We find ourselves on the final step of our "PAIN" journey: non-repudiation (NR). As we navigate our increasingly digital lives, let's embrace the covenant of non-repudiation with open arms and cautious clicks. It is a world where "I didn't send that embarrassing email" just won't cut it anymore. In the digital realm, non-repudiation is like an online notary public for every action we take. It's the technological equivalent of your mom saying, "I know it was you who ate the last cookie", but with cryptographic proof behind it: a digital signature made with a private key that only you are supposed to hold.
It ensures you can run but can't hide from your online actions. It makes honesty the best policy, not by choice, but by cryptographic necessity. NR turns every digital promise into an ironclad contract. Think of it as the binding magic of a genie's wish: be careful what you click for; you'll get it, and it will stick. In the landscape of non-repudiation, the 'oops' button is perpetually out of order. The one piece of fine print: the guarantee is only as strong as the secrecy of your private key. If someone else gets hold of it, or of your login, the trail still points at you.
It is not all doom and gloom. Non-repudiation is the superhero that swoops in, cape fluttering, ensuring every digital action is as traceable as Sherlock Holmes following a trail of breadcrumbs; no vanishing into the ether allowed! Summary: NR ensures that every action has a consequence in our vast online universe, and every digital move is accounted for. It's not just about keeping you honest; it's also about keeping everyone else honest. In this ever-connected world, it's the guardian of digital integrity, ensuring that what goes online stays verifiable online.
Listen on for NR insights.
[00:00:02] Hi, I'm Samiran. Hi, I'm Mulej. Hi, I'm Sheetal. And you're listening to 3TB, 3 Techies Banter. Thanks to all of your listening, we won the Best Podcast in the Science and Technology category at the Podmasters Awards, which is hosted by Hindustan Times.
[00:00:45] So thank you, thank you everyone for that. As you might have been following, we are on this quest to explain PAIN. So PAIN is nothing other than, of course, privacy, authentication, integrity and non-repudiation. So in fact I wanted to get a
[00:01:14] little deeper into pain and I said let me find out something that explains pain. I found another acronym that is used to detect pain. There is an acronym that is for a checklist
[00:01:29] of pain and that acronym is called SOCRATES. So SOCRATES is an acronym that doctors, it's a mnemonic in fact that doctors use to find pain, and it actually stands for site, onset, character, where is the pain radiating from, associated symptoms, blah blah blah, severity.
[00:01:51] So anyway, SOCRATES and pain, there you are. But I think more importantly, it is a logical conclusion and end to the series, and it is only fitting that we kind of close it out with this. The reason for that is that non-repudiation is actually a critical part of
[00:02:15] information security. It ensures the authenticity and integrity of data, preventing parties from denying their actions, which means that, you know, it's kind of a little bit like the reverse of security, in that, you know, if you take an action
[00:02:33] and if there is a digital trail, which there should be, you cannot deny it. Having said that, the issue also is that if somebody else gets access to your digital footprint or your physical
[00:02:48] trail, then they could create a trail which then kind of puts the liability on you. So I mean it's an important aspect to kind of remember at the end of the whole privacy, authentication and integrity, and with all that PAIN and all the SOCRATES, I kind of
[00:03:03] will leave it to the other two intelligent people to deal with this. So if the beginning of this episode has confused the hell out of you, this is trademark Samiran, okay. He took a very simple concept, which we started with a couple of episodes
[00:03:24] ago, which was that we would decode data security for you from the perspective of privacy, authenticity, integrity and non-repudiation, and confused you by adding SOCRATES to the mix. So what we're going to do, in simple terms, in today's episode: in the last couple
[00:03:45] of episodes, in one of the episodes we covered privacy in depth. We then had, you know, Rahul Mathel Kavanan speak to us about privacy, etc. Then we did an episode on authenticity
[00:03:58] and integrity, and today we thought we would end the whole acronym of PAIN by ending it on non-repudiation. Non-repudiation is what Samiran spoke about, and me being the non-techie, I love to simplify things. So in the non-digital world,
[00:04:18] where it is easier, think of your signature as a tool of non-repudiation. When you sign something off, you are now making sure that you cannot deny that this is something that you have done, as long as you have done the signature and somebody has not
[00:04:34] forged your signature. So that's one way. A cash receipt, or a receipt, is another way of non-repudiation, which says that I have received money. I'm giving you a token saying that I have received the money, I'm acknowledging that I have got it, etc. So that's really all about
[00:04:53] this non-repudiation, and what might be interesting for us to do is, we spoke about integrity and authentication, and we were not on non-repudiation. So I'm going to take on integrity, as to how integrity differs from non-repudiation; maybe you can take up
[00:05:12] authentication, because it's like the closer one to non-repudiation. So integrity really ensures that a message or a transaction that you've done has not been tampered with. So that's what integrity means: that transaction or the message has not been tampered with. Non-repudiation
[00:05:32] actually provides evidence that the message exists or the transaction exists, and ensures that the transaction is not a transaction. So that's what integrity and non-repudiation are. So I'm going to let you talk about authenticity and non-repudiation.
[00:05:48] So before you do that, I have to give you a story about signatures, since you said signatures are such an important thing. So this goes back a long, long time ago, when we got married. So in those days you were going to get the marriage certificate.
[00:06:05] So obviously once the wedding got over, somebody gives some certificate, and a few days later you have to go to the registry. So lo and behold, the Pundit had forgotten to sign
[00:06:16] the form. So my father had sent the peon in there. So the peon went in and he said the Pundit has not done the signature. You know, it's not there. So he came out, he called my daddy. He said, you know, what do I do? Let me have a second.
[00:06:28] Sign it there. So in fact my mother sent him again. He said, so my father's peon has signed as the Pundit. So that is, so much for that, there doesn't seem to be any integrity for you, and the power of signatures.
[00:06:41] You know, Samiran, I do hope you realize you've gone on record for this, right? So if the Government of India wants to nullify the marriage, you have provided the identity, integrity and non-repudiation on this podcast.
[00:07:02] I think the happier person might be my wife, but they don't care. So, you know, let me take that cue and explain non-repudiation in the offline physical world with the asymmetric key aspect of non-repudiation.
[00:07:24] I'll try to simplify it. I'll come to the digital asymmetric key very soon. So what Samiran mentioned just now was actually a classic asymmetric key concept, whereby there has to be a certificate, a certifying authority.
[00:07:39] Right? So a marriage certificate is a classic case where, honestly, two people get married and, you know, you have given vows to each other and it's done and understood. But no, there has to be a certifying authority where you go physically, or the Pundit goes and does the signature,
[00:07:56] and any notarization of a document is a classic example of non-repudiation in a physical, offline world. Now these certifying authorities or notaries have to actually ask for your identity.
[00:08:13] So in today's world it's Aadhaar and stuff like that, and they check that Samiran Ghosh is the one person standing in front of me.
[00:08:21] And then if Samiran signs, that signature is Samiran's, and in your case probably the peon would have posed as the Pundit and got away with it. But oh well, I'm going to say that's an expensive, or rather, Samiran thing to ask about it.
[00:08:39] Maybe there will be some rights, minutes of the yacht that has been doing the rounds in the previous week. So coming back to this concept of certifying authority: so a notary is a notary, or any certificate certifying body, like a marriage certificate,
[00:08:55] birth certificate. There is a third party who ensures non-repudiation, meaning the person who is signing cannot later deny that he or she didn't sign it. So that is the idea of non-repudiation. Sheetal, coming to your point of how it is different from authentication?
[00:09:12] Very different. Actually, sometimes I feel non-repudiation, you know, it is one of the core pillars of security and it has elements of integrity, authenticity or authentication all rolled in,
[00:09:29] in the way it is implemented, right? And there are so many ways, and honestly it's very difficult to point out whether any system is doing non-repudiation to its fullest extent or not.
[00:09:42] So I'll tell you very quickly how. So authentication essentially is only specifying that a person is who he or she says they are, right? So in a contract, two people, you know, they have to digitally, you know, authenticate themselves, and it provides a level of access.
[00:10:03] But the whole idea of integrity and authentication has to be combined to get the non-repudiation as well. So I'll quickly give two examples, and that is what I said, it's a bit complicated because it can be implemented in multiple ways.
[00:10:18] So starting with the notarization aspect, if Samiran, you know, again going to the physical world authentication, and saying that Samiran went to the marriage certificate and showed his Aadhaar card or whatever the identity was that was prevalent,
[00:10:32] I think that's authenticating Samiran. Finish. The signature part takes it to a physical level, right? So you actually physically did something, right? Whatever you did. And then there was a third party who recorded everything.
[00:10:47] Actually a notary has to keep a record, a certifying authority has to keep a record that this person came on this date, he gave me this document, this is the number on the document, this is the signature, blah blah blah.
[00:10:57] So that is what non-repudiation is. In the digital world, the way to do it, the best way possibly, or the most prevalent way, is public-private key infrastructure, the asymmetric keys, right?
[00:11:12] And how do you do that? So let's take an example of a two-way simple thing, like a mail being sent from a person to another person.
[00:11:22] The way you would do it is that you would create a digital signature. So if I am sending a mail to Samiran, I have to create a digital signature, right? And I'll go into the details of whether it should be a tag or the whole message should be encrypted.
[00:11:37] Let's go with the simple thing, that the message is in clear text and there is a signature. If people use, even Gmail allows PGP, you can use it.
[00:11:47] It makes it a bit complicated, but ProtonMail is another mailing example which is highly secure, completely encrypted, and with signatures as a compulsion.
[00:11:55] So when I send this digital signature, essentially it is locked with my private key, right? And when it reaches Samiran, he can unlock this using the asymmetric pair of my key, which is publicly available.
[00:12:10] So that is why it is a public-private key infrastructure. And it is hosted by a certifying authority. So as I said, a notary is a certifying authority in the physical world. Here it would be something like Thawte or RSA who will host the public key infrastructure.
[00:12:27] Now Samiran was able to open and check this digital signature using my public key. Now I can never deny, unless I have given my private key to someone, I can never deny that I did not send this email, because it could not have been opened with the pair otherwise, right?
[00:12:48] And this digital signature carries a lot of other information, like a date, or where I actually, location information on where I signed it, what was my IP address, and these details are in the digital signature. So it is sent as a tag with the message.
[00:13:02] So this is a public-private key based method, using asymmetric keys. The other method, which is quite prevalent also, but difficult to implement,
[00:13:14] difficult, or maybe it is a bit compromised, is a MAC. So a MAC is also a tag, which is a message authentication code, and what a MAC does is that it is a symmetric key encryption, meaning there is only one key: you lock it, and it can only be opened with that one key. Now in a symmetric key kind of a scenario, if I had to send a MAC, I would have to exchange that key with Samiran in a very secure manner,
[00:13:42] so that both have the same key. That poses a bit of a problem, because it can be tampered with when I'm trying to share it digitally. But once shared, honestly, it, you know, removes
[00:13:55] the need for a certifying authority, right? So I send a message with a MAC and Samiran has the same key. He opens it, symmetric key encryption, and he knows that, okay, I cannot deny, because only the two of us have this key.
[00:14:09] So MAC is another mechanism where you can, you know, implement non-repudiation. These are the two methods. Very quickly, the third and final thing I would add is, if you had to take it to the next level, you could even encrypt the whole message.
[00:14:23] Right? Now it is giving you a digital signature or tag, and the message and everything is encrypted using an asymmetric key.
[00:14:33] Samiran, when he receives it, decrypts the message and the tag. And again, I cannot deny that I did not send it, and it provides the integrity of the message because it cannot be tampered with.
[00:14:46] The only issue, very quickly I'll point out why no one goes to, why there are these levels of non-repudiation, is compute, right? The required compute keeps increasing. The whole idea of encrypting, decrypting, it takes resources. So that was, I don't know, in simplified words.
[00:15:07] No, I think, I think, an issue with the idea, the important thing for me was that I was reading this Verizon data breach report, I think.
[00:15:16] And it had this very dangerous statistic that said 80% of digital credentials are compromised, or it's kind of theft and all that, which kind of brings us to the complete reverse of, you know, a system that is created for your defense, which means traceability, provenance and what have you.
[00:15:37] Once breached, it can be misused, and then the onus or burden of proof is on you, because, I mean, theoretically you have the key, but it has been stolen. So if somebody opens the lock with your key, then only you are liable.
[00:15:54] So which is kind of a very, yeah, it's kind of a dangerous situation. I mean, it's a great thing to have, but it's a dangerous situation.
[00:16:02] Yeah, so Mulej, as a layman, right, who doesn't understand these things like, you know, keys and stuff like that, and does not understand the whole space of data non-repudiation.
[00:16:17] What happens to people like that? So if somebody is talking about, so there is, we've talked about identity theft, we've talked about things like that in the earlier episodes.
[00:16:27] What happens when what Samiran mentioned happens to an average individual, who doesn't even know that I have done this? Okay, where does that, how does one solve for that?
[00:16:43] So I'll give you, so absolutely good points both of you make, and Samiran, you're absolutely right: where your private key gets compromised, you are, in very simple terms, screwed, right?
[00:16:54] So, but there are two schemes or mechanisms I can talk of. The first one, coming back to my favorite, would be a multi-factor or two-factor introduced in it.
[00:17:09] So what we are essentially saying is that, let me give another factor: if I have a key and it gets compromised, then I will also do a multi-factor, whereby there will be another authentication mechanism other than the key, which can help me understand at least that, you know, I have been compromised.
[00:17:32] So it can be an SMS or it can be a token. Sorry, should I leave it?
[00:17:38] No, no, I wanted to ask you a question. It throws, because you said two-factor authentication, today in India we are all aware of the fact that phones are getting cloned, people are getting into your phones.
[00:17:50] Even your two factors are not going to work, because the SMS or the code is going to the guy, right? So now he has access to your key, and the two-factor authentication is not going to work.
[00:18:01] So that is why I use the word multi-factor, right? So then there is your ultimate defense, right? So actually speaking, there are three factors of authentication we have talked of.
[00:18:11] We will not go there again, but when it comes to non-repudiation there are five things to check, okay? You may still be compromised, but how you will know, there are five things.
[00:18:21] So obviously there is something you know, what you know, which is your password or, you know, some such amount. Then what you have, which can be your key or your SMS that you receive on your phone.
[00:18:35] But again, that can be compromised. The third level is who you are. So biometrics also comes into the picture, whereby you can have a biometric kind of a mechanism in which it can't be repudiated.
[00:18:48] And I will take a quick example of, I will not say to the level of biometrics, but many US organizations use something called, I forget the name, they call it CAC, which is an access control card, right? Something like that. What it does is it does non-repudiation in a way where you at least get two or three factors in place. So what you do is you need a card, okay?
[00:19:15] And then you have to put the card in. The key is never outside this card. So essentially you have a physical thing and the key is inside that, and then you possess the card. Again, you can lose the card.
[00:19:31] So you can put a level of biometric authentication on it. The two more things I told, when it comes to non-repudiation, are actually related to the location and the time.
[00:19:44] So all this together ensures non-repudiation. You can still be compromised, but then can I check whether this person... So let's say someone cloned your phone. He has to be in the same postcode as Samiran, and if it's Samiran in the postcode. If he's not, then location goes out of the picture.
[00:20:04] So you need these five things: that time, maybe it is a time of that, and maybe the guy is sitting... So a lot of this cloning happens in, it seems the hotbed of these things is in Europe, it's Germany.
[00:20:18] When you travel to Germany, sometimes your credit card company, when you come back, will say that you may want to change. I was surprised a lot of skimming happens in Germany.
[00:20:28] Then Thailand is a hotbed, there are many, Nigeria, I mean there are the usual suspects, but I was surprised to know about Germany. So the location: so suddenly, why is this person in Germany? What is the time of the day? And obviously all these three factors.
[00:20:41] But to come to the point, I think most of the time security is breached due to either human folly or man-in-the-middle kind of attacks. Honestly, you can put as much technology in place as possible.
[00:20:57] But if you share your key cards, your logins, your non-repudiation goes out of the window. I share my login with someone and he uses it to send a message. The key is already there in my application.
[00:21:13] For all you care, it is in the relationship between the two. So those are things we need to take care of.
[00:21:21] One more thing, sorry, because I wanted to add another thing on this aspect, which is probably, Sheetal, you once briefly mentioned it, and probably it requires another whole episode.
[00:21:33] It's homomorphic encryption. So what people are doing now is that, why would breaches happen? Because finally you're storing this key in its alphanumeric form.
[00:21:46] And it might get stored on a server in Amazon, or it is stored somewhere. Now you encrypt it, encrypt this key itself, and then store it. Now what happens is that the storage of all your data is encrypted, including your keys.
[00:22:01] And then you still use it without compromising the data. That is where homomorphic encryption comes in, which is a complex mathematical concept whereby you say that if I did a mathematical operation on encrypted data and there is an output X,
[00:22:21] if I decrypted the data and decrypted this output X, it will result in the same X as if the mathematical operation was performed on it.
[00:22:32] So in a way homomorphic encryption ensures that you can store everything encrypted, you can do mathematical operations or transformations on it, and not compromise anything.
[00:22:45] And later on check by decrypting both the output and input, and the same thing will result. So yeah, as I said, going into a different realm altogether.
[00:22:57] So that's really fascinating. The other thing I was reading, and maybe we can do this after a break, but the other thing that I was reading is that non-repudiation could possibly be under a bit of a challenge
[00:23:11] when we think about quantum computing, and a couple of years ago we thought quantum computing was a while away, but it seems like it's right around the corner.
[00:23:23] And therefore, will non-repudiation be under some kind of threat, and what happens then when you have quantum computing with non-repudiation, is something that we can discuss after this short break.
[00:23:45] Welcome back to this conversation, and we left this conversation on the fact that non-repudiation may have some challenges when it comes to quantum computing. But before we go there, Samiran, when he was doing all of the work that he was doing with non-repudiation,
[00:24:03] realized that there are already challenges with non-repudiation, and therefore, so I'll hand over to you to talk about some of the challenges that we have with non-repudiation. And then we'll talk about how those get compounded with quantum computing.
[00:24:16] So it was quite astonishing that when I was looking for stuff to talk about non-repudiation, there seemed to be a lot of things that could go wrong because of the compromising of non-repudiation systems.
[00:24:33] Because ultimately, like we discussed, it is meant to create a trail which cannot be disputed, for there is then a clear, what should I say, a path of ownership that can be traced back, and stuff like that.
[00:24:48] But in maybe countries, maybe like India, maybe anywhere in the world frankly, when we put these systems in place, we don't factor in, or we know the fact that there could be things that could go wrong.
[00:25:08] In fact, I came up with quite a few examples of what do you do in situations of coerced consent.
[00:25:20] So while we're not saying that is the ordinary course of business, there have been enough situations where, if it's coerced consent and then you have non-repudiation in place, then how do you even get out of it?
[00:25:33] Because obviously you are doing it and there is traceability. There have been cases of breach of systems, and there are n number of examples: the classical case of Sony Pictures in 2014, there was, you know, Equifax as a data breach I think in 2017, there was Marriott and all of that.
[00:26:00] In all of these cases, while, you know, you may think of it as a data breach, it is essentially somebody getting into your system, somebody taking ownership either of your email or your credentials and doing something with it.
[00:26:16] So to me, you know, I'm especially in the light of what you said, Sheetal, about quantum computing and all that. So quantum computing is one angle where anything can theoretically be hacked, and on the other end, of course, there is this human element where, you know, people breach these systems and then they take over your identity or your digital signature or some imprint of yours that proves that you are you, and then misuse it.
[00:26:44] It is a very difficult thing to guard against, I would say. Well, of course biometrics are there and there are other systems that could be put in place, but I don't know, I mean I really found this non-repudiation to be a great thing which could be greatly misused.
[00:27:04] I think, you know, even before quantum computing and things, one of the classic things or classic hacks is social engineering, and non-repudiation is at its biggest threat when it comes to social engineering.
[00:27:21] So one is a wrong person proving that you are who you say you are, and that just, I mean people over phone calls get some details of you, or I think we have spoken earlier, right, people at times mention their whole bank account in clear on some website; the classic is consumer complaints.
[00:27:48] Why do you need to give your complete, you know, you are talking about, let's say, some bank, not having some complaint against some bank, and you're putting the whole account number.
[00:27:58] And suddenly when you start talking of an account number, it would be at least 12 to 16 digits, and you know each digit, suddenly the other person will think you are the owner of that account, right? So social engineering through these websites and all is, I think, a much greater threat to non-repudiation, honestly, than that.
[00:28:19] In fact, it is not that, you mentioned in the first two days, we are just going through that issue. So the person who works with me, his son is getting his admission in the 12th standard, 11th standard, in VR.
[00:28:32] And they have to fill out a form. The rules, you know, we write the rules in detail, you know, fill out a form, give 10 college options, blah blah blah, everything.
[00:28:40] But lo and behold, there is one agent somewhere there in the middle who actually fills out that form. Now, so what he or she does is, everything, data, there, and he's put that guy's mobile number, but, like, very clever, he's put his own email ID, okay.
[00:28:58] So for whatever reason he's put his email, and when the preferences are pulled, when this child gave a certain preference, when he finally made the entry he flipped it around just a little bit.
[00:29:09] So now the number one option for this child is his least desired college, and he has signed up on it. So in the sense, like you know, the government has provided so much defence, but at that, you know, that is exactly, I mean, whether you call this the man in the middle, whether you call it social engineering or just pure mala fide intent, but that whole, you know, if you have to sign off you have to say it, but he's just done one last thing in the middle.
[00:29:35] And now this kid is stuck with the college that he doesn't want to go to, and is still kind of figuring out how to get out of it.
[00:29:42] And this, I think, is going to get worse with all of the voice recognition software that we are getting into play. Well, now all of us, anyway, are doing everything over voice, right.
[00:29:54] And now if anybody can fake your voice, which is what is going to happen, that they will, you know, we're training, any, your voice can go anywhere.
[00:30:02] I mean, our voice could easily be, you know, if somebody took all our episodes and put it out there, I mean, our voice could easily be.
[00:30:11] That's what, he has been chasing on LinkedIn to pay me fifty dollars an hour to take all our episodes and do voice training with it. Please don't agree to it.
[00:30:22] No, actually, come to think of it, Sheetal, that's, you know, one of the, that is also one of the biometric signatures, using voice. And it's the easiest to implement, honestly, it's the easiest to implement, but you're right.
[00:30:37] And all IVRs, all IVRs today are asking you to say things with voice, right, you're not even typing anymore. This is a yes thing, whatever. I mean, if you've replicated my voice, you are done with your voice.
[00:30:51] So, and that threat is understood, that's why it never took off, but it is the easiest, and there are some implementations of voice signatures because it's easy.
[00:31:03] So coming, you know, quickly concluding our today's episode, so you mentioned quantum computing, so just for the listeners, why quantum. So there are, social engineering is a threat, man in the middle is a threat,
[00:31:16] and for me it's the biggest threat, but quantum computing is the hardcore technology threat that is out there for the whole encryption industry, and I would, you know, urge people to read up. There is a lot of work happening on the other side.
[00:31:35] The encryption industry itself is trying to create quantum-safe encryption, and I think in 2022 there was a NIST conference whereby they actually released some very beautiful papers about quantum-safe encryption.
[00:31:55] But today, as it stands, our infrastructure, the PKI, public-private key infrastructure, is very, very vulnerable to quantum computing, so if you had enough compute you can break this encryption scheme.
[00:32:10] So essentially you just need, because of the amount of compute which quantum provides to actually guess, it's like absolute brute force, right, and you just needed compute which was not going to take, you know, 10 years to break a signature, if it happens in seconds.
[00:32:24] You're screwed, and quantum provides that kind of ability, but I think the work is happening on the other end to create quantum-safe encryption. So these are quite complex topics, but the simple fact remains, and since this is the concluding episode of our pillars of security,
[00:32:44] I think while we talked about the concept of privacy, authentication, integrity and today non-repudiation, the simple fact remains that we need to be vigilant. We need to take care of all our personal information.
[00:33:01] Even today, you know, I think in one of our episodes we talked about Aadhaar, right, and even the government has created masked Aadhaar.
[00:33:10] Aadhaar is a classic case where we give it left, right, center, everything in clear, right. I think all of us need to become very well aware of these mechanisms, not give our information in clear, not be prone to social engineering.
[00:33:27] Honestly, just reject all the calls which you don't know, and then period. The best way is, if something was important, it will come back to me, and it will come back to me in a more offline manner.
[00:33:41] More probably. So just reject point blank. That is what I do: reject all these calls, calls for information.
[00:33:49] So in fact a manager of mine in IBM had, just think, he said, he used to put the out-of-office message, and then I asked him how do you deal with these 800, 1000 emails.
[00:33:57] He said, no, when I come back I just delete all of them. Wow. Why? He said, no, if it was an emergency they would have called me, right. I mean, they wouldn't expect me to answer email after two weeks, right, so.
[00:34:09] And to this point of security, I think we have to start honing our homing pigeon skills and kind of go back to good old-fashioned rocks.
[00:34:21] So that we say what's something, and I'm waiting for the day when we send a homing pigeon from India to Dublin to send a message.
[00:34:31] That, I mean, yeah, and when I'll get that message. Okay, to that point, there was a test done somewhere in the late, well, a pigeon was sent with the message and an email was sent; the pigeon reached faster. Of course those were the days of very low bandwidth, but the pigeon was faster.
[00:34:49] So on that interesting note of going totally offline and to homing pigeons, we end another episode of 3TB. If you liked our banter, then please share the episode and don't forget to follow the show.
[00:35:04] We are really thankful for all your support, which helped us win the HT Podmasters Award, and we'll be coming up with interesting concepts and theories as we go along. Thank you. Bye bye.