SHA-384 occupies the same niche in the SHA-2 family as SHA-224: a SHA-2 hash with truncated output for compliance reasons. Where SHA-224 is the truncated SHA-256 for legacy 112-bit security, SHA-384 is the truncated SHA-512 for high-security applications that don’t need a full 512-bit hash but want more than SHA-256’s 128-bit collision resistance. Real-world use is concentrated in government and high-assurance crypto:
- TLS 1.3: the TLS_AES_256_GCM_SHA384 cipher suite uses SHA-384 in HKDF for key derivation.
- NSA Suite B / CNSA: the US National Security Agency’s commercial cryptography spec requires SHA-384 (or SHA-512) for top-secret data classifications.
- PKI / X.509 certificates: ECDSA signatures over P-384 curves naturally pair with SHA-384.
- Long-lived archive integrity: the extra 64 bits over SHA-256 add comfortable security margin.
Our SHA-384 hash generator uses the browser’s native SubtleCrypto.digest('SHA-384', ...) API — same code path that handles HTTPS certificate verification — and runs entirely on your device. This guide covers when SHA-384 is the right pick, the performance characteristics, and the gotchas with truncation.
SHA-2 family at a glance
| Algorithm | Output | Collision security | Performance |
|---|---|---|---|
| SHA-224 | 224 bits | 112-bit | Same as SHA-256 |
| SHA-256 | 256 bits | 128-bit | Slower on 64-bit |
| SHA-384 | 384 bits | 192-bit | Same as SHA-512 (faster on 64-bit) |
| SHA-512 | 512 bits | 256-bit | ~30% faster than SHA-256 on 64-bit |
Why SHA-384 is faster than SHA-256 on modern hardware
SHA-384 uses the SHA-512 compression function — operating on 64-bit words and 1024-bit blocks — and just truncates the output. On a 64-bit CPU each word fits in a single register. SHA-256, despite producing a smaller output, runs on 32-bit words requiring more operations per byte hashed.
Benchmark on a 2024 laptop:
- SHA-256: ~600 MB/s
- SHA-384: ~880 MB/s (≈47% faster)
- SHA-512: ~880 MB/s (same internal work as SHA-384)
Counter-intuitively, picking SHA-384 over SHA-256 for new code can mean both more security and better performance on 64-bit hardware. The trade-off is 32 extra hex characters in output.
When you’d actually use SHA-384
- NSA Suite B / CNSA-compliant systems. US government top-secret classification mandates SHA-384 minimum. If you’re in defence / intelligence contracting, this is the spec.
- TLS 1.3 with AES-256-GCM. The TLS_AES_256_GCM_SHA384 cipher suite is one of TLS 1.3’s three default suites. Browsers negotiate it automatically; you don’t pick it manually.
- PKI signatures with P-384 curves. ECDSA on the NIST P-384 curve naturally pairs with SHA-384 for matching security level.
- Compliance frameworks specifying 192-bit security. Some financial regulations (PCI DSS in select profiles), ANSSI guidelines, BSI specs.
- Long-lived archive integrity. The 64 extra bits over SHA-256 add margin for hashes verified decades from now.
For most everyday checksums and integrity verification, SHA-256 is the right default — universally supported, established, well-tested. SHA-384 is for compliance-driven cases.
How to compute SHA-384 in your browser
- Open the SHA-384 generator
- Type or paste text — the digest appears live
- Or drop a file — bytes streamed through WebCrypto, no upload
- Click Copy. Toggle UPPERCASE / lowercase output
- For HMAC-SHA-384, click HMAC mode and paste a key
Common gotchas
- SHA-384 is not truncated SHA-512. Like SHA-224 / SHA-256, the truncated variants use different initial hash values. sha512(x).substring(0, 96) !== sha384(x). Always compute SHA-384 specifically.
- UTF-8 encoding before hashing. Same input, different encoding, different hash. Use UTF-8.
- Don’t use for password storage. SHA-384 is too fast — use bcrypt / scrypt / argon2id for passwords.
- HMAC-SHA-384 has different block size. SHA-384 / SHA-512 use 1024-bit (128-byte) blocks; SHA-256 uses 512-bit (64-byte) blocks. HMAC implementations need to use the matching block size — common bug in hand-rolled HMAC code.
- Length-extension affects bare SHA-384 too. Use HMAC, not sha384(secret || data).
- Some old systems don’t ship SHA-384. Older PHP, older Java, very old C libraries may lack SHA-384. Check support before specifying.
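Three of the gotchas above (truncation, text encoding and HMAC block size) can be checked with a short script. This is an added example in Python, not code from the generator; the sample text and key are constructed, and manual_hmac_sha384 is a hand-written RFC 2104 HMAC used here only to make the block size visible.

```python
import hashlib
import hmac

SHA384_BLOCK = 128  # bytes: SHA-384 / SHA-512 process 1024-bit blocks
SHA256_BLOCK = 64   # bytes: SHA-256 processes 512-bit blocks


def truncated_sha512_hex(data: bytes) -> str:
    """First 96 hex chars of SHA-512: not a SHA-384 digest (different IVs)."""
    return hashlib.sha512(data).hexdigest()[:96]


def manual_hmac_sha384(key: bytes, msg: bytes, block_size: int) -> bytes:
    """RFC 2104 HMAC written out by hand so the block size is explicit."""
    if len(key) > block_size:
        key = hashlib.sha384(key).digest()  # over-long keys are hashed first
    key = key.ljust(block_size, b"\x00")    # then zero-padded to one block
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha384(ipad + msg).digest()
    return hashlib.sha384(opad + inner).digest()


def check_gotchas(text: str, key: bytes) -> dict:
    """Return True/False for each gotcha; only the 128-byte HMAC should pass."""
    data = text.encode("utf-8")
    digest = hashlib.sha384(data)
    reference = hmac.new(key, data, hashlib.sha384).digest()
    utf16_digest = hashlib.sha384(text.encode("utf-16-le")).digest()
    good = manual_hmac_sha384(key, data, SHA384_BLOCK)
    bad = manual_hmac_sha384(key, data, SHA256_BLOCK)  # the hand-rolled bug
    return {
        "truncation_matches": truncated_sha512_hex(data) == digest.hexdigest(),
        "utf16_matches_utf8": utf16_digest == digest.digest(),
        "hmac_block128_ok": hmac.compare_digest(good, reference),
        "hmac_block64_ok": hmac.compare_digest(bad, reference),
    }


if __name__ == "__main__":
    # Constructed sample text and key, for illustration only.
    results = check_gotchas("café archive 2026", b"constructed-demo-key")
    for name, ok in results.items():
        print(f"{name}: {ok}")
```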
When NOT to use SHA-384
For everyday integrity checks (file checksums, deterministic IDs, message integrity in non-compliance contexts), SHA-256 is the right default — universally supported, smaller output, well-known. For password storage: use bcrypt / scrypt / argon2id; never plain SHA-384. For the longest possible security margin in archive integrity: SHA-512 (full output, same algorithm internally). For TLS 1.3 cipher suite selection: don’t manually pick — let the protocol negotiate. Use SHA-384 specifically when a spec mandates it.
Frequently asked questions
Is SHA-384 stronger than SHA-256?
Yes — 192-bit collision resistance vs SHA-256’s 128-bit. Both are far beyond what’s brute-forceable today; SHA-384 matters when compliance frameworks demand the higher security level (NSA Suite B / CNSA, certain financial standards).
Why is SHA-384 sometimes faster than SHA-256?
SHA-384 uses the SHA-512 compression function, which operates on 64-bit words. On 64-bit CPUs each word fits a single register, giving SHA-384 / SHA-512 a 30–50% throughput advantage over SHA-256. On 32-bit hardware (rare in 2026) the trade reverses.
Is SHA-384 just truncated SHA-512?
Same compression function, different initial hash values (IVs). Truncating SHA-512 to 96 hex characters does NOT produce the SHA-384 hash. Always compute SHA-384 specifically.
Should I use SHA-384 or SHA-512 for new code?
Without a specific compliance reason, SHA-256 is the default. If you need 192-bit collision resistance, SHA-384. If you need 256-bit, SHA-512. Don’t pick SHA-384 over SHA-512 for marginal output-size reasons — both run the same internal work.
Is my input uploaded?
No. The generator runs the browser’s native SubtleCrypto.digest API. Text and files are processed locally — never sent to our servers.
What’s HMAC-SHA-384 and when is it used?
HMAC-SHA-384 is a keyed hash combining a secret key with the SHA-384 algorithm. Used for message authentication where you need to verify both data integrity and that the sender knew the key. Common in JWT signatures (JOSE algorithm HS384) and AWS Signature Version 4 for high-assurance API calls.
