Non-repudiation
A security principle ensuring that a party cannot deny having performed an action. Achieved through digital signatures, audit logs, timestamps, and other accountability mechanisms that provide undeniable proof.
Understanding Non-repudiation
Non-repudiation means you can't deny what you did. It provides undeniable proof that a specific person performed a specific action at a specific time. Once you digitally sign a document, you can't later claim you didn't sign it.
Think of it like signing a contract in ink. Your signature proves you agreed. Non-repudiation provides the digital equivalent—cryptographic proof that ties actions to identities.
Non-repudiation is often considered an extension of the CIA triad, supporting integrity and authentication. While integrity ensures data wasn't changed, non-repudiation proves WHO created or sent it. While authentication verifies identity at access time, non-repudiation provides ongoing proof of actions.
Why This Matters for the Exam
Non-repudiation is critical for legal and business transactions. Without it, someone could send a malicious email and claim they never sent it. A user could delete files and deny involvement. An employee could approve fraudulent transactions and claim their account was compromised.
The exam tests non-repudiation in the context of digital signatures and PKI (Public Key Infrastructure). Understanding that digital signatures provide non-repudiation—while encryption provides confidentiality—is a key distinction.
Domain 1.4 covers cryptographic solutions where digital signatures appear again. Understanding non-repudiation here builds foundation for those deeper cryptography questions.
Deep Dive
How Non-repudiation Works
Non-repudiation requires three elements:
1. Identity binding — proof that a specific person performed the action
2. Action proof — evidence of exactly what was done
3. Time proof — when the action occurred
Digital Signatures: The Primary Mechanism
Digital signatures provide non-repudiation through asymmetric cryptography:
1. User creates a hash of the document
2. User encrypts the hash with their PRIVATE key
3. The encrypted hash IS the digital signature
4. Anyone can verify using the user's PUBLIC key
Why this provides non-repudiation:
- Only the private key holder could create that signature
- The private key should only be known to one person
- Therefore, that person must have signed it
Key Point:
- Encryption with private key = Digital signature = Non-repudiation
- Encryption with public key = Confidentiality (anyone with public key can encrypt)
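The four steps above, as an added example written for this page (not code from the original). It uses Go's standard-library crypto/rsa to hash a document with SHA-256, sign the digest with the private key, and verify with the public key; it then shows why an HMAC with a shared key gives integrity but not non-repudiation. The contract text, the shared key and the names Alice, Bob and Mallory are constructed sample values.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// GenerateKeyPair creates a 2048-bit RSA key pair. The private key stays with
// the signer; the public key can be handed to anyone who needs to verify.
func GenerateKeyPair() (*rsa.PrivateKey, *rsa.PublicKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	return priv, &priv.PublicKey, nil
}

// Sign follows the steps in the text: hash the document, then produce the
// signature over the digest with the PRIVATE key.
func Sign(priv *rsa.PrivateKey, document []byte) ([]byte, error) {
	digest := sha256.Sum256(document)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// Verify re-hashes the document and checks the signature with the PUBLIC key.
// It returns true only if the signature was made over exactly this document
// by the matching private key.
func Verify(pub *rsa.PublicKey, document, signature []byte) bool {
	digest := sha256.Sum256(document)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], signature) == nil
}

// MAC computes an HMAC-SHA256 tag with a SHARED key. Both parties hold the
// same key, so either could have produced the tag: integrity, not origin.
func MAC(sharedKey, document []byte) []byte {
	m := hmac.New(sha256.New, sharedKey)
	m.Write(document)
	return m.Sum(nil)
}

// VerifyMAC checks a tag in constant time. Note that it cannot tell which
// key holder produced the tag.
func VerifyMAC(sharedKey, document, tag []byte) bool {
	return hmac.Equal(MAC(sharedKey, document), tag)
}

func main() {
	// Constructed sample contract, not from the page.
	contract := []byte("Contract #1234: Alice agrees to pay 500 units by 2025-01-31")

	alicePriv, alicePub, err := GenerateKeyPair()
	if err != nil {
		panic(err)
	}
	sig, err := Sign(alicePriv, contract)
	if err != nil {
		panic(err)
	}
	fmt.Println("Alice's signature verifies with Alice's public key:", Verify(alicePub, contract, sig))

	// Integrity: any change to the document breaks verification.
	altered := []byte("Contract #1234: Alice agrees to pay 5000 units by 2025-01-31")
	fmt.Println("altered document verifies:", Verify(alicePub, altered, sig))

	// Identity binding: a signature from Mallory's key is rejected under Alice's public key.
	malloryPriv, _, _ := GenerateKeyPair()
	forged, _ := Sign(malloryPriv, contract)
	fmt.Println("Mallory's signature verifies as Alice:", Verify(alicePub, contract, forged))

	// Contrast: with a shared HMAC key, Bob can mint a valid tag over the
	// altered contract, and nothing in the tag distinguishes him from Alice.
	shared := []byte("constructed-shared-key-for-demo")
	bobTag := MAC(shared, altered)
	fmt.Println("Bob's tag over the altered contract is valid:", VerifyMAC(shared, altered, bobTag))
}
```

The last check is the point exam questions probe: a MAC proves the data was not altered by someone without the key, but because the verifier holds the same key it could have produced the tag itself, so neither side can be held to it. Only the asymmetric signature ties the action to a single private-key holder.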
Other Non-repudiation Mechanisms
Audit Logs
- Record user actions with timestamps
- Include user identity, action performed, and target
- Must be protected from tampering (integrity)
- Should include source IP, session ID, and other context
Timestamps and Time Stamping Authorities (TSA)
- Prove WHEN an action occurred
- Trusted third-party timestamps
- Important for legal and compliance requirements
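An added example (not from the page) covering both the audit-log list and the timestamp list above: a tamper-evident audit log in Go in which every entry carries the WHO / WHAT / WHEN context named in the text (user, action, target, source IP, session ID, timestamp), each entry is hash-chained to the one before it, and the log service signs each entry with an Ed25519 key. The design, in which the log service rather than a TSA applies the timestamp and signature, is an assumption for the demo; the user names, paths, IPs and session IDs are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
	"time"
)

// Entry is one audit record with the context fields listed in the text.
type Entry struct {
	Timestamp time.Time
	User      string
	Action    string
	Target    string
	SourceIP  string
	SessionID string
	PrevHash  string // hash of the previous entry; chains the log together
	Signature []byte // log service's signature over this entry, PrevHash included
}

// canonical returns the exact bytes that are hashed and signed for an entry.
func (e Entry) canonical() []byte {
	return []byte(strings.Join([]string{
		e.Timestamp.UTC().Format(time.RFC3339Nano),
		e.User, e.Action, e.Target, e.SourceIP, e.SessionID, e.PrevHash,
	}, "|"))
}

func (e Entry) hash() string {
	sum := sha256.Sum256(e.canonical())
	return hex.EncodeToString(sum[:])
}

// AuditLog holds the chain and the log service's private signing key.
type AuditLog struct {
	Entries []Entry
	signKey ed25519.PrivateKey
}

// NewSigningKey generates the log service's Ed25519 key pair (constructed for the demo).
func NewSigningKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func NewAuditLog(signKey ed25519.PrivateKey) *AuditLog { return &AuditLog{signKey: signKey} }

// Append stamps the current time, links the entry to its predecessor, signs it, and stores it.
func (l *AuditLog) Append(user, action, target, sourceIP, sessionID string) {
	e := Entry{Timestamp: time.Now().UTC(), User: user, Action: action,
		Target: target, SourceIP: sourceIP, SessionID: sessionID}
	if n := len(l.Entries); n > 0 {
		e.PrevHash = l.Entries[n-1].hash()
	}
	e.Signature = ed25519.Sign(l.signKey, e.canonical())
	l.Entries = append(l.Entries, e)
}

// Verify walks the chain and returns the index of the first entry whose
// signature or back-link fails, or -1 if the whole log is intact.
func (l *AuditLog) Verify(pub ed25519.PublicKey) int {
	prev := ""
	for i, e := range l.Entries {
		if e.PrevHash != prev || !ed25519.Verify(pub, e.canonical(), e.Signature) {
			return i
		}
		prev = e.hash()
	}
	return -1
}

func main() {
	pub, priv := NewSigningKey()
	al := NewAuditLog(priv)
	// Constructed sample events, not from the page.
	al.Append("alice", "DELETE", "/finance/q4-report.xlsx", "10.0.0.5", "sess-4f2a")
	al.Append("bob", "APPROVE", "payment-00077", "10.0.0.9", "sess-91c0")
	al.Append("alice", "LOGOUT", "-", "10.0.0.5", "sess-4f2a")
	fmt.Println("intact log, first bad index:", al.Verify(pub)) // -1

	// Rewriting a record to blame someone else invalidates its signature.
	al.Entries[0].User = "carol"
	fmt.Println("after rewriting the user, first bad index:", al.Verify(pub)) // 0
	al.Entries[0].User = "alice"

	// Deleting a record breaks the back-link of the entry that followed it.
	al.Entries = append(al.Entries[:1], al.Entries[2:]...)
	fmt.Println("after deleting entry 1, first bad index:", al.Verify(pub)) // 1
}
```

The signature on each entry shows that the log service recorded it unchanged, and the chain shows that nothing was removed. Binding an entry to the named user still rests on the authentication that established the session at the time, which is why the text pairs audit logs with strong identity controls; a trusted TSA would replace the service's own clock as the source of the WHEN proof.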
Notarization Services
- Digital notary services
- Third-party verification of document signing
- Blockchain-based proof of existence
Biometric Authentication Records
- Fingerprint or retina scan at time of action
- Ties physical person to digital action
Types of Non-repudiation
| Type | What It Proves | Example |
|---|---|---|
| Origin | Who sent/created something | Digital signature on email |
| Delivery | That something was received | Read receipt with signature |
| Submission | That something was submitted | Timestamped submission log |
| Approval | Who approved an action | Signed approval workflow |
Non-repudiation vs. Authentication
| Concept | When | Purpose |
|---|---|---|
| Authentication | At access time | Verify identity to grant access |
| Non-repudiation | After the fact | Prove who did what, undeniably |
Authentication asks: "Are you who you claim to be?" Non-repudiation states: "You definitely did this, and here's proof."
How CompTIA Tests This
Example Analysis
Scenario: An employee digitally signs a contract using their private key stored on a smart card. Later, they claim they never signed the contract and their account must have been compromised.
Analysis: This is a non-repudiation scenario:
- The digital signature was created with the employee's private key
- Only the employee should have access to that private key
- The smart card adds additional proof (physical possession required)
- The employee cannot reasonably deny signing
Key insight: Digital signatures provide non-repudiation BECAUSE the private key should be known only to the owner. If private keys are shared or compromised, non-repudiation fails.
What would weaken non-repudiation:
- Shared private keys
- Compromised key storage
- Weak authentication to access the key
- No timestamp proving when signing occurred
Key Terms to Know
Common Mistakes to Avoid
Exam Tips
Memory Trick
"Non-repudiation = NO DENYING what you did"
The word itself tells you: NON (cannot) + REPUDIATION (denial) = Cannot deny
- The Ink Signature Analogy:
  - Physical signature on paper = Hard to deny you signed
  - Digital signature with private key = Cryptographically impossible to deny
- Key Direction Memory:
  - Private key for Proving you did it (Signing = Non-repudiation)
  - Public key for Public secrecy (Encrypting = Confidentiality)
- The Three Proofs:
  - WHO did it (identity binding)
  - WHAT they did (action proof)
  - WHEN they did it (timestamp)
All three together = Strong non-repudiation
Test Your Knowledge
Q1.A company requires employees to digitally sign all outgoing contracts using their personal certificates. What security principle does this PRIMARILY enforce?
Q2.Which of the following BEST provides non-repudiation for email communications?
Q3.An organization wants to ensure that administrators cannot deny performing specific actions on critical servers. Which control would BEST provide this capability?