As computer and mobile systems evolve rapidly, the old model of software-only security is always one step behind the bad guys. Antivirus solutions built for enterprises and personal computer networks cannot address the rapidly growing mobile and IoT markets. Cybersecurity has failed to keep pace with evolving threats caused by the increasing use of mobile devices, blockchains, smart contracts, IoT and cloud computing. Another growing challenge is regulation. Companies can be fined up to 4% of their gross revenue for a data breach. (1)
The Rivetz architecture is designed to deliver provable cyber-controls for the owner of devices ranging from PCs to smartphones to “Things”. The solution operates on a decentralized trust model, providing the proof the owner needs without having to trust third-party services or sites to back the claims made.
Rivetz provides cybersecurity services and capabilities that leverage the Trusted Execution Environment (TEE), a secure area built into the processor. (2) By providing a vault to isolate and protect keys and encrypted material from apps, malware, users, and hackers, Rivetz is focused on providing a safe experience for accessing all digital services and maximizing the quality and value of the provider-to-subscriber relationship. Rivetz has been building this technical foundation for 3 years and has an existing contract with the U.S. government. (3)
The TEE provides the protected application of policy that governs the use of a key or an RvT token. Once an RvT is passed to the TEE-protected private keys, it can only be transferred if the device owner’s instructions meet policy. The owner of the device is the administrator of the Rivetz policy controls in the TEE and defines the process the owner expects to be followed. To reduce the risk of compromised instructions, the process integrates an attestation test and prevents a transfer of RvT if the health of the policy is violated or its enforcement cannot be verified.
According to their whitepaper, Rivetz’s Global Attestation and Identity Network (GAIN) assures the identity and integrity of the end device and assures the device cannot lie about its capabilities. Rivetz’s proposed solution is intended to automate one of the problems in information assurance, namely proof that a control was in place at the time it was required.
There are three different phases of operation:
Phase one (registration of a reference health)
The device is paired with the Cybercontrols Marketplace (CM). The CM is where all the cybersecurity controls are available, and users can select from among them to activate whatever services they desire, using the RvT token. The device calculates its internal health and integrity hash and prepares to have the manufacturer signatures for the core root of trust verified by the CM. The CM executes an owner-provided script to validate any external controls, enterprise or cloud. It also verifies whether the manufacturer core root of trust signatures are valid for the internal device tests. The external health hash is returned to the device and the token will be used to obtain these services as required. The device uses an RvT token to seal the combined internal and external health hash and record this reference health measurement on the GAIN. A microtransaction is required to perform this service, and afterwards the device records the location of the health hash for later use.
Phase two (verifying cybersecurity controls)
The user selects a service that requires a health check and the device creates a unique transaction ID. The device performs an internal real-time test and an external real-time test and calculates a combined real-time health. It seals the combined real-time health hash with the reference health hash locator with an RvT token and transmits the request to a Cybersecurity Controller (CC) for verification of a match. The CC retrieves the reference health hash and compares it to the real-time health hash. If they match, the device can be said to be in a reference condition. The CC delivers the logged event with a transaction ID to the GAIN and the results of the verification to be logged by the application as appropriate.
Phase three (proving the state of the device for a completed transaction)
A request is made to audit a transaction and the transaction ID is used to locate the logged event and verify the test was true. After that the reference health hash is received. The owner provides the CM the hash and the transaction ID that was used to create the external hash and the process executed to calculate the internal hash. The CM will verify the math and generate a transaction report for the owner proving the controls that were measured prior to the execution of the transaction.
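The three phases above, modelled as an added Python example (not Rivetz code). SHA-256 for the health hash, an HMAC under a shared key standing in for sealing with an RvT token, an in-memory dict standing in for the GAIN, and all function names and sample measurements are assumptions made for illustration.

```python
import hashlib, hmac, json, uuid

# Constructed sample key and measurements (not real device data).
KEY = b"constructed-demo-key"
INTERNAL = {"boot_chain": "a1", "tee_policy": "v3"}
EXTERNAL = {"mdm_enrolled": True, "edr_agent": "running"}

def health_hash(internal, external):
    """Combined health: SHA-256 over a canonical encoding of both test results."""
    blob = json.dumps([internal, external], sort_keys=True).encode()
    return hashlib.sha256(blob).hexdigest()

def seal(key, *fields):
    """Assumed sealing primitive: HMAC-SHA256 over length-prefixed fields."""
    msg = b"".join(len(f).to_bytes(4, "big") + f.encode() for f in fields)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def register(ledger, key, internal, external):
    """Phase one: record the sealed reference health, return its locator."""
    ref = health_hash(internal, external)
    locator = uuid.uuid4().hex
    ledger["refs"][locator] = {"hash": ref, "seal": seal(key, ref)}
    return locator

def build_request(key, locator, internal, external):
    """Phase two, device side: seal real-time health with the locator."""
    txid, live = uuid.uuid4().hex, health_hash(internal, external)
    return {"txid": txid, "locator": locator, "live": live,
            "seal": seal(key, txid, locator, live)}

def controller_verify(ledger, key, req):
    """Phase two, controller side: check seals, compare hashes, log the event."""
    if req["txid"] in ledger["events"]:
        return False  # replayed transaction ID: keep the original record
    ref = ledger["refs"].get(req["locator"])
    expected = seal(key, req["txid"], req["locator"], req["live"])
    ok = (ref is not None
          and hmac.compare_digest(req["seal"], expected)
          and hmac.compare_digest(ref["seal"], seal(key, ref["hash"]))
          and hmac.compare_digest(ref["hash"], req["live"]))
    ledger["events"][req["txid"]] = {"locator": req["locator"], "match": ok}
    return ok

def audit(ledger, txid, internal, external):
    """Phase three: locate the logged event and recompute the reference hash."""
    event = ledger["events"].get(txid)
    if event is None or not event["match"]:
        return False
    ref = ledger["refs"][event["locator"]]["hash"]
    return hmac.compare_digest(ref, health_hash(internal, external))
```

A device whose measurements drift from the registered reference fails phase two, and an audit only succeeds when the owner's supplied inputs reproduce the reference hash behind a logged, matching event.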
Use of the token
Rivetz will set aside a portion of the RVT tokens to be used to incentivize the adoption of the system. The bootstrapping of the environment is a core component of the strategy and the long term success of the system. It is expected the manufacturers and services will supplement this promotional supply with the tokens that are earned by their services and that these tokens will be used to incentivize participation in the system by users, services and manufacturers. The RVT token should incentivize partners to build services that provide advance capabilities and enhance the quality, security and utility of the network over time.
There are 200 million tokens total. 70 million were earmarked for the sale. Those that were not sold (about 48 million) were automatically locked for a year and eventually will return to the company. Another 70 million are for company use. Of those, nearly 10 million are available now, 20 million are locked for one year, 20 million for two years and 20 million for three years. The other 60 million are set aside for promotional and marketing purposes. Half of those are locked for a year (from September 2017).
Rivetz has provided a full list of their partnerships on their website; we will mention a few of them.
One of their first partnerships, in 2014, was with Trustonic. Trustonic integrates hardware-level security and trust directly into devices. The purpose of this partnership was to protect Bitcoins from malware theft on Android and other platforms. (5)
In 2017, Rivetz and Telefonica, a provider of integrated communication solutions for the B2B market, partnered to improve mobile device security. This partnership allows Rivetz to immediately integrate Telefonica’s CyberThreats Detection & Response Service. (6)
Another partnership is with Parity, an Ethereum focused solution for dApp development, to guide Rivetz on the integration of cyber security controls into blockchain networks and smart contracts. (7)
One of the latest partnerships is with Agrello, an Estonian-based company focusing on self-aware smart contracts, to develop a hardware-based cybersecurity solution for digital identities. (8)
Team and advisors (9)
CEO: Steven Sprague, (10) Steven served as President and CEO of Wave Systems Corp. for 14 years before transitioning to the board of directors. He was part of the Advisory Board of Factom, a blockchain solution for digital assets. (11)
CTO: Michael Sprague, Michael’s career began as a developer and architect for a small consulting firm that was contracted to redefine the global banking system for such clients as JP Morgan, Citibank, and Fidelity. (12)
Advisor: David A. Johnston, (13) Chairman of the Board of Factom Inc. David is an early blockchain adopter.
‘18 Q2: First release of Attestor. Developer Tools 1.0. Rivetz Authenticator 1.0 App public release and the Beta App for Secure Messaging.
‘18 Q3: Secure Messaging App public release. The Wallet App goes in Beta.
‘18 Q4: Backup and Recovery 1.0. Toolkit 1.1 B&R and SGX support. Public release of the Wallet App.
‘19 1st half: Backup recovery, removal remediation. Toolkit 1.2. Public release of the Secure Messaging App.
‘19 2nd half: Distributed Registrar 1.0 and the release of the Toolkit 2.0.
‘20 Q1-Q4: Distributed Attestor and the release of Toolkit 2.1.