National Institute of Standards and Technology (NIST), Department of Commerce.
This notice announces the Secretary of Commerce's approval of Federal Information Processing Standard (FIPS) Publication 186-3, Digital Signature Standard (DSS). FIPS 186-3 is a revision of FIPS 186-2. The FIPS specifies three techniques for the generation and verification of digital signatures that can be used for the protection of data: the Digital Signature Algorithm (DSA), the Elliptic Curve Digital Signature Algorithm (ECDSA) and the Rivest-Shamir-Adelman (RSA) algorithm. Although all three of these algorithms were approved in FIPS 186-2, FIPS 186-3 increases the key sizes allowed for DSA, provides additional requirements for the use of RSA and ECDSA, and includes requirements for obtaining the assurances necessary for valid digital signatures. FIPS 186-2 contained specifications for random number generators (RNGs); this revision does not include such specifications, but refers to NIST Special Publication (SP) 800-90 for obtaining random numbers. FIPS 186-3 is available at http://csrc.nist.gov/publications/PubsFIPS.html; SP 800-90 is available at http://csrc.nist.gov/publications/PubsSPs.html.Start Further Info
FOR FURTHER INFORMATION CONTACT:
Elaine Barker, (301) 975-2911, National Institute of Standards and Technology, 100 Bureau Drive, STOP 8930, Gaithersburg, MD 20899-8930, e-mail: email@example.com.End Further Info End Preamble Start Supplemental Information
FIPS 186, first published in 1994, specified a digital signature algorithm (DSA) to generate and verify digital signatures. Later revisions (FIPS 186-1 and FIPS 186-2, adopted in 1998 and 1999, respectively) adopted two additional algorithms specified in American National Standards (ANS) X9.31 (Digital Signatures Using Reversible Public Key Cryptography for the Financial Services Industry (rDSA)), and X9.62 (The Elliptic Curve Digital Signature Algorithm (ECDSA)).
The original DSA algorithm, as specified in FIPS 186, 186-1 and 186-2, allows key sizes of 512 to 1024 bits. With advances in technology, it is prudent to consider larger key sizes. FIPS 186-3 allows the use of 1024, 2048 and 3072-bit keys. Other requirements have also been added concerning the use of ANS X9.31 and ANS X9.62. In addition, the use of the RSA algorithm as specified in Public Key Cryptography Standard (PKCS) #1 (RSA Cryptography Standard) is allowed.
A Federal Register Notice (73 FR 66842) was published on November 12, 2008 to request public comments on the draft FIPS 186-3. A total of thirteen parties provided comments (six U.S. government agencies, one university, five private organizations, and one individual). Three parties indicated that the FIPS should be approved without changes. The following is a summary of the remaining comments received and NIST's responses to them:
Comment: Seven commenters suggested a number of editorial changes.
Response: NIST made the appropriate editorial changes, which included correcting typographical errors, format changes, minor word changes and clarifications.
Comment: One commenter suggested relaxing the requirement for hash algorithms to provide equivalent or stronger security than the public key algorithm and key size.
Response: NIST accepted the comment and substituted a requirement that both the hash algorithm and the public key algorithm and key size meet the security requirements for the application. This permits the use of a public key algorithm and key size that is stronger in security than a hash algorithm, so long as both provide sufficient security for the digital signature process. The use of hash algorithms that provide equivalent or stronger security than the public key algorithm and key size is still encouraged as a general practice.
Comment: One commenter suggested imposing additional restrictions on the selection of the public exponent e when generating RSA key pairs.
Response: NIST studied the suggestion and decided not to impose further restrictions on the selection of the public exponent e. Such restrictions would negatively impact NIST's Cryptographic Module Validation Program (CMVP) by precluding the validation of currently accepted implementations without providing a significant increase in security.
Comment: One commenter suggested relaxing requirements on the generation of the private exponent d to improve efficiency when generating RSA key pairs.
Response: NIST studied the suggestion and decided not to make the change, due to a risk of reducing the level of security assurance provided by the suggested method.
Comment: One commenter requested the inclusion of an alternative method for strong prime generation when generating RSA key pairs on constrained computing devices.
Response: NIST decided not to adopt the proposed method for strong prime generation. NIST would need to perform significant further study on any alternative methods before expanding the set of approved methods for strong prime generation in the FIPS. In addition, NIST believes that the methods specified in the standard can be implemented on constrained devices. If implementation experience establishes the need for alternative methods, NIST will conduct the further study necessary and, if appropriate, will include alternative techniques in a later version of the FIPS.
Comment: One commenter requested changes to enhance alignment of ECDSA domain parameter generation and management in the FIPS with American National Standard X9.62.
Response: NIST reviewed the comments and made the appropriate changes to ensure alignment with respect to the generation and management of ECDSA domain parameters. NIST deleted the statement “ANSI X9.62 has no restriction on the maximum size of [the cofactor]”, since the current version of X9.62 imposes limitations on the size of the cofactor. NIST also revised statements regarding elliptic curve domain parameter generation for purposes other than digital signature generation.
E.O. 12866: This notice has been determined not to be significant for the purposes of E.O. 12866.Start Signature
Dated: June 1, 2009.
[FR Doc. E9-13513 Filed 6-8-09; 8:45 am]
BILLING CODE 3510-13-P