Qualified Certificates as a Foundation for Digital Transformation

By Alen Beganovic, CISM, CGEIT

The Nexus  |  Monday, 08 July 2019

Human tasks such as handwritten signing are an obstacle to digital transformation. These human tasks interrupt process digitalization and create the need for the implementation of expensive processes such as accessing, storing and archiving paper-based documentation. On the other hand, handwritten signatures are a traditional security measure to ensure the integrity and authenticity of documents. Qualified electronic signatures based on qualified certificates can ensure the integrity and authenticity of a document on a more advanced level than a handwritten signature and have the same legal value. However, complex IT infrastructures for qualified electronic signature demand the implementation of a robust cybersecurity framework (including organization, people, processes and technology) to prevent theft and misuse of electronic identities.

eIDAS

Electronic Identification and Trust Services (eIDAS) is an EU regulation on and a set of standards for electronic identification and trust services for electronic transactions in the EU’s internal market. Its goal is to build trust in electronic business and establish a security framework for qualified electronic signatures. In addition to qualified electronic signatures, eIDAS introduces additional qualified trust services (QTS) such as electronic seals, time stamps, registered mail and website authentication.

Remote Electronic Signature

Implementation of QTS can be on premise, externalized or a combination of those 2. These implementation options bring challenges, one of the most crucial being integration into business processes.

Some ways qualified electronic signatures can be implemented include:

  • Internal processes—Consents and contracts in the human resources (HR) or procurement processes
  • External processes—Payments, signing contracts and legal consents for clients

Private keys for qualified certificates must be stored on qualified electronic signature creation devices (QSCD). Using personal QSCD such as smart cards or universal serial bus (USB) keys can be optimal for a small number of users. In most cases, these are implementations for employees, when their workstations can be fully centrally managed to reduce issues with devices, firmware and client software.

One of the key improvements introduced by eIDAS is remote electronic signatures. These enable the QTS provider to securely manage qualified certificates and private keys for clients in their environment and overcome challenges related to client devices, software and certificates. It results in significant acceleration of QTS deployments and an improved customer experience.

Secure Storage for Certificates and Private Keys

How do practitioners securely store clients’ private keys in their environment and ensure sole control for signers?

The European Committee for Standardization (CEN) standards for remote signing systems and the ETSI EN 419 241-1,¹ ETSI EN 419 241-2² and ETSI EN 419 221-5³ for cryptographic modules regulate security requirements for key components of remote signing solutions (figure 1).

Figure 1—Remote Signing Solution and Applicable Standards

Source: Adapted from Röck, A.; ETSI ESI and Signature Validation Services, ETSI, 24 October 2018 p. 9, and the European Committee for Standardization (CEN) CEN TC 224, Trustworthy Systems Supporting Server Signing Part 2: Protection Profile for QSCD for Server Signing, 11 May 2018, p. 12

The implementation of a remote signing solution brings new threats and requires additional security controls to respond to those new threats (figure 2).

Figure 2—Examples of Security Controls

| Environment | Threats | Security Controls |
|---|---|---|
| User | Mostly, service providers will reuse existing 2-factor authentication solutions and threats will be the same as those that already exist. | All existing controls; update of transaction risk monitoring—new rules for transactions using qualified electronic signatures |
| Provider | Impersonation during all phases of remote signing: enrollment, usage and storage; attackers: external and internal; targets: regular and privileged users | ETSI EN certification; eIDAS conformity assessment; tamper-resistant controls (i.e., dual control, split knowledge); update of transaction risk monitoring—new rules for transactions using qualified electronic signatures |


Conclusion

eIDAS and technology development provide a solution to the biggest challenges in (qualified) electronic certificates adoption:

  • Business process integration—Using application programming interfaces (APIs) to integrate qualified trust services into business processes
  • Customer experience—Remote electronic signature enables easy-to-use, mostly already deployed 2-factor authentication solutions for access to qualified electronic certificates and private keys for clients

CEN standards for remote signing systems and eIDAS certification programs create a framework that helps organizations find the most suitable and secure solution for remote electronic signature implementation.

Alen Beganovic, CISM, CGEIT

Is a security consultant with more than 20 years of experience in IT and security. During that period, he served 12 years as chief security officer in the biggest bank in Croatia. Currently, he is director and founder of Ethernaut Information Technologies, an IT company focused on cybersecurity and security compliance (specifically, EU Payment Security Directive 2 [PSD2], eIDAS, EU General Data Protection Regulation [GDPR], EU Directive on Security of Network and Information Systems [NIS Directive]).

Endnotes

1 Röck, A.; ETSI ESI and Signature Validation Services, ETSI, 24 October 2018
2 Ibid.
3 Ibid.