eIDAS

eIDAS – EU regulation on electronic identification and trust services

Hardware Security Modules as Root of Trust for trust service providers

The eIDAS regulation is meant to boost economic growth by encouraging trust in the digital world and the European digital single market. Transparency and the highest security standards are at the basis of creating such a trusted environment. As an HSM manufacturer, Utimaco is at the forefront of defining the related security requirements. The CryptoServer Se-Series Gen2 achieves conformity with eIDAS via a Common Criteria certification acc. EN 419221-5.

Listen to Alexander Eßer from Bank-Verlag speak about Bank-Verlag as a Trust Service Provider (TSP), regulatory requirements set forward by eIDAS to offer qualified signatures and the role of cryptography and Utimaco HSMs.

Challenges addressed by eIDAS

Adopted in July 2016, EU Regulation N°910/2014 on electronic identification (eID) and trust services (eTS) set a milestone for access to public services and secure online transactions across EU state borders. At the core of the so-called eIDAS regulation, electronic interactions between citizens, businesses (especially SMEs) and public authorities shall be facilitated. Major challenges that the regulation addresses mainly derive from trust services previously regulated on a national level. The preceding EU eSignature Directive focused on certificates for electronic signatures only. This created systems with numerous differences in compliance requirements, legal status and validity of trust services.

Electronic trust services across borders consist of [acc. eIDAS Art. 3 (16)]:

• “the creation, verification, and validation of electronic signatures, electronic seals or electronic timestamps, electronic registered delivery services and certificates related to these services, or
• the creation, verification and validation of certificates for website authentication, or
• the preservation of electronic signatures, seals or certificates related to these services.”

For the future, common technical standards, as well as data protection and privacy standards are key to ensuring a transparent and sufficiently secure environment for online transactions across borders.

The role of a Hardware Security Module for trust service providers

For the secure execution of their operations and services, trust service providers can rely on cryptographic modules to be used as qualified electronic signature creation devices, such as smart cards or Hardware Security Modules (HSMs). “Conformity of qualified electronic signature creation devices with [EU] requirements […] shall be certified by appropriate public or private bodies designated by Member States” (acc. eIDAS Art. 30 & 31).

At this point in time, the definition of the detailed technical requirements is still in progress (see current requirements in the information box below). The Common Criteria Protection Profiles EN 419221-5 “Cryptographic Modules for Trust Services” and EN 419241-2 “Protection Profile for QSCD for Server Signing” – which mandates a cryptographic module certified to EN 419221-5 – play a major role in fulfilling these requirements.

As an HSM manufacturer, Utimaco is at the forefront of

• defining these technical requirements by participating in the working group CEN TC 224 WG17 and thus
• achieves conformity with eIDAS requirements.

The Common Criteria certification for Utimaco CryptoServer Se-Series Gen2 acc. EN 419221-5 anticipates the upcoming regulatory changes as well as related partner and customer requirements.

Want to know what eIDAS is, why it is important and understand the timeline of implementation? Take a look at our blog post.

Requirements for qualified electronic signature creation devices [acc. eIDAS Annex II]

1. Qualified electronic signature creation devices shall ensure, by appropriate technical and procedural means, that at least:
   1. the confidentiality of the electronic signature creation data used for electronic signature creation is reasonably assured;
   2. the electronic signature creation data used for electronic signature creation can practically occur only once;
   3. the electronic signature creation data used for electronic signature creation cannot, with reasonable assurance, be derived and the electronic signature is reliably protected against forgery using currently available technology;
   4. the electronic signature creation data used for electronic signature creation can be reliably protected by the legitimate signatory against use by others.
2. Qualified electronic signature creation devices shall not alter the data to be signed or prevent such data from being presented to the signatory prior to signing.
3. Generating or managing electronic signature creation data on behalf of the signatory may only be done by a qualified trust service provider.
4. Without prejudice to point (d) of point 1, qualified trust service providers managing electronic signature creation data on behalf of the signatory may duplicate the electronic signature creation data only for back-up purposes provided the following requirements are met:
   1. the security of the duplicated datasets must be at the same level as for the original datasets;
   2. the number of duplicated datasets shall not exceed the minimum needed to ensure continuity of the service.