Secure signature creation device

A secure signature creation device (SSCD) is a specific type of computer hardware or software that is used in creating an electronic signature. To be put into service as a secure signature creation device, the device must meet the rigorous requirements laid out under Annex II of Regulation (EU) No 910/2014 (eIDAS), where it is referred to as a qualified (electronic) signature creation device (QSCD). Secure signature creation devices help facilitate online business processes that save time and money on transactions made within the public and private sectors. [1] [2] [3]

Description

The minimum requirements that must be met to elevate an electronic signature creation device to the level of a secure signature creation device are provided in Annex II of eIDAS. Through appropriate procedural and technical means, the device must reasonably assure the confidentiality of the data used to create an electronic signature. It further must ensure that the data used to create an electronic signature is unique and only used once. Lastly it shall only allow a qualified trust service provider or certificate authority to create or manage a signatory’s electronic signature data. [2]

To ensure security, signature creation data used by the SSCD to create an electronic signature must provide reasonable protection through current technology to prevent forgery or duplication of the signature. The creation data must remain under the sole control of its signatory to prevent unauthorized use. The SSCD itself is prohibited from altering the signature’s accompanying data. [1]

When a trust service provider or certificate authority places an SSCD into service, they must securely prepare the device according to Annex II of eIDAS, in full compliance with the following three conditions: [4] [1]

  1. While in use or in storage, the SSCD must remain secure.
  2. Reactivation and deactivation of the SSCD must occur under secure conditions.
  3. Any user activation data, including PIN codes, must be delivered separately from the SSCD after being prepared securely.

International security assurance requirements for SSCDs

The secure signature creation device must also meet the international standard for computer security certification, referred to as the Common Criteria for Information Technology Security Evaluation (ISO/IEC 15408). [5] This standard gives computer system users the ability to specify security requirements via Protection Profiles (PPs) for security functional requirements (SFRs) and security assurance requirements (SARs). [1] [3] The trust service provider or certificate authority is then required to implement the specified requirements and attest to their product’s security attributes. A third-party testing laboratory then evaluates the device to ensure that the level of security is as claimed by the provider. [6]

Central authentication service

When a secure signature creation device is used as part of a central authentication service (CAS), it may act as a CAS server in multi-tier authentication scenarios. The CAS software protocol allows users to be authenticated when signing into a web application.

The common scheme for a CAS protocol includes the client’s web browser, an application requesting authentication and the CAS server. When authentication is needed, the application will send a request to the CAS server. The server will then compare the user’s credentials against its database. If the information matches, the CAS will respond that the user has been authenticated. [1] [3]
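
The exchange described above, modelled as an added example that is not part of the original article. It assumes the ticket-based form of the CAS protocol, in which the browser sends credentials only to the CAS server and the application redeems a single-use service ticket; the class, method names, URLs, account and ticket lifetime are constructed for illustration.

```python
import hashlib, hmac, secrets, time

TICKET_TTL = 10  # seconds; assumed value, service tickets are short-lived

class CasServer:
    """Toy CAS server: verifies credentials, issues and validates service tickets."""
    def __init__(self):
        self._users = {}    # username -> (salt, password hash)
        self._tickets = {}  # ticket -> (username, service, expiry)

    def _hash(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, username, password):
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._hash(password, salt))

    def login(self, username, password, service):
        """Browser -> CAS: check credentials, return a ticket bound to `service`."""
        salt, stored = self._users.get(username, (b"\0" * 16, b""))
        # Constant-time comparison; unknown users still cost one hash.
        if not hmac.compare_digest(self._hash(password, salt), stored):
            return None
        ticket = "ST-" + secrets.token_urlsafe(24)
        self._tickets[ticket] = (username, service, time.monotonic() + TICKET_TTL)
        return ticket

    def validate(self, ticket, service):
        """Application -> CAS: redeem a ticket once; return the username or None."""
        entry = self._tickets.pop(ticket, None)  # pop makes the ticket single-use
        if entry is None:
            return None
        username, bound_service, expiry = entry
        if bound_service != service or time.monotonic() > expiry:
            return None
        return username

def run_demo():
    cas = CasServer()
    cas.add_user("alice", "correct horse")  # constructed sample account
    app = "https://app.example/"             # constructed service URL
    ticket = cas.login("alice", "correct horse", app)
    stolen = cas.login("alice", "correct horse", app)
    return {
        "bad_password": cas.login("alice", "wrong", app),
        "wrong_service": cas.validate(stolen, "https://other.example/"),
        "first_use": cas.validate(ticket, app),
        "replay": cas.validate(ticket, app),
    }

if __name__ == "__main__":
    print(run_demo())
```

The application never handles the password: it only learns the username after the CAS server accepts the ticket, and a ticket presented twice or to a different service is rejected.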

eIDAS has provided a tiered approach to determining the legal implications of electronic signatures. A signature that has been created with a secure signature creation device is considered to have the strongest probative value. A document or message that has been signed with such a device is non-repudiable, meaning the signatory cannot deny they are responsible for the creation of the signature. [2]

Regulation (EU) No 910/2014 (eIDAS) evolved from Directive 1999/93/EC, the Electronic Signatures Directive. The intent of the directive was to make EU Member States responsible for creating legislation that would allow for the creation of the European Union’s electronic signing system. The eIDAS Regulation required all Member States to follow its specifications for electronic signatures by its effective date of 1 July 2016. [7] [8]

References

  1. Turner, Dawn M. "What is a secure signature creation device". Cryptomathic. Retrieved 18 November 2016.
  2. Turner, Dawn. "Understanding eIDAS". Cryptomathic. Retrieved 12 April 2016.
  3. "Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC". EUR-Lex. The European Parliament and the Council of the European Union. Retrieved 18 March 2016.
  4. "Electronic Signatures and Infrastructures: Policy requirements for certification authorities issuing qualified certificates" (PDF). European Telecommunications Standards Institute. Retrieved 18 November 2016.
  5. "ISO/IEC 15408-1:2009 Information technology -- Security techniques -- Evaluation criteria for IT security -- Part 1: Introduction and general model". International Organization for Standardization (ISO). Retrieved 18 November 2016.
  6. Turner, Dawn M. "Trust service providers according to eIDAS". Cryptomathic. Retrieved 18 November 2016.
  7. Turner, Dawn M. "eIDAS from Directive to Regulation - Legal Aspects". Cryptomathic. Retrieved 18 March 2016.
  8. "Regulations, Directives and other acts". Europa.eu. The European Union. Archived from the original on 12 December 2013. Retrieved 18 March 2016.