Cryptography: Nonrepudiation

CISSP, GIAC GSEC, Security+ Review

Nonrepudiation is the term used to describe the inability of a person to deny or repudiate the origin of a signature or document, or receipt of a message or document.

In plain language, this means you can't reasonably say "I didn't do it" after you did.

Nonrepudiation is most commonly used in the verification and trust of signatures.

For example, if a user has manually (as with paper and pen) or digitally signed a document, it is difficult for the user to claim they didn't sign it. Of course, they could claim they were coerced or tricked, or that it's a forgery... and the burden of proof then becomes a legal issue for the court to resolve.

For a manual signature, a forensic handwriting analyst may be called upon to help determine the validity of the signature.

For digital signatures, digital certificates, often based on the X.509v3 standard, and a Public Key Infrastructure (PKI) are usually involved.

This is based on public key cryptography algorithms. Only the signer possesses their "private key", which is used to create digital signatures. Assuming they have safeguarded their private key, the algorithm used is reasonably secure, and there are no operational or other flaws, we can be reasonably sure that anything digitally signed by them is legitimate.
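As an added example (not part of these review notes), the Go program below shows the property just described: a signature made with Alice's private key verifies under her public key, while a tampered document or a signature made with someone else's private key does not. It uses Ed25519 from Go's standard library as a stand-in for the certificate-based signature schemes the notes mention, and for contrast (going beyond the text) it also computes an HMAC with a shared key, which either party can reproduce and which therefore cannot support nonrepudiation. The names, shared key and sample document are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Signer holds a key pair. Only the private key can produce signatures;
// anyone holding the public key can verify them but cannot sign.
type Signer struct {
	Public  ed25519.PublicKey
	private ed25519.PrivateKey
}

// NewSigner generates a fresh Ed25519 key pair.
func NewSigner() (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{Public: pub, private: priv}, nil
}

// Sign produces a signature over doc with the private key.
func (s *Signer) Sign(doc []byte) []byte {
	return ed25519.Sign(s.private, doc)
}

// Verify checks sig under the claimed signer's public key. True ties doc to
// the holder of the matching private key, which is what nonrepudiation rests on.
func Verify(pub ed25519.PublicKey, doc, sig []byte) bool {
	return ed25519.Verify(pub, doc, sig)
}

// MACTag computes an HMAC-SHA256 tag with a key both parties share; the receiver
// can recompute the same tag, so a MAC proves integrity but not who produced it.
func MACTag(sharedKey, doc []byte) []byte {
	m := hmac.New(sha256.New, sharedKey)
	m.Write(doc)
	return m.Sum(nil)
}

func main() {
	alice, _ := NewSigner()
	doc := []byte("I agree to pay 100 EUR") // constructed sample document
	fmt.Println("genuine:", Verify(alice.Public, doc, alice.Sign(doc))) // true
}
```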