Non-repudiation: what is non-deniability and how to ensure its guarantee

Today, in environments where security and trust in electronic transactions are of utmost importance, non-repudiation is one of the pillars of these. Non-deniability and non-repudiation have become essential to ensure that actions performed online cannot be denied by the parties involved.

As digital transactions and communications become more voluminous and automated by AI systems, it is crucial to understand how to protect the integrity and authenticity of these interactions. From digital signatures to certified emails, there are multiple tools and technologies designed to ensure that parties cannot disavow their participation in a transaction. 

In this article, we will explore in depth what non-repudiation means, its importance in IT security and how it can be ensured in various applications and contexts, and we will also examine concrete examples of non-repudiation and how they are applied in different industries and operational areas.

In addition, we will discuss the role of trusted third parties (TTPs) and Qualified Trust Service Providers (QTSPs) in implementing non-repudiation in all types of transactions. These entities play a vital role in identity verification and transaction authentication, providing a solid framework for digital security. Join us on this journey to better understand how you can protect your electronic transactions and ensure non-repudiation in your digital communications

What is non-repudiation

Non-repudiation is the ability to ensure that a sender cannot deny having sent a message or performed an action, nor can a receiver deny having received such a message or performed any kind of intervention in relation to a transaction. In other words, none of the parties involved can repudiate, deny or renounce their participation in the transaction in question.

The term "non-repudiation" refers to this ability to ensure that an action or transaction cannot be denied by the parties involved when it is desired to argue the fact with hard evidence. In digital and IT security, non-repudiation is crucial to ensure the integrity and authenticity of communications and transactions. This concept is used to ensure that, for example, once a party has signed a document or entered into a transaction, it cannot later deny having done so. Non-repudiation is therefore a fundamental principle for trust in electronic systems and is synonymous with the phrase and concept "non-deniability" and opposite to plausible deniability.

Non-repudiation consists of two main aspects:

1. Non-repudiation at source: The sender cannot deny having sent a message.
2. Non-repudiation at destination: The receiver cannot deny having received a message.

Previously, the ISO-7498-2 standard was used to understand this concept and its standards as was the originating standard for electronic security services, most recently supported by the UNE-ISO/IEC 27000:2014 standard. Other related models are NIST-SP800-53:2013 and RFC4949:2007 for services for sending and receiving classified information. For two-way exchanges (NRI) of exchange, ISO-13888-1:2004 and NIST-SP800-60V2:2004 standards were developed at the time.

The implementation of non-repudiation is crucial in several scenarios, such as:

• Electronic contracts or smart contracts: Allows verification of the signature and authenticity of the parties involved in a digital contract of any kind.
• Financial transactions: Guarantees the integrity and origin of payment orders or electronic transfers.
• Certified communications and e-notices: Ensures the authenticity and origin of notifications, messages, information, summons or legal documents sent by traceable electronic means.

On the principle of non-deniability or non-repudiation

The principle of non-deniability has its roots in legal doctrine and makes it possible to establish conclusive proof of the authorship and integrity of information transmitted or of an action taken. It ensures that a previous statement, a commitment made or an action taken cannot be refuted, thus protecting the interests and rights of all parties involved and ensuring that they fulfill their responsibilities and obligations.

In the field of computer security and digital communications, non-repudiation (also known as non-deniability) refers to a fundamental principle that guarantees the impossibility for one of the parties involved in an electronic transaction to deny having participated in it and to alter what happened or was sent without record. This principle applies to both the sender and the receiver of the message (or the executor and the affected party in an action or transaction), ensuring that both can reliably prove their participation in the communication.

How is non-repudiation guaranteed?

Unwaivability is implemented through various security techniques and digital tools, including electronic signatures, timestamps and third-party services that act as guarantors of the authenticity and integrity of documents and transactions. These techniques ensure that any modification or attempt to deny a transaction can be easily detected and proven.

The principle of non-repudiation is based on the implementation of cryptographic and computer security mechanisms that allow the generation of irrefutable and legally binding evidence that can be presented in a trial or legal dispute of the participation of the parties in an electronic communication. This evidence can be of diverse nature, such as:

• Digital signatures: They use cryptographic algorithms to link a message to the identity of the sender, guaranteeing its authenticity and integrity.
• Timestamps: These allow verification of the exact date and time a message was sent or received.
• Audit trails and behavioral analysis: Document the actions taken by the parties involved in an electronic transaction.
• Use of secure communication protocols: Protocols such as HTTPS, TLS or SSH guarantee the confidentiality, integrity and authenticity of electronic communications.
• Implementing access controls and auditing: It is essential to establish strict access controls to protect systems and data, and to maintain audit trails documenting actions taken by users.
• User awareness and training: It is crucial to educate users about the risks associated with electronic communications and the security measures needed to protect themselves.

The effective implementation of non-repudiation requires the use of public key infrastructures (PKI) and trusted certification authorities (CA). These entities are responsible for issuing and managing digital certificates that bind an identity to a public key, enabling the authentication and digital signature of electronic messages.

Benefits and why to guarantee the non-repudiation of your transactions

Ensuring non-repudiation is essential to:

• Protecting commercial and legal transactions online and in person
• Safeguarding the validity of contracts 
• Endow electronic communications and transactions of all kinds with full legal value.
• Preserving trust and security in critical business and organizational processes

Ensuring non-repudiation in electronic transactions and digital communications is a complex process involving multiple technologies and practices. This capability is essential to prevent fraud and disputes in a variety of contexts, from e-commerce to government communications.

Examples of non-repudiation

Non-repudiation can be found in any situation and application, in all industries and in all circumstances. It is the willingness of companies to establish secure means for an action or sending of information to be properly recorded. Below are some prominent examples of non-repudiation:

• Legally binding signatures in digital contracts
• Online banking and stock exchange transactions
• Sending confidential data by e-mail
• Transmission of orders, invoices or delivery notes
• Activation or cancellation of products and services
• Official communications between government agencies or between customers and companies or suppliers
• Settlements and other commercial transactions
• Electronic health records and medical records

Digital signature, certified e-mail and electronic communication

Digital signatures are one of the most effective tools to guarantee non-repudiation. They use public key cryptography to create a unique signature linked to the document and the signer's identity. The process involves the generation of two keys: a private key, which is used to create the digital signature, and a public key, which is used to verify it. The security of a digital signature lies in the difficulty of forging the private key and the ability of the public key to verify the authenticity of the signature.

When a person digitally signs a document, the digital signature software creates a hash (cryptographic summary) of the document and encrypts it with the signer's private key. This encrypted hash is attached to the document as the digital signature. Any attempt to alter the document after signing will result in a different hash, invalidating the signature and providing evidence of the alteration. If any data in the signed document is altered after the signature, the digital signature will be invalidated, providing an additional layer of security.

Certified mail or registered email is another mechanism that guarantees non-repudiation, as is another very similar medium such as certified SMS. This type of service and channels not only confirm the delivery of the email but also its content and the exact time of sending, receiving or reading. Certified email and SMS providers issue an acknowledgement of receipt (full audit report with evidentiary traceability and audit trail E2E), which serves as legal proof in case of disputes.

To ensure non-repudiation in electronic communications, it is essential to use protocols and services that ensure the authenticity, integrity and confidentiality of messages. Examples of these services include the use of HTTPS, TLS and other encryption methods that protect data in transit.

IT security and non-repudiation

In computer security, non-repudiation plays a critical role in the protection of data and the integrity of computer transactions. Computer security systems must be able to provide irrefutable evidence of the authenticity and integrity of electronic transactions. This includes the ability to trace and verify the origin of messages and transactions, as well as ensure that they have not been altered in transit.

Security technologies such as public key cryptography (blockchain), digital certificates and trusted third-party services are essential to implement non-repudiation. These technologies provide the means to create, verify and store unalterable records of electronic transactions, which can be used as evidence in case of disputes.

In addition, the use of detailed IT security logs and audits is crucial to ensure non-repudiation. Systems must maintain detailed records of all transactions and activities, including timestamps and authentication data, which can be reviewed and verified at any time.

How to achieve non-repudiation in your operations: Trusted Third Parties TTP and QTSP

To ensure non-repudiation in electronic transactions, it is common to use the services of trusted third parties (TTPs) and Qualified Trust Service Providers (QTSPs).

TTPs are independent entities that act as trusted intermediaries in electronic transactions. They provide services such as issuing digital certificates, authentication systems, identity verification and digital signatures. By using the services of a TTP, parties to a transaction can have confidence that their communications and documents are authentic and cannot be repudiated.

QTSPs are entities that comply with the requirements established by the European eIDAS (electronic IDentification, Authentication and trust Services) regulation. These providers offer qualified trust services, including the issuance of qualified certificates for electronic signatures and electronic seals, which guarantee a higher level of security and non-repudiation. Services provided by QTSP include:

• Electronic Signature Platforms and Digital Onboarding: They guarantee that the electronic signature is created by a secure signature creation device and that the signer's identity has been verified according to the highest standards.
• Qualified Electronic Seals: They ensure the authenticity and integrity of electronic documents issued by legal entities.
• Qualified Time Stamps in business management platforms such as Customer Hub: They provide irrefutable proof of the exact time a document was signed or issued, a customer was signed up, a phone line was activated or a bank account was opened, adding an additional layer of non-repudiation.
• Electronic Delivery Services: Guarantee the secure delivery and integrity of data sent electronically, ensuring that the sender and recipient cannot deny having sent or received the data.

Implementation of system for non-deniability and non-repudiation

To implement non-repudiation in transactions, it is essential to follow certain steps to ensure non-repudiation and to use the appropriate technologies provided by QTSPs validated by the EU or other counterpart bodies:

1. Strong Authentication: Ensure that all parties involved in a transaction are authenticated using strong methods, such as multi-factor authentication.
2. Use of Digital Signatures: Implement digital signatures for all major transactions, ensuring that signatures are verifiable and linked to the signer's identity.
3. Records and Audits: Maintain detailed records and audits of all transactions, including timestamps and authentication data, to provide evidence in case of disputes.
4. TTP and QTSP services: Use TTP and QTSP services to guarantee the issuance of digital certificates and identity verification, ensuring that all transactions are secure and non-repudiable.
5. Training and Awareness: Educate all users and employees on the importance of non-repudiation and best practices for maintaining the security and integrity of electronic transactions.

In short, non-repudiation is an essential component of IT security and trust in electronic transactions and business operations of all kinds. By using advanced technologies and trusted third-party services, it is possible to ensure that all transactions are authentic, integral and non-repudiable, protecting both organizations and individuals in the digital world.

Tags