What are some examples of non-repudiation techniques?

Cyber SecurityAnti VirusSafe & Security

The certainty that someone cannot dispute the legitimacy of anything is known as non-repudiation. Non-repudiation is a regulatory notion commonly used in cybersecurity and refers to the service that confirms the origin and integrity of data. It assures that no party can deny sending or receiving a communication using encryption and digital signatures. It cannot also contest the legitimacy of its digital signature on a document.

Non-repudiation provides evidence of data's origin, authenticity, and integrity. It verifies the sender that the information is sent and the recipient's identity to the receiver. Neither side can dispute that communication happened or was processed in this manner.

Non-repudiation uses cryptography, similar to digital signatures, and comprises authentication, auditing, and logging services. Non-repudiation can be accomplished in a variety of methods, such as the digital signing of log data as a checksum during collection or using secured storage media.

In Data Audit Logs

Typically, a digital signature supplied in a hash algorithm is computed against the log file at the time of collection. The output of this computation is a checksum that is used to verify that the files have not been manipulated. If the file is updated in any manner, the hash generates a different value, and the log file fails the integrity check. If the checksum is correct, the log is confirmed to be in its original state.

In Online Transactions

In online transactions, Digital signatures guarantee that a party cannot subsequently dispute delivering information or question the legitimacy of its signature in online transactions. A digital signature is formed by pairing an encrypted key and a public key. Only the holder of the encrypted key has access to this key and can generate this signature, confirming that that holder electronically signed a document, which assures that a person cannot subsequently dispute supplying the signature, hence ensuring non-repudiation.

In Cryptography

Message authentication code (MAC), also called a tag in cryptography, is used for authentication of messages or to certify that the message originated from the specified sender and was not altered along the route. MAC values, unlike digital signatures, are created and confirmed using the same private key, on which the sender and receiver must agree before commencing interactions.

A MAC can prevent message forging by anybody who does not have access to the shared secret key, ensuring both integrity and authenticity. Non-repudiation cannot be provided by MAC methods such as block cipher-based MAC (CMAC) and hash-based MAC (HMAC).

In Digital Contracts and Email

A signatory of an email on one side of communication cannot deny sending the message, and the receiver cannot deny receiving it. Email non-repudiation entails techniques such as email monitoring.

In E-commerce

To aid in conflict resolutions of any kind, Non-repudiation is implemented. It gives confirmation that a message was received and recognised by the receiver. E-Commerce site security is crucial for a variety of reasons, including protecting consumers' privacy and sensitive data on a website, securing an online business's funds, and avoiding fraud and financial scams.

In Business-to-Business Transactions

Non-repudiation is also used in B2B transactions. Non-repudiation allows your business to verify that it received or sent a message from or to a trade partner if a trading partner repudiates the transmission or receiving of messages or receipts. Non-repudiation entails two degrees of security, which are as follows −

• Non-repudiation of received or sent communications - Both the transmitting and receiving parties keep the message exchanged (the business document and any attachments) in its original format. The transmitting message service handler (MSH) saves a message before sending it, and the receiving MSH saves a message before processing it.

• Non-repudiation of receipts issued after a message is received - A receipt is sent by the receiver of a message to acknowledge receipt of a message. You can exchange a signed receipt, which adds another layer of protection. Signed receipts allow you to confirm the legitimacy of the replying company or individual as well as the content integrity.

A Non-Repudiation-Information element is included in the receipt when signed communications are exchanged with a trade partner. The non-repudiation element includes the message digest transmitted to the trade partner. The sender compares the digest to the original message to verify that the message content was not altered during transmission by an attacker.

Updated on 04-May-2022 13:49:38

In today’s blog, we are going to take a look at a key concept in information security: nonrepudiation. Simply put, nonrepudiation is the assurance that someone cannot deny an action they took. This can apply to an email, for example. If the sender sends the message with a digital signature, this proves that the sender is the one holding the signature (it also proves the email has not been altered in transit, which is its integrity). With a digital signature, the author cannot later deny that the email was sent from their email account (although their account could have been compromised).

Another example of nonrepudiation is the use of unique user accounts. Most logging solutions are configured to log actions taken by users on a centralized server. Equally important, the logging solution captures the userid of the user who made a change or took a particular action. These logs should be protected such that they can’t be altered. If that is the case, then you have nonrepudiation for the actions taken on a logged server. It can be proven that someone with access to a particular account performed the action in question.

Nonrepudiation is important for two main reasons. First, by being able to prove which user took an action, you can act to prevent it from happening again. Let’s say an employee commits fraud. Nonrepudiation will be critical if you pursue legal action against that employee and also to prevent a wrongful termination lawsuit. However, nonrepudiation can also be a deterrent control. When users know that their actions are being recorded, they are less likely to act maliciously. This is why casinos have cameras pointing all over the dealers, not just the players. They want to deter them from any illegal or unauthorized actions.

So in summary, nonrepudiation is the concept in information security of being able to prove that a user took an action. This can apply to an action they took on a host on the network, an email they sent, or any other important action. This concept is vital because it can help you understand how to deter malicious activity and provide assurance that a user did take a particular action.

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock (

) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Definition(s):

  Assurance that the sender of information is provided with proof of delivery and the recipient is provided with proof of the sender’s identity, so neither can later deny having processed the information.
Source(s):
NIST SP 800-18 Rev. 1 under Non-repudiation from CNSSI 4009
NIST SP 800-60 Vol. 1 Rev. 1 under Non-repudiation from CNSSI 4009 - Adapted
NIST SP 800-60 Vol. 2 Rev. 1 under Non-repudiation from CNSSI 4009 - Adapted

  Assurance the sender of data is provided with proof of delivery and the recipient is provided with proof of the sender’s identity, so neither can later deny having processed the data.
Source(s):
NIST SP 800-59 under Non-repudiation from CNSSI 4009

  Protection against an individual falsely denying having performed a particular action. Provides the capability to determine whether a given individual took a particular action such as creating information, sending a message, approving information, and receiving a message.
Source(s):
CNSSI 4009-2015

  A service using a digital signature that is used to support a determination of whether a message was actually signed by a given entity.
Source(s):
NIST SP 800-175B Rev. 1 under Non-repudiation
NIST SP 800-57 Part 2 Rev.1 under Non-repudiation

  In a general information security context, assurance that the sender of information is provided with proof of delivery, and the recipient is provided with proof of the sender's identity, so neither can later deny having process the information .
Source(s):
NIST SP 800-57 Part 2 Rev.1 under Non-repudiation

  A service using a digital signature that is used to support a determination by a third party of whether a message was actually signed by a given entity.
Source(s):
NIST SP 800-57 Part 1 Rev. 5 under Non-repudiation

  Protection against an individual who falsely denies having performed a certain action and provides the capability to determine whether an individual took a certain action, such as creating information, sending a message, approving information, or receiving a message.
Source(s):
NIST SP 800-53 Rev. 5

  The inability to deny responsibility for performing a specific act.
Source(s):
NISTIR 4734 under Non-repudiation