Contact Exchange Sequence
Interaction Type: IN-PERSON (Proximity Required)
Two users exchange contact cards by scanning QR codes while physically present together. Proximity is verified via ultrasonic audio handshake to prevent remote/screenshot attacks.
Participants
- Alice - User initiating exchange (displays QR)
- Alice's Device - Mobile/Desktop running Vauchi
- Bob - User completing exchange (scans QR)
- Bob's Device - Mobile/Desktop running Vauchi
- Relay - WebSocket relay server (fallback only)
Sequence Diagram
1. Alice -> Alice's Device: Tap "Share Contact"
2. Alice's Device: Generate ephemeral X25519 keypair
3. Alice's Device: Create exchange token (expires 5 min)
4. Alice's Device: Generate audio challenge seed
5. Alice's Device: Encode QR: [public_key, token, audio_challenge]
6. Alice's Device -> Alice: Display QR code
7. Bob -> Bob's Device: Open camera, scan QR
8. Bob's Device: Decode QR data
9. Bob's Device: Validate token not expired
10. Bob's Device: Extract Alice's public key

PROXIMITY VERIFICATION (Ultrasonic Audio)
11. Alice's Device: Emit ultrasonic challenge (18-20 kHz)
12. Bob's Device: Detect ultrasonic challenge
13. Bob's Device: Sign challenge with Bob's key
14. Bob's Device: Emit ultrasonic response
15. Alice's Device: Detect and verify response
16. Alice's Device: Confirm proximity
17. Bob's Device: Confirm proximity

X3DH KEY AGREEMENT
18. Bob's Device: Generate ephemeral X25519 keypair
19. Bob's Device -> Alice's Device: Send: [Bob's identity key, ephemeral key]
20. Alice's Device: X3DH: Derive shared secret
21. Alice's Device -> Bob's Device: Send: [Alice's identity key, ephemeral key]
22. Bob's Device: X3DH: Derive shared secret
Note (both devices): Both have identical shared secret

CONTACT CARD EXCHANGE
23. Alice's Device: Encrypt Alice's card with shared secret
24. Alice's Device -> Bob's Device: Send encrypted contact card
25. Bob's Device: Decrypt Alice's card
26. Bob's Device: Store Alice as contact
27. Bob's Device: Encrypt Bob's card with shared secret
28. Bob's Device -> Alice's Device: Send encrypted contact card
29. Alice's Device: Decrypt Bob's card
30. Alice's Device: Store Bob as contact
31. Alice's Device -> Alice: Exchange Successful
32. Bob's Device -> Bob: Exchange Successful
Note: Alice and Bob now have each other's contact cards
Data Exchanged
QR Code Contents
Binary format (v3) with WBEX magic bytes:
WBEX (4 bytes magic)
version (1 byte) = 0x03
Ed25519 public key (32 bytes)
X25519 exchange key (32 bytes)
exchange token (32 bytes)
audio_challenge seed (16 bytes)
creation timestamp (8 bytes)
name_len (2 bytes, big-endian)
name (N bytes, UTF-8)
flags (1 byte, bitfield)
[if bit 0] relay_url_len (2 bytes) + relay_url (M bytes)
[if bit 1] relay_noise_pubkey (32 bytes)
signature (64 bytes, Ed25519 over all preceding fields)
Minimum size (empty name, no relay fields): 192 bytes.
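A strict parser for the layout above, as an added example (not Vauchi's own code). It assumes the timestamp and `relay_url_len` are big-endian like `name_len`, that the 5-minute expiry is measured from the creation timestamp, and that undefined flag bits are rejected; `parse_wbex` and `build_sample` are hypothetical names.

```python
import struct

MAGIC, VERSION, TTL, SIG_LEN = b"WBEX", 0x03, 300, 64   # TTL: the page's 5-minute expiry
# Assumption: the 8-byte timestamp is big-endian Unix seconds, like name_len.
FIXED = struct.Struct(">4sB32s32s32s16sQH")              # 127 bytes up to name_len

def parse_wbex(buf: bytes, now: int, max_skew: int = 30) -> dict:
    """Strictly parse a v3 payload; raises ValueError on any malformed input."""
    if len(buf) < 192:
        raise ValueError("shorter than the 192-byte minimum")
    magic, ver, ed_pub, x_pub, token, seed, created, name_len = FIXED.unpack_from(buf)
    if magic != MAGIC or ver != VERSION:
        raise ValueError("bad magic or unsupported version")
    pos = FIXED.size

    def take(n: int) -> bytes:
        nonlocal pos
        if n > len(buf) - SIG_LEN - pos:      # never read into the signature
            raise ValueError("length field overruns payload")
        pos += n
        return buf[pos - n:pos]

    name = take(name_len).decode("utf-8")     # strict: UnicodeDecodeError is a ValueError
    flags = take(1)[0]
    if flags & ~0x03:                         # assumption: undefined flag bits are rejected
        raise ValueError("unknown flag bits")
    relay_url = take(struct.unpack(">H", take(2))[0]).decode("utf-8") if flags & 1 else None
    relay_key = take(32) if flags & 2 else None
    if len(buf) - pos != SIG_LEN:
        raise ValueError("unexpected bytes before signature")
    # Assumption: expiry is measured from the creation timestamp.
    if not created - max_skew <= now <= created + TTL:
        raise ValueError("token expired or timestamp in the future")
    return {"ed_pub": ed_pub, "x_pub": x_pub, "token": token, "audio_seed": seed,
            "name": name, "relay_url": relay_url, "relay_noise_pubkey": relay_key,
            "signed": buf[:pos], "signature": buf[pos:]}

def build_sample(created: int, name: str, relay_url: str = "") -> bytes:
    """Constructed test payload: dummy keys, all-zero (invalid) signature."""
    n, u = name.encode(), relay_url.encode()
    body = FIXED.pack(MAGIC, VERSION, b"\x01" * 32, b"\x02" * 32, b"\x03" * 32,
                      b"\x04" * 16, created, len(n)) + n
    body += bytes([1]) + struct.pack(">H", len(u)) + u if u else bytes([0])
    return body + bytes(SIG_LEN)
```

The parser only checks structure and freshness: verify `signature` over `signed` with an Ed25519 library before acting on any parsed field.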
Contact Card (Encrypted)
{
  "display_name": "Alice Smith",
  "fields": [
    {"type": "phone", "label": "Mobile", "value": "+1-555-1234"},
    {"type": "email", "label": "Personal", "value": "alice@example.com"}
  ],
  "signature": "Ed25519 signature of card"
}
Security Properties
| Property | Mechanism |
|---|---|
| Proximity | Ultrasonic audio (18-20 kHz) |
| No MITM | X3DH with identity keys |
| Forward Secrecy | Ephemeral keys discarded |
| Replay Prevention | One-time token, 5-min expiry |
| Card Authenticity | Ed25519 signature |
Failure Scenarios
Proximity Verification Fails
1. Alice's Device: Emit ultrasonic challenge
2. Bob's Device: No ultrasonic detected (too far)
3. Bob's Device: Proximity verification FAILED
4. Bob's Device: Proximity verification failed
Note (both devices): Exchange blocked - no cards exchanged
QR Code Expired
1. Bob's Device: Decode QR, check expiry
2. Bob's Device: Token expired
3. Bob's Device: QR code expired
Note (both devices): Alice must generate new QR
Platform Variations
| Platform | Proximity Method | Fallback |
|---|---|---|
| iOS ↔ iOS | Ultrasonic | Manual confirm |
| Android ↔ Android | Ultrasonic | Manual confirm |
| iOS ↔ Android | Ultrasonic | Manual confirm |
| Desktop ↔ Mobile | N/A (no mic) | Manual confirm |
| Desktop ↔ Desktop | N/A | Manual confirm |
Related Features
- Device Linking - Similar QR flow for linking devices
- Sync Updates - How card updates propagate after exchange