Changes proposed by the National Institute of Standards and Technology would clarify the transition to a new set of approved tools and correct some errors in the current version.
The National Institute of Standards and Technology has proposed changes to the federal standard for digital signatures, clarifying the transition to new requirements and correcting some errors in the current version.
Federal Information Processing Standard 186-3, the Digital Signature Standard, originally published in 1994, is now in its third iteration. It was last updated in 2009 to reflect advances in computing power that had made it easier to crack the keys originally specified in the standard.
Government cryptographic tools must comply with Federal Information Processing Standards written by NIST, and algorithms now approved in the Digital Signature Standard are the Digital Signature Algorithm, the Elliptic Curve Digital Signature Algorithm, and the RSA algorithm.
Proposed changes to FIPS 186-3 that have been released for comment reflect continuing efforts to strengthen the standard. The most substantive change is in the requirements for using random number generators and random bit generators that are used with the algorithms in the creation of cryptographic keys.
The security of the resulting digital signatures rests largely on these random seed numbers, and several random number and bit generators have been approved for use. Older, less reliable generators are being phased out of the approved set as new ones are introduced, and the revised standard would make clear which tools can be used and when they will be phased out.
A number of the generators that were acceptable in 2010 are now classed as “deprecated” but can still be used through 2015, after which they will be disallowed.
Digital signatures use cryptographic algorithms to create a code that is tied mathematically to the message being signed. That code can be used to verify electronic documents in much the same way a written signature is used with paper documents. They can be used to detect unauthorized modifications to data and to authenticate the identity of the person or entity signing it. It also can be used for non-repudiation, to prove to a third party that a document and signature were generated by a specific person.
Other proposed changes clarifies some of the terms used in the standard and corrects some errors and typos in the document.
Comments on the changes should be sent by May 25 to email@example.com, with “186-3 Change Notice” in the subject line.