WHAT IS HSM?
HSM stands for Hardware Security Module. It is a dedicated hardware device designed to securely manage cryptographic keys and perform cryptographic operations. HSM's provide a highly secure environment for key storage, generation, and management, offering protection against key theft,tampering, and unauthorized access.
CryptoServer CP5
The certified HSM for Generation and Storage of Qualified Certificates for Electronic Signatures and Seals
- Specifically designed for eIDAS-compliant qualified signatures and seals, remote signing and the issuing of qualified certificates.
- Common Criteria-certified according to the eIDAS Protection Profile (PP) EN 419 221-5 “Cryptographic Module for Trust Services”
- Supports Trust Service Providers (TSPs) in fulfilling policy and security requirements by deploying and maintaining HSMs to be used as qualified devices for electronic signature creation.
- Includes a software simulator for evaluation and integration testing
Product Description
To help facilitate interoperability and acceptance across borders, the eIDAS regulation created a common framework for secure electronic signatures, including standardized assurance levels.
Qualified certificates must be stored on a qualified signature creation device (QSCD or QSigCD) and in order to provide eSignature services, a qualified trust service provider (QTSP) is required.
UTIMACO’s CryptoServer CP5 is a Qualified Signature/ Seal Creation Device which is operated in the secure environment of a QTSP to provide users with a remote signing functionality. When used in combination with qualified certificates, the QSCD generates qualified electronic signatures or seals as defined in eIDAS. (QSigCD) and Qualified Seal Creation Device (QSealCD). It is Depending on the technology and validation behind the signature, certain types of signatures are inherently more trustworthy than others, withstanding higher legal scrutiny. Therefore, for use cases requiring qualified trust services such as government agencies, public administration, and enterprises; the CryptoServer CP5 provides the highest levels of assurance and conformity for efficient signing transactions, as a part of an eIDAS-compliant solution.
The CryptoServer CP5 offers various customization options such as extending it with a Signature Activation Module (SAM) running inside the certified HSM boundary and following the requirement of Protection Profile EN 419 241-2 by utilizing the CryptoServer SDK development kit.
This combined solution enables Trust Service Providers to provide server signing for remote signatures and seals.
The included Software Simulator enables evaluation and testing of all CryptoServer CP5 use case integration with business applications before the deployment into production.
- Can be used for additional applications such as Timestamping and OCSP (Online Certificate Status Protocol)
- Secure key storage and processing inside the hardened boundary of the HSM
- High-quality true random number generator to ensure uniqueness of keys
- Configurable role-based access control and separation of functions
- 2-factor authentication with smartcards
- “m of n” quorum authentication
- RSA, ECDSA with NIST and Brainpool curves
- ECDH with NIST and Brainpool curves
- AES
- CMAC, HMAC
- SHA-2, SHA-3
- Hash-based deterministic random number generator (DRG.4 acc. AIS 31)
- True random number generator (PTG.2 acc. AIS 31
- up to 3,000 RSA or 2,500 ECDSA signing operations
- PKCS #11
- Cryptography Next Generation (CNG)
- Key authorization API and tool
- Utimaco‘s comprehensive Cryptographic eXtended services Interface (CXI)
- Efficient key management and HSM administration including firmware updates via remote access
- Automation of remote diagnosis via Simple Network Management Protocol (SNMP)
- Common Criteria EAL4+ certified according to Protection Profile EN 419 221- 5 (further information is available on the Common Criteria Portal) as well as to point 23 and 32 of Article 2 of Regulation 910/2014 (eIDAS) (further information is available on the EU Trust Services Dashboard)
- Server Signing acc. EN 419 241-2
- ETSI Policy and Security Requirements (e. g. EN 319 401, EN 319 411, EN 319 421, C-ITS)
- CE, FCC Class B
- RoHS III, WEEE
- UL, IEC/EN 60950-1, IEC/EN 62368-1
- CB certificate
- HSM Simulator with all CryptoServer CP5 functionalities
- Fully functional runtime including all administration and configuration tools
- For evaluation and integration testing of CryptoServer CP5 before deployment in production