As defined by Regulation (EU) No 910/2014 (eIDAS), which took effect on 1 July 2016, an electronic signature creation device is software or hardware that has been configured to generate an electronic signature. However, for such a device to be considered a secure signature creation device (SSCD), it must meet the specifications that are stipulated in Annex II of eIDAS
Requirements for Secure Signature Creation Devices
Annex II of eIDAS lists the minimal requirements that must be followed in order to consider an electronic signature creation device as an SSCD. These requirements include that the device, by way of appropriate technical and procedural means must reasonably assure the confidentiality of the signatory’s private signing key that will be used to create an electronic signature. This data used for electronic signature creation must be unique and kept under the sole control of the user.
To be considered secure, the signature creation data (SCD) used to create the electronic signature must provide reasonable protection through technology that is currently available against duplication or forgery of the SCD. The SCD used to create the secure signature must be capable of remaining under the sole control of the signatory to prevent unauthorized use by others. A SSCD is not permitted to alter the data that is accompanying the signature or prevent presenting this data to the signatory before signing has occurred.
Types of Secure Signature Creation Devices
There are different approaches to providing SSCDs. Local SSCDs may include smart cards or USB tokens that must remain under the control of the signatory. There are advantages and disadvantages to using these types of SSCDs. They are portable, yet may present a problem if their specific hardware driver is not available on the platform the device is used from. A smart card reader is required to use a smart card, which not all electronic devices possess. A USB token can be read from almost any USB drive. Another consideration with a local SSCD is the risk of losing that device.
Another type of SSCD is a software solution that is operated from a central server, such as the Cryptomathic Signer. One of the biggest benefits of using a central solution is that it can be run from almost anywhere there is a connection to the Internet regardless of the client’s platform, provided that strong authentication is available. Central signing can be seamlessly integrated with user-side mobile devices, web browsers or client PC applications. Instead of supplying a private signing key on a smart card or USB token, the key is generated and used centrally while remaining under the sole control of its signatory. As there is no dedicated signing hardware needed on the user-side, central signing is cost effective for large scale deployments.
Preparing Secure Signature Creation Devices
When a local SSCD is issued, it must done securely, as required under the guidelines set by eIDAS.
- The service provider must securely control the preparation of the SSCD.
- The SSCD must be kept secure when in use and while in storage.
- Deactivation and reactivation of the SSCD must be securely controlled
- User activation data, such as a PIN code must be securely prepared and delivered separately from the SSCD
With a central SSCD solution, which can be operated by a trust service provider, strong authentication is key to protecting users’ information. Cryptomathic Signer, for example, builds upon 2-factor authentication, and requires users to be authenticated before signing their messages. Using PKI, a private/public key pair and a certificate are created for the user. The private keys and certificates are stored centrally and secured using hardware security modules (HSMs). Using Strong authentication combined with a secure signature activation protocol between the user and the HSM helps ensure non-repudiation and provides the level of security that secures legally binding consent.
The international standard for computer security certification is ISO/IEC 15408, known as the Common Criteria for Information Technology Security Evaluation (Common Criteria). This framework allows computer system users to specify their security functional requirements (SFRs) and assurance requirements (SARs) by using Protection Profiles (PPs). The vendor, which in the case of SSCD certificate authorities, are then required to implement said requirements and attest to the security attribute of their product. A testing laboratory can then evaluate the product to ensure that the level of security is as claimed.
In order for an electronic signature to achieve a Qualified Electronic Signature status, the SSCD must be tested and certified as meeting the security requirements of a Qualified Signature Creation Device (QSCD). A QSCD qualifies a digital signature through its software and hardware to ensure that the signatory has sole control over their private key, that the signature creation data is generated and managed by a qualified trust service provider, and that the signature creation data is unique, confidential and protected from forgery.
Governments rely on Common Criteria as the basis for certifying SSCDs and critical infrastructure. Many countries, including EU Member States have agreed through the Common Criteria Recognition Arrangement (CCRA) to recognize Common Criteria standard evaluations performed by other parties.
The use of SSCDs to provide secure electronic signatures helps facilitate business processes online that save both time and money for private and public sector transactions.
References and Further Reading
- Selected articles on Authentication (2014-16), by Heather Walker, Luis Balbas, Guillaume Forget,and Dawn M. Turner
- Selected articles on Electronic Signing and Digital Signatures (2014-16), by Ashiq JA, Guillaume Forget, Peter Landrock, Torben Pedersen, Dawn M. Turner and Tricia Wittig
- REGULATION (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (2014) by the European Parliament and the European Commission
- Recommendations for the Security of Internet Payments (Final Version) (2013), by the European Central Bank
- Draft NIST Special Publication 800-63-3: Digital Authentication Guideline (2016), by the National Institute of Standards and Technology, USA.
- NIST Special Publication 800-63-2: Electronic Authentication Guideline (2013), by the National Institute of Standards and Technology, USA.
- Security Controls Related to Internet Banking Services (2016), Hong Kong Monetary Authority
Image: "Server Room", courtesy of Torkild Retvedt, (CC BY-SA 2.0)