I'm trying to do the following:
I have 2 mobile devices, one acts as a server and the second as a client.
The server device holds a secret key and advertises a challenge. Each request causes the challenge to change.
The client device holds data (an integer value) encrypted with this key, but the client does not have the key.
The 2 devices communicate via BT.
The client generates a response to challenge according to a known algorithm, sends the data to the server, the server verify the response, decrypt the data, deduct a certain value from it, encrypts the new data and send it back to the client.
I'm trying to protect the data in the client from being reused again (for example, the client will store the encrypted data, perform the transaction to the server, receive the response, and then use the old data again).
The limitations:
- I can not store the client data in the server - the server only calculates the new value and return it.
- The client must be offline (the value can not be stored on some HTTP server).
- I must not store keys on the client.
Is there a way to do so? My brain is practically smoking already, but every idea I can come up with fails due to the fact that the response algorithm is not confidential, so as far as I can see it, every client could reuse old data.
Just to be clear, I'm not looking for a full solution, just some directions and brain storming.
