Non-repudiation is probably the most overlooked basic security principle, quite possibly because it is the most difficult to implement. Non-repudiation is the concept that after a transaction has taken place, neither party can later claim not to have been part of the transaction; i.e., the transaction is now provable.
Why is this important? Imagine that you could call up your bank, and say, "Hey, what's this ATM withdrawal for 200 bucks? That wasn't me!" What does your bank do? They can check their audit trail, to see if they snapped a picture of you while you were taking out money - another form of authentication. If they didn't, or all that showed up was a guy in a baseball hat, they'll probably cancel your ATM card, and refund your money. You've repudiated the transaction. They lose. Maybe.
One form of non-repudiation is through unshareable secrets. If you have one - say, your ATM card - then repudiating a transaction requires repudiating every transaction you've made since then. In a world of trust, this could be too expensive for the repudiator.
A trusted third party (TTP) is essential for a large system which requires non-repudiation. In these systems, each transaction requires both parties to authenticate themselves to the TTP, who then maintains an audit record of the transaction - allowing neither party to claim a non-existent transaction, or dispute a real one.
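As an added illustration of the TTP scheme just described (example code, not from the original page), the Go program below has each party sign the transaction with its own Ed25519 key; the TTP files an audit record only when both signatures verify, and can later prove or deny a party's participation. The party names, transaction fields and the key-registration step are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Transaction is the statement both parties must sign before the TTP files it.
type Transaction struct{ ID, Payer, Payee string; Amount int }
// Record is one audit entry: the transaction plus each party's signature over it.
type Record struct{ Tx Transaction; Sigs map[string][]byte }
// TTP holds each party's registered public key and the append-only audit log.
type TTP struct{ Keys map[string]ed25519.PublicKey; Log []Record }
// Canonical is the exact byte string that is signed and later verified.
func Canonical(tx Transaction) []byte { b, _ := json.Marshal(tx); return b }
// Sign is done by each party with its own private key, which is never shared.
func Sign(priv ed25519.PrivateKey, tx Transaction) []byte { return ed25519.Sign(priv, Canonical(tx)) }
// verify is true only if party is registered and sig is its signature over tx.
func (t *TTP) verify(party string, tx Transaction, sig []byte) bool {
	pk, ok := t.Keys[party]
	return ok && sig != nil && ed25519.Verify(pk, Canonical(tx), sig)
}

// File appends to the audit log only when both parties' signatures check out.
func (t *TTP) File(tx Transaction, payerSig, payeeSig []byte) error {
	if !t.verify(tx.Payer, tx, payerSig) || !t.verify(tx.Payee, tx, payeeSig) {
		return fmt.Errorf("transaction %s: missing or invalid party signature", tx.ID)
	}
	t.Log = append(t.Log, Record{tx, map[string][]byte{tx.Payer: payerSig, tx.Payee: payeeSig}})
	return nil
}

// Prove settles a later dispute: true only if the log holds party's own signature over that transaction.
func (t *TTP) Prove(id, party string) bool {
	for _, r := range t.Log {
		if r.Tx.ID == id && t.verify(party, r.Tx, r.Sigs[party]) {
			return true
		}
	}
	return false
}
func main() {
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)
	bankPub, bankPriv, _ := ed25519.GenerateKey(rand.Reader)
	ttp := &TTP{Keys: map[string]ed25519.PublicKey{"alice": alicePub, "bank": bankPub}}
	tx := Transaction{ID: "atm-0001", Payer: "alice", Payee: "bank", Amount: 200} // constructed sample
	fmt.Println("filed:", ttp.File(tx, Sign(alicePriv, tx), Sign(bankPriv, tx)) == nil)
	fmt.Println("alice provably took part:", ttp.Prove(tx.ID, "alice"))
}
```

Because the TTP keeps the signed statement rather than a shared secret, a party's later denial can be checked against a signature only its own key could have produced.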