0

If I download https://example.com/foo.txt, how can I prove to a third party that I got it from https://example.com?

I understand that their private key is used to secure the channel, rather than to sign the content of URLs.

Is there a way of downloading https://example.com/foo.txt and providing a chain of proof that my foo.txt was obtained from https://example.com?

fadedbee
  • Dupe https://crypto.stackexchange.com/questions/60233/does-the-server-signs-message-body-after-ssl-handshake and more linked there, some of which are already automatically shown at the right of this page. – dave_thompson_085 Mar 22 '22 at 00:26

1 Answer

1

Well, the simple truth is: you can't use encryption to do non-repudiation.

At best, encryption techniques prove authenticity:

  • For AEAD and stand-alone message authentication codes, this is achieved through a MAC Tag.

  • For public-key encryption and key exchanges, this is done through padding and key confirmation.

Even if you get the full transcript of the transfer from the server, the disproving party can still substitute the content of the transfer with their own using the symmetric key associated with the transfer transcript, so there's no way to do non-repudiation.

More importantly, non-repudiation is a transferable proof of authenticity and integrity originating from the owner of the public key. This transferability is not something that can be achieved with just encryption - you need a digital signature for this.

DannyNiu
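The distinction drawn in the answer above, as an added example that is not part of the original post: a tag computed under a key both endpoints hold verifies equally well for content the client invents, while a signature made for the served content does not transfer to other content. HMAC-SHA256 stands in for the TLS record authentication and a Lamport one-time signature stands in for a server-side digital signature; both choices, all function names and the sample contents are assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets

# Part 1: MAC under a shared session key (stand-in for TLS record protection;
# real TLS derives its keys in the handshake and uses an AEAD).
def mac_tag(session_key: bytes, body: bytes) -> bytes:
    return hmac.new(session_key, body, hashlib.sha256).digest()

def mac_verify(session_key: bytes, body: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_tag(session_key, body), tag)

# Part 2: Lamport one-time signature built from SHA-256 (one message per key).
def _bits(msg: bytes):
    d = hashlib.sha256(msg).digest()
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def lamport_keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in sk]
    return sk, pk

def lamport_sign(sk, msg: bytes):
    # Reveal one secret preimage per bit of the message digest.
    return [sk[i][b] for i, b in enumerate(_bits(msg))]

def lamport_verify(pk, msg: bytes, sig) -> bool:
    return all(hashlib.sha256(s).digest() == pk[i][b]
               for i, (s, b) in enumerate(zip(sig, _bits(msg))))

def demo():
    session_key = secrets.token_bytes(32)        # held by server AND client
    served = b"contents of foo.txt as served"    # constructed sample
    altered = b"contents the client made up"     # constructed sample
    server_tag = mac_tag(session_key, served)
    client_tag = mac_tag(session_key, altered)   # needs no server secret
    # A third party handed the key cannot tell which endpoint made which tag.
    mac_ok = (mac_verify(session_key, served, server_tag),
              mac_verify(session_key, altered, client_tag))
    sk, pk = lamport_keygen()                    # sk stays with the signer
    sig = lamport_sign(sk, served)
    sig_ok = (lamport_verify(pk, served, sig),
              lamport_verify(pk, altered, sig))
    return mac_ok, sig_ok

if __name__ == "__main__":
    print(demo())
```

Both MAC checks pass, so the tag says nothing about which endpoint produced the content; the signature check passes only for the content that was actually signed.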