Reference Guide

Secure Operation of Crypto-C ME
RSA BSAFE Crypto-C Micro Edition 4.1.4 Security Policy Level 1
with Level 2 Roles, Services and Authentication
2.1.2 Crypto User Guidance on Obtaining Assurances for Digital Signature Applications
The module provides support for the FIPS 186-4 standard for digital signatures. The
following gives an overview of the assurances required by FIPS 186-4. SP 800-89
provides the methods to obtain these assurances.
The tables below describe the FIPS 186-4 requirements for signatories and verifiers
and the corresponding module capabilities and recommendations.
Table 8 Signatory Requirements

| FIPS 186-4 Requirement | Module Capabilities and Recommendations |
| --- | --- |
| Obtain appropriate DSA and ECDSA parameters when using DSA or ECDSA. | The generation of DSA parameters is in accordance with the FIPS 186-4 standard for the generation of probable primes. For ECDSA, use the NIST recommended curves as defined in section 2.1.1. |
| Obtain assurance of the validity of those parameters. | The module provides the API R_CR_validate_key() to validate DSA parameters for probable primes as described in FIPS 186-4. For ECDSA, use the NIST recommended curves as defined in section 2.1.1. |
| Obtain a digital signature key pair that is generated as specified for the appropriate digital signature algorithm. | The module generates the digital signature key pair according to the required standards. Choose a FIPS-Approved DRBG like HMAC DRBG to generate the key pair. |
| Obtain assurance of the validity of the public key. | The module provides the API R_CR_validate_key() to explicitly validate the public key according to SP 800-89. |
| Obtain assurance that the signatory actually possesses the associated private key. | The module verifies the signature created using the private key, but all other assurances are outside the scope of the module. |

Table 9 Verifier Requirements

| FIPS 186-4 Requirement | Module Capabilities and Recommendations |
| --- | --- |
| Obtain assurance of the signatory’s claimed identity. | The module verifies the signature created using the private key, but all other assurances are outside the scope of the module. |
| Obtain assurance of the validity of the domain parameters for DSA and ECDSA. | The module provides the API R_CR_validate_key() to validate DSA parameters for probable primes as described in FIPS 186-4. For ECDSA, use the NIST recommended curves as defined in section 2.1.1. |
| Obtain assurance of the validity of the public key. | The module provides the API R_CR_validate_key() to explicitly validate the public key according to SP 800-89. |