Qualified E-seal on hardware security modules for high performance in data center operation
secrypt GmbH offers a complete solution consisting of the server software digiSeal server and a certified HSM for high-performance e-seal applications in business, public administration and healthcare.
Berlin, 25.09.2019. For larger companies and organisations in business, public administration and healthcare that run their own data centres, a certified HSM combined with digiSeal server now allows high-throughput, flexible, eIDAS-compliant e-seal processes, e.g. for digital account statements, official notices, hospital patient records, digital invoices, or the authentication of FinTechs accessing accounts in accordance with PSD2 (Payment Services Directive 2). Digital documents and data that carry a qualified e-seal can be checked for integrity and authenticity by independent third parties on the basis of uniform EU-wide standards, an essential prerequisite for trust in electronic business processes and workflows.
Server software digiSeal server integrates e-seals into IT processes
digiSeal server integrates e-seals, e-signatures and timestamps for any data format, e.g. PDF or XML, into line-of-business applications such as DMS or ERP systems and other specialised processes, via various interfaces such as a web service. A role concept with separate access rights for administrators and users allows seal authorisations to be granted and withdrawn.
Hardware security modules for very high data throughput and flexibility
For sealing processes that require a very high document or data throughput, a high degree of automation and/or several e-seal certificates in parallel, sealing cards are a technical and organisational bottleneck. Current sealing cards using RSA with a 2,048-bit key deliver roughly one seal per second, i.e. 3,600 seals per hour, whereas hardware security modules (HSMs) currently on the market, usually built as 19-inch rack units, achieve up to 3,200 seals per second, i.e. approx. 11.5 million seals per hour. In addition, an HSM can hold many different e-seal keys and operate them in parallel.
Requirements for HSM operation
To hold qualified e-seal keys, the HSM must be certified, e.g. under the “Common Criteria for Information Technology Security Evaluation (CC)”, against the protection profile prEN 419 221-5 “Protection Profiles for TSP Cryptographic Modules – Part 5: Cryptographic Module for Trust Services”. In addition, the HSM must be operated at the user’s site in a secure data centre, one that has, for example, an access control system.
ENISA (the European Union Agency for Cybersecurity) supports this use case in its publication “Assessment of Standards related to eIDAS – Recommendations to support the technical implementation of the eIDAS Regulation” from November 2018.
How does a legal entity obtain an e-seal?
The e-seal is an EU-wide recognised signing instrument for legal entities such as a public limited company (AG), a limited liability company (GmbH) or an institution under public law (AöR). It is the digital company stamp for private-sector companies and organisations, public authorities and healthcare institutions. Qualified e-seals are issued by qualified trust service providers (German: VDA, also known as “trust centres”), which are subject to strict legal and regulatory requirements. The VDA securely identifies the legal entity: as a rule, a natural person authorised to sign for the organisation is identified in person, for example using the PostIdent procedure, together with the necessary supporting documents such as an extract from the commercial register. After successful identification, the VDA generates an individual e-seal certificate together with a secret private key, with which e-seals are created using strong cryptographic procedures.
The e-seal key must be stored on secure certified hardware, a so-called “secure seal creation unit” (German: SSEE; in eIDAS terms a qualified electronic seal creation device), so that it cannot be misused by unauthorised persons. The qualified VDAs offer sealing cards, i.e. smartcards with a crypto chip, which can be used for both single-seal and mass-seal processes. Creating an e-seal requires entering a PIN, which the VDA sends in a PIN letter.
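The seal-and-verify flow described above (a private key that never leaves the sealing card or HSM, a seal computed over the document, and an independent third party checking integrity and authenticity with nothing but the public key from the seal certificate), as an added example that is not code from secrypt or from digiSeal server. It uses only Go's standard library: an in-memory RSA-2048 key stands in for the HSM-held key, the invoice text is a constructed sample, and RSA-PSS over SHA-256 is an assumed signature scheme, not what any particular VDA uses. A real qualified seal is a PAdES/XAdES/CAdES structure that also embeds the certificate; this example shows only the cryptographic core. The SealsPerSecond helper measures the software rate so the sealing-card and HSM figures given earlier can be compared against it.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"time"
)

// Sealer stands in for the key holder (sealing card or HSM): it keeps the
// private key and only hands out seals. Here the key is an in-memory
// RSA-2048 key (assumption); in production it never leaves the certified hardware.
type Sealer struct {
	priv *rsa.PrivateKey
}

// NewSealer generates an RSA-2048 key pair, the key length named in the text.
func NewSealer() (*Sealer, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Sealer{priv: priv}, nil
}

// PublicKey returns the public half, i.e. what the e-seal certificate carries.
func (s *Sealer) PublicKey() *rsa.PublicKey {
	return &s.priv.PublicKey
}

// Seal hashes the document with SHA-256 and signs the digest with RSA-PSS
// (the signature scheme is an assumption, not what any particular VDA uses).
func (s *Sealer) Seal(document []byte) ([]byte, error) {
	digest := sha256.Sum256(document)
	return rsa.SignPSS(rand.Reader, s.priv, crypto.SHA256, digest[:], nil)
}

// VerifySeal is the third-party check: it needs only the document, the seal
// and the public key from the seal certificate, never the private key.
func VerifySeal(pub *rsa.PublicKey, document, seal []byte) bool {
	digest := sha256.Sum256(document)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], seal, nil) == nil
}

// SealsPerSecond counts how many seals the sealer produces within window and
// returns the rate, for comparison with the ~1/s (sealing card) and up to
// 3,200/s (HSM) figures quoted in the text.
func SealsPerSecond(s *Sealer, document []byte, window time.Duration) (float64, error) {
	start := time.Now()
	deadline := start.Add(window)
	n := 0
	for time.Now().Before(deadline) {
		if _, err := s.Seal(document); err != nil {
			return 0, err
		}
		n++
	}
	return float64(n) / time.Since(start).Seconds(), nil
}

func main() {
	sealer, err := NewSealer()
	if err != nil {
		panic(err)
	}
	// Constructed sample document standing in for a digital invoice.
	invoice := []byte("Invoice 2019-0001: 1,234.56 EUR, due 2019-10-25")
	seal, err := sealer.Seal(invoice)
	if err != nil {
		panic(err)
	}
	pub := sealer.PublicKey()

	// Unmodified document: integrity and authenticity confirmed.
	fmt.Println("original verifies:", VerifySeal(pub, invoice, seal))
	// One digit changed after sealing: the seal no longer matches.
	tampered := bytes.Replace(invoice, []byte("1,234.56"), []byte("9,234.56"), 1)
	fmt.Println("tampered verifies:", VerifySeal(pub, tampered, seal))
	// Seal checked against a different legal entity's key: authenticity fails.
	other, err := NewSealer()
	if err != nil {
		panic(err)
	}
	fmt.Println("other key verifies:", VerifySeal(other.PublicKey(), invoice, seal))

	rate, err := SealsPerSecond(sealer, invoice, 500*time.Millisecond)
	if err != nil {
		panic(err)
	}
	fmt.Printf("software sealer: %.0f seals/s\n", rate)
}
```

Run with `go run`: the first check prints true, the tampered and wrong-key checks print false. The only step that would change when moving to the described setup is Seal, which becomes a call into the HSM (via PKCS#11 or the vendor's interface) that returns the signature without ever exposing the key; VerifySeal stays exactly as it is, which is the point of third-party verification.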