We assign the REMME project a “Positive” rating.
REMME is a project that uses blockchain technology and X.509 certificates to provide password-less authentication and user security. The traditional system of identification and authentication of nodes on the Internet has a centralized architecture with a number of shortcomings that are often exploited by intruders. REMME relies on a distributed database (blockchain) as the center for verifying certificates. As a result, users can use such certificates to authenticate on resources that use the REMME protocol, without traditional access methods in the form of logins and passwords.
The materials of the project convince us that the technical side of the subject area has been worked out in depth, which allowed the project team to create its own blockchain concept with public and private parts and advantages such as rapid recording of blockchain transactions and flexibility. The project team was the winner of the blockchain hackathon organized by Microsoft in 2017, confirming its high level of technical expertise.
The materials of the project, which have been presented in a variety of publications, show a professional approach to marketing. Activity in specialized news media helps to increase the level of trust in the project among potential clients.
The IoT market demonstrates a trend towards an increase in the volume and total number of devices. From our point of view, it represents a greater potential for the development of REMME compared to the other possible uses of this technology. The niche of projects that use a blockchain system to solve information security problems in one way or another is only being formed, and the key advantage for such projects will be technical capabilities, which are at a high level in REMME.
The project has Ukrainian roots and has received the support of the defense enterprise, Ukrinmash, in its homeland. The Token Sale was completed on the very first day of Public Sale, reaching the Hard Cap, which may indicate the participation of large investors or funds that are not advertised. REM token is a utility token, so its price will increase mainly due to the increasing value of the product for REMME users.
The REMME project works in the field of information security, specifically Identity and Access Management. For this purpose, it proposes to use the widely adopted X.509 certificates, which are issued independently by network nodes (master nodes), with information about them recorded in the blockchain. A certificate is revoked when its owner adds a predefined transaction to the blockchain. This allows users of the REMME protocol to verify certificates through the blockchain system, and to carry out a certificate substitution an attacker would have to cut the client off from all the nodes of the blockchain, which is technically difficult. In the traditional architecture of PKI (Public Key Infrastructure), there are CAs and other nodes that store information about the status of issued certificates. A CA certifies the identity of resource owners and issues certificates that users accept to authenticate the resource and establish a secure connection with the certificate holder. It is not possible to exclude certifying authorities as an element that certifies the identity of network nodes, but this approach is not applicable to end-user authentication. Services with certificates from a CA register their users themselves, and authentication takes place using the usual access attributes in the form of login and password. For ordinary users, storing a lot of logins and passwords is simply inconvenient, and REMME certificates would allow them to use the same certificate for authentication on a variety of resources, much as owners of CA certificates do towards their users.
The REMME project is holding an ICO with the aim of attracting funds for the development of its technology and brand. The project partners provide it with technical and legal support.
The project has reached the Hard Cap on the first day of Public Sale, which indicates possible investment from large players or funds in the project.
Type: The ICO is conducted with ERC20 tokens, which can then be exchanged for the project's own utility token in a 1:1 ratio.
Round 1: Public pre-sale (closed on 24.12.2017)
Soft Cap: $480k
Hard Cap: $3m
Round 2: Public sale
End: 13.03.2018 planned, Hard Cap was reached on 14.02.2018.
Hard Cap: $20m including pre-sale stage
Bonuses: Day 1-3 — 10%, Day 4-7 — 5%
Minimum Buying Transaction: 0.1 ETH
Maximum Buying Transaction: Day 1 — 15 ETH
Accepted currencies: BTC, ETH
Vesting: Partners and advisors — 10% of tokens will have 6 months vesting with 3 months cliff. Team and founders — 2 years vesting with 6 months cliff.
REMME provides its customers with the ability to use a security system based on X.509 digital certificates to communicate remotely over the Internet or a local area network. The released product avoids many technical problems that are inherent in the current PKI architecture.
Why do we need PKI? Let us start from the very beginning, namely with asymmetric encryption. Imagine that you and your friend need to secure your correspondence over an unprotected communication channel. You can use asymmetric encryption for this purpose. You generate an inseparable pair of equivalent keys, A and B, which are used for encryption and decryption. If a message is encrypted with the A key, it can be decrypted only with the B key and vice versa. You call the A key secret and store it in a place accessible only to you, and the B key is called public and is freely given to your friend. Before he sends a message to you, he encrypts it with the B key. Now an attacker who intercepts the encrypted message will not be able to read it, because this requires the A key, which only you have. Your friend generates his own secret and public key pair and passes his public key to you, and now you can safely maintain a remote correspondence with each other, with asymmetric encryption providing complete security. Another important feature of asymmetric encryption is the creation of an electronic signature. If you apply a special hash function to the letter, converting it into a set of symbols of a specified length called the hash (changing even one symbol of the letter changes the hash completely), then encrypt this hash with your secret key and attach it to the message, your friend will be able to decrypt your encrypted hash with your public key, compute the hash of the letter himself and compare the results. A match means that the letter, firstly, was sent by you and, secondly, was not changed. The weakness of the described process is not the encryption but the exchange of public keys. If you and your friend exchange keys at a personal meeting, all is well.
But if there are many participants, the exchange will take a lot of time. Also, if someone in a company has his secret key stolen, he will have to inform everyone about it personally. The PKI architecture was invented to identify websites on the Internet effectively. It takes on the task of verifying the identity of domain owners on the Internet so that an attacker cannot present himself under a false name and mislead the user.
How does PKI work? The main task of the PKI infrastructure is to confirm identity. This matters to the Internet user, who does not want an attacker to interact with him under the name of a legitimate resource. For this purpose, a special certification authority (CA), which is trusted by convention and whose public key the browser knows in advance, issues a certificate for the server. The certificate contains the server name, the server public key and the validity period of the certificate. All this is certified by the CA's electronic signature. The user enters the domain into the browser and goes to the server page. The server sends the user its CA-issued certificate, so the user understands that the public key from the certificate belongs to this server and that the certificate has not expired. A secure connection is established, and the user sees a green lock in the browser signaling security. Problems appear when the server is hacked and its secret key is revealed: the server owner revokes the certificate at the CA, i.e. stops its operation, and the user needs to somehow find out about it. There are solutions for such cases, but they require access to other sources where up-to-date information about the validity of certificates is stored, and if those sources are not available, the validity check may simply be skipped. REMME offers a new way of organizing the infrastructure that will remove many technical problems.
However, the PKI architecture does not include the ability to issue certificates for individual users. Their registration on resources is implemented by the resources themselves, and logins and passwords are most often used for authentication. Every time, a user must enter logins and passwords on the resources he uses, and these are often the same for several systems at once. To solve this problem, the REMME project developed its own blockchain system based on the Hyperledger Sawtooth framework. The essence is that participants generate a key pair for themselves, independently sign a certificate and write data about the certificate and the public key to the blockchain. To revoke a certificate, the participant must add a special transaction to the blockchain. Currently, users can set up a client profile on a service that uses the REMME protocol with a self-signed REMME certificate, without entering a login and password, and the same certificate can be used on all such services simultaneously. The certificate data and its validity are checked in the distributed blockchain, which rules out the possibility of an attacker blocking access to the source used to verify the certificate data.
It is important to note that it is impossible to exclude the presence of authorities, in the form of a CA or someone else, who would undertake the procedure of confirming the identity of participants. The materials of the project do not specify how the identity of the services is supposed to be checked. This could happen through the certification of REMME certificates. However, from our point of view, it is more likely that the generally accepted and legally recognized PKI architecture will remain stable for a long time and the services will receive certificates from a CA. The identity of a user who registers with a REMME client service must be verified by the service itself. It is important to understand that both the PKI architecture and the proposed REMME solution cover only the technical side of the issue. If an attacker gets access to the device and uses the authentication certificate, the resource cannot detect this. To reduce this risk, REMME suggests using two-factor authentication methods that will be integrated into the project, for example, via messengers.
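The registration, revocation and verification flow described above, combined with the signature check from the asymmetric-encryption explanation, as an added example in Go that is not REMME's code. The in-memory `Ledger`, its method names, the `revoke:` message format, the Ed25519 key type and the `Reachable` switch (which denies access when certificate status cannot be read, unlike the skipped check described for PKI) are all assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Ledger is a constructed in-memory stand-in for blockchain state (not REMME's data model).
type Ledger struct {
	Reachable bool // false simulates a verifier that cannot reach any node
	owner     map[[32]byte]ed25519.PublicKey
	revoked   map[[32]byte]bool
}

func NewLedger() *Ledger { return &Ledger{true, map[[32]byte]ed25519.PublicKey{}, map[[32]byte]bool{}} }

// SelfSigned issues a one-year self-signed X.509 certificate for name.
func SelfSigned(name string) ([]byte, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().AddDate(1, 0, 0)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return der, priv, err
}

// Register records the SHA-256 fingerprint and public key once the self-signature checks out.
func (l *Ledger) Register(der []byte) ([32]byte, error) {
	fp := sha256.Sum256(der)
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return fp, err
	}
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	if err := cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature); err != nil || !ok {
		return fp, errors.New("not an Ed25519 certificate signed by its own key")
	}
	l.owner[fp] = pub
	return fp, nil
}

// RevokeMessage is what the owner signs; Revoke accepts only a signature by the certificate's own key.
func RevokeMessage(fp [32]byte) []byte { return append([]byte("revoke:"), fp[:]...) }
func (l *Ledger) Revoke(fp [32]byte, sig []byte) error {
	pub, ok := l.owner[fp]
	if !ok || !ed25519.Verify(pub, RevokeMessage(fp), sig) {
		return errors.New("revocation rejected")
	}
	l.revoked[fp] = true
	return nil
}

// Authenticate replaces the password check: ledger status first, then proof of key possession.
func (l *Ledger) Authenticate(der, challenge, sig []byte) error {
	fp := sha256.Sum256(der)
	pub, ok := l.owner[fp]
	switch {
	case !l.Reachable:
		return errors.New("ledger unreachable, status unknown")
	case !ok || l.revoked[fp]:
		return errors.New("certificate unregistered or revoked")
	case !ed25519.Verify(pub, challenge, sig):
		return errors.New("challenge signature invalid")
	}
	return nil
}

func main() {
	l := NewLedger()
	der, priv, _ := SelfSigned("alice")
	fp, _ := l.Register(der)
	_ = l.Revoke(fp, ed25519.Sign(priv, RevokeMessage(fp)))
	fmt.Println("after revocation:", l.Authenticate(der, []byte("n"), ed25519.Sign(priv, []byte("n"))))
}
```

The service should issue a fresh random challenge for every login so that a captured signature cannot be replayed.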
REMME provides an opportunity for its customers to deploy a private blockchain or use a public one. In this case, the private blockchain system will be administered by the client themselves and only the nodes of this blockchain will have the rights to read and write transactions that apply to it. This can greatly simplify the administration of security in local networks of companies and organizations.
In our opinion, the development of technical solutions to ensure information security based on blockchain technology, which in many cases is associated with the notion of security, is viable. An analysis of the existing, and generally accepted, PKI architecture explicitly demonstrates the drawbacks of centralization, which can be successfully overcome by the REMME project.
Security problems are inherent in all networks, without exception, and clearly identifying all the market niches REMME can enter with its product is a rather complicated task. Unfortunately, the founders do not provide market research for target markets but only indicate the directions in which they see their niche (apparently in the medium term). We can try to analyze these market segments and make some assumptions. Before that, we must note a forecast showing that the number of M2M connections is projected to grow 3 times, from 1.1 billion in 2017 to 3.3 billion in 2021. This automatically raises the issue of ensuring the security of these connections. Outsourcing these responsibilities and freeing up resources to address the key issues of the business itself will be an optimal solution for many companies, and REMME services could not be more relevant.
REMME identifies the following areas on the website: critical infrastructure protection, Internet of things (IoT), health care and crypto exchanges. Let us consider them in order.
Critical Infrastructure. Security at facilities such as power plants or defense enterprises is the direct responsibility of the state. This means that they have specially developed internal regulations, state and international standards and recommendations. State-owned enterprises are extremely inert and only use time-proven methods. Moreover, decisions to change such standards are taken at a high level. Currently, REMME has already signed an agreement with the defense company, Ukrinmash. This means that in its home country, the project was able to convince public-sector representatives of the expediency of using its product. However, the prospects for introducing its services to ensure security at critical infrastructure facilities in other countries raise our doubts for the reasons already mentioned. This will require several years of successful work and proven positive results, as well as high-level communications with other countries to lobby for the product and change standards. In any case, from our point of view, it is too early to talk about the project entering the security markets at critical infrastructure facilities in other countries in the medium term.
IoT. The infrastructure of various devices and sensors in cars, smart homes or at an enterprise forms the Internet of things within its ecosystem. This allows using technologies of the 21st century in the form of remote monitoring. The incentive for the development of the technology has been the use of RFID tags, which allow identifying objects in the network and tracking their movement in real time. The RFID tags market is forecast to increase almost 1.4 times from $17.6 billion in 2018 to $24.5 billion in 2020. However, for all the advantages of IoT technology, it carries a lot of risks. Imagine that an attacker gains access to your smart home. This means that he will get full access to all sensors and cameras, can violate privacy completely and could even cause physical and material damage.
Statistics show that the size of the global Internet of Things market is increasing every year and will continue to grow. In 2014, the market volume was $601.2 billion, and it should reach $1,710.4 billion by 2019. The size of the installed base of devices connected to the Internet of things also shows steady growth and has a positive outlook for the future.
[Figure: Size of the global Internet of Things (IoT) market from 2009 to 2019 (in billion U.S. dollars)]
[Figure: Internet of Things (IoT) connected devices installed base worldwide from 2015 to 2025 (in billions)]
Obviously, the world market of IoT is growing and like any other growing market, it needs tools that simplify its scaling, reducing the effect of limiting factors. The issue of security and administration of access rights is one of the key issues for this area.
Health care and MedTech. Ensuring safe access to the medical information of individual citizens is becoming cheaper and more affordable with REMME. In theory, according to the founders, virtually the entire population of a country could have a special medical profile with the necessary information. In practice, the medical market differs from country to country. In the meantime, the transition to an authentication system from REMME may become possible for private network clinics that provide remote access to medical information for their patients. Such clinics frequently buy ready-made software solutions for keeping case histories. But these solutions do not always allow citizens to remotely access their medical information, which they could pass on to the attending physician in another, competing clinic. We could not find enough information to determine the total share of such clinics. It would be necessary to study the market of applications for the internal accounting of clinics to determine the REMME prospects in this direction. From our point of view, private clinics have no desire to transfer information about their patients' medical history to anyone without legislative compulsion. This is an exception rather than a trend, so in this case the market is not formed.
We consider EmerCoin the main competitor of REMME. The REMME blockchain gives the project the opportunity to make blockchain transactions much faster than the 10-30 minutes that it takes with EmerCoin. In our opinion, the project's ability to create a private blockchain for its customers is one of its greatest advantages. This means that companies or corporations that need corporate customization of their users' rights, and do not want anyone to be able to observe it in any way, get this opportunity. These customers pay for the issuance of the required number of certificates and for software maintenance, which allows them to administer their own unit fully.
Based on the presentations provided by EmerCoin and its capabilities, this project is primarily aimed at providing certificates for users who are authenticated on the resources that are included in the EmerCoin infrastructure. From this point of view, even waiting half an hour for the registration of a certificate in EmerCoin blockchain will not be a big problem, as the project offers the user the chance to issue a certificate for 5 years or more and then use it on all available resources. EmerCoin also provides other services, for example, acting as a DNS server. This means that the project acts as a DNS server and maps the name of the EmerCoin client server and its IP address, which is required at a technical level to connect to the server on the Internet. In this case, EmerCoin assumes CA responsibilities in the PKI architecture in order to identify the owners of these websites. REMME also presents the possibility to use self-signed certificates but focuses on examples when REMME clients pay for the issuance of certificates for their users, who will use the certificate exclusively on the resources of these customers.
We think that the provision of information security services with the help of blockchain, which eliminates the problems of centralization, is a rather promising direction, but it has only just appeared and is only beginning to gain momentum. New protocols and solutions must be formed and either replace the old ones or at least demonstrate their inadequacy. The existing niche provides space for several players, each of which will win its audience and customer base. Global security standards became such only after a long time, so the founders of REMME should not hope to win world fame, at least not in the medium term. However, the REMME project offers to get rid of many problems of the centralized PKI architecture.
The founder of the project is economist Alex Momot, and the co-founder is marketing specialist Kate Pospelova. Neither has experience in establishing or managing a large international business in the positions of top managers and, apparently, REMME is their first truly ambitious project. This fact is both a disadvantage and an advantage, as the new players in the niches, that are created by the relatively young technology of blockchain, should be enthusiasts of this technology.
Nevertheless, the qualification of the technical part of the project is obviously enough for an in-depth analysis of technology and implementation of the tasks set. In the documentation, the founders demonstrate an understanding of the technical problems that they may face, and intelligently explain the selected technical solutions that form the competitive advantages of the project. The professionalism of the team in technical matters is confirmed by them winning the Microsoft hackathon in 2017. The advisory board also includes high-level technical experts.
We got the impression that the founders focused on the technical details and opportunities that blockchain provides them but did not pay enough attention to market research due to their cooperation with organizations in the domestic market. According to the Roadmap, the concept was formulated by the founders in late 2016. In 2017 the MVP product was released and a memorandum of cooperation with Ukrinmash was signed. The market niche is only being formed and, apparently, during the life of the project, its founders focused on working out concepts for the needs of already existing customers, their desires and preferences. Here, in our opinion, the lack of experience in managing international projects affected the project, because after the ICO the team will need to conduct serious market research to develop an optimal and competent strategy for promoting the product.
Another assumption we can make is that the key marketing skills of the co-founder, Kate Pospelova, are related to the promotion of the product and the creation of its information support. You will find references to the project in a variety of specialized sources, which will certainly have a positive effect on potential customers of the company, who will look for references to the project in general. Unfortunately, the majority of them talk about the project in general terms and do not disclose the necessary details of how the project solves the existing technical problems of the PKI architecture, but this matters to the unprepared investor rather than to the internal security officer who will negotiate with the project team to conclude cooperation.
We would like to note that the project sold almost all the remaining tokens from the Pre-Sale on the first day of Public Sale. Despite the fact that on the first day of Public Sale there were restrictions of 15 ETH from one wallet, the project managed to collect more than 90% of Hard Cap in one day.
The ICO of the project is implemented with tokens based on ERC20, which is obviously done for the convenience of customers. The ERC20-based tokens can be converted to the project's own custom REM token. This functionality has yet to be implemented, but the founders assume that a special node that converts tokens will be running for this purpose.
REM is a utility token and it is used to pay for project services. Thus, a REMME online service client can pay for the issuance of certificates for its users, which will have a limited duration and will be accepted only by this service. Monetization also includes payment for services and software configuration. Commission at a rate of 0.1% is stipulated for the transfer of tokens between participants of the ecosystem. Any transaction for payment of services is distributed between the master nodes and REMME in a proportion that depends on the success of the ICO. The amount of collected funds has already exceeded $10 million, so the distribution of funds will have a proportion of 90%:10% in favor of the master node. In order to become a master node, there should be 250,000 REM tokens on the account.
A provision is made for prepayment for a certain number of certificates. This is an important point, since payment for the project services is made with reference to the current fiat rate. This means that REMME regularly determines the current rate of REM tokens and sets the price for issuing certificates in REM in accordance with fiat tariffs. Such a solution excludes the possibility of hedging risks. If the cost of project services were set in REM tokens, customers could purchase them in advance in order to protect themselves from unfavorable price movement of the token in the future. This could create additional demand at the first stages of project development, when customers who are ready for long-term cooperation would stock up on tokens for future use. Currently, such customers are forced either to buy certificates on prepayment or to postpone the purchase until it is immediately needed. On the other hand, such a connection between the cost of services and fiat currencies allows those types of business that are far from cryptocurrency to calculate their expenses in the usual way without particular difficulty, paying no attention to the REM price swings inherent in any cryptocurrency.
REM tokens are necessary for the ecosystem, primarily for the correct operation of the consensus algorithm, i.e. the mechanism for selecting the next master node of the network, which will write the next block. This is a utility token, and the current model cannot work without it.
REM is a utility token that is intended to pay for project services and, therefore, its cost will grow mainly due to the increase in the number of participants in the system. We predict a planned but still relatively slow increase in price. Unlike EmerCoin, whose cost of services is described in its own tokens, REM's price is tied to currencies. This allows us to assume that the volatility of REM will be less and without such peaks as EMC tokens have recently demonstrated. The fact is that customers will not have an incentive to buy tokens during a panic with a sharp increase regardless of the price of tokens because project services can be paid for at any time based on the prices in fiat.
We think that the business model of the project is adequate for its niche. The key factor in forming the price of services is the number of issued certificates. However, we should note one point. The project gives an example where a possible client (Crypto Exchange) issues certificates for its customers at $1 apiece for a year, and this certificate will only be valid for this exchange. The competing project, EmerCoin, according to its documentation, charges 0.25 EMC (approximately $1.04 as of February 2018) to issue a certificate valid for 5 years, which will be available for immediate authentication on all resources using the protocol. That proposition looks more profitable, at least at first glance. So the REMME project, as already mentioned above, will need to consider marketing components such as pricing carefully in order to compete successfully with its direct competitors.
The main risk of the project, in our opinion, is the inertia of large systems, which prevents them from adopting new technologies alongside old, established ones. The PKI architecture, even with the drawbacks of centralization, is still a common standard, which will be extremely difficult to change en masse. Consider that the SSL/TLS secure connection protocol used by HTTPS was developed in 1994 and formally described in a standard only in 2000.
There are risks that the emphasis of REMME may not work for customers who want to issue certificates only for their users. However, we assess these risks as low and the project will be able to adjust to the requirements of its potential customers with a comprehensive analysis of market requirements.
The legal side of the issue may prevent the project from obtaining clients in the form of financial companies, where the user authentication rules are often regulated at a legislative level. The same applies to government agencies. As for the rest, the project is subject to legal risks no more than other projects related to cryptocurrencies.
The information contained in the document is for informational purposes only. The views expressed in this document are solely the personal stance of the ICOrating Team, based on data from open access and information that developers provided to the team through Skype, email or other means of communication.
Our goal is to increase the transparency and reliability of the young ICO market and to minimize the risk of fraud.
We appreciate feedback with constructive comments, suggestions and ideas on how to make the analysis more comprehensive and informative.