Hi EMU,

In my previous job, I was one of the team members implementing
EAP-NOOB. I have now changed employers and work on something completely
different (Platform Security). I am following this draft out of
personal interest.

I appreciate the fact that the authors have taken the time to formally
verify the protocol. A paper from as recent as CCS 2018 (October):
https://papers.mathyvanhoef.com/ccs2018.pdf, shows new attacks in the Wi-Fi
4-way handshake protocol and recommends formally modelling 802.11.

I would however strongly recommend the authors of this document, and
others, to encrypt as many EAP messages as possible. For example, error
messages sent in EAP-NOOB are still in plaintext. Since these messages
usually cause one or the other side to change states, they should be
protected. 802.11, TLS and other protocols have been taking a similar
approach of encrypting as much as possible. As an example, 802.11 now
uses protected management frames.

Regards
Shiva
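To illustrate the point above about unprotected error messages driving state changes, here is an added example (not code from the EAP-NOOB draft or its implementation). It simulates a simplified peer state machine; the state names, message layout and the shared key are constructed assumptions, and integrity protection with an HMAC stands in for the cryptographic protection being recommended:

```python
import hashlib
import hmac
import json

# Constructed, simplified peer state machine; the state names and the
# message layout are assumptions, not EAP-NOOB's actual encoding.
STATES = ("Unregistered", "WaitingForOOB", "Registered")


def mac(key: bytes, msg: dict) -> str:
    """HMAC over every field of the message except the tag itself."""
    body = json.dumps({k: v for k, v in msg.items() if k != "mac"},
                      sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


class Peer:
    def __init__(self, key: bytes, require_protected_errors: bool):
        self.key = key
        self.require_protected_errors = require_protected_errors
        self.state = "WaitingForOOB"   # assumed mid-handshake state
        self.rejected = 0

    def handle_error(self, msg: dict) -> str:
        """Process an error message and return the resulting state."""
        if self.require_protected_errors:
            tag = msg.get("mac", "")
            if not hmac.compare_digest(tag, mac(self.key, msg)):
                self.rejected += 1       # unprotected or forged: ignore it
                return self.state
        self.state = "Unregistered"      # a genuine error resets the handshake
        return self.state


def simulate(require_protected_errors: bool) -> tuple:
    """Feed the peer one unauthenticated and one authenticated error."""
    shared_key = b"constructed-shared-key"   # assumption: key agreed earlier
    peer = Peer(shared_key, require_protected_errors)
    # Constructed error with no tag, as an on-path party without the key
    # could send it; with unprotected errors the peer's state is reset.
    unauthenticated = {"type": "error", "code": "example-code"}
    after_unauth = peer.handle_error(unauthenticated)
    # Constructed error from the legitimate server, carrying a valid tag.
    genuine = {"type": "error", "code": "example-code"}
    genuine["mac"] = mac(shared_key, genuine)
    after_genuine = peer.handle_error(genuine)
    return after_unauth, after_genuine, peer.rejected
```

With `simulate(False)` the unauthenticated error alone moves the peer to `Unregistered`; with `simulate(True)` it is discarded and only the authenticated error changes state.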

On ke, 2018-10-24 at 17:47 +0000, Aura Tuomas wrote:
> Dear all,
>  
> We have submitted a new version of our draft titled “Nimble
> out-of-band authentication for EAP (EAP-NOOB)”:
>  
> https://tools.ietf.org/html/draft-aura-eap-noob-04
>  
> The draft defines an EAP method where the authentication is based on
> a user-assisted out-of-band (OOB) channel between the server and
> peer. It is intended as a generic bootstrapping solution for
> Internet-of-Things devices which have no pre-configured
> authentication credentials and which are not yet registered on the
> authentication server.
>  
> What is new in version -04? Since the previous version, we have done
> extensive modeling and verification of the protocol and worked to
> resolve some discovered issues. We especially looked for
> denial-of-service conditions that may arise from dropped messages and
> other protocol failures, which both could be caused by a network
> attacker. Based on this analysis, we have rethought the recovery from
> dropped final messages. The error handling still needs some attention.
> In any case, the specification is in pretty good shape and ready for
> anyone to review.
>  
> The open-source implementation and the mCRL2 formal model are still
> based on the previous version but work is ongoing to update them:
> https://github.com/tuomaura/eap-noob
>  
> Emu is the working group that most closely matches our spec. Thus, we
> look forward to your feedback and comments here or in the wg meeting
> in a couple of weeks.
>  
> Regards,
> Tuomas
>  
> 
> 
> -----Original Message-----
> From: internet-dra...@ietf.org <internet-dra...@ietf.org> 
> Sent: Monday, 22 October, 2018 20:50
> To: Mohit Sethi <mo...@piuha.net>; Aura Tuomas <tuomas.a...@aalto.fi>
> Subject: New Version Notification for draft-aura-eap-noob-04.txt
> 
> 
> A new version of I-D, draft-aura-eap-noob-04.txt has been
> successfully submitted by Tuomas Aura and posted to the IETF
> repository.
> 
> Name:           draft-aura-eap-noob
> Revision:       04
> Title:          Nimble out-of-band authentication for EAP (EAP-NOOB)
> Document date:  2018-10-22
> Group:          Individual Submission
> Pages:          58
> URL:            https://www.ietf.org/internet-drafts/draft-aura-eap-noob-04.txt
> Status:         https://datatracker.ietf.org/doc/draft-aura-eap-noob/
> Htmlized:       https://tools.ietf.org/html/draft-aura-eap-noob-04
> Htmlized:       https://datatracker.ietf.org/doc/html/draft-aura-eap-noob
> Diff:           https://www.ietf.org/rfcdiff?url2=draft-aura-eap-noob-04
> 
> Abstract:
>    Extensible Authentication Protocol (EAP) provides support for
>    multiple authentication methods.  This document defines the
>    EAP-NOOB authentication method for nimble out-of-band (OOB)
>    authentication and key derivation.  This EAP method is intended
>    for bootstrapping all kinds of Internet-of-Things (IoT) devices
>    that have a minimal user interface and no pre-configured
>    authentication credentials.  The method makes use of a
>    user-assisted one-directional OOB channel between the peer device
>    and authentication server.
> 
> 
> Please note that it may take a couple of minutes from the time of
> submission until the htmlized version and diff are available at
> tools.ietf.org.
> 
> The IETF Secretariat
> 
> _______________________________________________
> Emu mailing list
> Emu@ietf.org
> https://www.ietf.org/mailman/listinfo/emu