"Arnold G. Reinhold" wrote:
In public-key cryptography "Non-Repudiation" means that that the probability that a particular result could have been produced without access to the secret key is vanishingly small, subject to the assumption that the underlying public-key problem is difficult. If that property had be called "the key binding property" or "condition Z," or some other matheze name, we would all be able to look at this notion more objectively. "Non-repudiation," has too powerful a association with the real world.
Your definition is not standard. The Cryptography Handbook by Menezes defines non-repudiation as a service that prevents the denial of an act. The same is the current definition in PKIX, as well as in X.509. This does not mean, however as some may suppose, that the act cannot be denied -- for example, it can be denied by a counter authentication that presents an accepted proof. Thus, non-repudiation is not a stronger authentication -- neither a long lived authentication. Authentication is an assertion that something is true. Non- repudiation is a negation that something is false. Neither are absolute. And they are quite different when non-boolean variables (ie, real-world variables) are used. They are complementary concepts and *both* need to be used or we lose expressive power in protocols, contracts, etc.. Cheers, Ed Gerck
To transfer the cryptographic meaning of "non-repudiation" to a legal presumption against repudiation requires legislative acceptance four things:
1. the mathematically unproven assumptions in public key cryptography
2. the binding of a particular public key to a person
3. the ability of an ordinary individual to keep a private key secret
4. holding the individual responsible for failure to do so.
As for 1, note that at the moment there is not even consensus as to the long term security of , say, a 1024-bit RSA key. As to 2., read the Verisign certification practice statement. As to 4. not that in the US we do not presently hold individuals responsible for loss of a credit card.
The most problematic assumption is 3. McCullagh lists a couple of attacks, but there are many more. Here is my incomplete list:
1. Planting a program on the user's computer to capture their keyring and passphrase.
2. Replacing the users copy of the cryptographic program with a doctored version
3. Planting a bug in their keyboard to capture key strokes
4.* Using a microTV camera to capture passwords and PIN numbers
5.* Substituting documents. (You think you are buying a pizza but you are actually signing a deed to your house.
6. Public/private key pairs generated by a third party who's security is less than perfect
7. Poor or deliberately weak random number generation at key creation
8.* Algorithm substitution (e.g. multiprime) that weakens security to reduce computation times
9. Guessable passphrases and PINs
10.* Allowing someone else to use your key (does the president of World Wide Widget really hold the key token, or does he give it to his secretary?)
11.* Con artist techniques ("I'm an field agent from CyberSec -- here's my ID card -- and we'd like your help in tracking down child pornography dealers on the Internet. We'll need your key token and PIN. ")
12.* Finding ways to penetrate "tamper proof" mechanisms, e.g. power fluctuation attacks.
McCullagh believes that "trusted systems," which he defines as "at least Bl (TCSEC)/E3(ITSEC)/ or even possibly B2(TCSEC)/E4( ITSEC)" can provide a basis for non-repudiation in the legal sense. He is under the apprehension that "A trusted computing system performs in accordance with its documented specification and will prevent any unauthorised activity." Since Mr. McCullagh background is in law, let me provide an equivalent statement: "Laws reflect the public's consensus of what is right and wrong and the judicial system fairly and accurately enforces those laws." Both are statements of a lofty goal, not a reality that anyone has been able to achieve.
Well designed cryptographic tokens can counter some of the attacks I listed, but not all. The ones I marked with an asterisk are still applicable and there is still the problem of verifying and auditing the token manufacturer, a lucrative target for organized crime.
I can't address the legal arguments he makes since he is in Australia, but my understanding of the recently enacted electronic signature law in the US is that it attempts to put electronic signatures on exactly the same legal footing as paper signatures. It has no special status for PKC signatures. Clicking an http "I Accept" button is just as valid, as I understand the law.
The term "non-repudiation" should be retired. The best that one can say about public key signature systems for use by the general public is that they can make forgery much more difficult. That difficulty should result in reduced rates of attempted fraud, but should never be a valid pretext for changing the legal burden of proof.
Arnold Reinhold