This article explains the Signature Activation Protocol in the context of eIDAS-compliant central signing. It sheds light on its purpose and outlines its implementation for remote/central signature servers.
With eIDAS repealing Directive 1999/93/EC, remote electronic signatures have finally received legal recognition. For the electronic signature with the strongest legal value, the qualified electronic signature, the regulation describes requirements for the device that generates and operates the signing key.
Some of these requirements are obvious: an attacker shall not have an easy job deriving the signing key value and the signing device must protect the key in a highly secure environment. An important logical requirement is that the signing key shall only be usable by the legitimate owner.
The industry knows very well that the obvious requirements can be achieved by using hardware security modules (HSMs). The implications of the logical requirement are, however, not widely understood. How is the signatory supposed to securely access a remote HSM to approve a signature operation?
For remote electronic signatures, we use the example of a signatory who wants to sign a document on his/her online device (tablet or laptop). In this case, the user’s device communicates with a remote server that has access to the HSM protecting the signing key.
For physical protection of the signature keys, the keys are generated and used within the secure, tamper-protected boundaries of an HSM. To match this highly secure environment, TS 419 241:2014 requires that the authorization for activating the signature keys is also carried out inside the HSM. This is illustrated below with the blue arrow from the user device to the HSM.
The protocol that is used to provide a secure signature authorization and activation process from the user device to the server and HSM is known as the Signature Activation Protocol (SAP). The purpose of the protocol is to allow the signatory to activate the signing key in the HSM and generate a signature.
The requirements for the SAP are typical for a cryptographic protocol: confidentiality and integrity of transmitted data must be guaranteed, and the protocol must be resistant to attacks such as man-in-the-middle (MIM) and replay.
In the signature activation protocol, data for activating the signing key for signature operation is transmitted from the user’s device to the HSM. This signature activation data must be designed such that it links together information about:
The signatory specifies information that the HSM can relate to the signatory account and use to identify the signatory. Authentication used for signature activation can be as simple as a username/password and an OTP, or more advanced data like a SAML assertion demonstrating that the signatory has already been identified.
Regardless of the chosen authentication scheme, the HSM must verify the values; either password and OTP in the simple case or the SAML assertion in the advanced case.
The link is to be taken seriously and is not trivial to achieve. The requirement is there to ensure that when the signatory provides his/her authentication credentials, they can only be used for authorizing a signature for the intended document. Without this requirement, one could imagine, for example, a SAML assertion being used to sign documents other than those the signatory intended.
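The linkage and the replay resistance described above can be sketched as follows. This is an added illustration, not code from the article or a format defined by TS 419 241:2014. Assumptions: a per-signatory HMAC secret stands in for the password/OTP or SAML assertion, and `ActivationModule`, `build_sad`, the field names and the nonce challenge are hypothetical.

```python
import hashlib, hmac, json, secrets

FIELDS = ("signatory", "key_id", "doc_hash", "nonce")

def _mac(auth_key: bytes, body: dict) -> str:
    # Canonical JSON so both sides MAC identical bytes.
    data = json.dumps(body, sort_keys=True).encode()
    return hmac.new(auth_key, data, hashlib.sha256).hexdigest()

def build_sad(auth_key: bytes, signatory: str, key_id: str,
              document: bytes, nonce: str) -> dict:
    """User device: bind signatory, key and document hash under one MAC."""
    body = {"signatory": signatory, "key_id": key_id,
            "doc_hash": hashlib.sha256(document).hexdigest(), "nonce": nonce}
    return {**body, "tag": _mac(auth_key, body)}

class ActivationModule:
    """Hypothetical stand-in for the checks performed inside the HSM."""
    def __init__(self, accounts: dict):
        self.accounts = accounts      # signatory -> (auth_key, key_id)
        self.pending = {}             # signatory -> outstanding nonce

    def challenge(self, signatory: str) -> str:
        self.pending[signatory] = secrets.token_hex(16)
        return self.pending[signatory]

    def authorize(self, sad: dict, document: bytes) -> bool:
        account = self.accounts.get(sad.get("signatory"))
        if account is None:
            return False
        auth_key, key_id = account
        body = {f: sad.get(f) for f in FIELDS}
        if not hmac.compare_digest(_mac(auth_key, body), str(sad.get("tag"))):
            return False              # authentication failed or SAD altered
        if body["key_id"] != key_id:
            return False              # SAD names a key of another account
        if body["doc_hash"] != hashlib.sha256(document).hexdigest():
            return False              # SAD authorizes a different document
        # Nonce is single-use: it is consumed here, so replaying the SAD fails.
        nonce = self.pending.pop(body["signatory"], None)
        return nonce is not None and hmac.compare_digest(nonce, str(body["nonce"]))

def demo() -> tuple:
    key = b"constructed-demo-secret"            # constructed sample value
    hsm = ActivationModule({"alice": (key, "key-1")})
    sad = build_sad(key, "alice", "key-1", b"contract A", hsm.challenge("alice"))
    return (hsm.authorize(sad, b"contract B"),  # other document
            hsm.authorize(sad, b"contract A"),  # intended document
            hsm.authorize(sad, b"contract A"))  # replay of the same SAD
```

`demo()` shows the three outcomes: the same activation data is refused for a different document, accepted once for the intended one, and refused when replayed.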
In support of the European Committee for Standardization (CEN), Cryptomathic have participated in the working group CEN TC224 WG17 and played an active part to establish technical specifications and standards for remote electronic signatures. The published document TS 419 241:2014 describes security requirements for a trustworthy system supporting remote signing and it covers terms and requirements for how the logical requirement can be achieved.