SSCD devices

 

SSCE “Secure Signature-Creation Device”

 

Regulation (EU) 910/2014 of the European Parliament and of the Council, Article 29 states:

"1. Qualified devices for the creation of electronic signatures shall comply with the requirements set out in Annex II. "

 

ANNEX II

 

REQUIREMENTS FOR QUALIFIED ELECTRONIC SIGNATURE DEVICES

1.Equipped electronic signature creation devices shall ensure at least by appropriate technical and procedural means that:

 

A) the confidentiality of the electronic signature creation data used for the creation of electronic signatures is reasonably guaranteed;

B) the data of creation of electronic signature used for the creation of electronic signature can only appear once in practice;

C) there is reasonable assurance that the electronic signature creation data used for the creation of an electronic signature can not be found by deduction and that the signature is securely protected against counterfeiting using the technology available at the time;

 

REQUIREMENTS FOR QUALIFIED ELECTRONIC SIGNATURE DEVICES

 

1.Equipped electronic signature creation devices shall ensure at least by appropriate technical and procedural means that:

A) the confidentiality of the electronic signature creation data used for the creation of electronic signatures is reasonably guaranteed;

B) the data of creation of electronic signature used for the creation of electronic signature can only appear once in practice;

C) there is reasonable assurance that the electronic signature creation data used for the creation of an electronic signature can not be found by deduction and that the signature is securely protected against counterfeiting using the technology available at the time;

D) the data of creation of the electronic signature used for the creation of electronic signature can be protected by the legitimate signatory in a reliable way against its use by others.

 

2. Qualified electronic signature creation devices shall not alter the data to be signed or prevent such data from being displayed to the signatory prior to signing.

3. Generation or management of the data of creation of the electronic signature in the name of the signatory can only be carried out by a qualified provider of services of trust.

 

4. Without prejudice to point 1 (d), qualified providers of trusted services who manage electronic signature creation data on behalf of the signatory may duplicate signature creation data solely for the purposes of back-up Of the aforementioned data provided that the following requirements are met:

 

A) the security of the duplicate datasets is of the same level as for the original datasets;

B) the number of duplicate data sets does not exceed the minimum necessary to ensure continuity of service.

 

AENOR has published a series of standards UNE-EN 419211 'Protection profiles for secure signature creation devices'.

 

This rule consists of 6 parts that "deal with the different types of secure signature creation devices that exist, specific operational and functional requirements and objects for evaluation of the protection profiles of these devices."

AENOR - Protection profiles for secure signature creation devices.

 

UNE-EN 419211-1:2016

Part 1: General.

 

UNE-EN 419211-2:2016

Part 2: Device with key generation.

 

UNE-EN 419211-3:2016

Part 3: Device with key import.

 

UNE-EN 419211-4:2016

Part 4: Extension for the device with key generation and secure channel with the certificate generation application.

 

UNE-EN 419211-5:2016

Part 5: Extension for the device with key generation and secure channel with the signature creation application.

 

UNE-EN 419211-6:2016

Part 6: Extension for the device with key import and secure channel with the signature creation application.

 

Press NOTE of June, 22nd, 2016

 

In accordance with European Regulation (EU) No. 910/2014 on Electronic Identification and Trusted Services for Electronic Transactions in the Internal Market (eIDAS Regulation), the Implementing Decision (EU) 2016 / 650 of the Commission, which establishes the rules that are applicable to the signature devices, to be qualified as Secure Devices of Creation of Signature.

 

 

Standards for the evaluation of the security of information technology products that apply to the certification of qualified electronic signature creation devices or qualified electronic stamp creation devices in accordance with Article 30 (3) (a) Or with Article 39 (2) of Regulation (EU) No 910/2014, where electronic signature creation data or electronic stamp creation data are preserved entirely, but not necessarily exclusively, in a managed environment By the user.

 

- ISO / IEC 15408 - Information technology - Security techniques - Evaluation criteria for IT security, Parts 1 to 3 listed below:

 

- ISO / IEC 15408-1: 2009 - Information technology - Security techniques - Evaluation criteria for IT security - Part 1. (Information technology - Security techniques - Evaluation criteria for IT security. ISO, 2009.

 

- ISO / IEC 15408-2: 2008 - Information technology - Security techniques - Evaluation criteria for IT security - Part 2. (Information technology - Security techniques - Evaluation criteria for IT security. ISO, 2008.

 

- ISO / IEC 15408-3: 2008 Information technology - Security techniques - Evaluation criteria for IT security - Part 3 (Information technology - Security techniques - Evaluation criteria for IT security. ISO, 2008.

 

- ISO / IEC 18045: 2008: Information technology - Security techniques - Methodology for IT security evaluation (Information technology - Security techniques - Methodology for evaluating IT security).

 

- EN 419 211 - Protection profiles for secure signature creation devices, Parts 1 to 6 - if applicable - listed below:

 

- EN 419211-1: 2014 - Protection profiles for secure signature creation device - Part 1: Overview.

 

- EN 419211-2: 2013 - Protection profiles for secure signature creation device - Part 2: Device with key generation.

 

- EN 419211-3: 2013 - Protection profiles for secure signature creation device - Part 3: Device with key import.

 

- EN 419211-4: 2013 - Protection profiles for secure signature creation devices - Part 4: Extension for device with key generation and trusted channel to certificate generation application. The device with key generation and trusted communication with certificate generation application).

 

- EN 419211-5: 2013 - Protection profiles for secure signature creation devices - Part 5: Extension for device with key generation and trusted channel for signature creation application Key generation and trustful communication with signature creation application).

 

- EN 419211-6: 2014 - Protection profiles for secure signature creation devices - Part 6: Extension for device with key import and trusted channel for signature creation application. Key import and trusted communication with signature creation application).

 

Common Criteria defined, following the rules and formats of ISO 15408 Common Criteria version 2.1, the "Protection Profile - Secure Signature-Creation Device Type3 Version: 1.05, EAL 4+"

 

It determined in ISO / IEC 15408-3, confidence levels:

 

• EAL4 (methodically designed, tested and revised): This level allows a developer to achieve maximum positive engineering engineering assurance based on good business development practices, which, while rigorous, do not require substantial specialized knowledge, dexterity, or Other resources. In this case, the analysis is based on the low-level design of the product modules and vulnerability search is performed regardless of the tests performed by the developer. Development controls rely on a development lifecycle model, identification of tools used, and automated configuration management.

 

• EAL5 (semi-engineered and tested): Enables a developer to achieve maximum assurance of positive safety engineering through the moderate application of safety engineering techniques. Confidence is supported, in this case, in a formal model and a semiformal presentation of functional specification and high-level design. The search for vulnerabilities must ensure relative resistance to penetration attacks.

 

The HSM Devices homologated by ANF Autoridad de Certificación for end user, are homologated in ISO 15408 Common Criteria EAL 4+ (or higher).