Is the NIST Digital Signature Standard DSS legally binding?

Written by Dawn M. Turner (guest) | 15. February 2016

Under the Computer Security Act of 1987, the National Institute of Standards and Technology (NIST) was authorized to approve standards and set guidelines to ensure the security and confidentiality of sensitive data processed on the government’s computer systems. In 1994, NIST adopted the Digital Signature Standard (DSS), FIPS 186, which specifies the algorithms used to create digital signatures. Currently, a revised DSS, FIPS 186-4, is awaiting its final release, and there is controversy over whether the DSS should be considered legally binding.

Why Is There Controversy?

Part of the controversy surrounding the proposed implementation of the revised standard relates to FIPS 140-1 and FIPS 140-2. FIPS 140-1 was the original standard, signed into effect on January 11, 1994, when DSS was adopted. FIPS 140-2 was meant to supersede FIPS 140-1. However, agencies were permitted to continue using FIPS 140-1 modules, and doing so raises an issue: measured against what FIPS 140-2 specifies, continued use of FIPS 140-1 could jeopardize the security of the digital signatures being produced.

Article 15, Qualifications, of FIPS 186-4 states:

While it is the intent of this Standard to specify general security requirements for generating digital signatures, conformance to this Standard does not assure that a particular implementation is secure. It is the responsibility of an implementer to ensure that any module that implements a digital signature capability is designed and built in a secure manner.

There is additional concern among industry experts as to whether the elliptic-curve cryptography (ECC) currently specified in FIPS 186-4 contains a vulnerability that would give attackers access to secret keys through a back door. Many have voiced that the specified ECC does not meet current industry network security standards. Other commentators suggest introducing qualified digital certificates issued by accredited trust service providers to strengthen non-repudiation.

Conclusion

While DSS addresses the legal effect of a digital signature, which may be considered comparable to an advanced electronic signature, it does not provide the same probative value as a qualified electronic signature under the eIDAS regulation or the ZertES regulation, where non-repudiation is firmly cemented by the author’s qualified certificate.
