The present disclosure relates to techniques for discovering and authenticating a peer based on a shared secret to establish a secure connection between electronic devices.
Financial legal transactions, for example involving reservations, quotes, payments, agreements and contracts, are often performed during face-to-face interactions. In principle, portable electronic devices, such as smartphones and tablet computers, can be useful tools in facilitating these interactions. For example, cellular telephones can be used to digitally capture content during an interaction, and then seamlessly integrate the content into backend systems, such as: legal or financial management systems, payment networks or banking systems.
However, in order to use portable electronic devices to facilitate face-to-face interactions, a secure communication typically has to be established between the participants' portable electronic devices. Usually, the portable electronic devices first need to find or discover each other. In order to be discoverable in a communication network, a portable electronic device or service typically needs to be advertised. This advertising may be achieved using a form of broadcast to all peers. Furthermore, advertising usually includes network-specific connection parameters of the advertising portable electronic device or service and a name that can be recognized by peer portable electronic devices, services, and/or their users.
In cases when there is no pre-existent trust relationship between the users or their portable electronic devices, there is no general mechanism that allows the peers to recognize each other and to establish a secure communication. When this occurs, a secure sessions can be established using a trusted third party. However, this can be problematic. In particular, the parties may not have a shared trusted third party, or the trusted third party may not be readily accessible at the time of the transaction (i.e., when the parties want to establish the secure connection).
Another possibility is to establish a direct peer-to-peer connection between the portable electronic devices. In order to establish a peer-to-peer connection between two portable electronic devices, the portable electronic devices need to be able to discover and authenticate each other. However, existing techniques for establishing secure communication between portable electronic devices are often cumbersome and/or impractical. For example, many techniques leverage trust between the participants or an offline certification authority. But these approaches may not be suitable when the participants have no prior direct or indirect trust relationship.
Alternatively, secure communication can be implemented using physical security, for example, by coupling the portable electronic devices using a physical cables, and restricting communication to just physically secured connections. However, this is often cumbersome and impractical due to absence of a universal cable to connect arbitrarily selected portable electronic devices.
In addition, several existing techniques for establishing a secure connection between portable electronic devices leverage additional capabilities, such as absolute time and location measurements, which are not available on all portable electronic devices, and which may not have sufficient resolution to reliably establish the secure connection. Techniques have also been proposed based on proximity of the portable electronic devices and shared information in the physical environment, such as images of bar-codes or audible information. However, these proposed techniques are complicated, and may be vulnerable to security breaches by a third party who intercepts the shared information.
This lack of lack of reliability and the usability problems make it difficult for users to conduct transactions via portable electronic devices.