Geek Answers Handbook

Is continuity duplicated?

When we talk about security, we make the following demands:

  • Authentication
  • integrity
  • Non-repudiation

Is not a third requirement included in the first two? If we know that A sent a message (authentication), and it has not been changed since A sent it (integrity), then how can A refuse to send it?

Please do not talk about dig-sig as a technical level. I am talking about business requirements.

+4
source share
4 answers

Neither authentication nor integrity protection prevents replay attacks. An attacker can capture a signed and encrypted message and publish it several times. Therefore, a party may refuse to send the same message several times.

The creation of each message is unique using timestamps and / or nonce addresses and is therefore used for non-repudiation combined with signature and encryption.

+5
source

A disclaimer is different from integrity and authentication because it implies that the sender is responsible for the contents of the message.

There are many systems that use the key for authentication and integrity, but authenticated content means nothing. For example, suppose that to authenticate you on my system, I send an unpredictable call and ask you to sign it and send it back. If the signature is valid, I hope you know some secret, and therefore you claim to be. I need a key that you use to sign these tasks, to signify digital signatures, but not necessarily to refuse the refusal.

Now suppose, instead of choosing a random task, I am trying to trick you by sending a challenge: "I will pay erickson for a million dollars." If your system signs this, do I have a million dollar claim? The signed message is genuine and not tampered with, but if you did not sign it with a key marked for refusal (for example, by setting this flag in the key usage extension for the X.509 certificate), you can deny that you know its contents and reject my requirement.

Non-negativity makes sense for things like signatures on documents in a business transaction, cases where you commit to perform an action or payment.

+1
source

Thanks to authentication and integrity, you can achieve the authenticity of the message, i.e. the recipient can be sure that the sender ID and message content are genuine.

Refusal of refusal, on the other hand, ensures that none of the parties involved can refuse to send or receive a message. In the previous diagram:

  • Although the recipient can prove that the sender did send the message,
  • The sender himself does not have evidence that the recipient actually received it.

Waiver systems will therefore include some kind of evidence to provide this evidence.

+1
source

Usually the three security requirements are the CIA, i.e.

Confidentiallity Integrity Authenticity

But with respect to non-repudiation, authentication, and integrity, a refusal is optionally provided, since integrity indicates that some message did not change when moving from point X to Y. Authentication can tell you that any message was sent to anybody with there is information about some (common) secret sign that should only be known to man.

Imaging is a virus that steals Aliceโ€™s private keys, in this case you can have the integrity of message X and authenticate that the message belongs to Alice (although it can be argued that this is real authentication), but some have overheard the use of the stolen private key to send the message.

0
source

More articles:


All Articles