SHA-224 or SHA3-224 Weak Hash Usage

LOW

SHA-224 and SHA3-224 provide only 112-bit collision resistance, which is below the 128-bit minimum recommended by NIST for new applications.

Rule Information

Language
Python
Category
Python Core
Author
Shivasurya
Last Updated
2026-03-22
Tags
python, sha224, sha3-224, insufficient-bit-length, cryptography, hashlib, CWE-327, OWASP-A02
CWE References

Interactive Playground

Experiment with the vulnerable code and security rule below. Edit the code to see how the rule detects different vulnerability patterns.

pathfinder scan --ruleset python/PYTHON-LANG-SEC-033 --project .

About This Rule

Understanding the vulnerability and how it is detected

SHA-224 and SHA3-224 produce 224-bit digests, which provide 112-bit security against collision attacks (due to the birthday bound). NIST SP 800-57 recommends a minimum of 128-bit security strength for new applications, which requires at least a 256-bit hash function. NIST SP 800-131A deprecated the use of SHA-224 for digital signatures beyond 2030.

While SHA-224 and SHA3-224 are not as critically broken as MD5 or SHA-1, they fall below current best-practice security levels and should not be used for long-lived data protection, digital signatures in new systems, or applications requiring a security life beyond 2030.

For most security applications, SHA-256 or SHA3-256 are the appropriate replacements. The SHA-256 and SHA3-256 variants have the same computational cost as their 224-bit counterparts on most hardware and provide 128-bit security strength.

Security Implications

Potential attack scenarios if this vulnerability is exploited

1. Below Recommended Security Level

112-bit security against collision attacks is currently below the NIST-recommended 128-bit minimum for new systems. While not immediately breakable, this provides reduced margin against advances in cryptanalysis and quantum computing.

2. Long-term Data Protection Risk

Data protected by SHA-224 digests may need to remain secure for years or decades. The 112-bit security margin may be insufficient for data whose integrity needs to be verifiable in the long term as computing power increases.

3. Digital Signature Weakness

NIST has deprecated SHA-224 for digital signatures beyond 2030. New signature schemes should use SHA-256 or stronger to ensure signatures remain valid and secure for their intended lifetime.

4. Quantum Computing Considerations

Grover's algorithm halves the effective bit security of hash functions against quantum computers. SHA-224's 112-bit collision resistance becomes effectively 56-bit under quantum attack, which is well below any acceptable threshold.

How to Fix

Recommended remediation steps

1. Replace hashlib.sha224() and hashlib.sha3_224() with hashlib.sha256() or hashlib.sha3_256() in all new code.
2. For digital signatures and certificate operations, use SHA-256 or SHA-384 as required by current CA/Browser Forum baseline requirements.
3. Prioritize migration of SHA-224 usage in long-lived digital signatures and certificates to SHA-256 before 2030.
4. Document any remaining SHA-224 usage with an explanation of why the reduced security margin is acceptable.
5. Consider SHA-384 or SHA-512 for applications with the highest security requirements or longest data lifetimes.
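As an added example (not part of this rule page or the Code Pathfinder project), the remediation steps above expressed as a small hashing policy: the collision strength of a hashlib algorithm is derived from its digest size via the birthday bound, and anything below the NIST 128-bit minimum (sha224 and sha3_224 included) is refused at the call site. The 128-bit threshold and the helper names are this example's own choices.

```python
import hashlib

# Minimum collision security strength for new applications (NIST SP 800-57).
MIN_COLLISION_BITS = 128


def collision_strength_bits(algorithm: str) -> int:
    """Generic collision security of a hash from the birthday bound: n/2 bits.

    This is an upper bound; algorithms with known attacks (MD5, SHA-1) are
    weaker still, so those should be rejected by name, not only by length.
    """
    digest_bits = hashlib.new(algorithm).digest_size * 8
    return digest_bits // 2


def is_acceptable(algorithm: str, min_bits: int = MIN_COLLISION_BITS) -> bool:
    """True when the algorithm meets the policy threshold (sha256 and up)."""
    return collision_strength_bits(algorithm) >= min_bits


def secure_digest(data: bytes, algorithm: str = "sha256") -> str:
    """Hash data, refusing sha224/sha3_224 and anything else below policy."""
    if not is_acceptable(algorithm):
        raise ValueError(
            f"{algorithm} offers only {collision_strength_bits(algorithm)}-bit "
            f"collision resistance; policy requires {MIN_COLLISION_BITS} bits"
        )
    return hashlib.new(algorithm, data).hexdigest()


if __name__ == "__main__":
    payload = b"abc"  # constructed sample input
    print(secure_digest(payload))            # sha256, accepted
    try:
        secure_digest(payload, "sha224")     # the pattern this rule flags
    except ValueError as exc:
        print("rejected:", exc)
```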

Detection Scope

How Code Pathfinder analyzes your code for this vulnerability

This rule detects calls to hashlib.sha224() and hashlib.sha3_224() in Python source code. The rule reports LOW severity findings since these algorithms are not broken but are below current best-practice recommendations for new applications.
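To make the detection scope concrete, here is an added example of an ast-based detector for the same pattern. It is not the real Code Pathfinder rule: it reports hashlib.sha224() and hashlib.sha3_224() calls as the page describes, and additionally goes one step further by catching hashlib.new("sha224") style calls that name the algorithm as a string. The sample source it scans is constructed for this example.

```python
import ast
from typing import List, Optional, Tuple

WEAK_224 = {"sha224", "sha3_224"}  # constructor names this rule reports


def _called_name(call: ast.Call) -> Optional[str]:
    """'sha224' for hashlib.sha224(...) or for a bare sha224(...) import."""
    if isinstance(call.func, ast.Attribute):
        return call.func.attr
    if isinstance(call.func, ast.Name):
        return call.func.id
    return None


def find_weak_224(source: str) -> List[Tuple[int, str]]:
    """Return (line, algorithm) for every weak 224-bit hash constructor call."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _called_name(node)
        if name in WEAK_224:
            findings.append((node.lineno, name))
        # hashlib.new("sha224", ...) selects the algorithm by string instead.
        elif name == "new" and node.args and isinstance(node.args[0], ast.Constant):
            algo = str(node.args[0].value).lower().replace("sha3-", "sha3_")
            if algo in WEAK_224:
                findings.append((node.lineno, algo))
    return sorted(findings)


# Constructed sample source: three weak calls (lines 5, 8, 11) and one fine one.
SAMPLE_SOURCE = """import hashlib
from hashlib import sha3_224

def fingerprint(data):
    return hashlib.sha224(data).hexdigest()

def sponge(data):
    return sha3_224(data).hexdigest()

def legacy(data):
    return hashlib.new("sha224", data).hexdigest()

def fine(data):
    return hashlib.sha256(data).hexdigest()
"""

if __name__ == "__main__":
    for line, algo in find_weak_224(SAMPLE_SOURCE):
        print(f"line {line}: {algo} is below the 128-bit minimum; use sha256")
```

Because the match is by name, a function called sha224 from an unrelated module would also be reported; a production rule resolves the import to hashlib first.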

Compliance & Standards

Industry frameworks and regulations that require detection of this vulnerability

NIST SP 800-57 Part 1 Revision 5: minimum 128-bit security strength recommended for new systems (requires a 256-bit hash)
NIST SP 800-131A Revision 2: SHA-224 deprecated for digital signatures beyond 2030
OWASP Top 10: A02:2021 - Cryptographic Failures
FIPS 186-5: SHA-256, SHA-384, SHA-512, and SHA-3 variants are approved; SHA-224 permitted with restrictions

Frequently Asked Questions

Common questions about SHA-224 or SHA3-224 Weak Hash Usage

Is SHA-224 broken?

No. SHA-224 has no known practical collision attacks and is not broken in the same sense as MD5 or SHA-1. However, its 112-bit security level is below the current NIST minimum recommendation of 128 bits for new applications. The risk is that future cryptanalytic advances or increased computing power could reduce the effective security below acceptable thresholds.

Why is SHA-224's security strength 112 bits rather than 224?

The birthday bound means that collision attacks on an n-bit hash require approximately 2^(n/2) operations. For SHA-224, this is 2^112. NIST defines security strength in terms of this birthday bound, so SHA-224's security strength is 112 bits, not 224 bits.

Is SHA3-224 safer than SHA-224?

SHA3-224 uses a fundamentally different construction (Keccak sponge) than SHA-224 (Merkle-Damgård). This makes it immune to the length-extension attacks that affect SHA-224. However, both have the same 112-bit collision security from the birthday bound. For applications requiring strong security, SHA3-256 is the preferred upgrade.

When is SHA-224 still acceptable?

SHA-224 is acceptable for non-security checksums, content addressing where collision resistance is not a security requirement, and applications with short data lifetimes where 112-bit security is sufficient. For digital signatures, certificates, and long-lived security, use SHA-256 or stronger.

Is SHA-224 faster than SHA-256?

SHA-256 and SHA-224 perform identical computations (SHA-224 is truncated SHA-256) and have essentially the same performance. There is no performance reason to use SHA-224 over SHA-256. SHA-256 is strictly better and should always be preferred.

Does FIPS 186-5 approve SHA-224 for digital signatures?

FIPS 186-5 (Digital Signature Standard) approves SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256, SHA3-256, SHA3-384, and SHA3-512 for digital signatures. SHA-224 is no longer listed as approved for new signature schemes in FIPS 186-5.
