Rivetz.com offers built-in Hardware Security

rivetz_logo_wordmark_horiz_750Rivetz.com is a company that I have been following very closely for several years now.

Rivetz believes that online services are significantly enhanced when a device can be trusted to be what it says it is and to execute instructions exactly as asked. Building upon a decade of industry investment in trusted computing, Rivetz is offering a platform that delivers on this goal.

A service provider generally has confidence in its servers. They are under administrative control and usually protected physically. However, nearly all services are delivered to users through devices the service provider knows very little about and over which it rarely exerts any control.

Rivetz changes this. Through the use of Trusted Execution technology we are able to provide a service provider with an oasis of trust in the unknown world of consumer devices. Basic capabilities such as “sign this”, or “decrypt this” are executed outside the murky world of the main OS. Keys can be generated and applied without ever being exposed in memory and can be attested to through a chain of endorsements traced back to the device manufacturer.

When you can trust a device not to lie or leak secrets, you can form a much more reliable and simpler relationship with the device. It makes life easier and safer for the user and service provider alike.

What Can I Do with Rivetz?

Rivetz is all about trust in devices. We believe that a reliable relationship with a device can make for a much safer, easier and stronger relationship with an end user.

To achieve this, first and foremost you need to know with confidence that a device is the same device it was before. You also need to be sure that a device won’t leak its secrets when asked to do something sensitive, like a decryption or signing.

Our device code runs in the Trusted Execution Environment (TEE) available in many modern devices. The TEE is a hardware environment that runs small applets outside the main OS. This protects sensitive code and data from malware or snooping with purpose-built hardware governed by an ecosystem of endorsements, beginning with the device manufacturer.

Rivetz enrolls a device and equips it with a service provider’s keys. Our API’s enable secure execution of a number of sensitive device-side transactions, including:

  • Get a reliable and anonymous device id – On request, Rivetz will generate a signing key for a device. The public key is hashed into a string that can be used to identify and communicate with a device. The private key remains locked in the hardware and can only be applied on behalf of the SP that requested the ID.
  • Get a device to sign something – The private key of the device identity can be used to sign things proving that this device was involved. The signing ceremony is executed in secure hardware such that the key is never exposed to normal processing environment of the device.
  • Get a device to encrypt something – An encryption key can be generated on request and applied to any blob of data. Encryption/Decryption is triggered locally and takes place within the secure execution environment so as to protect the key.
  • Create a Bitcoin account – The device can be asked to generate a new Bitcoin account using the RNG built into the Trusted Execution Environment.
  • Sign a Bitcoin transaction – The device can apply it’s private Bitcoin account key to sign a transaction and then return it to the service provider
  • Secure Confirmation – (coming soon) Newer TEE environments support trusted display and input in addition to trusted execution. Trusted display enables a simple confirmation message, such as “confirm transaction amount”, to be presented to an end user.
  • Join Devices to share and backup identities – Most users have a couple of devices. Rivetz allows those devices to be bound into a ring so they can interchangeably present themselves to a service provider on behalf of the user.

Rivetz is a toolbox for riveting the online world to the hardware we use to get online. By providing this basic set of features we hope services across the web from wallets to content apps can provide a simpler and safer experience.

How does it work?

A Service Provider calls Rivetz to create hardware keys in a device. Different types of keys are available depending on the purpose, such as for crypto-coins or data encryption.

Riveted keys are governed by simple usage rules established during creation. For example, a key may require that usage requests are signed by the Service Provider that created the key, or that the user confirms access through the Trusted User Interface.

A Rivet will only respond to an instruction from a Service Provider that has been “paired” with the device. Rivetz.net conducts the pairing ceremony as it is able to confirm the integrity and identity of both device and service provider. When a device is paired it acquires the public key of the service provider, while the service provider gets a uniquely generated identity and public key for the device.

While Rivetz supports local calls, ideally all instructions are signed by the Service Provider. This protects a device key from being applied by a rogue application. The _Rivetz Library is used by all components to prepare and sign device instructions and interpret instruction results.

Trusted Execution Environment

There is a class of apps that benefit greatly from strong assurance of their origin and opaque separation from the execution of other apps. This is known as a Trusted Execution Environment or TEE.

Unlike an app running on the primary OS and memory stack, an app running in a TEE has access to cryptographic primitives that can be exercised without snooping by the OS. On certain platforms, it also has direct access to user input and display to ensure a private interaction with the operator of the device.

While the technology has been pursued for well over a decade, it is only recently that devices with support for a TEE have become available. Intel began delivery of commercial solutions in 2011 and Trustonic, an ARM joint venture, launched in 2013.

Deploying an applet into a TEE is akin to delivering a dedicated hardware device. Execution and data are cryptographically isolated from any other function of the host.

Rivetz and the TEE

While most applications of Trusted Execution technology have been concerned with enterprise security or DRM, Rivetz instead provides an applet that is focused on the needs of common web services. Crypto currencies such as Bitcoin have highlighted the need for consumer key security.

Cyber Security and Blockchain – AlleyWatch

rivetz_logo_wordmark_horiz_750There have been a number of high-profile hacks recently, evidently demonstrating that hiding and using secrest on the Internet is still really difficult. From the $5 million in bitcoin lost at Bitstamp to the Sony hack, it is clear that a new approach to the problem is required. Recently, I was at CES, and the IoT is moving along at breakneck speed, with barely and afterthought for cyber security. All of the things end up controlled by a smartphone or PC. The integrity of the connection from your computing device to your house, car or medical equipment will need the same peer-to-peer security that bitcoin requires.  So how should we all be approaching the problem? All private keys should be protected by tamper-resistant hardware — a device, not the operating system. Smart cards or USB tokens are great solutions, but the embedded trusted execution environment provides the built-in solution we all desire. It also provides the tamper-resistant security to match that of a SIM module, but it is not controlled by the carrier. In addition to access, the instruction sent to a cloud service or another device should be encrypted (for privacy) and signed (for integrity), assuring that the intended action is not corrupted.  This critical step is mostly overlooked on today’s systems. Protecting the instruction assures that the intended action is actually what happens. Instructions are critical interactions between the client and the cloud.  Rivetz leverages the trusted execution environment to assure the formation of the highest quality instructions. Trusted user input and output is by far the hardest piece of the puzzle. This is where an uncorrupted presentation of the intended transaction to the user and the proper collection of the user’s consent is executed. Secure display in combination with a secure PIN or secure biometrics is ultimately required to be fully effective.  The technology to do this is just now being integrated but is not available on most platforms. Intel has been at the forefront of trusted display for a number of years.  Rivetz is now demonstrating the trusted user interface on Intel and on some Samsung Galaxy Note 4 phablets released in December.

Continue Reading: Cyber Security and Blockchain – AlleyWatch

BRIVAS LABS brings advancements to revolutionize USER identity.

brivasBRIVAS LABS brings advancements to revolutionize USER identity in the privacy ecosystem. Identity management is vital in our new cyber and BRIVAS PHALANX v 1.0 solves the user identity problem leveraging existing thru augmented authentication with real-time + contextual biometric encryption. Biometrics are increasingly used as a way to verify a person’s identity. As organizations become more security-conscious, biometric-based solutions are set to grow in terms of usage and importance as ability to accurately capture and compute increase. Given the growing global security threats, governments around the world have long known that the biometric elements of identity verification increase security, augment accountability, and provide risk and liability mitigation. BRIVAS is a computer vision and machine learning specialist dealing in biometric fusion and contextual, real time verification on smartphone technology. Our digital needs require a continuous search for a cost-effective means of reducing fraud and gaining accurate USER information. BRIVAS accomplishes this with GPU and CLOUD processing at an extremely affordable and scalable approach. BRIVAS is able to pattern the events leading up to an authentication, then qualify a real-time, singular event data structure actually encrypted with our proprietary biometric facial verification technology.

brivas2The human face plays an important role in our social interaction, conveying people’s identity and now in BRIVAS’ man & machine binding qualities. Using identity as a key to security, coupled with trusted computing adds greater accuracy to the entire security system. As compared with other biometrics systems using fingerprint/palmprint and iris, face recognition has distinct advantages because of its non-contact process which leverages our streaming methods to detect liveness, intent to authenticate, 3D verification, and real-time contextual existence. Beyond authentication and verification, we hold patent pending on a unique method to generate secret encryption/decryption keys tied specifically to the unique architecture of an individual’s unique facial structure to generate keys. BRIVAS’ contextual face recognition process has a highly diverse range of applications, extending from crime fighting, border control, to access control for sensitive areas and (limited access control) that blend to a smart, elastic format to provide greater accuracy and assurances while keeping cost in mind Right now, we are implementing our solution in the electronic medical records industry for a one-touch release of people’s medical records. We would market to EMR/health technology companies who sell to Healthcare providers. we would be using the EMR/Health technology companies as a strategic partner channel to go after the Accountable Care Organizations, mid-sized and small hospitals and independent physician/clinics. To summarize, BRIVAS IDENTITY’ technology is the future and companies are quickly responding to the ease of use as well as the many different uses for it.