed/

你知道它会用到SHA-2的哪个函数吗?

我读到有几个(224、256、384 或 512),其中一个 (SHA-224) 不适用于我使用的 Windows XP SP3 (http://blogs.msdn.com/b/alejacma/archive/2009/01/23/sha-2-support-on-windows-xp.aspx )

您不必太在意,因为 SHA-224 的使用非常有限。

在此 CBroe中指出了一个重要的评论:

That blog post is about SSL connections when your app is making API requests. This is not about anything you do with data within your app, it is about the transport layer.

根据 https://crypto.stackexchange.com/questions/15151/sha-224-purpose

回答者Ilmari Karonen

Honestly, in practice, there are very few if any reasons to use SHA-224.

As fgrieu notes, SHA-224 is simply SHA-256 with a different IV and with 32 of the output bits thrown away. For most purposes, if you want a hash with more than 128 but less than 256 bits, simply using SHA-256 and truncating the output yourself to the desired bit length is simpler and just as efficient as using SHA-224. As you observe, SHA-256 is also more likely to be available on different platforms than SHA-224, making it the better choice for portability.

Why would you ever want to use SHA-224, then?

The obvious use case is if you need to implement an existing protocol that specifies the use of SHA-224 hashes. While, for the reasons described above, it's not a very common choice, I'm sure such protocols do exist.

Also, a minor advantage of SHA-224 over truncated SHA-256 is that, due to the different IV, knowing the SHA-224 hash of a given message does not reveal anything useful about its SHA-256 hash, or vice versa. This is really more of an "idiot-proofing" feature; since the two hashes have different names, careless users might assume that their outputs have nothing in common, so NIST changed the IV to ensure that this is indeed the case.

However, this isn't really something you should generally rely on. If you really need to compute multiple unrelated hashes of the same input string, what you probably want instead is a keyed PRF like HMAC, which can be instantiated using any common hash function (such as SHA-256).

如您所述,Windows SP3 XP 不支持 SHA-224,但支持 SHA-256

同时检查:https://security.stackexchange.com/questions/1751/what-are-the-realistic-and-most-secure-crypto-for-symmetric-asymmetric-hash

特别是:

并且:https://security.stackexchange.com/a/1755

Thomas Pornin 的部分回答:

ECDSA over a 256-bit curve already achieves an "unbreakable" level of security (i.e. roughly the same level than AES with a 128-bit key, or SHA-256 against collisions). Note that there are elliptic curves on prime fields, and curves on binary fields; which kind is most efficient depends on the involved hardware (for curves of similar size, a PC will prefer the curves on a prime field, but dedicated hardware will be easier to build with binary fields; the CLMUL instructions on the newer Intel and AMD processors may change that).

SHA-512 uses 64-bit operations. This is fast on a PC, not so fast on a smartcard. SHA-256 is often a better deal on small hardware (including 32-bit architectures such as home routers or smartphones)