Comment by colmmacc
2 years ago
It's one thing for customers phones' wifi issues to be a problem, but it's an even worse problem if the scanner itself needs reliable connectivity. That makes me wonder if there is some kind of delegated deterministic derivation step in the secrets too (which wouldn't be obvious in this kind of analysis), so that the handheld scanners can avoid an on-line dependency.
They needed reliable connectivity in the previous scenario (checking barcodes against a central db) - they just setup a local private wifi network for the handsets and all the venue devices.
Otherwise I can't see how you would avoid replay attacks.
You can do time-based binding. Many TLS/Quic 0RTT take this approach; where the signature is only valid for a second or so. It's not as good as a real strike register, but probably ok for this kind of environment. Of course the barcodes would need to be more dynamic, but that's doable.