- Input: arbitrary length data, Output: 256-bit digest
- Built from a compression function h with Merkle-Damgard Construction
- Pad input m to a multiple of 512 bits, then split into blocks
- Length extension attacks
- Given y = SHA-256(content), An attacker can produce: z = SHA-256(content+pad+value)
- [[HMAC]]