Mr. Steven Sprague, CEO of Rivetz Corp., discusses how the intersection of trusted computing and block chain provides a novel “proof of security” to protect high value transactions. Learn the background and details of how this proof of security works, and how a new cybersecurity marketplace based on a cybersecurity token can simplify the utilization of cyber controls for a mobile community in this interview with ActiveCyber.
I have known Steven for quite some time – back to my days working on trusted computing with Trusted Computing Group where Steven was often leading the charge. I’ve always been impressed with his ability to grasp complex concepts and quickly turn them into innovative offerings. Now it seems he is leading the charge again with Rivetz, which ties together trusted computing with block chain and mobility platforms. I caught up with Steven at a recent DHS Science and Technology Showcase where we also talked about his announcement regarding a cybersecurity token sale. This marketplace concept particularly intrigued me, so I asked Steven to do this interview, which he quickly accepted. So read the interview below to learn about this new innovative offering and see how it might change how security gets done in a block-chain-mobile-autonomous-trusted world that is coming at you right now.
Spotlight on Steve Sprague, Rivetz Corp.
August 13, 2017
Chris Daly, ActiveCyber: What are the goals of the Rivetz solution? What market need does Rivetz address and how? What market sector are you trying to address first by your solution?
Steve Sprague, Rivetz: The goal of the Rivetz solution is to enable a more secure subscriber relationship for any service. It will help raise the level of protection for the delivery of high value services while enabling a simpler user experience at the same time. This combination of capabilities will help customers build and use networks where high value transactions can be conducted in a trustworthy and secure manner. Currently, Rivetz is focused on delivering the best multi-factor authentication with integrated cybersecurity controls and supporting that technology embedded in the device you own. The initial market focus includes those customers that need more than basic authentication capabilities – but also those customers that desire additional proof that the device used for authentication was in a known condition, with a known user, with required security controls running whenever it is connected to sensitive data.
ActiveCyber: Please provide a short technical overview of the Rivetz solution. What underlying technologies does it rely on and how do these technologies interact in the solution?
Sprague: Rivetz is using the Trusted Execution Environment (TEE) that is part of ARM TrustZone and which is deployed on well over 1 billion devices. The Rivetz solution uses the Trustonic TEE OS to provide over-the-air provisioning of the trusted app. The Rivetz trusted app provides basic crypto services and Rivetz has also developed advanced applications for multi-factor authentication, encryption, block chain and messaging. Rivetz builds the client technology and some of the key management and provisioning services to simplify the use and deployment models for the technology.
One of the important applications developed by Rivetz is a token model using block chain that enables the immutable recording of the presence of specific cyber security controls running on the device when a transaction using the device occurs.
ActiveCyber: What type of business model are you employing to make this solution work? What is the cyber control marketplace and how does it fit into the business model?
Sprague: Rivetz is exploring the use of a crypto currency token to provide a micro-transaction model for service delivery. This will allow the user or the enterprise to have a cloud subscription style model across many devices and only pay for what they actually use.
The cyber controls market place provides a portal and store for third party developers to deliver security services that can be bound into the authentication or authorization of a transaction. Services like geo-location, data tagging, “Know Your Customer” and “Know Your Service Provider” (i.e., the state of a security control running on the device or server, respectively) can all be purchased via the market place, bound to transactions on a device, and used as part of the access / transaction decision. It provides a decentralized model for obtaining attribute-based authentication capabilities for a device or service.
ActiveCyber: Rivetz employs the concept of a cybersecurity token – what is this token and how is it used? What is its relationship to other tokens such as ether and bitcoin?
Sprague: Cybersecurity tokens can be purchased with ETH, BTC or any crypto currency. The tokens will then be used to operate the downloaded security services on a per device basis. The device will be provided with a mechanism to refill its supply as the cybersecurity tokens are consumed. The token will initially be used exclusively for Rivetz security services but it also provides new opportunities for enabling other services to be consumed – from connectivity to access.
ActiveCyber: How does Rivetz work with block chain and smart contracts?
Sprague: Rivetz is designed to be fully integrated with block chain and smart contracts and we are working with some of the world-leading core block chain companies such as Parity Technologies to assure the systems work well together. The company also uses block chain technology to secure the network data and keys used by the solution and provide a tamper-proof record of the cyber controls in place.
ActiveCyber: How does the combined use of TEE and block chain enable Rivetz services?
Sprague: These are two technologies that play well together. TEE provides the protection of the instructions and the tools to assure the user intended the transaction. Block chain provides the immutable record that the transaction was completed. Together it is now possible to store proof of a cyber security control embedded in a transaction on a fully decentralized trust model.
ActiveCyber: How does Rivetz enable global attestation and assured identity – how does it evolve security from watching to proving? How do these solution features reduce the risk of fraud or loss due to malware?
Sprague: Network security becomes ineffective for the fully mobile user as it becomes virtually impossible to watch all the traffic on the Internet. Rivetz shifts the burden from watching the network to observing the device by using the measured systems in the TEE to assure the device is executing as expected. Tokenizing cyber security controls allows a third-party service to perform a simple task to validate the device is in a reference secure condition. Manifesting proof of this condition using the block chain helps to provide a chain of trust from the device to the global network. This proof that a control(s) was executed by the device assures the data coming from the device has integrity as well. Over time this shift to known devices will provide a globally strong foundation for a better handle on provenance, trust, and more secure controls for high value transactions.
ActiveCyber: How does Rivetz enable security of automatic m2m payments?
Sprague: By wrapping the payment engine in a policy container, money can only be spent at authorized providers and with budgets and limits. Your device becomes a robot with an allowance that has to follow the rules.
ActiveCyber: How does Rivetz prove that a certain set of cybersecurity controls were in place for a transaction when that transaction occurred? How are the different hashes used for verification reconciled?
Sprague: By using the TEE to measure the system and record a reference signature. The owner can define the components and process that are measured. The signature of this process is stored securely on the chain for later reference. Then during a transaction the security process is repeated and a real-time measurement is computed. The transaction server forces verification of the real-time health matching the reference. This creates a proof of the measured state of the device.
ActiveCyber: What is the plan to roll out Rivetz and what has to occur for the full vision of the cybersecurity token to be achieved? How does Apple fit into your plans?
Sprague: The plan is to deliver a strong multi-factor authentication offering that will set the stage for the developer tools to be used for security that is built-in and not added on. Rivetz will focus on helping the user and the owner of the device have the services and controls they need to simplify the securing of the user’s collection of devices. The Rivetz solution is on Android today and will be ported to the Intel SGX capabilities on PCs. Apple has chosen to limit developers’ access to the TEE and while software can be used on the iOS platform, access to hardware will be required to offer a great experience.
Thank you, Steve, for describing your journey from trusted computing to block chain. It is interesting to see how you are linking trusted computing with block chain to form a new dynamic in the cyber marketplace. I look forward to seeing how your technology and the cyber controls marketplace you envision actually unfold. And thanks for checking out ActiveCyber.net! Please give us your feedback because we’d love to know some topics you’d like to hear about in the area of active cyber defenses, PQ cryptography, risk assessment and modeling, block chain, IoT security, or other security topics. Also, email firstname.lastname@example.org if you’re interested in interviewing or advertising with us at ActiveCyber.
About Mr. Steven Sprague
Steven Sprague is the CEO of Rivetz Corp. and one of the principal industry evangelists for the application of trusted computing technology. Steven has a strong technical foundation in the principles, capabilities and business models for incorporating trusted hardware into everyday computing, and is skilled at translating these concepts into layman’s terms.
Steven is the co-founder of Rivetz Corporation – a company focused on the use of trusted computing and the Trusted Execution Environment (TEE) to enhance the quality and security of the relationship with the user and their device. Rivetz provides app developers services and tools to enable simple integration of embedded cyber security capabilities for modern devices. Rivetz is playing an important role in providing the key technologies for the protection of private keys, encryption and secure instructions for blockchain, identity, messages, IoT and crypto currencies.
Steven graduated from Cornell University with a B.S. in Mechanical Engineering.