Why chose SHA512 over SHA384?
https://stackoverflow.com/questions/10061532
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
Russian题
SHA384 is a truncated version of SHA512. But why would anyone use it? And corollary: if SHA384 is just as good as SHA512, is there any rationale in using the 512 bit version?
I am planning to use one of the algorithms to verify file integrity, so I am mainly interested in colision security.
I would be happy to hear how anyone uses the SHA2 digests in practice and why would you chose one version over the other.
解决方案
For practical purposes and the foreseeable future, both SHA384 and SHA512 are good enough for almost any imaginable collision-resistance application. Generally, the primary determining factor of what hash you would use, once we're above 256 bits and collision resistance is infinite for practical purposes, is just how many bits of output you need. For example, if you need the hash to generate both a 256-bit HMAC key and a 128-bit encryption key, SHA384 is a natural choice. If you need as much output as possible for the computational cost, say for output of a PRNG or as random padding, then SHA512 makes sense.
其他提示
SHA512 also SHA256 SHA1 and MD5 are vulnerable to length extension attack SHA224 and SHA384 are not since reduced output to internal state, SHA3 is also not vulnerable. Having that in mind SHA512 is good cryptographic collision resistant hash function.
Certificates signed with SHA512 don't appear to work with TLS 1.2 on Windows (see here)
Therefore, I will be recreating my certificate chain using SHA-384 (or I suppose I could use SHA-256).
While thankfully, I have not released any certs yet, the thread in the linked page does propose a workaround/fix for those who are stuck with SHA-512.
HTH!
SHA512 is vulernable to length extension attack and SHA384 is not. [source]
Only reason I could think of using SHA-384 vs. SHA-512 is due to Digest need for signing. For example, if you are adopting ECDSA-384 signing, it requires 384 hash digest, not 512 bit. Ideally, you could throw out any 128-bit from 512-bit. But receiving end need know which 128-bit you throw out. So only difference between SHA384 and SHA512 is to define which 128-bit you need throw out.
