Benefits of eIDAS Qualified Signature Creation Devices and Why Cryptomathic Signer has the Strongest Security Credentials

by Guillaume Forget on 13. October 2020

The intent of eIDAS is to create a portfolio of technical and legal standards that enhance the security, legal validity and acceptance of electronic transactions that are used to conduct business online or to conduct official business across EU member state borders.

The use of qualified electronic signatures is one such standard, which requires the use of a Qualified Signature Creation Device (QSCD).

Here is an explanation of the benefits of QSCDs and why Cryptomathic Signer has the strongest security credentials for use with these devices.

What is a Qualified Electronic Signature (QES), and what is a QSCD?

In simple terms, a Qualified Electronic Signature (QES) is an advanced electronic signature that has a qualified digital certificate attached to it. On top of this, a QES must be created by a Qualified Signature Creation Device. The QSCD’s responsibility is to generate digital signatures using specific hardware and software that ensures the signatory has complete control of their private (signing) key.New call-to-action

Additionally, a qualified trust service provider must manage the signature creation data that is produced, which must continue to be unique, confidential, and tamperproof.

QSCD’s provide a vital service for ensuring the irrefutability and security of a qualified electronic signature. Such signatures are considered as the equivalent to a handwritten signature under EU law. Because of this, international governmental and legal processes can be completed entirely over the internet , whilst greatly reducing risks of fraud and the need for in-person meetings.

Cryptomathic Signer for QSCDs

 Selected Signing Services

As previously mentioned, QSCDs rely on both specific hardware and software to assure their secure functions. On the QSCD software front, Cryptomathic Signer has the strongest security credentials. It has undergone more security reviews than any other security solution of its type, including depth, coverage, functional tests, and independent testing.

Cryptomathic Signer is designed and certified to meet the highest standards required by:

  • EN 419 241-1: Trustworthy Systems Supporting Server Signing Part 1, General System Security Requirements, CEN February 2018.
  • EN 419 241-2: Trustworthy Systems Supporting Server Signing Part 2, Protection Profile for QSCD for Server Signing, CEN April 2019.

Importance of Common Criteria Certification

New Call-to-action

Cryptomathic Signer is certified using the Common Criteria Certification method. Both its CC EAL 4+ with AVA-VAN.5 certificate and full certification report are available for viewing. These documents may also be retrieved from the Common Criteria Portal.

Common Criteria product certification ensures that Cryptographic Signer clients can be confident that this software has gone through a rigorous product development process. 

Cryptomathic Signer is the only QSCD that is certified under the SO-GIS agreement using the CCRA agreement. Its security target is written in strict conformance with the EN 419 241-2 certified protection profile. In opting for SO-GIS, Cryptomathic Signer:

  • Makes a stricter interpretation of the Common Criteria requirements and does not allow the environment to enforce SFRs
  • Has harmonized additional requirements for specific technical domains e.g., smartcards and for hardware devices in the HSM domain
  • Has extensive experience with the composite evaluation approach that was originally created for smartcards’ technical domain
  • Understands the consequences of not covering integrations between software and underlying platforms from the perspective of potential vulnerabilities.

Advantages that Signer Has Over Other Products

As a result of its extensive testing, Cryptomathic Signer has been found to have an advantage over other products, including:

  • Offering the only QSCD certification using a “composite” evaluation that is necessary when interpreting EN 419 241-2
  • No need to harden the Signer server when the SAM runs inside the HSM as a firmware extension
  • Better performance as latency is reduced
  • Key activation using SAML assertion bound to the data to be signed with “bound hashes” that offer:
    • True authentication delegation
    • An agnostic authentication method
    • True compliance against Annex II and [CEN EN 419 24101] (Section 2.4, “Authentication”)
  • Offering a high performance solution that supports both RSA and ECC, thereby making key generation significantly faster
  • Using reputable labs and Common Criteria certifier, namely Brightsight and Tüv Rheinland Nederland

Download white paper

References and Further Reading

Other Related Articles: # eIDAS # Banking # QSCD # QES

Want to know how we can help ?

Get in touch to better understand how our solutions secure ecommerce and billions of transactions worldwide.