Non-repudiation
Non-repudiation refers to a state of affairs where the purported maker of a statement will not be able to successfully challenge the validity of the statement or contract. The term is often seen in a legal setting wherein the authenticity of a signature is being challenged. In such an instance the authenticity is being "repudiated".
Non-repudiation in digital security
Regarding digital security, the cryptological meaning and application of non-repudiation shifts to mean:
- A service that provides proof of the integrity and origin of data.
- An authentication that with high assurance can be asserted to be genuine.
Proof of data integrity is typically the easiest of these requirements to accomplish. A data hash, such as SHA-2, is usually sufficient to establish that the likelihood of data being undetectably changed is extremely low. Even with this safeguard, it is still possible to tamper with data in transit, either through a man-in-the-middle attack or phishing. Due to this flaw, data integrity is best asserted when the recipient already possesses the necessary verification information.
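The following Python sketch is an added example, not part of the original article. It shows why a digest that travels with the data detects accidental corruption but not deliberate alteration, while a digest the recipient already holds detects both. The messages and all function names are constructed for illustration.

```python
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_bundle(payload: bytes) -> dict:
    """Sender ships the payload together with its own SHA-256 digest."""
    return {"payload": payload, "digest": sha256_hex(payload)}


def alter_in_transit(new_payload: bytes) -> dict:
    """Models the in-transit change described above: whoever can rewrite
    the payload can also recompute the digest that travels with it."""
    return make_bundle(new_payload)


def check_bundled(bundle: dict) -> bool:
    """Weak check: payload compared only with the digest that arrived with it."""
    return hmac.compare_digest(sha256_hex(bundle["payload"]), bundle["digest"])


def check_pinned(bundle: dict, pinned_digest: str) -> bool:
    """Stronger check: payload compared with a digest the recipient already held."""
    return hmac.compare_digest(sha256_hex(bundle["payload"]), pinned_digest)


# Constructed sample data.
ORIGINAL = b"Pay 100 EUR to account 12345"
ALTERED = b"Pay 900 EUR to account 99999"
# Assumption: this digest reached the recipient beforehand over a separate channel.
PINNED = sha256_hex(ORIGINAL)


def demo() -> dict:
    clean = make_bundle(ORIGINAL)
    corrupted = {"payload": ALTERED, "digest": clean["digest"]}  # digest left stale
    altered = alter_in_transit(ALTERED)                          # digest recomputed
    return {
        "clean_bundled": check_bundled(clean),
        "clean_pinned": check_pinned(clean, PINNED),
        "corrupted_bundled": check_bundled(corrupted),
        "altered_bundled": check_bundled(altered),   # change goes unnoticed
        "altered_pinned": check_pinned(altered, PINNED),  # change is detected
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```
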
The most common method of asserting the digital origin of data is through digital certificates, a form of public key infrastructure, to which digital signatures belong. They can also be used for encryption. The digital origin only means that the certified/signed data can be, with reasonable certainty, trusted to be from somebody who possesses the private key corresponding to the signing certificate. If the key is not properly safeguarded by the original owner, digital forgery can become a major concern.
Trusted third parties (TTPs)
The ways in which a party may attempt to repudiate a signature present a challenge to the trustworthiness of the signatures themselves. The standard approach to mitigating these risks is to involve a trusted third party. The two most common TTPs are forensic analysts and notaries. A forensic analyst specializing in handwriting can look at a signature, compare it to a known valid signature, and make a reasonable assessment of the legitimacy of the first signature. A notary provides a witness whose job is to verify the identity of an individual by checking other credentials and affixing their certification that the party signing is who they claim to be. Further, a notary provides the extra benefit of maintaining independent logs of their transactions, complete with the type of credential checked and another signature that can independently be verified by the preceding forensic analyst. For this double security, notaries are the preferred form of verification.
On the digital side, the only TTP is the repository for public key certificates. This provides the recipient with the ability to verify the origin of an item even if no direct exchange of the public information has ever been made. The digital signature, however, is forensically identical in both legitimate and forged uses - if someone possesses the private key they can create a "real" signature. The protection of the private key is the idea behind the United States Department of Defense's Common Access Card (CAC), which never allows the key to leave the card and therefore necessitates the possession of the card in addition to the personal identification number (PIN) code necessary to unlock the card for permission to use it for encryption and digital signatures. No practical solution yet exists to the digital equivalent of the problem that notaries address with physical signatures.