[Federal Register Volume 73, Number 219 (Wednesday, November 12, 2008)]
[Notices]
[Pages 66842-66844]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: E8-26841]
-----------------------------------------------------------------------
DEPARTMENT OF COMMERCE
National Institute of Standards and Technology
[Docket No. [0810011295-81297-01]]
Announcing DRAFT Federal Information Processing Standard (FIPS)
Publication 186-3, Digital Signature Standard (DSS) and Request for
Comments
AGENCY: National Institute of Standards and Technology (NIST), Commerce
Department.
ACTION: Notice.
-----------------------------------------------------------------------
SUMMARY: This notice announces a second public review and comment
period for Draft Federal Information Processing Standard 186-3, Digital
Signature Standard. The draft standard, designated ``Draft FIPS 186-
3,'' is proposed to revise and supersede FIPS 186-2. Draft FIPS 186-3
is a revision of FIPS 186-2, the Digital Signature Standard. The Draft
FIPS specifies three techniques for the generation and verification of
digital signatures that can be used for the protection of data: the
Digital Signature Algorithm (DSA), the Elliptic Curve Digital Signature
Algorithm (ECDSA) and the Rivest-Shamir-Adelman (RSA) algorithm.
Although all three of these algorithms were approved in FIPS 186-2,
this revision increases the key sizes allowed for DSA, provides
additional requirements for the use of RSA and ECDSA, and includes
requirements for obtaining the assurances necessary for valid digital
signatures. FIPS 186-2 contained specifications for random number
generators (RNGs); this revision does not include such specifications,
but refers to NIST Special Publication (SP) 800-90 for obtaining random
numbers.
Prior to the submission of this proposed standard to the Secretary
of Commerce for review and approval, it is essential that consideration
is given to the needs and views of the public, users, the information
technology industry, and Federal, State and local government
organizations. The purpose of this notice is to solicit such views.
DATES: Comments must be received on or before December 12, 2008.
ADDRESSES: Written comments may be sent to: Chief, Computer Security
Division, Information Technology Laboratory, Attention: Comments on
Draft FIPS 186-3, 100 Bureau Drive--Stop 8930, National Institute of
Standards and Technology, Gaithersburg, MD 20899-8930. Electronic
comments may also be sent to: [email protected].
FOR FURTHER INFORMATION CONTACT: Elaine Barker, (301) 975-2911,
National Institute of Standards and Technology, 100 Bureau Drive, STOP
8930, Gaithersburg, MD 20899-8930, e-mail: [email protected].
SUPPLEMENTARY INFORMATION: FIPS 186, first published in 1994, specified
a digital signature algorithm (DSA) to generate and verify digital
signatures. Later revisions (FIPS 186-1 and FIPS 186-2, adopted in 1998
and 1999, respectively) adopted two additional algorithms specified in
American National Standards (ANS) X9.31 (Digital Signatures Using
Reversible Public Key Cryptography for the Financial Services Industry
(rDSA)), and X9.62 (The Elliptic Curve Digital Signature Algorithm
(ECDSA)).
The original DSA algorithm, as specified in FIPS 186, 186-1 and
186-2, allows key sizes of 512 to 1024 bits. With advances in
technology, it is prudent to consider larger key sizes. Draft FIPS 186-
3 allows the use of 1024, 2048 and 3072-bit keys. Other requirements
have also been added concerning the use of ANS X9.31 and ANS X9.62. In
addition, the use of the RSA algorithm as specified in Public Key
Cryptography Standard (PKCS) 1 (RSA Cryptography Standard) is
allowed.
A request for public comments was published in the Federal Register
on March 13, 2006 (71 FR 12678). After receiving comments in response
to this notice, NIST incorporated the comments and posted a revised
version of the FIPS on its Web site. NIST received some additional
comments in response to this posting. In all, a total of 15 individuals
and organizations provided comments (two U.S. government agencies, a
foreign government agency, one university, eight private organizations,
and three from individuals). The following is a summary of the comments
received and NIST's responses to them:
Comment: Seven commenters suggested a number of editorial changes.
Response: NIST made the appropriate editorial changes, which
included correcting typographical errors; spelling, format and font
size changes; reference restrictions and updates, where appropriate;
minor word changes and clarifications.
[[Page 66843]]
Comment: One commenter requested that examples be provided for each
of the digital signatures algorithms and key sizes.
Response: Examples will be provided at http://csrc.nist.gov/groups/ST/toolkit/examples.html, and a link to this Web page has been included
in the implementation section of the announcement.
Comment: Eight commenters suggested a number of minor technical
changes.
Response: The appropriate changes were made, which included:
Corrections to the input to and pseudocode for defined functions;
Corrections to table entries;
Removal of the appendix on timestamping, and placing the contents
in a different document;
Allowing the use of the Chinese Remainder Theorem (CRT) for the
representation of the private key; and
Stating that the minimum lengths for the auxiliary primes for the
generation of RSA keys may be either fixed or randomly chosen.
Comment: Two commenters noted that the allowed values for the
public exponent e differ significantly from those allowed in ANS X9.31
and PKCS 1.
Response: The restricted values in the FIPS are a Federal
government choice to provide a higher level of security for its
agencies. Non-Federal government entities may voluntarily adopt these
restrictions.
Comment: One commenter asked why the new DSA domain parameter
validation method in A.1.1.3 is not compatible with the old
verification method in A.1.1.1, since the change breaks
interoperability with the FIPS 186-2 generation method.
Response: A.1.1.3 is intentionally different from A.1.1.1. The
change in the use of the hash function (no XORing) was in response to a
cryptanalytic attack that showed how to select a set of domain
parameters generated in the A.1.1.1 fashion in such a way that two
``messages'' with the same DSA signature could be found. Note that
A.1.1.1 still allows domain parameters generated using the older method
to be verified.
Comment: One commenter asked why the DSA key sizes are limited to
the smaller values?
Response: The length of the larger keys has a huge impact on
communications and storage requirements. The strategy of the U.S.
government is to transition to elliptic curve algorithms in order to
reduce the key sizes.
Comment: One commenter asked that a specification of the Shawe-
Taylor algorithm be included for use in the generation of RSA primes,
as well as for DSA primes.
Response: The Shawe-Taylor method was rewritten as a general
routine that is used for both DSA and RSA prime generation.
Comment: Two commenters provided comments with regard to the
inconsistencies in the number of iterations required for the
probabilistic primality tests.
Response: The number of iterations was taken from several FIPS and
ANSI standards. As a result of these comments, NIST reviewed the
methods used to calculate the number of iterations and calculated new
values for each digital signature method and prime length.
After the proposed values and associated explanatory text were
posted on the NIST Web site (in January 2007) the following five
comments were received:
Comment: One commenter stated the values in ANS X9.80 (Prime Number
Generation, Primality Testing, and Primality Certificates) should be
used for the number of iterations.
Response: The values ANS X9.80 were based on assumptions and
estimates that have been superseded by more recent considerations, and
these newer values have been included the FIPS.
Comment: One commenter suggested that fewer categories be provided
in the tables.
Response: NIST has chosen to base the number of tests on the key
sizes and provided separate requirements for each. An implementer can
choose to combine the requirements into fewer categories, as long as
the number of rounds for each key size are equal to or greater than the
numbers provided in the FIPS.
Comment: One commenter felt that the error probability should
always be 2-100 to align with the ANSI standards.
Response: The 2-100 error probability is included in
FIPS 186-3, along with others that are dependent on the security
strength, to allow an implementer to select the most suitable
probability for their application.
Comment: One commenter asked why the Lucas test is not required in
some cases?
Response: After extensive analysis by NIST, it was determined the
Lucas test is not required. However, the test can be performed after
the required number of iterations of the Miller-Rabin tests in order to
provide higher assurance. Wording has been included to clarify this.
Comment: One commenter suggested that the Frobenius-Grantham (FG)
method for prime candidate testing should be included, in addition to
the Miller-Rabin (MR) and Lucas tests.
Response: NIST has decided to remain with the testing methods used
in ANS X9.31, which includes the MR and Lucas tests, but not the FG
tests. In addition, the FG tests are more complex, so would be more
likely to be implemented incorrectly.
Comment: The criteria for the generation of strong primes in ASC
X9.31, upon which RSA key generation is based, does not agree with the
definition of strong primes in the Handbook of Applied Cryptography
(HAC).
Response: NIST researched and analyzed the requirements for RSA key
pair generation, including requirements for the use of strong primes,
and determined that strong primes as defined by the HAC are not
required. The RSA key pair generation methods were modified to include
a number of different methods that were not previously included in the
draft FIPS.
Comment: The draft FIPS refers to approved random number
generators. It is not clear whether SP 800-90 contains the only
approved methods for random number generation, or if other approved
methods can be used.
Response: The only other NIST document containing approved methods
for random number generation is FIPS 186-2. With the approval of FIPS
186-3, those methods will no longer be approved, subject to a
transition period posted by the Cryptographic Module Validation Program
(CMVP).
NIST has incorporated the comments previously received as described
above. NIST now seeks public comments on the revised draft of FIPS 186-
3. This second draft of FIPS 186-3 is available electronically from the
NIST Web site at: http://csrc.nist.gov/publications/drafts.html. The
current FIPS 186-2 is available electronically from the NIST Web site
at: http://csrc.nist.gov/publications/fips/index.html. The first draft
of FIPS 186-3 and comments received on that draft are available
electronically from the NIST Web site at: http://csrc.nist.gov/groups/ST/toolkit/digital_signatures.html, respectively. Comments received in
response to this notice will be published electronically at http://csrc.nist.gov/groups/ST/toolkit/digital_signatures.html.
Authority: In accordance the Federal Information Security
Management Act (FISMA) of 2002 (Pub. L. 107-347), the
[[Page 66844]]
Secretary of Commerce is authorized to approve Federal Information
Processing Standards (FIPS). NIST activities to develop computer
security standards to protect Federal sensitive (unclassified)
information systems are undertaken pursuant to specific
responsibilities assigned to NIST by section 20 of the National
Institute of Standards and Technology Act (5 U.S.C. 278g-3), as amended
by section 303 of the Federal Information Security Management Act of
2002.
Executive Order 12866: This notice has been determined not to be
significant for the purposes of Executive Order 12866.
Dated: November 5, 2008.
Patrick Gallagher,
Deputy Director.
[FR Doc. E8-26841 Filed 11-10-08; 8:45 am]
BILLING CODE 3510-13-P