Internet Draft                                       IPsec Working Group
June 2002                                               S. Frankel, NIST
Expiration Date: December 2002            S. Kelly, Black Storm Networks
Category: Experimental

        The HMAC-SHA-256-128 Algorithm and Its Use With IPsec

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026. Internet Drafts are working
   documents of the Internet Engineering Task Force (IETF), its areas,
   and its working Groups. Note that other groups may also distribute
   working documents as Internet Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Drafts Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This document is a submission to the IETF Internet Protocol Security
   (IPsec) Working Group. Comments are solicited and should be addressed
   to the working group mailing list (ipsec@lists.tislabs.com) or to the
   editors.

   Distribution of this memo is unlimited.

Abstract

   This document describes the use of the HMAC algorithm in conjunction
   with the SHA-256 algorithm as an experimental authentication
   mechanism within the context of the IPsec AH and ESP protocols. This
   algorithm is intended to provide data origin authentication and
   integrity protection. Given the current lack of practical experience
   with SHA-256, implementations based on this document will be
   experimental in nature, and implementation is not required in order
   to claim compliance with the IPsec proposed standards. The version of
   the HMAC-SHA-256 authenticator described in this document specifies
   truncation to 128 bits, and is therefore named HMAC-SHA-256-128.

Table of Contents

   1.  Specification of Requirements
   2.  Introduction
   3.  The HMAC-SHA-256-128 Algorithm
       3.1  Keying Material
       3.2  Padding
       3.3  Truncation
       3.4  Interaction with the ESP Cipher Mechanism
       3.5  Performance
       3.6  Test Vectors
   4.  IKE Interactions
       4.1  Phase 1 Identifier
       4.2  Phase 2 Identifier
   5.  Security Considerations
   6.  IANA Considerations
   7.  Intellectual Property Rights Statement
   8.  Acknowledgments
   9.  References
   10. Authors' Addresses
   11. Full Copyright Statement

1.  Specification of Requirements

   The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" that
   appear in this document are to be interpreted as described in
   [RFC-2119].

2.  Introduction

   This document specifies the use of SHA-256 [SHA2-1] combined with
   HMAC [HMAC] as an experimental keyed authentication mechanism within
   the context of the IPsec AH and ESP protocols. This algorithm is
   intended to provide data origin authentication and integrity
   protection. Given the current lack of practical experience with
   SHA-256, implementations based on this document will be experimental
   in nature, and implementation is not required in order to claim
   compliance with the IPsec proposed standards. Furthermore,
   HMAC-SHA-1-96 [HMAC-SHA] provides sufficient security at a lower
   computational cost. The version of the HMAC-SHA-256 authenticator
   described in this document specifies truncation to 128 bits, and is
   therefore named HMAC-SHA-256-128. For further information on ESP,
   refer to [ESP] and [ROADMAP]. For further information on AH, refer to
   [AH] and [ROADMAP].

   The goal of HMAC-SHA-256-128 is to ensure that the packet is
   authentic and cannot be modified in transit. Data integrity and data
   origin authentication as provided by HMAC-SHA-256-128 are dependent
   upon the scope of the distribution of the secret key. If the key is
   known only by the source and destination, this algorithm will provide
   both data origin authentication and data integrity for packets sent
   between the two parties. In addition, only a party with the identical
   key can verify the MAC.

3.  The HMAC-SHA-256-128 Algorithm

   [SHA2-1] and [SHA2-2] describe the underlying SHA-256 algorithm,
   while [HMAC] describes the HMAC algorithm. The HMAC algorithm
   provides a framework for inserting various hashing algorithms such as
   SHA-256.

   The following sections contain descriptions of the various
   characteristics and requirements of the HMAC-SHA-256-128 algorithm.

3.1  Keying Material

   HMAC-SHA-256-128 is a secret key algorithm. While no fixed key length
   is specified in [HMAC], for use with either ESP or AH a fixed key
   length of 256-bits MUST be supported. Key lengths other than 256-bits
   MUST NOT be supported (i.e. only 256-bit keys are to be used by
   HMAC-SHA-256-128). A key length of 256-bits was chosen based on the
   recommendations in [HMAC] (i.e. key lengths less than the
   authenticator length decrease security strength and keys longer than
   the authenticator length do not significantly increase security
   strength).

   [HMAC] discusses requirements for key material, which includes a
   discussion on requirements for strong randomness. A strong
   pseudo-random function MUST be used to generate the required 256-bit
   key.

   At the time of this writing there are no specified weak keys for use
   with HMAC. This does not mean to imply that weak keys do not exist.

   [ARCH] describes the general mechanism for obtaining keying material
   when multiple keys are required for a single SA (e.g. when an ESP SA
   requires a key for confidentiality and a key for authentication).

   In order to provide data origin authentication, the key distribution
   mechanism must ensure that unique keys are allocated and that they
   are distributed only to the parties participating in the
   communication.

   [HMAC] makes the following recommendation with regard to rekeying:
   "Current attacks do not indicate a specific recommended frequency for
   key changes ... However, periodic key refreshment is a fundamental
   security practice that helps against potential weaknesses of the
   function and keys, and limits the damage of an exposed key." Rekeying
   also reduces the information available to a cryptanalyst.

3.2  Padding

   HMAC-SHA-256-128 operates on 512-bit blocks of data. Padding
   requirements are specified in [SHA2-1] and are part of the SHA-256
   algorithm. If you build SHA-256 according to [SHA2-1] you do not need
   to add any additional padding as far as HMAC-SHA-256-128 is
   concerned. With regard to "implicit packet padding" as defined in
   [AH], no implicit packet padding is required.

3.3  Truncation

   HMAC-SHA-256-128 produces a 256-bit authenticator value. This 256-bit
   value can be truncated as described in [HMAC]. For use with either
   ESP or AH, a truncated value using the first 128 bits MUST be
   supported. Upon sending, the truncated value is stored within the
   authenticator field. Upon receipt, the entire 256-bit value is
   computed and the first 128 bits are compared to the value stored in
   the authenticator field. No other authenticator value lengths are
   supported by HMAC-SHA-256-128.

   The length of 128 bits was selected because it meets the security
   requirements described in [HMAC]. [HMAC] discusses the potential
   additional security which is provided by the truncation of the
   resulting MAC. Specifications which include HMAC are strongly
   encouraged to perform this MAC truncation.
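
   The sender and receiver rules of sections 3.1 and 3.3, as an added
   Python example (not part of the draft or of any implementation it
   names): it enforces the 256-bit key, keeps the first 128 bits, and
   re-checks test cases 1, 4, 5 and 8 of section 3.6. The function
   names are chosen here for illustration, and the constant-time
   comparison is an implementation choice the draft does not discuss.

```python
import hashlib
import hmac

KEY_LEN = 32  # section 3.1: only 256-bit keys are to be used
ICV_LEN = 16  # section 3.3: first 128 bits of the 256-bit value


def hmac_sha256(key: bytes, data: bytes) -> bytes:
    """Untruncated HMAC-SHA-256; accepts any key length, as [HMAC] does."""
    return hmac.new(key, data, hashlib.sha256).digest()


def hmac_sha256_128(key: bytes, data: bytes) -> bytes:
    """Sender side: compute the full value, store only its first 128 bits."""
    if len(key) != KEY_LEN:
        raise ValueError("HMAC-SHA-256-128 takes a 256-bit key, got %d bits"
                         % (8 * len(key)))
    return hmac_sha256(key, data)[:ICV_LEN]


def verify_icv(key: bytes, data: bytes, received: bytes) -> bool:
    """Receiver side: recompute, then compare the first 128 bits."""
    if len(received) != ICV_LEN:
        return False  # no other authenticator length is supported
    # compare_digest avoids leaking the mismatch position through timing
    # (an implementation choice made here, not a requirement of the draft).
    return hmac.compare_digest(hmac_sha256_128(key, data), received)


# case number -> (key, data, HMAC-SHA-256 in hex), copied from section 3.6
DRAFT_VECTORS = {
    1: (bytes(range(1, 33)), b"abc",
        "a21b1f5d4cf4f73a4dd939750f7a066a"
        "7f98cc131cb16a6692759021cfab8181"),
    4: (b"\x0b" * 32, b"Hi There",
        "198a607eb44bfbc69903a0f1cf2bbdc5"
        "ba0aa3f3d9ae3c1c7a3b1696a0b68cf7"),
    5: (b"Jefe", b"what do ya want for nothing?",
        "5bdcc146bf60754e6a042426089575c7"
        "5a003f089d2739839dec58b964ec3843"),
    8: (b"\x0c" * 32, b"Test With Truncation",
        "7546af01841fc09b1ab9c3749a5f1c17"
        "d4f589668a587b2700a9c97c1193cf42"),
}


def check_draft_vectors() -> dict:
    """Return {case: (full_ok, truncated_ok)}; truncated_ok is None when the
    key is not 256 bits, since the draft lists no truncated value there."""
    results = {}
    for case, (key, data, full_hex) in DRAFT_VECTORS.items():
        full_ok = hmac_sha256(key, data).hex() == full_hex
        trunc_ok = None
        if len(key) == KEY_LEN:
            trunc_ok = (hmac_sha256_128(key, data).hex()
                        == full_hex[:2 * ICV_LEN])
        results[case] = (full_ok, trunc_ok)
    return results


if __name__ == "__main__":
    for case, (full_ok, trunc_ok) in sorted(check_draft_vectors().items()):
        print("test case %d: full=%s truncated=%s" % (case, full_ok, trunc_ok))
```

   A receiver built this way rejects an untruncated 256-bit value or a
   shorter prefix outright instead of comparing whatever length arrives.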

3.4  Interaction with the ESP Cipher Mechanism

   As of this writing, there are no known issues which preclude the use
   of the HMAC-SHA-256-128 with any specific cipher algorithm.

3.5  Performance

   [HASH] states that "(HMAC) performance is essentially that of the
   underlying hash function". As of this writing no detailed performance
   analysis has been done of SHA-256, HMAC or HMAC combined with
   SHA-256.

   [HMAC] outlines an implementation modification which can improve
   per-packet performance without affecting interoperability.

3.6  Test Vectors

   The following test cases for HMAC-SHA-256 and HMAC-SHA-256-128
   include the key, the data, and the resulting HMAC. The values of keys
   and data are either hexadecimal numbers (prefixed by "0x") or ASCII
   character strings (surrounded by double quotes). If a value is an
   ASCII character string, then the HMAC computation for the
   corresponding test case DOES NOT include the trailing null character
   ('\0') of the string. The computed HMAC values are all hexadecimal
   numbers.

   These test cases were verified using 3 independent implementations:
   an HMAC wrapper on top of Aaron Gifford's SHA256 implementation
   (www.aarongifford.com/computers/sha.html), the BeeCrypt crypto
   library (www.virtualunlimited.com/products/beecrypt) and the Nettle
   cryptographic library (www.lysator.liu.se/~nisse/nettle). Partial
   blocks were padded as specified in [SHA2-1].

   Test cases 1 and 2 were taken from the SHA-2 FIPS [SHA2-1] and test
   cases 4-10 were borrowed from [HMAC-TEST] with some key sizes
   adjusted for HMAC-SHA-256. These test cases illustrate HMAC-SHA-256
   with various combinations of input and keysize. All test cases
   include the computed HMAC-SHA-256; only those with a keysize of 32
   bytes (256 bits) also include the truncated HMAC-SHA-256-128.

   Test Case #1: HMAC-SHA-256 with 3-byte input and 32-byte key
   Key_len         : 32
   Key             : 0x0102030405060708090a0b0c0d0e0f10
                       1112131415161718191a1b1c1d1e1f20
   Data_len        : 3
   Data            : "abc"
   HMAC-SHA-256    : 0xa21b1f5d4cf4f73a4dd939750f7a066a
                       7f98cc131cb16a6692759021cfab8181
   HMAC-SHA-256-128: 0xa21b1f5d4cf4f73a4dd939750f7a066a

   Test Case #2: HMAC-SHA-256 with 56-byte input and 32-byte key
   Key_len         : 32
   Key             : 0x0102030405060708090a0b0c0d0e0f10
                       1112131415161718191a1b1c1d1e1f20
   Data_len        : 56
   Data            : "abcdbcdecdefdefgefghfghighijhijk
                      ijkljklmklmnlmnomnopnopq"
   HMAC-SHA-256    : 0x104fdc1257328f08184ba73131c53cae
                       e698e36119421149ea8c712456697d30
   HMAC-SHA-256-128: 0x104fdc1257328f08184ba73131c53cae

   Test Case #3: HMAC-SHA-256 with 112-byte (multi-block) input
                 and 32-byte key
   Key_len         : 32
   Key             : 0x0102030405060708090a0b0c0d0e0f10
                       1112131415161718191a1b1c1d1e1f20
   Data_len        : 112
   Data            : "abcdbcdecdefdefgefghfghighijhijk
                      ijkljklmklmnlmnomnopnopqabcdbcde
                      cdefdefgefghfghighijhijkijkljklm
                      klmnlmnomnopnopq"
   HMAC-SHA-256    : 0x470305fc7e40fe34d3eeb3e773d95aab
                       73acf0fd060447a5eb4595bf33a9d1a3
   HMAC-SHA-256-128: 0x470305fc7e40fe34d3eeb3e773d95aab

   Test Case #4: HMAC-SHA-256 with 8-byte input and 32-byte key
   Key_len         : 32
   Key             : 0x0b repeated 32 times
   Data_len        : 8
   Data            : 0x4869205468657265
   Data            : "Hi There"
   HMAC-SHA-256    : 0x198a607eb44bfbc69903a0f1cf2bbdc5
                       ba0aa3f3d9ae3c1c7a3b1696a0b68cf7
   HMAC-SHA-256-128: 0x198a607eb44bfbc69903a0f1cf2bbdc5

   Test Case #5: HMAC-SHA-256 with 28-byte input and 4-byte key
   Key_len         : 4
   Key             : "Jefe"
   Data_len        : 28
   Data            : "what do ya want for nothing?"
   HMAC-SHA-256    : 0x5bdcc146bf60754e6a042426089575c7
                       5a003f089d2739839dec58b964ec3843

   Test Case #6: HMAC-SHA-256 with 50-byte input and 32-byte key
   Key_len         : 32
   Key             : 0xaa repeated 32 times
   Data_len        : 50
   Data            : 0xdd repeated 50 times
   HMAC-SHA-256    : 0xcdcb1220d1ecccea91e53aba3092f962
                       e549fe6ce9ed7fdc43191fbde45c30b0
   HMAC-SHA-256-128: 0xcdcb1220d1ecccea91e53aba3092f962

   Test Case #7: HMAC-SHA-256 with 50-byte input and 37-byte key
   Key_len         : 37
   Key             : 0x0102030405060708090a0b0c0d0e0f10
                       1112131415161718191a1b1c1d1e1f20
                       2122232425
   Data_len        : 50
   Data            : 0xcd repeated 50 times
   HMAC-SHA-256    : 0xd4633c17f6fb8d744c66dee0f8f07455
                       6ec4af55ef07998541468eb49bd2e917

   Test Case #8: HMAC-SHA-256 with 20-byte input and 32-byte key
   Key_len         : 32
   Key             : 0x0c repeated 32 times
   Data_len        : 20
   Data            : "Test With Truncation"
   HMAC-SHA-256    : 0x7546af01841fc09b1ab9c3749a5f1c17
                       d4f589668a587b2700a9c97c1193cf42
   HMAC-SHA-256-128: 0x7546af01841fc09b1ab9c3749a5f1c17

   Test Case #9: HMAC-SHA-256 with 54-byte input and 80-byte key
   Key_len         : 80
   Key             : 0xaa repeated 80 times
   Data_len        : 54
   Data            : "Test Using Larger Than Block-Size Key -
                      Hash Key First"
   HMAC-SHA-256    : 0x6953025ed96f0c09f80a96f78e6538db
                       e2e7b820e3dd970e7ddd39091b32352f

   Test Case #10: HMAC-SHA-256 with 73-byte (multi-block) input
                  and 80-byte key
   Key_len         : 80
   Key             : 0xaa repeated 80 times
   Data_len        : 73
   Data            : "Test Using Larger Than Block-Size Key and
                      Larger Than One Block-Size Data"
   HMAC-SHA-256    : 0x6355ac22e890d0a3c8481a5ca4825bc8
                       84d3e7a1ff98a2fc2ac7d8e064c3b2e6

4.  IKE Interactions

4.1  Phase 1 Identifier

   For Phase 1 negotiations, IANA has assigned a Hash Algorithm ID of 4
   for SHA2-256.

   For further information on the use of Hash Algorithm IDs within IKE,
   see [IKE].

4.2  Phase 2 Identifier

   For Phase 2 negotiations, IANA has assigned an AH Transform
   Identifier of 5 for AH_SHA2-256.

   For Phase 2 negotiations, IANA has assigned an AH/ESP Authentication
   Algorithm Attribute Value of 5 for HMAC-SHA2-256.

   For further information on the use of Transform Identifiers and
   Attributes Value within IKE, see [IKE] and [DOI].

5.  Security Considerations

   The security provided by HMAC-SHA-256-128 is based upon the strength
   of SHA-256. At the time of this writing there are no practical
   cryptographic attacks against SHA-256.

   As is true with any cryptographic algorithm, part of its strength
   lies in the correctness of the algorithm implementation, the security
   of the key management mechanism and its implementation, the strength
   of the associated secret key, and upon the correctness of the
   implementation in all of the participating systems. This draft
   contains test vectors to assist in verifying the correctness of
   HMAC-SHA-256-128 code.

6.  IANA Considerations

   IANA has assigned Hash Algorithm ID 4 to SHA2-256.
   IANA has assigned AH Transform Identifier 5 to AH_SHA2-256.
   IANA has assigned AH/ESP Authentication Algorithm Attribute Value 5
   to HMAC-SHA2-256.

7.  Intellectual Property Rights Statement

   Pursuant to the provisions of [RFC-2026], the authors represent that
   they have disclosed the existence of any proprietary or intellectual
   property rights in the contribution that are reasonably and
   personally known to the authors. The authors do not represent that
   they personally know of all potentially pertinent proprietary and
   intellectual property rights owned or claimed by the organizations
   they represent or third parties.

   The IETF takes no position regarding the validity or scope of any
   intellectual property or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; neither does it represent that it
   has made any effort to identify any such rights. Information on the
   IETF's procedures with respect to rights in standards-track and
   standards-related documentation can be found in BCP-11. Copies of
   claims of rights made available for publication and any assurances of
   licenses to be made available, or the result of an attempt made to
   obtain a general license or permission for the use of such
   proprietary rights by implementers or users of this specification can
   be obtained from the IETF Secretariat.

8.  Acknowledgments

   Portions of this text were unabashedly borrowed from [HMAC-SHA].

   Thanks to Hugo Krawczyk for his comments and recommendations.

9.  References

   [AH]        Kent, S. and R. Atkinson, "IP Authentication Header",
               RFC 2402, November 1998.

   [ARCH]      Kent, S. and R. Atkinson, "Security Architecture for
               the Internet Protocol", RFC 2401, November 1998.

   [DOI]       Piper, D., "The Internet IP Security Domain of
               Interpretation for ISAKMP,"

   [ESP]       Kent, S. and R. Atkinson, "IP Encapsulating Security
               Payload (ESP)", RFC 2406, November 1998.

   [HASH]      Bellare, M., R. Canetti and H. Krawczyk, "Keying Hash
               Functions for Message Authentication," Advances in
               Cryptography, Crypto96 Proceedings, June 1996.

   [HMAC]      Krawczyk, H., M. Bellare and R. Canetti, "HMAC:
               Keyed-Hashing for Message Authentication," RFC 2104,
               February 1997.

   [HMAC-SHA]  Madson, C. and R. Glenn, "The Use of HMAC-SHA-1-96
               within ESP and AH," RFC 2404, November 1998.

   [HMAC-TEST] Cheng, P. and R. Glenn, "Test Cases for HMAC-MD5 and
               HMAC-SHA-1", RFC 2202, September 1997.

   [IKE]       Harkins, D. and D. Carrel, "The Internet Key Exchange
               (IKE)", RFC 2409, November 1998.

   [RFC-2026]  Bradner, S., "The Internet Standards Process --
               Revision 3", RFC2026, October 1996.

   [RFC-2119]  Bradner, S., "Key words for use in RFCs to Indicate
               Requirement Levels", RFC-2119, March 1997.

   [ROADMAP]   Thayer, R., N. Doraswamy, and R. Glenn, "IP Security
               Document Roadmap", RFC 2411, November 1998.

   [SHA2-1]    NIST, Draft FIPS PUB 180-2 "Specifications for the
               Secure Hash Standard," May 2001.
               http://csrc.nist.gov/encryption/shs/dfips-180-2.pdf

   [SHA2-2]    "Descriptions of SHA-256, SHA-384, and SHA-512."
               http://csrc.nist.gov/cryptval/shs/sha256-384-512.pdf

10. Authors' Addresses

   Sheila Frankel
   NIST
   820 West Diamond Ave.
   Room 680
   Gaithersburg, MD 20899
   Phone: +1 (301) 975-3297
   Email: sheila.frankel@nist.gov

   Scott Kelly
   Black Storm Networks
   250 Cambridge Ave
   Palo Alto CA 94304
   Phone: +1 (650) 617-2934
   Email: scott@bstormnetworks.com

   The IPsec working group can be contacted through the chairs:

   Barbara Fraser
   Cisco Systems Inc.
   Email: byfraser@cisco.com

   Theodore Ts'o
   Massachusetts Institute of Technology
   Email: tytso@mit.edu

11. Full Copyright Statement

   Copyright (C) The Internet Society (1998). All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works. However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.