Blog - Cryptomathic

Is non-repudiation really non-repudiable with digital signatures?

Written by Stefan Hansen | 14. June 2017

What does non-repudiation mean? Repudiation means to reject or deny the validity of something. Non-repudiation is a legal concept that is widely used in information security. It refers to any service, which provides proof of the origin of data and the integrity of the data. In other words, non-repudiation makes it very difficult to successfully deny who/where a message came from as well as the authenticity of that message.

Digital signatures (combined with other measures) can offer non-repudiation when it comes to online transactions, where it is crucial to ensure that a party to a contract or a communication can't deny the authenticity of their signature on a document or sending the message in the first place. Nevertheless, non-repudiation has turned into quite the head-scratcher, raising many questions across the security community, such as:

  • “Is it really non-repudiable?”
  • “Without providing a “wet signature” or being present in-person, can’t anyone deny anything?”
  • “Where does authentication fit in? Don’t you have to authenticate the person in order for non-repudiation to take place?”

When using e-signatures, we may argue on the fact that they create a higher probative value for a signed document or transaction when using the eIDAS standard for a Qualified Electronic Signature (as well as the Swiss ZertES standard) - and in turn provide strong non-repudiation.

What is the difference between non-repudiation and authentication?

While similar concepts, authentication can ultimately be considered as something that can lead to non-repudiation. Strong authentication is a measure that provides proof of the origin of data. It’s essentially a way to provide a high level of assurance that a message was sent by the said sender.

Non-repudiation in a court of law refers to the assurance that the document certainly came from the origin – e.g. it was not forged or corrupted in any way. While the term has always existed in the legal world, it was later adopted into information security as e-authentication solutions began to rise in use. As soon as the term became mainstream, people immediately began challenging the idea by pointing out numerous ways that non-repudiation could be actually repudiated!

eIDAS and Qualified Electronic Signatures (QES)

eIDAS sets out the requirements for the systems and procedures (including an audit trail) that trust service providers must put in place in order to provide Qualified Electronic Signatures (and thereby strong non-repudiation). Under eIDAS, e-signatures do not rely wholly on mathematics (cryptography) as the only proof for non-repudiation.

To provide non-repudiation, Qualified Electronic Signatures must:

  • Have the ability to uniquely identify and link its signatory to the electronic signature. This is done through KYC (know your customer) processes and qualified certificates.
  • Ensure the signatory to has sole control of the data (signing keys) used to create the electronic signature. Strong authentication is required for this.
  • Identify if the data has been tampered with after its accompanying message has been signed. This is standard for digital signatures.
  • Invalidate the signature of signed data if it has been altered in any way.

The European eIDAS-regulation creates a level of high legal security within the European Union, putting a Qualified Electronic Signature (QES) on the same level as a handwritten one. The regulation is implemented through a set of technical standards and operational requirements for remote QES, which is what Cryptomathic Signer offers. Remote signatures do not rely on a specific PC/laptop/device of the end-user to verify that they are who they say they are. The users must be strongly identified using official IDs before they are able to utilize QES. The users’ certificates and electronic signatures are stored in the trust center, whereas the user has sole control over their signing key by using strong authentication when they want to sign something. 

Switzerland provides a similar level of the legal security with the ZertES standard (largely aligned with eIDAS). In particular, the USA is lacking such a legal backing of technical standards.

So, is non-repudiation non-repudiable?

We can positively answer this question when it concerns the EU or Switzerland, as QES has the same legal effect as a handwritten signatureThere will always be arguments for how a system or process can be subverted or repudiated. However, with QES, the liability is shifted to the user if they wish to challenge the authenticity of their e-signature on a document or transaction. Meaning accepting a qualified signature in EU or Switzerland can be done with a high level of confidence that it can not be successfully repudiated. 

The USA does not have such regulation, meaning: there is no legally backed non-repudiation, leading to high levels of uncertainty when signing digitally.

Cryptomathic provides the optimized technical infrastructure for each area of jurisdiction, with a large success record with financial institutions, corporates and governments.

References and Further Reading

Image: Statue of Justice, courtesy of CAPTAIN ROGER FENTON, Flickr , (CC01.0 - Public Domain Dedication)