Skip to main content

Entrust nShield 5 Hardware Security Module Achieves Common Criteria EAL4+ Certification

Jun

27

2024

Time to read

Read so far

Written by: 

Maria Fravventura
  &  
Andrew Tweedie

Time to read

Written by: 

 & 
FFY25_Q1_dss-nshield-hsm-blog-1200x627

The certifications that cybersecurity products have achieved should be an important consideration when evaluating which products to include in your IT infrastructure. Examples of these certifications include the globally recognized Common Criteria certification.

Entrust nShield hardware security modules (HSMs) have long been trusted to deliver a secure root of trust for organizations. We are excited to share that nShield 5, the most recent addition to the nShield family of HSMs, has received Common Criteria EAL4+ (augmented with ALC_FLR.2 and AVA_VAN.5) certification against requirements in EN 419 221-5:2018, Protection Profile for Trusted Service Provider Cryptographic Modules – Part 5 Cryptographic Module for Trust Services. These industry standards for HSMs are specifically designed to meet eIDAS requirements.

Achieving this milestone attests that the nShield 5 HSM has been evaluated, tested, and certified against the rigorous and internationally recognized Common Criteria standard, helping you comply with regulations while also giving you the confidence you need in your security solution.

In particular, our Common-Criteria-certified product ensures:

  • Use of approved cryptographic algorithms (following the NIST and SOG-IS recommendations)
  • Generation of high-quality random numbers (compliant with AIS 20/31, and with SP 800-90B and SP 800-90Arev1)
  • Strict user authorization requirements to access keys, as well secure key import and export
  • Tamper resistance of the PCIe card as provided by the hard epoxy potting
  • Tamper detection and secure zeroization
  • Secure booting and self-tests
  • Detection of hardware or software failures (out-of-range environmental conditions, RNG hardware failure, software corruption)
  • Generation of integrity-protected audit records
  • Compliance with eIDAS requirements for local signing and sealing, as well as suitability of nShield 5 to be used as part of an eIDAS-approved solution for remote signing and sealing

Coverage of the technical requirements listed above has been achieved during the certification process through formal and rigorous assurance activities, aiming at demonstrating the:

  • Soundness of the product’s architecture and correctness of the implementation
  • Effectiveness of security features, as verified with extensive testing
  • Sufficiency of security policies, user guidance, and manuals
  • Resistance of the product against a highly skilled and highly motivated attacker, as demonstrated through a detailed independent vulnerability analysis of overall architecture as well as open-source and proprietary components
  • Maturity of development processes and manufacturing practices, resulting from a well-established security posture throughout the entire product lifecycle

eIDAS Regulation and Compliance

In addition to the Common Criteria EAL4+ certification, the nShield 5 HSM is also approved against the requirements of the European Union’s eIDAS (electronic identification, authentication and trust services) Regulation. This means that the nShield 5 can be used as part of an eIDAS-compliant solution for digital signatures and seals, available here. eIDAS compliance is required in the European Union and has been adopted by many other countries around the world for government-to-government and government-to-citizen services, provision of public services and website certificates, and regulated markets such as banking, financial services, and healthcare. eIDAS can be applied to any cross-border services such as car rental, or whenever a business wants to ensure the legal validity of an electronic signature.

nShield 5 products

Figure 1: The Common Criteria certified nShield 5s PCIe HSM (on the right) and nShield 5c network appliance with embedded PCIe HSM (on the left)

About Common Criteria

The international Common Criteria standard was developed to unify and supersede national IT security certification schemes from several different countries, including the U.S., Canada, Germany, United Kingdom, France, Australia, and New Zealand. Common-Criteria-certified solutions are required by governments and enterprises around the world to protect their mission-critical infrastructures. Common Criteria is often a prerequisite for qualified digital signatures under the European Union digital signature laws. Under Common Criteria, a product is evaluated to one of seven specific Evaluation Assurance Levels (EALs).

About eIDAS

The eIDAS Regulation is an EU-wide regulation introduced in 2014, defining a legal framework and criteria for standardization and protection (among others) of electronic signatures and seals, with a particular focus on Qualified Electronic Signatures, i.e. signatures and seals under the sole control of the signatory and with the usage of Qualified Signature/Seal Creation Devices (QSCDs) operated in a trusted environment by Qualified Trust Service Providers (QTSPs).

All approved QSCDs are publicly listed here. Qualified Trust Service Providers are mandated to source their QSCD solutions from this list to comply with the eIDAS regulation.

The goal of the eIDAS Regulation is to encourage the creation of a single European market for secure, efficient, and harmonized e-commerce, establishing trust in electronic transactions between individuals, organizations, and government entities across European Member States. Under eIDAS, citizens and businesses can use their native national electronic identification schemes (eIDs) when accessing public services within other EU Member States that use eIDs. This regulation implements standards for electronic signatures, timestamps, electronic seals, and other proof of authentication, including electronic certification and registered delivery services that give those electronic transactions the same legal status as if they were conducted on paper.

About Entrust nShield HSMs

Entrust nShield HSMs are hardened, tamper-resistant devices that protect your company’s most sensitive data. They perform cryptographic functions such as generating, managing, and storing encryption and signing keys, as well as executing sensitive functions within their protected boundaries.

Learn more here.