In web applications, transactions are vulnerable to repudiation by service providers seeking to evade legal and financial responsibilities. To safeguard users against such repudiation, verifiable evidence is essential in establishing transaction origin and confirming receipt. This paper introduces an asymmetric non-repudiation framework TEE-Receipt that leverages a Trusted Execution Environment (TEE) to counter potential server transaction repudiation and collect evidence without dependence on a third party. By considering the threat of dishonest server operators (often not considered in the state-of-the-art), we protect server secrets and conduct password-based user authentication and evidence collection all inside the TEE. This approach eliminates the need for a user to own a certified key pair. Also, TEE-Receipt offers a cost-effective deployment, requiring small software changes and a TEE-capable device. A prototype of TEE-Receipt is developed using Intel SGX as the TEE, and tested using WordPress. Performance evaluations demonstrate that TEE-Receipt introduces trivial overhead and provides satisfactory response time from the user’s perspective.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

TEE-Receipt: A TEE-Based Non-repudiation Framework for Web Applications

  • Mahmoud Hofny,
  • Lianying Zhao,
  • Mohammad Mannan,
  • Amr Youssef

摘要

In web applications, transactions are vulnerable to repudiation by service providers seeking to evade legal and financial responsibilities. To safeguard users against such repudiation, verifiable evidence is essential in establishing transaction origin and confirming receipt. This paper introduces an asymmetric non-repudiation framework TEE-Receipt that leverages a Trusted Execution Environment (TEE) to counter potential server transaction repudiation and collect evidence without dependence on a third party. By considering the threat of dishonest server operators (often not considered in the state-of-the-art), we protect server secrets and conduct password-based user authentication and evidence collection all inside the TEE. This approach eliminates the need for a user to own a certified key pair. Also, TEE-Receipt offers a cost-effective deployment, requiring small software changes and a TEE-capable device. A prototype of TEE-Receipt is developed using Intel SGX as the TEE, and tested using WordPress. Performance evaluations demonstrate that TEE-Receipt introduces trivial overhead and provides satisfactory response time from the user’s perspective.