General Cryptography Part 1 of 2

Home , Cryptography, GOST (block cipher), GOST (hash function), Lucifer (cipher), Skipjack (cipher)

Table of Contents

Cryptography ...... 2

Cryptography Interoperability ...... 3

Cryptography in Everyday Use ...... 5

Common Terms in Cryptography -1 ...... 6

Common Terms in Cryptography - 2 ...... 8

Common Terms in Cryptography - 3 ...... 9

Kerckhoff’s Principle ...... 12

Symmetric Cryptosystem ...... 14

Asymmetric Cryptosystems ...... 16

Asymmetric Algorithms ...... 18

Block Cipher ...... 21

Block Cipher Modes -1 ...... 22

Block Cipher Modes -2 ...... 25

Block Cipher Modes -1 ...... 26

Block Cipher Modes -2 ...... 27

Block Cipher Examples ...... 28

Stream Cipher ...... 30

Stream Cipher Examples ...... 32

Notices ...... 33

Page 1 of 33 Cryptography

Cryptography

Used to protect data at-rest and data in-transit from being compromised or misused. Assures confidentiality and integrity of data • Protected communications are not visible by others. • Verifies data has not been altered or corrupted. Provides authentication • Verifies identity of participants. Non-repudiation • Undeniable transactions – sender sent it, recipient received it. • Usually requires an independent third party (Certificate Authority). • Digital signatures provide the mechanisms behind the concept.

**006 First, before we go any further whatsoever, the idea of cryptography is to communicate in the presence of adversaries. You and I want to talk, and we don't want them to listen in.

So what we want in cryptography is we want to use mathematical transforms of different kinds to ensure that our communication is protected, confidential. We also want to make sure that our communications aren't interrupted by a man in the middle that can swap our communications out and put something else in.

Page 2 of 33 We also want to provide authentication. How do you know it wasn't somebody else that jumped into this?

There's no take- backsies." That's what nonrepudiation is. It says you can't deny that you said something. You can't take it back. Nonrepudiation typically involves a certification authority. You could do it without.

So then with cryptography, we need to talk about the tools that we use.

Cryptography Interoperability

Achieved when crypto systems work together seamlessly. • For example, web-browser based SSL

Good design goal when designing new systems. • For example, does a WAP support WEP, WPA, WPA2, or all 3?

Validate any vendor claims of interoperability. • Common Criteria, NIST, and the Cryptographic Module Validation Program (CMVP).

**007 When we use those tools, can you use the same tool that I do? So

Page 3 of 33 what we have to do is all agree that we're going to use the same protocol and the same encryption methodologies for it to all work out. And the reason why old cryptography stays in place for a really long time is because not only do you and I have to agree, but we have to get the whole world to agree. And when we design new systems, we need to make sure that that system-- well, that it thinks about the other possibilities in the future.

A perfect example of a good system gone bad is our first try at encryption for wireless communications, in WEP. Also, we need to roll this out to the vendors and they need to be able to implement it. And in a lot of cryptography, what we do is we use hardware, special purpose ASIX chips that are designed for that one thing. So think about chip fabrication. How long do you think that takes? That's years.

Then once we create a design, once we create an implementation-- maybe even once we create chips-- how do we know that that is verifiable and valid for the uses that we put it to? And that's where we start reaching out to cryptographic module validation programs; we start reaching out to governments and asking them to review our design.

Page 4 of 33 Cryptography in Everyday Use

Cryptography in Everyday Use

E-mail • Messages and attachments can be encrypted. • Implementations are S/MIME, PGP, and PEM. E-commerce • Transactions can be encrypted. • Implementations include SSL/TLS, and PCI-DSS.

**008 We use this every single day in ecommerce. There's no doubt about it. Some of us use it every single day in email. You don't have to have any fancy setup to use cryptography on a day-to-day basis, because it's built into most of the things that we're doing.

Some regulations require that we have cryptography end-to-end.

Page 5 of 33 Common Terms in Cryptography -1

Common Terms in Cryptography -1

Cryptosystem – the system of algorithm, parameters, key, and/or password used for encrypting and decrypting data. Code – a cryptosystem that uses substitution of words for the original text. Cipher – a procedure to scramble a message so only the person with the knowledge of how it was scrambled (the key) can read it. Steganography – process of hiding information in another message or file.

**009 Cryptosystems. This is all of the mathematical transforms that are all jammed together. This is where the key sits. This is where the algorithm sits. There is where all the parameters can be changed within the system, and if it's got a password, this is where it encrypts and decrypts. This could be a chip right with current Intel processors. There is actually a separate chip within most Intel processors today that does AES encryption and decryption as a separate chip.

When we talk about code, that is usually a substitution, a trade for one thing or the other. For example,

Page 6 of 33 code talker. So, in World War II, we wanted to have communications from ship to shore, and the way we did that was we didn't use what everybody else used. We had our own special cryptographers, which were Native Americans.

What they did was is they took information from the ships and translated it into their native language, which there was no written record of that native language for our adversaries. And then on the other side, the other Native American on the other side would retranslate that back into issued orders. There was no record of this, so there was no way to do that code translation.

Well, these code talkers had to come up with codes that fit with artillery movements and words that weren't in their language. So a code is to trade one for another, or substitution.

A cipher is a way to scramble things. I want to encipher or decipher. And so we'll create a mathematical transformation that predictively scrambles those things. And when we run that math the other way-- or run it the same way in some cases, especially for symmetric encryption-- it will decipher it so that we can read it again. So ciphering is the procedure for scrambling.

Steganography is covert communications. And the best way that I can give you an example of this is when we do invisible ink. We

Page 7 of 33 still have to pass something back and forth, but when our adversaries look at it, they just see, "Oh, he's handing them a piece of paper."

Common Terms in Cryptography - 2

Common Terms in Cryptography -2

Plain text – the original, unencrypted data. Cipher text – the encrypted data. Substitution – each character is replaced with another to form the cipher text. • Simple – one to one Message  Nfttbhf • Homophonic – one to many Message  Nafbtctdbehffg • Polygram – block to block Message  Actksisiwksiea

• Polyalphabetic – multiple alphabets Message  Transposition – reorders plain text to form cipher text. MES   MESSAGE SAG MSEEA0SG0 E00

**010 Some other common cryptology terms that dig down into what we're doing. Plain text-- that's the stuff that humans can read. Cipher text-- that's the stuff that's been transformed where humans can't read without our tools, our key and our algorithm.

When we substitute, we trade one for another. And we can substitute at many different levels. We can do it

Page 8 of 33 at a one-to-one level. We can do it one-to-many. We can do it from block-to-block, and we can do it from one alphabet to another.

In this case, we're trading one for another. We could leave the message intact and rearrange it, and that's called transposition. So substitution trades one for another; transposition leaves it there but switches its order in some way, shape or form.

Common Terms in Cryptography - 3

Common Terms in Cryptography -3

Randomness – key property of cryptosystems; used for generating keys and passwords. Pseudo-random number generator (PRNG) – a mathematical approach to creating randomness. Confusion – implemented through substitution, it prevents identifying relationships between key, plain text, and cipher text. Diffusion – implemented through transposition, spreads plaintext throughout the cipher text.

**011 One of the things that we need to have in order to protect our communications is seemingly

Page 9 of 33 randomness. When we use keys, we will pick them from a key space. And we will be very particular about that. But how we choose them from that key space should be very random in the way that we do it.

Now, there are some ciphers that we use that need to, as a seed value, take one of these keys and drop it into a calculator and generate what looks like a random string. This is a pseudo-random number generator. Sometimes called a P ring. I don't know if you've ever heard that term before or not.

Now, when we do these activities, how well do we do these activities? If we do them correctly, we cause confusion. Confusion in a cipher, it happens through substitution, and it prevents the relationship between the key, the plain text and the cipher text from being able to figured out. We generate confusion. That's different from diffusion. If we do transposition, if we trade those things around very well, then we will create diffusion. Now, confusion most people understand, but let's give you a little analogy on diffusion.

In front of you on your desk is a big glass of water that you can see through, and it's perfectly clear. And I come by with an eye dropper with milk in it, and I drop one drop into your glass of water. You wouldn't be able to taste this, but it would start as one little drip inside of there, and eventually that milk would diffuse and cause a general cloudiness, just

Page 10 of 33 a hint, in all of your glass of water. And this speaks to how well the cryptography works. If we're doing good diffusion, one change in our plain text-- one space, one period, one exclamation point-- will radically change the way our text is transposed. And that's what we want. Good algorithms will-- when we change one period or add one space-- will ripple throughout all the transposition and all the numbers-- I mean, all the letters that are there, they'll just scramble up really, really differently. And that's what we want.

Good confusion means that when we do one substitution, one different letter, all the substitutions look radically different.

Page 11 of 33 Kerckhoff’s Principle

Kerckhoff’s Principle

The cryptosystem should not require secrecy to maintain its encryption strength – only the key must remain secret. Assumptions by cryptographers based upon Kerckhoff The adversary has your cypher text The adversary knows your algorithm That adversary has some plaintext

**012 Kerckhoff's principle says the only thing protecting us is the key. So what would think is protecting us that isn't protecting us? Well, is our adversary listening? And the answer is yes, and always. So we assume, as a cryptographer, that our adversary is capturing all of the communications between us, so they have all of our encrypted text. That's an assumption that we make. So if there's any discernable patterns in this cipher text, we're in trouble.

Next, our adversary has our algorithm. They know our algorithm. They know the mathematical transform that we're using. And then

Page 12 of 33 today what we do is we publish that for everybody to see, so there's no mystery whatsoever. So we'll say, "Yep, this math is so good that everybody can see it."

Also, your adversary has been at one of the endpoints for a short period of your communication, and that means that they either know the plain text that I decided to key in to shoot to you, or they've seen, on your side, you writing that out to a piece of paper and they've captured some of that plain text. So if they know your cipher, they know your algorithm, and they have some of your plain text, then the only thing that's protecting you at that point is the key. And that's Kerckhoff's principle.

Page 13 of 33 Symmetric Cryptosystem

Symmetric Cryptosystem

Symmetric – same key is used for encryption and decryption. • Protecting and sharing this key is critical. • Fast, but provides confidentiality only. • Not scalable to large implementation – think pre-shared keys. • Relies on substitution and transposition for encryption strength.

DES Same Key AES RC-4

kjdiekdg Message Message Encryption Decryption

**013 Let's look at systems. Let's combine some things together here and see how this works out for us.

Symmetric encryption systems. The key is exactly equal on both sides. We take the message with the key and we pump it into the algorithm, and that will encrypt the information. We pass that across the channel where the adversary is listening. That would be right here in the middle. And then on the other side, we use the exact same key to decrypt and we can look at the message. The symmetric encryption that we deal with today is DES, AES,

Page 14 of 33 and RC4. Mostly we stick with AES and RC4.

The problem that we run into is this key. How do we get the key from one side to the other? I mean, we can't pass it across this channel because the adversary is listening, right? What will we do? Well, we would pass it out of band. We would pass it over another channel. So I'm going to send an email message to you that's encrypted using AES, and I'm going to use this key right here. And I'd pick up the phone and I'd go, "The key is..." Here's this long, 256- bit number.

Now, if the adversary is listening in on this channel and listening in on this channel here, then they got us. So we're going to have to figure out a way to do the transmission correctly. Don't worry, we'll get there.

Page 15 of 33 Asymmetric Cryptosystems

Asymmetric Cryptosystems

Asymmetric – different keys are used. • Protecting the PRIVATE key is critical. • Slow, but scalable to large implementations. • Relies on mathematical algorithms and complexity for strength. • Extremely difficult to crack – computationally unfeasible.

DH Different Key RSA

kjdiekdg Message Message Encryption Decryption

**014 Asymmetric encryption. Now, in this case, the keys are different. They are mathematically related and generated at the same time, and how they're distributed is much more elegant.

In this case, what we do is we use one key to encrypt and the other key to decrypt. You can't use this key in the decryption process. It won't work for asymmetric cryptography. They are different keys. If you use this key to encrypt, then this key will decrypt. But you got to figure out how to get the key there, and that's the trick.

Page 16 of 33 Now, what's nice is, in asymmetric encryption systems, we have one key that we always protect and hold dear. That's our private key, and we keep that, and we guard that at all costs. The other key is the public key, and that one we give to everyone. "Here, take a copy." If you want to encrypt something and send it to me, the only key that will decrypt this is the one that I hold dear.

If I encrypt something with my private key, everyone can decrypt it. "Oh my god, then we don't want to use that." Ah, but it's for a different purpose. What we use it for is for nonrepudiation of source. If I'm protecting this key with all my might and then I use it to encrypt something and I send it out there, you know that I'm the only one that has this key. And so when I say I'll sell you my car for a thousand dollars, now what we have is authentication of me-- because anybody can decrypt and they know that that key is associated with my key-- and we have nonrepudiation of source. Because I was the one that encrypted it, it could only come from me. What wouldn't happen is we wouldn't reveal this private key in any of our conversations. What's great about asymmetric cryptography is every single one of us could all have a different private key, and then take all of our public keys and publish them out there for anybody to use. And as long as we protect these private keys, we're in a great space.

Page 17 of 33 Asymmetric Algorithms

Asymmetric Algorithms

Diffie-Hellman Exchange (DHE) • Used for key exchange; secrets never transmitted. Elliptical Curve Diffie-Hellman Exchange (ECDHE) • Variant of DHE that uses elliptical curve cryptography, based on the algebraic structure of elliptic curves. RSA • Most popular; used for data encryption. Elgamal • Used for data encryption and key exchange, but weak algorithm. Elliptic Curve (ECC) • Small key sizes permit use by limited power devices.

**015 Now, with asymmetric algorithms, there are a whole bunch of different algorithms that we want to pay attention to, and some are used for different things.

The one that's in the middle of the slide is the most important one, RSA. That is used for data encryption of a particular kind. We'll come back to that in a bit. ElGamal and ECC are actually coming on stronger these days. One of the things that's nice about ElGamal is it's used for encryption and key exchange. It can be used for both data encryption and key exchange.

Page 18 of 33 Now, go up to the top where we talk about Diffie-Hellman. Diffie-Hellman Exchange, and Elliptical Curve Diffie- Hellman Exchange, is only good for key exchange. It cannot be used for encryption. But the result of what it does is that it allows us to have a key for a session. Diffie-Hellman is usually used with session keys that we want to generate but we haven't met.

There is math that is elegant enough so that I can transmit some information to you and you can transmit some information to me, but it's not enough information in either portion of this for our adversary to be able to figure out the key. We can do it with never having met before. We can do it without exchanging information in private. We get to exchange all of our information in public. But we're not exchanging enough information for our adversary to be able to do the math. And we do this with remainder math, and really cool prime numbers. That's the end of it. No more.

But it's only good for key exchange. It's not good for anything else. RSA is good for encryption. ElGamal is good for encryption and data exchange. Some people argue that the algorithm is relatively weak.

Today ECC, Elliptic Curve Cryptography, is actually coming on as a very useful tool, because our size of our RSA keys are getting pretty big at this point. The DoD is starting to recommend the size of

Page 19 of 33 keys for RSAs to be 4096 bits in size. And the reason why those-- if you look at AES and it's 256 bits versus RSA 4096 bits-- is in AES you can use almost every single key in the entire key space, and that key space is very dense, because you can use one key right after another. You wouldn't use them in order, but you could use every single key and that would be effective.

When you're using large prime numbers, as it is with RSA, the key space for prime numbers starts to spread out, and there start to be less and less numbers that we can use between two prime numbers, because all of those numbers are not prime. So we have to go up to 4096- bit keys in order to do that. Now, because the keys are so large, that also mathematically requires a heavy computation when we're doing encryption and decryption, so therefore it's not good to do big, heavy, bulk encryption with RSA. And that's one of the problems with asymmetric encryption. The math is so intense that it's not good for bulk encryption. But symmetric encryption, well, the math is not as intense and the key space is very dense, so therefore it's better for bulk encryption.

Page 20 of 33 Block Cipher

Block Cipher

Encrypts a message one block at a time. • Larger block sizes provide better encryption strength. • Supports different modes to optimize encryption/decryption.

Message Message Message Message Me Block kj kjdiekdg Message Cipher

**016 Now, when we talk about encryption, usually when we're talking about symmetric encryption, we talk about block. And we do one block at a time. So here we have-- in the center we have this encryption algorithm. We're going to put our particular key that we choose at this time inside of here. Sometimes we're going to put an initialization vector in there to disturb the plain text pattern, and then we're going to pump it through this block. It's going to be a fixed block size.

As that block size gets larger-- in other words, we compute more information at the same time, or we

Page 21 of 33 encrypt or decrypt at the same time-- what happens is it's better for our encryption strength because, well, what people do against blocks is they try to encrypt every single different message under every single different key, thus creating a huge dictionary. But as this block gets bigger, that dictionary gets-- well, every time it goes up a bit, it gets twice as big. So if I go from a 56-bit block cipher and it takes you-- we're making up a number now-- four billion dictionary terms, when I go to 57 bits, now you've got to have eight billion terms. If I go from 57 bits to 26 bits-- mathematicians.

Block Cipher Modes -1

Electronic Code Book (ECB) • Least complex, no IV, identical plaintext = identical ciphertext, useful for short messages, but not good for bulk data encryption. Cipher Block Chaining (CBC) • Uses IV, and chaining, where encrypted blocks are fed back into the cryptosystem as the new IV for the next block. Cipher Feedback (CFB), • Uses IV and key, output from encrypted block is used as key for next block. Output Feedback (OFB), Counter (CTR) • Same as CFB except key is pre-computed for each block.

Page 22 of 33 **017 When we use block ciphers, sometimes what we will do is we will mode them into modes. And what this means is that a block cipher is good for certain things, but sometimes what we want to do is we want to stream those communications. So we use one of the four main modes. Now, these are the four modes, and when we start with the first one, the Electronic Code Book, ECB, we use the standard transform. And that means that we don't change anything about the algorithm. That's what we do when we first start off. Like with AES, we say, "Okay, we're going to use Electronic Code Book."

And then somebody says, "Well, there's a pattern that is shown when we encrypt a lot of data that's the same. In ECB, if we encrypt the first plain text block, we encrypt the second plain text block the exact same way-- and if this was a picture, a really, really large picture, and it had a whole bunch of white in it and a little bit of black in it, each one of these blocks would encrypt and the encryption information would be the exact same over and over and over again.

So what we want to do is we want to say, "Hey, we have to disturb this pattern. And that's what we do in cipher block chaining. We chain one block to the next block to the next block, and we use an input from the previous block, an initialization vector, to disturb that pattern. And all's it does is it makes it look more like snow.

Page 23 of 33 In cipher feedback, what we do is we use this initialization vector in a little bit different way. And also, this allows us-- in cipher feedback-- this allows us to stream our content. Now, this is a block mode cipher that's being used as a stream.

When would you need a stream? Well, it would be when you have a stream of data, like voice communications, or video communications, bidirectional communications, voice and video. We need to do a little bit of encryption first, and what we can do is instead of encrypting our plain text, what we do is we encrypt our initialization vector first. Because if we did that, that's before there's any text going back and forth-- I mean, before there's any video going back and forth. So we can get out just ahead of what I'm going to say next. And we can keep on doing that, because we're just a little bit out ahead.

Next are two other modes, output feedback and counter. Output feedback says, "Cipher feedback is not quite strong enough for our purposes, and what we'd really like right now is a one-time pad." And a one-time pad means that we use a key that is as long as our message, and we never use that keying material again. In output feedback, we generate keying material that is almost relatively unique, which gets really close to what a one-time pad looks like.

Page 24 of 33 Lastly, if we've got lots and lots of data that we want to stream and one processor won't do it, counter mode will allow us to parallelize all of this content so that we can assign pieces of it to other processors by using a number used once and a counter that is incremented for each one of these blocks that's being passed.

Now, at this point-- well, let me give you a little bit more.

Block Cipher Modes -2

These modes offer integrity by hashing: • Cipher-based Message Authentication Code (CMAC) • Counter with Cipher Block Chaining – Message Authentication Code (CCM) • Galois/Counter Mode (GCM)

**018 There are also other modes of ciphers that are like the old modes--

Page 25 of 33 Block Cipher Modes -1

Block Cipher Modes -1

**017 --But now what we say is it's not enough to have confidentiality--

Page 26 of 33 Block Cipher Modes -2

Block Cipher Modes -2

These modes offer integrity by hashing: • Cipher-based Message Authentication Code (CMAC) • Counter with Cipher Block Chaining – Message Authentication Code (CCM) • Galois/Counter Mode (GCM)

**018 --We have to also have integrity. And so CMAC and CCM and GCM add integrity bits to these previous ones.

Page 27 of 33 Block Cipher Examples

Block Cipher Examples

DES – Data Encryption Standard, 64-bit block, 56-bit key 3-DES – Triple Data Encrypt Standard, 64-bit block, two or three 56-bit keys to increase key space AES – Replaced DES, 128-bit block, 128/192/256-bit key IDEA – Used by PGP, 64-bit block, 128-bit key Blowfish – Extremely fast, 64-bit block cipher, variable length key Others • CAST, Cellular Message Encryption Algorithm, GOST, LOKI, Lucifer, RC-2, RC-6, Serpent, MARS, Twofish, Skipjack

**019 When we look at block ciphers, we got to go back in history to the Data Encryption Standard. That was good. It was invented in '75-- well, actually it was invented before that by Dr. Feistel. He used something called the Lucifer Cipher as the start of it, which was a little bit bigger cipher. And what happened was the NSA came along and said, "Well, we're going to fix it so that it works for most of our equipment and most of our chips that we're dealing with. So we'll do the Data Encryption Standard. It's going to be a 64-bit block with a 56-bit key.

Page 28 of 33 That was sufficient all the way up until about 10 years ago, for all but nation-states to be able to decrypt. Today, when we decrypt, we could spend about two thousand dollars and decrypt DES in real-time.

One of the nice things about DES is, as an algorithm it is not susceptible to the block issue. Don't worry about what the block issue is. But what that means is that what we can do is we can use it three times in a row-- Triple DES-- and we can use that exact same chip that's in that machine and what we do is we just keep on re-encrypting three times, and we will get more strength.

Now, the key space doesn't have to change, but it can. You can use three separate keys. The key space can change-- I mean, the number of keys that you can change. It can be one key for encryption, using another key to decrypt it wrong, and then re- encrypt it with that first key again. See, by decrypting with the wrong key, we're going to get an output that's different, that's not what we want, and we can re-encrypt it with the original key and we'll get something that's very, very different.

Our block cipher today that we use, that's prevalent throughout the globe, is AES. It replaces Data Encryption Standard. Now, the nice thing about AES is that it's got a knob on it that will allow us to change the number of bits in the key.

Page 29 of 33 IDEA is used by PGP. If you are doing Pretty Good Privacy for your own email, you are probably using IDEA. And that's a 64-bit block with 128-bit key. And yes, your key sizes do not have to match your block sizes. That will work.

There are a couple of other algorithms out there that you may look at. By the way, in the Other, down at the bottom where it says Lucifer, that is a cipher that is the precursor to DES.

Stream Cipher

Encrypts a single bit or byte at a time. • Uses linear feedback shift registers to increase encryption strength. • Plaintext stream is exclusive OR’d with key stream.

Key

1 1 0 0 1 0 Stream 0 0 0 1 1 0 Cipher Message Message Ciphertext Message 1 1 0 1 0 0

Plaintext One Time Pad (OTP) – Key is only used once and never reused.

**020 So I've talked about a block cipher. Let's talk about a stream cipher.

Page 30 of 33 What we would really like is a one- time pad. And as we talked about before, a one-time pad is a key that is the same length as our message. Generating a key that is as long as our message, that we never use again, is very expensive, very time- consuming, and then the transmissions of the keys are even tougher at that point. So what we do is we create an algorithm that allows us to take a particular key and encrypt that key to generate a key stream that looks very, very random and very unique. And then what we do is we match that with the plain text. How we match that is at the bit level, and what we do is we do this combination that's called XOR'ing, which means we combine the two digits together.

Page 31 of 33 Stream Cipher Examples

Stream Cipher Examples

Synchronous – sender and receiver must be in step together with the keystream. • HC-128 • RC-4 – of WEP fame Asynchronous – sender uses part of the ciphertext to generate the keystream. • Ciphertext autokey (CTAK) • Cipher feedback mode (CFB) – block cipher acting in stream mode

**021 There are plenty of stream ciphers that are out there. The one that is used primarily today is RC4. However, you could use cipher feedback. You could use a block cipher, implemented as a stream. So that is also possible.

Page 32 of 33 Notices

Notices

© 2015 Carnegie Mellon University This material is distributed by the Software Engineering Institute (SEI) only to course attendees for their own individual study. Except for the U.S. government purposes described below, this material SHALL NOT be reproduced or used in any other manner without requesting formal permission from the Software Engineering Institute at [email protected]. This material was created in the performance of Federal Government Contract Number FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. The U.S. government's rights to use, modify, reproduce, release, perform, display, or disclose this material are restricted by the Rights in Technical Data-Noncommercial Items clauses (DFAR 252-227.7013 and DFAR 252-227.7013 Alternate I) contained in the above identified contract. Any reproduction of this material or portions thereof marked with this legend must also reproduce the disclaimers contained on this slide. Although the rights granted by contract do not require course attendance to use this material for U.S. government purposes, the SEI recommends attendance to ensure proper understanding. THE MATERIAL IS PROVIDED ON AN “AS IS” BASIS, AND CARNEGIE MELLON DISCLAIMS ANY AND ALL WARRANTIES, IMPLIED OR OTHERWISE (INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE, RESULTS OBTAINED FROM USE OF THE MATERIAL, MERCHANTABILITY, AND/OR NON-INFRINGEMENT). CERT ® is a registered mark owned by Carnegie Mellon University.

Page 33 of 33