Data Origin Authentication vs Non Repudiation?

Thanos

11/19/23, 10:00 PM

I'm looking into how authenticated encryption primitives work and was wondering if non-repudiation is provided with these. Investigating further into them led to the answer being that data origin authentication (DAO) are provided by the primitives.

Now DAO is defined as "the source of the information being verified", providing integrity through MAC. Yet Non-repudiation is almost defined as the same thing, in which it provides proof of the origin and the creator of said data being unable to deny that they created the data.

If they both say the same thing, then why is it that some sources state that authenticated primitives do not in fact have non-repudiation when they do? Some say that the separate primitives that are combined result in non-repudiation being created, but I am so genuinely confused at what I'm supposed to take from this.

152

1 + 1

authenticated-encryption

non-repudiation

samuel-lucas6

11/20/23, 8:30 AM

It's best to think of 'data origin authentication' as 'message authentication' in the context of AEADs. 'Origin authentication' is more for signatures. Non-repudiation is a stronger requirement that builds on this. MACs don't offer non-repudiation (without an assumption about some intermediate trusted party) because multiple parties can compute the MAC, whereas digital signatures do because only one person can compute the signature and that cannot be disputed by a third party.

Score:3

Crypto

Maarten Bodewes

11/20/23, 12:56 PM

For message authentication the sender can repute the creation of the authentication tag as the receiver has the same key. Signatures can also be verified by other parties as they may obtain a trusted public key to do so.

Imagine the sale of a house where the seller can also create the signature under the sales contract for the buyer. That is possible under message authentication but not under a signature scheme.

Diving into message authentication

Message authentication is a better term than Data Origin Authentication in my opinion. In case of data origin authentication you'd assume that the origin might be established by a third party, is not correct for MAC or AEAD schemes.

Message authentication means that the receiving party can identify that the other party that holds the secret key has generated the message. Of course, this assumes that the party doesn't accept messages that they've signed themselves.

Protection against this kind of replay attack can be accomplished in two ways:

only using the secret key in one direction, i.e. for sending or for receiving;
having some kind of identifier within the messages that are encrypted & authenticated.

Symmetric message authentication does not work for any other parties as they don't possess the symmetric key to verify the messages.

Note that the message authentication principle only works in a two-party system. You can have an $N$-party system where $N \gt 2$, but in that case it is impossible to detect any fraudulently signed messages by any of the party members. In other words, it would require full trust of the members within the network.

+ 0

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Data Origin Authentication vs Non Repudiation?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.