Digital Signature Standard (DSS)


FIPS PUB 186-4
FEDERAL INFORMATION PROCESSING STANDARDS PUBLICATION

Digital Signature Standard (DSS)

CATEGORY: COMPUTER SECURITY
SUBCATEGORY: CRYPTOGRAPHY

Information Technology Laboratory
National Institute of Standards and Technology
Gaithersburg, MD 20899-8900

Issued July 2013

U.S. Department of Commerce
Cameron F. Kerry, Acting Secretary

National Institute of Standards and Technology
Patrick D. Gallagher, Under Secretary of Commerce for Standards and Technology and Director

FOREWORD

The Federal Information Processing Standards Publication Series of the National Institute of Standards and Technology (NIST) is the official series of publications relating to standards and guidelines adopted and promulgated under the provisions of the Federal Information Security Management Act (FISMA) of 2002.

Comments concerning FIPS publications are welcomed and should be addressed to the Director, Information Technology Laboratory, National Institute of Standards and Technology, 100 Bureau Drive, Stop 8900, Gaithersburg, MD 20899-8900.

Charles Romine, Director
Information Technology Laboratory

Abstract

This Standard specifies a suite of algorithms that can be used to generate a digital signature. Digital signatures are used to detect unauthorized modifications to data and to authenticate the identity of the signatory. In addition, the recipient of signed data can use a digital signature as evidence in demonstrating to a third party that the signature was, in fact, generated by the claimed signatory. This is known as non-repudiation, since the signatory cannot easily repudiate the signature at a later time.

Key words: computer security, cryptography, digital signatures, Federal Information Processing Standards, public key cryptography.

Federal Information Processing Standards Publication 186-4
July 2013

Announcing the
DIGITAL SIGNATURE STANDARD (DSS)

Federal Information Processing Standards Publications (FIPS PUBS) are issued by the National Institute of Standards and Technology (NIST) after approval by the Secretary of Commerce pursuant to Section 5131 of the Information Technology Management Reform Act of 1996 (Public Law 104-106), and the Computer Security Act of 1987 (Public Law 100-235).

1. Name of Standard: Digital Signature Standard (DSS) (FIPS 186-4).

2. Category of Standard: Computer Security. Subcategory: Cryptography.

3. Explanation: This Standard specifies algorithms for applications requiring a digital signature, rather than a written signature. A digital signature is represented in a computer as a string of bits. A digital signature is computed using a set of rules and a set of parameters that allow the identity of the signatory and the integrity of the data to be verified. Digital signatures may be generated on both stored and transmitted data.

Signature generation uses a private key to generate a digital signature; signature verification uses a public key that corresponds to, but is not the same as, the private key. Each signatory possesses a private and public key pair. Public keys may be known by the public; private keys are kept secret. Anyone can verify the signature by employing the signatory's public key. Only the user that possesses the private key can perform signature generation.

A hash function is used in the signature generation process to obtain a condensed version of the data to be signed; the condensed version of the data is often called a message digest. The message digest is input to the digital signature algorithm to generate the digital signature. The hash functions to be used are specified in the Secure Hash Standard (SHS), FIPS 180. FIPS-approved digital signature algorithms shall be used with an appropriate hash function that is specified in the SHS.

The digital signature is provided to the intended verifier along with the signed data. The verifying entity verifies the signature by using the claimed signatory's public key and the same hash function that was used to generate the signature. Similar procedures may be used to generate and verify signatures for both stored and transmitted data.

4. Approving Authority: Secretary of Commerce.

5. Maintenance Agency: Department of Commerce, National Institute of Standards and Technology, Information Technology Laboratory, Computer Security Division.

6. Applicability: This Standard is applicable to all Federal departments and agencies for the protection of sensitive unclassified information that is not subject to section 2315 of Title 10, United States Code, or section 3502 (2) of Title 44, United States Code. This Standard shall be used in designing and implementing public key-based signature systems that Federal departments and agencies operate or that are operated for them under contract. The adoption and use of this Standard is available to private and commercial organizations.

7. Applications: A digital signature algorithm allows an entity to authenticate the integrity of signed data and the identity of the signatory. The recipient of a signed message can use a digital signature as evidence in demonstrating to a third party that the signature was, in fact, generated by the claimed signatory. This is known as non-repudiation, since the signatory cannot easily repudiate the signature at a later time. A digital signature algorithm is intended for use in electronic mail, electronic funds transfer, electronic data interchange, software distribution, data storage, and other applications that require data integrity assurance and data origin authentication.

8. Implementations: A digital signature algorithm may be implemented in software, firmware, hardware or any combination thereof. NIST has developed a validation program to test implementations for conformance to the algorithms in this Standard. Information about the validation program is available at http://csrc.nist.gov/cryptval. Examples for each digital signature algorithm are available at ml.

Agencies are advised that digital signature key pairs shall not be used for other purposes.

9. Other Approved Security Functions: Digital signature implementations that comply with this Standard shall employ cryptographic algorithms, cryptographic key generation algorithms, and key establishment techniques that have been approved for protecting Federal government sensitive information. Approved cryptographic algorithms and techniques include those that are either:
a. specified in a Federal Information Processing Standard (FIPS),
b. adopted in a FIPS or a NIST Recommendation, or
c. specified in the list of approved security functions for FIPS 140.

10. Export Control: Certain cryptographic devices and technical data regarding them are subject to Federal export controls. Exports of cryptographic modules implementing this Standard and technical data regarding them must comply with these Federal regulations and be licensed by the Bureau of Industry and Security of the U.S. Department of Commerce. Information about export regulations is available at: http://www.bis.doc.gov.

11. Patents: The algorithms in this Standard may be covered by U.S. or foreign patents.

12. Implementation Schedule: This Standard becomes effective immediately upon approval by the Secretary of Commerce. A transition strategy for validating algorithms and cryptographic modules will be posted on NIST's Web page at http://csrc.nist.gov/groups/STM/cmvp/index.html under Notices. The transition plan addresses the transition by Federal agencies from modules tested and validated for compliance to previous versions of this Standard to modules tested and validated for compliance to FIPS 186-4 under the Cryptographic Module Validation Program. The transition plan allows Federal agencies and vendors to make a smooth transition to FIPS 186-4.

13. Specifications: Federal Information Processing Standard (FIPS) 186-4 Digital Signature Standard (affixed).

14. Cross Index: The following documents are referenced in this Standard. Unless a specific version or date is indicated with the document number, the latest version of the given document is intended as the reference.
a. FIPS PUB 140, Security Requirements for Cryptographic Modules.
b. FIPS PUB 180, Secure Hash Standard.
c. ANS X9.31-1998, Digital Signatures Using Reversible Public Key Cryptography for the Financial Services Industry (rDSA).
d. ANS X9.62-2005, Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA).
e. ANS X9.80, Prime Number Generation, Primality Testing and Primality Certificates.
f. Public Key Cryptography Standard (PKCS) #1, RSA Encryption Standard.
g. Special Publication (SP) 800-57, Recommendation for Key Management.
h. Special Publication (SP) 800-89, Recommendation for Obtaining Assurances for Digital Signature Applications.
i. Special Publication (SP) 800-90A, Recommendation for Random Number Generation Using Deterministic Random Bit Generators.
j. Special Publication (SP) 800-102, Recommendation for Digital Signature Timeliness.
k. Special Publication (SP) 800-131A, Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths.
l. IEEE Std. 1363-2000, Standard Specifications for Public Key Cryptography.

15. Qualifications: The security of a digital signature system is dependent on maintaining the secrecy of the signatory's private keys. Signatories shall, therefore, guard against the disclosure of their private keys. While it is the intent of this Standard to specify general security requirements for generating digital signatures, conformance to this Standard does not assure that a particular implementation is secure. It is the responsibility of an implementer to ensure that any module that implements a digital signature capability is designed and built in a secure manner.

Similarly, the use of a product containing an implementation that conforms to this Standard does not guarantee the security of the overall system in which the product is used. The responsible authority in each agency or department shall assure that an overall implementation provides an acceptable level of security.

Since a standard of this nature must be flexible enough to adapt to advancements and innovations in science and technology, this Standard will be reviewed every five years in order to assess its adequacy.

16. Waiver Procedure: The Federal Information Security Management Act (FISMA) does not allow for waivers to Federal Information Processing Standards (FIPS) that are made mandatory by the Secretary of Commerce.

17. Where to Obtain Copies of the Standard: This publication is available by accessing http://csrc.nist.gov/publications/. Other computer security publications are available at the same web site.

Table of Contents

1. INTRODUCTION
2. GLOSSARY OF TERMS, ACRONYMS AND MATHEMATICAL SYMBOLS
   2.1 TERMS AND DEFINITIONS
   2.2 ACRONYMS
   2.3 MATHEMATICAL SYMBOLS
3. GENERAL DISCUSSION
   3.1 INITIAL SETUP
   3.2 DIGITAL SIGNATURE GENERATION
   3.3 DIGITAL SIGNATURE VERIFICATION AND VALIDATION
4. THE DIGITAL SIGNATURE ALGORITHM (DSA)
   4.1 DSA PARAMETERS
   4.2 SELECTION OF PARAMETER SIZES AND HASH FUNCTIONS FOR DSA
   4.3 DSA DOMAIN PARAMETERS
       4.3.1 Domain Parameter Generation
       4.3.2 Domain Parameter Management
   4.4 KEY PAIRS
       4.4.1 DSA Key Pair Generation
       4.4.2 Key Pair Management
   4.5 DSA PER-MESSAGE SECRET NUMBER
   4.6 DSA SIGNATURE GENERATION
   4.7 DSA SIGNATURE VERIFICATION AND VALIDATION
5. THE RSA DIGITAL SIGNATURE ALGORITHM
   5.1 RSA KEY PAIR GENERATION
   5.2 KEY PAIR MANAGEMENT
   5.3 ASSURANCES
   5.4 ANS X9.31
   5.5 PKCS #1
6. THE ELLIPTIC CURVE DIGITAL SIGNATURE ALGORITHM (ECDSA)
   6.1 ECDSA DOMAIN PARAMETERS
       6.1.1 Domain Parameter Generation
       6.1.2 Domain Parameter Management
   6.2 PRIVATE/PUBLIC KEYS
       6.2.1 Key Pair Generation
       6.2.2 Key Pair Management
   6.3 SECRET NUMBER GENERATION
   6.4 ECDSA DIGITAL SIGNATURE GENERATION AND VERIFICATION
   6.5 ASSURANCES
APPENDIX A: GENERATION AND VALIDATION OF FFC DOMAIN PARAMETERS
   A.1 GENERATION OF THE FFC PRIMES P AND Q
       A.1.1 Generation and Validation of Probable Primes
       A.1.2 Construction and Validation of the Provable Primes p and q
   A.2 GENERATION OF THE GENERATOR G
       A.2.1 Unverifiable Generation of the Generator g
       A.2.2 Assurance of the Validity of the Generator g
       A.2.3 Verifiable Canonical Generation of the Generator g
       A.2.4 Validation Routine when the Canonical Generation of the Generator g Routine Was Used
APPENDIX B: KEY PAIR GENERATION
   B.1 FFC KEY PAIR GENERATION
       B.1.1 Key Pair Generation Using Extra Random Bits
       B.1.2 Key Pair Generation by Testing Candidates
   B.2 FFC PER-MESSAGE SECRET NUMBER GENERATION
       B.2.1 Per-Message Secret Number Generation Using Extra Random Bits
       B.2.2 Per-Message Secret Number Generation by Testing Candidates
   B.3 IFC KEY PAIR GENERATION
       B.3.1 Criteria for IFC Key Pairs
       B.3.2 Generation of Random Primes that are Provably Prime
       B.3.3 Generation of Random Primes that are Probably Prime
       B.3.4 Generation of Provable Primes with Conditions Based on Auxiliary Provable Primes
       B.3.5 Generation of Probable Primes with Conditions Based on Auxiliary Provable Primes
       B.3.6 Generation of Probable Primes with Conditions Based on Auxiliary Probable Primes
   B.4 ECC KEY PAIR GENERATION
       B.4.1 Key Pair Generation Using Extra Random Bits
       B.4.2 Key Pair Generation by Testing Candidates
   B.5 ECC PER-MESSAGE SECRET NUMBER GENERATION
       B.5.1 Per-Message Secret Number Generation Using Extra Random Bits
       B.5.2 Per-Message Secret Number Generation by Testing Candidates
APPENDIX C: GENERATION OF OTHER QUANTITIES
   C.1 COMPUTATION OF THE INVERSE VALUE
   C.2 CONVERSION BETWEEN BIT STRINGS AND INTEGERS
       C.2.1 Conversion of a Bit String to an Integer
       C.2.2 Conversion of an Integer to a Bit String
   C.3 PROBABILISTIC PRIMALITY TESTS
       C.3.1 Miller-Rabin Probabilistic Primality Test
       C.3.2 Enhanced Miller-Rabin Probabilistic Primality Test
       C.3.3 (General) Lucas Probabilistic Primality Test
   C.4 CHECKING FOR A PERFECT SQUARE
   C.5 JACOBI SYMBOL ALGORITHM
   C.6 SHAWE-TAYLOR RANDOM PRIME ROUTINE
   C.7 TRIAL DIVISION
   C.8 SIEVE PROCEDURE
   C.9 COMPUTE A PROBABLE PRIME FACTOR BASED ON AUXILIARY PRIMES
   C.10 CONSTRUCT A PROVABLE PRIME (POSSIBLY WITH CONDITIONS), BASED ON CONTEMPORANEOUSLY CONSTRUCTED AUXILIARY PROVABLE PRIMES
APPENDIX D: RECOMMENDED ELLIPTIC CURVES FOR FEDERAL GOVERNMENT USE
   D.1 NIST RECOMMENDED ELLIPTIC CURVES
       D.1.1 Choices
       D.1.2 Curves over Prime Fields
       D.1.3 Curves over Binary Fields
   D.2 IMPLEMENTATION OF MODULAR ARITHMETIC
       D.2.1 Curve P-192
       D.2.2 Curve P-224
       D.2.3 Curve P-256
       D.2.4 Curve P-384
       D.2.5 Curve P-521
   D.3 NORMAL BASES
   D.4 SCALAR MULTIPLICATION ON KOBLITZ CURVES
   D.5 GENERATION OF PSEUDO-RANDOM CURVES (PRIME CASE)
   D.6 VERIFICATION OF CURVE PSEUDO-RANDOMNESS (PRIME CASE)
   D.7 GENERATION OF PSEUDO-RANDOM CURVES (BINARY CASE)
   D.8 VERIFICATION OF CURVE PSEUDO-RANDOMNESS (BINARY CASE)
   D.9 POLYNOMIAL BASIS TO NORMAL BASIS CONVERSION
   D.10 NORMAL BASIS TO POLYNOMIAL BASIS CONVERSION
APPENDIX E: A PROOF THAT V = R IN THE DSA
APPENDIX F: CALCULATING THE REQUIRED NUMBER OF ROUNDS OF TESTING USING THE MILLER-RABIN PROBABILISTIC PRIMALITY TEST
   F.1 THE REQUIRED NUMBER OF ROUNDS OF THE MILLER-RABIN PRIMALITY TESTS
   F.2 GENERATING DSA PRIMES
   F.3 GENERATING PRIMES FOR RSA SIGNATURES
APPENDIX G: REFERENCES

Federal Information Processing Standards Publication 186-4
July 2013

Specifications for the
DIGITAL SIGNATURE STANDARD (DSS)

1. Introduction

This Standard defines methods for digital signature generation that can be used for the protection of binary data (commonly called a message), and for the verification and validation of those digital signatures. Three techniques are approved.

(1) The Digital Signature Algorithm (DSA) is specified in this Standard. The specification includes criteria for the generation of domain parameters, for the generation of public and private key pairs, and for the generation and verification of digital signatures.

(2) The RSA digital signature algorithm is specified in American National Standard (ANS) X9.31 and Public Key Cryptography Standard (PKCS) #1. FIPS 186-4 approves the use of implementations of either or both of these standards and specifies additional requirements.

(3) The Elliptic Curve Digital Signature Algorithm (ECDSA) is specified in ANS X9.62. FIPS 186-4 approves the use of ECDSA and specifies additional requirements. Recommended elliptic curves for Federal Government use are provided herein.

This Standard includes requirements for obtaining the assurances necessary for valid digital signatures. Methods for obtaining these assurances are provided in NIST Special Publication (SP) 800-89, Recommendation for Obtaining Assurances for Digital Signature Applications.

2. Glossary of Terms, Acronyms and Mathematical Symbols

2.1 Terms and Definitions

Approved: FIPS-approved and/or NIST-recommended. An algorithm or technique that is either 1) specified in a FIPS or NIST Recommendation, or 2) adopted in a FIPS or NIST Recommendation, or 3) specified in a list of NIST approved security functions.

Assurance of domain parameter validity: Confidence that the domain parameters are arithmetically correct.

Assurance of possession: Confidence that an entity possesses a private key and any associated keying material.

Assurance of public key validity: Confidence that the public key is arithmetically correct.

Bit string: An ordered sequence of 0's and 1's. The leftmost bit is the most significant bit of the string. The rightmost bit is the least significant bit of the string.

Certificate: A set of data that uniquely identifies a key pair and an owner that is authorized to use the key pair. The certificate contains the owner's public key and possibly other information, and is digitally signed by a Certification Authority (i.e., a trusted party), thereby binding the public key to the owner.

Certification Authority (CA): The entity in a Public Key Infrastructure (PKI) that is responsible for issuing certificates and exacting compliance with a PKI policy.

Claimed signatory: From the verifier's perspective, the claimed signatory is the entity that purportedly generated a digital signature.

Digital signature: The result of a cryptographic transformation of data that, when properly implemented, provides a mechanism for verifying origin authentication, data integrity and signatory non-repudiation.

Domain parameter seed: A string of bits that is used as input for a domain parameter generation or validation process.

Domain parameters: Parameters used with cryptographic algorithms that are usually common to a domain of users. A DSA or ECDSA cryptographic key pair is associated with a specific set of domain parameters.

Entity: An individual (person), organization, device or process. Used interchangeably with "party".

Equivalent process: Two processes are equivalent if, when the same values are input to each process (either as input parameters or as values made available during the process or both), the same output is produced.

Hash function: A function that maps a bit string of arbitrary length to a fixed length bit string. Approved hash functions are specified in FIPS 180 and are designed to satisfy the following properties:
1. (One-way) It is computationally infeasible to find any input that maps to any new pre-specified output, and
2. (Collision resistant) It is computationally infeasible to find any two distinct inputs that map to the same output.

Hash value: See "message digest".

Intended signatory: An entity that intends to generate digital signatures in the future.

Key: A parameter used in conjunction with a cryptographic algorithm that determines its operation. Examples applicable to this Standard include:
1. The computation of a digital signature from data, and
2. The verification of a digital signature.

Key pair: A public key and its corresponding private key.

Message: The data that is signed. Also known as "signed data" during the signature verification and validation process.

Message digest: The result of applying a hash function to a message. Also known as "hash value".

Non-repudiation: A service that is used to provide assurance of the integrity and origin of data in such a way that the integrity and origin can be verified and validated by a third party as having originated from a specific entity in possession of the private key (i.e., the signatory).

Owner: A key pair owner is the entity that is authorized to use the private key of a key pair.

Party: An individual (person), organization, device or process. Used interchangeably with "entity".

Per-message secret number: A secret random number that is generated prior to the generation of each digital signature.

Public Key Infrastructure (PKI): A framework that is established to issue, maintain and revoke public key certificates.

Prime number generation seed: A string of random bits that is used to determine a prime number with the required characteristics.

Private key: A cryptographic key that is used with an asymmetric (public key) cryptographic algorithm. For digital signatures, the private key is uniquely associated with the owner and is not made public. The private key is used to compute a digital signature that may be verified using the corre
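The hash-then-sign flow described in item 3 of the announcement, the DSA domain parameter, key pair and signature generation and verification named in item (1) of the Introduction, and the two arithmetic "assurance" definitions in this glossary (domain parameter validity and public key validity), brought together in one added worked example. This is the editor's illustrative code, not NIST's and not a validated implementation: it is pure Python, not constant-time, retains no domain parameter seed or counter (so its parameters cannot be revalidated from a seed the way Appendix A's verifiable generation allows), and uses the (L, N) = (1024, 160) parameter size, the smallest pair listed in Section 4.2, only so that it runs in seconds. The message it signs is constructed for the example.

```python
"""DSA as laid out in FIPS 186-4: domain parameters, key pair, hash-then-sign,
verification, plus the validity checks behind the glossary's "assurance of
domain parameter validity" and "assurance of public key validity".
Added example, not NIST's code: not validated, not constant-time."""
import hashlib
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)


def is_probable_prime(n, rounds=32):
    """Miller-Rabin with random bases (the test of Appendix C.3.1; the round
    count needed for a given error bound is the subject of Appendix F)."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:                 # trial division first (C.7)
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)   # base a in [2, n-2]
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                    # witness found: composite
    return True


def generate_domain_parameters(L, N):
    """(p, q, g): q an N-bit prime, p an L-bit prime with q | p-1, and g a
    generator of the order-q subgroup. No seed/counter is kept (unverifiable)."""
    while True:
        q = secrets.randbits(N) | (1 << (N - 1)) | 1      # odd, exactly N bits
        if is_probable_prime(q):
            break
    while True:
        X = secrets.randbits(L) | (1 << (L - 1))
        p = X - (X % (2 * q)) + 1           # p == 1 (mod 2q), hence q | p-1
        if p.bit_length() == L and is_probable_prime(p):
            break
    while True:
        g = pow(2 + secrets.randbelow(p - 3), (p - 1) // q, p)   # h^((p-1)/q)
        if g != 1:
            return p, q, g


def validate_domain_parameters(p, q, g):
    """Assurance of domain parameter validity: the arithmetic checks."""
    return (is_probable_prime(p) and is_probable_prime(q) and (p - 1) % q == 0
            and 1 < g < p and pow(g, q, p) == 1)


def generate_key_pair(params):
    p, q, g = params
    x = 1 + secrets.randbelow(q - 1)        # private key x, 0 < x < q
    return x, pow(g, x, p)                  # (private, public)


def validate_public_key(params, y):
    """Assurance of public key validity: 1 < y < p-1 and y^q == 1 (mod p)."""
    p, q, _ = params
    return 1 < y < p - 1 and pow(y, q, p) == 1


def _digest_to_z(digest, N):
    """z = leftmost min(N, outlen) bits of Hash(M) (Sections 4.6 and 4.7)."""
    return int.from_bytes(digest, "big") >> max(0, 8 * len(digest) - N)


def sign(params, x, message, hash_fn=hashlib.sha256):
    p, q, g = params
    z = _digest_to_z(hash_fn(message).digest(), q.bit_length())
    while True:
        k = 1 + secrets.randbelow(q - 1)    # fresh per-message secret number
        r = pow(g, k, p) % q
        s = (pow(k, -1, q) * (z + x * r)) % q
        if r != 0 and s != 0:               # otherwise discard k and retry
            return r, s


def verify(params, y, message, signature, hash_fn=hashlib.sha256):
    """True only for an in-range signature on the unmodified message under a
    valid public key; a modified message or a different key gives False."""
    p, q, g = params
    r, s = signature
    if not (0 < r < q and 0 < s < q) or not validate_public_key(params, y):
        return False
    z = _digest_to_z(hash_fn(message).digest(), q.bit_length())
    w = pow(s, -1, q)
    v = (pow(g, z * w % q, p) * pow(y, r * w % q, p) % p) % q
    return v == r


def demo(L=1024, N=160):
    """Returns (params_valid, genuine_ok, tampered_ok, wrong_key_ok)."""
    params = generate_domain_parameters(L, N)
    x, y = generate_key_pair(params)
    _, y_other = generate_key_pair(params)  # a second signatory's public key
    msg = b"transfer 100 to account 42"     # constructed sample message
    sig = sign(params, x, msg)
    return (validate_domain_parameters(*params),
            verify(params, y, msg, sig),
            verify(params, y, b"transfer 900 to account 42", sig),
            verify(params, y_other, msg, sig))
```

Running demo() returns (True, True, False, False): the genuine signature verifies, the altered message is rejected (the "unauthorized modification" the Abstract refers to), and the signature does not verify under another signatory's public key. Two points a practitioner should take from the code: verification checks the public key and the ranges of r and s before doing any arithmetic, which is what the glossary's "assurance of public key validity" buys in practice; and the per-message secret number k is drawn afresh for every signature, because k must be as secret as the private key itself: if the same k is used for two different messages, or enough of it leaks, the private key x can be solved for from the resulting signatures.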

