Page:Fips186-2-change1.pdf/11

From Wikisource
Jump to navigation Jump to search
This page has been proofread, but needs to be validated.

M, is reduced by means of the Secure Hash Algorithm (SHA-1) specified in FIPS 180-1. An adversary, who does not know the private key of the signatory, cannot generate the correct signature of the signatory. In other words, signatures cannot be forged. However, by using the signatory's public key, anyone can verify a correctly signed message. A means of associating public and private key pairs to the corresponding users is required. That is, there must be a binding of a user's identity and the user's public key. This binding may be certified by a mutually trusted party. For example, a certifying authority could sign credentials containing a user's public key and identity to form a certificate. Systems for certifying credentials and distributing certificates are beyond the scope of this standard. NIST intends to publish separate document(s) on certifying credentials and distributing certificates.


4. DSA PARAMETERS

The DSA makes use of the following parameters:

  1. p = a prime modulus, where 2L-1 < p < 2L for 512 ≤ L ≤ 1024 and L a multiple of 64
  2. q = a prime divisor of p - 1, where 2159 < q < 2160
  3. g = h(p-1)/q mod p, where h is any integer with 1 < h < p - 1 such that h(p-1)/q mod p > 1 (g has order q mod p)
  4. x = a randomly or pseudorandomly generated integer with 0 < x < q
  5. y = gx mod p
  6. k = a randomly or pseudorandomly generated integer with 0 < k < q

The integers p, q, and g can be public and can be common to a group of users. A user's private and public keys are x and y, respectively. They are normally fixed for a period of time. Parameters x and k are used for signature generation only, and must be kept secret. Parameter k must be regenerated for each signature.

Parameters p and q shall be generated as specified in Appendix 2, or using other FIPS approved security methods. Parameters x and k shall be generated as specified in Appendix 3, or using other FIPS approved security methods.


5. DSA SIGNATURE GENERATION

The signature of a message M is the pair of numbers r and's computed according to the equations below:

8

Retrieved from "https://en.wikisource.org/w/index.php?title=Page:Fips186-2-change1.pdf/11&oldid=7189291"