Benefits of eIDAS Qualified Signature Creation Devices and Why Cryptomathic Signer has the Strongest Security Credentials

by Guillaume Forget on 13. October 2021

The intent of the eIDAS regulation is to create a portfolio of technical and legal standards that enhance the security, legal validity, and acceptance of electronic transactions used to conduct business online or official business across EU member state borders.

The use of qualified electronic signatures is one such standard, which requires the use of a Qualified Signature Creation Device (QSCD).

Here is an explanation of the advantages of QSCDs and the reason why Cryptomathic Signer has the strongest security credentials for use with these devices.


What is a Qualified Electronic Signature (QES), and what is a QSCD?

In simple terms, a Qualified Electronic Signature (QES) is an advanced electronic signature with a qualified digital certificate. On top of this, a QES must be created by a Qualified Signature Creation Device. The QSCD’s responsibility is to generate digital signatures using specific hardware and software that ensures the signatory has complete control of their private (signing) key.

In addition, a qualified provider of trust services must manage the signature creation data, which must remain unique, confidential, and tamper-proof.

QSCDs provide a vital service for ensuring the irrefutability and security of a qualified electronic signature. Such signatures are considered the equivalent of a handwritten signature under EU law. Due to this, international governmental and legal processes can be completed entirely online, reducing fraud risks and the need for in-person meetings significantly.


Cryptomathic Signer for QSCDs

As previously mentioned, QSCDs rely on both hardware and software to ensure their security functions. Cryptomathic Signer has the strongest security credentials among QSCD software. It has undergone more security reviews than any other security solution of its type, covering depth, coverage, functional tests, and independent testing.

Cryptomathic Signer is designed and certified to meet the highest standards required by:

  • EN 419 241-1: Trustworthy Systems Supporting Server Signing Part 1, General System Security Requirements, CEN February 2018.
  • EN 419 241-2: Trustworthy Systems Supporting Server Signing Part 2, Protection Profile for QSCD for Server Signing, CEN April 2019.

Importance of Common Criteria Certification

Cryptomathic Signer is certified using the Common Criteria Certification method. Both its CC EAL 4+ with AVA_VAN.5 Certificate and full certification report are available for viewing. These documents may also be retrieved from the Common Criteria Portal.

Common Criteria product certification ensures that Cryptomathic Signer clients can be confident that this software has gone through a rigorous product development process.

Cryptomathic Signer is the only QSCD certified under the SOG-IS agreement utilizing the CCRA agreement. Its security target is written in strict conformance with the EN 419 241-2 certified protection profile. In opting for SOG-IS, Cryptomathic Signer:

  • Makes a stricter interpretation of the Common Criteria requirements and does not allow the environment to enforce SFRs
  • Has harmonized additional requirements for specific technical domains, e.g., smartcards and hardware devices in the HSM domain
  • Has extensive experience with the composite evaluation approach that was originally created for smartcards’ technical domain
  • Understands the consequences of not covering integrations between software and underlying platforms from the perspective of potential vulnerabilities.


Advantages that Signer Has Over Other Products

As a result of its extensive testing, Cryptomathic Signer has been found to have an advantage over other products, including:

  • Offering the only QSCD certification using a “composite” evaluation that is necessary when interpreting EN 419 241-2
  • No need to harden the Signer server when the SAM runs inside the HSM as a firmware extension
  • Better performance as latency is reduced
  • Key activation using SAML assertion bound to the data to be signed with “bound hashes” that offer:
    • True authentication delegation
    • An agnostic authentication method
    • True compliance against Annex II and [CEN EN 419 24101] (Section 2.4, “Authentication”)
  • Offering a high-performance solution that supports both RSA and ECC, making key generation significantly quicker
  • Using reputable labs and Common Criteria certifiers, specifically Brightsight and TÜV Rheinland Nederland

