Non-repudiation (also called non-denial) gives the recipient of a communication a guarantee that the message originated from the sender and not from someone pretending to be the sender. In addition, it prevents the sender or originator of the message from claiming that they did not send it.
In summary, non-repudiation in information security is the ability to demonstrate or prove the participation of the parties (source and destination, sender and receiver, sender and recipient), through their identification, in a communication or in carrying out a certain action.
To guarantee non-repudiation in computer security, the following mechanisms need to be established:
- Identification: mechanism or process that provides the ability to identify a user of a system.
- Authentication: allows verifying identity or ensuring that a user is who they say they are.
It is usually applied to:
- Formal contracts established electronically.
- Communication between two parties.
- Data transfer.
- User actions in a computer system.
Types of non-repudiation
- In origin: guarantees that a given person sent a certain message. The sender cannot deny having sent it, since the recipient holds proof of sending.
- In destination: guarantees that someone received a certain message. In this case, the recipient cannot claim not to have received it, because the sender holds proof of receipt.
The electronic signature
In computer security and cybersecurity, one of the most important non-repudiation mechanisms is the electronic signature. This is the set of data associated with an electronic document that identifies the signer and gives legal validity to the document being signed.
To guarantee non-repudiation, this signature must be linked exclusively to the person who signs and uniquely identify them. In addition, the signing must be done through an electronic or digital medium that the signatory has under their sole control, and it must be linked to the signed data in such a way that the data cannot be modified without the changes being detected.
Signatures must meet the following technical requirements to guarantee non-repudiation:
- The signing key is assigned to an identifiable person or organization.
- The private key is solely under the control of the person or organization that signs.
Types of electronic signature
The different types of electronic signature are:
- Simple
It consists of accepting or rejecting the content of a document; such signatures are typical of general conditions of use, security or privacy policies, and so on.
- Advanced OTP
The signer receives a code through a communication channel other than the signature operation (eg mobile or email) at the time of signing. Its use in electronic purchases or electronic banking operations is typical.
- Biometric
The person physically signs on a tablet or electronic device. It is used, for example, in the mail or parcel transport service, in bank branches…
- Digital certificate
It is signed by means of a certificate that is backed by a pair of keys, one private and one public. It should be clarified that a digital certificate is not the same as an electronic signature. The digital certificate is a document that identifies us on the internet so that we can carry out online procedures, and it is what enables the electronic signature. Examples of electronic signatures would be the signature made by means of the electronic DNI or with the natural-person digital certificates of the FNMT.
Signing a document with a digital certificate of this kind guarantees that the person who signs the document is who they say they are and that they have signed it. It should be noted that due diligence is necessary in the custody of these digital certificates, so that no one else can access them and use them to impersonate the owner. It works as follows:
- The hash value of the document or message to be signed is calculated with a cryptographic hash algorithm.
- The calculated hash is encrypted (signed) with the private key corresponding to the sender's digital certificate.
- The signature is transmitted along with the document or message.
- The receiver calculates the hash of the received message or document and decrypts the transmitted hash with the sender's public key. If the two values coincide, integrity is guaranteed (the message has not been changed) as well as non-repudiation: the sender is the one who signed the document or message.
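As an added example (not code from the original article), the four steps above implemented with Go's standard library: an RSA key pair stands in for the key pair behind a digital certificate, SHA-256 is the hash algorithm, and RSA PKCS#1 v1.5 is the signature scheme, which is the "encrypt the hash with the private key" construction the steps describe. The key pair and the document text are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SignedMessage is what travels on the wire: the document plus the signature
// computed over its hash (step 3).
type SignedMessage struct {
	Document  []byte
	Signature []byte
}

// Sign is the sender's side. Step 1: hash the document. Step 2: sign the hash
// with the private key.
func Sign(priv *rsa.PrivateKey, document []byte) (SignedMessage, error) {
	digest := sha256.Sum256(document)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return SignedMessage{}, err
	}
	return SignedMessage{Document: document, Signature: sig}, nil
}

// Verify is the receiver's side (step 4): recompute the hash of what arrived
// and check it against the signature with the sender's public key. A nil
// error means both integrity and origin are confirmed; any change to the
// document, or a signature made under another key, makes verification fail.
func Verify(pub *rsa.PublicKey, msg SignedMessage) error {
	digest := sha256.Sum256(msg.Document)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], msg.Signature); err != nil {
		return errors.New("signature does not match document or key: " + err.Error())
	}
	return nil
}

func main() {
	// Constructed key pair standing in for the one behind a digital certificate.
	// In real use the private key stays under the signer's sole control and the
	// public key is distributed inside the certificate.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	// Constructed example document.
	signed, err := Sign(priv, []byte("Example contract: deliver 10 units at 100 EUR each"))
	if err != nil {
		panic(err)
	}
	fmt.Println("original document verifies:", Verify(&priv.PublicKey, signed) == nil)

	// Receiver-side check against a document altered in transit.
	tampered := signed
	tampered.Document = []byte("Example contract: deliver 10 units at 1 EUR each")
	fmt.Println("tampered document verifies:", Verify(&priv.PublicKey, tampered) == nil)

	// Receiver-side check against a signature that was not produced by the claimed signer.
	other, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	fmt.Println("verifies under another party's key:", Verify(&other.PublicKey, signed) == nil)
}
```

Running `main` prints `true`, `false`, `false`: the unmodified document verifies under the signer's public key, while the altered document and the mismatched key are both rejected, which is exactly the integrity and origin guarantee the procedure relies on.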
There are other non-repudiation mechanisms, such as email services that implement tracking mechanisms ensuring that a sender cannot deny having sent an email and that the recipient cannot claim not to have received it.