TEE-Receipt: A TEE-Based Non-repudiation Framework for Web Applications
摘要
In web applications, transactions are vulnerable to repudiation by service providers seeking to evade legal and financial responsibilities. To safeguard users against such repudiation, verifiable evidence is essential in establishing transaction origin and confirming receipt. This paper introduces an asymmetric non-repudiation framework TEE-Receipt that leverages a Trusted Execution Environment (TEE) to counter potential server transaction repudiation and collect evidence without dependence on a third party. By considering the threat of dishonest server operators (often not considered in the state-of-the-art), we protect server secrets and conduct password-based user authentication and evidence collection all inside the TEE. This approach eliminates the need for a user to own a certified key pair. Also, TEE-Receipt offers a cost-effective deployment, requiring small software changes and a TEE-capable device. A prototype of TEE-Receipt is developed using Intel SGX as the TEE, and tested using WordPress. Performance evaluations demonstrate that TEE-Receipt introduces trivial overhead and provides satisfactory response time from the user’s perspective.