Entrust Enables Antel to Build Digital Identity and Signing Infrastructure for Uruguay

The primary objective of the project was to construct a secure nationwide electronic identity and signing infrastructure that Uruguayans would trust and use. This required the system to be safe, secure, reliable, and easy to use and access. Antel saw two main challenges:

• Identifying human users in the digital context and being confident the user was whom they said they were (identify and authenticate)
• Encouraging mass adoption of the system through ease of use, and establishing trust in digital identification replacing physical presence and electronic signatures as valid and viable alternatives to traditional pen and ink signatures

The solution to the first challenge was to build an electronic identification service (mapped to local and international standards) that could authenticate the identity of the applicant and generate a digital identity.

Because some ways of applying for digital credentials are more secure than others, the electronic identification service Antel deployed is able to grant credentials with different security levels. For example, a person might apply in person with paper credentials, such as a passport, and provide an electronic fingerprint. The system would grant this kind of application the highest level of security, which would enable the online equivalent of signing a document in front of a public notary. Another individual might apply online and authenticate using their national ID card and a simultaneous computer-generated photograph. This would receive a lower security level.

According to Daniel Fuentes, Vice President at Antel, when the project began, the advanced electronic signature was already legislated in Uruguay and under serious consideration by the majority of public and private organizations that interact digitally with each other and their stakeholders. However, users did not want to use physical devices like smart cards with readers, nor download drivers and plugins to perform a digital signature. Instead, they wanted a more simple and straightforward process using their computer, smartphone, or tablet for digital signing in multiple places and situations without installing anything.

To address this, the system incorporates the electronic signature with centralized custody of keys. The keys are housed, but in the cloud by a TSP. TSPs, as defined by Uruguay law and eIDAS, are responsible for assuring the electronic identification of signatories and services by using strong mechanisms for authentication, digital certificates, and electronic signatures. The TSP uses the cryptographic keys to apply authorized signatures whenever they are expressly requested by the owner. Access to this highly secure signing system requires the electronic identification of the individual who wishes to sign, and this relies on the verified identification system described above.

The central challenge for this entire project was to build a trust service provider (TSP) in the cloud where Uruguayans could establish and authenticate their identities and then use those identities to access digital services and sign digital documents. Antel project managers and consultants knew this TSP would require the use of hardware security modules (HSMs) to protect the keys and create signatures. They chose the Entrust Remote Signing Engine with Entrust nShield HSMs because of their long-standing reputation for quality, value, and support.

In addition, the Entrust Remote Signing Engine complies with all the requirements for TSPs in Uruguay (PSCo, by its Spanish acronym), and is also a qualified signature creation device (QSCD). It uses Entrust nShield HSM devices as cryptographic modules for the generation and protection of the signature creation data (SCD) under the European Union’s electronic Identification, Authentication, and Trust Services (eIDAS) standards.

Entrust nShield HSMs are hardened, tamper-resistant hardware devices that strengthen encryption practices by generating keys, encrypting and decrypting data, and creating and verifying digital signatures. Besides being certified as QSCDs under the eIDAS standard, the Entrust nShield Connect HSMs that Antel employs are also certified to FIPS 140-2 Level 3 and Common Criteria EAL4+. The use of HSMs is considered a best practice among security professionals, enabling organizations to meet and exceed established regulatory standards for cybersecurity. HSMs achieve higher levels of data security and trust. They also maintain high service levels and business agility.

Antel created a cryptographic platform using Entrust’s Remote Signing Engine and PKI solutions, deployed in several EMEA and LATAM TSPs. This platform:

• Incorporates a public key infrastructure (PKI), which generates digital certificates and manages them as identity attributes
• Validates user identities using multiple authentication methods and manages trust identity levels according to local and international standards (NIST and eIDAS)
• Includes an electronic signature provider, allowing the users to remotely sign documents with their digital certificate and keys in the central HSM infrastructure
• Provides web services APIs for integrating authentication and electronic signature user methods

Entrust is a leading provider of security software for PKI, multi-factor authentication, electronic signature, and data encryption, and for the protection of electronic transactions.

Interfase Uruguay, the system integrator that implemented the solution based on the Entrust Remote Signing Engine and PKI with Antel, has been supported by Neodata local nShield certified systems engineers. Together, they have developed a unique value proposition as a trusted security adviser in applied HSM cryptography for this type of project.