ISO/IEC IEC 29167-17 — IT Security — Part 17: DSA Digital Signature Suite for RFID

Digital signature authentication protocol for RFID tags using the Digital Signature Algorithm with SHA-based hashing

1. Overview of ISO/IEC 29167-17

ISO/IEC 29167-17 defines the Digital Signature Algorithm (DSA) cryptographic suite for RFID systems operating under the ISO/IEC 18000 series air-interface standards. Unlike symmetric-key-based suites, DSA provides asymmetric authentication where the tag uses a private key to generate signatures and any reader with the corresponding public key can verify them. This property is invaluable in open-loop supply chains where many different readers must authenticate tags without sharing secret keys.

The standard supports DSA key sizes of 1024, 2048, and 3072 bits, paired with SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512 hash functions respectively. The DSA suite defined in this standard is compatible with FIPS 186-4 and provides both tag authentication (signature generation) and data integrity (signature verification of command parameters).

DSA signatures provide non-repudiation — a tag cannot deny having generated a response because only the tag possesses its private key. This property is essential for applications requiring proof of origin, such as pharmaceutical pedigree verification.

2. Signature Generation and Verification

The DSA signature process in ISO/IEC 29167-17 consists of three phases. First, the tag generates a random per-message secret k and computes the signature component r = (g^k mod p) mod q. Second, it computes the hash H(m) of the message using the agreed hash function. Third, it computes s = k^(-1) * (H(m) + x*r) mod q, where x is the tag’s private key. The signature (r, s) is returned to the reader along with the message.

Verification at the reader side involves computing w = s^(-1) mod q, u1 = H(m)*w mod q, u2 = r*w mod q, and checking whether v = ((g^u1 * y^u2) mod p) mod q equals r, where y is the tag’s public key. The standard specifies that the reader MUST reject signatures where r = 0 or s = 0, as these indicate invalid signature generation.

DSA Key Size Hash Function Signature Size Security Level Tag Computation Typical Application
1024 bits SHA-1 / SHA-224 40 bytes 80-bit ~50 ms @ 1 MHz Low-cost tags, basic auth
2048 bits SHA-256 56 bytes 112-bit ~200 ms @ 1 MHz Supply chain, pharmaceuticals
3072 bits SHA-512 64 bytes 128-bit ~500 ms @ 1 MHz High-security, government
The per-message secret k in DSA MUST be unique, secret, and unpredictable for every signature. Reusing k across two signatures with different messages allows an attacker to compute the private key by solving a simple system of linear equations. This vulnerability has been exploited in real-world attacks including the 2010 Sony PS3 incident.

3. Implementation Challenges and Solutions

DSA on passive RFID tags presents significant implementation challenges due to the large operand sizes (up to 3072 bits) and the computational cost of modular exponentiation. Unlike ECC-based suites which operate on 160-521 bit operands, DSA requires arithmetic on operands of 1024-3072 bits. This directly impacts silicon area: a DSA 2048-bit modular multiplier requires approximately 4x the logic of an ECC-256 multiplier.

To mitigate the computational burden, the standard allows for pre-computation of the exponentiation component r before the message is known. Since r = (g^k mod p) mod q depends only on the random k and not on the message, a tag can pre-compute r during idle periods and store it in volatile memory. When a signature request arrives, only the modular inversion and multiplication for s need to be computed in real-time, reducing response latency by approximately 70%.

Pre-computation of the DSA r component during tag idle periods reduces on-request signature generation time from approximately 200 ms to under 60 ms for DSA-2048, making DSA feasible for time-critical supply chain applications.
The random number generator supplying k for DSA signatures must be rigorously validated. Statistical weaknesses in the RNG can lead to k-value collisions across tags or across signatures from the same tag, enabling large-scale private key recovery. Implementations should use a hardware TRNG backed by a NIST SP 800-90A DRBG.

4. Frequently Asked Questions

Q: How does DSA-1024 compare to ECC-224 in terms of security?
A: DSA-1024 provides approximately 80-bit security equivalent while ECC-224 provides 112-bit security. For new designs, ECC-based suites are generally preferred due to smaller signatures and faster computation.
Q: Can DSA signatures be used for encrypting tag memory?
A: No. DSA only provides digital signatures for authentication and integrity. Memory encryption requires a separate encryption suite such as AES-GCM (29167-21) or a key agreement + encryption combination.
Q: What happens to a DSA tag when its battery fails?
A: Passive tags (harvesting energy from the reader field) do not have batteries. For semi-passive or active tags, the private key is typically stored in non-volatile EEPROM or flash, which persists regardless of power state.
Q: Is DSA post-quantum resistant?
A: No. DSA security relies on the discrete logarithm problem, which is broken by Shor’s algorithm on sufficiently large quantum computers. For systems requiring 20+ year security, consider hash-based or lattice-based post-quantum signatures.
© 2026 TNLab — This article is for educational and technical reference purposes.

Leave a Reply

Your email address will not be published. Required fields are marked *

Trending now

IEC 60300-3-7: Reliability Stress Screening — Exposing Hidden Defects Before They Reach Your Customer
IEC 60309-4: Industrial Plugs and Sockets — How Colour Coding and Keying Prevent Fatal Wiring Errors
IEC 60310: Traction Transformers — The Heartbeat Device Powering High-Speed Trains and Metros
IEC 60318-2: Acoustic Couplers — The “Artificial Ear” Calibrating Hearing Aids and Headphones