Secure signature creation device

A secure signature creation device (SSCD) is a specific type of computer hardware or software that is used in creating an electronic signature. To be put into service as a secure signature creation device, the device must meet the rigorous requirements laid out under Annex II of Regulation (EU) No 910/2014 (eIDAS), where it is referred to as a qualified (electronic) signature creation device (QSCD). Using secure signature creation devices helps in facilitating online business processes that save time and money with transactions made within the public and private sectors.

Description
The minimum requirements that must be met to elevate an electronic signature creation device to the level of a secure signature creation device are provided in Annex II of eIDAS. Through appropriate procedural and technical means, the device must reasonably assure the confidentiality of the data used to create an electronic signature. It further must ensure that the data used to create an electronic signature is unique and only used once. Lastly it shall only allow a qualified trust service provider or certificate authority to create or manage a signatory’s electronic signature data.

To ensure security, signature creation data used by the SSCD to create an electronic signature must provide reasonable protection through current technology to prevent forgery or duplication of the signature. The creation data must remain under the sole control of its signatory to prevent unauthorized use. The SSCD itself is prohibited from altering the signature’s accompanying data.

When a trust service provider or certificate authority places an SSCD into service, they must securely prepare the device according to Annex II of eIDAS in fully compliance to the following three conditions:
 * 1) While in use or in storage, the SSCD must remain secure.
 * 2) Further, a reactivation and deactivation of the SSCD must occur under secure conditions.
 * 3) Any user activation data, include PIN codes be delivered separately from the SSCD after being prepared securely.

International security assurance requirements for SSCDs
The secure signature creation device must also meet the international standard for computer security certification, referred to as the Common Criteria for Information Technology Security Evaluation (ISO/IEC 15408). This standard gives computer system users the ability to specify security requirements via Protection Profiles (PPs) for security functional requirements (SFRs) and security assurance requirements (SARs). The trust service provider or certificate authority is the required to implement the specified requirements and attest to their product’s security attributes. A third-party testing laboratory then evaluates the device to ensure that the level of security is as claimed by the provider.

Central authentication service
When a secure signature creation device is used as part of a central authentication service (CAS), it may act as a CAS server in multi-tier authentication scenarios. The CAS software protocol allows users to be authenticated when signing into a web application.

The common scheme for a CAS protocol includes the client’s web browser, an application requesting authentication and the CAS server. When authentication is needed, the application will send a request to the CAS server. The server will then compare the user’s credentials against its database. If the information matches, the CAS will respond that the user has been authenticated.

Legal implications regarding secure signature creation devices
eIDAS has provided a tiered approach to determining the legal implications of electronic signatures. A signature that has been created with a secure signature creation device is considered to have the strongest probative value. A document or message that has been signed with such a device is non-reputable, meaning the signatory cannot deny they are responsible for the creation of the signature.

Regulation (EU) No 910/2014 (eIDAS) evolved from Directive 1999/93/EC, the Electronic Signatures Directive. The intent of the directive was to make EU Member States responsible for creating legislation that would allow for the creation of the European Union’s electronic signing system. The eIDAS Regulation required all Member States to follow its specifications for electronic signatures by its effective date of 1 July 2016.