Why does HTTPS not support non-repudiation

0 votes
HTTPS ensures secure communication by encrypting data and validating the identity of the server, but it seems to lack non-repudiation guarantees. My understanding is that non-repudiation requires evidence, like a digital signature, which cannot be denied by the sender. If HTTPS uses certificates, shouldn’t it inherently support non-repudiation? What are the technical or protocol-level reasons that prevent HTTPS from providing non-repudiation?
Dec 30, 2024 in Cyber Security & Ethical Hacking by Anupam
• 9,050 points
35 views

1 answer to this question.

0 votes

HTTPS (Hypertext Transfer Protocol Secure) is designed to provide secure communication over a computer network by ensuring confidentiality, integrity, and authentication. 

However, it does not inherently provide non-repudiation, which is the assurance that a party cannot deny the authenticity of their signature or the sending of a message.

Reasons HTTPS Does Not Provide Non-Repudiation

  1. Ephemeral Session Keys: HTTPS relies on the TLS (Transport Layer Security) protocol, which uses ephemeral session keys for encrypting data during a session. These session keys are typically generated for the duration of a session and are not tied to a specific user identity in a verifiable way that can be used later to prove the origin of the data.

  2. Lack of Digital Signatures for Individual Messages: While HTTPS uses certificates to authenticate servers (and sometimes clients), the data transmitted during an HTTPS session is not individually signed with a digital signature that can be independently verified later. This means there is no cryptographic proof linking specific messages to a particular sender in a way that prevents denial.

  3. Session-Based Authentication: HTTPS sessions are authenticated at the beginning of the connection, but this authentication does not extend to non-repudiation because it does not provide a persistent, verifiable record of individual transactions or messages that can be independently audited.

  4. Potential for Shared Credentials: In some cases, credentials (such as passwords or even private keys) might be shared among multiple users or systems, making it difficult to attribute actions to a single entity definitively.

Technical Limitations

  • Symmetric Encryption: TLS primarily uses symmetric encryption for data transmission after the initial handshake. Symmetric encryption does not provide non-repudiation because both parties share the same secret key, and either could have generated the encrypted data.

  • Absence of Audit Trails: HTTPS does not create an immutable audit trail of user actions or transmitted data that can be used to prove the origin and integrity of specific transactions at a later time.

Achieving Non-Repudiation

To achieve non-repudiation, additional mechanisms beyond HTTPS are necessary, such as:

  • Digital Signatures: Implementing digital signatures for individual messages or transactions ensures that each piece of data is signed by the sender's private key, providing verifiable proof of origin.

  • Public Key Infrastructure (PKI): Utilizing PKI allows for the management of digital certificates and keys, enabling entities to sign data in a way that can be independently verified by others.

  • Audit Logs: Maintaining secure, tamper-evident logs of transactions can help provide evidence of actions taken, supporting non-repudiation.

answered Dec 31, 2024 by CaLLmeDaDDY
• 13,760 points
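The "Symmetric Encryption" and "Digital Signatures" points above are easy to see in code. The following Go program is an added example, not part of the question or the answer: HMAC-SHA256 stands in for the symmetric tag TLS puts on each record, Ed25519 stands in for a per-message signature, and the session key, key pairs and messages are all constructed for the demonstration. It shows that the receiver of a record protected only by a shared key can produce a tag for a message the sender never sent (so the tag proves nothing to a third party), while a signed receipt can be checked by an auditor holding only the public key and cannot be forged or altered by the peer.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Party is one endpoint of a session. SessionKey is shared with the peer
// (like a TLS record key); Priv never leaves the party; Pub can be handed to
// any third party such as an auditor. All values are constructed for the example.
type Party struct {
	Name       string
	SessionKey []byte
	Priv       ed25519.PrivateKey
	Pub        ed25519.PublicKey
}

// NewParty creates a party holding the shared session key plus a fresh
// long-lived signing key pair (hypothetical per-user key, not part of TLS).
func NewParty(name string, sessionKey []byte) (*Party, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{Name: name, SessionKey: sessionKey, Priv: priv, Pub: pub}, nil
}

// MACTag stands in for the symmetric integrity tag TLS puts on each record.
func MACTag(sessionKey, msg []byte) []byte {
	m := hmac.New(sha256.New, sessionKey)
	m.Write(msg)
	return m.Sum(nil)
}

// VerifyMAC checks a tag in constant time; anyone holding sessionKey can do this.
func VerifyMAC(sessionKey, msg, tag []byte) bool {
	return hmac.Equal(MACTag(sessionKey, msg), tag)
}

// ReceiverCanForgeTag shows why a shared key cannot prove origin: the receiver
// computes a tag for a message the sender never sent, and that tag verifies
// under the very same key the sender would have used.
func ReceiverCanForgeTag(sender, receiver *Party, claimed []byte) bool {
	forged := MACTag(receiver.SessionKey, claimed)
	return VerifyMAC(sender.SessionKey, claimed, forged)
}

// Receipt is a per-message signed record that can live in an audit log and be
// checked later by a third party holding only the signer's public key.
type Receipt struct {
	Signer ed25519.PublicKey
	Msg    []byte
	Sig    []byte
}

// Sign produces a receipt with the party's private key.
func Sign(p *Party, msg []byte) Receipt {
	return Receipt{Signer: p.Pub, Msg: msg, Sig: ed25519.Sign(p.Priv, msg)}
}

// AuditorVerify needs no secrets: only the public key, message and signature.
func AuditorVerify(r Receipt) bool {
	return ed25519.Verify(r.Signer, r.Msg, r.Sig)
}

// ReceiverCanForgeSignature models the receiver trying to manufacture a receipt
// attributable to the sender. Without the sender's private key the best it can
// do is sign with its own key, which does not verify against sender.Pub.
func ReceiverCanForgeSignature(sender, receiver *Party, claimed []byte) bool {
	attempt := Receipt{Signer: sender.Pub, Msg: claimed, Sig: ed25519.Sign(receiver.Priv, claimed)}
	return AuditorVerify(attempt)
}

// TamperedReceiptVerifies reports whether a receipt still verifies after one
// byte of the message is altered; with a real signature it must not.
func TamperedReceiptVerifies(r Receipt) bool {
	altered := append([]byte(nil), r.Msg...)
	altered[0] ^= 0x01
	return AuditorVerify(Receipt{Signer: r.Signer, Msg: altered, Sig: r.Sig})
}

func main() {
	sessionKey := []byte("constructed-shared-session-key-32") // constructed sample key
	client, _ := NewParty("client", sessionKey)
	server, _ := NewParty("server", sessionKey)
	order := []byte("transfer 100 EUR to IBAN-EXAMPLE") // constructed sample message

	fmt.Println("symmetric tag verifies:", VerifyMAC(sessionKey, order, MACTag(sessionKey, order)))
	fmt.Println("server can forge tag for an unsent order:", ReceiverCanForgeTag(client, server, []byte("transfer 1000 EUR to IBAN-EXAMPLE")))

	rcpt := Sign(client, order)
	fmt.Println("auditor verifies signed receipt:", AuditorVerify(rcpt))
	fmt.Println("tampered receipt verifies:", TamperedReceiptVerifies(rcpt))
	fmt.Println("server can forge client signature:", ReceiverCanForgeSignature(client, server, order))
}
```

The first two lines of output are both true: the tag is valid, and so is the one the server made up, which is exactly why a shared-key tag is worthless as evidence against the other key holder. The remaining checks are what a signed, logged receipt adds: it verifies for anyone with the public key, fails on a single altered byte, and cannot be produced by the peer. Real deployments also need the signed record to carry a timestamp and a nonce, and the signing key to be bound to an identity through PKI, as the answer's later bullets note.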
