CryptoServer CP5 - The certified HSM for Generation and Storage of Qualified Certificates for Electronic Signatures and Seals
- Specifically designed for eIDAS-compliant qualified signatures and seals, remote signing and the issuing of qualified certificates
- Common Criteria-certified according to the eIDAS Protection Profile (PP) EN 419 221-5 “Cryptographic Module for Trust Services”
- Supports Trust Service Providers (TSPs) in fulfilling policy and security requirements by deploying and maintaining HSMs to be used as qualified devices for electronic signature creation
- Includes a software simulator for evaluation and integration testing
Key Benefits
Qualified Signature/ Seal Creation Device (QSigCD & QSealCD)
The CryptoServer CP5 has received eIDAS certification as both a Qualified Signature and Qualified Seal Creation Device (QSCD) and can be used as a standalone QSCD or as a part of a combined QSCD with remote signing solutions
Signature Activation Module (SAM) Ready for eIDAS Server Signing
By utilizing an add-on product from UTIMACO - the CryptoServer SDK - for development of a Signature Activation Module (SAM), running inside the certified boundary of the HSM.
Strong Hardware Protection of Sensitive Assets
- Provides the option to be remotely managed by a qualified trust service provider (QTSP) and known as a “remote QSCD”.
- Rely on the highly secure root of trust that CryptoServer CP5 provides to securely store sensitive assets such as private keys and data.
- Available as a PCIe plug-in card or as a network-attached appliance
Details
CryptoServer CP5 - The certified HSM for Qualified Signing, Sealing and Certificate Issuing
To help facilitate interoperability and acceptance across borders, the eIDAS regulation created a common framework for secure electronic signatures, including standardized assurance levels.
Qualified certificates must be stored on a qualified signature creation device (QSCD or QSigCD) and in order to provide eSignature services, a qualified trust service provider (QTSP) is required.
UTIMACO’s CryptoServer CP5 is a Qualified Signature/ Seal Creation Device which is operated in the secure environment of a QTSP to provide users with a remote signing functionality. When used in combination with qualified certificates, the QSCD generates qualified electronic signatures or seals as defined in eIDAS. (QSigCD) and Qualified Seal Creation Device (QSealCD).
Depending on the technology and validation behind the signature, certain types of signatures are inherently more trustworthy than others, withstanding higher legal scrutiny. Therefore, for
use cases requiring qualified trust services such as government agencies, public administration, and enterprises; the CryptoServer CP5 provides the highest levels of assurance and conformity for efficient signing transactions, as a part of an eIDAS-compliant solution.
The CryptoServer CP5 offers various customization options such as extending it with a Signature Activation Module (SAM) running inside the certified HSM boundary and following the requirement of Protection Profile EN 419 241-2 by utilizing the CryptoServer SDK development kit.
This combined solution enables Trust Service Providers to provide server signing for remote signatures and seals.
The included Software Simulator enables evaluation and testing of all CryptoServer CP5 use case integration with business applications before the deployment into production.
High security for regulated use cases
- Can be used for additional applications such as Timestamping and OCSP (Online Certificate Status Protocol)
- Secure key storage and processing inside the hardened boundary of the HSM
- High-quality true random number generator to ensure uniqueness of keys
- Configurable role-based access control and separation of functions
- 2-factor authentication with smartcards
- “m of n” quorum authentication
Supported Cryptographic Algorithms
- RSA, ECDSA with NIST and Brainpool curves
- ECDH with NIST and Brainpool curves
- AES
- CMAC, HMAC
- SHA-2, SHA-3
- Hash-based deterministic random number generator (DRG.4 acc. AIS 31)
- True random number generator (PTG.2 acc. AIS 31
- up to 3,000 RSA or 2,500 ECDSA signing operations
Support for various Application Interfaces (APIs)
- PKCS #11
- Cryptography Next Generation (CNG)
- Key authorization API and tool
- Utimaco‘s comprehensive Cryptographic eXtended services Interface (CXI)
Extensive remote management and monitoring
- Efficient key management and HSM administration including firmware updates via remote access
- Automation of remote diagnosis via Simple Network Management Protocol (SNMP)
Fulfills Various Security Compliance Mandates
- Common Criteria EAL4+ certified according to Protection Profile EN 419 221-5 (further information is available on the Common Criteria Portal) as well as to point 23 and 32 of Article 2 of Regulation 910/2014 (eIDAS) (further information is available on the EU Trust Services Dashboard)
- Server Signing acc. EN 419 241-2
- ETSI Policy and Security Requirements (e. g. EN 319 401, EN 319 411, EN 319 421, C-ITS)
Fulfills Various Environmental Compliance Requirements
- CE, FCC Class B
- RoHS III, WEEE
- UL, IEC/EN 60950-1, IEC/EN 62368-1
- CB certificate
Software Simulator Included
- HSM Simulator with all CryptoServer CP5 functionalities
- Fully functional runtime including all administration and configuration tools
- For evaluation and integration testing of CryptoServer CP5 before deployment in production
CryptoServer SDK
UTIMACO’s professional development kit allows for implementing firmware extensions for SecurityServer and PaymentServer built on CryptoServer Se Gen2- and CryptoServer CSe-series.
u.trust 360
u.trust 360 is a hardware and software based management platform enabling centralized administration, monitoring and provisioning for Atalla AT1000 and CryptoServer LAN V5 HSMs.
