Methods in the certification process

     The NSA certifies secure products for the Qualified Electronic Signature according to the methods set out in point 6. The main requirement for successfully completing the certification process is a product certification from a renowned testing laboratory accredited by the NSA-admitted National Accredited Institution, or a final statement of a security audit from an independent auditor. The requirement arises from the fact that the NSA does not have a laboratory or testing institute able to evaluate all secure products for the Qualified Electronic Signature. This requirement results from the Act [Article 24 (13)]. For the Authority, the output of the audit is the auditor's report on conformity. From the procedural viewpoint, the audit should be performed before the application for certification is submitted, so that the applicant fulfils the requirement of the Act [Article 24 (11), letter b].

     Products for the Qualified Electronic Signature can be divided by type and purpose into the following categories:

according to product purpose:

  •  products for Qualified Electronic Signature Users

  •  products for Certification Service Providers

  •  certificated products for e-Registries working in automatic mode

according to product type:

HW products

  • Cryptographic hardware modules for key protection, intended particularly for providers of accredited certification services, with the supporting SW (e.g. HSM - Hardware Security Module)
  • Products for storing private keys and for creating the qualified electronic signature, intended for the signer or verifier of the qualified electronic signature, with the supporting SW (e.g. SSCD - Secure Signature Creation Device)

Hardware Security Module (HSM)

Use:

     The product can be used for secure generation and administration of private and public keys (key pairs) and for Qualified Electronic Signature creation, especially for signing issued qualified certificates, the list of revoked qualified certificates and Time Stamps.

Secure Signature Creation Device (SSCD)

Use:

     The product can be used for secure generation and storing of private and public keys (key pairs), for Qualified Electronic Signature creation and verification, for use in applications supporting electronic signing, for saving qualified certificates and certificates, and for secure saving of other text or data files.

SSCDs can be divided into two categories from the point of view of their use:

  • Single-purpose SSCDs can be used only for QES creation and must not be used to store keys and data for any use other than QES creation. The basic common attribute of these devices is that entering one password makes operations with all keys accessible. This is because they do not allow setting one password for the key intended for QES creation and another password for keys intended for other uses.
  • Multi-purpose SSCDs contain a separate application for QES, for example SigG, which has its own access settings independent of the other applications located on the SSCD. The user's application for QES communicates with the SSCD application for QES either directly through APDU commands or through a certified PKCS#11 interface that sends APDU commands directly to the SSCD via the chosen communication channel.

The SSCD requirements used in the evaluation process are given in the following international standards:

  • CWA 14169 Secure Signature-Creation Devices "EAL 4+",
  • CWA 14890-1 Application Interface for smart cards used as Secure Signature Creation Devices. Part 1: Basic requirements,
  • CWA 14890-2 Application Interface for smart cards used as Secure Signature-Creation Devices. Part 2: Additional Services.

     It is not possible to use certificated HW products (SSCD – Secure Signature Creation Device) for Qualified Electronic Signature creation and verification without a certificated application (SCVA - Signature Creation & Verification Application).

SW products

  • Software products for the creation and verification of the qualified electronic signature (e.g. SCVA - Signature Creation & Verification Application, SCA - Signature Creation Application, SVA - Signature Verification Application)
  • Certificate administration information systems intended particularly for providers of accredited certification services (e.g. SW TWS – Software for Trustworthy System)

Signature Creation & Verification Application (SCVA), Signature Creation Application (SCA), Signature Verification Application (SVA)

Use:
The product can be used for the Qualified Electronic Signature creation and/or verification in approved formats.

SCVA, SCA, SVA applications can create and/or verify two types of Qualified Electronic Signatures:

  •  CMS signature - CAdES (CMS Advanced Electronic Signature), which can have the formats:
     CAdES-EPES        CMS signature without Time stamp,
     CAdES-EPES-T      CMS signature with Time stamp,
     CAdES-EPES-C-X    CMS signature with the complete information for validity verification,
     CAdES-EPES-A      CMS Archive signature,
     or combinations of the formats above,

  •  XML signature - XAdES (XML Advanced Electronic Signatures), which can have the formats:
     XAdES-EPES        XML signature without Time stamp,
     XAdES-EPES-T      XML signature with Time stamp,
     XAdES-EPES-C-X    XML signature with the complete information for validity verification,
     XAdES-EPES-A      XML Archive signature,
     or combinations of the formats above.

     An Archival signature is intended for long-term archiving of files. To prevent attacks in case the hash algorithm of the signed document is compromised, it is necessary to enclose the signature itself and the signed document with an Archival signature. An Archival signature is verified with the signer's currently valid (not expired) certificate that is in the certification path to a currently trusted root certificate.

     Because of the development of products for the Qualified Electronic Signature in the Slovak Republic, especially secure applications for Qualified Electronic Signature creation and verification, we decided to create an audit method for SW applications for the Qualified Electronic Signature for use in SW product certification. KPMG Slovakia, in co-operation with the NSA, created the audit method for certification of SW applications for the Qualified Electronic Signature. The method ensures a uniform and repeatable way of certifying secure applications for the Qualified Electronic Signature according to the legislative conditions in the Slovak Republic.

Audit’s method of SW applications for Qualified Electronic Signature (pdf, 339.7 kB)

     As the source code of a SW application that the producer gave to the auditor for the independent audit is identical with the source code given to the NSA for certification, the NSA requests that a protocol on the compilation of the application's source code be created and one copy delivered. The compilation must be performed in the presence of the producer, the auditor and representatives of the NSA.

Example of protocol about compilation (Slovak version) (pdf, 109.8 kB)

     The Qualified Electronic Signature can be created and verified only in the secure environment of an SCVS (Signature Creation & Verification System), which includes a certificated secure HW product for Qualified Electronic Signature verification (SSCD) and a certificated SW application (SCVA) that fulfils the supported functions for Qualified Electronic Signature creation and verification.

     If the letter A precedes the designation of a SW product (e.g. A-SCVA), it is a product for the Qualified Electronic Signature working in automatic mode that is intended for co-operation with the Electronic Registry.

     The method is also intended for SW applications working in automatic mode that are intended for co-operation with the Electronic Registry.

 
2010 © NBU SR, Budatínska 30, P.O.BOX 16, 850 07 Bratislava 57