How can you differentiate between authenticity and non authenticity?

Asked by AlGerman in Cyber Security, asked on Oct 19, 2022

What is the difference between authenticity and non-repudiation?

I was going through the meaning of these two and an article had a paragraph with the following lines - Authenticity means that its origin can be identified. Proof of existence allows us to identify a time reference when the document existed. Non-repudiation prevents an originator from repudiating that he is the origin of a document.


Answered by Andrea Bailey

Why would you want non-authenticity?

To prove that a person said a particular sentence, typed a specific phrase, or performed a specific action. To repudiate is to claim that whatever was said, typed, communicated, or performed was not done by you (or the person in question).

If someone claims that George Carlin used swear words, and George Carlin attempts to repudiate the claim, it is easy to prove that he has used swear words. There is evidence that George Carlin has used swear words. If George Carlin cannot repudiate the claim about swear words, the evidence provides non-repudiation.

Non-repudiation is an active attempt to create artifacts which may be used against an identified person who is denying that they are the origin of a communication or action. The artifacts are identity, authentication of the identity, and something connecting a communication or action to the identity.

In the George Carlin example there are legal documents that record the testimony of many witnesses who identified and authenticated George Carlin and witnessed him using swear words. This is a passive and accidental production of artifacts connecting an action to an identity.

In security we want active purposeful production of artifacts that may assist in a non-repudiation argument. In order to do that we must identify an entity, authenticate the identity and connect the identified entity to a specific action or communication.

Some people use public/private key certificates to sign their email. By using their email address they are providing identification. Their use of a private key (to sign the email) provides authentication as long as the private key is known only by the individual. When they sign an email with their digital signature they are connecting the content of the e-mail to the identity authenticated by the certificate. These artifacts may assist in preventing an individual from repudiating the contents of the e-mail; "I never sent that email." However, to repudiate the e-mail a sender may claim that their private key was stolen (known by another party) and the thief sent the email.

Why would you want authentication?

To know that an email, piece of software, web site, or other item originated from a specific person, computer system, or company. Generally you are using the identity of origin as part of a decision about trust.

If an email comes from your bank and you authenticate the e-mail, you place a certain amount of trust in the contents. If an email comes from an adversary, but claims to come from your bank, and you are unable to authenticate the e-mail, you distrust the contents of the e-mail.

Authentication is used to verify identity. Identity is the claim that an individual is a specific person. Authentication is an attempt to verify a claim about identity. I can claim to be Margaret Thatcher, but since I am not Margaret Thatcher I should not be able to authenticate my claim.
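
The distinction in code, as an added example that is not part of the answer above: a shared-key HMAC authenticates a message to the receiver but cannot support non-repudiation, while a signature made with a key only the sender holds can. A Lamport one-time signature built on SHA-256 is used here as a standard-library stand-in for the certificate-based e-mail signatures the answer describes; the messages and function names are constructed for illustration.

```python
import hashlib, hmac, secrets

def H(data):
    return hashlib.sha256(data).digest()

def mac_tag(shared_key, msg):
    # Shared-key MAC: sender and receiver hold the same secret.
    return hmac.new(shared_key, msg, hashlib.sha256).digest()

def mac_verify(shared_key, msg, tag):
    return hmac.compare_digest(mac_tag(shared_key, msg), tag)

def digest_bits(msg):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def lamport_keygen():
    # Private key: 256 pairs of random secrets; public key: their hashes.
    priv = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pub = [(H(a), H(b)) for a, b in priv]
    return priv, pub

def lamport_sign(priv, msg):
    # One-time scheme: each key pair may sign exactly one message.
    return [priv[i][bit] for i, bit in enumerate(digest_bits(msg))]

def lamport_verify(pub, msg, sig):
    if len(sig) != 256:
        return False
    return all(hmac.compare_digest(H(s), pub[i][bit])
               for i, (bit, s) in enumerate(zip(digest_bits(msg), sig)))

def demo():
    msg = b"I agree to pay 100"       # constructed sample message
    other = b"I agree to pay 9999"    # text the sender never wrote
    shared = secrets.token_bytes(32)
    priv, pub = lamport_keygen()
    sig = lamport_sign(priv, msg)
    return {
        # Authenticity: the receiver can check the tag came from a key holder.
        "mac_accepts_genuine": mac_verify(shared, msg, mac_tag(shared, msg)),
        # No non-repudiation: the receiver holds the same key, so a valid tag
        # on any text proves nothing to a third party about who wrote it.
        "receiver_can_tag_other_text": mac_verify(shared, other, mac_tag(shared, other)),
        # Signature: anyone holding the public key can verify it ...
        "sig_accepts_genuine": lamport_verify(pub, msg, sig),
        # ... and it does not carry over to text the key holder never signed.
        "sig_accepts_other_text": lamport_verify(pub, other, sig),
    }
```

As the answer notes, the signature only binds the message to the key; the binding to a person still depends on the private key having stayed with that person.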


