A blog post by Steven Sprague, CEO, Rivetz Corp.
The transition to multifactor authentication is providing a solid platform for a new model of e-commerce -- a model based on more than just proof that the user knows a secret, but on the assurance of a known device in a known condition with a known user. Rivetz has developed a new model for advanced assurance built on the benefits of embedded security and the new API fabric supported by all cyber security controls. Hundreds of millions of modern computing devices support an embedded Trusted Execution Environment (TEE). Rivetz has developed the framework to integrate strong authentication, instructions and strong attestation for both internal and external device attributes. The active, real-time monitoring of cyber security controls provides the real-time decision data that should be part of any financial transaction. Rivetz delivers the service that can assure that the state of the device is in a known and provable condition. The Rivetz EasyAuth service integrates with many existing standard authentication services and provides enhanced cyber controls fully integrated into the transaction.
Securing the Bitcoin wallet is not enough. Web wallets and multisig offer real value to protect accounts. However, two-factor authentication has recently failed because the phone number can be stolen. The criminals are finding the cracks in the systems. Simple two-factor authentication is no longer enough. While the user is identified, the device is not. It is critical that the device be in a known good condition and that the cyber controls be in place when access is granted to sensitive data and services.
Rivetz is introducing new models of cyber security to enhance the quality and security of a transaction. These technologies are all part of a continuum built from a strong foundation of trusted execution and the core cyber security principles developed over the last 15 years by the Trusted Computing Group and Global Platform standards and specifications. This is not a one-size-fits-all solution but a strong roadmap to next-generation transaction security for digital assets and instructions.
Rivetz Solution Level 1
This solution provides a simple two-factor authentication anchored in the trusted computing foundations. It can be demonstrated today and can easily be integrated with any hosted Bitcoin wallet. Based on interoperability with the Google products, it provides a simple step forward and uses the tamper-proof storage and processing of the Trusted Execution Environment.
https://youtu.be/RtLrhRhD0xQ
This service can be a user option if the wallet supports the standard protocols, and it offers state-of-the-art protection embedded within the phone. It also eliminates the risks associated with SMS-based two-factor and software-only solutions, and it is simpler than carrying an external PKI token.
Rivetz Solution Level 2
Level 2 is slightly more complex and requires integration, but it is a huge step forward in the assurance model. Trusted User Interface is part of the Global Platform TEE specification. It uses Secure Display to assure that the confirmation message on the screen cannot be altered or read by the operating system, and that the message seen by the user is for the transaction that is actually processed. Rivetz has developed an API that enables an assured channel to the Trusted User Interface so the cloud wallet can confirm the transaction details with the user as part of an embedded second-factor confirmation. The message is created within the trust boundary of the hosted service and is delivered as an encrypted and signed message to the user’s registered device. This simple service can be added to any blockchain service to assure that all transactions sent were intended by the user.
https://youtu.be/e5gIrpa0VWI
Any kind of message can be confirmed.
Rivetz Solution Level 3
Modern devices have been built with an enhanced isolated compute capability, the Trusted Execution Environment (TEE). This measured execution environment provides a strong foundation for a whole new model of secure authentication and transactions for the modern computing architecture. Known devices in a known condition with a known user, as defined by their owner, can easily be verified by any relying service. The controls are put in place by the owner of the system and, in partnership with the verifying service, the desired controls are verified before a transaction is completed. These active cyber controls integrate a new model of e-commerce where required attributes of a device can be established and verified for the responsible party.
This is the model that was sought by the NY BitLicense: provable cyber security controls for peer-to-peer or distributed transactions. The transaction model is based on a preregistered contract that is required between the blockchain and the owner of the device. This dynamic contract assures that only agreed-upon devices in an agreed-upon condition will be granted access, and that forensic controls are available to assert that the conditions were met each time access was granted. Leveraging the TEE, Rivetz transfers the responsibility of compliance enforcement to the client device and the blockchain process. A device is provided a business process or script that must be satisfied to enable access. The Rivetz Attribute Registrar provides the execution of the client-required script and preparation of the hashes for the end device. Once all of the conditions are met, a collection of digital signatures is created that assures the business process steps have been satisfied. These hash values are aggregated into a single platform health statement that is then provided by the TEE environment to the service through a cryptographically provable authentication. The tokenization of the process assures that full privacy controls are in place: the blockchain only verifies that a real-time health hash is equal to the reference value previously stored on the blockchain.
Many types of attributes are possible for real-time validation and assurance.
· Verified enterprise controls
· KYC (Know Your Customer)
· Derived identity with enterprise IDAM
· Proof of endpoint data encryption
· Proof of Data Loss Prevention (DLP)
· Any third-party verifiable consistent control
Proof of Compliance
The realm of cyber regulations and controls continues to grow in an effort to slow down the loss of data. The older compliance models of monitoring and enterprise management are failing badly to address these losses. Every year industry spends more on cyber security, and every year losses climb. The Rivetz EasyAuth service provides real-time compliance with cyber controls, assuring that the user’s collection of devices meets the minimum requirements for access to data. By recording provable device state, we assure that required controls were in place at the time the data was accessed and delivered. The logging of device access will also provide a better picture of all the devices that have had access to sensitive information. This achieves the goal of known data on a known device in a known condition with a known user.
The API Network
The Rivetz model is built for the new API economy. Cloud management and enterprise services all provide API-based models for secure sharing of data and control. This API layer of the network means that most of the components needed to monitor, manage, and visualize the network have already been built. The Rivetz service provides a model for registration of device-identity attributes across these API models. The result is that data on the real-time compliance of a specific device can be easily accessed by a single trusted entity, the device-isolated Trusted Execution Environment (TEE). This information can then be tokenized, verified and bound to a transaction on the network. If a device is not in the correct condition, the user will be forced to address the problem and bring the device back to compliance. In most cases, assuring compliance can be an automated process that assures a device is in the proper configuration and has the correct updates.
The modern network of devices is almost infinitely complex. A new, decentralized model of cyber security controls is needed. The Trusted Execution Environment provides the assurance that the device can verify its own controls and then attest that those controls are in place. The device is by default already registered with all of the systems that manage it. The TEE prevents the endpoint from lying about its own state. The administrator can now define the conditions that a specific device must meet, and that policy is verified to be in place every time the device connects to sensitive networks or data. Securely logging this data will provide a solid foundation for provable compliance, cyber insurance and peace of mind.
Integration with Blockchain and Smart Contracts
Blockchain is a new technical capability on the Internet that provides the ability to maintain proof of a timestamped event. The Rivetz EasyAuth service provides strong integration points for blockchain and smart contracts. These technologies enable distributed and trusted testing of whether the reference health of a device equals the current real-time measurement. The natural cryptographic operations are simple to integrate and support in a transaction or in a smart contract. The persistent log of the test becomes forensic proof of the state of the device when a transaction is completed. The combination of these two technologies will provide the foundation for modern provable financial and IoT transactions.
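The Level 3 flow described above and the reference-equals-measurement test in this section, as an added example that is not Rivetz code: each required control is hashed, the hashes are folded into one platform health value, the device attests it, and the relying service compares it with the reference registered earlier. The control names, the device key and the use of an HMAC in place of a TEE attestation signature are assumptions for this example.

```python
import hashlib
import hmac

# Constructed example: the client-required "script" (control -> required value).
# Names and values are hypothetical, not Rivetz identifiers.
REQUIRED_SCRIPT = {
    "disk_encryption": "enabled",
    "dlp_agent": "running",
    "os_patch_level": "2016-09",
}

def measure_controls(observed: dict, script: dict) -> list:
    """One digest per required control; a missing control hashes as 'missing'."""
    return [hashlib.sha256(f"{k}={observed.get(k, 'missing')}".encode()).digest()
            for k in sorted(script)]

def aggregate_health(step_hashes: list) -> bytes:
    """Fold per-control digests into one platform health hash,
    PCR-extend style: h = SHA256(h || step). Order is fixed by sorted keys."""
    h = bytes(32)
    for step in step_hashes:
        h = hashlib.sha256(h + step).digest()
    return h

def register_reference(observed: dict, script: dict = REQUIRED_SCRIPT) -> dict:
    """Registration: only the agreed health hash goes on the chain, not the attributes."""
    return {"health": aggregate_health(measure_controls(observed, script)).hex()}

def attest(device_key: bytes, health: bytes, nonce: bytes) -> dict:
    """Health claim as it leaves the device. The HMAC under a per-device key
    stands in for the TEE's attestation signature (assumption for this example)."""
    tag = hmac.new(device_key, health + nonce, hashlib.sha256).hexdigest()
    return {"health": health.hex(), "nonce": nonce.hex(), "tag": tag}

def verify_claim(reference: dict, claim: dict, device_key: bytes, nonce: bytes) -> bool:
    """Relying-service / smart-contract test: fresh, authentic, equal to reference."""
    if claim["nonce"] != nonce.hex():                      # replayed claim
        return False
    expected = hmac.new(device_key, bytes.fromhex(claim["health"]) + nonce,
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, claim["tag"]):    # forged or tampered claim
        return False
    return hmac.compare_digest(claim["health"], reference["health"])

def check_access(reference: dict, observed: dict, device_key: bytes, nonce: bytes,
                 script: dict = REQUIRED_SCRIPT) -> bool:
    """Full round trip at transaction time: measure, aggregate, attest, verify."""
    health = aggregate_health(measure_controls(observed, script))
    return verify_claim(reference, attest(device_key, health, nonce), device_key, nonce)
```

Any drift in a single control (an agent stopped, a control absent) changes the aggregated hash, so the comparison fails without the verifier ever seeing the attribute values.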
The video at https://youtu.be/XUG7-UCmZjY is a Rivetz demonstration of a fully integrated Bitcoin transaction with an integrated health claim on a custom, Elements-based Bitcoin sidechain. Every Bitcoin and blockchain project would benefit from the enhanced assurance provided by embedding cyber security controls, with privacy, into the fabric of the transaction. The “New Opcodes” Element from Blockstream’s Elements Project made this demonstration possible.
The time has come to make the network safe again by assuring that known devices in a known condition with a known user are performing forensically provable transactions and instructions. Billions of dollars and countless careers have been invested globally to enable these capabilities, and the time has come to put them into effect. Multi-factor authentication is no longer enough -- the time has come to enhance authentication with the cyber security controls that every organization has invested in. From simple cloud services for the individual to full enterprise compliance, the integration of cyber security controls will improve the value of the customer relationship and simplify the user’s experience.