Non-repudiation

Source: Wikipedia, the free encyclopedia.

In law, non-repudiation is a situation where a statement's author cannot successfully dispute its authorship or the validity of an associated contract.[1] The term is often seen in a legal setting when the authenticity of a signature is being challenged. In such an instance, the authenticity is being "repudiated".[citation needed]

For example, Mallory buys a cell phone for $100, writes a paper

digital signatures
can be very hard to break.

In security

In general, non-repudiation involves associating actions or changes with a unique individual. For example, a secure area may use a key card access system where non-repudiation would be violated if key cards were shared or if lost and stolen cards were not immediately reported. Similarly, the owner of a computer account must not allow others to use it, such as by giving away their password, and a policy should be implemented to enforce this.[2]

In digital security

In digital security, non-repudiation means:[3]

  • A service that provides proof of the integrity and origin of data.
  • An authentication that can be said to be genuine with high confidence.
  • An authentication that the data is available under specific circumstances, or for a period of time: data availability.[4]

Proof of data integrity is typically the easiest of these requirements to accomplish. A data

SHA2 usually ensures that the data will not be changed undetectably. Even with this safeguard, it is possible to tamper with data in transit, either through a man-in-the-middle attack or phishing. Because of this, data integrity is best asserted when the recipient already possesses the necessary verification information, such as after being mutually authenticated.[5]

The common method to provide non-repudiation in the context of digital communications or storage is

Digital Signatures, one uses symmetric keys and the other asymmetric keys (provided by the CA). Note that the goal is not to achieve confidentiality: in both cases (MAC or digital signature), one simply appends a tag to the otherwise plaintext, visible message. If confidentiality is also required, then an encryption scheme can be combined with the digital signature, or some form of authenticated encryption could be used. Verifying the digital origin means that the certified/signed data likely came from someone who possesses the private key corresponding to the signing certificate. If the key used to digitally sign a message is not properly safeguarded by the original owner, digital forgery can occur.[7][8][9]

Trusted third parties (TTPs)

To mitigate the risk of people repudiating their own signatures, the standard approach is to involve a trusted third party.[10]

The two most common TTPs are

forensic analysts and notaries. A forensic analyst specializing in handwriting can compare some signature to a known valid signature and assess its legitimacy. A notary is a witness who verifies an individual's identity by checking other credentials and affixing their certification that the person signing is who they claim to be. A notary provides the extra benefit of maintaining independent logs of their transactions, complete with the types of credentials checked, and another signature that can be verified by the forensic analyst. This double security makes notaries the preferred form of verification.[citation needed
]

For digital information, the most commonly employed TTP is a certificate authority, which issues public key certificates. A public key certificate can be used by anyone to verify digital signatures without a shared secret between the signer and the verifier. The role of the certificate authority is to authoritatively state to whom the certificate belongs, meaning that this person or entity possesses the corresponding private key. However, a digital signature is forensically identical in both legitimate and forged uses. Someone who possesses the private key can create a valid digital signature. Protecting the private key is the idea behind some smart cards such as the United States Department of Defense's Common Access Card (CAC), which never lets the key leave the card. That means that to use the card for encryption and digital signatures, a person needs the personal identification number (PIN) code necessary to unlock it.[citation needed]

See also

References

  1. S2CID 209320279
    .
  2. ISBN 978-1-118-28690-6
    .
  3. ^ Non-Repudiation in the Digital Environment (Adrian McCullagh)
  4. S2CID 204749727
    .
  5. S2CID 218934756
    .
  6. PMID 36798451
    .
  7. doi:10.1016/j.jcss.2013.03.001
    .
  8. ^ "What are the differences between a digital signature, a MAC and a hash?".
  9. ProQuest 2178518357
    .
  10. ISBN 978-3-540-70707-3
    .

External links
Retrieved from "https://en.wikipedia.org/w/index.php?title=Non-repudiation&oldid=1185618815"