Under the Computer Security Act of 1987, the National Institute of Standards and Technology (NIST) was authorized to approve standards and set guidelines to ensure the security and confidentiality of sensitive data processed on the government's computer systems. In 1994, NIST adopted the Digital Signature Standard (DSS), FIPS 186, which specifies the algorithms used to create and verify digital signatures. Currently, a revised DSS, FIPS 186-4, is awaiting its final release, and there is controversy over whether the DSS should be considered legally binding.
Part of the controversy surrounding the proposed implementation of the revised standard relates to FIPS 140-1 and FIPS 140-2, the standards that set the security requirements for the cryptographic modules in which DSS algorithms are implemented. FIPS 140-1 was the original module standard, issued on January 11, 1994, the same year DSS was adopted. FIPS 140-2 superseded FIPS 140-1 in 2001, but agencies were permitted to continue using modules validated only against FIPS 140-1, and doing so raises an issue: FIPS 140-2 raised the requirements placed on a validated module, so a digital signature produced by a module that was never validated against FIPS 140-2 may lack the assurance the revised DSS assumes of it.
According to Section 15, Qualifications, of FIPS 186-4:
While it is the intent of this Standard to specify general security requirements for generating digital signatures, conformance to this Standard does not assure that a particular implementation is secure. It is the responsibility of an implementer to ensure that any module that implements a digital signature capability is designed and built in a secure manner.
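As an added illustration of the Qualifications clause above (example code written for this page, not NIST's text or any vendor's module): the ECDSA arithmetic below follows FIPS 186-4 Section 6.4 over the P-256 curve from Appendix D, and every signature it produces verifies, so a conformance check of the signature values would pass. Yet if the implementer reuses the per-message secret number k, which FIPS 186-4 requires to be fresh and secret for every signature, two signatures are enough to recover the private key. The private key, the nonce and the two messages are constructed values for the demonstration, and the curve arithmetic is a plain double-and-add with no side-channel protection, which is itself one of the implementation properties the clause leaves to the implementer.

```python
from hashlib import sha256

# NIST P-256 domain parameters, as listed in FIPS 186-4 Appendix D.1.2.3.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)


def _inv(x, m):
    # Modular inverse via Fermat's little theorem; P and N are both prime.
    return pow(x % m, m - 2, m)


def _add(p1, p2):
    """Affine point addition on y^2 = x^3 + A*x + B; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None                                   # p1 == -p2
        lam = (3 * x1 * x1 + A) * _inv(2 * y1, P) % P     # point doubling
    else:
        lam = (y2 - y1) * _inv(x2 - x1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def _mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; demonstration only)."""
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt = _add(pt, pt)
        k >>= 1
    return acc


def _e(msg):
    # With SHA-256 and P-256 the whole digest is the integer e (FIPS 186-4 Section 6.4).
    return int.from_bytes(sha256(msg).digest(), "big")


def sign(d, msg, k):
    """ECDSA signature per FIPS 186-4 Section 6.4. k is a parameter only so the demo
    can reuse it; a real implementation must draw a fresh secret k for every message."""
    r = _mul(k, G)[0] % N
    s = _inv(k, N) * (_e(msg) + r * d) % N
    if r == 0 or s == 0:
        raise ValueError("degenerate signature; choose another k")
    return (r, s)


def verify(Q, msg, sig):
    """ECDSA verification per FIPS 186-4 Section 6.4; Q is the public key d*G."""
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = _inv(s, N)
    R = _add(_mul(_e(msg) * w % N, G), _mul(r * w % N, Q))
    return R is not None and R[0] % N == r


def recover_private_key(msg1, sig1, msg2, sig2):
    """Two signatures made with the same k share r; solving the two equations
    s_i = k^-1 (e_i + r*d) mod N for k and then d reveals the private key."""
    (r1, s1), (r2, s2) = sig1, sig2
    if r1 != r2 or s1 == s2:
        raise ValueError("attack needs two distinct signatures sharing r")
    e1, e2 = _e(msg1), _e(msg2)
    k = (e1 - e2) * _inv(s1 - s2, N) % N
    return (s1 * k - e1) * _inv(r1, N) % N


def demo():
    """Returns (both signatures verify, recovered key equals the real key)."""
    # Constructed private key and nonce for the demonstration; not real secrets.
    d = 0x1d4e8b2f7a6c5a3b9e0f1c2d3b4a5f6e7d8c9b0a1f2e3d4c5b6a7f8e9d0c1b2a
    k = 0x7b3a19e4c2d5f6a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2
    Q = _mul(d, G)
    m1 = b"pay 10 to alice"
    m2 = b"pay 10000 to mallory"
    sig1, sig2 = sign(d, m1, k), sign(d, m2, k)   # the implementer's mistake: same k twice
    valid = verify(Q, m1, sig1) and verify(Q, m2, sig2)
    return valid, recover_private_key(m1, sig1, m2, sig2) == d


if __name__ == "__main__":
    print(demo())
```

Both signatures are valid FIPS 186-4 signatures under the public key, so nothing about the signature values themselves reveals the problem; only the signing module's handling of k does, which is exactly what the standard says is the implementer's responsibility.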
There is additional concern among industry experts as to whether the elliptic-curve cryptography (ECC) specified in FIPS 186-4 could contain a back door that would give attackers access to private keys. Many have said that the specified ECC does not meet current industry network security standards. Other commentators suggest introducing qualified digital certificates issued by accredited trust service providers to strengthen non-repudiation.