The IT Law Wiki

Definitions

Computer security

Nonrepudiation means:

the assurance that the sender is provided with proof of delivery and that the recipient is provided with proof of the sender's identity so that neither can later deny having processed the data.[1]
[t]he use of audit trails or secure messaging techniques to ensure the origin and validity of source and destination targets (i.e., senders and recipients of information cannot deny their actions).[2]
[a] service that is used to provide assurance of the integrity and origin of data in such a way that the integrity and origin can be verified and validated by a third party as having originated from a specific entity in possession of the private key (i.e., the signatory).[3]
[a] technique used to ensure that someone performing an action on a computer cannot falsely deny that they performed that action. Nonrepudiation provides undeniable proof that a user took a specific action, such as transferring money, authorizing a purchase, or sending a message.[4]
the security service by which the entities involved in a communication cannot deny having participated. Specifically, the sending entity cannot deny having sent a message (non-repudiation with proof of origin), and the receiving entity cannot deny having received a message (non-repudiation with proof of delivery).[5]

Contract law

Non-repudiation means that a party to a contract cannot deny the authenticity of their signature on a document.

Data

Non-repudiation is

[a] property achieved through cryptographic methods to protect against an individual or entity falsely denying having performed a particular action related to data.[6]
A service that is used to provide assurance of the integrity and origin of data in such a way that the integrity and origin can be verified and validated by a third party as having originated from a specific entity in possession of the private key (i.e., the signatory).[7]

General

Non-repudiation is

[p]rotection against an individual falsely denying having performed a particular action. Provides the capability to determine whether a given individual took a particular action such as creating information, sending a message, approving information, and receiving a message.[8]

Overview (Computer security)

Non-repudiation provides protection against an individual falsely denying having performed a particular action. It provides the capability to determine whether a given individual took a particular action such as creating information, sending a message, approving information, and receiving a message. For example, non-repudiation protects individuals against later claims by an author of not having authored a particular document, a sender of not having transmitted a message, a receiver of not having received a message, or a signatory of not having signed a document.

One mechanism that provides a non-repudiation service is a digital signature, which combines public key cryptography and a timestamp with the message to be secured.
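As an added illustration that is not part of the wiki entry or its cited sources, the following Go program shows the mechanism just described: a message is bound to a timestamp and signed with a private key, and a third party holding only the public key can verify both origin and integrity. A shared-key HMAC is included for contrast, because it proves nothing to a third party. Ed25519, the helper names and the sample transfer message are choices made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"time"
)

// Signed is what the sender hands over: message, signing time, and a signature over both.
type Signed struct {
	Msg  []byte
	Time int64 // Unix seconds, bound into the signature so it cannot be swapped later
	Sig  []byte
}

// toBeSigned serialises timestamp and message into the exact bytes that get signed.
func toBeSigned(msg []byte, t int64) []byte {
	buf := make([]byte, 8, 8+len(msg))
	binary.BigEndian.PutUint64(buf, uint64(t))
	return append(buf, msg...)
}

// Sign yields proof of origin: only the holder of priv can produce this value.
func Sign(priv ed25519.PrivateKey, msg []byte, t int64) Signed {
	return Signed{Msg: msg, Time: t, Sig: ed25519.Sign(priv, toBeSigned(msg, t))}
}

// Verify is the check a third party (an arbiter) can run with nothing but the public key.
func Verify(pub ed25519.PublicKey, s Signed) bool {
	return ed25519.Verify(pub, toBeSigned(s.Msg, s.Time), s.Sig)
}

// MACTag is the contrast case: both parties hold the shared key, so a tag proves nothing to a third party.
func MACTag(sharedKey, msg []byte) []byte {
	m := hmac.New(sha256.New, sharedKey)
	m.Write(msg)
	return m.Sum(nil)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // in practice loaded from protected storage
	s := Sign(priv, []byte("transfer 100 EUR to account 42"), time.Now().Unix()) // constructed sample
	fmt.Println("third party verifies original:", Verify(pub, s)) // true
	s.Msg = []byte("transfer 900 EUR to account 42")
	fmt.Println("third party verifies altered:", Verify(pub, s)) // false
}
```

Changing the message, the timestamp or the public key makes Verify return false, while two holders of the same HMAC key always obtain the same tag, which is exactly why a MAC cannot settle a dispute between them.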

Vulnerabilities

Nonrepudiation relies on the assumption that the signer alone has access to the private key and password. However, an attacker can use malware to subvert the computer on which the private key and password are stored and hijack the signing process without the knowledge or authorization of the key's owner. In this way, the nonrepudiation mechanism can be subverted.

References

See also
