Non-repudiation (was RE: The PAIN mnemonic)

Carl Ellison cme at acm.org
Wed Dec 24 21:33:01 EST 2003


Ian,

	re. your two definitions:

> -----Original Message-----
> From: iang at bob.cryptohill.net 
> [mailto:iang at bob.cryptohill.net] On Behalf Of Ian Grigg
> Sent: Tuesday, December 23, 2003 11:34 AM
> To: Amir Herzberg; cme at acm.org; Ben Laurie
> Cc: cryptography at metzdowd.com
> Subject: Re: Non-repudiation (was RE: The PAIN mnemonic)
> 
> FWIW, I understand there are two meanings:
> 
>    some form of legal inability to deny
>    responsibility for an event, and

This one has no place in either technology or law because we do not know how
to make computer systems that are honest witnesses to a person's behavior
(incapable of being misused, infected by hostile S/W, etc.). 

>    cryptographically strong and repeatable
>    evidence that a certain piece of data
>    was in the presence of a private key at
>    some point.
> 

This might apply, as long as the thing that is in the presence of the
private key is a hash value.  However, this is not what I read in the ISO
definitions of "non-repudiation".  Those definitions refer to human beings
and their behavior.


> Carl and Ben have rubbished "non-repudiation"
> without defining what they mean, making it
> rather difficult to respond.
> 
> Now, presumably, they mean the first, in
> that it is a rather hard problem to take the
> cryptographic property of public keys and
> then bootstrap that into some form of property
> that reliably stands in court.
> 
> But, whilst challenging, it is possible to
> achieve legal non-repudiability, depending
> on your careful use of assumptions.  Whether
> that is a sensible thing or a nice depends
> on the circumstances ... (e.g., the game that
> banks play with pin codes).

I reject assumptions (e.g., that a home user has kept his computer locked
away so that no one else could get to its keyboard and has kept it free of
all hostile software) that are required to map from the cryptographic action
back to the human action.

> 
> So, as a point of clarification, are we saying
> that "non-repudiability" is ONLY the first of
> the above meanings?  And if so, what do we call
> the second?  Or, what is the definition here?

I believe that the standard definitions (e.g., in ISO documents) refer to
the first.  This is certainly what the PKI community refers to.  That
definition is not only wrong, technically, it is a violation of consumer
rights if it were ever to be enforced.  As a cryptographic community we
should make sure that no one in the world still believes such nonsense.

What we call the property of public-key cryptography is an interesting
problem.  Spelled out, the only property here is that we can do the same
kind of MAC we've always done with symmetric keys, only the verifier doesn't
need to know the key capable of making the signature.  This is a security
advantage - and nothing more.

The logical fallacy that starts with Diffie-Hellman is to say:

1. with symmetric key MACs, the verifier needed to know the secret key
2. therefore, the verifier could forge a MAC
3. therefore, you could not take a MAC into court to prove a claim against
the other party
4. with public key signatures, you don't need to know the secret key
(flawed step) 5: therefore, you can take a PK signature into court.

All these improper assumptions about the behavior of the keyholder are
back-pedaling to cover up all the other ways that a PK signature could be
made without the express consent of the alleged keyholder.  That is not
appropriate.  We do not have step 5. We should rid our texts of any
reference to that notion - and work with what we do have.  It's good, but
it's not magic.

 - Carl


> 
> From where I sit, it is better to term these
> as "legal non-repudiability" or "cryptographic
> non-repudiability" so as to reduce confusion.

To me, "repudiation" is the action only of a human being (not of a key) and
therefore there is no such thing as "cryptographic non-repudiability".  We
need a different, more precise term for that - and we need to rid our
literature and conversation of any reference to the former - except to
strongly discredit it if/when it ever appears again.

> iang
> 



+------------------------------------------------------------------+
|Carl M. Ellison         cme at acm.org      http://theworld.com/~cme |
|    PGP: 75C5 1814 C3E3 AAA7 3F31  47B9 73F1 7E3C 96E7 2B71       |
+---Officer, arrest that man. He's whistling a copyrighted song.---+ 

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
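
The MAC-versus-signature comparison in steps 1 to 4 of the message above, as an added example that is not part of the original post. It uses only the Python standard library, with a Lamport one-time hash-based signature standing in for a public-key signature (an assumption, so it runs without third-party packages); all function names and messages are constructed.

```python
import hashlib, hmac, secrets

def H(b):
    return hashlib.sha256(b).digest()

def mac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def mac_verify(key, msg, tag):
    return hmac.compare_digest(mac(key, msg), tag)

def digest_bits(msg):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def keygen():
    # Lamport one-time key: 256 pairs of secrets; the public key is their hashes.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def sign(sk, msg):
    # Reveal one secret per bit of the message hash.
    return [sk[i][b] for i, b in enumerate(digest_bits(msg))]

def verify(pk, msg, sig):
    bits = digest_bits(msg)
    return len(sig) == 256 and all(
        hmac.compare_digest(H(s), pk[i][bits[i]]) for i, s in enumerate(sig))

def demo():
    order, other = b"pay 10 to Bob", b"pay 9999 to Eve"  # constructed messages
    shared = secrets.token_bytes(32)   # MAC key held by sender AND verifier
    sk, pk = keygen()                  # verifier receives pk only
    sig_user = sign(sk, order)         # signer invoked by the keyholder
    sig_other = sign(sk, order)        # same key invoked by any other code on the host
    return {
        # Steps 1-3: the MAC verifier holds the key, so a tag it makes itself verifies.
        "mac_verifier_can_forge": mac_verify(shared, other, mac(shared, other)),
        # Step 4: the signature verifier checks with pk alone and cannot reuse
        # the signature for a different message.
        "sig_valid": verify(pk, order, sig_user),
        "sig_not_transferable": not verify(pk, other, sig_user),
        # Why step 5 does not follow: the signature depends only on the key and
        # the hash, so it carries no information about who invoked the signer.
        "invoker_indistinguishable": sig_user == sig_other,
    }

if __name__ == "__main__":
    print(demo())
```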


