Secure signature creation device

Last updated February 06, 2025

A secure signature creation device (SSCD) is a specific type of computer hardware or software that is used in creating an electronic signature. To be put into service as a secure signature creation device, the device must meet the rigorous requirements laid out under Annex II of Regulation (EU) No 910/2014 (eIDAS), where it is referred to as a qualified (electronic) signature creation device (QSCD). Using secure signature creation devices helps in facilitating online business processes that save time and money with transactions made within the public and private sectors.^[1]^[2]^[3]

Description

The minimum requirements that must be met to elevate an electronic signature creation device to the level of a secure signature creation device are provided in Annex II of eIDAS. Through appropriate procedural and technical means, the device must reasonably assure the confidentiality of the data used to create an electronic signature. It further must ensure that the data used to create an electronic signature is unique and only used once. Lastly it shall only allow a qualified trust service provider or certificate authority to create or manage a signatory’s electronic signature data.^[2]

To ensure security, signature creation data used by the SSCD to create an electronic signature must provide reasonable protection through current technology to prevent forgery or duplication of the signature. The creation data must remain under the sole control of its signatory to prevent unauthorized use. The SSCD itself is prohibited from altering the signature’s accompanying data.^[1]

When a trust service provider or certificate authority places an SSCD into service, they must securely prepare the device according to Annex II of eIDAS in fully compliance to the following three conditions:^[4]^[1]

While in use or in storage, the SSCD must remain secure.
Further, a reactivation and deactivation of the SSCD must occur under secure conditions.
Any user activation data, include PIN codes be delivered separately from the SSCD after being prepared securely.

International security assurance requirements for SSCDs

The secure signature creation device must also meet the international standard for computer security certification, referred to as the Common Criteria for Information Technology Security Evaluation (ISO/IEC 15408).^[5] This standard gives computer system users the ability to specify security requirements via Protection Profiles (PPs) for security functional requirements (SFRs) and security assurance requirements (SARs).^[1]^[3] The trust service provider or certificate authority is the required to implement the specified requirements and attest to their product’s security attributes. A third-party testing laboratory then evaluates the device to ensure that the level of security is as claimed by the provider.^[6]

Central authentication service

When a secure signature creation device is used as part of a central authentication service (CAS), it may act as a CAS server in multi-tier authentication scenarios. The CAS software protocol allows users to be authenticated when signing into a web application.

The common scheme for a CAS protocol includes the client’s web browser, an application requesting authentication and the CAS server. When authentication is needed, the application will send a request to the CAS server. The server will then compare the user’s credentials against its database. If the information matches, the CAS will respond that the user has been authenticated.^[1]^[3]

Legal implications regarding secure signature creation devices

eIDAS has provided a tiered approach to determining the legal implications of electronic signatures. A signature that has been created with a secure signature creation device is considered to have the strongest probative value. A document or message that has been signed with such a device is non-repudiable, meaning the signatory cannot deny they are responsible for the creation of the signature.^[2]

Regulation (EU) No 910/2014 (eIDAS) evolved from Directive 1999/93/EC, the Electronic Signatures Directive. The intent of the directive was to make EU Member States responsible for creating legislation that would allow for the creation of the European Union’s electronic signing system. The eIDAS Regulation required all Member States to follow its specifications for electronic signatures by its effective date of 1 July 2016.^[7]^[8]

Related Research Articles

In cryptography, a public key certificate, also known as a digital certificate or identity certificate, is an electronic document used to prove the validity of a public key. The certificate includes the public key and information about it, information about the identity of its owner, and the digital signature of an entity that has verified the certificate's contents. If the device examining the certificate trusts the issuer and finds the signature to be a valid signature of that issuer, then it can use the included public key to communicate securely with the certificate's subject. In email encryption, code signing, and e-signature systems, a certificate's subject is typically a person or organization. However, in Transport Layer Security (TLS) a certificate's subject is typically a computer or other device, though TLS certificates may identify organizations or individuals in addition to their core role in identifying devices. TLS, sometimes called by its older name Secure Sockets Layer (SSL), is notable for being a part of HTTPS, a protocol for securely browsing the web.

An electronic signature, or e-signature, is data that is logically associated with other data and which is used by the signatory to sign the associated data. This type of signature has the same legal standing as a handwritten signature as long as it adheres to the requirements of the specific regulation under which it was created.

Information security standards are techniques generally outlined in published materials that attempt to protect a user's or organization's cyber environment. This environment includes users themselves, networks, devices, all software, processes, information in storage or transit, applications, services, and systems that can be connected directly or indirectly to networks.

A mobile signature is a digital signature generated either on a mobile phone or on a SIM card on a mobile phone.

Electronic authentication is the process of establishing confidence in user identities electronically presented to an information system. Digital authentication, or e-authentication, may be used synonymously when referring to the authentication process that confirms or certifies a person's identity and works. When used in conjunction with an electronic signature, it can provide evidence of whether data received has been tampered with after being signed by its original sender. Electronic authentication can reduce the risk of fraud and identity theft by verifying that a person is who they say they are when performing transactions online.

XAdES is a set of extensions to XML-DSig recommendation making it suitable for advanced electronic signatures. W3C and ETSI maintain and update XAdES together.

GlobalSign is a certificate authority and a provider of internet identity and security products. As of January 2015, Globalsign was the 4th largest certificate authority in the world, according to Netcraft.

The Revised Payment Services Directive (PSD2, Directive (EU) 2015/2366, which replaced the Payment Services Directive (PSD), Directive 2007/64/EC) is an EU Directive, administered by the European Commission (Directorate General Internal Market) to regulate payment services and payment service providers throughout the European Union (EU) and European Economic Area (EEA). The PSD's purpose was to increase pan-European competition and participation in the payments industry also from non-banks, and to provide for a level playing field by harmonizing consumer protection and the rights and obligations of payment providers and users. The key objectives of the PSD2 directive are creating a more integrated European payments market, making payments more secure and protecting consumers.

CAdES is a set of extensions to Cryptographic Message Syntax (CMS) signed data making it suitable for advanced electronic signatures.

PAdES is a set of restrictions and extensions to PDF and ISO 32000-1 making it suitable for advanced electronic signatures (AdES). This is published by ETSI as EN 319 142.

Electronic signature allows users to electronically perform the actions for which they previously had to give a signature on paper. Estonia's digital signature system is the foundation for some of its most popular e-services including registering a company online, e-banks, the e-voting system and electronic tax filing – essentially any services that require signatures to prove their validity.

The eIDAS Regulation is an EU regulation with the stated purpose of governing "electronic identification and trust services for electronic transactions". It passed in 2014 and its provisions came into effect between 2016 and 2018.

An advanced electronic signature is an electronic signature that has met the requirements set forth under EU Regulation No 910/2014 (eIDAS-regulation) on electronic identification and trust services for electronic transactions in the European Single Market.

ZertES is a Swiss Federal law that regulates the conditions under which trust service providers may use certification services with electronic signatures. Additionally, this law provides a framework that outlines the provider’s obligations and rights as they apply to providing their certification services.

A qualified electronic signature is an electronic signature that is compliant with EU Regulation No 910/2014 for electronic transactions within the internal European market. It enables to verify the authorship of a declaration in electronic data exchange over long periods of time. Qualified electronic signatures can be considered as a digital equivalent to handwritten signatures.

A trust service provider (TSP) is a person or legal entity providing and preserving digital certificates to create and validate electronic signatures and to authenticate their signatories as well as websites in general. Trust service providers are qualified certificate authorities required in the European Union and in Switzerland in the context of regulated electronic signing procedures.

In the context of Regulation (EU) No 910/2014 (eIDAS), a qualified digital certificate is a public key certificate issued by a trust service provider which has government-issued qualifications. The certificate is designed to ensure the authenticity and data integrity of an electronic signature and its accompanying message and/or attached data.

Banking as a service (BaaS) is the provision of banking products to non-bank third parties through APIs.

A qualified website authentication certificate is a qualified digital certificate under the trust services defined in the European Union eIDAS Regulation.

An electronic seal is a piece of data attached to an electronic document or other data, which ensures data origin and integrity. The term is used in the EU Regulation No 910/2014 for electronic transactions within the internal European market.

References

1 2 3 4 5 Turner, Dawn M. "What is a secure signature creation device". Cryptomathic. Retrieved 18 November 2016.
1 2 3 Turner, Dawn. "Understanding eIDAS". Cryptomathic. Retrieved 12 April 2016.
1 2 3 "Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC". EUR-Lex. The European Parliament and the Council of the European Union. Retrieved 18 March 2016.
↑ "Electronic Signatures and Infrastructures: Policy requirements for certification authorities issuing qualified certificates" (PDF). European Telecommunications Standards Institute. Retrieved 18 November 2016.
↑ "ISO/IEC 15408-1:2009 Information technology -- Security techniques -- Evaluation criteria for IT security -- Part 1: Introduction and general model". International Organization for Standardization (ISO). Retrieved 18 November 2016.
↑ Turner, Dawn M. "Trust service providers according to eIDAS". Cryptomathic. Retrieved 18 November 2016.
↑ Turner, Dawn M. "eIDAS from Directive to Regulation - Legal Aspects". Cryptomathic. Retrieved 18 March 2016.
↑ "Regulations, Directives and other acts". Europa.eu. The European Union. Archived from the original on 12 December 2013. Retrieved 18 March 2016.

External links

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[Turner-SSCD-1] 1 2 3 4 5 Turner, Dawn M. "What is a secure signature creation device". Cryptomathic. Retrieved 18 November 2016.

[Tuner_Understanding_eIDAS-2] 1 2 3 Turner, Dawn. "Understanding eIDAS". Cryptomathic. Retrieved 12 April 2016.

[eIDAS-EUR-Lex-3] 1 2 3 "Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC". EUR-Lex. The European Parliament and the Council of the European Union. Retrieved 18 March 2016.

[ETSI-SSCD-4] "Electronic Signatures and Infrastructures: Policy requirements for certification authorities issuing qualified certificates" (PDF). European Telecommunications Standards Institute. Retrieved 18 November 2016.

[ISO15408-5] "ISO/IEC 15408-1:2009 Information technology -- Security techniques -- Evaluation criteria for IT security -- Part 1: Introduction and general model". International Organization for Standardization (ISO). Retrieved 18 November 2016.

[Turner-TrustServiceProviders-6] Turner, Dawn M. "Trust service providers according to eIDAS". Cryptomathic. Retrieved 18 November 2016.

[Turner-eIDAS-from-directive-to-reg-7] Turner, Dawn M. "eIDAS from Directive to Regulation - Legal Aspects". Cryptomathic. Retrieved 18 March 2016.

[EU-difference-regulation-directive-8] "Regulations, Directives and other acts". Europa.eu. The European Union. Archived from the original on 12 December 2013. Retrieved 18 March 2016.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]