
Email, Metadata and Non-Repudiation (“It wasn’t me!” … Shaggy) January 9, 2015

Posted by Chris Mark in Uncategorized.

This is a simple primer on email, authentication and ‘non-repudiation’. To understand ‘non-repudiation’ as it applies to information security, it is important to understand repudiation first. Repudiation is simply the act of denying or renouncing something. A suspect stating that they did not commit a crime is repudiating the crime. Non-repudiation is a concept in which “a party in a dispute cannot repudiate, or refute the validity of a statement or contract”. Within information security this means that a person cannot dispute that he or she was the origin of an action. We will use email as an example.

Suppose a person (Person A) sends an email to another person (Person B) in 2011, attaching a document that includes claims to military heroics which resulted in the awarding of some honor, say a Bronze Star. Later, after it was discovered that Person A was not awarded the Bronze Star and people began to question them, Person A decided to disavow any association with said email or any reference to the Bronze Star. In short, they have repudiated the claim that they sent the email and created the document. Person A goes a step further and claims that the document and the email were “forgeries” intended to sully their (Person A’s) good name. Is it possible to demonstrate with a high degree of confidence (or even certainty) that Person A was indeed the originator of the email and the author of the document? YES! This is where ‘non-repudiation’, the ability to prevent someone from disputing an action they took, becomes important.

To understand how this can be achieved, there are a few concepts related to email that should be discussed.

1) Authentication – Authentication is described on Wikipedia as “the act of establishing or confirming something (or someone) as authentic, that is, that claims made by or about the subject are true”. You can read more in an earlier blog post titled Security 101; Authentication. Authentication is an important part of access control and email. Email access control is managed by two components: 1) the user, who is assigned a username, and 2) the password or other authentication mechanism used to ‘authenticate’ to the system. By using the correct password that is known only to the user, the system ‘authenticates’ their access and allows them to access the email. The more rigorous the authentication, the greater the confidence that the authenticated person is the originator of the email. While ‘multi-factor’ authentication provides the greatest confidence, a password also provides very strong non-repudiation for most purposes.
