{"title":"Device Centric Cloud Signature Solution under eIDAS Regulation","authors":"P. Scurtu, V. Patriciu","doi":"10.32754/JMT.2020.2.08","DOIUrl":null,"url":null,"abstract":"Under the new eIDAS Regulation, qualified electronic signatures are equivalent, from a legal standpoint, to handwritten signatures. Traditional signature solutions make use of cryptographic materials stored in secure devices in the possession of clients, while remote or cloud signature solutions rely on a trusted service provider which manages the private keys and produces signatures remotely. This shifts the burden of handling the keys away from clients and assigns this duty to a specialist in the field. As opposed to a classical Qualified Electronic Signature, a cloud-based solution has to solve a set of specific problems: the integrity of the data submitted must be ensured, the user’s intent to create a digital signature must be demonstrated, and the owner of the cryptographic key must be the only entity capable of using this cryptographic material. A device-centric solution based on a simple mobile device application is proposed. This solution leverages advancements in device technology such as the inclusion of Trusted Execution Environments (TEEs) on end-user terminals. Furthermore, in comparison to similar solutions, the costs have been reduced by replacing cryptographic solutions based on SMS messages or cryptographic tokens with a device-native implementation.","PeriodicalId":315050,"journal":{"name":"Journal of Military Technology","volume":"33 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2020-12-28","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"1","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Journal of Military Technology","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.32754/JMT.2020.2.08","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citation count: 1
Abstract
Under the new eIDAS Regulation, qualified electronic signatures are equivalent, from a legal standpoint, to handwritten signatures. Traditional signature solutions make use of cryptographic materials stored in secure devices in the possession of clients, while remote or cloud signature solutions rely on a trusted service provider which manages the private keys and produces signatures remotely. This shifts the burden of handling the keys away from clients and assigns this duty to a specialist in the field. As opposed to a classical Qualified Electronic Signature, a cloud-based solution has to solve a set of specific problems: the integrity of the data submitted must be ensured, the user’s intent to create a digital signature must be demonstrated, and the owner of the cryptographic key must be the only entity capable of using this cryptographic material. A device-centric solution based on a simple mobile device application is proposed. This solution leverages advancements in device technology such as the inclusion of Trusted Execution Environments (TEEs) on end-user terminals. Furthermore, in comparison to similar solutions, the costs have been reduced by replacing cryptographic solutions based on SMS messages or cryptographic tokens with a device-native implementation.