00076
02420
00076
Data Field | Description |
---|---|
Vers, Verp | EAP-NOOB protocol versions supported by the EAP server and the protocol version chosen by the peer. Vers is a JSON array of unsigned integers, and Verp is an unsigned integer. Example values are "[1]" and "1", respectively. |
PeerId | Peer identifier, as defined in |
NAI, NewNAI | Peer NAI and server-assigned new peer NAI, as defined in
|
Type | EAP-NOOB message type. The type is an integer in the range 0..9. EAP-NOOB requests and the corresponding responses share the same type value. |
PeerState | Peer state is an integer in the range 0..4 (see |
PKs, PKp | The public components of the ECDHE keys of the server and
peer. PKs and PKp are sent in the JSON Web Key (JWK) format |
Cryptosuites, Cryptosuitep | The identifiers of cryptosuites supported by the server and
of the cryptosuite selected by the peer. The server-supported cryptosuites in
Cryptosuites are formatted as a JSON array of the identifier integers. The
server |
Dirs, Dirp | An integer indicating the OOB channel directions supported by the server and the directions selected by the peer. The possible values are 1=peer-to-server, 2=server-to-peer, and 3=both directions. |
Dir | The actual direction of the OOB message (1=peer-to-server, 2=server-to-peer). This value is not sent over any communication channel, but it is included in the computation of the cryptographic fingerprint Hoob. |
Ns, Np | 32-byte nonces for the Initial Exchange. |
ServerInfo | This field contains information about the server to be passed
from the EAP method to the application layer in the peer. The information is
specific to the application or to the OOB channel, and it is encoded as a JSON
object of at most 500 bytes. It could include, for example, the access-network
name and server name, a Uniform Resource Locator (URL) |
PeerInfo | This field contains information about the peer to be passed from the EAP method to the application layer in the server. The information is specific to the application or to the OOB channel, and it is encoded as a JSON object of at most 500 bytes. It could include, for example, the peer brand, model, and serial number, which help the user distinguish between devices and deliver the OOB message to the correct peer through the out-of-band channel. |
SleepTime | The number of seconds for which the peer |
Noob | 16-byte secret nonce sent through the OOB channel and used for the session key derivation. The endpoint that received the OOB message uses this secret in the Completion Exchange to authenticate the exchanged key to the endpoint that sent the OOB message. |
Hoob | 16-byte cryptographic fingerprint (i.e., hash value) computed from all the parameters exchanged in the Initial Exchange and in the OOB message. Receiving this fingerprint over the OOB channel guarantees the integrity of the key exchange and parameter negotiation. Hence, it authenticates the exchanged key to the endpoint that receives the OOB message. |
NoobId | 16-byte identifier for the OOB message, computed with a one-way function from the nonce Noob in the message. |
MACs, MACp | Message authentication codes (HMAC) for mutual
authentication, key confirmation, and integrity check on the exchanged
information. The input to the HMAC is defined below, and the key for the HMAC
is defined in |
Ns2, Np2 | 32-byte nonces for the Reconnect Exchange. |
KeyingMode | Integer indicating the key derivation method. 0 in the Completion Exchange, and 1..3 in the Reconnect Exchange. |
PKs2, PKp2 | The public components of the ECDHE keys of the server and
peer for the Reconnect Exchange. PKp2 and PKs2 are sent in the JSON Web Key
(JWK) format |
MACs2, MACp2 | Message authentication codes (HMAC) for mutual
authentication, key confirmation, and integrity check on the Reconnect
Exchange. The input to the HMAC is defined below, and the key for the HMAC is
defined in |
ErrorCode | Integer indicating an error condition. Defined in |
ErrorInfo | Textual error message for logging and debugging purposes. A UTF-8 string of at most 500 bytes. |
Data Field | Value | Type |
---|---|---|
PeerId | Peer identifier allocated by server | UTF-8 string (typically 22 ASCII characters) |
Verp | Negotiated protocol version | integer |
Cryptosuitep | Negotiated cryptosuite | integer |
CryptosuitepPrev (at peer only) | Previous cryptosuite | integer |
NAI | NAI assigned by the server or configured by the user or the default NAI "noob@eap-noob.arpa" | UTF-8 string |
Kz | Persistent key material | 32 bytes |
KzPrev (at peer only) | Previous Kz value | 32 bytes |
KeyingMode | Description |
---|---|
0 | Completion Exchange (always with ECDHE) |
1 | Reconnect Exchange, rekeying without ECDHE |
2 | Reconnect Exchange, rekeying with ECHDE, no change in cryptosuite |
3 | Reconnect Exchange, rekeying with ECDHE, new cryptosuite negotiated |
KeyingMode | KDF input field | Value | Length (bytes) |
---|---|---|---|
0 Completion | Z | ECDHE shared secret from PKs and PKp | variable |
AlgorithmId | "EAP-NOOB" | 8 | |
PartyUInfo | Np | 32 | |
PartyVInfo | Ns | 32 | |
SuppPubInfo | (not allowed) | ||
SuppPrivInfo | Noob | 16 | |
1 Reconnect, rekeying without ECDHE | Z | Kz | 32 |
AlgorithmId | "EAP-NOOB" | 8 | |
PartyUInfo | Np2 | 32 | |
PartyVInfo | Ns2 | 32 | |
SuppPubInfo | (not allowed) | ||
SuppPrivInfo | (null) | 0 | |
2 or 3 Reconnect, rekeying, with ECDHE, same or new cryptosuite | Z | ECDHE shared secret from PKs2 and PKp2 | variable |
AlgorithmId | "EAP-NOOB" | 8 | |
PartyUInfo | Np2 | 32 | |
PartyVInfo | Ns2 | 32 | |
SuppPubInfo | (not allowed) | ||
SuppPrivInfo | Kz | 32 |
KeyingMode | KDF output bytes | Used as | Length (bytes) |
---|---|---|---|
0 Completion | 0..63 | MSK | 64 |
64..127 | EMSK | 64 | |
128..191 | AMSK | 64 | |
192..223 | MethodId | 32 | |
224..255 | Kms | 32 | |
256..287 | Kmp | 32 | |
288..319 | Kz | 32 | |
1 or 2 Reconnect, rekeying without ECDHE, or with ECDHE and unchanged cryptosuite | 0..63 | MSK | 64 |
64..127 | EMSK | 64 | |
128..191 | AMSK | 64 | |
192..223 | MethodId | 32 | |
224..255 | Kms2 | 32 | |
256..287 | Kmp2 | 32 | |
3 Reconnect, rekeying with ECDHE, new cryptosuite | 0..63 | MSK | 64 |
64..127 | EMSK | 64 | |
128..191 | AMSK | 64 | |
192..223 | MethodId | 32 | |
224..255 | Kms2 | 32 | |
256..287 | Kmp2 | 32 | |
288..319 | Kz | 32 |
Data Field | Description |
---|---|
Type | Type-tag string that can be used by the peer as a hint for how to interpret the ServerInfo contents. |
ServerName | String that may be used to aid human identification of the server. |
ServerURL | Prefix string when the OOB message is formatted as a URL, as
suggested in |
SSIDList | List of IEEE 802.11 wireless network service set identifier
(SSID) strings
used for roaming support, as suggested in |
Base64SSIDList | List of IEEE 802.11 wireless network identifier (SSID) strings
used for roaming support, as suggested in |
Data Field | Description |
---|---|
Type | Type-tag string that can be used by the server as a hint for how to interpret the PeerInfo contents. |
PeerName | String that may be used to aid human identification of the peer. |
Manufacturer | Manufacturer or brand string. |
Model | Manufacturer-specified model string. |
SerialNumber | Manufacturer-assigned serial number. |
MACAddress | Peer link-layer 48-bit extended unique identifier (EUI-48) in
the 12-digit base-16 form
|
SSID | IEEE 802.11 network SSID for channel binding. The SSID is an ASCII string. |
Base64SSID | IEEE 802.11 network SSID for channel binding. The SSID is
base64url encoded. Peer |
BSSID | Wireless network basic service set identifier (BSSID) (EUI-48)
in the 12-digit base-16 form
|
Cryptosuite | Algorithms |
---|---|
0 | Reserved |
1 | ECDHE curve Curve25519 |
2 | ECDHE curve NIST P-256 |
Message Type | Used in Exchange | Purpose |
---|---|---|
0 | Error | Error notification |
1 | All exchanges | PeerId and PeerState discovery |
2 | Initial | Version, cryptosuite, and parameter negotiation |
3 | Initial | Exchange of ECDHE keys and nonces |
4 | Waiting | Indication to the peer that the server has not yet received an OOB message |
5 | Completion | NoobId discovery |
6 | Completion | Authentication and key confirmation with HMAC |
7 | Reconnect | Version, cryptosuite, and parameter negotiation |
8 | Reconnect | Exchange of ECDHE keys and nonces |
9 | Reconnect | Authentication and key confirmation with HMAC |
Error code | Purpose |
---|---|
1001 | Invalid NAI |
1002 | Invalid message structure |
1003 | Invalid data |
1004 | Unexpected message type |
1005 | Invalid ECDHE key |
2001 | Unwanted peer |
2002 | State mismatch, user action required |
2003 | Unrecognized OOB message identifier |
2004 | Unexpected peer identifier |
3001 | No mutually supported protocol version |
3002 | No mutually supported cryptosuite |
3003 | No mutually supported OOB direction |
4001 | HMAC verification failure |
5001 | Application-specific error |
5002 | Invalid server info |
5003 | Invalid server URL |
5004 | Invalid peer info |
6001-6999 | Reserved for Private and Experimental Use |
Data Field | Specification |
---|---|
Type | RFC 9140, |
ServerName | RFC 9140, |
ServerURL | RFC 9140, |
SSIDList | RFC 9140, |
Base64SSIDList | RFC 9140, |
Data Field | Specification |
---|---|
Type | RFC 9140, |
PeerName | RFC 9140, |
Manufacturer | RFC 9140, |
Model | RFC 9140, |
SerialNumber | RFC 9140, |
MACAddress | RFC 9140, |
SSID | RFC 9140, |
Base64SSID | RFC 9140, |
BSSID | RFC 9140, |
Security Property | EAP-NOOB Claim |
---|---|
Authentication mechanism | ECDHE key exchange with out-of-band authentication |
Protected cryptosuite negotiation | yes |
Mutual authentication | yes |
Integrity protection | yes |
Replay protection | yes |
Confidentiality | no |
Key derivation | yes |
Key strength | The specified cryptosuites provide key strength of at least 128 bits. |
Dictionary attack protection | yes |
Fast reconnect | yes |
Cryptographic binding | not applicable |
Session independence | yes |
Fragmentation | no |
Channel binding | yes (The ServerInfo and PeerInfo can be used to convey integrity-protected channel properties, such as network SSID or peer MAC address.) |
Peer States | Exchange Chosen by the Server | Next Peer and Server States |
---|---|---|
Server State: Unregistered (0) | ||
0..2 | Initial Exchange | both 1 (0 on error) |
3 | - | no change, notify user |
Server State: Waiting for OOB (1) | ||
0 | Initial Exchange | both 1 (0 on error) |
1 | Waiting Exchange | both 1 (no change on error) |
2 | Completion Exchange | both 4 (A) |
3 | - | no change, notify user |
Server State: OOB Received (2) | ||
0 | Initial Exchange | both 1 (0 on error) |
1 | Completion Exchange | both 4 (B) |
2 | Completion Exchange | both 4 (A) |
3 | - | no change, notify user |
Server State: Reconnecting (3) or Registered (4) | ||
0..2 | - | no change, notify user |
3 | Reconnect Exchange | both 4 (3 on error) |
Server/Peer State | Possible Local Events in the Server and Peer | Next State |
---|---|---|
1 | OOB Output | 1 |
1 | OOB Input | 2 (1 on error) |
0..2 | Mobility/timeout/network failure | 0 |
3..4 | Mobility/timeout/network failure | 3 |
3..4 | Rekeying request | 3 |
0..4 | User resets association | 0 |
0..4 | Association state recovery | 3 |
Parameter | Description |
---|---|
OobDirs | Allowed directions of the OOB channel. |
OobMessageEncoding | How the OOB message data fields are encoded for the OOB channel. |
SleepTimeDefault | Default minimum time in seconds that the peer should sleep before the next Waiting Exchange. |
OobRetries | Number of received OOB messages with invalid Hoob, after which the
receiver moves to Unregistered (0) state. When the OOB channel has error detection
or correction, the |
NoobTimeout | How many seconds the sender of the OOB message remembers the sent
Noob value. The |
ServerInfoType | The value of the Type field and the other required fields in ServerInfo. |
PeerInfoType | The value of the Type field and the other required fields in PeerInfo. |
00076
02420
00076