How can two devices communicating over a secure channel come to a shared secret?
I have two Android devices running an app. The app uses the Bump API to exchange information with the goal of coming up with a shared secret for later use.
Specifically, the shared secret will later be sent to a central server where the devices are then registered as a "couple".
I came up with two types of solutions, but there must be other ones as well.
- Decide which of the two devices may generate the secret (e.g., by flipping a coin)
- Let both devices input a part of the secret and combine them (e.g., multiplying or XORing the two contributions)
What is the best solution for this situation?
--EDIT-- I'm not trying to communicate securely (I consider the Bump channel secure enough). Rather, I'm trying to find the most elegant solution to this specific issue.
Diffie-Hellman key exchange immediately comes to mind.
Each device generates random data equal in length to the shared secret and sends it to the other device. The shared secret is the XOR of these two parts.
Even if one device is broken and generates only zero strings, the shared secret will still be good.
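
The XOR scheme from the answer above, as an added example that is not part of the original posts. It goes one step beyond the answer by exchanging SHA-256 commitments before the contributions, so a device cannot choose its part after seeing the other's. The `Device` class, `run_exchange` and the 32-byte length are assumptions for illustration, and the Bump transport is simulated by direct calls.

```python
import hashlib
import hmac
import secrets

SECRET_LEN = 32  # bytes; assumed length, the page does not fix one


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("contributions must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


class Device:
    """One side of the exchange (hypothetical class, not a Bump API type)."""

    def __init__(self, broken=False):
        # A broken device contributes only zero bytes, as in the answer above.
        self.part = bytes(SECRET_LEN) if broken else secrets.token_bytes(SECRET_LEN)

    def commitment(self) -> bytes:
        # Sent first, so neither side can pick its part after seeing the other's.
        return hashlib.sha256(self.part).digest()

    def derive(self, peer_commitment: bytes, peer_part: bytes) -> bytes:
        # Check the revealed part against the commitment received earlier.
        if len(peer_part) != SECRET_LEN:
            raise ValueError("peer contribution has the wrong length")
        expected = hashlib.sha256(peer_part).digest()
        if not hmac.compare_digest(expected, peer_commitment):
            raise ValueError("peer contribution does not match its commitment")
        return xor_bytes(self.part, peer_part)


def run_exchange(a, b):
    """Simulate the two rounds: swap commitments, then swap parts."""
    commit_a, commit_b = a.commitment(), b.commitment()  # round 1
    secret_a = a.derive(commit_b, b.part)                # round 2
    secret_b = b.derive(commit_a, a.part)
    return secret_a, secret_b
```

With one broken device the result equals the working device's random part, which is why the secret is still good; with two broken devices it is all zeros.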