In this blog post, I want to limit myself to the essential basis of eIDAS, the HSM (Hardware Security Module). If you want more information about eIDAS, please visit the websites mentioned at the end of this article.
eIDAS stands for “Electronic Identification and Trust Services for electronic transactions in the Internal Market”.
eIDAS is described in EU Regulation 910/2014. With it, the EU regulates the market: digital borders are disappearing, and the means for electronic identification (eID) of one EU country can be accepted by the other member states.
A large part of this law concerns trust services, such as electronic signatures, electronic delivery, electronic seals and website authentication. The eIDAS regulation ensures that electronic signatures have the same legal validity as handwritten signatures, so that contracts can be ratified digitally.
Figure: Federal Information Processing Standard (FIPS) 140-2
This standard is maintained by the National Institute of Standards and Technology (NIST), a US government organization. FIPS 140-2 defines four security levels at which a module can be evaluated.
Common Criteria is an internationally recognized set of standards for the evaluation of security hardware and software. It is a tightly regulated process with the following characteristics:
If an HSM has been evaluated in accordance with Common Criteria, it is recommended that the Evaluation Assurance Level (EAL) be at least 4.
Such uniform standards give companies new opportunities to do business. They can tap into new markets and do business in other European countries in a very safe and compliant way. The most relevant Protection Profile for HSMs, “Cryptographic Module for Trust Services”, has recently been certified by an approved test laboratory. […] Please note that only the HSM of a German manufacturer is being evaluated in accordance with this Protection Profile where the definitive Common Criteria certification is expected in Q3 2018.
No HSM manufacturer has been certified so far! Do not be confused by the mentions at https://www.commoncriteriaportal.org/products/.
HSM manufacturers have an active role in drafting security requirements and Protection Profiles at the European Committee for Standardization (CEN).
The goal is set for secure qualified signatures, seals and timestamps in accordance with the EU eIDAS regulation.
Certification against the correct Protection Profile guarantees that the HSM may be used for eIDAS applications. For this, see mainly https://www.commoncriteriaportal.org/files/ppfiles/ANSSI-CC-PP-2016_05%20PP.pdf.
Some manufacturers like to refer to the website listing approved products (https://www.commoncriteriaportal.org/products/); however, to this day, there is no HSM certified against the correct Protection Profile!
Note: Within the EU, the Protection Profile for Secure Signature Creation Devices (SSCD) (European standard CWA 14169) is a valuable profile for evaluation.
The title of this piece, “Do not make the wrong choice”, is a warning against a misguided investment. At this moment, there is no HSM certified for eIDAS applications. It is also NOT possible to “upgrade” an already purchased HSM to CC EAL 4+, because certain conditions and requirements have to be met from production and logistics onwards.
Who are the main players on the European market?
The HSM market is undergoing consolidation. There used to be three players: Thales (including nCipher), Gemalto (including SafeNet) and Utimaco. In the past year, Thales announced its intention to acquire Gemalto, and Utimaco did the same for Atalla, the payment HSM division of Micro Focus. Utimaco is a real “runner-up” in the HSM market and is growing fast by supplying a very cost-effective, flexible and reliable complete system.