What is Non-Repudiation?
Non-repudiation (also “nonrepudiation”) is the ability to prove beyond a shadow of doubt that a specific file, message or transaction was sent at a particular time by a particular party to another party. This proof prevents anyone from “repudiating” the activity: later claiming that the file, message or transaction was not sent, that it was sent at a different time, sent by a different party or received by a different party. (“Repudiate” essentially means “reject”.)
Non-repudiation is important for legal situations where fraud through fake transactions could occur, such as a string of bad ATM transactions. However, it is also an important assumption behind most day-to-day processing: once a request occurs and is processed by an internal system, it’s often difficult and expensive to reverse.
The technology behind non-repudiation is often built on:
- Strong authentication, such as that performed with X.509 certificates, cryptographic keys or tokens.
- Cryptographic-quality hashes, such as SHA256, that ensure each file’s contents bear their own unique fingerprint. (The fingerprints are stored, even if the data isn’t.)
- Tamper-evident logs that retain date, access and other information about each file sent through the system.
Some file transfer protocols, notably the AS1, AS2 and AS3 protocols (when MDNs are in use), have non-repudiation capabilities built into the protocols themselves. Other protocols depend on proprietary protocol extensions (common in FTP/S and HTTP/S) or higher-level workflows (e.g., an exchange of PGP-encrypted metadata) to accomplish non-repudiation.
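The three building blocks listed above (key-based authentication, a stored fingerprint, a tamper-evident log) and the signed receipt that protocols such as AS2 exchange as an MDN can be shown together in a small program. The following is an added example written for this page, not code from any file transfer product or from the AS2 specification; it assumes Ed25519 signatures, a JSON encoding of the receipt as the signed bytes, party names used as directory keys, and a SHA-256 hash chain as the log. The payload and names are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"time"
)

// Receipt binds a file fingerprint to sender, receiver, time and the party
// whose signature covers it. Field order is fixed, so json.Marshal yields the
// same bytes every time and the signature is over a canonical encoding.
type Receipt struct {
	Sender     string `json:"sender"`
	Receiver   string `json:"receiver"`
	FileSHA256 string `json:"file_sha256"`
	SentAt     string `json:"sent_at"`   // RFC 3339, UTC
	SignedBy   string `json:"signed_by"` // "sender" proves sending, receiver proves receipt
}

// Fingerprint returns the hex SHA-256 of the file; only this is kept, not the data.
func Fingerprint(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

func canonical(r Receipt) []byte {
	b, err := json.Marshal(r)
	if err != nil {
		panic(err) // cannot fail for a struct of strings
	}
	return b
}

// SignReceipt is the party's proof; signed by the receiver it plays the role of an MDN.
func SignReceipt(priv ed25519.PrivateKey, r Receipt) []byte {
	return ed25519.Sign(priv, canonical(r))
}

// VerifyReceipt checks a signature against the claimed party's public key.
func VerifyReceipt(pub ed25519.PublicKey, r Receipt, sig []byte) bool {
	return ed25519.Verify(pub, canonical(r), sig)
}

// LogEntry is one link of a hash-chained, tamper-evident log.
type LogEntry struct {
	Prev    string // hash of the previous entry, "" for the first
	Receipt Receipt
	Sig     string // hex signature over the receipt
	Hash    string // SHA-256(Prev || canonical(Receipt) || Sig)
}

func entryHash(prev string, r Receipt, sigHex string) string {
	h := sha256.New()
	h.Write([]byte(prev))
	h.Write(canonical(r))
	h.Write([]byte(sigHex))
	return hex.EncodeToString(h.Sum(nil))
}

// AppendLog links a signed receipt to the end of the chain.
func AppendLog(log []LogEntry, r Receipt, sig []byte) []LogEntry {
	prev := ""
	if len(log) > 0 {
		prev = log[len(log)-1].Hash
	}
	sigHex := hex.EncodeToString(sig)
	return append(log, LogEntry{Prev: prev, Receipt: r, Sig: sigHex, Hash: entryHash(prev, r, sigHex)})
}

// VerifyLog recomputes every link and checks every signature against the
// directory of public keys (party name -> key). Editing, dropping or
// reordering any earlier entry breaks the chain.
func VerifyLog(log []LogEntry, keys map[string]ed25519.PublicKey) bool {
	prev := ""
	for _, e := range log {
		if e.Prev != prev || e.Hash != entryHash(e.Prev, e.Receipt, e.Sig) {
			return false
		}
		sig, err := hex.DecodeString(e.Sig)
		pub, ok := keys[e.Receipt.SignedBy]
		if err != nil || !ok || !VerifyReceipt(pub, e.Receipt, sig) {
			return false
		}
		prev = e.Hash
	}
	return true
}

func main() {
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)
	bobPub, bobPriv, _ := ed25519.GenerateKey(rand.Reader)
	keys := map[string]ed25519.PublicKey{"alice": alicePub, "bob": bobPub}

	file := []byte("constructed sample invoice #0001\n") // constructed payload
	r := Receipt{Sender: "alice", Receiver: "bob", FileSHA256: Fingerprint(file),
		SentAt: time.Now().UTC().Format(time.RFC3339), SignedBy: "alice"}
	var log []LogEntry
	log = AppendLog(log, r, SignReceipt(alicePriv, r)) // proof of sending

	ack := r
	ack.SignedBy = "bob"
	log = AppendLog(log, ack, SignReceipt(bobPriv, ack)) // proof of receipt (MDN-like)
	fmt.Println("log valid:", VerifyLog(log, keys))

	log[0].Receipt.FileSHA256 = Fingerprint([]byte("altered")) // tamper with history
	fmt.Println("after tampering:", VerifyLog(log, keys))
}
```

The signature must be asymmetric: an HMAC over the same receipt would prove integrity but not origin, because every holder of the shared key could have produced it, so neither party could be held to it. The log stores only the fingerprint, which is enough to later match a disputed file against the record without retaining its contents.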