eIDAS for Remote (Centralised Server) Signing

What is eIDAS?

Evaluation and certification of trustworthy systems and signature and seal creation devices becomes increasingly important due to the new eIDAS regulation (EU Regulation No. 910/2014) that entered into force in the 28 EU Member States in July 2016. eIDAS is an EU regulation on electronic identification (eID) and trust services (AS), which was established to promote economic growth in the European digital single market, by enhancing the convenience and security of online transactions across EU borders. This is accomplished by establishing a European internal market for Trust Services, including various types of electronic signatures and seals, time stamps, electronic delivery services and website authentication, provided by Trust Service Providers (TSPs).

How it is used?

Ultimately, under the eIDAS regulation, citizens and businesses are able to use their native electronic identification schemes (eIDs) when accessing public services within other EU Member States that use eIDs, and use trust services have the same legal status as traditional paper-based processes and signatures. Digital signatures and seals with different trust levels are specified under eIDAS:

• Electronic signatures or seals: anything which is used to sign to ensure origin and integrity of data (yet no trust in the identity is provided).
• Advanced electronic signatures or seals: an electronic signature or seal with sole control properties. The advanced electronic signature or seal is created with a signature (seal) creation device (i.e. a software key or smart card). 
• Qualified electronic signatures or seals: an advanced electronic signature or seal, which satisfies technical and security requirements as specified in the regulation. This type of signature or seal is created with a qualified signature creation device, which is certified against eIDAS requirements and standards.

Common Criteria?

International (technical) standards play a key role in ensuring transparency and high security for online transactions. The Common Criteria (ISO/IEC 15408) standard is one of the standards that supports eIDAS by providing assurance of, inter alia, the security of trustworthy systems, and signature (and seal) creation devices (International Organization for Standardization, 2009). Various Protection Profiles for Common Criteria evaluations and certification have been developed for local signature generation (i.e. on smart cards or USB tokens), such as the TS 419 211 part 1-6 (Protection Profiles for Secure Signature Creation Device).

Creation of signatures on Central Servers?

New Protection Profiles are being developed by the European Committee for Standardization 

(CEN). These will comprise the requirements for trustworthy systems supporting server signing, also known as central signing, server-side signing or cloud signing, which is employed to allow signatures (and seals) to be created remotely with the user’s signing keys. A Trustworthy Systems Supporting Server Signing is illustrated in the figure below. The remote protected environment, providing server signing capabilities, comprises a Server Signing Application (SSA) and a (Qualified) Signature Creation Device (QSCD). The user may use his mobile phone or any other personal device to remotely sign documents with qualified electronic signatures.

Summary

The new eIDAS regulation provides increased security and convenience for electronic identification and the use of trust services within the EU. Advantages of eIDAS include the recognition of native electronic identification schemes in all EU member states that use eIDs, and that trust services have the same legal status as paper-based processes and signatures. There are different types of signatures (and seals) with different trust levels, including electronic signatures or seals, advanced electronic signatures or seals and qualified electronic signatures or seals. Both local and remote signing, using qualified electronic signatures, require compliance to international standards in the eIDAS standards framework, including Common Criteria evaluations against Protection Profiles for, inter alia, Secure Signature Creation Devices (EN 419 211) and Trustworthy Systems Supporting Server Signing (EN 419 241 - draft).

Even though eIDAS entered into force more than a year ago, many aspects of the regulation are still under development. For instance, various standards for certification of components used for signing with qualified electronic signatures are still under drafting. It therefore remains to be seen what challenges will emerge in the future. Stay tuned for more information on eIDAS!

References and Further Reading

ANSSI (2016). Protection Profile for Trusted Signature Creation Module in TW4S (PP-RSCD-TSCM/TW4S v1.2).

DIN (n.d.). Trustworthy Systems Supporting Server Signing - Part 2: Protection profile for QSCD for Server Signing; German and English version prEN 419241-2:2017. [online] Available at: https://www.din.de/en/getting-involved/standards-committees/nia/projects/wdc-proj:din21:235880560 [Accessed 12 December 2017]

ETSI (2013). ETSI ESI Workshop: Signing in the Cloud. CEN Server Signing TS 419 241 part 1. [online] Available at: https://docbox.etsi.org/workshop/2013/201303_SIGNATURES_IN_CLOUD/3b-CEN-Server-Signing.pdf [Accessed 12 December 2017]

International Organization for Standardization (2009). ISO/IEC 15408: Information technology -- Security techniques -- Evaluation criteria for IT security.

Leroy, F. and Hernandez-Ardieta, J.L. (2012). Update from CEN TC 224 WG 17: Progress Status, Server Signing Standard and other related Protection Profiles. In 13^th International Common Criteria Conference (ICCC 2012), Paris.  

- Dorien Koelemeijer  &

Rasma Araby