In 1994 the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA) released a collaborative standard to specify a suite of algorithms that could be used to generate a digital signature.

A digital signature is defined as a tool to detect unauthorized modifications to data and to authenticate the identity of the signatory. In addition, the recipient of signed data can use a digital signature as evidence in demonstrating to a third party that the signature was, in fact, generated by the claimed signatory.

The new NIST and NSA standard was to be built on the previously proposed NSA-designed Digital Signature Algorithm (DSA), a public-key cryptosystem. The result was the release of the Federal Information Processing Standard 186, otherwise referred to as FIPS 186. Since that time, FIPS 186 has gone through many iterations, changing the approved algorithms, and adding requirements. The following is a brief history of the versioning and changes, including the recent release in February of 2023:

1994: Release of FIPS 186
1996: Change to FIPS 186 for precomputing
1998: Release of FIPS 186-1, approves the use of RSA
2000: Release of FIPS 186-2, approves the use of ECDSA and elliptical curves associated with ECDSA
2009: Release of FIPS 186-3:

• • Increases the key sizes for DSA
  • Provides additional requirements for the use of RSA and ECDSA
  • Allows the use of the RSA algorithm specified in Public Key Cryptography Standard (PKCS) #1
  • Includes requirements for obtaining the assurances necessary for valid digital signatures
  • Replaces the random number generators specified in previous versions of the FIPS with a reference to NIST Special Publication (SP) 800-90 (Recommendation for Random Number Generation Using Deterministic Random Bit Generators)

2013: Release of FIPS 186-4:

• • Reduces restrictions on the use of random number generators and the retention and use of prime number generation seeds
  • Aligns the specification for the use of a random salt value in the RSASSA-PSS digital signature scheme with PKCS #1.

2023:  Release of FIPS 186-5 (see below for the changes)

What is Significant About the Latest Release?

NIST’s Visiting Committee on Advanced Technology (VCAT), which conducts reviews of NIST’s cryptographic standards program, recently recommended that NIST “generate a new set of elliptic curves for use with ECDSA in the form of FIPS 186”. This recommendation led NIST to change the standard to specify three techniques for the generation and verification of digital signatures that can be used for the protection of data: the Rivest-Shamir-Adleman (RSA) Algorithm, the Elliptic Curve Digital Signature Algorithm (ECDSA), and the Edwards Curve Digital Signature Algorithm (EdDSA).

Notably, FIPS 186-5 removes DSA as an approved digital signature algorithm “due to a lack of use by industry and based on academic analyses that observed that implementations of DSA may be vulnerable to attacks if domain parameters are not properly generated. DSA is retained only for the purposes of verifying existing signatures.”

To facilitate a transition to the new standard, FIPS 186-4 will remain in effect alongside FIPS 186-5 for a period of one year. During the transition period (02/03/2023 – 02/03/2024) vendors may elect to comply with FIPS 186-4 or FIPS 186-5. After the one-year transition period vendors must comply with the new FIPS 186-5 standards.

The Correlation to FIPS 140-3 & The Impact to Vendors

In order to achieve a FIPS 140-3 validation vendors must comply with FIPS 186 if using digital signatures in their cryptographic module(s).

During the one-year transition period, vendors may elect to conform to either FIPS 186-4 or FIPS 186-5 for FIPS 140-3 validations. The Cryptographic Module Validation Program (CMVP) will adopt FIPS 186-5 for Cryptographic Algorithm Validation Program (CAVP) testing and is already offering production-level testing for the new FIPS 186-5 standard. Additionally, NIST SP 800-131A and the CMVP will provide transition guidance concerning the use of DSA and the binary elliptic curves.

The FIPS 186-5 transition is a “soft” transition and will not result in modules conforming to FIPS 186-4 being moved to the CMVP Historical List. However, all FIPS 140-3 submissions conforming to FIPS 186-4 must be submitted to the CMVP no later than 12 months after the publication of FIPS 186-5 (02/03/2024). Modules conforming to the FIPS 186-4 standard and submitted prior to 02/03/2024 will remain valid until their sunset date. Modules that modify their sunset date (resubmission of validated module for modifications or updates) and that were originally submitted with FIPS 186-4 will need to conform to FIPS 186-5 if being resubmitted after a certain date. This date has yet to be determined by CMVP.

The CMVP is still working to release the following: transition guidance, implementation guidance, and updates to the NIST special publication which defines CMVP approved security functions. The implementation guidance for FIPS 186-5 is planned to be sent out for a four-week review period by the end of March 2023.

After the transition date, no modules conforming to the FIPS 186-4 standard can be submitted. To avoid having to retest and conform to FIPS 186-5 later if modifications are made, it would be best to proceed with conforming to FIPS 186-5 from the project’s start. FIPS 186-5 testing was made available on the CAVP production server on 02/03/2023*.

*Note: X25519 and X448 curves are not currently approved key agreement schemes, therefore no testing will be provided by CAVP at this time.

New guidance from the National Institute of Standards and Technology (NIST) regarding the use of Digital Signatures (FIPS 186-2) will be impacting a number of FIPS 140-2 validations in the near future. This guidance will send many vendor certifications to the dreaded Historical list; NIST specifically outlines that Federal agencies should not include products listed on the Historical site for new procurements.

Background

Digital signatures are used to detect unauthorized modifications to data and to authenticate the identity of the signatory. In January of 2000, NIST published the FIPS 186-2, Digital Signature Standard (DSS) which specified a suite of algorithms which could be used to generate a digital signature. In 2009 FIPS 186-2 was replaced by FIPS 186-3 which was in turn replaced by FIPS 186-4 in 2013. The latest iteration raises the minimum modulus size for most signature function to 2048 bits but continued to allow for a 1024-bit modulus for digital signature verification as a legacy function.

Because of this legacy function, algorithm testing against FIPS 186-2 has continued along with testing against the newer standard.

To ensure the cryptographic modules adhere to the newer standard, NIST has issued Implementation Guidance (IG) G.18 – Limiting the Use of FIPS 186-2. This IG extended the transition date to two months after ACVP Transition Date and clarified which modules will be moved to the historical list, and the methods to remain on (or be moved back to) the active list.

IG G.18 Impact

NIST has released the following information which will impact those companies leveraging FIPS 186-2:

1. Algorithm testing of signature verification implementations for their compliance with FIPS 186-2 will continue to be allowed for legacy purposes. The CAVP will stop validation testing to all other functions of FIPS 186-2 (including key generation and signature generation) on July 1, 2020.
2. On September 1, 2020, the CMVP will place modules on the historical list that were CAVP tested for the following:
   • FIPS 186-2 RSA SigGen when the modulus size is lower than 4096 – Modules that support testing to FIPS 186-4 SigGen at 2048 and/or 3072 bits and FIPS 186-2 RSA SigGen at 4096 bits only will not be moved to the historical list. It will be assumed to be done as an added assurance rather than claiming compliance to FIPS 186-2.
   • FIPS 186-2 RSA KeyGen at all modulus sizes – Modules that support testing to FIPS 186-2 RSA KeyGen will be moved to the historical list on the date referenced above

Products that leverage an internal FIPS module which support FIPS 186-2 KeyGen / SigGen will either need to be updated by the owner of the validation or the module will need to be replaced.

This guidance also relates to some of the confusion surrounding archiving of FIPS 140-2 validations that utilize OpenSSL FIPS Object Modules. It has been announced that support for these modules will not continue and they will be retired.

Solution

The good news is there are ways to correct the issue and keep your certification on the validated modules list. Depending on your scenario, you could correct the issue through a 1SUB or 3SUB.

Contact Corsec to discuss your resolution path.