Skip to content

SHA-384 Hash Generator (TLS Suite B Hash)

Generate SHA-384 hashes online — 96-character hex output, length-extension immune, NSA Suite B compliant. Paired with AES-256-GCM in TLS. All hashing runs in your browser via Web Crypto API.

No Tracking Runs in Browser Free
All hashing is performed locally in your browser. No data is transmitted to any server.
Algorithm
Reviewed for SHA-384 correctness against NIST FIPS 180-4 test vectors; Suite B framing verified against CNSSP-15 and CNSA Suite documentation — Go Tools Engineering Team · May 28, 2026

What Is SHA-384?

SHA-384 is a 384-bit cryptographic hash function in the SHA-2 family, published by NIST in 2001 as part of FIPS 180-2. It is architecturally a truncated variant of SHA-512: both algorithms use identical 64-bit word arithmetic, 80 compression rounds, and 1024-bit input blocks — the only differences are the initialization vector (IV) and the fact that SHA-384 discards the last 128 bits of SHA-512's 512-bit output, producing 384 bits (96 hexadecimal characters).

Why the truncation matters cryptographically: SHA-256 is vulnerable to length-extension attacks — given SHA-256(message), an attacker can compute SHA-256(message || padding || extension) without knowing the original message, by resuming the hash computation from the leaked internal state. SHA-384 eliminates this attack surface: the truncation discards 128 bits of internal state, so the published 384-bit hash does not carry enough information to resume the SHA-512 computation. This makes raw SHA-384 (without HMAC wrapping) safe for constructions where the hash output may be exposed to adversaries.

NSA Suite B and TLS role: SHA-384 was mandated by NSA Suite B (CNSSP-15, 2005) for TOP SECRET classification. It is the hash algorithm in the ciphersuite ECDHE-ECDSA-AES256-GCM-SHA384, which is the standard TLS 1.2 ciphersuite for Suite B compliant systems and remains widely deployed in U.S. government, financial, and defense networks. The NSA's CNSA Suite (2015) retained SHA-384 alongside SHA-256, and SHA-384 appears in TLS 1.3's signature algorithms list (ecdsa_secp384r1_sha384).

Performance: On 64-bit hardware SHA-384 and SHA-512 run at identical speed — both use 64-bit word operations exclusively. They are typically faster than SHA-256 (which uses 32-bit word operations and requires more passes for the same input) on modern x86-64 and ARM64 processors.

This tool computes SHA-384 entirely in your browser via crypto.subtle.digest('SHA-384', ...) from the Web Crypto API. The output is bit-for-bit identical to what sha384sum, openssl dgst -sha384, or Python's hashlib.sha384() produce.

When to use SHA-384: TLS ciphersuites mandating Suite B compliance, HMAC-SHA-384 for TLS 1.2 PRF, HKDF-SHA-384 key derivation, classified document fingerprinting, and any context where length-extension immunity is required without HMAC wrapping. When not to use SHA-384: general-purpose checksums and everyday integrity use — SHA-256 is the standard choice for those, with simpler library support and universal tool compatibility.

// Hash text using Web Crypto API (SHA-384)
async function sha384(text) {
  const data = new TextEncoder().encode(text);
  const hash = await crypto.subtle.digest('SHA-384', data);
  return Array.from(new Uint8Array(hash))
    .map(b => b.toString(16).padStart(2, '0'))
    .join('');
}

await sha384('Hello, World!');
// → '5485cc9b3365b4305dfb4e8337e0a598a574f8242bf17289e0dd6c20a3cd44a089de16ab4ab308f63e44b1170eb5f515'

SHA-384 Examples

TLS ciphersuite handshake fingerprint

ECDHE-ECDSA-AES256-GCM-SHA384

The ciphersuite name ECDHE-ECDSA-AES256-GCM-SHA384 is the canonical Suite B ciphersuite for TOP SECRET TLS sessions. The SHA-384 suffix refers to the PRF (Pseudo-Random Function) used in the TLS 1.2 handshake to derive session keys. Paste this string to generate the SHA-384 hash of the ciphersuite name itself — a quick way to verify your SHA-384 implementation is consistent across environments. In a real TLS session, the certificate chain, pre-master secret, and handshake transcript are all fed through HMAC-SHA-384 as part of the TLS 1.2 PRF.

HKDF-SHA-384 key derivation (TLS 1.2 PRF)

master secret || client random || server random

TLS 1.2's PRF (defined in RFC 5246) uses HMAC-SHA-384 for ciphersuites negotiated with SHA-384. The master secret is derived from the pre-master secret using P_SHA384(pre_master_secret, 'master secret' || ClientHello.random || ServerHello.random). HKDF-SHA-384 (RFC 5869) extends this pattern for general key derivation, and is used in TLS 1.3's key schedule as well as IKEv2 (IPsec). Paste any seed material here to generate the SHA-384 fingerprint before applying HMAC — a first step in debugging a key-derivation pipeline.

NSA Suite B classified document fingerprint

CLASSIFIED//TS//SI//NF — Document ID: TSC-2026-0001

The NSA's Suite B cryptography profile (CNSSP-15, superseded by the CNSA Suite in 2018) mandated SHA-384 for TOP SECRET document integrity. Intelligence community systems fingerprint classified documents with SHA-384 to detect tampering. The resulting 96-character hex string is stored in the document manifest alongside the AES-256-GCM-encrypted payload. Paste any document header or ID string here to generate the SHA-384 fingerprint — useful when auditing legacy Suite B compliant archives or when validating that a CNSA-transitioning system still produces correct SHA-384 outputs.

HMAC-SHA-384 message authentication

POST /api/v2/transfer
Content-Type: application/json
{"amount":10000,"to":"account-XYZ"}

HMAC-SHA-384 is used in high-assurance APIs to authenticate request bodies. The server computes HMAC-SHA-384(secret_key, canonical_request) and includes the hex digest in an Authorization header; the client reproduces the computation and compares. Because SHA-384 is length-extension immune even in raw (non-HMAC) form, it provides an extra margin of safety over HMAC-SHA-256 for scenarios where the raw hash might be exposed — for example, in distributed logging systems or signed URL schemes. Paste the request body here to inspect the SHA-384 hash before adding your HMAC key.

How to Generate SHA-384 Hashes

  1. 1

    Paste text or drop a file

    Select the Text tab and paste any string — a document ID, request body, or arbitrary input — into the input area. The SHA-384 hash updates as you type. For files, switch to the File tab and drag any file into the dropzone; the browser hashes it locally using the Web Crypto API with no upload. A progress indicator appears for large files (>10 MB).

  2. 2

    Copy the 96-character hash

    Click the Copy button next to the hash output. The full 96-character lowercase hex string goes to your clipboard — ready to paste into a TLS configuration, compliance report, or HMAC implementation. Use the Uppercase toggle if your target system requires uppercase hex.

  3. 3

    Compare against a known hash

    Switch to the Compare tab and paste two SHA-384 hashes side by side. The tool reports match or mismatch using constant-time comparison, which does not leak timing information. Useful for verifying Suite B compliance hashes, comparing HKDF-SHA-384 derived keys across implementations, or checking document fingerprints in classified archive audits.

Technical Details

Algorithm: SHA-512 with different IV, output truncated to 384 bits
SHA-384 is structurally identical to SHA-512 (FIPS 180-4 section 6.5). Both use 80 rounds of 64-bit operations (Ch, Maj, Σ0, Σ1 functions) with constants derived from the cube and square roots of the first 80 primes. The initialization vector (eight 64-bit words) differs from SHA-512's IV — SHA-384's IV is derived from the fractional parts of the square roots of the 9th through 16th primes. After processing, the first six 64-bit words of the eight-word state are output (384 bits); the final two words are discarded.
Output: 384 bits, 96 hex characters
Always exactly 96 lowercase hexadecimal characters (384 bits = 48 bytes, each byte encoded as 2 hex chars). Fixed-length regardless of input size. The 96-character length is the immediate fingerprint that distinguishes SHA-384 from SHA-256 (64 chars) and SHA-512 (128 chars). The discarded 128 bits — the last two 64-bit state words — are what make SHA-384 length-extension resistant.
Performance: identical to SHA-512 on 64-bit hardware
SHA-384 and SHA-512 execute the same instruction sequence on 64-bit CPUs. Both use 1024-bit (128-byte) input blocks, processed with 64-bit rotations and additions. Throughput is typically 500–900 MB/s in a browser using the Web Crypto API (which calls native C/Rust code outside the JS VM), and 1–3 GB/s in native tools with hardware SHA extensions. On 32-bit hardware or without hardware acceleration, SHA-384/512 are slower than SHA-256 due to 64-bit integer emulation.
Standards: FIPS 180-4, NSA Suite B legacy, CNSA current
Standardized in FIPS 180-2 (2001), current version FIPS 180-4 (2015). Required by NSA Suite B (CNSSP-15, 2005) for TOP SECRET, still present in the CNSA Suite (2015). Specified for TLS in RFC 5246 (TLS 1.2 PRF with SHA-384 ciphersuites), RFC 8446 (TLS 1.3 signature algorithm ecdsa_secp384r1_sha384), and RFC 5869 (HKDF). NIST-approved for all security strength levels through 2030 and beyond under NIST SP 800-131A Rev 2.

Best Practices

Use SHA-384 when length-extension immunity matters without HMAC
If your protocol exposes the raw hash output and an attacker could attempt to extend the message (e.g., certain signed-URL or challenge-response schemes), SHA-384 provides inherent length-extension immunity that SHA-256 does not. For all other keyed uses, apply HMAC regardless of the underlying hash — HMAC-SHA-256 and HMAC-SHA-384 are both safe, and HMAC eliminates length-extension attacks for any SHA-2 variant.
Pair with AES-256-GCM for Suite B / CNSA compliance
If you are building a system that must comply with NSA Suite B or CNSA requirements, the canonical pairing is AES-256-GCM for bulk encryption and SHA-384 for integrity and key derivation. TLS 1.2 with ECDHE-ECDSA-AES256-GCM-SHA384 is the reference ciphersuite. For TLS 1.3, the equivalent is TLS_AES_256_GCM_SHA384 with ecdsa_secp384r1_sha384 as the signature algorithm. Confirm your TLS library actually negotiates these ciphersuites — some defaults prefer AES-128 variants even on Suite B configured systems.
Use HMAC-SHA-384 for keyed MAC in TLS 1.2 PRF contexts
TLS 1.2's PRF uses HMAC-SHA-384 for ciphersuites where SHA-384 was negotiated (RFC 5246 section 5). If you are implementing or testing a TLS 1.2 PRF: PRF(secret, label, seed) = P_SHA384(secret, label + seed). Do not substitute HMAC-SHA-256 in a SHA-384 ciphersuite context — the ciphersuite negotiation determines the PRF hash, and mismatching them causes handshake failure. Verify with test vectors from RFC 5705 (keying material exporters) or RFC 6070 (PBKDF2).
Use constant-time comparison when verifying SHA-384 hashes in code
If you are comparing two SHA-384 hashes in code — verifying a document fingerprint, checking a MAC — use a constant-time equality check: Node.js crypto.timingSafeEqual(), Python hmac.compare_digest(), Go subtle.ConstantTimeCompare(). Naive string equality (=== or ==) leaks timing information that can allow an attacker to reconstruct the expected hash byte-by-byte in ~768 comparisons (96 chars × 8 bits). This is a critical defense-in-depth measure for any authentication system.

SHA-384 FAQ

Why use SHA-384 over SHA-256?
Two reasons: length-extension immunity and Suite B compliance. SHA-384 is immune to length-extension attacks because truncating SHA-512's 512-bit state to 384 bits discards 128 bits of internal state — an attacker who knows SHA-384(message) cannot compute SHA-384(message || extension) without knowing the full message. SHA-256 is vulnerable to length-extension attacks, which is why keyed use of SHA-256 requires HMAC construction. Additionally, SHA-384 was required by NSA Suite B at the TOP SECRET level and remains prevalent in TLS ciphersuites (ECDHE-ECDSA-AES256-GCM-SHA384) and government systems transitioning to the CNSA Suite.
Is SHA-384 as secure as SHA-512?
Yes, in terms of collision resistance. SHA-384 provides 192 bits of collision resistance (half of 384 bits) versus SHA-512's 256 bits — both are far beyond any foreseeable attack. SHA-384 provides the same second-preimage resistance as SHA-512 in practice. The only meaningful difference is output length: 96 hex chars vs 128 hex chars. If you need maximum collision resistance for extremely long-lived archives (beyond 50 years), SHA-512 provides a larger margin — but for any current system, SHA-384 is fully adequate.
Is SHA-384 the same speed as SHA-512?
Yes — they are literally the same algorithm. SHA-384 is SHA-512 with a different initialization vector (IV) and the output truncated to the first 384 bits. Because both use 64-bit word arithmetic throughout, they run at identical speed on 64-bit hardware. Counterintuitively, SHA-384 and SHA-512 are both typically faster than SHA-256 on 64-bit machines — SHA-256 uses 32-bit word arithmetic and processes 512-bit blocks, while SHA-512 processes 1024-bit blocks in fewer passes. Typical throughput: 500–900 MB/s in a browser, comparable to native tools.
When does HMAC-SHA-384 matter over HMAC-SHA-256?
In TLS 1.2 handshakes negotiated with SHA-384 ciphersuites, the PRF is HMAC-SHA-384 — this is a hard protocol requirement, not a choice. Outside of TLS, prefer HMAC-SHA-384 when: (1) you are targeting Suite B / CNSA compliance, (2) the system handles data classified above SECRET, or (3) you want an extra margin against future advances against 128-bit security. For general-purpose MACs where neither applies, HMAC-SHA-256 is standard and well-tested across libraries.
Should I use SHA-384 for general-purpose hashing?
Not unless you have a specific reason. SHA-256 is the industry default for file integrity, checksums, Git objects, JWT signatures, and certificate fingerprints — it is universally supported and provides 128 bits of collision resistance, more than enough for any practical use. SHA-384 makes sense when you need (1) length-extension immunity without HMAC wrapping, (2) Suite B / CNSA compliance, or (3) interoperability with TLS ciphersuites that mandate SHA-384. For everything else, SHA-256 is simpler and equally secure.
What is NSA Suite B and is it still used?
NSA Suite B was a set of cryptographic algorithms approved for protecting U.S. classified information, published by the NSA in 2005 (CNSSP-15). Suite B required SHA-256 for SECRET and SHA-384 for TOP SECRET. In 2015 the NSA announced a transition away from Suite B toward the Commercial National Security Algorithm Suite (CNSA), driven by post-quantum cryptography concerns — Suite B's elliptic curve algorithms (P-256, P-384) could eventually be broken by a sufficiently large quantum computer. However, SHA-384 was retained in CNSA alongside SHA-256. Many government and defense systems built for Suite B compliance still use SHA-384, and TLS ciphersuites originally required by Suite B (like ECDHE-ECDSA-AES256-GCM-SHA384) remain widely deployed in government networks.
How long is a SHA-384 hash?
Always exactly 96 hexadecimal characters — 384 bits divided into 48 bytes, each byte encoded as two hex characters. The output length is fixed regardless of input size; a 1-byte message and a 10 GB file both produce 96 hex chars. Compare: SHA-256 produces 64 hex chars, SHA-512 produces 128 hex chars, MD5 produces 32 hex chars. The 96-character output is the immediate signal that a hash was produced by SHA-384.
Is my data sent to a server when I use this tool?
No. SHA-384 is computed entirely in your browser using the Web Crypto API (crypto.subtle.digest('SHA-384', data)). Open DevTools → Network tab while hashing — you will see zero outgoing requests. Files you drop in are read via the FileReader API and hashed locally; the bytes never leave your machine. This makes the tool safe for hashing classified document fingerprints, TLS private key material, or any other sensitive input. The same privacy guarantee applies to the SHA-256 generator and SHA-512 generator.

Related Tools

View all tools →

JWT Decoder

Security Tools

Decode JWT tokens online with our free JWT decoder. Instantly inspect header, payload, signature, expiration, algorithm, and claims. 100% browser-based — your token never leaves your device. No signup, no tracking.

MD5 Hash Generator & File Checksum Tool

Security Tools

Generate MD5, SHA-256, SHA-1 & SHA-512 hashes online for free. Hash text or files in your browser, verify checksums and copy results. No signup needed.

Random Password Generator — Customizable, Strong & Secure

Security Tools

Generate strong random passwords instantly — free, 100% in your browser. Customize length & characters, batch up to 50 with entropy analysis.

SHA-1 Hash Generator (160-bit Legacy)

Security Tools

Generate SHA-1 hashes in your browser — 40-character hex output, no upload. Legacy tool for Git fingerprints, old certificate checks, and migration audits. Data never leaves your device.

SHA-256 Hash Generator & Checksum Tool

Security Tools

Generate SHA-256 hashes online for free. Hash text or files in your browser, verify checksums, and copy 64-character hex output. No signup; data never leaves the page.

SHA-3 Hash Generator (Keccak SHA3-256)

Security Tools

Generate SHA-3 hashes online free. NIST FIPS 202 sponge construction — the post-SHA-2 standard. SHA3-256 output in 64 hex chars. Browser-only via lazy-loaded js-sha3; zero uploads.