CC eIDAS for CryptoServer General Purpose HSMs
- Specifically designed for eIDAS-compliant qualified signatures and seals, remote signing and the issuing of qualified certificates
- Common Criteria-certified according to the eIDAS Protection Profile (PP) EN 419 221-5 “Cryptographic Module for Trust Services”
- Supports Trust Service Providers (TSPs) in fulfilling policy and security requirements by deploying and maintaining HSMs to be used as qualified devices for electronic signature creation
- Includes a software simulator for evaluation and integration testing
Key Benefits
Details
CC eIDAS for CryptoServer General Purpose HSM – eIDAS Qualified Signing, Sealing and Certificate Issuing
CC eIDAS running on CryptoServer General Purpose HSM supports Trust Service Providers (TSPs) in fulfilling policy and security requirements defined in various technical standards (ETSI EN 319 401, EN 319 411, EN 319 421).
With key authorization functionalities, it is ideally suited for eIDAS-compliant qualified signature creation and remote signing. Other applications include (qualified) certificate issuance, OCSP (Online Certificate Status Protocol) and time stamping. This compliance version enables CryptoServer General Purpose HSM to be Common Criteria-certified according to the eIDAS Protection Profile (PP) EN 419 221-5 “Cryptographic Module for Trust Services”.
Deployed as a Qualified Signature/ Seal Creation Device operating in the secure environment of a QTSP it provides users with a remote signing func-tionality. When used in conjunction with qualified certificates, the QSCD gen-erates qualified electronic signatures or seals as defined in eIDAS. The eIDAS compliant Hardware Security Module provides the highest level of assurance and conformity for efficient signing transactions, as a part of an eIDAS-compliant solution.
For further customization, it can be extended with a Signature Activation Mod-ule (SAM) that runs within the certified HSM boundary and meets the require-ments of the EN 419 241-2 protection profile using the Software Development Kit. This combined solution enables Trust Service Providers to offer server signing for remote signatures and seals.
The included software simulator enables evaluation and testing of all CC eIDAS use cases for integration with business applications prior to produc-tion deployment.
Features
High security for regulated use cases
- Can be used for additional applications such as Timestamping and OCSP (Online Certificate Status Protocol)
- Secure key storage and processing inside the hardened boundary of the HSM
- High-quality true random number generator to ensure uniqueness of keys
- Configurable role-based access control and separation of functions
- 2-factor authentication with smartcards
- “m of n” quorum authentication
- Extensive remote management and monitoring
Efficient key management and HSM administration including firmware up-dates via remote access
- Automation of remote diagnosis via Simple Network Management Protocol (SNMP)
- Software Simulator Included
HSM Simulator with all functionalities
- Fully functional runtime including all administration and configura-tion tools
- For evaluation and integration testing prior to deployment in production
Technical Specifications
Supported Cryptographic Algorithms
- RSA, ECDSA with NIST and Brainpool curves
- ECDH with NIST and Brainpool curves
- AES
- CMAC, HMAC
- SHA-2, SHA-3
- Hash-based deterministic random number generator (DRG.4 acc. AIS 31)
- True random number generator (PTG.2 acc. AIS 31)
- up to 3,000 RSA or 2,500 ECDSA signing operations
Support for various Application Interfaces (APIs)
- PKCS #11
- Cryptography Next Generation (CNG)
- Key authorization API and tool
- Utimaco‘s comprehensive Cryptographic eXtended services Interface (CXI)
Fulfills Various Security Compliance Mandates
- Common Criteria EAL4+ certified according to Protection Profile EN 419 221-5 (further information is available on the Common Criteria Portal) as well as to point 23 and 32 of Article 2 of Regulation 910/2014 (eIDAS) (further information is available on the EU Trust Services Dashboard)
- Server Signing acc. EN 419 241-2
- ETSI Policy and Security Requirements (e. g. EN 319 401, EN 319 411, EN 319 421, C-ITS)
Fulfills Various Environmental Compliance Requirements
- CE, FCC Class B
- RoHS III, WEEE
- UL, IEC/EN 60950-1, IEC/EN 62368-1
- CB certificate