Remote Signing/Signature is a new concept introduced after the eIDAS regulation (910/2014) and has been updated since then. eIDAS defines an open concept and technical standards for Remote Signature, where the user's signing keys are held under the user's sole control and all signature operations are performed in a remote Hardware Security Module (HSM). eIDAS has also defined a mechanism to certify products based on the regulation. This makes it possible to create secure, cost-efficient products based on open standards.
The Remote Signature Solution provides a scalable, highly available service that offers a mechanism to securely authenticate users and create signatures. The solution is a modular platform that organizations can use to offer, implement and deliver managed digital signature services to application providers and end users.
A Remote Signature implementation enables users to sign from their smartphones, which act as Qualified or Secure Signature Creation Devices (QSCD/SSCD) and receive and send authentication and signature requests on behalf of the user. Methics provides a reference implementation and SDK of our QSCD, called the Alauda PBY app. The functionality and security features of the solution are centered on protecting this operation, the signer, and the keys used for signature generation.
The Kiuru Signature Activation Module (SAM) and a CryptoModule, commonly known as a Hardware Security Module (HSM), are placed in a tamper-protected environment, where user keys are generated whenever a new user is onboarded. Kiuru SAM monitors the HSM connection. Moreover, when connected to the Kiuru Mobile Signature Service Provider (MSSP), it uses the Signature Activation protocol (a.k.a. the Alauda PBY protocol or B17 key splitting) and SRP6(b) protocols to send and receive requests to and from the Alauda PBY app.
The Remote Signing solution protects the user's signing key and the signing process with sophisticated technology and open standards. In compliance with the eIDAS standards (EN 419 241-1 and EN 419 241-2), electronic signature creation data can be managed remotely by a trust service provider on behalf of the signatory.
The Kiuru Remote Signature Solution, which produces Remote Signatures, is certified to Common Criteria EAL 4+ under EN 419241-2:2019 and ISO 15408. Authentication and remote signing can be integrated via a REST or SOAP API. API libraries are also available in SDK format for integration into your existing app. Methics has long experience of working with the world's leading HSM providers (such as Thales, Utimaco, Entrust and Securosys), making the solution compatible with external hardware.
Methics also makes it possible to implement Remote Signing with SIM cards by installing the B17 applet on SIM cards (older versions of cards that do not have PKI components). Read here about how Methics is implementing eIDAS-compliant Remote Signing through SIM cards.
Feel free to get in touch with us if you want user-friendly software for your TSP, want to implement an authentication/sign-in service or a document signing solution, or want to increase user adoption of your PKI services.
References:
- ETSI TS 119 432: Electronic Signatures and Infrastructures (ESI); Protocols for remote digital signature creation
- EN 419 241-1: Trustworthy Systems Supporting Server Signing – Part 1: General System Security Requirements
- EN 419 241-2: Trustworthy Systems Supporting Server Signing – Part 2: Protection profile for QSCD for Server Signing