The intent of eIDAS is to create a portfolio of technical and legal standards that enhance the security, legal validity and acceptance of electronic transactions that are used to conduct business online or to conduct official business across EU member state borders. The use of qualified electronic signatures is one such standard, which requires the use of a Qualified Signature Creation Device (QSCD).
Here is an explanation of the benefits of QSCDs and why Cryptomathic Signer has the strongest security credentials for use with these devices.
What is a Qualified Electronic Signature (QES), and what is a QSCD?
In simple terms, a Qualified Electronic Signature (QES) is an advanced electronic signature that has a qualified digital certificate attached to it. On top of this, a QES must be created by a Qualified Signature Creation Device. The QSCD’s responsibility is to generate digital signatures using specific hardware and software that ensures the signatory has complete control of their private (signing) key.
Additionally, a qualified trust service provider must manage the signature creation data that is produced, which must continue to be unique, confidential, and tamperproof.
QSCD’s provide a vital service for ensuring the irrefutability and security of a qualified electronic signature. Such signatures are considered as the equivalent to a handwritten signature under EU law. Because of this, international governmental and legal processes can be completed entirely over the internet , whilst greatly reducing risks of fraud and the need for in-person meetings.
Cryptomathic Signer for QSCDs
As previously mentioned, QSCDs rely on both specific hardware and software to assure their secure functions. On the QSCD software front, Cryptomathic Signer has the strongest security credentials. It has undergone more security reviews than any other security solution of its type, including depth, coverage, functional tests, and independent testing.
Cryptomathic Signer is designed and certified to meet the highest standards required by:
- EN 419 241-1: Trustworthy Systems Supporting Server Signing Part 1, General System Security Requirements, CEN February 2018.
- EN 419 241-2: Trustworthy Systems Supporting Server Signing Part 2, Protection Profile for QSCD for Server Signing, CEN April 2019.
Importance of Common Criteria Certification
Cryptomathic Signer is certified using the Common Criteria Certification method. Both its CC EAL 4+ with AVA-VAN.5 certificate and full certification report are available for viewing. These documents may also be retrieved from the Common Criteria Portal.
Common Criteria product certification ensures that Cryptographic Signer clients can be confident that this software has gone through a rigorous product development process.
Cryptomathic Signer is the only QSCD that is certified under the SO-GIS agreement using the CCRA agreement. Its security target is written in strict conformance with the EN 419 241-2 certified protection profile. In opting for SO-GIS, Cryptomathic Signer:
- Makes a stricter interpretation of the Common Criteria requirements and does not allow the environment to enforce SFRs
- Has harmonized additional requirements for specific technical domains e.g., smartcards and for hardware devices in the HSM domain
- Has extensive experience with the composite evaluation approach that was originally created for smartcards’ technical domain
- Understands the consequences of not covering integrations between software and underlying platforms from the perspective of potential vulnerabilities.
Advantages that Signer Has Over Other Products
As a result of its extensive testing, Cryptomathic Signer has been found to have an advantage over other products, including:
- Offering the only QSCD certification using a “composite” evaluation that is necessary when interpreting EN 419 241-2
- No need to harden the Signer server when the SAM runs inside the HSM as a firmware extension
- Better performance as latency is reduced
- Key activation using SAML assertion bound to the data to be signed with “bound hashes” that offer:
- True authentication delegation
- An agnostic authentication method
- True compliance against Annex II and [CEN EN 419 24101] (Section 2.4, “Authentication”)
- Offering a high performance solution that supports both RSA and ECC, thereby making key generation significantly faster
- Using reputable labs and Common Criteria certifier, namely Brightsight and Tüv Rheinland Nederland
References and Further Reading
- Selected articles on eIDAS (2014-today), by Gaurav Sharma, Guillaume Forget, Jan Kjaersgaard, Dawn M. Turner, and more
- Trustworthy Systems Supporting Server Signing Part 2: Protection
Profile for QSCD for Server Signing (2019) by CEN/TC 224
- About The Common Criteria (retrieved October 2020), by Common Criteria
- Benefits of the eIDAS Toolbox – Case Studies from Various Industries (Part 1) (2018), by Gaurav Sharma
- Benefits of the eIDAS Toolbox – Case Studies from Various Industries (Part 2) (2018), by Gaurav Sharma
- Digital Trade and Trade Financing - Embracing and Shaping the Transformation (2018), by SWIFT & OPUS Advisory Services International Inc
- REGULATION (EU) No 1316/2013 establishing the Connecting Europe Facility, amending Regulation (EU) No 913/2010 and repealing Regulations (EC) No 680/2007 and (EC) No 67/2010(12/2013), by the European Parliament and the European Council
- Selected articles on Electronic Signing and Digital Signatures (2014-today), by Ashiq JA, Gaurav Sharma, Guillaume Forget, Jan Kjaersgaard , Peter Landrock, Torben Pedersen, Dawn M. Turner, and more
- The European Interoperability Framework - Implementation Strategy (2017), by the European Commission