The intent of the eIDAS regulation is to create a portfolio of technical and legal standards that enhance the security, legal validity, and acceptance of electronic transactions used to conduct business online or official business across EU member state borders.
The use of qualified electronic signatures is one such standard, which requires the use of a Qualified Signature Creation Device (QSCD).
Here is an explanation of the advantages of QSCDs and the reason why Cryptomathic Signer has the strongest security credentials for use with these devices.
What is a Qualified Electronic Signature (QES), and what is a QSCD?
In simple terms, a Qualified Electronic Signature (QES) is an advanced electronic signature with a qualified digital certificate. On top of this, a QES must be created by a Qualified Signature Creation Device. The QSCD’s responsibility is to generate digital signatures using specific hardware and software that ensures the signatory has complete control of their private (signing) key.
In addition, a qualified provider of trust services must manage the signature creation data, which must remain unique, confidential, and tamper-proof.
QSCDs provide a vital service for ensuring the irrefutability and security of a qualified electronic signature. Such signatures are considered the equivalent of a handwritten signature under EU law. Due to this, international governmental and legal processes can be completed entirely online, reducing fraud risks and the need for in-person meetings significantly.
Cryptomathic Signer for QSCDs
As previously mentioned, QSCDs rely on both hardware and software to ensure their security functions. Cryptomathic Signer has the strongest security credentials among QSCD software. It has undergone more security reviews than any other security solution of its type, including depth, coverage, functional tests, and independent testing.
Cryptomathic Signer is designed and certified to meet the highest standards required by:
- EN 419 241-1: Trustworthy Systems Supporting Server Signing Part 1, General System Security Requirements, CEN February 2018.
- EN 419 241-2: Trustworthy Systems Supporting Server Signing Part 2, Protection Profile for QSCD for Server Signing, CEN April 2019.
Importance of Common Criteria Certification
Cryptomathic Signer is certified using the Common Criteria Certification method. Both its CC EAL 4+ with AVA-VAN.5 Certificate and full certification report are available for viewing. These documents may also be retrieved from the Common Criteria Portal.
Common Criteria product certification ensures that Cryptographic Signer clients can be confident that this software has gone through a rigorous product development process.
Cryptomathic Signer is the only QSCD certified under the SO-GIS agreement utilizing the CCRA agreement. Its security target is written in strict conformance with the EN 419 241-2 certified protection profile. In opting for SO-GIS, Cryptomathic Signer:
- Makes a stricter interpretation of the Common Criteria requirements and does not allow the environment to enforce SFRs
- Has harmonized additional requirements for specific technical domains e.g., smartcards and for hardware devices in the HSM domain
- Has extensive experience with the composite evaluation approach that was originally created for smartcards’ technical domain
- Understands the consequences of not covering integrations between software and underlying platforms from the perspective of potential vulnerabilities.
Advantages that Signer Has Over Other Products
As a result of its extensive testing, Cryptomathic Signer has been found to have an advantage over other products, including:
- Offering the only QSCD certification using a “composite” evaluation that is necessary when interpreting EN 419 241-2
- No need to harden the Signer server when the SAM runs inside the HSM as a firmware extension
- Better performance as latency is reduced
- Key activation using SAML assertion bound to the data to be signed with “bound hashes” that offer:
- True authentication delegation
- An agnostic authentication method
- True compliance against Annex II and [CEN EN 419 24101] (Section 2.4, “Authentication”)
- Offering a high-performance solution that supports both RSA and ECC, making key generation significantly quicker.
- Using reputable labs and Common Criteria certifiers, specifically Brightsight and Tüv Rheinland Nederland
References and Further Reading
- Selected articles on eIDAS (2014-today), by Gaurav Sharma, Guillaume Forget, Jan Kjaersgaard, Dawn M. Turner, and more
- Trustworthy Systems Supporting Server Signing Part 2: Protection
Profile for QSCD for Server Signing (2019) by CEN/TC 224 - About The Common Criteria (retrieved October 2020), by Common Criteria
- Benefits of the eIDAS Toolbox – Case Studies from Various Industries (Part 1) (2018), by Gaurav Sharma
- Benefits of the eIDAS Toolbox – Case Studies from Various Industries (Part 2) (2018), by Gaurav Sharma
- Digital Trade and Trade Financing - Embracing and Shaping the Transformation (2018), by SWIFT & OPUS Advisory Services International Inc
- REGULATION (EU) No 1316/2013 establishing the Connecting Europe Facility, amending Regulation (EU) No 913/2010 and repealing Regulations (EC) No 680/2007 and (EC) No 67/2010(12/2013), by the European Parliament and the European Council
- Selected articles on Electronic Signing and Digital Signatures (2014-today), by Ashiq JA, Gaurav Sharma, Guillaume Forget, Jan Kjaersgaard , Peter Landrock, Torben Pedersen, Dawn M. Turner, and more
- The European Interoperability Framework - Implementation Strategy (2017), by the European Commission
More Stories
