AIR FORCE FIPS PUB 186-3 CHG NOTICE 1-2009 Digital Signature Standard (DSS).pdf

Uploaded by: sumcourage256 Document ID: 427395 Upload date: 2018-11-07 Format: PDF Pages: 130 Size: 713.85KB

FIPS PUB 186-3

FEDERAL INFORMATION PROCESSING STANDARDS PUBLICATION

Digital Signature Standard (DSS)

CATEGORY: COMPUTER SECURITY SUBCATEGORY: CRYPTOGRAPHY

Information Technology Laboratory
National Institute of Standards and Technology
Gaithersburg, MD 20899-8900

Issued June, 2009

U.S. Department of Commerce
Gary Locke, Secretary

National Institute of Standards and Technology
Patrick Gallagher, Deputy Director

Provided by IHS. Not for Resale. No reproduction or networking permitted without license from IHS.

FOREWORD

The Federal Information Processing Standards Publication Series of the National Institute of Standards and Technology (NIST) is the official series of publications relating to standards and guidelines adopted and promulgated under the provisions of the Federal Information Security Management Act (FISMA) of 2002.

Comments concerning FIPS publications are welcomed and should be addressed to the Director, Information Technology Laboratory, National Institute of Standards and Technology, 100 Bureau Drive, Stop 8900, Gaithersburg, MD 20899-8900.

Cita Furlani, Director
Information Technology Laboratory

Abstract

This Standard specifies a suite of algorithms that can be used to generate a digital signature. Digital signatures are used to detect unauthorized modifications to data and to authenticate the identity of the signatory. In addition, the recipient of signed data can use a digital signature as evidence in demonstrating to a third party that the signature was, in fact, generated by the claimed signatory. This is known as non-repudiation, since the signatory cannot easily repudiate the signature at a later time.

Key words: computer security, cryptography, digital signatures, Federal Information Processing Standards, public key cryptography.

Federal Information Processing Standards Publication 186-3

June 2009

Announcing the DIGITAL SIGNATURE STANDARD (DSS)

Federal Information Processing Standards Publications (FIPS PUBS) are issued by the National Institute of Standards and Technology (NIST) after approval by the Secretary of Commerce pursuant to Section 5131 of the Information Technology Management Reform Act of 1996 (Public Law 104-106), and the Computer Security Act of 1987 (Public Law 100-235).

1. Name of Standard: Digital Signature Standard (DSS) (FIPS 186-3).

2. Category of Standard: Computer Security. Subcategory. Cryptography.

3. Explanation: This Standard specifies algorithms for applications requiring a digital signature, rather than a written signature. A digital signature is represented in a computer as a string of bits. A digital signature is computed using a set of rules and a set of parameters that allow the identity of the signatory and the integrity of the data to be verified. Digital signatures may be generated on both stored and transmitted data.

Signature generation uses a private key to generate a digital signature; signature verification uses a public key that corresponds to, but is not the same as, the private key. Each signatory possesses a private and public key pair. Public keys may be known by the public; private keys are kept secret. Anyone can verify the signature by employing the signatory's public key. Only the user that possesses the private key can perform signature generation.

A hash function is used in the signature generation process to obtain a condensed version of the data to be signed; the condensed version of the data is often called a message digest. The message digest is input to the digital signature algorithm to generate the digital signature. The hash functions to be used are specified in the Secure Hash Standard (SHS), FIPS 180-3. FIPS approved digital signature algorithms shall be used with an appropriate hash function that is specified in the SHS.

The digital signature is provided to the intended verifier along with the signed data. The verifying entity verifies the signature by using the claimed signatory's public key and the same hash function that was used to generate the signature. Similar procedures may be used to generate and verify signatures for both stored and transmitted data.

4. Approving Authority: Secretary of Commerce.

5. Maintenance Agency: Department of Commerce, National Institute of Standards and Technology, Information Technology Laboratory, Computer Security Division.

6. Applicability: This Standard is applicable to all Federal departments and agencies for the protection of sensitive unclassified information that is not subject to section 2315 of Title 10, United States Code, or section 3502 (2) of Title 44, United States Code. This Standard shall be used in designing and implementing public key-based signature systems that Federal departments and agencies operate or that are operated for them under contract. The adoption and use of this Standard is available to private and commercial organizations.

7. Applications: A digital signature algorithm allows an entity to authenticate the integrity of signed data and the identity of the signatory. The recipient of a signed message can use a digital signature as evidence in demonstrating to a third party that the signature was, in fact, generated by the claimed signatory. This is known as non-repudiation, since the signatory cannot easily repudiate the signature at a later time. A digital signature algorithm is intended for use in electronic mail, electronic funds transfer, electronic data interchange, software distribution, data storage, and other applications that require data integrity assurance and data origin authentication.

8. Implementations: A digital signature algorithm may be implemented in software, firmware, hardware or any combination thereof. NIST has developed a validation program to test implementations for conformance to the algorithms in this Standard. Information about the validation program is available at http://csrc.nist.gov/cryptval. Examples for each digital signature algorithm are available at http://csrc.nist.gov/groups/ST/toolkit/examples.html.

Agencies are advised that digital signature key pairs shall not be used for other purposes.

9. Other Approved Security Functions: Digital signature implementations that comply with this Standard shall employ cryptographic algorithms, cryptographic key generation algorithms, and key establishment techniques that have been approved for protecting Federal government sensitive information. Approved cryptographic algorithms and techniques include those that are either:

a. specified in a Federal Information Processing Standard (FIPS),
b. adopted in a FIPS or a NIST Recommendation, or
c. specified in the list of approved security functions for FIPS 140-2.

10. Export Control: Certain cryptographic devices and technical data regarding them are subject to Federal export controls. Exports of cryptographic modules implementing this Standard and technical data regarding them must comply with these Federal regulations and be licensed by the Bureau of Industry and Security of the U.S. Department of Commerce. Information about export regulations is available at: http://www.bis.doc.gov.

11. Patents: The algorithms in this Standard may be covered by U.S. or foreign patents.

12. Implementation Schedule: This Standard becomes effective immediately upon approval by the Secretary of Commerce. A transition strategy for validating algorithms and cryptographic modules will be posted on NIST's Web page at http://csrc.nist.gov/groups/STM/cmvp/index.html under Notices. The transition plan addresses the transition by Federal agencies from modules tested and validated for compliance to FIPS 186-2 to modules tested and validated for compliance to FIPS 186-3 under the Cryptographic Module Validation Program. The transition plan allows Federal agencies and vendors to make a smooth transition to FIPS 186-3.

13. Specifications: Federal Information Processing Standard (FIPS) 186-3 Digital Signature Standard (affixed).

14. Cross Index: The following documents are referenced in this Standard.

a. FIPS PUB 140-2, Security Requirements for Cryptographic Modules.
b. FIPS PUB 180-3, Secure Hash Standard.
c. ANS X9.31-1998, Digital Signatures Using Reversible Public Key Cryptography for the Financial Services Industry (rDSA).
d. ANS X9.62-2005, Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA).
e. ANS X9.80, Prime Number Generation, Primality Testing and Primality Certificates.
f. Public Key Cryptography Standard (PKCS) #1, RSA Encryption Standard.
g. Special Publication (SP) 800-57, Recommendation for Key Management.
h. Special Publication (SP) 800-89, Recommendation for Obtaining Assurances for Digital Signature Applications.
i. Special Publication (SP) 800-90, Recommendation for Random Number Generation Using Deterministic Random Bit Generators.
j. Special Publication (SP) 800-102, Recommendation for Digital Signature Timeliness.
k. IEEE Std. 1363-2000, Standard Specifications for Public Key Cryptography.

15. Qualifications: The security of a digital signature system is dependent on maintaining the secrecy of the signatory's private keys. Signatories shall, therefore, guard against the disclosure of their private keys. While it is the intent of this Standard to specify general security requirements for generating digital signatures, conformance to this Standard does not assure that a particular implementation is secure. It is the responsibility of an implementer to ensure that any module that implements a digital signature capability is designed and built in a secure manner.

Similarly, the use of a product containing an implementation that conforms to this Standard does not guarantee the security of the overall system in which the product is used. The responsible authority in each agency or department shall assure that an overall implementation provides an acceptable level of security.

Since a standard of this nature must be flexible enough to adapt to advancements and innovations in science and technology, this Standard will be reviewed every five years in order to assess its adequacy.

16. Waiver Procedure: The Federal Information Security Management Act (FISMA) does not allow for waivers to Federal Information Processing Standards (FIPS) that are made mandatory by the Secretary of Commerce.

17. Where to Obtain Copies of the Standard: This publication is available by accessing http://csrc.nist.gov/publications/. Other computer security publications are available at the same web site.

Table of Contents

1. INTRODUCTION
2. GLOSSARY OF TERMS, ACRONYMS AND MATHEMATICAL SYMBOLS
2.1 TERMS AND DEFINITIONS
2.2 ACRONYMS
2.3 MATHEMATICAL SYMBOLS
3. GENERAL DISCUSSION
3.1 INITIAL SETUP
3.2 DIGITAL SIGNATURE GENERATION
3.3 DIGITAL SIGNATURE VERIFICATION AND VALIDATION
4. THE DIGITAL SIGNATURE ALGORITHM (DSA)
4.1 DSA PARAMETERS
4.2 SELECTION OF PARAMETER SIZES AND HASH FUNCTIONS FOR DSA
4.3 DSA DOMAIN PARAMETERS
4.3.1 Domain Parameter Generation
4.3.2 Domain Parameter Management
4.4 KEY PAIRS
4.4.1 DSA Key Pair Generation
4.4.2 Key Pair Management
4.5 DSA PER-MESSAGE SECRET NUMBER
4.6 DSA SIGNATURE GENERATION
4.7 DSA SIGNATURE VERIFICATION AND VALIDATION
5. THE RSA DIGITAL SIGNATURE ALGORITHM
5.1 RSA KEY PAIR GENERATION
5.2 KEY PAIR MANAGEMENT
5.3 ASSURANCES
5.4 ANS X9.31
5.5 PKCS #1
6. THE ELLIPTIC CURVE DIGITAL SIGNATURE ALGORITHM (ECDSA)
6.1 ECDSA DOMAIN PARAMETERS
6.1.1 Domain Parameter Generation
6.1.2 Domain Parameter Management
6.2 PRIVATE/PUBLIC KEYS
6.2.1 Key Pair Generation
6.2.2 Key Pair Management
6.3 SECRET NUMBER GENERATION
6.4 ECDSA DIGITAL SIGNATURE GENERATION AND VERIFICATION
6.5 ASSURANCES
APPENDIX A: GENERATION AND VALIDATION OF FFC DOMAIN PARAMETERS

A.1 GENERATION OF THE FFC PRIMES P AND Q
A.1.1 Generation and Validation of Probable Primes
A.1.1.1 Validation of the Probable Primes p and q that were Generated Using SHA-1 as Specified in Prior Versions of this Standard
A.1.1.2 Generation of the Probable Primes p and q Using an Approved Hash Function
A.1.1.3 Validation of the Probable Primes p and q that were Generated Using an Approved Hash Function
A.1.2 Construction and Validation of the Provable Primes p and q
A.1.2.1 Construction of the Primes p and q Using the Shawe-Taylor Algorithm
A.1.2.1.1 Get the First Seed
A.1.2.1.2 Constructive Prime Generation
A.1.2.2 Validation of the DSA Primes p and q that were Constructed Using the Shawe-Taylor Algorithm
A.2 GENERATION OF THE GENERATOR G
A.2.1 Unverifiable Generation of the Generator g
A.2.2 Assurance of the Validity of the Generator g
A.2.3 Verifiable Canonical Generation of the Generator g
A.2.4 Validation Routine when the Canonical Generation of the Generator g Routine Was Used
APPENDIX B: KEY PAIR GENERATION
B.1 FFC KEY PAIR GENERATION
B.1.1 Key Pair Generation Using Extra Random Bits
B.1.2 Key Pair Generation by Testing Candidates
B.2 FFC PER-MESSAGE SECRET NUMBER GENERATION
B.2.1 Per-Message Secret Number Generation Using Extra Random Bits
B.2.2 Per-Message Secret Number Generation by Testing Candidates
B.3 IFC KEY PAIR GENERATION
B.3.1 Criteria for IFC Key Pairs
B.3.2 Generation of Random Primes that are Provably Prime
B.3.2.1 Get the Seed
B.3.2.2 Construction of the Provable Primes p and q
B.3.3 Generation of Random Primes that are Probably Prime
B.3.4 Generation of Provable Primes with Conditions Based on Auxiliary Provable Primes
B.3.5 Generation of Probable Primes with Conditions Based on Auxiliary Provable Primes
B.3.6 Generation of Probable Primes with Conditions Based on Auxiliary Probable Primes
B.4 ECC KEY PAIR GENERATION
B.4.1 Key Pair Generation Using Extra Random Bits
B.4.2 Key Pair Generation by Testing Candidates
B.5 ECC PER-MESSAGE SECRET NUMBER GENERATION
B.5.1 Per-Message Secret Number Generation Using Extra Random Bits
B.5.2 Per-Message Secret Number Generation by Testing Candidates
APPENDIX C: GENERATION OF OTHER
