QSCD | LuxTrust S.A. | LuxTrust Crypto Box device

Certification Report SRC.00065.QSCD.03.2025
Type of certificationQSCD | Certification of qualified signature and seal creation devices
SRC certificate registration numberSRC.00065.QSCD.03.2025
Valid from11 March, 2025
Valid until10 March, 2030
Certificate holderLuxTrust S.A.
Certified productQualified Signature / Seal Creation Device LuxTrust Crypto Box device
Test method

According to the requirements of article 30 (3) b) of Regulation (EU) No. 910 / 2014, an alternative method was used for the certification process by the conformity assessment body of SRC. A description of the method can be found under the following link:

https://src-zert.de/wp-content/uploads/2020/11/SRC-Notification-of-a-QSCD-security-evaluation-process-server-signing-v1.0.pdf

The audit includes
  • The evaluation of the used Hardware Security Module CryptoServer CP5 according to the protection profile CEN EN 419 221-5,
  • the evaluation of the used Signature Activation Module LuxTrust Crypto-Box SAM according to the protection profile CEN EN 419 241-2 and
  • the certification of the overall product pursuant to the requirements of article 30 (3) b) of Regulation (EU) No. 910 / 2014.
Description

The product “LuxTrust Crypto Box device” is a qualified Signature Creation Device and Seal Creation Device (QSCD), consisting of the Signature Activation Module (SAM) “LuxTrust Crypto-Box SAM”, which is integrated as Firmware-Module in the Hardware Security Module “CryptoServer CP5 version 5.1” of Utimaco.

A Trust Service Provider, which wants to offer a service for generating qualified remote signatures and qualified remote seals compliant to Regulation (EU) No. 910 / 2014, has to technically ensure that the signer’s cryptographic key can be used under the sole control of the signer only. This is ensured by the Signature Activation Module LuxTrust Crypto-Box SAM as follows:

  • The signer is located in his local environment and interacts using a device (e.g. laptop, smartphone) with the Server Signing Application (SSA) in the remote environment, which invokes the external functions provided by the LuxTrust Crypto-Box SAM.
  • The signature operation is performed using the Signature Activation Protocol (SAP), which requires that Signature Activation Data (SAD) is provided by the signer in his local environment. The SAD consists of the digital confirmation of the authentication of the signer including a reference to his signature key and a representation of the data to be signed (DTBS/R).
  • To ensure that the signer has sole control of his signing key, the signing operation must be authorized. Therefore, the LuxTrust Crypto-Box SAM, which handles one endpoint of the SAP, verifies the SAD and activates the signer’s signing key within the cryptographic module CryptoServer CP5 which is mentioned above.

The connected Hardware Security Module is used exclusively for generating signing or sealing keys and for generating qualified electronic signatures or qualified electronic seals.

SRC confirms that the product “LuxTrust Crypto Box device” of LuxTrust S.A. fulfills the requirements of Article 29 (1a) and Annex II of the Regulation (EU) No. 910 / 2014 (eIDAS-Regulation) on qualified Signature Creation Devices and Qualified Seal Creation Devices.