/Logo%202023.svg "Logo 2023"){kind=small}
/Group.svg "Group"){kind=small}
Thomas Pedersen
As part of the global drive for digital transformation, legally binding digital signatures are at the forefront of many businesses’ ambitions to provide an enhanced and complete digital customer journey. Even though most people can understand the general concept of digital signatures, reaching the highest level of assurance with a Qualified Electronic Signature contains quite a few things to consider.
Here we provide a high-level comparison between Cryptomathic Signer and other eIDAS remote signing solutions available in the market.
Let’s start with the certification
Cryptomathic Signer is one of the few (if not only) remote signing solutions that has been Common Criteria Certified according to the “composite” evaluation. This evaluation requires the audits to review both the Signature Activation Module (SAM) and the underlying cryptographic module together. This means that a single evaluation covers both the SAM and the Hardware Security Module (HSM). The alternative is that the HSM and SAM are evaluated separately – in this case, the security guarantees provided by the HSM may not match the requirements of the SAM (and vice-versa). That “compatibility” of the composed system will then have to be evaluated in some other way.
For this reason, the exact model of the HSM is stated in the Security Target for the CC certification of Cryptomathic Signer. Additionally, for security reasons, we strongly advise that the SAM should be hosted in the HSM. Our composite evaluation made it possible to do just that: have the SAM inside the HSM and thus take full advantage of the CC certification of the HSM
Other signing solutions do not explicitly mention the cryptographic module nor the tamper protection hardware. Since our certification explicitly mentions the HSM, the customer is guaranteed (by the CC certificate) that the SAM and HSM are both secure when the SAM is installed on the HSM.
Vendors that do not mention the HSM model cannot give the same guarantee: it is not clear how they can ensure that the composition of SAM and HSM is secure.
There are currently several easier audit approaches on the eIDAS requirements, which other vendors have taken. We are proud that the attestation for Cryptomathic Signer is more comprehensive and has the most detailed assessment of the security of the system.
By taking the more secure and technically advanced approach for certification, Cryptomathic Signer is likely to be better aligned with future changes to the eIDAS certification requirements and, thereby, a more future-proof option for our clients.
Flexibility for leveraging existing IT security infrastructure
Cryptomathic can leverage all kinds of strong authentication methods from clients as we only ask for a SAML assertion. Whereas others force users to install an app on a smartphone as the only way to authenticate. And with only a mobile phone (“something you have”) and a PIN code (“Something you know”) or a fingerprint (“Something you are”) on the same physical mobile phone we would question if this is enough to protect against eavesdropping or theft.
Cryptomathic can work with any existing authentication method from the clients which comply to the eIDAS regulation, so no additional installation at end clients is needed.
In regards to databases, we support a variety of types which gives more freedom to work with already known technology on the client-side. Other providers force clients to adapt as they bring their system with a built-in database.
In summary, we commit ourselves to always provide the highest security level and to be as flexible as possible. And we are proud that our inventions, e.g. “What You See Is What You Sign” (WYSIWYS), have been copied by our competitors and are also referred to within ETSI standards for eIDAS compliance.
To say it with the words of Oscar Wilde: “They say imitation is the sincerest form of flattery.”
References
- Selected articles on eIDAS (2014-today), by Gaurav Sharma, Guillaume Forget, Jan Kjaersgaard, Dawn M. Turner, and more
- CEN/TC 224 - Trustworthy Systems Supporting Server Signing Part 2: Protection Profile for QSCD for Server Signing (05.2018), by AFNOR
- Conformity assessment of Trust Service Providers - Technical guidelines on trust services (2017), by the European Agency for Cyber Security
- Mutual Recognition Agreement of Information Technology Security Evaluation Certificates, VERSION 3.0 (Jan, 2010), SOG-IS
- Trustworthy Systems Supporting Server Signing Part 2: Protection
Profile for QSCD for Server Signing (2019) by CEN/TC 224 - About The Common Criteria (retrieved October 2020), by Common Criteria
- Benefits of the eIDAS Toolbox – Case Studies from Various Industries (Part 1) (2018), by Gaurav Sharma
- Benefits of the eIDAS Toolbox – Case Studies from Various Industries (Part 2) (2018), by Gaurav Sharma
- Digital Trade and Trade Financing - Embracing and Shaping the Transformation (2018), by SWIFT & OPUS Advisory Services International Inc
- REGULATION (EU) No 1316/2013 establishing the Connecting Europe Facility, amending Regulation (EU) No 913/2010 and repealing Regulations (EC) No 680/2007 and (EC) No 67/2010(12/2013), by the European Parliament and the European Council
- Selected articles on Electronic Signing and Digital Signatures (2014-today), by Ashiq JA, Gaurav Sharma, Guillaume Forget, Jan Kjaersgaard , Peter Landrock, Torben Pedersen, Dawn M. Turner, and more
- The European Interoperability Framework - Implementation Strategy (2017), by the European Commission