Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
CAN/CSA-ISO/IEC 15945-04: Digital Signature Schemes Giving Message Recovery – General Framework
A Canadian Adoption of the International Standard for Secure Digital Signature Mechanisms
Scope and General Overview
CAN/CSA-ISO/IEC 15945-04 is the Canadian adoption of the international standard ISO/IEC 15945:2002, which specifies a general framework for digital signature schemes that provide message recovery. This standard is part of the ISO/IEC 15945 series of information technology security techniques and provides essential guidance for designing, implementing, and evaluating digital signature mechanisms where the original signed message can be recovered directly from the signature itself.
The standard applies to cryptographic systems used for entity authentication, data integrity verification, and non-repudiation in both commercial and government sectors. It defines the fundamental model for digital signatures with message recovery, distinguishing two primary categories: signatures giving total message recovery and those giving partial message recovery. The scope includes requirements for key generation, signature generation, signature verification, and security parameters.
Tip: CAN/CSA-ISO/IEC 15945-04 aligns with ISO/IEC 15945:2002 without technical deviations. Organizations that comply with ISO/IEC 15945 automatically meet the Canadian adoption requirements.
Relationship to Other Standards
This standard functions as a foundational part of the digital signature framework within the ISO/IEC 14888 series (which covers digital signatures with appendix) and complements ISO/IEC 9796-1. While ISO/IEC 9796-1 focuses on total message recovery using specific mechanisms, CAN/CSA-ISO/IEC 15945-04 provides the general model, definitions, and security level requirements that apply across all schemes falling under the message recovery category.
Technical Requirements and Cryptographic Mechanisms
The standard specifies strict technical requirements for digital signature schemes giving message recovery. These requirements cover three key areas: key pair generation, signature generation, and signature verification. All schemes must satisfy the security properties of existential unforgeability under adaptive chosen-message attacks (EUF-CMA).
Key Generation Requirements
Key pairs (private and public keys) must be generated using approved random number generators (RNGs) that comply with ANSI X9.17 or FIPS 140-2 criteria. The standard mandates minimum key sizes for asymmetric algorithms:
| Algorithm Type | Minimum Key Size (bits) | Security Level Equivalence |
|---|---|---|
| RSA (total recovery) | 2048 | 112 bits symmetric |
| Elliptic Curve (total recovery) | 224 | 112 bits symmetric |
| RSA (partial recovery) | 3072 | 128 bits symmetric |
| Elliptic Curve (partial recovery) | 256 | 128 bits symmetric |
Warning: Keys smaller than the minimum specified sizes are prohibited in any compliant implementation. Legacy systems using 1024-bit RSA keys must be upgraded to maintain compliance with CAN/CSA-ISO/IEC 15945-04.
Signature Generation and Verification Process
The standard defines a general process for generating a digital signature with message recovery:
- Data encoding: The original message is formatted with a predetermined redundancy field (either added or pre-existing) to allow recovery verification.
- Hash computation: A cryptographic hash function (SHA-256 or higher, as specified in FIPS 180-4) is applied to the formatted message to produce a hash value.
- Signature generation: The signer uses their private key to transform the hash and relevant data into a signature block from which the original message can be fully or partially reconstructed.
- Signature verification: The verifier uses the public key to extract the hash and message from the signature, then recomputes the hash and compares it with the extracted value to confirm authenticity.
For partial recovery schemes, only a portion of the message is embedded in the signature; the remaining data must be transmitted separately, and the verifier reconstructs the original message by combining the recovered part with the separately transmitted data.
Implementation Highlights and Security Considerations
Implementers must consider several practical aspects when deploying digital signature schemes compliant with CAN/CSA-ISO/IEC 15945-04:
Message Recovery Benefits
Unlike signature schemes with appendix (where the message must be kept separate), message recovery signatures allow the original message to be fully recovered even if storage or transmission of the original is lost. This is particularly advantageous in bandwidth-limited environments or for digital archives where storage efficiency is critical.
Hash Function Selection
The standard mandates the use of approved hash functions. Acceptable choices include SHA-256 (minimum), SHA-384, or SHA-512. The hash function must be collision-resistant at the security level corresponding to the key size.
Best Practice: For applications requiring long-term security (beyond 2030), implement signatures using 3072-bit RSA or 256-bit elliptic curves in total recovery mode, paired with SHA-384 hashing. This provides a robust security margin against future cryptanalytic advances.
Algorithm Agility and Migration
CAN/CSA-ISO/IEC 15945-04 encourages algorithm agility. Implementations should be designed to support multiple signature mechanisms and allow seamless migration when weaknesses are discovered in any given scheme. The standard does not prescribe a single algorithm but rather defines the general framework, enabling organizations to adopt standardized mechanisms such as RSA-PSS-R (for total recovery) or ECDSA variants adapted for message recovery.
Compliance Notes and Canadian Deviations
CAN/CSA-ISO/IEC 15945-04 is an identical adoption of ISO/IEC 15945:2002. The Canadian Standards Association has verified that no technical deviations exist; only editorial changes (e.g., language, references to Canadian standards bodies) have been applied. Therefore, any system meeting ISO/IEC 15945:2002 automatically satisfies the Canadian adoption.
Compliance Checklist
- Algorithm compliance: Use only approved asymmetric algorithms with key sizes meeting the minima in the table above.
- RNG compliance: Random number generators must be validated against recognized standards (ANSI X9.17, FIPS 140-2, or NIST SP 800-90A).
- Hash function compliance: Use only FIPS-approved hash functions at the required security level.
- Implementation testing: All components must pass the known-answer tests (KATs) provided in ISO/IEC 15945:2002 annex.
- Documentation: Clearly specify the recovery mode (total/partial) and the algorithm used in all system documentation.
Important: Non-compliant implementations that use deprecated algorithms (e.g., MD5, SHA-1) or insufficient key sizes (e.g., 1024-bit RSA) will not be accepted during audits for federal or regulated Canadian industries. Such systems must be upgraded immediately.
Future Revisions
As of the 2026 update cycle, the ISO/IEC 15945 series is under review for alignment with post-quantum cryptographic recommendations. Users maintaining long-lived systems should monitor for upcoming amendments expected by 2027–2028 that will address hybrid signature schemes with message recovery.
Q: What is the difference between a digital signature with message recovery and one with appendix?
A: In a signature with message recovery (covered by this standard), the original message can be extracted from the signature itself. In a signature with appendix, the message must be sent separately alongside the signature. Message recovery offers bandwidth savings and is ideal for short messages like transactions or authentication tokens.
A: In a signature with message recovery (covered by this standard), the original message can be extracted from the signature itself. In a signature with appendix, the message must be sent separately alongside the signature. Message recovery offers bandwidth savings and is ideal for short messages like transactions or authentication tokens.
Q: Is CAN/CSA-ISO/IEC 15945-04 mandatory for Canadian federal agencies?
A: While the standard is not inherently mandatory, the Government of Canada’s IT Security Policy requires the use of approved cryptographic algorithms. Since CAN/CSA-ISO/IEC 15945-04 references those algorithms, it is often adopted as a baseline requirement for systems handling sensitive data.
A: While the standard is not inherently mandatory, the Government of Canada’s IT Security Policy requires the use of approved cryptographic algorithms. Since CAN/CSA-ISO/IEC 15945-04 references those algorithms, it is often adopted as a baseline requirement for systems handling sensitive data.
Q: Can I use this standard for electronic signatures under European eIDAS regulation?
A: Yes. The EU eIDAS regulation recognizes technical standards from ISO/IEC as acceptable methods for advanced electronic signatures. However, local national schemes (e.g., BSI TR-03111 in Germany) may impose additional profile requirements. CAN/CSA-ISO/IEC 15945-04 can serve as a starting point but should be supplemented with relevant national profiles.
A: Yes. The EU eIDAS regulation recognizes technical standards from ISO/IEC as acceptable methods for advanced electronic signatures. However, local national schemes (e.g., BSI TR-03111 in Germany) may impose additional profile requirements. CAN/CSA-ISO/IEC 15945-04 can serve as a starting point but should be supplemented with relevant national profiles.
Last updated: 2026. This article reflects the current version of CAN/CSA-ISO/IEC 15945-04 (identical to ISO/IEC 15945:2002).