In this blog post, I want to limit myself to the essential basis of eIDAS, the HSM (Hardware Security Module).
If you want more information about eIDAS, please visit the websites mentioned at the end of this article.
eIDAS stands for “Electronic Identification and Trust Services for electronic transactions in the Internal Market”.
eIDAS is described in EU Regulation 910/2014. With it, the EU regulates the market: digital borders are disappearing, and the means for electronic identification (eID) of one EU country can be accepted by the other member states.
A large part of this regulation concerns trust services, such as electronic signatures, electronic delivery, electronic seals and website authentication. The eIDAS regulation ensures that qualified electronic signatures have the same legal validity as handwritten signatures, so that contracts can be concluded digitally.
The FIPS 140-2 standard is maintained by the National Institute of Standards and Technology (NIST), a US government organization. FIPS 140-2 defines four levels against which a cryptographic module can be evaluated:
- Level 1 – the lowest level; only basic security requirements are specified
- Level 2 – adds requirements for tamper evidence and role-based user authentication
- Level 3 – adds requirements for tamper detection and response (tamper resistance), zeroization of sensitive data, and identity-based authentication with separate user roles
- Level 4 – the highest level; intrusion into the module is detected with very high probability, and requirements for physical and environmental security (e.g. voltage and temperature excursions) apply.
Common Criteria Evaluation Assurance Levels (CC-EAL)
Common Criteria is an internationally recognized set of standards for the evaluation of security hardware and software. It is a tightly regulated process with the following characteristics:
- the product under evaluation is called the “Target of Evaluation” (TOE)
- the TOE is evaluated against a Protection Profile (PP), a set of requirements defined by a user or user community; for example, the SSCD (Secure Signature Creation Device) profile is based on the European Digital Signature Directive
- the evaluation is carried out on the basis of a so-called “Security Target” (ST), a detailed description of the security functions of the TOE, which refers to the Protection Profile
- once a product has been evaluated, it is classified with an Evaluation Assurance Level (EAL) in the range 1 to 7, where 1 is the lowest and 7 the highest qualification (a minimum of level 4 for an HSM).
If an HSM has been evaluated in accordance with Common Criteria, it is recommended that the EAL be at least 4.
eIDAS compliant HSMs support new business opportunities
Such uniform standards give companies new opportunities to do business. They can tap into new markets and do business in other European countries in a very secure and compliant way. The most relevant Protection Profile for HSMs, “Cryptographic Module for Trust Services”, has recently been certified by an approved test laboratory. […] Please note that only the HSM of one German manufacturer is currently being evaluated in accordance with this Protection Profile; the definitive Common Criteria certification is expected in Q3 2018.
No HSM manufacturer has been certified against it so far! Do not be confused by the listings at https://www.commoncriteriaportal.org/products/.
HSM manufacturers have an active role in drafting security requirements and Protection Profiles at the European Committee for Standardization (CEN).
The goal is secure qualified signatures, seals and timestamps in accordance with the EU eIDAS regulation.
Only certification against the correct Protection Profile guarantees that an HSM may be used for eIDAS applications. For this, see mainly https://www.commoncriteriaportal.org/files/ppfiles/ANSSI-CC-PP-2016_05%20PP.pdf.
Some manufacturers like to refer to the website with approvals (https://www.commoncriteriaportal.org/products/); however, to this day, there is no HSM certified against the correct Protection Profile!
Note: Within the EU, the Protection Profile for Secure Signature Creation Devices (SSCD) (European standard CWA 14169) is a valuable profile for evaluation.
More Information about eIDAS:
The title of this piece, “Do not make the wrong choice”, is a warning against a wasted investment. At this moment, there is no HSM certified for eIDAS applications. It is also NOT possible to “upgrade” an already purchased HSM to CC EAL 4+, because certain conditions and requirements have to be met from production and logistics onward.
Who are the main players on the European market?
The HSM market is undergoing consolidation. There used to be three players: Thales (including nCipher), Gemalto (including SafeNet) and Utimaco. In the past year, Thales announced its intention to acquire Gemalto, and Utimaco did the same for Atalla, the payment HSM division of Micro Focus. Utimaco is a real “runner-up” in the HSM market and is growing fast by supplying a very cost-effective, flexible and reliable complete system.
- This article was first published in Dutch by Ad Koolen in February 2018.
About the author
Ulrich Scholten is an internationally active entrepreneur and scientist. He holds a PhD in information technology and owns several patents on cloud-based sensors. His research on cloud computing is regularly published in highly rated journals and conference papers. From 2008 to 2015, he was an associated research scientist at the Karlsruhe Service Research Institute (KSRI), a partnership between KIT and IBM, where he researched network effects around web platforms together with SAP Research.