As part of the global drive for digital transformation, legally binding digital signatures are at the forefront of many businesses’ ambitions to provide an enhanced and complete digital customer journey. Even though most people can understand the general concept of digital signatures, reaching the highest level of assurance with a Qualified Electronic Signature contains quite a few things to consider.

Here we provide a high-level comparison between Cryptomathic Signer and other eIDAS remote signing solutions available in the market.

Let’s start with the certification

Cryptomathic Signer is one of the few (if not the only) remote signing solutions that has been Common Criteria (CC) certified according to a “composite” evaluation. This type of evaluation requires the evaluators to review both the Signature Activation Module (SAM) and the underlying cryptographic module together, so a single evaluation covers both the SAM and the Hardware Security Module (HSM). The alternative is that the HSM and SAM are evaluated separately; in this case, the security guarantees provided by the HSM may not match the requirements of the SAM (and vice versa), and the “compatibility” of the composed system then has to be evaluated in some other way.

For this reason, the exact model of the HSM is stated in the Security Target for the CC certification of Cryptomathic Signer. Additionally, for security reasons, we strongly advise that the SAM should be hosted in the HSM. Our composite evaluation made it possible to do just that: have the SAM inside the HSM and thus take full advantage of the CC certification of the HSM.

Other signing solutions do not explicitly mention the cryptographic module or the tamper-protection hardware. Since our certification explicitly names the HSM, the customer is guaranteed (by the CC certificate) that the SAM and HSM are both secure when the SAM is installed on the HSM.

Vendors that do not mention the HSM model cannot give the same guarantee: it is not clear how they can ensure that the composition of SAM and HSM is secure.

There are currently several less demanding audit approaches to the eIDAS requirements, which other vendors have taken. We are proud that the attestation for Cryptomathic Signer is more comprehensive and provides the most detailed assessment of the security of the system.

By taking the more secure and technically advanced approach to certification, Cryptomathic Signer is likely to be better aligned with future changes to the eIDAS certification requirements and, thereby, a more future-proof option for our clients.

Flexibility for leveraging existing IT security infrastructure

Cryptomathic can leverage any strong authentication method a client already has in place, as we only ask for a SAML assertion, whereas other solutions force users to install an app on a smartphone as the only way to authenticate. With only a mobile phone (“something you have”) and a PIN code (“something you know”) or a fingerprint (“something you are”) held on that same physical phone, we would question whether this is enough to protect against eavesdropping or theft.


Cryptomathic can work with any existing client authentication method that complies with the eIDAS regulation, so no additional installation on the end clients’ side is needed.

As regards databases, we support a variety of types, which gives clients more freedom to work with technology they already know. Other providers force clients to adapt, as they bring their system with a built-in database.

In summary, we commit ourselves to always providing the highest security level and to being as flexible as possible. And we are proud that our inventions, e.g. “What You See Is What You Sign” (WYSIWYS), have been copied by our competitors and are also referred to within the ETSI standards for eIDAS compliance.

To say it with the words of Oscar Wilde: “They say imitation is the sincerest form of flattery.”
