Non-repudiation Robin Burke ECT 582. Midterm scores Ave: 69 Std. dev: 23 Median: 75 Max: 100 Min: 35.


1 Non-repudiation Robin Burke ECT 582

2 Midterm scores Ave: 69 Std. dev: 23 Median: 75 Max: 100 Min: 35

3 Approximate grade: Mid 80s and up: As. High 60s to mid 80s: Bs. 50s to 60s: Cs. 40s: Ds.

4 Midterm Answers

5 Law and Business: Legal systems make business possible (sorry libertarians). Law establishes: conditions for contract validity; venues for disinterested mediation and dispute resolution; remedies for breach of contract; mechanisms of enforcement.

6 Law and E-Commerce: E-Commerce also needs legal systems. Complexities: global scope / jurisdiction; evolving technology landscape; automation / liability.

7 Evidence: Legal systems require evidence; evidentiary statutes predate digital era; slowly catching up. Non-repudiation: maintaining digital evidence for e-commerce transactions.

8 Legal structures: Common law: long-established precedents in US and UK. Concepts: writing, signing, notary, competence, presence, negotiability.

9 Problems for e-commerce: Is a digital contract "written"? Digital media impermanent. Is a digital signature a "signature"? Must be qualified with respect to key purpose, policy, etc. Who bears liability? Private key compromise; service disruption. Who will archive and how? Digital media volatile; archives must be secure.

10 Example: Financial services law: banks must retain canceled checks or facsimiles thereof (microfilm); pre-dates digital era. If we define "digital representation" as equivalent to physical facsimile, then banks can store electronic scans of canceled checks.

11 Example: Jurisdiction: location where suit can be brought. Party must have "minimum contacts" with a jurisdiction to be summoned there (US Constitutional law). Does the availability of a web site constitute "minimum contacts"?

12 Legal framework: US Federal. Federal law: Federal E-Sign act. Provisions: technology-neutral; electronic signatures have same status as written ones. Limits: applies mostly to sale and lease contracts (wills, trusts and other transactions explicitly excluded).

13 Legal Framework: US State Law. Uniform Electronic Transactions Act: more specific than Federal law; enacted by 43 states; still technology-neutral; doesn't mention certificates, PKI, etc. Uniform Computer Information Transactions Act: extremely controversial; enacted by 3 states: Maryland, Virginia, Iowa. Major concern: imposition of onerous license terms: self-help, reverse engineering, prevention of archiving, fair-use, etc.

14 UETA Provisions: Electronic Signature: "an electronic sound, symbol, or process attached to or logically associated with a record and executed or adopted by a person with the intent to sign the record." Effect of Electronic Signature: A "signature may not be denied legal effect or enforceability solely because it is in electronic form." "If a law requires a signature, an electronic signature satisfies the law." Electronic Record: "Means a record created, generated, sent, communicated, received, or stored by electronic means." Effect of Electronic Record: A record "may not be denied legal effect or enforceability solely because it is in electronic form." "If a law requires a record to be in writing, an electronic record satisfies the law." "A contract may not be denied legal effect or enforceability solely because an electronic record was used in its formation." Effect of Electronic Agents: "The actions of machines ("electronic agents") programmed and used by people will bind the user of the machine, regardless of whether human review of a particular transaction has occurred."

15 Digital Signature Law: Utah Digital Signature Act (1995): very specific; mentions public key cryptography, certificates, CRLs, etc.; licensing and regulation of CAs; liabilities of users and CAs; not widely emulated. "Digital Signature Guidelines" (1999), American Bar Association: guidelines for the deployment of PKI; expectations and liability associated with CAs, RAs, and users.

16 International Laws: UN Model Law on Electronic Commerce: similar to UETA. EU Directive on Digital Signatures: similar to Utah law; specific requirements for PKI.

17 State of law: Complex and unsettled. Different laws in different states / countries. Catch-22: slow adoption of PKI is tied to legal uncertainties; lack of legal precedents / guidelines due to slow adoption.

18 Break

19 Non-repudiation: System property. Protocol provides for the retention of evidence that can be used to resolve disputes regarding transactions.

20 Non-repudiation Strong and substantial evidence of the identity of the signer of a message and of message integrity, sufficient to prevent a party from successfully denying the origin, submission or delivery of the message and the integrity of its contents. – ABA Digital Signature Guidelines

21 Disputes: "I never said that." (origin). "I never got your message." (reception). "Check's in the mail." (submission).

22 Types needed: Non-repudiation of origin (NRO); Non-repudiation of delivery (NRD); Non-repudiation of submission (NRS).

23 Non-repudiation of Origin: Evidence needed: identity of originator; contents of message; time of generation (this may matter for establishing a negotiation sequence). Techniques: two party; three party.

24 Originator Digital Signature: Alice creates message M, dates it T and signs it S. Alice sends M + T + S to Bob. Bob uses Alice's public key certificate to verify signature. Bob archives M + T + S, plus Alice's public key certificate and the CRL used to verify it.

25 Features: Identity and contents are protected. Timestamping depends on the accuracy of Alice's clock. Alice needs digital signature capability.

26 TTP Signature: Trusted third-party (Vicky): receives Alice's transaction M (message); generates time stamp T; signs M + T creating S'; returns to Alice. Bob gets M + T + S'; can verify that whole transaction matches S'; archives the message for dispute resolution, also Vicky's certificate and the CRL used to verify it.

27 Features: Alice doesn't need to sign; she can review message before sending. Alice doesn't need a key pair: lower PKI overhead. Timestamp: Vicky's timestamp will be more reliable than Alice's. Identity less secure: no digital signature from Alice. Vicky has access to message contents.

28 TTP Digest Signature: Alice doesn't want to disclose M. Same operation with hash of M: using key k, creates hash H; sends H to Vicky; gets back H + T + S'; attaches M; encrypts M + k + H + T + S'. Bob receives message; verifies that H is a true hash of M; verifies Vicky's signature; archives the transaction.

29 Features: Alice needs encryption / hashing capability. Confidentiality is preserved. Identity still a problem.

30 In-line TTP: Receives Alice's transaction M (message); generates time stamp T; signs M + T creating S'; archives M + T + S'; forwards M to Bob, perhaps with transaction id. Bob can contact Vicky to get evidence.

31 Features: Vicky does archiving. Alice and Bob don't need encryption capability. Content and identity guarantees.

32 TTP Token: Receives Alice's transaction M; generates time stamp T; creates a secure hash H of M + T using a cryptographic key k; returns to Alice M + T + H. Bob gets M + T + H. Bob can contact Vicky with H. Vicky verifies that H matches message.

33 Features: Content secure. No PKI: ordinary symmetric encryption sufficient. Identity less secure.
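An added example, not part of the original slides: the TTP Token exchange of slides 32 and 33, with HMAC-SHA256 assumed as the "secure hash using a cryptographic key k". The class name, method names and sample message are constructed for illustration.

```python
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timezone


class TokenTTP:
    """Vicky: the only party holding k, so only she can issue or check tokens."""

    def __init__(self):
        self._k = secrets.token_bytes(32)  # symmetric key, never leaves the TTP

    def _mac(self, message: bytes, timestamp: str) -> str:
        # Length-prefix M so the boundary between M and T cannot be shifted.
        data = len(message).to_bytes(8, "big") + message + timestamp.encode()
        return hmac.new(self._k, data, hashlib.sha256).hexdigest()

    def issue(self, message: bytes) -> dict:
        """Alice submits M; Vicky returns M + T + H."""
        t = datetime.now(timezone.utc).isoformat()
        return {"M": message.decode(), "T": t, "H": self._mac(message, t)}

    def verify(self, evidence: dict) -> bool:
        """Bob (or an arbitrator) asks Vicky whether H matches M + T."""
        expected = self._mac(evidence["M"].encode(), evidence["T"])
        return hmac.compare_digest(expected, evidence["H"])


def demo() -> dict:
    vicky = TokenTTP()
    evidence = vicky.issue(b"Alice bids 500 USD for lot 17")  # constructed sample
    forged = dict(evidence, M="Alice bids 900 USD for lot 17")
    backdated = dict(evidence, T="2001-01-01T00:00:00+00:00")
    return {
        "genuine": vicky.verify(evidence),
        "altered_message": vicky.verify(forged),
        "altered_time": vicky.verify(backdated),
        "other_ttp": TokenTTP().verify(evidence),  # different k: cannot confirm
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Nothing in the token names Alice, which is the "identity less secure" point of slide 33: Vicky would have to authenticate the submitter separately.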

34 Combination of methods: Originator Signature + TTP Digest Signature: if we care about disclosure and recipient can archive. Originator Signature + In-line TTP: if we don't care about disclosure and we want 3rd party archiving. In-line TTP could archive encrypted message; Bob would need private key to access evidence.

35 Non-repudiation of delivery: Same information needed: identity of recipient; content of message; timestamp. Think of NRO, but the origin message is the acknowledgement of receipt.

36 Signed receipt: Alice sends Bob M. Bob generates a timestamp T; computes a hash of M = H; signs H + T = S'; sends Alice a receipt message H + T + S'. Alice checks H against her original message; validates Bob's signature; archives the receipt message.

37 Features: Like digital signature NRO, but in reverse; message = acknowledgement. Standardized part of S/MIME: secure receipt of email; available in MS Outlook. Other variants: TTP Signature, In-Line, etc.; all the same options available.

38 Problem: Requires that the recipient generate the receipt. What about the "reluctant recipient"? Reason for NRD in the first place.

39 Trusted Delivery Agent: Alice sends message to Vicky. Bob must contact Vicky to access message. Vicky generates receipt.

40 Non-repudiation of submission: Useful when what matters is submitting something: a bid acceptance. Like NRD, but with the mail system or the bidding engine doing the verification.

41 Basic idea: Parties agree to non-repudiation mechanism. Evidence is generated during transaction. Evidence is transmitted. Evidence is verified. Evidence is archived. If necessary: evidence is retrieved; evidence is presented for dispute resolution.

42 Digital evidence: Evidence will be strong if: secure chain of custody from creation to presentation; properties of authenticity and integrity; policies of the CA and TTP.

43 Secure bidding: Suppose Alice doesn't want Bob to know the contents of her message: a bid to be unsealed later. Additional safeguards: Alice shouldn't be able to change her mind; Bob shouldn't be able to read her bid. "Commitment protocol": Alice commits to an answer but doesn't reveal it.

44 Commitment protocol: Alice encrypts M with symmetric key k; produces ciphertext C; generates the transaction based on C. Bob gets Alice's bid C; he can verify identity and timestamp; gets copy of C. When bids are revealed: Alice transmits k; bid can be read.
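An added example, not part of the original slides: the commit and reveal steps of slides 43 and 44, with a blinded SHA-256 hash commitment substituted for the slide's symmetric encryption because Python's standard library has no cipher. Function names and the sample bids are constructed; in this variant Alice reveals the random value r together with M instead of transmitting k.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets


def commit(bid: bytes) -> tuple[str, bytes]:
    """Alice: return (C, r). C is sent now; r stays secret until the reveal."""
    r = secrets.token_bytes(32)  # random blinding value, plays the role of k
    c = hashlib.sha256(r + bid).hexdigest()
    return c, r


def open_commitment(c: str, r: bytes, bid: bytes) -> bool:
    """Bob: at reveal time, check that (r, bid) is what C committed to."""
    if len(r) != 32:  # fixed length keeps the r/bid boundary unambiguous
        return False
    return hmac.compare_digest(hashlib.sha256(r + bid).hexdigest(), c)


def guess_bid(c: str, candidates: list[bytes]) -> list[bytes]:
    """Why r is needed: without it Bob could hash every plausible bid."""
    return [b for b in candidates if hashlib.sha256(b).hexdigest() == c]


def demo() -> dict:
    bid = b"lot 17: 500 USD"  # constructed sample bid
    c, r = commit(bid)
    unblinded = hashlib.sha256(bid).hexdigest()  # weak variant without r
    plausible = [b"lot 17: %d USD" % n for n in range(100, 1000, 100)]
    return {
        "honest_reveal": open_commitment(c, r, bid),        # bid can be read
        "changed_bid": open_commitment(c, r, b"lot 17: 450 USD"),  # rejected
        "bob_guesses_blinded": guess_bid(c, plausible),     # nothing learned
        "bob_guesses_unblinded": guess_bid(unblinded, plausible),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

For non-repudiation, C is what goes into the signed or TTP-stamped transaction, so the archived evidence fixes the bid before anyone can read it.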

45 Homework #4: Use secure email: digital signature; encryption. Get certificate from www.thawte.com; cannot use web mail; if necessary, open a new hotmail account. Use Outlook Express or Netscape Communicator.

