SHA
Cryptography
Secure Hash Algorithm -- a family of NIST-standardized one-way hash functions (SHA-1, SHA-256, SHA-384, SHA-512) used in smart cards for message integrity, digital signatures, and key derivation.
What Is SHA?
Secure Hash Algorithm (SHA) is a family of NIST-standardized cryptographic hash functions that produce fixed-size digests from arbitrary-length input data. In smart card systems, SHA hashes are fundamental to digital signatures, message authentication, key derivation, and data integrity verification. Every time a smart card signs a document, verifies a certificate, or computes a MAC, a SHA hash function is involved.
SHA Variants in Smart Cards
| Algorithm | Digest Size | Block Size | Status | Smart Card Usage |
|---|---|---|---|---|
| SHA-1 | 160-bit | 512-bit | Deprecated | Legacy EMV SDA, old certificates |
| SHA-224 | 224-bit | 512-bit | Approved | Rarely used |
| SHA-256 | 256-bit | 512-bit | Recommended | ePassport, PIV, SCP03, EMV CDA |
| SHA-384 | 384-bit | 1024-bit | Approved | High-assurance government cards |
| SHA-512 | 512-bit | 1024-bit | Approved | Specialized applications |
How SHA Is Used on Smart Cards
SHA appears at multiple layers of smart card security:
- Digital signatures -- when a card performs an RSA or ECC signature, it first hashes the data using SHA-256 (or SHA-384), then signs the hash. The small, fixed-size digest is what the asymmetric algorithm actually operates on.
- Certificate verification -- verifying a certificate chain requires hashing the certificate body and comparing it against the issuer's signature. The card performs this when validating CVC certificates during terminal authentication.
- Message authentication -- HMAC-SHA-256 and CMAC (which internally uses AES) are used to compute MACs for secure messaging integrity.
- Key derivation -- SCP03 and PACE use SHA-based key derivation functions (KDFs) to derive session keys from shared secrets.
Hardware Acceleration
Smart card crypto coprocessors typically include dedicated SHA accelerators that process data at 5-20 MB/s, far faster than software computation on the card's CPU. This is important because hash operations are frequently invoked -- a single EMV transaction may require 10-20 SHA-256 computations for certificate verification, data authentication, and MAC generation.
SHA-1 Deprecation
SHA-1 has been cryptographically broken (practical collision attacks since 2017) and is deprecated for all security-critical smart card applications:
- EMV -- migrating from SHA-1 to SHA-256 for offline data authentication
- ePassport -- ICAO recommends SHA-256 or higher for new document signing certificates
- FIPS 201 -- prohibits SHA-1 for PIV digital signatures
Legacy cards with SHA-1 certificates remain in circulation but are being replaced on natural lifecycle schedules.
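The hash-then-sign step from the digital signatures bullet and the SHA-1 deprecation above, as an added example that is not part of the original page or any card vendor's code: the host hashes the data and wraps the digest in the PKCS#1 v1.5 DigestInfo that the RSA operation signs, and a verifier re-encodes and compares while refusing SHA-1. The function names and the `DEPRECATED` policy set are assumptions; ECC signatures take the bare digest instead of a DigestInfo.

```python
import hashlib
import hmac

# Hash OIDs as DER content bytes (standard values from the OIW and NIST arcs).
OIDS = {
    "sha1": bytes.fromhex("2b0e03021a"),
    "sha256": bytes.fromhex("608648016503040201"),
    "sha384": bytes.fromhex("608648016503040202"),
    "sha512": bytes.fromhex("608648016503040203"),
}
DEPRECATED = {"sha1"}  # assumed local policy, following the deprecation above


class HashPolicyError(ValueError):
    """Raised when a deprecated hash is requested or encountered."""


def tlv(tag: int, value: bytes) -> bytes:
    """Minimal DER tag-length-value; short-form lengths cover every DigestInfo."""
    if len(value) >= 128:
        raise ValueError("long-form DER length not needed for DigestInfo")
    return bytes([tag, len(value)]) + value


def encode_digest_info(alg: str, digest: bytes) -> bytes:
    """SEQUENCE { SEQUENCE { OID, NULL }, OCTET STRING digest }."""
    alg_id = tlv(0x30, tlv(0x06, OIDS[alg]) + b"\x05\x00")
    return tlv(0x30, alg_id + tlv(0x04, digest))


def digest_info(alg: str, data: bytes) -> bytes:
    """Host side: hash the data and wrap the digest for an RSA signature."""
    if alg in DEPRECATED:
        raise HashPolicyError(f"{alg} is not allowed for new signatures")
    return encode_digest_info(alg, hashlib.new(alg, data).digest())


def check_digest_info(recovered: bytes, data: bytes) -> str:
    """Verifier side: re-encode for each known hash and compare whole blobs,
    instead of parsing the recovered bytes. Returns the matching hash name."""
    for alg in OIDS:
        expected = encode_digest_info(alg, hashlib.new(alg, data).digest())
        if hmac.compare_digest(recovered, expected):
            if alg in DEPRECATED:
                raise HashPolicyError(f"signature uses deprecated {alg}")
            return alg
    raise ValueError("DigestInfo does not match the data under any known hash")
```

Whatever the size of the input, the SHA-256 DigestInfo is always 51 bytes, which is what makes the digest practical to send to the card in a single command.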