
If it is confirmed that Alice is the source of a message (authentication), then shouldn't she be unable to deny that the message is from her (non-repudiation)?

Is there an example where authentication happens without non-repudiation?

schroeder
explorer
This is answered in [What is the difference between authenticity and non-repudiation?](https://security.stackexchange.com/questions/6730/what-is-the-difference-between-authenticity-and-non-repudiation). In short: non-repudiation also requires a proof that the message was not changed, which is not part of authentication. Authentication also does not include proving to a third party the origin of the message. Non-repudiation includes authentication but not vice versa. – Steffen Ullrich Oct 12 '19 at 20:25

3 Answers


Non-Repudiation is the assurance that someone cannot deny something.

Examples of authentication without non-repudiation:

  1. Alice's credentials were/could have been stolen and used by someone else.

  2. The authentication process itself is flawed (has bugs).

  3. The system has provisions for impersonation, say by an administration or support user.

perror

While your answers are fully correct, I think they don't hit the OP's question on the head. It is a little bit about the true definition of authentication. – Ariser Oct 13 '19 at 08:33

The problem is that authentication isn't one thing; it's a sliding scale. On the one hand we can imagine the weakest possible authentication which is just identification, e.g. a username and no password. Or we can start to add items from the authentication triad, which comprises something you know (such as password), something you have (such as a SecurID token) and something you are (such as a retina scan).

A weak authentication provides only minimal non-repudiation because Alice can claim that someone guessed/stole her password, and that's a plausible claim, especially if she used the same password on a website that was recently hacked. But what are the chances that someone stole her password and her token? Or her password, her token, and 3D printed a model of her eyeball for the scanner? Very, very low, hence non-repudiation would be strong in that case. Another example is your bank requiring chip-and-PIN or 3D Secure. It's not to protect your account, it's to protect the bank if you attempt to repudiate a transaction you've made.

So that provides a real-world example too: if you make a contactless payment then you have authenticated in the weakest possible way but there is no non-repudiation control there.

Gaius

Example to illustrate the difference: imagine a cluster of nodes who all share a symmetric key. This counts as authentication because any node in the cluster knows that it came from another trusted node. But it is not non-repudiation because any individual node could repudiate any given message by saying "That didn't come from me", and there's no cryptographic way to prove it.

Mike Ounsworth
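The shared-key cluster described in this answer, as an added illustration (not code from the original answer). Three constructed nodes hold one HMAC key: a tag verifies that a message came from some key holder and was not altered, yet an equally valid tag can be produced by any node naming any other node as the sender, so no individual node can be held to a message. Node names, the key and the messages are all made up for the example.

```python
import hashlib
import hmac
import secrets

# Constructed cluster: every node holds the same symmetric key.
NODES = frozenset({"node-a", "node-b", "node-c"})
CLUSTER_KEY = secrets.token_bytes(32)


def tag(key: bytes, claimed_sender: str, payload: bytes) -> bytes:
    """HMAC-SHA256 over the claimed sender name and the payload."""
    return hmac.new(key, claimed_sender.encode() + b"\x00" + payload, hashlib.sha256).digest()


def build_message(key: bytes, claimed_sender: str, payload: bytes) -> dict:
    """Whoever holds `key` can build a message that names any node as its origin."""
    return {"from": claimed_sender, "payload": payload, "tag": tag(key, claimed_sender, payload)}


def verify(key: bytes, msg: dict) -> bool:
    """Valid tag == 'produced by a key holder and unmodified'. Nothing identifies which holder."""
    return hmac.compare_digest(tag(key, msg["from"], msg["payload"]), msg["tag"])


def possible_authors(msg: dict, key_holders: frozenset) -> frozenset:
    """Who could have produced a valid tag: every key holder, regardless of the 'from' field.
    Non-repudiation would need this set to collapse to exactly {msg['from']}."""
    return key_holders


def demo() -> dict:
    # node-a really sends a command; node-c builds the identical message in node-a's name.
    honest = build_message(CLUSTER_KEY, "node-a", b"rotate-leader")
    forged = build_message(CLUSTER_KEY, "node-a", b"rotate-leader")  # computed by node-c
    tampered = dict(honest, payload=b"rotate-leader-now")  # integrity check still works
    return {
        "honest_verifies": verify(CLUSTER_KEY, honest),
        "forged_verifies": verify(CLUSTER_KEY, forged),
        "tags_identical": honest["tag"] == forged["tag"],
        "tampered_verifies": verify(CLUSTER_KEY, tampered),
        "deniable": possible_authors(forged, NODES) != frozenset({forged["from"]}),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Because the honest and forged tags are byte-for-byte identical, a receiver (or an auditor) has no cryptographic basis to reject node-a's claim "that didn't come from me"; a per-sender private key would be needed to make the author set a singleton.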