Internet DRAFT - draft-chen-emu-eap-tls-ibs

draft-chen-emu-eap-tls-ibs







Internet Engineering Task Force                                Chen, Ed.
Internet-Draft                                                     L. Su
Intended status: Informational                              China Mobile
Expires: 2 September 2023                                        H. Wang
                                          Huawei International Pte. Ltd.
                                                            1 March 2023


               Use Identity as Raw Public Key in EAP-TLS
                     draft-chen-emu-eap-tls-ibs-05

Abstract

   This document specifies the use of identity as a raw public key in
   EAP-TLS, the procedure of EAP-TIBS is consistent with EAP-TLS's
   interactive process, identity-based signature is extended to support
   EAP-TLS's signature algorithms to avoid X.509 certificates, this
   authentication method can avoid the overhead of receiving and
   processing certificate chains.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 2 September 2023.

Copyright Notice

   Copyright (c) 2023 IETF Trust and the persons identified as the
   document authors.  All rights reserved.










Chen, et al.            Expires 2 September 2023                [Page 1]

Internet-Draft                 EAP TLS IBS                    March 2023


   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   4
   3.  EAP TIBS Use Cases  . . . . . . . . . . . . . . . . . . . . .   4
     3.1.  IoT use case  . . . . . . . . . . . . . . . . . . . . . .   4
     3.2.  Non CA use case . . . . . . . . . . . . . . . . . . . . .   4
   4.  Structure of the Raw Public Key Extension . . . . . . . . . .   5
   5.  EAP-TIBS for TLS1.2 . . . . . . . . . . . . . . . . . . . . .   6
     5.1.  EAP-TIBS Handshake  . . . . . . . . . . . . . . . . . . .   6
     5.2.  EAP-TIBS example  . . . . . . . . . . . . . . . . . . . .   9
   6.  EAP-TIBS for TLS1.3 . . . . . . . . . . . . . . . . . . . . .  10
     6.1.  EAP-TIBS Handshake  . . . . . . . . . . . . . . . . . . .  11
     6.2.  EAP-TIBS example  . . . . . . . . . . . . . . . . . . . .  13
   7.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  15
   8.  Security Considerations . . . . . . . . . . . . . . . . . . .  15
   9.  Informative References  . . . . . . . . . . . . . . . . . . .  15
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  16

1.  Introduction

   The Extensible Authentication Protocol(EAP) defined in [RFC3748] can
   provide support for multiple authentication methods.  Transport Layer
   Security(TLS) provides for mutual authentication, integrity-protected
   ciphersuite negotiation, and exchange between two endpoints.  The
   EAP-TLS defined in [RFC5216] which combines EAP and TLS that apply
   EAP method to load TLS procedures.















Chen, et al.            Expires 2 September 2023                [Page 2]

Internet-Draft                 EAP TLS IBS                    March 2023


   Traditionally, TLS client and server public keys are obtained in PKIX
   containers in-band as part of the TLS handshake procedure and are
   validated using trust anchors based on a PKIX certification authority
   (CA).  But there is another method, Using Raw Public Keys in
   Transport Layer Security (TLS) and Datagram Transport Layer Security
   (DTLS) are defined in [RFC7250], the document defines two TLS
   extensions client_certificate_type and server_certificate_type, which
   can be used as part of an extended TLS handshake when raw public keys
   are used.  [RFC9190] reads certificates can be of any type supported
   by TLS including raw public keys.  In [RFC7250] it assuming that an
   out-of-band mechanism is used to bind the public key to the entity
   presenting the key.

   Digital signatures provide the functions of Sender reliability and
   Message integrity.  A chain of trust for such signatures is usually
   provided by certificates, but in low-bandwidth and resource-
   constrained environments, the use of certificates might be
   undesirable.  In comparison with the original certificate, the raw
   public key is fairly small.  This document describes a signature
   algorithm using identity as a raw public key in EAP-TLS, instead of
   transmitting a full certificate in the EAP-TLS message, only public
   keys are exchanged between client and server, also known as EAP-TIBS.

   With the existing raw public key scheme, a public key and identity
   mapping table is required at server.  This table usually established
   with offline method and may require additional efforts for
   establishment and maintenance, especially when the number of devices
   are huge.  On the other hand, with IBS signature algorithm, it not
   only can take the advantage of raw public key, but also eliminates
   the efforts for the mapping table establishment and maintenance at
   the server side.  Instead, a small table for CRL is enough for
   exclude revoked identity from accessing the network.  A number of IBE
   and IBS algorithms have been standardized, such as ECCSI defined in
   [RFC6507].

   IBC was first proposed by Adi Shamir in 1984.  For an IBC system, a
   Key Management System (KMS) is required to generate keys for devices.
   The KMS choose its KMS Secret Authentication Key(KSAK) as the root of
   trust.  A public parameter, KMS Public Authentication Key (KPAK) is
   derived from this secrete key and is used by others in verifying the
   signature.  The signatures are generated by an entity with private
   keys obtained from the KMS.  KMS is a trusted third party, users or
   devices can obtain private key using their identities from KMS.  In
   IBS the private key is also known as Secret Signing Key(SSK).  A
   sender can sign a message using SSK.  The receiver can verify the
   signature with sender's identity and the KPAK.

   This method has great advantages in internal management.



Chen, et al.            Expires 2 September 2023                [Page 3]

Internet-Draft                 EAP TLS IBS                    March 2023


2.  Terminology

   The following terms are used:

   *  IBC: Identity-Based Cryptograph, it is an asymmetric public key
      cryptosystem.

   *  IBS: Identity-based Signature, such as ECCSI.

   *  PKI: Public Key Infrastructure, an infrastructure built with a
      public-key mechanism.

   *  Authenticator: The entity initiating EAP authentication.

   *  Peer: The entity that responds to the authenticator.

   *  Backend authenticator server: A backend authentication server is
      an entity that provides an authentication service to an
      authenticator.  When used, this server typically executes EAP
      methods for the authenticator.

   *  EAP server: The entity that terminates the EAP authentication
      method with the peer.  In the case where no backend authentication
      server is used, the EAP server is part of the authenticator.  In
      the case where the authenticator operates in pass-through mode,
      the EAP server is located on the backend authentication server.

3.  EAP TIBS Use Cases

3.1.  IoT use case

   Used for authentication of Internet of Things devices: due to the
   limited processing power of IoT devices, resources for secure
   identity authentication are limited, especially passive, long life
   cycle devices, however, the traditional certificate authentication
   based on PKI X509, because of the complexity of certificate
   processing and certificate chain authentication, not very suitable
   for the Internet of Things scenario.  Internet of Things devices
   really need a more lightweight authentication method, and EAP-TIBS as
   one of the candidates.

3.2.  Non CA use case

   Used for systems that do not support CA certificates: an internal
   system with network security boundaries that can self-operate the Key
   Management System(KMS) secret key distribution center, EAP-TIBS can
   be used between internal subsystems.




Chen, et al.            Expires 2 September 2023                [Page 4]

Internet-Draft                 EAP TLS IBS                    March 2023


4.  Structure of the Raw Public Key Extension

   To support the negotiation of using raw public key between client and
   server, a new certificate structure is defined in [RFC7250].  It is
   used by the client and server in the hello messages to indicate the
   types of certificates supported by each side.  When RawPublicKey type
   is selected for authentication, SubjectPublicKeyInfo which is a data
   structure is used to carry the raw public key and its cryptographic
   algorithm.

   The SubjectPublicKeyInfo structure is defined in Section 4.1 of
   [RFC5280] and not only contains the raw keys, such as the public
   exponent and the modulus of an RSA public key, but also an algorithm
   identifier.  The algorithm identifier can also include parameters.
   The structure of SubjectPublicKeyInfo is shown in Figure 1:

  SubjectPublicKeyInfo  ::=  SEQUENCE  {
             algorithm               AlgorithmIdentifier,
             subjectPublicKey        BIT STRING  }

        AlgorithmIdentifier   ::=  SEQUENCE  {
             algorithm               OBJECT IDENTIFIER,
             parameters              ANY DEFINED BY algorithm OPTIONAL }

        Figure 1: SubjectPublicKeyInfo ASN.1 Structure

   The algorithms identifiers are Object Identifier(OIDs),
   AlgorithmIdentifier is also data structure with two fields, OID
   represent the cryptographic algorithm used with raw public key, such
   as ECCSI, parameters are the necessary parameters associated with the
   algorithm.

   In the case of IBS algorithm, the User's identity is the raw public
   key which can be represented by "subjectPublicKey", when ECCSI is
   used as the Identity-based signature algorithm, then "algorithm" is
   for ECCSI, and "parameters" is the parameters needed in ECCSI.

   So far, IBS has the following four algorithms, the following table is
   the corresponding table of Key type and OID.












Chen, et al.            Expires 2 September 2023                [Page 5]

Internet-Draft                 EAP TLS IBS                    March 2023


   +--------------------------+----------------+-----------------------+
   |         Key Type         |    Document    |          OID          |
   +--------------------------+----------------+-----------------------+
   |  ISO/IEC 14888-3 IBS-1   |     ISO/IEC    |     1.0.14888.3.0.7   |
   |                          | 14888-3: IBS-1 |                       |
   |                          |   mechanism    |                       |
   +--------------------------+----------------+-----------------------+
   |  ISO/IEC 14888-3 IBS-2   |     ISO/IEC    |     1.0.14888.3.0.8   |
   |                          | 14888-3: IBS-2 |                       |
   |                          |   mechanism    |                       |
   +--------------------------+----------------+-----------------------+
   |     ISO/IEC 14888-3      |     ISO/IEC    | 1.2.156.10197.1.302.1 |
   |     ChineseIBS(SM9)      |    14888-3:    |                       |
   |                          |   ChineseIBS   |                       |
   |                          |   mechanism    |                       |
   +--------------------------+----------------+-----------------------+
   |   Elliptic Curve-Based   |   Section 5.2  |   1.3.6.1.5.5.7.6.29  |
   |    Signatureless For     |  in RFC 6507   |                       |
   |     Identitiy-based      |                |                       |
   |    Encryption (ECCSI)    |                |                       |
   +--------------------------+----------------+-----------------------+

                   Table 1: Algorithm Object Identifiers

   In the draft draft-wang-tls-raw-public-key-with-ibc, there extend
   signature scheme with IBS algorithm which indicated in the client's
   "signature_algorithms" extension.  The SignatureScheme data structure
   also keep pace with the section 4.

5.  EAP-TIBS for TLS1.2

5.1.  EAP-TIBS Handshake

   This section describes EAP-TIBS in the case of TLS1.2, as described
   in [RFC7250], the document intrudoces the use of raw public keys in
   TLS/DTLS, the basic raw public key TLS exchange will appear as
   follows, Figure 2 shows the client_certificate_type and
   server_certificate_type extensions added to the client and server
   hello messages.  An extension type MUST NOT appear in the ServerHello
   unless the same extension type appeared in the corresponding
   ClientHello, defined in [RFC5246].

   The server_certificate_type extension in the client hello indicates
   the types of certificates the client is able to process when provided
   by the server in a subsequent certificate payload.






Chen, et al.            Expires 2 September 2023                [Page 6]

Internet-Draft                 EAP TLS IBS                    March 2023


   The client_certificate_type and server_certificate_type extensions
   sent in the client hello each carry a list of supported certificate
   types, sorted by client preference.  When the client supports only
   one certificate type, it is a list containing a single element.  Many
   types of certificates can be used, such as RawPublicKey, X.509 and
   OpenPGP.

   This section describes EAP-TLS extend using raw public keys, the
   procedures is as follows, In the discussion, we will use the term
   "EAP server" to denote the ultimate endpoint conversing with the
   peer.








































Chen, et al.            Expires 2 September 2023                [Page 7]

Internet-Draft                 EAP TLS IBS                    March 2023


   Authenticating Peer     EAP server
      -------------------     -------------
                              <- EAP-Request/
                              Identity
      EAP-Response/
      Identity (MyID) ->
                              <- EAP-Request/
                              EAP-Type=EAP-TLS
                              (TLS Start)
      EAP-Response/
      EAP-Type=EAP-TLS
      (TLS client_hello
       +signature_algorithm
       server_certificate_type,
       client_certificate_type)->

                              <- EAP-Request/
                              EAP-Type=EAP-TLS
                              (TLS server_hello,
                                {client_certificate_type}
                                {server_certificate_type}
                                {TLS certificate}
                                {TLS server_key_exchange}
                                {TLS certificate_request}
                                {TLS server_hello_done}
                           )
      EAP-Response/
      EAP-Type=EAP-TLS
      (TLS certificate,
       TLS client_key_exchange,
       TLS certificate_verify,
       TLS change_cipher_spec,
       TLS finished) ->
                              <- EAP-Request/
                              EAP-Type=EAP-TLS
                              (TLS change_cipher_spec,
                               TLS finished)
      EAP-Response/
      EAP-Type=EAP-TLS ->
                              <- EAP-Success

      Figure 2: EAP-TIBS authentication procedure for TLS1.2









Chen, et al.            Expires 2 September 2023                [Page 8]

Internet-Draft                 EAP TLS IBS                    March 2023


5.2.  EAP-TIBS example

   In this example, both the TLS client and server use ECCSI for
   authentication, and they are restricted in that they can only process
   ECCSI signature algorithm.  As a result, the TLS client sets both the
   server_certificate_type and the client_certificate_type extensions to
   be raw public key; in addition, the client sets the signature
   algorithm in the client hello message to be eccsi_sha256.











































Chen, et al.            Expires 2 September 2023                [Page 9]

Internet-Draft                 EAP TLS IBS                    March 2023


Authenticating Peer                EAP server
   -------------------               -------------
                                     <- EAP-Request/
                                     Identity
   EAP-Response/
   Identity (MyID) ->
                                     <- EAP-Request/
                                     EAP-Type=EAP-TLS
                                     (TLS Start)
   EAP-Response/
   EAP-Type=EAP-TLS
   (TLS client_hello
   signature_algorithm = (eccsi_sha256)
    server_certificate_type = (RawPublicKey,...)
    client_certificate_type = (RawPublicKey,...))->

                                    <- EAP-Request/
                                    EAP-Type=EAP-TLS
                                    (TLS server_hello,
                                    {client_certificate_type = RawPublicKey}
                                    {server_certificate_type = RawPublicKey}
                                    {certificate = (1.3.6.1.5.5.7.6.29, hash
                                    value of ECCSIPublicParameters),
                                    serverID)}
                                    {certificate_request = (eccsi_sha256)}
                                    {server_hello_done}
                            )
   EAP-Response/
   EAP-Type=EAP-TLS
   ({certificate = ((1.3.6.1.5.5.7.6.29,
   hash value of ECCSIPublicParameters),
   ClientID)},
    {certificate_verify = (ECCSI-Sig-Value)},
    {finished}) ->
                                 <- EAP-Request/
                                 EAP-Type=EAP-TLS
                                 (TLS finished)
   EAP-Response/
   EAP-Type=EAP-TLS ->
                                 <- EAP-Success

         Figure 3: EAP-TIBS example

6.  EAP-TIBS for TLS1.3







Chen, et al.            Expires 2 September 2023               [Page 10]

Internet-Draft                 EAP TLS IBS                    March 2023


6.1.  EAP-TIBS Handshake

   TLS1.3 defined in [RFC8446], as TLS 1.3 is not directly compatible
   with previous versions, all versions of TLS incorporate a versioning
   mechanism which allows clients and servers to interoperably negotiate
   a common version if one is supported by both peers. when make the
   discussion on EAP-TLS using raw public keys we also make a different
   with TLS1.2, this section is for EAP-TLS1.3 handshake using raw
   public keys and give example for EAP-TIBS.

   This section describes EAP-TLS1.3 extend using raw public keys, the
   procedures is as follows, both client and server have the extension
   "key_share", the "key_share" extension contains the endpoint's
   cryptographic parameters. the "signature_algorithm" extension
   contains the signature algorithm and hash algorithms the client and
   server can support for the new signature algorithms specific to the
   IBS algorithms.  When IBS is chosen as signature algorithm, the
   server need to indicated the required IBS signature algorithms int
   the signature_algorithm extension within the CertificateRequest.
































Chen, et al.            Expires 2 September 2023               [Page 11]

Internet-Draft                 EAP TLS IBS                    March 2023


   Authenticating Peer     EAP server
      -------------------     -------------
                              <- EAP-Request/
                              Identity
      EAP-Response/
      Identity (MyID) ->
                              <- EAP-Request/
                              EAP-Type=EAP-TLS
                              (TLS Start)
      EAP-Response/
      EAP-Type=EAP-TLS
      (TLS client_hello
       +key_share
       +signature_algorithm
       server_certificate_type,
       client_certificate_type)->

                              <- EAP-Request/
                              EAP-Type=EAP-TLS
                              (TLS server_hello,
                                +key_share
                                {EncryptedExtensions}
                                {client_certificate_type}
                                {server_certificate_type}
                                {certificate}
                                {CertificateVerify}
                                {certificateRequest}
                                {Finished}
                           )
      EAP-Response/
      EAP-Type=EAP-TLS
      ({certificate}
       {CertificateVerify}
       {Finished}
       ) ->
                             EAP-Request/
                             EAP-Type=EAP-TLS
                    <--TLS Application Data 0x00

       EAP-Response/
       EAP-Type=EAP-TLS-->
                              <- EAP-Success


      Figure 4:  EAP-TIBS authentication procedure for TLS1.3






Chen, et al.            Expires 2 September 2023               [Page 12]

Internet-Draft                 EAP TLS IBS                    March 2023


6.2.  EAP-TIBS example

   When the EAP server receives the client hello, it processes the
   message.  Since it has an ECCSI raw public key from the KMS, it
   indicates that it agrees to use ECCSI and provides an ECCSI key by
   placing the SubjectPublicKeyInfo structure into the Certificate
   payload back to the client, including the OID, the identity of
   server, ServerID, which is the public key of server also, and hash
   value of KMS public parameters.  The client_certificate_type
   indicates that the TLS server accepts raw public key.  The TLS server
   demands client authentication, and therefore includes a
   certificate_request, which requires the client to use eccsi_sha256
   for signature.  A signature value based on the eccsi_sha256 algorithm
   is carried in the CertificateVerify.  The client, which has an ECCSI
   key, returns its ECCSI public key in the Certificate payload to the
   server, which includes an OID for the ECCSI signature.  The example
   of EAP-TLS1.3-IBS is as follows:


































Chen, et al.            Expires 2 September 2023               [Page 13]

Internet-Draft                 EAP TLS IBS                    March 2023


 Authenticating Peer                EAP server
   -------------------               -------------
                                     <- EAP-Request/
                                     Identity
   EAP-Response/
   Identity (MyID) ->
                                     <- EAP-Request/
                                     EAP-Type=EAP-TLS
                                     (TLS Start)
   EAP-Response/
   EAP-Type=EAP-TLS
   (TLS client_hello
    signature_algorithm = (eccsi_sha256)
    server_certificate_type = (RawPublicKey)
    client_certificate_type = (RawPublicKey))->

                                    <- EAP-Request/
                                    EAP-Type=EAP-TLS
                                    (TLS server_hello,
                                    +key_share
                                    {client_certificate_type = RawPublicKey}
                                    {server_certificate_type = RawPublicKey}
                                    {certificate = (1.3.6.1.5.5.7.6.29, hash
                                    value of ECCSIPublicParameters,
                                    serverID)}
                                    {certificate_request = (eccsi_sha256)}
                                    {certificate_verify = {ECCSI-Sig-Value}}
                                    {Finished}

                            )
   EAP-Response/
   EAP-Type=EAP-TLS
   ({certificate = ((1.3.6.1.5.5.7.6.29,
   hash value of ECCSIPublicParameters),
   ClientID)},
    {certificate_verify = (ECCSI-Sig-Value)},
    {Finished})
                 --->
                                    EAP-Request/
                                    EAP-Type=EAP-TLS
                               <----TLS Application Data 0x00)
    EAP-Response/
    EAP-Type=EAP-TLS---->
                                <---- EAP-Success


         Figure 5: EAP-TLS1.3-IBS example




Chen, et al.            Expires 2 September 2023               [Page 14]

Internet-Draft                 EAP TLS IBS                    March 2023


7.  IANA Considerations

   This document registers the following item in the "Method Types"
   registry under the "extensible Authentication Protocol(EAP) Registry"
   heading.

                   +---------+-------------------+
                   | Value   | Description       |
                   +---------+-------------------+
                   | TBD     | EAP-TIBS          |
                   +---------+-------------------+

8.  Security Considerations

   Although the identity authentication has been extended, the
   generation of session key still continues the EAP-TLS method.

9.  Informative References

   [RFC6507]  Groves, M., "Elliptic Curve-Based Certificateless
              Signatures for Identity-Based Encryption (ECCSI)",
              RFC 6507, DOI 10.17487/RFC6507, February 2012,
              <https://www.rfc-editor.org/rfc/rfc6507>.

   [RFC3748]  Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and H.
              Levkowetz, Ed., "Extensible Authentication Protocol
              (EAP)", RFC 3748, DOI 10.17487/RFC3748, June 2004,
              <https://www.rfc-editor.org/rfc/rfc3748>.

   [RFC5216]  Simon, D., Aboba, B., and R. Hurst, "The EAP-TLS
              Authentication Protocol", RFC 5216, DOI 10.17487/RFC5216,
              March 2008, <https://www.rfc-editor.org/rfc/rfc5216>.

   [RFC7250]  Wouters, P., Ed., Tschofenig, H., Ed., Gilmore, J.,
              Weiler, S., and T. Kivinen, "Using Raw Public Keys in
              Transport Layer Security (TLS) and Datagram Transport
              Layer Security (DTLS)", RFC 7250, DOI 10.17487/RFC7250,
              June 2014, <https://www.rfc-editor.org/rfc/rfc7250>.

   [RFC5280]  Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
              Housley, R., and W. Polk, "Internet X.509 Public Key
              Infrastructure Certificate and Certificate Revocation List
              (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008,
              <https://www.rfc-editor.org/rfc/rfc5280>.







Chen, et al.            Expires 2 September 2023               [Page 15]

Internet-Draft                 EAP TLS IBS                    March 2023


   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.2", RFC 5246,
              DOI 10.17487/RFC5246, August 2008,
              <https://www.rfc-editor.org/rfc/rfc5246>.

   [RFC9190]  Preuß Mattsson, J. and M. Sethi, "EAP-TLS 1.3: Using the
              Extensible Authentication Protocol with TLS 1.3",
              RFC 9190, DOI 10.17487/RFC9190, February 2022,
              <https://www.rfc-editor.org/rfc/rfc9190>.

   [RFC8446]  Rescorla, E., "The Transport Layer Security (TLS) Protocol
              Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
              <https://www.rfc-editor.org/rfc/rfc8446>.

Authors' Addresses

   Meiling Chen (editor)
   China Mobile
   BeiJing
   China
   Email: chenmeiling@chinamobile.com


   Li Su
   China Mobile
   BeiJing
   China
   Email: suli@chinamobile.com


   Haiguang Wang
   Huawei International Pte. Ltd.
   Singapore
   Email: wang.haiguang1@huawei.com

















Chen, et al.            Expires 2 September 2023               [Page 16]