Under the Computer Security Act of 1987, the National Institute of Standards and Technology (NIST) was authorized to approve standards and set guidelines to ensure the security and confidentiality of sensitive data that is processed on the government’s computer systems. In 1994, the National Institute of Standards and Technology (NIST) adopted the Digital Signature Standard (DSS) FIPS 186, which specifies algorithms that are used in creating digital signatures. Currently, a revised DSS, FIPS 186-4 is awaiting its final release and there is controversy regarding whether the DSS should be considered legally binding.
Why is There Controversy?
Part of the controversy surrounding the proposed implementation of the revised standard relates to FIPS 140-1 and 140-2. FIPS 140-1 was the original standard that was signed into effect on January 11, 1994 when DSS was adopted. FIPS 140-2 was to supersede FIPS 140-1. However, agencies were permitted to continue to use the FIPS 140-1 module, but doing so raises an issue. As FIPS 140-2 is specified, continued use of FIPS 140-1 could jeopardize the security of the digital signature being produced.
According to Article 15. Qualifications in FIPS 186-4, it is stated that
While it is the intent of this Standard to specify general security requirements for generating digital signatures, conformance to this Standard does not assure that a particular implementation is secure. It is the responsibility of an implementer to ensure that any module that implements a digital signature capability is designed and built in a secure manner.
There is additional concern from industry experts as to whether the current elliptic-curve cryptography (ECC) specified in FIPS 186-4 poses a vulnerability threat that would allow hackers access to secure keys via back-door keys. Many have voiced that the specified ECC does not meet current industry network security standards. Other commentators suggest the introduction of qualified digital certificates provided by accredited trust service providers to enhance the level of non-repudiation.
ConclusionWhile DSS addresses the legal effect of the digital signature that may be considered comparable to an advanced electronic signature, it does not provide the same probative value as a qualified electronic signature in the eIDAS regulation or ZertES regulation, where non-repudiation is well cemented with the author’s qualified certificate.
References and Further Reading
- Selected articles on Digital Signatures (2014-16), by Ashiq JA, Dawn M. Turner, Guillaume Forget, Peter Landrock and Torben Pedersen
- Trust Services and eID (retrieved 11.01.2016) by the European Commission
- REGULATION (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC(2014) by the European Parliament and the European Commission
- Electronic Signatures and Infrastructures (ESI) - CMS Advanced Electronic Signature (CAdES). (2007) by the European Telecommunications Standards Institute
Cover image: courtesy of Markus Spiske, Flickr