A blog post by Steven Sprague, CEO, Rivetz Corp.
The transition to multifactor authentication is providing a solid platform for a new model of e-commerce: a model that is more than just proof that the user knows a secret, but one that assures the platform is a known device in a known condition with a known user. Rivetz has developed a new model for advanced assurance built on the benefits of embedded security and the new API fabric supported by all cyber security controls. Hundreds of millions of modern computing devices support an embedded trusted execution environment (TEE). Rivetz has developed the framework to integrate strong authentication, instructions and strong attestation for both internal and external device attributes. Active, real-time monitoring of cyber security controls provides the real-time decision data that should be part of any financial transaction. Rivetz delivers the service that can assure the state of the device is in a known and provable condition. The Rivetz Easyauth service integrates with many existing standard authentication services and provides enhanced cyber controls fully integrated into the transaction.
Securing the Bitcoin wallet is not enough. Web wallets and multisig offer real value in protecting accounts. However, two-factor authentication has recently failed because the phone number can be stolen. The criminals are finding the cracks in the systems. Simple two-factor authentication is no longer enough: while the user is identified, the device is not. It is critical that the device is in a known good condition and that the cyber controls are in place when access is granted to sensitive data and services.
Rivetz is introducing new models of cyber security to enhance the quality and security of a transaction. These technologies are all part of a continuum built from a strong foundation of trusted execution and the core cyber security principles developed over the last 15 years in the Trusted Computing Group and GlobalPlatform standards and specifications. This is not a one-size-fits-all solution but a strong roadmap to next-generation transaction security for digital assets and instructions.
Rivetz Solution Level 1
A simple two-factor authentication anchored in the trusted computing foundations: a capability that can be demonstrated today and integrated with any hosted bitcoin wallet. Based on interoperability with Google products, it provides a simple step forward and uses the tamper-proof storage and processing of the Trusted Execution Environment. https://youtu.be/RtLrhRhD0xQ This service can be a user option if the wallet supports the standard protocols, and it offers state-of-the-art protection embedded within the phone. It also eliminates all of the well-known risks of SMS-based two-factor and software-only solutions.
Rivetz Solution Level 2
A more complex solution that requires integration, but a huge step forward in the assurance model. Trusted User Interface is part of the GlobalPlatform TEE specification. Secure display assures that the message on the screen cannot be altered or read by the operating system, and that the message seen by the user is the instruction that is actually processed. Rivetz has developed an API call that gives the cloud wallet an assured channel to the Trusted User Interface to confirm the transaction details with the user as part of an embedded second-factor confirmation. The message is created within the trust boundary of the transaction service and then delivered as an encrypted and signed transaction to the user's registered device. A simple service that can be added to any blockchain transaction to assure the instruction sent was intended. https://youtu.be/e5gIrpa0VWI Any message can be confirmed.
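The exchange described above, worked through as an added example that is not Rivetz's code or API. It assumes the service and the device's TEE each hold a signing key; HMAC-SHA256 over constructed pre-shared keys stands in for those signatures so the example runs with the Python standard library only, and the encryption step on the wire is left out to keep the focus on what the trusted display binds. The address and amounts are constructed placeholders.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo keys. In the Trusted UI model the service and the device's TEE
# each hold their own signing key; HMAC-SHA256 over pre-shared keys stands in for
# those signatures so the example runs with the standard library only.
SERVICE_KEY = b"demo-transaction-service-key"
DEVICE_KEY = b"demo-device-tee-key"


def canonical(obj: dict) -> bytes:
    """Deterministic serialization so both sides hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign(key: bytes, obj: dict) -> str:
    return hmac.new(key, canonical(obj), hashlib.sha256).hexdigest()


def render(body: dict) -> str:
    """The exact text the trusted display shows; the service uses the same
    function when it checks what the user actually approved."""
    return f"Send {body['amount']} BTC to {body['to']}"


def service_create_confirmation(instruction: dict) -> dict:
    """Transaction service: bind a fresh nonce to the instruction and sign it
    inside the service's trust boundary before it leaves for the device."""
    body = dict(instruction, nonce=secrets.token_hex(8))
    return {"body": body, "service_sig": sign(SERVICE_KEY, body)}


def device_verify_and_display(envelope: dict) -> str:
    """Device TEE: refuse anything the service did not sign, then render it for
    the trusted UI. The rich OS cannot change what is shown from this point on."""
    if not hmac.compare_digest(sign(SERVICE_KEY, envelope["body"]), envelope["service_sig"]):
        raise ValueError("service signature invalid; refusing to display")
    return render(envelope["body"])


def device_user_decision(envelope: dict, approved: bool) -> dict:
    """Trusted UI result: sign the user's decision together with a hash of exactly
    what was displayed, so an approval cannot be replayed against another instruction."""
    shown = device_verify_and_display(envelope)
    decision = {
        "displayed_hash": hashlib.sha256(shown.encode() + canonical(envelope["body"])).hexdigest(),
        "approved": approved,
        "nonce": envelope["body"]["nonce"],
    }
    return {"decision": decision, "device_sig": sign(DEVICE_KEY, decision)}


def service_check_confirmation(envelope: dict, confirmation: dict) -> bool:
    """Service: execute only if the device signed approval of this exact instruction."""
    decision = confirmation["decision"]
    if not hmac.compare_digest(sign(DEVICE_KEY, decision), confirmation["device_sig"]):
        return False
    body = envelope["body"]
    expected = hashlib.sha256(render(body).encode() + canonical(body)).hexdigest()
    return (
        decision["approved"] is True
        and decision["nonce"] == body["nonce"]
        and hmac.compare_digest(decision["displayed_hash"], expected)
    )


if __name__ == "__main__":
    # Constructed instruction; the address is a placeholder, not a real one.
    env = service_create_confirmation({"to": "bc1q-placeholder-address", "amount": "0.5"})
    print("trusted UI shows:", device_verify_and_display(env))
    conf = device_user_decision(env, approved=True)
    print("service executes:", service_check_confirmation(env, conf))
    # A confirmation for one instruction does not authorize a different one.
    other = service_create_confirmation({"to": "bc1q-placeholder-address", "amount": "10"})
    print("reused on other instruction:", service_check_confirmation(other, conf))
```

The point the block makes is the binding: the device signs a digest of the rendered text plus the canonical body and the nonce, so the service can only execute an instruction whose displayed form the user actually saw, and a captured approval cannot be reused for a different amount or destination.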
Rivetz Solution Level 3
Modern devices have been built with an enhanced isolated compute capability, the trusted execution environment (TEE). This measured execution environment provides a strong foundation for a whole new model of secure authentication and transactions for the modern computing architecture. Known devices in a known condition with a known user, as defined by their owner, can easily be verified by any relying service. The controls are put in place by the owner of the system and, in partnership with the verifying service, the desired controls are verified before a transaction is completed. These active cyber controls integrate a new model of e-commerce in which required attributes of a device can be established and verified for the responsible party.
This is the model sought by the NY BitLicense: provable cyber security controls for peer-to-peer or distributed transactions. The transaction model is based on a preregistered contract that is required between the blockchain and the owner of the device. This dynamic contract assures that only agreed-upon devices in an agreed-upon condition will be granted access, and that forensic controls are available to assert the conditions were met each time access was granted. Leveraging the TEE, Rivetz transfers the responsibility of compliance enforcement to the client device and the blockchain process. A device is provided a business process or script that must be satisfied to enable access. The Rivetz Attribute Registrar executes the client-required script and prepares the hashes for the end device. Once all of the conditions are met, a collection of digital signatures is created that assures the business process steps have been satisfied. These hash values are rolled up into a single platform health statement that the TEE then provides to the service through the authentication process, so the process is cryptographically provable. Tokenization of the process assures that full privacy controls are in place. The blockchain only verifies that a real-time health hash is equal to the reference value stored on the blockchain.
Many types of attributes are possible for real-time validation and assurance.
• Verified Enterprise controls
• KYC (Know Your Customer)
• Derived identity with Enterprise IDAM
• Proof of endpoint Data Encryption
• Proof of Data Loss Prevention (DLP)
• Any third party verifiable consistent control
Proof of Compliance
The realm of cyber regulations and controls continues to grow in an effort to slow the loss of data. The older compliance models of monitoring and enterprise management are failing badly to address these losses. Every year industry spends more on cyber security, and every year losses climb. The Rivetz EZauth service provides real-time compliance with cyber controls, assuring that the user's collection of devices meets the minimum requirements for access to data. The provable state of the device assures that the required controls were in place at the time the data was accessed and delivered. Logging device access will also provide a better picture of all the devices that have had access to sensitive information. Known data on a known device in a known condition with a known user.
The API Network
The Rivetz model is built on the new API economy. Cloud management and enterprise services have all built API-based models for secure sharing of data and control. This API layer of the network assures that most of the components to monitor, manage, and visualize the network have already been built. The Rivetz service provides a model for registration of the device identity attributes across these API models. The result is that data on the real-time compliance of a specific device can be easily accessed by a single trusted entity, the device's isolated trusted execution environment (TEE). This information can then be tokenized, verified and bound to a transaction on the network. If a device is not in the correct condition, the user will be forced to address the problem and bring the device back into compliance. In most cases, configuration compliance can be an automated process that assures a device is in the proper configuration and has the correct updates.
The modern network of devices is almost infinitely complex. The decentralized model of cyber security controls offers a new model of control. The trusted execution environment provides the assurance that the device can verify its own controls and then attest that those controls are in place. The device is by default already registered with all of the systems that manage it. The TEE prevents the lying endpoint. The administrator can now define the conditions that a specific device must meet, and that policy is verified to be in place every time the device connects to sensitive networks or data. Securely logging this data will provide a solid foundation for provable compliance, cyber insurance and peace of mind.
Integration with Blockchain and Smart Contracts
Blockchain is a new technical capability on the internet: the ability to maintain a proof of a timestamped event. The Rivetz EsyAuth service provides strong integration points for blockchain and smart contracts. These technologies enable a distributed and trusted test of whether the reference health of the device equals the current real-time measurement. The natural cryptographic operations are simple to integrate and support in a transaction or in a smart contract. The persistent log of the test becomes a forensic proof of the state of the device when a transaction is completed. Combining these two technologies will provide the foundation for modern provable financial and IoT transactions.
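The Level 3 flow (per-attribute hashes rolled up into one platform health statement, signed by the TEE, and compared by the relying side against a stored reference value) and the smart-contract test just described (does the reference health equal the current real-time measurement, with a persistent log of the result) are worked through together below. This is an added example, not Rivetz's code or the format of its health statement. It assumes a hardware-bound attestation key inside the TEE, for which a constructed HMAC-SHA256 key stands in, and the attribute names and values in the agreed policy are constructed for the illustration.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo key standing in for the attestation key held inside the device's
# TEE; a real deployment would use a hardware-bound asymmetric key, not HMAC.
DEVICE_ATTESTATION_KEY = b"demo-tee-attestation-key"

# The "script" the device owner and the relying service agreed on: attribute names
# and the values they must hold. Names and values are constructed for this example.
AGREED_POLICY = {
    "disk_encryption": "enabled",
    "dlp_agent": "running",
    "enterprise_idam": "enrolled",
    "kyc_status": "verified",
}


def canonical(obj: dict) -> bytes:
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def health_hash(attributes: dict) -> str:
    """Roll a set of attribute measurements up into one platform health value.
    Each attribute is hashed on its own, then the per-attribute digests are hashed
    in sorted name order, so the result depends only on the names and values."""
    roll = hashlib.sha256()
    for name in sorted(attributes):
        roll.update(hashlib.sha256(f"{name}={attributes[name]}".encode()).digest())
    return roll.hexdigest()


# What the relying service (or a smart contract) stores: only the reference hash,
# never the attribute values themselves.
REFERENCE_HEALTH = health_hash(AGREED_POLICY)


def tee_attest(measured: dict, nonce: str) -> dict:
    """TEE side: roll the current measurements up and sign the statement.
    Only the hash and the nonce leave the device; the measurements stay private."""
    statement = {"health_hash": health_hash(measured), "nonce": nonce}
    sig = hmac.new(DEVICE_ATTESTATION_KEY, canonical(statement), hashlib.sha256).hexdigest()
    return {"statement": statement, "sig": sig}


def verify_health(reference: str, attestation: dict, nonce: str, log: list) -> bool:
    """Relying side: check the signature, the freshness nonce and that the real-time
    health hash equals the reference value, then append the outcome to a persistent
    log so the device state at transaction time remains forensically provable."""
    statement = attestation["statement"]
    expected_sig = hmac.new(DEVICE_ATTESTATION_KEY, canonical(statement), hashlib.sha256).hexdigest()
    ok = (
        hmac.compare_digest(expected_sig, attestation["sig"])
        and statement["nonce"] == nonce
        and hmac.compare_digest(statement["health_hash"], reference)
    )
    log.append({"nonce": nonce, "health_hash": statement["health_hash"], "granted": ok})
    return ok


def gate_transaction(measured: dict, log: list) -> bool:
    """One full round: the service issues a nonce, the device attests, the service decides."""
    nonce = secrets.token_hex(8)
    return verify_health(REFERENCE_HEALTH, tee_attest(measured, nonce), nonce, log)


if __name__ == "__main__":
    audit_log = []
    compliant = dict(AGREED_POLICY)  # constructed measurement of a healthy device
    drifted = dict(AGREED_POLICY, dlp_agent="stopped")  # one control fell out of place
    print("compliant device granted:", gate_transaction(compliant, audit_log))
    print("drifted device granted:", gate_transaction(drifted, audit_log))
    for entry in audit_log:
        print(entry)
```

Two properties of the paragraph above show up in the code: the verifier learns nothing about which control failed, only that the roll-up differs from the reference (the privacy claim of tokenization), and the log entry carries the nonce and the hash rather than the raw measurements, which is what makes it usable as forensic evidence without leaking device configuration.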
https://youtu.be/XUG7-UCmZjY shows a Rivetz demonstration of a fully integrated transaction of bitcoin and a health claim on a modified blockchain. Every Bitcoin and blockchain project would benefit from the enhanced assurance provided by embedding cyber security controls, with privacy, into the fabric of the transaction. Segregated Witness and a couple of the Blockstream opcodes have made this demonstration possible.
The time has come to make the network safe again, assuring that known devices in a known condition with a known user are performing forensically provable transactions and instructions. Billions of dollars and countless careers have been invested globally to enable these capabilities, and the time has come to put them into effect. Multi-factor authentication is no longer enough; the time has come to enhance authentication with the cyber security controls that every organization has invested in. From simple cloud services for the individual to full enterprise compliance, the integration of cyber security controls will improve the value of the relationship and simplify the user's experience.