The National Institute of Standards and Technology has revised the digital signature standard (DSS), designed to secure the identity of an electronic document signer (document is FIPS 186-4). According to NIST spokesperson Elaine Barker, this isn't a major revision to the technology; this update ensures that the standard remains consistent with other NIST cryptographic guidelines (for example, NIST Special Publication 131A, "Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths").
FIPS 186-4 specifies a suite of algorithms that can be used to generate a digital signature that is then used to detect unauthorized modifications to data and to authenticate the identity of a signatory. Also, a recipient of signed data can use a digital signature as evidence in demonstrating to a third party that the signature was generated by the claimed signatory (known as non-repudiation).
The standard defines three methods for digital signature generation:
- The Digital Signature Algorithm specification (specified in FIPS 186-4) includes criteria for the generation of domain parameters, for the generation of public and private key pairs, and for the generation and verification of digital signatures.
- The RSA digital signature algorithm (specified in ANS X9.31 and PKCS #1).
- The Elliptic Curve Digital Signature Algorithm (specified in ANS X9.62), a variant of #1 that uses elliptic curve cryptography.
The goal with this release, according to Barker, is to align the standard so that all NIST documents offer consistent guidance regarding the use of random number generators. The changes will also allow users to save random initial values for searching for prime numbers for purposes such as regenerating the values; the previous version of the standard only allowed saving these values for use as evidence.
You can get a broader perspective on digital signature security by exploring the IBM CBT Digital Signature solutions offered by the IBM Crypto Competence Center Copenhagen, one of the original groups to create online encryption technologies for banking purposes in the 1980s.