Non-repudiation (was RE: The PAIN mnemonic)
Anne & Lynn Wheeler
lynn at garlic.com
Sun Dec 28 16:24:55 EST 2003
At 01:34 AM 12/24/2003 -0800, Ed Gerck wrote:
>However, IMO non-repudiation refers to a useful and
>essential cryptographic primitive. It does not mean the
>affirmation of a truth (which is authentication). It means
>the denial of a falsity -- such as:
>
>(1) the ability to prevent the effective denial of an act (in
>other words, denying the act becomes a falsity); or
>
>(2) the ability to prevent the denial of the origin or delivery
>of transactions.
so another way of looking at it ... is that somebody repudiates, refutes,
and/or disavows ... typically after the fact.
non-repudiation would be those things that would support countering claims
of repudiation, refuting, and/or disavowing.
authentication is typically demonstrating that an entity is allowed to do
something. authentication can include having a passphrase that is known by
everybody in the organization. knowing the passphrase is sufficient to
authenticate that somebody is allowed to do something. however, if somebody
refutes that they had done something .... showing that they knew the
passphrase (known by everybody in the organization) isn't sufficient to
counter the repudiation claim.
an infrastructure that requires a unique passphrase for every person would
help counter repudiation claims.
public/private asymmetric cryptography systems where the infrastructure
requires that a single person only has access to a particular private key
would help counter repudiation claims. In that sense .... a public/private
key system can be seen as addressing both privacy and non-repudiation
issues. the policies governing the determination of the private key in an
asymmetric cryptography infrastructure can influence whether it pertains
just to privacy and authentication and/or whether it can also be used to
counter repudiation claims.
while making sure that one & only one person has knowledge of a specific
private key in no way impacts the asymmetric cryptography operations
... the process can be used to counter repudiation claims.
while repudiation tends to be a human act .... it is entirely possible to
have infrastructure and organizational implementation features that support
countering claims of repudiation when they occur.
say dozens of people know (the same) vault combination lock
(authentication) .... which doesn't do anything to counter a particular
person's claim that they didn't enter the vault; however, video surveillance
and door badge access logs could be considered as part of a security taxonomy
for countering repudiation claims.
--
Anne & Lynn Wheeler http://www.garlic.com/~lynn/
Internet trivia 20th anv http://www.garlic.com/~lynn/rfcietff.htm
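Added example (not from the original post or anyone in the thread): a small Go sketch of the contrast drawn above, using a constructed three-member organisation. The names sharedKey, Tag, WhoTagged, Enroll and WhoSigned are my own; the shared HMAC key stands in for the passphrase known by everybody, and one ed25519 key pair per person stands in for the "one and only one person has the private key" policy.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
)

// sharedKey stands in for the passphrase everybody knows (constructed value).
var sharedKey = []byte("organisation-wide passphrase")
// Tag authenticates msg with the shared key; any member can produce it.
func Tag(msg []byte) []byte {
	m := hmac.New(sha256.New, sharedKey)
	m.Write(msg)
	return m.Sum(nil)
}

// WhoTagged lists who could have produced a valid tag: every member, because
// the key is shared, so the tag cannot counter one member's denial.
func WhoTagged(msg, tag []byte, members []string) []string {
	if hmac.Equal(Tag(msg), tag) {
		return members
	}
	return nil
}

// Enroll issues each named member a fresh ed25519 key pair; the private
// halves are returned separately to model each being held by one person.
func Enroll(names []string) (map[string]ed25519.PublicKey, map[string]ed25519.PrivateKey) {
	pubs, privs := map[string]ed25519.PublicKey{}, map[string]ed25519.PrivateKey{}
	for _, n := range names {
		pub, priv, err := ed25519.GenerateKey(nil) // nil reader = crypto/rand
		if err != nil {
			panic(err)
		}
		pubs[n], privs[n] = pub, priv
	}
	return pubs, privs
}

// WhoSigned lists members whose public key verifies sig: at most one name.
func WhoSigned(msg, sig []byte, pubs map[string]ed25519.PublicKey) (could []string) {
	for name, pub := range pubs {
		if ed25519.Verify(pub, msg, sig) {
			could = append(could, name)
		}
	}
	return
}
```

A verifier holding only the public keys can narrow a valid signature to a single member, while a valid HMAC tag only shows that someone who knew the shared passphrase acted.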
---------------------------------------------------------------------
The Cryptography Mailing List