Does anyone know of any solutions being researched in NZ or OZ re Repudiation attack prevention ?

Discussion in 'NZ Computing' started by Ramon, Aug 11, 2005.

  1. Ramon

    Ramon Guest

    Hello .. strange question I know, I have to research this but I really
    have no clue where to start, other than google, and the most useful
    info I get from that is RFC from Allied Telesyn.
    I have to find "Solutions being researched to prevent or reduce the
    likelihood, and organization risk, of a repudiation attack within New
    Zealand and Australia." specifically.

    Can anyone help .. or point me in the right direction ??
    Thanks
     
    Ramon, Aug 11, 2005
    #1

  2. Ramon

    Tim Guest

    Try googling non-repudiation - many hits.
    Try googling Repudiation Attack - I get many hits.

    Repudiation by itself has a lot of connotations and interpretations
    depending on context but is (to me) also a rarely used term, so step one I
    would suggest would be to understand the question further. It certainly
    would help me :)

    If you want material on non-repudiation with regard to secure
    communications, try Applied Cryptography by Bruce Schneier - your local Uni
    should have a copy. Bruce goes into detail in his book into many things
    including how to have secure communications where the sender can not deny
    sending... or agreeing or transacting...

    The term "Repudiation Attack" is to me one of these marvelously vague terms
    (visions of a shop being inundated with thousands of stupid people and
    grinding it to a halt), so a google on "Repudiation Attack Definition"
    (without the quotes) revealed a lot of references with the following NZ link
    at the top:

    http://www.e-government.govt.nz/docs/authentication-bpf/chapter5.html

    If this answer doesn't get you any further, then narrowing the field a
    little may help.

    HTH
    - Tim



    "Ramon" <> wrote in message
    news:...
    > Hello .. strange question I know, I have to research this but I really
    > have no clue where to start, other than google, and the most useful
    > info I get from that is RFC from Allied Telesyn.
    > I have to find "Solutions being researched to prevent or reduce the
    > likelihood, and organization risk, of a repudiation attack within New
    > Zealand and Australia." specifically.
    >
    > Can anyone help .. or point me in the right direction ??
    > Thanks
    >
     
    Tim, Aug 11, 2005
    #2

  3. Ramon

    Ramon Guest

    Thank you for your help .. the e-government link was useful :) . I am
    still in a quandary about the "research into solutions" side of things.
    As far as I know there is digital signatures and encryption... but what
    else ?
    I guess I was a little vague in my question sorry.
    But again thank you for your help I will be able to quote the
    definition from that site :)
     
    Ramon, Aug 11, 2005
    #3
  4. Ramon

    Stu Fleming Guest

    Re: Does anyone know of any solutions being researched in NZ or OZ re Repudiation attack prevention ?

    Ramon wrote:
    > Thank you for your help .. the e-government link was useful :) . I am
    > still in a quandary about the "research into solutions" side of things.
    > As far as I know there is digital signatures and encryption... but what
    > else ?
    > I guess I was a little vague in my question sorry.
    > But again thank you for your help I will be able to quote the
    > definition from that site :)
    >


    I do some work on non-repudiation with respect to group authentication and
    biometrics. There's some stuff at
    http://www.cs.otago.ac.nz/research/techreports.html
    reports OUCS-2004-21, OUCS-2004-16 and OUCS-2004-17

    --
    IT Management. Tel: +64 3 479 5478
    Web and database hosting, Co-location. Web: http://www.wic.co.nz
    Software development. Email:
     
    Stu Fleming, Aug 11, 2005
    #4
  5. I remember Michael Wigley of Wigley and Company law firm
    (http://www.wigleylaw.com) talking about this when he spoke for us at
    polytech. Perhaps he would be a good contact to talk about these things
    with, he's very knowledgeable in the area of IT law and things relating
    to it.

    Regards,
    Waylon.
     
    Waylon Kenning, Aug 12, 2005
    #5
  6. Ramon

    Tim Guest

    The concept of a Repudiation attack is interesting and I think one that
    should be brought forward.
    The very use of ordinary signatures, contracts, wax seals, and so on in
    history opens things a bit, but many companies perhaps do not give thought
    to what would happen if they were subjected suddenly to say an attack using
    conventional business with electronic transactions (many have no form of
    Non-Repudiation), email purchase requests, online purchase requests and so
    on. Most businesses protect themselves simply by not accepting orders from
    people without payment or credit rating.

    As a concept it is important. Everyone has to protect themselves against the
    customer that denies ordering, or refuses to pay, or entraps one in work.
    This happened to me once (all 3 by the one tosser), but the concept of an
    orchestrated attack is new. Well, it's not - I was certain after dealing with
    the fellow that he systematically would do what he was doing hoping that he
    would not get taken to court because he persistently did it with small
    orders... so that adds another slant to it IE the 1 to N attack rather than
    the N to 1 attack. This is commonly known as fraud I think. Cripes the
    fellow used many facets of social engineering to achieve his goal - he even
    presented himself as running a substantial business, having an MBA, being
    fluent in computing and so on - he was none of these things.

    Solutions:

    Define the types of problems.
    For each look for common solutions.

    Common techniques:

    Contract Law & Contracts, Terms and Conditions of Business, etc.
    Order forms requiring signatures.
    Secure online systems using SSL using Customer Accounts, secret passwords.
    + Encryption
    + Hashing
    + Cryptography in general
    + Non-Repudiation facilities created by using the above.
    - Hacking
    - Insecure systems
    - Code Injection
    - Passwords, Accounts, secret info not stored using encryption and / or
    stored when it should not be
    EG passwords should not be stored, Credit Card numbers must be encrypted
    or asked for every time.
    etc.
    Cash only purchases.
    Receipts.


    - Tim


    "Ramon" <> wrote in message
    news:...
    > Thank you for your help .. the e-government link was useful :) . I am
    > still in a quandary about the "research into solutions" side of things.
    > As far as I know there is digital signatures and encryption... but what
    > else ?
    > I guess I was a little vague in my question sorry.
    > But again thank you for your help I will be able to quote the
    > definition from that site :)
    >
     
    Tim, Aug 12, 2005
    #6
  7. Ramon

    Ramon Guest

    Interesting report.

    I can see that there is not going to be a single "solution" but more of
    a layered approach, for example digital signatures with keystroke
    pattern recognition.
    Using the Bio-metric security enhancements in the repudiation arena
    seems to have a hole... the need for both the receiver and sender to
    have the bio-metric data, this would be the case even with the
    keystroke pattern recognition.

    Thanks
     
    Ramon, Aug 12, 2005
    #7
  8. Ramon

    Ramon Guest

    Thanks for that :)
    I have had a look through their website and found some good articles in
    regards to the legal implications of non-repudiation in data storage.

    I won't contact Michael Wigley until I have exhausted other resources
    first (never bug a lawyer ! ) hehe

    Thanks Again
     
    Ramon, Aug 12, 2005
    #8
  9. Ramon

    Ramon Guest

    Another thing that I thought, is without the bio-metric layer in a
    non-repudiation solution, repudiation can still happen. You can not
    tell who the person is at the keyboard. This is a problem because the
    "repudiator" can simply say they did not send it even if it came from
    their PC.

    Just a thought
     
    Ramon, Aug 12, 2005
    #9
  10. Ramon

    Ramon Guest

    I agree the "attack" is a new concept (well new to me) Obviously the
    phrase "I didn't do it, nobody saw me do it" (Bart Simpson) has been
    around since mischief began. But a concentrated pre-meditated attack
    does give rise to some interesting questions, the main ones being..
    how do we stop it ?, how do we detect it ?, how do we prove it ? and
    how do we protect against it ?
    I guess that is the main thrust of this research report, what are the
    solutions for New Zealand, and what is being researched in this area.
    Also interesting point, repudiation occurs in many forms, not just in
    electrical communication.

    Thanks
     
    Ramon, Aug 12, 2005
    #10
  11. Ramon

    Ramon Guest

    The electronic wallet is an excellent idea ! (OUCS-2004-17) In the
    example you gave was it a physical "tamper proof" device? How would you
    use the same concept to provide authentication without physical contact
    ?
    I wonder if this requires a third party, one that can authenticate the
    biometric data from both parties. I suppose in essence that's what the
    "wallet" is (see
    http://www.cs.otago.ac.nz/research/publications/oucs-2004-17.pdf ) It
    is very communication dependent .. ie the sender needs to let the
    receiver know when / how to pick it up. I wonder if the only "safe" way
    of authenticating is physical.
     
    Ramon, Aug 12, 2005
    #11
  12. Ramon

    Ramon Guest

    Just think about this further, the "wallet" would have to have the
    biometric information of both the sender and receiver beforehand (so
    sender can specify who receiver is) which brings me back to the
    distributed bio-data problem. ... wouldn't it be easier to have an
    international person database .... (enter the "spoofing" and "big
    brother" debates) :)
     
    Ramon, Aug 12, 2005
    #12
  13. Ramon

    Ramon Guest

    Ramon, Aug 12, 2005
    #13
  14. Ramon

    Stu Fleming Guest

    Re: Does anyone know of any solutions being researched in NZ or OZ re Repudiation attack prevention ?

    Ramon wrote:
    > http://www.anu.edu.au/people/Roger.Clarke/DV/DigSig.html
    > Very interesting report, his conclusions are that Digital Signatures
    > will inevitably be Bio-metric.


    Yes, but the more important thing is that the raw biometric data must be
    protected by strong encryption and/or divided so that it requires presence of
    both the authenticating party and the authentication requester.

    If you want to do it online, then you need to establish a chain of trust
    between the authenticating party (e.g. user) and the authenticator (e.g. web
    site). That's what both methods in the paper do - the group authentication
    with split certificates and the electronic wallet with tamper-proof smartcard.

    Regards,
    Stu


    --
    IT Management. Tel: +64 3 479 5478
    Web and database hosting, Co-location. Web: http://www.wic.co.nz
    Software development. Email:
     
    Stu Fleming, Aug 13, 2005
    #14
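
An added example, not part of the thread and not the scheme from the OUCS reports: one way to "divide" a raw biometric template so that it can only be rebuilt when both the user's record and the verifier's record are present. The function names (`enrol`, `recombine`), the record layout and the sample template are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def _xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("shares must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def enrol(template: bytes):
    """Split a template 2-of-2; returns (user_record, verifier_record)."""
    user_share = secrets.token_bytes(len(template))  # random one-time pad
    verifier_share = _xor(template, user_share)      # reveals nothing alone
    mac_key = secrets.token_bytes(32)
    tag = hmac.new(mac_key, template, hashlib.sha256).digest()
    # The tag and its key are stored on opposite sides, so neither side
    # alone can test guesses of the template against a check value.
    user_record = {"share": user_share, "tag": tag}  # e.g. on a smartcard
    verifier_record = {"share": verifier_share, "mac_key": mac_key}
    return user_record, verifier_record


def recombine(user_record: dict, verifier_record: dict) -> bytes:
    """Rebuild the template; needs both records and rejects altered shares."""
    template = _xor(user_record["share"], verifier_record["share"])
    expected = hmac.new(verifier_record["mac_key"], template,
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, user_record["tag"]):
        raise ValueError("shares tampered with or from different enrolments")
    return template


def demo():
    template = bytes.fromhex("3fa9c1047be2d85566a01c9e72b4d0ef")  # constructed
    user, verifier = enrol(template)
    rebuilt_ok = recombine(user, verifier) == template
    # Flip one bit of the user's share: recombination must be refused.
    bad_share = bytes([user["share"][0] ^ 1]) + user["share"][1:]
    try:
        recombine(dict(user, share=bad_share), verifier)
        rejected = False
    except ValueError:
        rejected = True
    return rebuilt_ok, rejected


if __name__ == "__main__":
    print(demo())
```
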