You Can’t Take It Back

A long time ago I wrote about the security fundamentals of the CIA triad (confidentiality, integrity and availability) along with authentication. Another fundamental is authorization, which we will discuss later. But a concept some consider a fundamental is "non-repudiation". It is really a combination of integrity and authentication, so it isn't a true fundamental in its own right, but it is an important concept and one some people may still be fuzzy about.

Consider this: Bob sends a message to his employee Alice informing her of a big raise. Alice is excited, but when her paycheck arrives, there's no raise. She confronts Bob and he denies sending the message. That is "repudiation": disavowing the message or its contents. Had Bob digitally signed the message, he could not plausibly have denied sending it, and Alice would have had the evidence she needed to get her raise.

A digital signature has two essential features (and in practice usually carries more, such as the time of signing and an identifier for the key used). The first is a hash of the message being signed. The second is that the hash is signed by the sender using his private key. Anyone holding the corresponding public key can recompute the hash of the message they received and verify the signature over it, which establishes both that the message is unchanged (integrity) and that it was signed by the holder of that private key (authentication), assuming the key hasn't been compromised, of course. One prominent standard for digital signatures is NIST's Digital Signature Standard (FIPS 186), which specifies the DSA, RSA and ECDSA algorithms.
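The hash-then-sign scheme just described, worked through on the Bob and Alice scenario. This is an added example and is not code from the original post or from GnuPG: it uses ECDSA over P-256 with SHA-256 from the Go standard library (ECDSA is one of the DSS algorithms), and the key pairs, the raise notice and the "altered" text are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Constructed sample message for the Bob/Alice scenario (not a real mail).
const raiseNotice = "Alice -- effective next month your salary goes up 10%. -- Bob"

// Sign implements the two essential features from the text: hash the
// message (SHA-256), then sign the digest with the sender's private key.
func Sign(priv *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// Verify recomputes the digest over the message actually received and checks
// the signature against the claimed sender's public key. A true result means
// the message is unchanged (integrity) and was signed by the holder of the
// matching private key (authentication); together that is what stops Bob
// from disowning the message.
func Verify(pub *ecdsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// Outcome collects the three checks a recipient cares about.
type Outcome struct {
	Genuine  bool // the signed message verifies under Bob's key (expected true)
	Tampered bool // an altered message still verifies (expected false)
	WrongKey bool // the signature verifies under someone else's key (expected false)
}

// RunScenario generates a key pair for Bob and one for an impostor, signs the
// notice as Bob, then verifies the genuine, tampered and wrong-key cases.
func RunScenario() (Outcome, error) {
	bob, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	impostor, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Outcome{}, err
	}

	msg := []byte(raiseNotice)
	sig, err := Sign(bob, msg)
	if err != nil {
		return Outcome{}, err
	}

	// Bob later claims he wrote "1%" rather than "10%": the altered text hashes
	// differently, so his own signature no longer verifies over it.
	altered := []byte("Alice -- effective next month your salary goes up 1%. -- Bob")

	return Outcome{
		Genuine:  Verify(&bob.PublicKey, msg, sig),
		Tampered: Verify(&bob.PublicKey, altered, sig),
		WrongKey: Verify(&impostor.PublicKey, msg, sig),
	}, nil
}

func main() {
	out, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine message verifies under Bob's key: %v\n", out.Genuine)
	fmt.Printf("altered message verifies under Bob's key: %v\n", out.Tampered)
	fmt.Printf("signature verifies under impostor's key:  %v\n", out.WrongKey)
}
```

Note what the verifier does and does not learn: a good signature proves the message was signed by whoever holds the private key matching the public key it was checked against. Deciding that this key really belongs to Bob is a separate problem, which is where a PKI or a web of trust comes in.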

Here is a signed message (using GnuPG):

Hi John --

I got word that I'm to teach 468 in Washington in a couple of
months.  That's great!  I'll stay over in the city the following
week and do some consulting work for the Folger Library.


This message was digitally signed.  If you are curious, or worried about
an "unknown attachment", see
All unencrypted communication by Internet, telephone, and fax is subject
to interception and archiving.  Corporate announcements of desire for
deletion by unintended recipients accomplish nothing.
PGP key fingerprint: 6EBE A241 1131 573C 944E  7FC3 1343 C15E 62FE 4DD1

And here is the corresponding signature:

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (OpenBSD)

[base64 signature data not preserved]
-----END PGP SIGNATURE-----
If I can verify the signature and I trust that the key is indeed Bob’s, he cannot repudiate the message. Bob Cromwell has a good discussion on verifying signatures here: I use Thunderbird for my email so I imported Bob’s key into my public keyring (collection of keys I know). When I loaded his message, Thunderbird said, “Good signature from Bob Cromwell <>”. (I had to go to the message source to see the signature as the Thunderbird-GnuPG combo automatically checked and verified the signature.)

Sig OK

Had Thunderbird not known Bob's key, I would have received a warning such as the one below (which was from a different sender):


Interestingly, Bob is the only person with whom I regularly correspond who signs his email. But I'm not one to talk, as I don't tend to do so myself. My email is not set up to sign automatically. It's simple to do, though: check a checkbox and publish my key. Here are the instructions for setting up signing and encryption in Thunderbird: The most time-consuming part is generating the key itself. There is one issue, though: signing is a problem for HTML email, which is what I tend to send by default, so I don't sign by default.

My Thunderbird is set up to reply to signed messages with signed messages and to encrypted messages with encrypted ones. Thunderbird uses OpenPGP via GnuPG, so the signatures are in OpenPGP format; they are not interchangeable with S/MIME signatures, even though OpenPGP supports DSA, one of the algorithms in the DSS.

Of course there is a lot more to digital signing than just implementing it. There is the issue of trusting keys, for instance: a good signature only tells you that the message was signed by whoever holds the private key, and you still need a reason to believe that key belongs to Bob. Many public key systems rely on a Public Key Infrastructure (PKI) with certificate authorities, while GnuPG uses a web of trust. I'll cover those issues more in future posts, but you can learn much more about them in Learning Tree course 468, System and Network Security. And one can sign files in addition to email, too.

When do you sign messages and what tools do you use? Let us know in the comments below.
