DDoS Attack Mitigation

TrustCentral (TC) uses its Inviter-Invitee Protocol to authenticate the identity of remote IoT endpoints and establish an authenticated relationship between those endpoints.  The TC Attribute Authority acts as the vital trusted third party in this process.

The result of the Inviter-Invitee process is the establishment of a Certificate-Enforced Relationship (CER) between the paired endpoints.  Each established CER includes an appropriate digital agreement between the endpoints (which may include business logic).


TC embeds nonces and pubic keys into these long-lived CER certificates with per-pairing encryption details.  CER certificates are established before any subsequent live communications protocol attempt occurs between the endpoints (and thus before nonces are normally used).  TC’s use of long-lived certificate-pairs-per-device introduces a new benefit over SSH and TLS. For a typical interactive connection, SSH uses a nonce every time (as TC does) however, TC also use nonces and public keys in the initial CER trust setup.  Because SSH does no advance trust set up, SSH must then “Trust on First Use”(TOFU).

TC brings a fundamental improvement to the application of SSH (and TLS) between endpoints by moving to a paradigm using embedded, long-lived pre-pairing (i.e., CER’s) resulting in TC’s new principal of “Trusted Before First Use”.

Thus an endpoint can authenticate a remote endpoint attempting to establish live communication with it beforeentering into a communication protocol thus eliminating the commencement of a DDoS attack (when there’s no live communications protocol, there’s no DDoS attack opening).

Beyond DDoS protection, an endpoint only enters into a communication protocol with other endpoints with which it has a pre-paired CER endpoints also benefit from “PKI-Enforced Whitelisting.