InfoSec Notes
Understanding non-repudiation as a security service that provides undeniable proof of origin, delivery, or action, covering digital signatures, timestamps, and legal frameworks.
What is Non-Repudiation?
Non-repudiation is a security service that provides irrefutable evidence that a specific action was performed by a specific entity. It prevents a party from denying their involvement in a communication or transaction.
How Non-Repudiation Works
Digital Signatures — The Primary Mechanism
Non-Repudiation via Digital Signature
=========================================
Alice (Signer) Bob (Verifier)
| |
1. Creates document |
2. Hashes document (SHA-256) |
3. Encrypts hash with |
PRIVATE key → Signature |
4. Sends: document + signature |
| |
|------- document + signature -------->|
| |
| 5. Gets Alice's PUBLIC key
| 6. Decrypts signature → hash1
| 7. Hashes document → hash2
| 8. Compares: hash1 == hash2?
| |
| If MATCH:
| ✓ Alice signed this (non-repudiation)
| ✓ Document not modified (integrity)
| |
Alice CANNOT deny signing because
- Only her private key could produce this signature
- Private key is (assumed) known only to Alice
- Certificate authority vouches for key ownership
Python Implementation
Non-Repudiation vs Authentication vs Integrity
| Property | Question Answered | Mechanism | Provability |
|---|---|---|---|
| Authentication | "Who are you?" | Passwords, MFA | Internal only |
| Integrity | "Has data changed?" | Hashes, MACs | Detects tampering |
| Non-repudiation | "Can you deny doing this?" | Digital signatures | Legal/third-party |
Key distinction: MACs provide integrity but NOT non-repudiation because both parties share the secret key (either could have created the MAC). Digital signatures provide non-repudiation because only the private key holder can create the signature.
Applications of Non-Repudiation
Email (S/MIME and PGP)
S/MIME Signed Email
=====================
From: ceo@company.com
To: board@company.com
Subject: Q4 Results Approved
[Message body]
--- PKCS#7 Digital Signature ---
Signer: CN=CEO, O=Company Inc
Certificate: issued by DigiCert
Algorithm: RSA-SHA256
Timestamp: 2024-01-15T10:30:00Z
Signature: [base64 encoded signature]
---
The CEO cannot deny approving these results because
1. Only their private key could produce this signature
2. Their certificate (issued by trusted CA) binds key to identity
3. Timestamp proves when signature was created
Blockchain as Non-Repudiation
Blockchain provides inherent non-repudiation through:
- Transaction signing with private keys
- Immutable distributed ledger
- Consensus-based timestamp ordering
- Public verifiability
Legal Considerations
For non-repudiation to hold legally:
- Key management — Private key must be proven to be under sole control of signer
- Certificate validity — Certificate must be valid at time of signing
- Timestamp — Trusted timestamp proves when signature was created
- Revocation checking — Key must not have been revoked at signing time
- Algorithm strength — Cryptographic algorithms must be considered secure
Interview Questions
- What is non-repudiation and how does it differ from authentication?
- Non-repudiation provides proof that cannot be denied by the performing party, even to a third party or in court. Authentication only proves identity to the verifying system. You can authenticate with a shared password, but that doesn't provide non-repudiation since both parties know the password.
- Why do MACs not provide non-repudiation while digital signatures do?
- MACs use a shared secret key — both sender and receiver can create valid MACs, so neither can prove the other created it. Digital signatures use asymmetric keys — only the private key holder can sign, and anyone with the public key can verify, making denial impossible.
- What role does a Timestamp Authority play in non-repudiation?
- A TSA provides trusted proof of when a signature was created. This is crucial because it proves the signing key was valid at that time (not yet expired or revoked), establishes the timeline of events, and prevents backdating of signatures.
- Give an example where non-repudiation is legally required.
- Electronic contracts (eIDAS regulation in EU), financial trading confirmations (MiFID II), healthcare prescriptions (DEA requirements for e-prescribing), tax filings (IRS e-file signatures), and corporate board resolutions.
- What happens to non-repudiation if a signer claims their private key was stolen?
- This is why key management practices matter. Organizations must demonstrate proper key protection (HSMs, PIN-protected tokens). If key theft is claimed, the timestamp becomes crucial — signatures made before reported theft may still be valid, while those after the compromise report are not.
Summary
Non-repudiation is the strongest form of accountability — it provides mathematically verifiable proof that a specific entity performed a specific action. Through digital signatures, trusted timestamps, and proper certificate management, organizations can create evidence that holds up to legal scrutiny and prevents parties from denying their actions.
Exam Focus
Revise definitions, diagrams, examples, and short-answer points for Non-Repudiation in Information Security.
Interview Use
Prepare one clear explanation, one practical example, and one common mistake for this Information Security topic.
Search Terms
information-security, information security, information, security, fundamentals, non, repudiation, non-repudiation in information security
Related Information Security Topics