SUIT B. Moran Internet-Draft Arm Limited Intended status: Standards Track Ø. Rønningstad Expires: 11 December 2025 Nordic Semiconductor A. Tsukamoto Openchip & Software Technologies, S.L. 9 June 2025 Cryptographic Algorithm Recommendations for Software Updates of Internet of Things Devices draft-ietf-suit-mti-17 Abstract This document specifies cryptographic algorithm profiles to be used with the Software Updates for Internet of Things (suit) manifest. These profiles define mandatory-to-implement algorithms to ensure interoperability. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on 11 December 2025. Copyright Notice Copyright (c) 2025 IETF Trust and the persons identified as the document authors. All rights reserved. Moran, et al. Expires 11 December 2025 [Page 1] Internet-Draft SUIT Algorithm Recommendations June 2025 This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Conventions and Definitions . . . . . . . . . . . . . . . . . 3 3. Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . 3 3.1. Symmetric MTI profile: suit-sha256-hmac-a128kw-a128ctr . . . . . . . . . . . . . 4 3.2. Current Constrained Asymmetric MTI Profile 1: suit-sha256-esp256-ecdh-a128ctr . . . . . . . . . . . . . 4 3.3. Current Constrained Asymmetric MTI Profile 2: suit-sha256-ed25519-ecdh-a128ctr . . . . . . . . . . . . 5 3.4. Current AEAD Asymmetric MTI Profile 1: suit-sha256-esp256-ecdh-a128gcm . . . . . . . . . . . . . 5 3.5. Current AEAD Asymmetric MTI Profile 2: suit-sha256-ed25519-ecdh-chacha-poly . . . . . . . . . . 6 3.6. Future Constrained Asymmetric MTI Profile: suit-sha256-hsslms-a256kw-a256ctr . . . . . . . . . . . . 6 4. Reporting Profiles . . . . . . . . . . . . . . . . . . . . . 7 5. Security Considerations . . . . . . . . . . . . . . . . . . . 7 5.1. Payload Encryption as Part of a Defense-in-Depth Strategy . . . . . . . . . . . . . . . . . . . . . . . . 7 5.2. Use of AES-CTR in Payload Encryption . . . . . . . . . . 8 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 7.1. Normative References . . . . . . . . . . . . . . . . . . 10 7.2. Informative References . . . . . . . . . . . . . . . . . 10 Appendix A. Full CDDL . . . . . . . . . . . . . . . . . . . . . 11 Appendix B. Acknowledgments . . . . . . . . . . . . . . . . . . 14 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 14 1. Introduction This document defines algorithm profiles for SUIT manifest parsers and authors to promote interoperability in constrained node software update scenarios. These profiles specify sets of mandatory-to- implement (MTI) algorithms tailored to the evolving security landscape, acknowledging that cryptographic requirements may change over time. To accommodate this, algorithms are grouped into profiles, which may be updated or deprecated as needed. Moran, et al. Expires 11 December 2025 [Page 2] Internet-Draft SUIT Algorithm Recommendations June 2025 This document defines the following MTI profiles for constrained environments: * One symmetric MTI profile * Two "current" constrained asymmetric MTI profiles * Two "current" AEAD asymmetric MTI profiles * One "future" constrained asymmetric MTI profile The terms "current" and "future" distinguish between traditional cryptographic algorithms and those believed to be secure against both classical and quantum computer-based attacks, respectively. At least one algorithm in each category must be FIPS-validated. Due to the asymmetric nature of SUIT deployments—where manifest authors are typically resource-rich and recipients are resource- constrained—the cryptographic requirements differ for each role. This specification uses AES-CTR in combination with a digest algorithm, as defined in [RFC9459], to support use cases that require out-of-order block reception and decryption-capabilities not offered by AEAD algorithms. For further discussion of these constrained use cases, see Section 5.2. Other SUIT use cases (see [I-D.ietf-suit-manifest]) may define different profiles. 2. Conventions and Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. The abbreviation SUIT stands for Software Updates for the Internet of Things and specifically addresses the requirements of constrained devices and networks, as described in [RFC9019]. 3. Profiles Each profile consist of algorithms from the following categories: * Digest Algorithms * Authentication Algorithms Moran, et al. Expires 11 December 2025 [Page 3] Internet-Draft SUIT Algorithm Recommendations June 2025 * Key Exchange Algorithms (optional) * Encryption Algorithms (optional) Each profile references specific algorithm identifiers, as defined in [IANA-COSE]. Since these algorithm identifiers are used in the context of the IETF SUIT manifest [I-D.ietf-suit-manifest], they are represented using CBOR Object Signing and Encryption (COSE) structures as defined in [RFC9052] and [RFC9053]. The use of the profiles by authors and recipients is based on the following assumptions: * Recipients MAY choose which MTI profile they wish to implement. It is RECOMMENDED that they implement the "Future" Asymmetric MTI profile. Recipients MAY implement any number of other profiles not defined in this document. Recipients MAY choose not to implement encryption and the corresponding key exchange algorithms if they do not intend to support encrypted payloads. * Authors MUST implement all MTI profiles. Authors MAY implement any number of additional profiles. 3.1. Symmetric MTI profile: suit-sha256-hmac-a128kw-a128ctr +================+=================+==========+ | Algorithm Type | Algorithm | COSE Key | +================+=================+==========+ | Digest | SHA-256 | -16 | +----------------+-----------------+----------+ | Authentication | HMAC-256 | 5 | +----------------+-----------------+----------+ | Key Exchange | A128KW Key Wrap | -3 | +----------------+-----------------+----------+ | Encryption | A128CTR | -65534 | +----------------+-----------------+----------+ Table 1 3.2. Current Constrained Asymmetric MTI Profile 1: suit-sha256-esp256- ecdh-a128ctr +================+==================+==========+ | Algorithm Type | Algorithm | COSE Key | +================+==================+==========+ | Digest | SHA-256 | -16 | +----------------+------------------+----------+ | Authentication | ESP256 | -9 | Moran, et al. Expires 11 December 2025 [Page 4] Internet-Draft SUIT Algorithm Recommendations June 2025 +----------------+------------------+----------+ | Key Exchange | ECDH-ES + A128KW | -29 | +----------------+------------------+----------+ | Encryption | A128CTR | -65534 | +----------------+------------------+----------+ Table 2 3.3. Current Constrained Asymmetric MTI Profile 2: suit-sha256-ed25519- ecdh-a128ctr +================+==================+==========+ | Algorithm Type | Algorithm | COSE Key | +================+==================+==========+ | Digest | SHA-256 | -16 | +----------------+------------------+----------+ | Authentication | Ed25519 | -19 | +----------------+------------------+----------+ | Key Exchange | ECDH-ES + A128KW | -29 | +----------------+------------------+----------+ | Encryption | A128CTR | -65534 | +----------------+------------------+----------+ Table 3 3.4. Current AEAD Asymmetric MTI Profile 1: suit-sha256-esp256-ecdh- a128gcm +================+==================+==========+ | Algorithm Type | Algorithm | COSE Key | +================+==================+==========+ | Digest | SHA-256 | -16 | +----------------+------------------+----------+ | Authentication | ESP256 | -9 | +----------------+------------------+----------+ | Key Exchange | ECDH-ES + A128KW | -29 | +----------------+------------------+----------+ | Encryption | A128GCM | 1 | +----------------+------------------+----------+ Table 4 Moran, et al. Expires 11 December 2025 [Page 5] Internet-Draft SUIT Algorithm Recommendations June 2025 3.5. Current AEAD Asymmetric MTI Profile 2: suit-sha256-ed25519-ecdh- chacha-poly +================+===================+==========+ | Algorithm Type | Algorithm | COSE Key | +================+===================+==========+ | Digest | SHA-256 | -16 | +----------------+-------------------+----------+ | Authentication | Ed25519 | -19 | +----------------+-------------------+----------+ | Key Exchange | ECDH-ES + A128KW | -29 | +----------------+-------------------+----------+ | Encryption | ChaCha20/Poly1305 | 24 | +----------------+-------------------+----------+ Table 5 3.6. Future Constrained Asymmetric MTI Profile: suit-sha256-hsslms- a256kw-a256ctr +================+===========+==========+ | Algorithm Type | Algorithm | COSE Key | +================+===========+==========+ | Digest | SHA-256 | -16 | +----------------+-----------+----------+ | Authentication | HSS-LMS | -46 | +----------------+-----------+----------+ | Key Exchange | A256KW | -5 | +----------------+-----------+----------+ | Encryption | A256CTR | -65532 | +----------------+-----------+----------+ Table 6 A note regarding the use of HSS-LMS: The decision as to how deep the tree is, is a decision that affects authoring tools only (see [RFC8778]). Verification is not affected by the choice of the "W" parameter, but the size of the signature is affected. To support the long lifetimes required by IoT devices, it is RECOMMENDED to use trees with greater height (see Section 2.2 of [RFC8778]). Moran, et al. Expires 11 December 2025 [Page 6] Internet-Draft SUIT Algorithm Recommendations June 2025 4. Reporting Profiles When using Manifest Recipients Response communication, particularly data structures that are designed for reporting of update capabilities, status, progress, or success, the same profile as the is used on the SUIT manifest SHOULD be used. There are cases where this is not possible, such as suit-sha256-hsslms-a256kw-a256ctr. In this case, the closest equivalent profile SHOULD be used, for example suit-sha256-esp256-ecdh-a128ctr. 5. Security Considerations Payload encryption is often used to protect Intellectual Property (IP) and Personally Identifying Information (PII) in transit. The primary function of payload in SUIT is to act as a defense against passive IP and PII snooping. By encrypting payloads, confidential IP and PII can be protected during distribution. However, payload encryption of firmware or software updates of a commodity device is not a cybersecurity defense against targetted attacks on that device. 5.1. Payload Encryption as Part of a Defense-in-Depth Strategy To define the purpose of payload encryption as a defensive cybersecurity tool, it is important to define the capabilities of modern threat actors. A variety of capabilities are possible: * find bugs by binary code inspection * send unexpected data to communication interfaces, looking for unexpected behavior * use fault injection to bypass or manipulate code * use communication attacks or fault injection along with gadgets found in the code Given this range of capabilities, it is important to understand which capabilities are impacted by firmware encryption. Threat actors who find bugs by manual inspection or use gadgets found in the code will need to first extract the code from the target. In the IoT context, it is expected that most threat actors will start with sample devices and physical access to test attacks. Due to these factors, payload encryption serves to limit the pool of attackers to those who have the technical capability to extract code from physical devices and those who perform code-free attacks. Moran, et al. Expires 11 December 2025 [Page 7] Internet-Draft SUIT Algorithm Recommendations June 2025 5.2. Use of AES-CTR in Payload Encryption AES-CTR mode with a digest is specified, see [RFC9459]. All of the AES-CTR security considerations in [RFC9459] apply. A non-AEAD encryption mode is specified in this specification due to the following mitigating circumstances: * Out-of-order decryption must be supported. Therefore, we must use a stream cipher that supports random access. * Chosen plaintext attacks are extremely difficult to achieve, since the payloads are typically constructed in a relatively secure environment--the developer's computer or build infrastructure--and should be signed in an air-gapped or similarly protected environment. In short, the plaintext is authenticated prior to encryption. * Content Encryption Keys must be used to encrypt only once. See [I-D.ietf-suit-firmware-encryption] for additional background information. As a result of these mitigating circumstances, AES-CTR is an acceptable cipher for typical software/firmware delivery scenarios. 6. IANA Considerations IANA is requested to create a page for COSE Algorithm Profiles within the category for Software Update for the Internet of Things (SUIT) IANA is also requested to create a registry for COSE Algorithm Profiles within this page. The initial content of the registry is: Moran, et al. Expires 11 December 2025 [Page 8] Internet-Draft SUIT Algorithm Recommendations June 2025 +===============+=========+======+====+========+==========+==========+=========+ |Profile |Status |Digest|Auth|Key |Encryption|Descriptor|Reference| | | | | |Exchange| |Array | | +===============+=========+======+====+========+==========+==========+=========+ |suit-sha256- |MANDATORY|-16 |5 |-3 |-65534 |[-16, 5, |Section | |hmac-a128kw- | | | | | |-3, |3.1 | |a128ctr | | | | | |-65534] | | +---------------+---------+------+----+--------+----------+----------+---------+ |suit- |MANDATORY|-16 |-9 |-29 |-65534 |[-16, -9, |Section | |sha256-esp256- | | | | | |-29, |3.2 | |ecdh-a128ctr | | | | | |-65534] | | +---------------+---------+------+----+--------+----------+----------+---------+ |suit- |MANDATORY|-16 |-19 |-29 |-65534 |[-16, -19,|Section | |sha256-ed25519-| | | | | |-29, |3.3 | |ecdh-a128ctr | | | | | |-65534] | | +---------------+---------+------+----+--------+----------+----------+---------+ |suit- |MANDATORY|-16 |-9 |-29 |1 |[-16, -9, |Section | |sha256-esp256- | | | | | |-29, 1] |3.4 | |ecdh-a128gcm | | | | | | | | +---------------+---------+------+----+--------+----------+----------+---------+ |suit- |MANDATORY|-16 |-19 |-29 |24 |[-16, -19,|Section | |sha256-ed25519-| | | | | |-29, 24] |3.5 | |ecdh-chacha- | | | | | | | | |poly | | | | | | | | +---------------+---------+------+----+--------+----------+----------+---------+ |suit-sha256- |MANDATORY|-16 |-46 |-5 |-65532 |[-16, -46,|Section | |hsslms-a256kw- | | | | | |-5, |3.6 | |a256ctr | | | | | |-65532] | | +---------------+---------+------+----+--------+----------+----------+---------+ Table 7 New entries to this registry require Standards Action. A recipient device that claims conformance to this document will have implemented at least one of the above algorithms. As time progresses, if entries are removed from mandatory status, they will become SHOULD, MAY and then possibly NOT RECOMMENDED for new implementation. However, as it may be impossible to update the SUIT manifest processor in the field, support for all relevant algorithms will almost always be required by authoring tools. When new algorithms are added by subsequent documents, the device and authoring tools will then claim conformance to those new documents. 7. References Moran, et al. Expires 11 December 2025 [Page 9] Internet-Draft SUIT Algorithm Recommendations June 2025 7.1. Normative References [I-D.ietf-suit-manifest] Moran, B., Tschofenig, H., Birkholz, H., Zandberg, K., and O. Rønningstad, "A Concise Binary Object Representation (CBOR)-based Serialization Format for the Software Updates for Internet of Things (SUIT) Manifest", Work in Progress, Internet-Draft, draft-ietf-suit-manifest-34, 28 May 2025, . [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, . [RFC8778] Housley, R., "Use of the HSS/LMS Hash-Based Signature Algorithm with CBOR Object Signing and Encryption (COSE)", RFC 8778, DOI 10.17487/RFC8778, April 2020, . [RFC9052] Schaad, J., "CBOR Object Signing and Encryption (COSE): Structures and Process", STD 96, RFC 9052, DOI 10.17487/RFC9052, August 2022, . [RFC9459] Housley, R. and H. Tschofenig, "CBOR Object Signing and Encryption (COSE): AES-CTR and AES-CBC", RFC 9459, DOI 10.17487/RFC9459, September 2023, . 7.2. Informative References [I-D.ietf-suit-firmware-encryption] Tschofenig, H., Housley, R., Moran, B., Brown, D., and K. Takayama, "Encrypted Payloads in SUIT Manifests", Work in Progress, Internet-Draft, draft-ietf-suit-firmware- encryption-24, 19 March 2025, . [IANA-COSE] "CBOR Object Signing and Encryption (COSE)", 2022, . Moran, et al. Expires 11 December 2025 [Page 10] Internet-Draft SUIT Algorithm Recommendations June 2025 [RFC9019] Moran, B., Tschofenig, H., Brown, D., and M. Meriac, "A Firmware Update Architecture for Internet of Things", RFC 9019, DOI 10.17487/RFC9019, April 2021, . [RFC9053] Schaad, J., "CBOR Object Signing and Encryption (COSE): Initial Algorithms", RFC 9053, DOI 10.17487/RFC9053, August 2022, . Appendix A. Full CDDL The following CDDL creates a subset of COSE for use with SUIT. Both tagged and untagged messages are defined. SUIT only uses tagged COSE messages, but untagged messages are also defined for use in protocols that share a ciphersuite with SUIT. To be valid, the following CDDL MUST have the COSE CDDL appended to it. The COSE CDDL can be obtained by following the directions in [RFC9052], Section 1.4. SUIT_COSE_tool_tweak /= suit-sha256-hmac-a128kw-a128ctr SUIT_COSE_tool_tweak /= suit-sha256-esp256-ecdh-a128ctr SUIT_COSE_tool_tweak /= suit-sha256-ed25519-ecdh-a128ctr SUIT_COSE_tool_tweak /= suit-sha256-esp256-ecdh-a128gcm SUIT_COSE_tool_tweak /= suit-sha256-ed25519-ecdh-chacha-poly SUIT_COSE_tool_tweak /= suit-sha256-hsslms-a256kw-a256ctr SUIT_COSE_tool_tweak /= SUIT_COSE_Profiles SUIT_COSE_Profiles /= SUIT_COSE_Profile_HMAC_A128KW_A128CTR SUIT_COSE_Profiles /= SUIT_COSE_Profile_ESP256_ECDH_A128CTR SUIT_COSE_Profiles /= SUIT_COSE_Profile_ED25519_ECDH_A128CTR SUIT_COSE_Profiles /= SUIT_COSE_Profile_ESP256_ECDH_A128GCM SUIT_COSE_Profiles /= SUIT_COSE_Profile_ED25519_ECDH_CHACHA20_POLY1304 SUIT_COSE_Profiles /= SUIT_COSE_Profile_HSSLMS_A256KW_A256CTR suit-sha256-hmac-a128kw-a128ctr = [-16, 5, -3, -65534] suit-sha256-esp256-ecdh-a128ctr = [-16, -9, -29, -65534] suit-sha256-ed25519-ecdh-a128ctr = [-16, -19, -29, -65534] suit-sha256-esp256-ecdh-a128gcm = [-16, -9, -29, 1] suit-sha256-ed25519-ecdh-chacha-poly = [-16, -19, -29, 24] suit-sha256-hsslms-a256kw-a256ctr = [-16, -46, -5, -65532] SUIT_COSE_Profile_HMAC_A128KW_A128CTR = SUIT_COSE_Profile<5,-65534> .and COSE_Messages SUIT_COSE_Profile_ESP256_ECDH_A128CTR = SUIT_COSE_Profile<-9,-65534> .and COSE_Messages SUIT_COSE_Profile_ED25519_ECDH_A128CTR = SUIT_COSE_Profile<-19,-65534> .and COSE_Messages Moran, et al. Expires 11 December 2025 [Page 11] Internet-Draft SUIT Algorithm Recommendations June 2025 SUIT_COSE_Profile_ESP256_ECDH_A128GCM = SUIT_COSE_Profile<-9,1> .and COSE_Messages SUIT_COSE_Profile_ED25519_ECDH_CHACHA20_POLY1304 = SUIT_COSE_Profile<-19,24> .and COSE_Messages SUIT_COSE_Profile_HSSLMS_A256KW_A256CTR = SUIT_COSE_Profile<-46,-65532> .and COSE_Messages SUIT_COSE_Profile = SUIT_COSE_Messages SUIT_COSE_Messages = SUIT_COSE_Untagged_Message / SUIT_COSE_Tagged_Message SUIT_COSE_Untagged_Message = SUIT_COSE_Sign / SUIT_COSE_Sign1 / SUIT_COSE_Encrypt / SUIT_COSE_Encrypt0 / SUIT_COSE_Mac / SUIT_COSE_Mac0 SUIT_COSE_Tagged_Message = SUIT_COSE_Sign_Tagged / SUIT_COSE_Sign1_Tagged / SUIT_COSE_Encrypt_Tagged / SUIT_COSE_Encrypt0_Tagged / SUIT_COSE_Mac_Tagged / SUIT_COSE_Mac0_Tagged ; Note: This is not the same definition as is used in COSE. ; It restricts a COSE header definition further without ; repeating the COSE definition. It should be merged ; with COSE by using the CDDL .and operator. SUIT_COSE_Profile_Headers = ( protected : bstr .cbor SUIT_COSE_alg_map, unprotected : SUIT_COSE_header_map ) SUIT_COSE_alg_map = { 1 => algid, * int => any } SUIT_COSE_header_map = { * int => any } SUIT_COSE_Sign_Tagged = #6.98(SUIT_COSE_Sign) SUIT_COSE_Sign = [ SUIT_COSE_Profile_Headers, payload : bstr / nil, signatures : [+ SUIT_COSE_Signature] ] Moran, et al. Expires 11 December 2025 [Page 12] Internet-Draft SUIT Algorithm Recommendations June 2025 SUIT_COSE_Signature = [ SUIT_COSE_Profile_Headers, signature : bstr ] SUIT_COSE_Sign1_Tagged = #6.18(SUIT_COSE_Sign1) SUIT_COSE_Sign1 = [ SUIT_COSE_Profile_Headers, payload : bstr / nil, signature : bstr ] SUIT_COSE_Encrypt_Tagged = #6.96(SUIT_COSE_Encrypt) SUIT_COSE_Encrypt = [ SUIT_COSE_Profile_Headers, ciphertext : bstr / nil, recipients : [+SUIT_COSE_recipient] ] SUIT_COSE_recipient = [ SUIT_COSE_Profile_Headers, ciphertext : bstr / nil, ? recipients : [+SUIT_COSE_recipient] ] SUIT_COSE_Encrypt0_Tagged = #6.16(SUIT_COSE_Encrypt0) SUIT_COSE_Encrypt0 = [ SUIT_COSE_Profile_Headers, ciphertext : bstr / nil, ] SUIT_COSE_Mac_Tagged = #6.97(SUIT_COSE_Mac) SUIT_COSE_Mac = [ SUIT_COSE_Profile_Headers, payload : bstr / nil, Moran, et al. Expires 11 December 2025 [Page 13] Internet-Draft SUIT Algorithm Recommendations June 2025 tag : bstr, recipients :[+SUIT_COSE_recipient] ] SUIT_COSE_Mac0_Tagged = #6.17(SUIT_COSE_Mac0) SUIT_COSE_Mac0 = [ SUIT_COSE_Profile_Headers, payload : bstr / nil, tag : bstr, ] Appendix B. Acknowledgments We would like to specifically thank Magnus Nyström, Deb Cooley, Michael Richardson, Russ Housley, Mike Jones, Henk Birkholz, and Hannes Tschofenig for their review comments. Authors' Addresses Brendan Moran Arm Limited Email: brendan.moran.ietf@gmail.com Øyvind Rønningstad Nordic Semiconductor Email: oyvind.ronningstad@gmail.com Akira Tsukamoto Openchip & Software Technologies, S.L. Email: akira.tsukamoto@gmail.com Moran, et al. Expires 11 December 2025 [Page 14]