Qualified Signature Creation Devices (QSCD) under eIDAS – The example of the Bank-Verlag Signature Activation Module (SAM)

In our recent blog post series about the eIDAS regulation, we have addressed local signing and the difference with remote signing (or server signing), which relies on a Trust Service Provider (TSP) to remotely generate and manage the signing keys on the signatory’s behalf.

eIDAS requires a Qualified Signature (or Seal) Creation Devices (QSCD) for issuing and using qualified certificates for the generation of electronic signatures and seals. Today we would like to look into how the CC-certified and eIDAS-compliant Utimaco HSM integrates with the Bank-Verlag Signature Activation Module (SAM) and helps Bank-Verlag become a TSP.

Bank-Verlag and Utimaco HSMs

As a service provider for banks in Germany, Bank-Verlag has always been confronted with strict regulatory requirements. Their infrastructure and the products and services they offer to their customers, the banks, need to be highly secure and compliant with all current requirements. Hardware Security Modules (HSMs) are the cryptographic device of choice to manage the generation of qualified signatures and securely generate and store the related qualified certificates and cryptographic keys. Utimaco HSMs for this purpose are easy to implement and operate, provide all needed functionality and certifications and most importantly – work reliably to protect the crypto keys!

Listen to Alexander Eßer from Bank-Verlag speak about Bank-Verlag as a Trust Service Provider (TSP), regulatory requirements set forward by eIDAS to offer qualified signatures and the role of cryptography and Utimaco HSMs.

A Trust Service Provider offering remote signing services

Bank-Verlag is currently in the process of becoming a TSP. The aim, among others, is to provide end-customers with the possibility to apply qualified signatures remotely. Today, a lot of processes still involve media discontinuity, and there is no end-to-end digital processing flow. E.g. the signing of a contract often still involves printing, manually signing, then scanning and electronically sending it over for the next process step. For end-customers, remote signing means a service to apply a secure and legally valid digital signature without the need to own a card reader or other physical infrastructure on their side. Identification and authentication to remotely sign with a qualified digital signature at best involve strong customer authentication mechanisms.

The same applies to documents provided by a company, a bank e.g., which today often still requires a paper version that is signed and stamped to be valid.

The services offered by Bank-Verlag support numerous use cases, e.g. the signing or sealing of a document, one time sign (creation of qualified certificate and signing in one process step) and the PSD2-compliant certificates that Third Party Providers (TPPs) use to be able to access the bank customer’s accounts.

In detail – A look at Qualified Electronic Signatures (QES) with the Bank-Verlag QSCD

Let’s take a closer look at how a QES is applied, e.g. for a bank customer to sign a credit application form on his online banking platform. The bank customer confirms his identity by filling in the log-in form, then reviews the credit details which include an online form to sign at the end. For the signing process, the customer needs to use his/her qualified certificate, which – if not yet available – can be created directly during the signing process within the same front-end interface. The customer then needs to perform two-factor authentication (e.g. mTAN or token based on existing 2FA means available in the online banking platform) to proceed with the signing. In a banking environment, two advantages include the availability of complete customer data – which is required by the Anti-Money Laundering Directive (AML4) – and 2FA mechanisms in compliance with PSD2 already implemented for regular access to banking portals. For other companies (e.g. insurance companies), implementing these two crucial elements can be a challenge where Bank-Verlag can also help with their PSD2 compliant services.

In technical terms, this signing process requires:

• the Utimaco CryptoServer CP5 HSM certified according to eIDAS PP EN 419 221-5 “Cryptographic Module for Trust Services”, which is equipped with
• the Bank-Verlag SAM certified according to eIDAS Protection Profile EN 419 241-2 “QSCD for Server Signing” to enable fast, scalable & flexible registration (certificate creation) and signing,
• the signer (e.g. bank customer) to be registered and identified,
• his/her signing keys to have a qualified certificate attached,
• the signer to authorize a signature or operation (via the SAM) and
• the SAM to then activate the signing key stored in the HSM

The SAM module and integrated HSM ensure that the signer has the sole control of authorizing a signing process, initiating a transaction or an operation. All communication to the HSM goes through the SAM for authorization first, and then activation of the signing keys.