Utimaco: Secure Transactions with eIDAS
Under eIDAS, the EU aims to facilitate cross-border digital transactions and pave the way for a Digital Single Market. Qualified electronic signatures and seals play a decisive role in achieving this goal. Thanks to eIDAS, users can also obtain both as a service, via remote signing and sealing. How do users benefit from it? And what do trust service providers need to implement?
Europe’s Move to a Single Digital Market
As more online transactions take place, electronic identification and electronic signature capabilities are needed to do this safely. Previously, each EU country had its own individual specifications, so there was no uniform legal standard. This made cross-border digital transactions difficult. Documents had to be printed, signed by hand and then sent by post. This was costly, complicated and an anachronism in the age of digitization. Today, companies need continuous digital processes to compete internationally.
To make future cross-border digital transactions possible, the EU Commission adopted the eIDAS Regulation. Its purpose was to provide the foundation for a digital single European market, thereby improving the competitiveness of European companies and boosting economic growth. On 17 September 2014, the EU Regulation 910/2014 on Electronic Identification and Trust Services for Electronic Transactions in the Internal Market (eIDAS) was written into law. It has been in effect since 1 July 2016 and replaces the previous EU Signature Directive 1999/93/EC. The eIDAS Regulation includes EU-wide, uniform rules on two areas: electronic identification (eID) and trust services. Trust services include the creation, verification and validation of electronic signatures, seals and electronic time stamps, which are needed to guarantee the origin, trustworthiness and immutability of a document.
eIDAS standardizes these services across the EU, and the EU Commission now mandates them for many transactions. To ensure authenticity and security, the Payment Services Directive PSD2 also explicitly refers to qualified certificates for website authentication and seals as defined in eIDAS.
As of 1 July 2016, companies can offer qualified trust services that are compliant with eIDAS and carry the European Trustmark. In Germany, the Federal Network Agency keeps a list of all these Trust Service Providers (TSPs). Throughout Europe, qualified TSPs are listed in the European List of Trusted Lists (LOTL) of the European Commission.
In the future, a Trusted Service List (TSL) will replace the certificate stores that have so far been built into computer operating systems and web browsers. A system uses those certificates to decide whether it should trust another. The problem is that which certificates are shipped depends on American manufacturers. A European TSL, by contrast, is independent, constantly updated and provided as a signed XML file.
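The following Go program is an added example (not Utimaco's code and not an implementation of the real list format) of how a relying party consumes a signed trusted list instead of a built-in certificate store. It parses a constructed, heavily reduced list that borrows the element names and the service-type and status URIs from ETSI TS 119 612, checks the scheme operator's signature before trusting anything in it, rejects a stale copy by sequence number, and then answers the only question the text poses: is this provider currently granted qualified status for a given service? The detached Ed25519 signature stands in for the XMLDSig signature on the real list; the provider name and sequence number are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/xml"
	"errors"
	"fmt"
)

// Service type and status identifiers as used in ETSI TS 119 612 trusted lists.
const (
	SvcTypeQC       = "http://uri.etsi.org/TrstSvc/Svctype/CA/QC"
	SvcTypeQTST     = "http://uri.etsi.org/TrstSvc/Svctype/TSA/QTST"
	StatusGranted   = "http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted"
	StatusWithdrawn = "http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/withdrawn"
)

// Reduced view of a trusted list: only the elements this example needs.
// Namespaces, scheme-operator details and certificate data are omitted.
type TSPService struct {
	Type   string `xml:"ServiceInformation>ServiceTypeIdentifier"`
	Status string `xml:"ServiceInformation>ServiceStatus"`
}

type TSP struct {
	Name     string       `xml:"TSPInformation>TSPName>Name"`
	Services []TSPService `xml:"TSPServices>TSPService"`
}

type TrustedList struct {
	XMLName  xml.Name `xml:"TrustServiceStatusList"`
	Sequence int      `xml:"SchemeInformation>TSLSequenceNumber"`
	TSPs     []TSP    `xml:"TrustServiceProviderList>TrustServiceProvider"`
}

// sampleTSL is a constructed list: one provider with a granted qualified CA
// service and a withdrawn qualified time-stamping service.
const sampleTSL = `<TrustServiceStatusList>
  <SchemeInformation><TSLSequenceNumber>42</TSLSequenceNumber></SchemeInformation>
  <TrustServiceProviderList>
    <TrustServiceProvider>
      <TSPInformation><TSPName><Name>Example Trust GmbH</Name></TSPName></TSPInformation>
      <TSPServices>
        <TSPService><ServiceInformation>
          <ServiceTypeIdentifier>http://uri.etsi.org/TrstSvc/Svctype/CA/QC</ServiceTypeIdentifier>
          <ServiceStatus>http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted</ServiceStatus>
        </ServiceInformation></TSPService>
        <TSPService><ServiceInformation>
          <ServiceTypeIdentifier>http://uri.etsi.org/TrstSvc/Svctype/TSA/QTST</ServiceTypeIdentifier>
          <ServiceStatus>http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/withdrawn</ServiceStatus>
        </ServiceInformation></TSPService>
      </TSPServices>
    </TrustServiceProvider>
  </TrustServiceProviderList>
</TrustServiceStatusList>`

// SignedSample returns the constructed list, a detached Ed25519 signature from
// a freshly generated scheme-operator key (stand-in for the real XMLDSig
// signature) and the matching public key a relying party would have pinned.
func SignedSample() (listXML, sig []byte, operatorPub ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	listXML = []byte(sampleTSL)
	return listXML, ed25519.Sign(priv, listXML), pub
}

// VerifyAndParse accepts a list only if the operator signature over the raw
// bytes checks out and its sequence number is newer than the last one
// processed, so an old, since-revised copy cannot be replayed.
func VerifyAndParse(listXML, sig []byte, operatorPub ed25519.PublicKey, lastSeq int) (*TrustedList, error) {
	if !ed25519.Verify(operatorPub, listXML, sig) {
		return nil, errors.New("tsl: operator signature invalid; list not trusted")
	}
	var tl TrustedList
	if err := xml.Unmarshal(listXML, &tl); err != nil {
		return nil, fmt.Errorf("tsl: malformed list: %w", err)
	}
	if tl.Sequence <= lastSeq {
		return nil, fmt.Errorf("tsl: sequence %d is not newer than %d (stale list)", tl.Sequence, lastSeq)
	}
	return &tl, nil
}

// IsQualified answers the trust decision: is the named provider currently
// granted status for this qualified service type? Withdrawn services and
// unlisted providers are not trusted.
func (tl *TrustedList) IsQualified(tspName, serviceType string) bool {
	for _, p := range tl.TSPs {
		if p.Name != tspName {
			continue
		}
		for _, s := range p.Services {
			if s.Type == serviceType && s.Status == StatusGranted {
				return true
			}
		}
	}
	return false
}

func main() {
	listXML, sig, pub := SignedSample()
	tl, err := VerifyAndParse(listXML, sig, pub, 41)
	if err != nil {
		fmt.Println(err)
		return
	}
	fmt.Println("qualified CA:", tl.IsQualified("Example Trust GmbH", SvcTypeQC))
	fmt.Println("qualified TSA:", tl.IsQualified("Example Trust GmbH", SvcTypeQTST))
	// A list altered in transit no longer matches the operator's signature.
	tampered := append([]byte{}, listXML...)
	tampered[len(tampered)-2] = ' '
	_, err = VerifyAndParse(tampered, sig, pub, 41)
	fmt.Println("tampered:", err)
}
```

The order of checks matters: the signature is verified over the raw bytes before the XML is parsed, so a malformed or manipulated file is rejected without ever influencing the trust decision, and the sequence-number check turns "constantly updated" into something the consumer actually enforces.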
In the field of electronic identification, many EU member states had already introduced their own solutions; in Germany, for example, this is the online ID function of the national ID card. Therefore, eIDAS does not intend to standardize the identification systems. However, the Member States must cooperate across borders and, since 29 September 2018, have been required to recognize each other’s electronic identification documents. The Dutch eIDAS 2018 Municipalities Project was one of the very early adopters of mutual, cross-border recognition of European eID cards. It provides access to public services for foreign nationals such as Austrian, German and Belgian eID holders. The high percentage of foreign nationals in many Dutch municipalities makes this a valuable project for creating a seamless, efficient and convenient user experience.
Trust Services According to eIDAS at a Glance
The eIDAS Regulation provides for the following trust services:
- Creation, verification and validation of
  - electronic signatures, seals and timestamps and related certificates
  - electronic registered delivery services and related certificates
  - certificates for website authentication
- Preservation of electronic signatures, seals and related certificates
For trust service providers, the qualified electronic remote signature creates an important new business area. Recital 52 of the eIDAS Regulation states that providers of electronic remote-signature services should “apply specific management and administrative security procedures and use trustworthy systems and products […] in order to guarantee that the electronic signature creation environment is reliable and is used under the sole control of the signatory.” This requires a qualified signature/seal creation device (QSCD). It consists of a certified signature activation module (SAM) and a certified hardware security module (HSM) as the cryptographic unit. Both must be operated in a tamper-proof environment. The SAM is used to authorize the signature process: it verifies the data presented to trigger the signature process and then activates the associated signature key in the cryptographic module. The HSM in turn creates, manages and stores the keys securely and uses them for the actual signature operation.
The SAM can either be operated externally, on a standard server next to the HSM, or loaded into the HSM, where it runs within the secure environment of the cryptographic module. For developers, the latter has the distinct advantage that they can reuse parts of the HSM certification and benefit from its existing security measures.
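The two roles described above can be made concrete in code. The Go program below is an added illustration, not Utimaco's SAM or CryptoServer firmware: the HSM type holds the private keys and exposes nothing but a signing operation, and the SAM type decides whether to activate a key. "Sole control of the signatory" is modelled by signature activation data (the key to use, the hash of the document, and an HMAC over both computed with a secret only the signatory's client holds); Ed25519 and HMAC-SHA256 are assumptions chosen for a dependency-free example, and the key identifier and enrolment secret are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// HSM models the certified cryptographic module: it generates and holds the
// signing keys and exposes only a sign operation. There is no getter for the
// private key, mirroring the HSM's role in the QSCD.
type HSM struct {
	keys map[string]ed25519.PrivateKey // keyID -> private key, never exported
}

func NewHSM() *HSM { return &HSM{keys: map[string]ed25519.PrivateKey{}} }

// GenerateKey creates a signing key inside the HSM and returns only the
// public half; the private half stays in the module.
func (h *HSM) GenerateKey(keyID string) (ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	h.keys[keyID] = priv
	return pub, nil
}

// sign is unexported on purpose: only the SAM, after a successful
// authorization, may reach the signing operation.
func (h *HSM) sign(keyID string, dtbsr []byte) ([]byte, error) {
	priv, ok := h.keys[keyID]
	if !ok {
		return nil, errors.New("hsm: unknown key")
	}
	return ed25519.Sign(priv, dtbsr), nil
}

// SAD is the signature activation data the signatory presents: which key,
// the hash of the document to be signed (DTBS/R) and an authentication code
// computed with a secret shared only between signatory and SAM.
type SAD struct {
	KeyID string
	DTBSR []byte
	Auth  []byte
}

// SAM models the signature activation module. It binds each key to its
// signatory's authentication secret, so a key can only be activated by that
// signatory and only for the exact document hash they authorized.
type SAM struct {
	hsm     *HSM
	secrets map[string][]byte // keyID -> signatory authentication secret
}

func NewSAM(h *HSM) *SAM { return &SAM{hsm: h, secrets: map[string][]byte{}} }

// Enroll registers the signatory's secret for a key (done once at onboarding).
func (s *SAM) Enroll(keyID string, secret []byte) { s.secrets[keyID] = secret }

// ComputeAuth is what the signatory's client (e.g. a smartphone app) does:
// an HMAC over key ID and document hash with the signatory's secret, so the
// authorization is bound to this document and cannot be reused for another.
func ComputeAuth(secret []byte, keyID string, dtbsr []byte) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write([]byte(keyID))
	m.Write(dtbsr)
	return m.Sum(nil)
}

// Activate verifies the SAD and, only if it is valid, activates the key in
// the HSM for this single signature.
func (s *SAM) Activate(sad SAD) ([]byte, error) {
	secret, ok := s.secrets[sad.KeyID]
	if !ok {
		return nil, errors.New("sam: no signatory enrolled for key")
	}
	if len(sad.DTBSR) != sha256.Size {
		return nil, errors.New("sam: DTBS/R must be a SHA-256 hash")
	}
	if !hmac.Equal(sad.Auth, ComputeAuth(secret, sad.KeyID, sad.DTBSR)) {
		return nil, errors.New("sam: signature activation data rejected")
	}
	return s.hsm.sign(sad.KeyID, sad.DTBSR)
}

func main() {
	hsm := NewHSM()
	sam := NewSAM(hsm)
	pub, _ := hsm.GenerateKey("alice-qes")            // constructed key ID
	secret := []byte("constructed-enrolment-secret")  // constructed sample value
	sam.Enroll("alice-qes", secret)

	h := sha256.Sum256([]byte("constructed contract text"))
	sad := SAD{KeyID: "alice-qes", DTBSR: h[:], Auth: ComputeAuth(secret, "alice-qes", h[:])}
	sig, err := sam.Activate(sad)
	fmt.Println("activated:", err == nil, "verifies:", ed25519.Verify(pub, h[:], sig))
	fmt.Println("signature:", hex.EncodeToString(sig))

	// Reusing the same SAD for a different document is refused by the SAM.
	h2 := sha256.Sum256([]byte("a different document"))
	_, err = sam.Activate(SAD{KeyID: "alice-qes", DTBSR: h2[:], Auth: sad.Auth})
	fmt.Println("replay for other document:", err)
}
```

The point to notice is the boundary: nothing outside the SAM can call the HSM's signing function, and the SAM refuses any activation whose authentication code does not match both the key and the specific document hash, which is what keeps the key under the signatory's sole control even though the key lives on the provider's server.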
CryptoServer CP5 is the First Fully eIDAS-Compliant HSM
To comply with the eIDAS requirements, both SAM and HSM have to be Common Criteria certified. For the SAM, the eIDAS Protection Profile (PP) EN 419 241-2 “QSCD for Server Signing” applies, whereas the HSM must be certified according to eIDAS PP EN 419 221-5 “Cryptographic Module for Trust Services”.
The Utimaco CryptoServer CP5 is the first hardware security module certified according to the specifications of PP EN 419 221-5 to enable future-proof eIDAS-compliant remote signature services. Additionally, the CryptoServer CP5 offers the most flexible way to integrate a SAM into the HSM. Developers can use the CryptoServer Software Development Kit (SDK) to implement their own firmware modules running inside a CryptoServer HSM.
Trust service providers can evaluate the CryptoServer CP5 using the free CryptoServer CP5 Simulator. It offers the full functionality of the HSM to test applications such as signing documents or issuing certificates.
Remote Signing Solution or QSCD On-Site?
For providers of trust services, operating a qualified signature creation device is a must. However, it can also be worthwhile for companies and government authorities to operate their own local solution. Whether this pays off depends on the signing/sealing volume: for electronically signing or sealing tens of thousands of documents every day, it makes sense to invest in a local QSCD of one's own.
If a user only needs to sign or seal a few documents a day, we recommend the remote signing service offered by trust service providers. eIDAS entitles companies and authorities to commission a trust service provider to remotely sign a document in their name. The trust service provider then holds the certificates and keys on its secure servers. It handles both the creation and management of the keys and keeps them in a tamper-proof environment. This makes it much easier for consumers to sign documents electronically, as they can trigger the signature process via an app on their smartphone, for example.
Electronic Seals for fully Digital Processes and the Internet of Things
Some European countries had already introduced electronic seals before eIDAS came into force, but not all had adopted them into their national signature laws. This changed with eIDAS, and signatures and seals are now on a par. Companies and authorities now have the opportunity to establish consistently digital processes. An electronic seal guarantees that the organization indicated as the sender has indeed issued the document. It also ensures that the document was not changed afterwards. The value of digital seals should not be underestimated, given the large number of new opportunities they create – especially in areas where previously only signed paper documents were permitted. Educational institutions can, for example, issue graduation certificates digitally and seal them. As a result, application procedures can run completely digitally, and it is no longer necessary to go through the cumbersome process of authenticating copies. In the Internet of Things, as another example, communication between company servers and remotely operating devices can now take place more securely and with legal effect.
Application Scenarios for eIDAS
eIDAS is relevant for all companies that want to electronically sign and send documents. In the future, this will be possible across Europe without media breaks (no switching between paper and digital), saving companies time and money.
eIDAS has a special significance for the financial sector. Since 13 January, the new EU Payment Services Directive PSD2 has applied in the member states. It stipulates that banks must provide other financial service providers with API access to their customers’ account data. This opens up the market for new business models, such as payments via smartphone. As a prerequisite, third-party payment service providers must clearly authenticate themselves to the bank.
Financial institutions can also use eID and trust services to implement onboarding mechanisms such as the required “Know Your Customer” (KYC). KYC is a process for identifying and verifying a customer’s identity. Companies run it to assess potential risks to the business relationship, such as money laundering.
For governments, eIDAS brings advantages, for example, for EU-wide public tenders. The EU Commission has shown that an end-to-end electronic workflow takes only a few hours or days instead of the weeks required by the paper processes used previously. Costs can be reduced to one-fifth to one-tenth of previous expenditure.
Doctors and hospitals can use qualified electronic signatures to sign medical reports, and in future they can also be used when admitting patients. Each patient must sign several documents during the hospital admission process. In the future, patients might receive these electronically and sign them with a signature app on their smartphone.
A challenge for the healthcare sector is the long-term archiving of documents, because electronic signatures do not remain valid for the entire legal retention period. In the past, therefore, clinics would have had to re-sign the documents themselves at regular intervals to ensure their authenticity and integrity. According to the eIDAS Regulation, this re-signing can now be outsourced to a preservation service, which hugely facilitates this process for the healthcare sector.
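The seal guarantees from the section on electronic seals (origin and unchanged content) and the re-signing problem just described can be shown together in one model. The Go program below is an added illustration, not Utimaco's code and not an implementation of any standardised evidence-record format: a document carries a chain of signature layers, layer 0 being the issuing organisation's seal and each further layer a preservation service's re-signature that must be applied while the previous layer is still valid. Verification checks every signer is known, every signature holds over the document hash, the layers are continuous in time, and the chain has not expired. Ed25519, the simplified certificate validity (a plain end date per signer) and the signer names and dates are assumptions and constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Layer is one signature in the evidence chain over a document. Layer 0 is
// the issuing organisation's seal; every later layer is a preservation
// service's re-signature, applied while the previous layer was still valid.
type Layer struct {
	Signer     string
	AppliedAt  time.Time
	ValidUntil time.Time // end of the signer's certificate validity (simplified)
	Sig        []byte
}

// NewSigner generates a key pair; it stands in for a key held in a certified HSM.
func NewSigner() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// tbs is the digest a layer signs: document hash, previous layer's signature
// (empty for the seal itself), signer name and time of application. Including
// the previous signature is what chains the layers together.
func tbs(docHash, prevSig []byte, signer string, applied time.Time) []byte {
	h := sha256.New()
	h.Write(docHash)
	h.Write(prevSig)
	h.Write([]byte(signer))
	var ts [8]byte
	binary.BigEndian.PutUint64(ts[:], uint64(applied.Unix()))
	h.Write(ts[:])
	return h.Sum(nil)
}

// SealDocument creates the organisation's seal (layer 0).
func SealDocument(doc []byte, signer string, priv ed25519.PrivateKey, at, until time.Time) []Layer {
	docHash := sha256.Sum256(doc)
	return []Layer{{
		Signer: signer, AppliedAt: at, ValidUntil: until,
		Sig: ed25519.Sign(priv, tbs(docHash[:], nil, signer, at)),
	}}
}

// AddPreservationLayer is what the preservation service does before the
// current chain expires. It refuses to extend a chain that has already
// expired, because nothing then attests that the document was unchanged in the gap.
func AddPreservationLayer(doc []byte, chain []Layer, signer string, priv ed25519.PrivateKey, at, until time.Time) ([]Layer, error) {
	if len(chain) == 0 {
		return nil, errors.New("preserve: no seal to extend")
	}
	prev := chain[len(chain)-1]
	if at.After(prev.ValidUntil) {
		return nil, fmt.Errorf("preserve: previous layer by %q expired at %s; gap in evidence", prev.Signer, prev.ValidUntil.Format(time.RFC3339))
	}
	docHash := sha256.Sum256(doc)
	next := Layer{
		Signer: signer, AppliedAt: at, ValidUntil: until,
		Sig: ed25519.Sign(priv, tbs(docHash[:], prev.Sig, signer, at)),
	}
	return append(append([]Layer{}, chain...), next), nil
}

// VerifyChain checks origin (every signer known, every signature valid),
// integrity (the document hash matches what layer 0 sealed), continuity
// (each layer applied inside the previous one's validity) and currency
// (the last layer has not expired at time now).
func VerifyChain(doc []byte, chain []Layer, pubs map[string]ed25519.PublicKey, now time.Time) error {
	if len(chain) == 0 {
		return errors.New("verify: document carries no seal")
	}
	docHash := sha256.Sum256(doc)
	var prevSig []byte
	for i, l := range chain {
		pub, ok := pubs[l.Signer]
		if !ok {
			return fmt.Errorf("verify: layer %d signed by unknown party %q", i, l.Signer)
		}
		if !ed25519.Verify(pub, tbs(docHash[:], prevSig, l.Signer, l.AppliedAt), l.Sig) {
			return fmt.Errorf("verify: layer %d by %q does not verify (document or chain altered)", i, l.Signer)
		}
		if i > 0 {
			prev := chain[i-1]
			if l.AppliedAt.Before(prev.AppliedAt) || l.AppliedAt.After(prev.ValidUntil) {
				return fmt.Errorf("verify: layer %d applied outside validity of layer %d", i, i-1)
			}
		}
		prevSig = l.Sig
	}
	if last := chain[len(chain)-1]; now.After(last.ValidUntil) {
		return fmt.Errorf("verify: evidence expired at %s; preservation layer required", last.ValidUntil.Format(time.RFC3339))
	}
	return nil
}

func main() {
	doc := []byte("constructed graduation certificate") // constructed sample input
	uniPub, uniPriv := NewSigner()
	psPub, psPriv := NewSigner()
	pubs := map[string]ed25519.PublicKey{"University": uniPub, "PreservationService": psPub}
	t0 := time.Date(2020, 1, 1, 0, 0, 0, 0, time.UTC)

	chain := SealDocument(doc, "University", uniPriv, t0, t0.AddDate(2, 0, 0))
	fmt.Println("year 1:", VerifyChain(doc, chain, pubs, t0.AddDate(1, 0, 0)))
	fmt.Println("year 3, no preservation:", VerifyChain(doc, chain, pubs, t0.AddDate(3, 0, 0)))

	chain, err := AddPreservationLayer(doc, chain, "PreservationService", psPriv, t0.AddDate(1, 6, 0), t0.AddDate(6, 0, 0))
	fmt.Println("re-signed:", err, "| year 3:", VerifyChain(doc, chain, pubs, t0.AddDate(3, 0, 0)))
	fmt.Println("altered document:", VerifyChain([]byte("altered"), chain, pubs, t0.AddDate(3, 0, 0)))
}
```

Two outcomes carry the section's message: the same chain that verifies in year 1 is rejected in year 3 until a preservation layer is added in time, and a layer added after the previous one expired is refused outright, because a later signature cannot retroactively vouch for the period in which nothing was valid.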
Future of eIDAS in Europe
Although the eIDAS Regulation was already passed in 2014, its implementation across Europe started slowly and is now speeding up. Since 2016, trust service providers have been able to qualify for the EU trustmark by demonstrating their eIDAS compliance. Since then, trust centers have begun to change their way of working.
As the eIDAS implementation across Europe continues to gain momentum, it is meant to improve processes across all industries in the future. A certified HSM is essential for the creation of eIDAS-compliant qualified electronic signatures, seals and time stamps.