NIST SP 800-102, Recommendation for Digital Signature Timeliness
Total Page:16
File Type:pdf, Size:1020Kb
NIST Special Publication 800-102 Recommendation for Digital Signature Timeliness Elaine Barker Computer Security Division Information Technology Laboratory C O M P U T E R S E C U R I T Y September 2009 U.S. Department of Commerce Gary Locke, Secretary National Institute of Standards and Technology Patrick D. Gallagher, Deputy Director Abstract Establishing the time when a digital signature was generated is often a critical consideration. A signed message that includes the (purported) signing time provides no assurance that the private key was used to sign the message at that time unless the accuracy of the time can be trusted. With the appropriate use of digital signature-based timestamps from a Trusted Timestamp Authority (TTA) and/or verifier-supplied data that is included in the signed message, the signatory can provide some level of assurance about the time that the message was signed. KEY WORDS: digital signatures, timeliness, timestamp, Trusted Timestamp Authority ii Acknowledgements The National Institute of Standards and Technology (NIST) gratefully acknowledges and appreciates contributions by Rich Davis from the National Security Agency concerning the many security issues associated with this Recommendation. NIST also thanks the many contributions by the public and private sectors whose thoughtful and constructive comments improved the quality and usefulness of this publication. iii Table of Contents 1 Introduction................................................................................................ 5 2 Authority.................................................................................................... 5 3 Definitions, Acronyms and Symbols......................................................... 6 3.1 Definitions............................................................................................................ 6 3.2 Acronyms............................................................................................................. 8 3.3 Symbols................................................................................................................ 8 4 Using Timestamps from a Trusted Timestamp Authority......................... 9 4.1 Notation................................................................................................................ 9 4.2 Timestamp Provision by a TTA......................................................................... 10 4.3 Signatory Provision of a Timestamp with a Signed Message............................ 10 4.3.1 Optional (or No) User Information Provided to the TTA by Entity A .. 11 4.3.2 A Hash of M is Provided to the TTA by Entity A ................................. 13 4.3.3 A Digital Signature on M is Provided to the TTA by Entity A ............. 15 4.3.4 A Digital Signature on M is Provided to the TTA by Entity B.............. 17 4.4 Using an Additional Timestamp ........................................................................ 18 4.4.1 Entity A Requests the Second Timestamp............................................. 19 4.4.2 Entity B Requests the Second Timestamp............................................. 21 5 Evidence of Timeliness Using Verifier-Supplied Data........................... 24 5.1 The Basic Scheme.............................................................................................. 25 5.2 Using a Timestamp to Obtain More Precision................................................... 25 5.2.1 Entity A Requests the Timestamp.......................................................... 25 5.2.2 Entity B Requests the Timestamp.......................................................... 27 Appendix A: References............................................................................... 30 iv Recommendation for Digital Signature Timeliness 1 Introduction A digital signature is an electronic analogue of a written signature; the digital signature can be used to provide assurance that the claimed signatory signed the information. In addition, a digital signature may be used to detect whether or not the information was modified after it was signed (i.e., to detect the integrity of the signed data). Establishing the time when a digital signature was generated is often a critical consideration. A signed message that includes the (purported) signing time provides no assurance that the private key was used to sign the message at that time unless the accuracy of the time can be trusted. With the appropriate use of 1) timestamps that are digitally signed by a Trusted Timestamp Authority (TTA), and/or 2) verifier-supplied data that is included in the signed message, some level of assurance about the time that the message was signed can be provided. A discussion of the establishment and management of a TTA is outside the scope of this Recommendation. For further information about TTAs, see [3], [4], and [5]. 2 Authority This document has been developed by the National Institute of Standards and Technology (NIST) in furtherance of its statutory responsibilities under the Federal Information Security Management Act (FISMA) of 2002, Public Law 107-347. NIST is responsible for developing standards and guidelines, including minimum requirements, for providing adequate information security for all agency operations and assets, but such standards and guidelines shall not apply to national security systems. This recommendation is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130, Section 8b(3), Securing Agency Information Systems, as analyzed in A-130, Appendix IV: Analysis of Key Sections. Supplemental information is provided in A-130, Appendix III. This Recommendation has been prepared for use by Federal agencies. It may be used by non-governmental organizations on a voluntary basis and is not subject to copyright (attribution would be appreciated by NIST). Nothing in this Recommendation should be taken to contradict standards and guidelines made mandatory and binding on Federal agencies by the Secretary of Commerce under statutory authority. Nor should this Recommendation be interpreted as altering or superseding the existing authorities of the Secretary of Commerce, Director of the OMB, or any other federal official. Conformance testing for implementations of this Recommendation will be conducted within the framework of the Cryptographic Module Validation Program (CMVP), a joint effort of NIST and the Communications Security Establishment Canada. The requirements of this Recommendation are indicated by the word “shall.” 5 3 Definitions, Acronyms and Symbols 3.1 Definitions Approved FIPS-approved and/or NIST-recommended. An algorithm or technique that is either 1) specified in a FIPS or NIST Recommendation, or 2) adopted in a FIPS or NIST Recommendation or 3) specified in a list of NIST-approved security functions. Digital signature The result of a cryptographic transformation of data that, when properly implemented, provides origin authentication, assurance of data integrity and signatory non-repudiation. Entity An individual (person), organization, device or process. Used interchangeably with “party”. Hash value The result of applying a hash function to data. Key A parameter used in conjunction with a cryptographic algorithm that determines its operation. Examples applicable to this Recommendation include: 1. The computation of a digital signature from data, and 2. The verification of a digital signature. Message The data that is signed. Nonce A time-varying value that has at most a negligible chance of repeating, for example, a random value that is generated anew for each use, a timestamp, a sequence number, or some combination of these. Party An individual (person), organization, device or process. Used interchangeably with “entity”. Private key/private A cryptographic key that is used with an asymmetric (public signature key key) cryptographic algorithm and is associated with a public key. The private key is uniquely associated with the owner and is not made public. This key is used to compute a digital signature that may be verified using the corresponding public key. 6 Public key/public A cryptographic key that is used with an asymmetric (public signature verification key) cryptographic algorithm and is associated with a private key key. The public key is associated with an owner and may be made public. In the case of digital signatures, the public key is used to verify a digital signature that was signed using the corresponding private key. Relying party A party that depends on the validity of the digital signature process. Security strength A number associated with the amount of work (e.g., the number of operations) that is required to break a cryptographic algorithm or system. Shall Used to indicate a requirement of this Recommendation. Signatory The entity that generates a digital signature on data using a private key. Signature generation The process of using a digital signature algorithm and a private key to generate a digital signature on data. Signature verification The process of using a digital signature algorithm and a public key to verify a digital signature on data. Timestamp A token or packet of information that is used to provide assurance of timeliness; the timestamp contains timestamped data, including a time, and a signature generated by a Trusted Timestamp Authority (TTA). timestamp Contains the time and, possibly, other information; a component of timestamped_data. timestamped_data The data on which a digital signature is generated by a TTA. timestamp_packet