ACTION: Notice; request for comments.
SUMMARY: The Secretary of Commerce approved an interim final standard, which will be known as Federal Information Processing Standard (FIPS) 186-1, Digital Signature Standard (DSS). This interim final standard allows for both the use of the Digital Signature Algorithm (DSA) and the American National Standards Institute X9.31 standard by federal organizations. The X9.31 standard describes the Rivest-Shamir-Adleman (RSA) digital signature technique.
This notice advises the public of the Secretary's decision and solicits comments from the public, academic and research communities, manufacturers, voluntary standards organizations, and Federal, state, and local government organizations. These comments will assist NIST in making a recommendation to the Secretary regarding a final decision.
ADDRESSES: Comments should be sent to:
Comments may also be sent electronically to: firstname.lastname@example.org.
Specifications of FIPS 186 (and FIPS 186-1) are available electronically.
Ordering information for the ANSI X9.31 standard is available from American Bankers Assoc./DC, X9 Customer Service Dept., P.O. Box 79064, Baltimore, MD 21279-0064, telephone 1-800-338-0626.
FOR FURTHER INFORMATION CONTACT: Edward Roback, National Institute of Standards and Technology, 100 Bureau Drive, STOP 8930, Gaithersburg, MD 20899-8930; TEL: (301) 975-3696 or FAX: (301) 948-1233.
SUPPLEMENTARY INFORMATION: Under Section 5131 of the Information Technology Management Reform Act of 1996 and the Computer Security Act of 1987, the Secretary of Commerce is authorized to approve standards and guidelines for the cost effective security and privacy of sensitive information processed by federal computer systems. On May 10, 1994, the Secretary of Commerce approved FIPS 186, "Digital Signature Standard," which specifies a single technique for the generation and verification of digital signatures. Recently, another technique, known as RSA, was approved as the X9.31 standard [X9.31-1998 Digital Signatures Using Reversible Public Key Cryptography for the Financial Services Industry (rDSA)] by ANSI. A second standard, based upon a technique known as elliptic curve, is expected to be completed and approved by ANSI in the near future. Agencies have expressed considerable interest to NIST in using these technologies.
On May 13, 1997, NIST published a Federal Register notice soliciting comments on amending FIPS 186 to allow for the use of other techniques, specifically mentioning RSA and elliptic curve (but not with detailed specifications as now exist for RSA in the ANSI X9.31 standard). The public comments overwhelmingly supported revising FIPS 186 to include these additional algorithms. RSA, which has withstood widespread scrutiny by the cryptographic research community, is available in many commercial products. NIST believes it to be robust and sufficiently strong for use by federal agencies.
Following ANSI's recent approval of the ANSI X9.31 standard, the Secretary of Commerce approved an interim modification to FIPS 186 (FIPS 186-1) to approve use of the digital signature technique specified in X9.31 in addition to the algorithm currently specified in FIPS 186. The Secretary's decision revises the old FIPS 186 by adding the following statements into the new FIPS 186-1.
Add the following as the last sentence of the "Applications" paragraph: The technique specified in ANSI X9.31 may be used in addition to the Digital Signature Algorithm (DSA) specified herein.
Add the following as the last two sentences of the "Implementations" paragraph: Agencies are advised that separate keys should be used for signature and confidentiality purposes when using the X9.31 standard. This is because the RSA algorithm can be used for both data encryption and digital signature purposes.
To minimize any potential for spoofing digital signatures, keys used for signature purposes should not be recoverable. Using separate keys will allow agencies to recover confidentiality keys but not signature keys.
The standard has also been modified to reflect the availability of conformity testing for DSA implementations. (ANSI's conformity testing program for X9.31 implementations is not yet in place.) Minor language modifications (e.g., indicating that two algorithms are now approved) and other administrative updates have also been made to the standard.
Since ANSI's conformance testing program for the X9.31 standard is not yet in place, federal agencies are advised, in the interim, to acquire products that vendors hold out as in conformance with ANSI X9.31. Agencies will be advised by NIST when a conformance testing program is in effect.
Comments are sought by NIST so as to make a recommendation to the Secretary regarding a final FIPS.
Name of Standard: Digital Signature Standard (DSS).
Category of Standard: Computer Security, Cryptography.
Explanation: This Standard specifies algorithms appropriate for applications requiring a digital, rather than written, signature. A digital signature is represented in a computer as a string of binary digits. A digital signature is computed using a set of rules and a set of parameters such that the identity of the signatory and integrity of the data can be verified. An algorithm provides the capability to generate and verify signatures. Signature generation makes use of a private key to generate a digital signature. Signature verification makes use of a public key which corresponds to, but is not the same as, the private key. Each user possesses a private and public key pair. Public keys are assumed to be known to the public in general. Private keys are never shared. Anyone can verify the signature of a user by employing that user's public key. Signature generation can be performed only by the possessor of the user's private key.
A hash function is used in the signature generation process to obtain a condensed version of data, called a message digest (see Figure 1). The message digest is then input to the digital signature (ds) algorithm to generate the digital signature. The digital signature is sent to the intended verifier along with the signed data (often called the message). The verifier of the message and signature verifies the signature by using the sender's public key. The same hash function must also be used in the verification process. The hash function is specified in a separate standard, the Secure Hash Standard (SHS), FIPS 180-1. FIPS approved ds algorithms must be implemented with the SHS. Similar procedures may be used to generate and verify signatures for stored as well as transmitted data.
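The hash-then-sign flow described in the Explanation, as an added example that is not part of the notice or of FIPS 186-1: textbook DSA with SHA-1 as the message digest. The 127-bit q, the parameter search and all function names are constructed for illustration and are far smaller than the standard's sizes; the `hash_name` argument exists only to show that a verifier using a different hash function rejects the signature.

```python
import hashlib, secrets

Q = 2**127 - 1  # toy subgroup order (a Mersenne prime), assumption for this example

def is_probable_prime(n, bases=(2, 3, 5, 7, 11, 13, 17)):
    if n < 2 or any(n % b == 0 for b in bases):
        return n in bases
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:                               # Miller-Rabin rounds
        x = pow(a, d, n)
        if x != 1 and all(pow(x, 2**i, n) != n - 1 for i in range(s)):
            return False
    return True

def make_params():
    """Find a prime p = 2jq + 1 and an element g of order q modulo p."""
    j = 1
    while not is_probable_prime(2 * j * Q + 1):
        j += 1
    p = 2 * j * Q + 1
    return p, Q, next(g for g in (pow(h, 2 * j, p) for h in range(2, p)) if g != 1)

def digest_int(msg, hash_name):
    # Message digest: the condensed version of the data that gets signed.
    return int.from_bytes(hashlib.new(hash_name, msg).digest(), "big")

def sign(msg, x, params, hash_name="sha1"):
    p, q, g = params
    while True:
        k = secrets.randbelow(q - 1) + 1          # fresh secret per signature
        r = pow(g, k, p) % q
        s = pow(k, -1, q) * (digest_int(msg, hash_name) + x * r) % q
        if r and s:
            return r, s

def verify(msg, sig, y, params, hash_name="sha1"):
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):             # reject out-of-range values
        return False
    w = pow(s, -1, q)
    u1, u2 = digest_int(msg, hash_name) * w % q, r * w % q
    return pow(g, u1, p) * pow(y, u2, p) % p % q == r

PARAMS = make_params()
X = secrets.randbelow(Q - 1) + 1                  # private key, never shared
Y = pow(PARAMS[2], X, PARAMS[0])                  # public key, given to verifiers
```

Only the holder of `X` can produce a pair `(r, s)` that `verify` accepts under `Y`; changing the message or the verifier's hash function changes the digest and the check fails.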
Approving Authority: Secretary of Commerce.
Maintenance Agency: U.S. Department of Commerce, National Institute of Standards and Technology (NIST), Information Technology Laboratory (ITL).
Applicability: This standard is applicable to all Federal departments and agencies for the protection of sensitive unclassified information that is not subject to section 2315 of Title 10, United States Code, or section 3502(2) of Title 44, United States Code. This standard shall be used in designing and implementing public-key based signature systems which Federal departments and agencies operate or which are operated for them under contract. Adoption and use of this standard is available to private and commercial organizations.
Applications: A digital signature (ds) algorithm authenticates the integrity of the signed data and the identity of the signatory. A ds algorithm may also be used in proving to a third party that data was actually signed by the generator of the signature. A ds algorithm is intended for use in electronic mail, electronic funds transfer, electronic data interchange, software distribution, data storage, and other applications which require data integrity assurance and data origin authentication. The technique specified in ANSI X9.31 may be used in addition to the Digital Signature Algorithm (DSA) specified herein. (NIST editorial note: Either DSA or RSA [ANSI X9.31] may be used; both do not have to be implemented.)
Implementations: A ds algorithm may be implemented in software, firmware, hardware, or any combination thereof. NIST is developing a validation program to test implementations for conformance to this standard. Currently, conformance tests for ANSI X9.31 have not been developed. These tests will be developed and made available in the future. Information about the planned validation program can be obtained from the National Institute of Standards and Technology, Information Technology Laboratory, Attn: DSS Validation, Gaithersburg, MD 20899.
Agencies are advised that separate keys should be used for signature and confidentiality purposes when using the X9.31 standard. This is because the RSA algorithm can be used for both data encryption and digital signature purposes.
Export Control: Implementations of this standard are subject to Federal Government export controls as specified in Title 15, Code of Federal Regulations, Parts 768 through 799. Exporters are advised to contact the Department of Commerce, Bureau of Export Administration for more information.
Patents: The algorithms in this standard may be covered by U.S. or foreign patents.
Implementation Schedule: This standard becomes effective December 15, 1998.
Specifications: Federal Information Processing Standard (FIPS 186-1) Digital Signature Standard (affixed).
Qualifications: The security of a digital signature system is dependent on maintaining the secrecy of users' private keys. Users must therefore guard against the unauthorized acquisition of their private keys. While it is the intent of this standard to specify general security requirements for generating digital signatures, conformance to this standard does not assure that a particular implementation is secure. The responsible authority in each agency or department shall assure that an overall implementation provides an acceptable level of security. This standard will be reviewed every five years in order to assess its adequacy.
Waiver Procedure: Under certain exceptional circumstances, the heads of Federal departments and agencies may approve waivers to Federal Information Processing Standards (FIPS). The head of such agency may redelegate such authority only to a senior official designated pursuant to section 3506(b) of Title 44, United States Code. Waiver shall be granted only when:
Agency heads may act upon a written waiver request containing the information detailed above. Agency heads may also act without a written waiver request when they determine that conditions for meeting the standard cannot be met. Agency heads may approve waivers only by a written decision which explains the basis on which the agency head made the required finding(s). A copy of each such decision, with procurement sensitive or classified portions clearly identified, shall be sent to: National Institute of Standards and Technology; ATTN: FIPS Waiver Decisions, Technology Building, Room B-154, Gaithersburg, MD 20899.
In addition, notice of each waiver granted and each delegation of authority to approve waivers shall be sent promptly to the Committee on Government Operations of the House of Representatives and the Committee on Governmental Affairs of the Senate and shall be published promptly in the Federal Register.
When the determination on a waiver applies to the procurement of equipment and/or services, a notice of the waiver determination must be published in the Commerce Business Daily as a part of the notice of solicitation for offers of an acquisition or, if the waiver determination is made after that notice is published, by amendment to such notice.
A copy of the waiver, any supporting documents, the document approving the waiver and any supporting and accompanying documents, with such deletions as the agency is authorized and decides to make under 5 U.S.C. Sec. 552(b), shall be part of the procurement documentation and retained by the agency.
Where to Obtain Copies of the Standard: Copies of this publication are for sale by the National Technical Information Service, U.S. Department of Commerce, Springfield, VA 22161. When ordering, refer to Federal Information Processing Standards Publication 186-1 (FIPS PUB 186-1), and identify the title. When microfiche is desired, this should be specified. Prices are published by NTIS in current catalogs and other issuances. Payment may be made by check, money order, deposit account or charged to a credit card accepted by NTIS.
Dated: December 9, 1998.
Robert E. Hebner,
Acting Deputy Director.
[FR Doc. 98-33167 Filed 12-14-98; 8:45 am]
BILLING CODE 3510-CN-M
Last Update: 12/2/1999
Computer Security Division
National Institute of Standards and Technology