General Security Concepts · SY0-701 · Task 1.2

Non-repudiation — SY0-701

Non-repudiation for CompTIA Security+ SY0-701: definition, how digital signatures provide it, and how it differs from authentication.

WHAT IT IS

Non-repudiation is a security service that provides assurance of the integrity and origin of data in such a way that the integrity and origin can be verified and validated by a third party as having originated from a specific entity in possession of the private key (FIPS 186-5). In operational terms, it is protection against an individual falsely denying having performed a particular action — such as creating information, sending a message, approving information, or receiving a message (CNSSI 4009-2015).

The mechanism that provides non-repudiation is the digital signature: the result of a cryptographic transformation of data that, when properly implemented, provides a mechanism for verifying origin authentication, data integrity, and signatory non-repudiation (FIPS 186-5).

Mental model

Think of a notarized contract. The notary's stamp does not prove the signer is who they claim to be at the moment of signing — that is authentication's job. The stamp creates independently verifiable evidence that this specific person signed this specific document at this specific time, evidence that can be presented to a third party who was not present. Non-repudiation is the property that makes "I didn't sign that" an unsustainable claim, because the cryptographic evidence is separable from both parties and verifiable by anyone with the public key.

When to use it

Candidates regularly confuse non-repudiation with authentication because both involve proving identity. The distinction is when the proof applies and who can verify it.

Property        | Core question                                                    | Requires third-party verifiability?                        | Mechanism
----------------|------------------------------------------------------------------|------------------------------------------------------------|----------------------------------------
Authentication  | Is this entity who they claim to be right now?                   | No — point-in-time verification between parties            | Passwords, MFA, certificates, tokens
Non-repudiation | Can a third party later prove this entity performed this action? | Yes — evidence must hold up outside the original session   | Digital signature tied to a private key

Authentication answers a present-tense question about identity. Non-repudiation answers a past-tense question about a performed action — and the answer must be defensible to a third party who was absent.

NIST SP 800-57 Part 1 Rev. 5 defines non-repudiation specifically as "a service using a digital signature that is used to support a determination by a third party of whether a message was actually signed by a given entity." Third-party verifiability is definitional, not incidental.

Integrity is also related but distinct: FIPS 200 defines integrity as "guarding against improper information modification or destruction" and notes it "includes ensuring information non-repudiation and authenticity" — meaning non-repudiation is a component that integrity-related controls can provide, not a synonym for integrity itself.

COMMON MISCONCEPTION

The exam exploits the confusion between non-repudiation and authentication by presenting scenarios where identity is verified and asking which property is satisfied. Candidates select "authentication" when the scenario actually describes evidence that could be presented to a third party after the fact.

The trap: authentication can be satisfied without non-repudiation. A shared password or a symmetric key authenticates a session, but because both parties hold the same secret, neither can prove to a third party which one performed the action. Non-repudiation requires an asymmetric mechanism — specifically a digital signature — where only one entity possesses the private key used to produce the signature. NIST SP 800-57 Part 1 Rev. 5 explicitly ties non-repudiation to digital signatures for this reason.

A second, subtler misconception is treating non-repudiation as a confidentiality property. It is not. A digital signature provides origin authentication, data integrity, and signatory non-repudiation (FIPS 186-5) — not confidentiality. Encrypting data and signing data are separate operations that address separate properties.

How it shows up on the exam

The cognitive target is distinguishing non-repudiation from closely adjacent concepts — particularly authentication and integrity — in a scenario context.

Signal phrases that point toward non-repudiation:

  • "prove that a specific party sent / approved / received"
  • "third party can verify"
  • "cannot deny"
  • "digital signature"
  • "private key"

Candidates often encounter a scenario describing a digital signature on an email or document and must identify which security property is provided. Because integrity is also a correct-sounding answer (signatures do protect integrity), the question tests whether the candidate recognizes that non-repudiation is the more specific and complete property that a digital signature provides — including the third-party verifiability dimension that integrity alone does not cover.

NIST SP 800-18 Rev. 1 frames non-repudiation as the assurance that "the sender of information is provided with proof of delivery and the recipient is provided with proof of the sender's identity, so neither can later deny having processed the information." Questions may describe either the sender's side or the recipient's side of this — both are non-repudiation scenarios.

Related concepts

  • CIA Triad — Non-repudiation is closely associated with integrity; FIPS 200 explicitly includes non-repudiation as a component of what integrity controls provide.
  • AAA Framework — Authentication (the first A) is the property most commonly confused with non-repudiation; accountability (tracing actions uniquely to an entity) is the AAA property non-repudiation supports.
  • Zero Trust — Zero trust architectures rely on continuous verification; non-repudiation provides the cryptographic evidence layer that makes identity claims durable beyond a single session.

Sources

Every claim on this page traces to the public exam blueprint and official documentation.
