NIST Tweaks Digital Signature Standard

NIST has released a revision to its digital signature standard
NIST has released a revision to its digital signature standard

First published in 1994 and revised several times since then, the standard provides a means of guaranteeing authenticity in the digital world. It uses complex mathematical operations to encrypt and unscramble “signatures” that are highly difficult to forge.

The new document, snappily titled the Federal Information Processing Standard (FIPS) 186-4, retools the digital signature standard only slightly. The main change in this FIPS iteration concerns the use of prime number generators, which requires random initial values for searching for prime numbers. FIPS 186-3, in contrast, specifically allowed saving these “seeds” only for use as evidence that the generated values were determined in an arbitrary manner; FIPS 186-4 permits saving them for additional purposes, such as the regeneration of the values.

The way it works under the guidelines is this: A digital signature is represented in a computer as a string of bits. A digital signature is computed using a set of rules and a set of parameters that allow the identity of the signatory and the integrity of the data to be verified. Digital signatures may be generated on both stored and transmitted data.

Signature generation uses a private key to generate a digital signature; signature verification uses a public key that corresponds to, but is not the same as, the private key. Each signatory possesses a private and public key pair. Public keys may be known by the public; private keys are kept secret. Anyone can verify the signature by employing the signatory’s public key. Only the user that possesses the private key can perform signature generation.

A hash function is used in the signature generation process to obtain a condensed version of the data to be signed; the condensed version of the data is often called a message digest. The message digest is input to the digital signature algorithm to generate the digital signature. The hash functions to be used are specified in the Secure Hash Standard (SHS), FIPS 180. FIPS-approved digital signature algorithms shall be used with an appropriate hash function that is specified in the SHS.

The digital signature is provided to the intended verifier along with the signed data. The verifying entity verifies the signature by using the claimed signatory’s public key and the same hash function that was used to generate the signature. Similar procedures may be used to generate and verify signatures for both stored and transmitted data.

NIST noted that FIPS 186-4 otherwise contains no major revisions, but rather focuses on keeping the standard consistent with other NIST cryptographic guidelines. Other than clarifying a number of terms and correcting typographical errors, most of the changes aim to align the standard with other publications, such as NIST Special Publication 131A, so that all NIST documents offer consistent guidance regarding the use of random number generators.


What’s Hot on Infosecurity Magazine?