# PYTHON-LANG-SEC-033: SHA-224 or SHA3-224 Weak Hash Usage

> **Severity:** LOW | **CWE:** CWE-327 | **OWASP:** A02:2021

- **Language:** Python
- **Category:** Python Core
- **URL:** https://codepathfinder.dev/registry/python/lang/PYTHON-LANG-SEC-033
- **Detection:** `pathfinder scan --ruleset python/PYTHON-LANG-SEC-033 --project .`

## Description

SHA-224 and SHA3-224 produce 224-bit digests, which provides 112-bit security against
collision attacks (due to the birthday bound). NIST SP 800-57 recommends a minimum of
128-bit security strength for new applications, which requires at least a 256-bit hash
function. NIST SP 800-131A deprecated the use of SHA-224 for digital signatures beyond 2030.

While SHA-224 and SHA3-224 are not as critically broken as MD5 or SHA-1, they fall below
current best-practice security levels and should not be used for long-lived data protection,
digital signatures in new systems, or applications requiring a security life beyond 2030.

For most security applications, SHA-256 or SHA3-256 are the appropriate replacements.
The SHA-256 or SHA3-256 variants are the same computational cost on most hardware and
provide 128-bit security strength.


## Vulnerable Code

```python
import hashlib

sha224_hash = hashlib.sha224(b"data")
```

## Secure Code

```python
import hashlib

# BELOW RECOMMENDED: SHA-224 provides only 112-bit security
# h = hashlib.sha224(data).hexdigest()
# h = hashlib.sha3_224(data).hexdigest()

# SECURE: SHA-256 provides 128-bit security at similar computational cost
def hash_content(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# SECURE: SHA3-256 for post-quantum forward security
def hash_document(data: bytes) -> str:
    return hashlib.sha3_256(data).hexdigest()

# SECURE: SHA-512 for applications requiring maximum security margin
def hash_sensitive_data(data: bytes) -> str:
    return hashlib.sha512(data).hexdigest()

```

## Detection Rule (Python SDK)

```python
from rules.python_decorators import python_rule
from codepathfinder import calls, QueryType

class HashlibModule(QueryType):
    fqns = ["hashlib"]


@python_rule(
    id="PYTHON-LANG-SEC-033",
    name="SHA-224 Weak Hash",
    severity="LOW",
    category="lang",
    cwe="CWE-327",
    tags="python,sha224,weak-hash,CWE-327",
    message="SHA-224 provides only 112-bit security. Consider SHA-256 or SHA-3.",
    owasp="A02:2021",
)
def detect_sha224():
    """Detects hashlib.sha224() and sha3_224() usage."""
    return HashlibModule.method("sha224", "sha3_224")
```

## How to Fix

- Replace hashlib.sha224() and hashlib.sha3_224() with hashlib.sha256() or hashlib.sha3_256() in all new code.
- For digital signatures and certificate operations, use SHA-256 or SHA-384 as required by current CA/Browser Forum baseline requirements.
- Prioritize migration of SHA-224 usage in long-lived digital signatures and certificates to SHA-256 before 2030.
- Document any remaining SHA-224 usage with an explanation of why the reduced security margin is acceptable.
- Consider SHA-384 or SHA-512 for applications with the highest security requirements or longest data lifetimes.

## Security Implications

- **Below Recommended Security Level:** 112-bit security against collision attacks is currently below the NIST-recommended
128-bit minimum for new systems. While not immediately breakable, this provides reduced
margin against advances in cryptanalysis and quantum computing.

- **Long-term Data Protection Risk:** Data protected by SHA-224 digests may need to remain secure for years or decades.
The 112-bit security margin may be insufficient for data whose integrity needs to be
verifiable in the long term as computing power increases.

- **Digital Signature Weakness:** NIST has deprecated SHA-224 for digital signatures beyond 2030. New signature schemes
should use SHA-256 or stronger to ensure signatures remain valid and secure for their
intended lifetime.

- **Quantum Computing Considerations:** Grover's algorithm halves the effective bit security of hash functions against quantum
computers. SHA-224's 112-bit collision resistance becomes effectively 56-bit under
quantum attack, which is well below any acceptable threshold.


## FAQ

**Q: Is SHA-224 broken like MD5 and SHA-1?**

No. SHA-224 has no known practical collision attacks and is not broken in the same sense
as MD5 or SHA-1. However, its 112-bit security level is below the current NIST minimum
recommendation of 128 bits for new applications. The risk is that future cryptanalytic
advances or increased computing power could reduce the effective security below
acceptable thresholds.


**Q: Why does SHA-224 have only 112-bit security despite a 224-bit output?**

The birthday bound means that collision attacks on an n-bit hash require approximately
2^(n/2) operations. For SHA-224, this is 2^112. NIST defines security strength in terms
of this birthday bound, so SHA-224's security strength is 112 bits, not 224 bits.


**Q: Is SHA3-224 safer than SHA-224?**

SHA3-224 uses a fundamentally different construction (Keccak sponge) than SHA-224
(Merkle-Damgård). This makes it immune to length-extension attacks that affect SHA-224.
However, both have the same 112-bit collision security from the birthday bound. For
applications requiring strong security, SHA3-256 is the preferred upgrade.


**Q: When is SHA-224 acceptable to use?**

SHA-224 is acceptable for non-security checksums, content addressing where collision
resistance is not a security requirement, and applications with short data lifetimes
where 112-bit security is sufficient. For digital signatures, certificates, and
long-lived security, use SHA-256 or stronger.


**Q: What is the performance difference between SHA-224 and SHA-256?**

SHA-256 and SHA-224 perform identical computations (SHA-224 is truncated SHA-256) and
have essentially the same performance. There is no performance reason to use SHA-224
over SHA-256. SHA-256 is strictly better and should always be preferred.


**Q: Does the FIPS 186-5 standard approve SHA-224 for digital signatures?**

FIPS 186-5 (Digital Signature Standard) approves SHA-256, SHA-384, SHA-512, SHA-512/224,
SHA-512/256, SHA3-256, SHA3-384, and SHA3-512 for digital signatures. SHA-224 is no
longer listed as approved for new signature schemes in FIPS 186-5.


## References

- [CWE-327: Use of a Broken or Risky Cryptographic Algorithm](https://cwe.mitre.org/data/definitions/327.html)
- [NIST SP 800-57 Part 1 Revision 5 - Key Management](https://csrc.nist.gov/publications/detail/sp/800-57-part-1/rev-5/final)
- [NIST SP 800-131A Revision 2 - Cryptographic Algorithm Transitions](https://csrc.nist.gov/publications/detail/sp/800-131a/rev-2/final)
- [Python docs: hashlib module](https://docs.python.org/3/library/hashlib.html)
- [OWASP Cryptographic Storage Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html)

---

Source: https://codepathfinder.dev/registry/python/lang/PYTHON-LANG-SEC-033
Code Pathfinder — Open source, type-aware SAST with cross-file dataflow analysis