Unkeyed cryptographic
SHA-224
A 224-bit hash function in the SHA-2 family, standardized by NIST alongside SHA-256 in FIPS 180-2 (2004). SHA-224 is SHA-256 with a different initial hash value, truncated to 224 bits. The truncation makes it immune to length extension: the dropped 32 bits are exactly what an attacker would need.
At a glance
| Output | 224 bits (28 bytes, 56 hex chars) |
|---|---|
| Block size | 512 bits |
| Rounds | 64 |
| Standard | NIST FIPS 180-4 |
| Collision security | 2^112 generic |
| Length extension | No (truncated) |
| Status | Recommended for new designs in 112-bit-security regimes |
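The construction described above, as an added example (not code from this page or from NIST): one SHA-2 32-bit core run with either initial hash value and checked against Python's `hashlib`. The helper names and the sample message are constructed for illustration; `sha224` also returns the eighth word of the final chaining state, which the 28-byte digest never exposes and which resuming the hash from a digest would require.

```python
import hashlib, struct

M = 0xFFFFFFFF
# Initial hash values from FIPS 180-4; the two functions differ only here and in output length.
IV256 = [0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a, 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19]
IV224 = [0xc1059ed8, 0x367cd507, 0x3070dd17, 0xf70e5939, 0xffc00b31, 0x68581511, 0x64f98fa7, 0xbefa4fa4]

def _icbrt(n):  # integer cube root, Newton's method starting above the root
    x = 1 << ((n.bit_length() + 2) // 3)
    while True:
        y = (2 * x + n // (x * x)) // 3
        if y >= x:
            return x
        x = y

# Round constants: first 32 fractional bits of the cube roots of the first 64 primes.
_primes = [p for p in range(2, 312) if all(p % d for d in range(2, int(p ** 0.5) + 1))]
K = [_icbrt(p << 96) & M for p in _primes]

def _rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & M

def compress(state, block):
    """One compression call: 8-word chaining state and a 64-byte block."""
    w = list(struct.unpack(">16I", block))
    for i in range(16, 64):
        s0 = _rotr(w[i - 15], 7) ^ _rotr(w[i - 15], 18) ^ (w[i - 15] >> 3)
        s1 = _rotr(w[i - 2], 17) ^ _rotr(w[i - 2], 19) ^ (w[i - 2] >> 10)
        w.append((w[i - 16] + s0 + w[i - 7] + s1) & M)
    a, b, c, d, e, f, g, h = state
    for i in range(64):
        t1 = (h + (_rotr(e, 6) ^ _rotr(e, 11) ^ _rotr(e, 25)) + ((e & f) ^ (~e & g)) + K[i] + w[i]) & M
        t2 = ((_rotr(a, 2) ^ _rotr(a, 13) ^ _rotr(a, 22)) + ((a & b) ^ (a & c) ^ (b & c))) & M
        a, b, c, d, e, f, g, h = (t1 + t2) & M, a, b, c, (d + t1) & M, e, f, g
    return [(x + y) & M for x, y in zip(state, (a, b, c, d, e, f, g, h))]

def final_state(msg, iv):
    """Pad msg and return the full 8-word (256-bit) chaining state."""
    padded = msg + b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack(">Q", len(msg) * 8)
    state = list(iv)
    for i in range(0, len(padded), 64):
        state = compress(state, padded[i:i + 64])
    return state

def sha224(msg):
    """Return (28-byte digest, eighth state word that truncation discards)."""
    state = final_state(msg, IV224)
    return struct.pack(">7I", *state[:7]), state[7]

def sha256(msg):
    return struct.pack(">8I", *final_state(msg, IV256))  # all 8 words are published
```

A SHA-256 digest is the complete chaining state, so anyone holding it can keep hashing; the SHA-224 digest carries only seven of the eight words.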
Where it shows up
- DNSSEC: one of the supported digest algorithms.
- Some legacy FIPS-evaluated contexts requiring a 112-bit security level.
- Educational examples: "the smallest standardized SHA-2 variant."
Why it’s rare
Most production cryptography uses 128-bit-security primitives, which requires 256-bit hash output. SHA-224 sits in an awkward 112-bit slot that doesn’t align with common security parameter choices. SHA-512/224 is a more performant alternative on 64-bit CPUs and is the recommended choice when the 112-bit security level is genuinely what you need.
Quick quiz
Test yourself on SHA-224
10 multiple-choice questions. Pick an answer for each, then submit to see explanations.
Q1. SHA-224 output size:
Q2. SHA-224 is SHA-256 with...
Q3. Block size of SHA-224:
Q4. Is SHA-224 vulnerable to length-extension?
Q5. Where is SHA-224 used?
Q6. Generic collision security of SHA-224:
Q7. Which is the more performant 112-bit-security drop-in on 64-bit CPUs?
Q8. Standard:
Q9. Year SHA-224 was added:
Q10. RFC that defines a SHA-224 reference implementation: