Research on Non-repudiation service By Yi Zhang

Upload: melvin-russell

Post on 24-Dec-2015


Page 1: Research on Non-repudiation service By Yi Zhang. Motivation of Non-repudiation In paper-based business Electronic business transactions Less physical

Research on Non-repudiation service

By Yi Zhang

Motivation of Non-repudiation

- In paper-based business
- Electronic business transactions
  - Less physical evidence
  - The availability of sophisticated technologies
- Parties potentially involved in a dispute should be able to obtain sufficient evidence to establish what had actually happened

What is non-repudiation

- The goal of a non-repudiation service
- Digital signature is vulnerable to replay attacks
- Sender authentication does not guarantee that messages were not modified
- Non-repudiation service requires both

Model of Non-Repudiation

[Figure: direct transmission between Sender and Receiver; evidence labels NRO, NRS, NRR, NRD]

Model of Non-Repudiation

[Figure: indirect transmission from Sender to Receiver via a delivery authority; evidence labels NRO, NRS, NRR, NRD]

Technology Overview

- Message Authentication
  - Message Authentication Code (MAC)
  - Digital Signature
- Sender/Receiver Authentication
  - Username and Password
  - SSL Server and Client

Technology Overview

- SOAP (Simple Object Access Protocol)
  - XML based protocol
  - An envelope
  - A set of encoding rules
  - A convention for representing remote procedure calls and responses
  - A simple SOAP sample
- SOAP-DSIG appends digital signatures to SOAP

Request Example

HTTP header followed by SOAP message.

POST /order HTTP/1.1
Host: www.onlinetrade.com
Content-Type: text/xml; charset="UTF-8"
Content-Length: nnnn
SOAPAction: "http://www.onlinetrade.com/order#buy"

……

SOAP message

Response Example

HTTP/1.1 200 OK
Content-Type: text/xml; charset="UTF-8"
Content-Length: nnnn

……

SOAP message

Satisfaction of Non-repudiation service

- Exchanging the above HTTP messages over SSL.
- To guarantee the signer of a SOAP message is the same as the sender
  - The private key used to sign the order should be the same for SSL client authentication.
  - The private key used to sign the receipt should be the same for SSL server authentication
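
The signer-equals-sender check from this slide, as an added example that is not part of the original slides: a receiver compares the certificate carried in the SOAP header's ds:KeyInfo with the certificate the peer authenticated with over SSL. Assumptions: the signature itself is verified separately, the message carries its certificate in ds:X509Certificate, the function names are hypothetical, and the "certificates" are constructed stand-in bytes. Comparing whole certificates is stricter than comparing keys.

```python
import base64
import hmac
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed stand-ins for DER certificates (not real X.509 data).
ALICE_DER = b"constructed-stand-in-for-alice-certificate"
MALLORY_DER = b"constructed-stand-in-for-mallory-certificate"


def build_order(cert_der: bytes) -> bytes:
    """Constructed sample order; SignedInfo and SignatureValue are omitted."""
    b64 = base64.b64encode(cert_der).decode()
    return (
        f'<e:Envelope xmlns:e="{SOAP_NS}" xmlns:ds="{DSIG_NS}"><e:Header>'
        f"<ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{b64}"
        "</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>"
        "</e:Header><e:Body><buy/></e:Body></e:Envelope>"
    ).encode()


def signer_cert_der(soap_xml: bytes) -> bytes:
    """Return the DER certificate carried in the SOAP header's ds:KeyInfo."""
    header = ET.fromstring(soap_xml).find(f"{{{SOAP_NS}}}Header")
    if header is None:
        raise ValueError("no SOAP Header, so no signature")
    certs = list(header.iter(f"{{{DSIG_NS}}}X509Certificate"))
    if len(certs) != 1:
        # Zero or several candidate certificates: refuse rather than guess.
        raise ValueError(f"expected one X509Certificate, found {len(certs)}")
    der = base64.b64decode("".join((certs[0].text or "").split()), validate=True)
    if not der:
        raise ValueError("empty X509Certificate")
    return der


def signer_is_sender(soap_xml: bytes, tls_peer_der) -> bool:
    """True only if the signing certificate is the one authenticated by SSL.

    tls_peer_der is what ssl.SSLSocket.getpeercert(binary_form=True) returns,
    which is None when the peer presented no certificate.
    """
    if not tls_peer_der:
        return False
    try:
        claimed = signer_cert_der(soap_xml)
    except (ValueError, ET.ParseError):
        return False
    return hmac.compare_digest(claimed, tls_peer_der)
```

The same comparison applies on the client side to the receipt, using the server certificate from the SSL handshake.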