
9 June 2009


[Federal Register: June 9, 2009 (Volume 74, Number 109)]
[Notices]
[Page 27287-27288]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr09jn09-24]


[[Page 27287]]

-----------------------------------------------------------------------

DEPARTMENT OF COMMERCE

National Institute of Standards and Technology

[Docket No.: 0810011295-81636-02]


Announcing Approval of Federal Information Processing Standard
(FIPS) Publication 186-3, Digital Signature Standard (DSS)

AGENCY: National Institute of Standards and Technology (NIST),
Department of Commerce.

ACTION: Notice.

-----------------------------------------------------------------------

SUMMARY: This notice announces the Secretary of Commerce's approval of
Federal Information Processing Standard (FIPS) Publication 186-3,
Digital Signature Standard (DSS). FIPS 186-3 is a revision of FIPS
186-2. The FIPS specifies three techniques for the generation and
verification of digital signatures that can be used for the protection
of data: the Digital Signature Algorithm (DSA), the Elliptic Curve
Digital Signature Algorithm (ECDSA) and the Rivest-Shamir-Adleman (RSA)
algorithm. Although all three of these algorithms were approved in FIPS
186-2, FIPS 186-3 increases the key sizes allowed for DSA, provides
additional requirements for the use of RSA and ECDSA, and includes
requirements for obtaining the assurances necessary for valid digital
signatures. FIPS 186-2 contained specifications for random number
generators (RNGs); this revision does not include such specifications,
but refers to NIST Special Publication (SP) 800-90 for obtaining random
numbers. FIPS 186-3 is available at
http://csrc.nist.gov/publications/PubsFIPS.html; SP 800-90 is available at
http://csrc.nist.gov/publications/PubsSPs.html.

FOR FURTHER INFORMATION CONTACT: Elaine Barker, (301) 975-2911,
National Institute of Standards and Technology, 100 Bureau Drive, STOP
8930, Gaithersburg, MD 20899-8930, e-mail: elaine.barker@nist.gov.

SUPPLEMENTARY INFORMATION: FIPS 186, first published in 1994, specified
a digital signature algorithm (DSA) to generate and verify digital
signatures. Later revisions (FIPS 186-1 and FIPS 186-2, adopted in 1998
and 1999, respectively) adopted two additional algorithms specified in
American National Standards (ANS) X9.31 (Digital Signatures Using
Reversible Public Key Cryptography for the Financial Services Industry
(rDSA)), and X9.62 (The Elliptic Curve Digital Signature Algorithm
(ECDSA)).
    The original DSA algorithm, as specified in FIPS 186, 186-1 and
186-2, allows key sizes of 512 to 1024 bits. With advances in
technology, it is prudent to consider larger key sizes. FIPS 186-3
allows the use of 1024, 2048 and 3072-bit keys. Other requirements have
also been added concerning the use of ANS X9.31 and ANS X9.62. In
addition, the use of the RSA algorithm as specified in Public Key
Cryptography Standard (PKCS) 1 (RSA Cryptography Standard) is
allowed.
    A Federal Register Notice (73 FR 66842) was published on November
12, 2008 to request public comments on the draft FIPS 186-3. A total of
thirteen parties provided comments (six U.S. government agencies, one
university, five private organizations, and one individual). Three
parties indicated that the FIPS should be approved without changes. The
following is a summary of the remaining comments received and NIST's
responses to them:
    Comment: Seven commenters suggested a number of editorial changes.
    Response: NIST made the appropriate editorial changes, which
included correcting typographical errors, format changes, minor word
changes and clarifications.
    Comment: One commenter suggested relaxing the requirement for hash
algorithms to provide equivalent or stronger security than the public
key algorithm and key size.
    Response: NIST accepted the comment and substituted a requirement
that both the hash algorithm and the public key algorithm and key size
meet the security requirements for the application. This permits the
use of a public key algorithm and key size that is stronger in security
than a hash algorithm, so long as both provide sufficient security for
the digital signature process. The use of hash algorithms that provide
equivalent or stronger security than the public key algorithm and key
size is still encouraged as a general practice.
    Comment: One commenter suggested imposing additional restrictions
on the selection of the public exponent e when generating RSA key
pairs.
    Response: NIST studied the suggestion and decided not to impose
further restrictions on the selection of the public exponent e. Such
restrictions would negatively impact NIST's Cryptographic Module
Validation Program (CMVP) by precluding the validation of currently
accepted implementations without providing a significant increase in
security.
    Comment: One commenter suggested relaxing requirements on the
generation of the private exponent d to improve efficiency when
generating RSA key pairs.
    Response: NIST studied the suggestion and decided not to make the
change, due to a risk of reducing the level of security assurance
provided by the suggested method.
    Comment: One commenter requested the inclusion of an alternative
method for strong prime generation when generating RSA key pairs on
constrained computing devices.
    Response: NIST decided not to adopt the proposed method for strong
prime generation. NIST would need to perform significant further study
on any alternative methods before expanding the set of approved methods
for strong prime generation in the FIPS. In addition, NIST believes
that the methods specified in the standard can be implemented on
constrained devices. If implementation experience establishes the need
for alternative methods, NIST will conduct the further study necessary
and, if appropriate, will include alternative techniques in a later
version of the FIPS.
    Comment: One commenter requested changes to enhance alignment of
ECDSA domain parameter generation and management in the FIPS with
American National Standard X9.62.
    Response: NIST reviewed the comments and made the appropriate
changes to ensure alignment with respect to the generation and
management of ECDSA domain parameters. NIST deleted the statement
"ANSI X9.62 has no restriction on the maximum size of [the
cofactor]", since the current version of X9.62 imposes limitations on
the size of the cofactor. NIST also revised statements regarding
elliptic curve domain parameter generation for purposes other than
digital signature generation.

    Authority: In accordance with the Information Technology
Management Reform Act of 1996 (Pub. L. 104-106) and the Federal
Information Security Management Act (FISMA) of 2002 (Pub. L.
107-347), the Secretary of Commerce is authorized to approve Federal
Information Processing Standards (FIPS). NIST activities to develop
computer security standards to protect Federal sensitive
(unclassified) information systems are undertaken pursuant to
specific responsibilities assigned to NIST by section 20 of the
National Institute of Standards and Technology Act (15 U.S.C.
278g-3), as amended by section 303 of the Federal Information Security
Management Act of 2002.

    E.O. 12866: This notice has been determined not to be significant
for the purposes of E.O. 12866.


[[Page 27288]]


    Dated: June 1, 2009.
Patrick Gallagher,
Deputy Director.
[FR Doc. E9-13513 Filed 6-8-09; 8:45 am]

BILLING CODE 3510-13-P