Non-repudiation

Non-repudiation refers to a situation where a statement's author cannot successfully dispute its authorship or the validity of an associated contract. The term is often seen in a legal setting when the authenticity of a signature is being challenged. In such an instance, the authenticity is being "repudiated".

In security

In general, non-repudiation involves associating actions or changes with a unique individual. For example, a secure area may use a key card access system. Here, non-repudiation would be violated if key cards were shared or if lost and stolen cards were not immediately reported. Similarly, the owner of a computer account must not allow others to use it, such as by giving away their password, and a policy should be implemented to enforce this. This prevents the owner of the account from denying actions performed by the account.[1]

In digital security

In digital security, non-repudiation means:[2]

  • A service that provides proof of the integrity and origin of data.
  • An authentication that can be said to be genuine with high confidence.

Proof of data integrity is typically the easiest of these requirements to accomplish. A data hash such as SHA-2 usually ensures that the data cannot be changed undetectably. Even with this safeguard, it is possible to tamper with data in transit, either through a man-in-the-middle attack or phishing. Because of this, data integrity is best asserted when the recipient already possesses the necessary verification information.

The most common method of verifying the digital origin of data is through digital certificates, a form of public key infrastructure that includes digital signatures. Note that the public key scheme is not used for encryption in this form; the goal is not to achieve confidentiality since a message signed with a private key can be read by anyone using the public key. Verifying the digital origin means that the certified/signed data likely came from someone who possesses the private key corresponding to the signing certificate. If the key is not properly safeguarded by the original owner, digital forgery can occur.
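An added example, not part of the original article: it contrasts a bare SHA-256 check with a signature check, and shows that a signature made with a copied private key verifies like any other. The scheme is a Lamport one-time signature built from SHA-256, used as a standard-library stand-in for the certificate-based signatures described above; the messages and function names are constructed for illustration.

```python
import hashlib
import secrets

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def hash_check(data: bytes, digest: bytes) -> bool:
    # A bare hash check: detects change, says nothing about origin.
    return secrets.compare_digest(H(data), digest)

def keygen():
    # Lamport one-time key pair: 256 pairs of random secrets (private)
    # and the SHA-256 hash of each secret (public).
    priv = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pub = [(H(a), H(b)) for a, b in priv]
    return priv, pub

def digest_bits(msg: bytes):
    d = int.from_bytes(H(msg), "big")
    return [(d >> i) & 1 for i in range(256)]

def sign(priv, msg: bytes):
    # Reveal one secret per digest bit. Each key pair must sign one message only.
    return [priv[i][b] for i, b in enumerate(digest_bits(msg))]

def verify(pub, msg: bytes, sig) -> bool:
    if len(sig) != 256:
        return False
    ok = True
    for i, b in enumerate(digest_bits(msg)):
        ok &= secrets.compare_digest(H(sig[i]), pub[i][b])
    return ok

def demo():
    original, altered = b"Pay Bob 100", b"Pay Eve 9000"  # constructed messages
    priv, pub = keygen()    # the recipient obtained pub in advance
    sig = sign(priv, original)
    priv2, pub2 = keygen()  # a second owner whose private key was copied
    forged = sign(list(priv2), altered)
    return {
        # Hash travels with the data: replacing both passes the check.
        "hash_accepts_altered_pair": hash_check(altered, H(altered)),
        # Hash the recipient already possessed: the change is detected.
        "pinned_hash_accepts_altered": hash_check(altered, H(original)),
        "sig_accepts_original": verify(pub, original, sig),
        "sig_accepts_altered": verify(pub, altered, sig),
        # Verification cannot tell the owner from anyone holding the key.
        "copied_key_sig_accepted": verify(pub2, altered, forged),
    }
```
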

Trusted third parties (TTPs)

To mitigate the risk of people repudiating their own signatures, the standard approach is to involve a trusted third party.

The two most common TTPs are forensic analysts and notaries. A forensic analyst specializing in handwriting can compare some signature to a known valid signature and assess its legitimacy. A notary is a witness who verifies an individual's identity by checking other credentials and affixing their certification that the person signing is who they claim to be. A notary provides the extra benefit of maintaining independent logs of their transactions, complete with the types of credentials checked, and another signature that can be verified by the forensic analyst. This double security makes notaries the preferred form of verification.

For digital information, the only TTP is the repository for public key certificates. This lets the recipient verify the origin of an item even if no public information has ever been directly exchanged. The digital signature, however, is forensically identical in both legitimate and forged uses: if someone possesses the private key, they can create a "real" signature. Protecting the private key is the idea behind the United States Department of Defense's Common Access Card (CAC), which never lets the key leave the card. This means that, to use the card for encryption and digital signatures, a person needs the personal identification number (PIN) code necessary to unlock it.

References

  1. Negus, Christopher (2012). Linux Bible. Contributions by Christine Bresnahan. John Wiley & Sons. p. 580. ISBN 9781118286906.
  2. McCullagh, Adrian. Non-Repudiation in the Digital Environment.

This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.