From 1320185e875d5ccdb622df1fde55fa901a3cc358 Mon Sep 17 00:00:00 2001 From: cameronrich Date: Sun, 25 Feb 2007 04:25:17 +0000 Subject: [PATCH] added TiddlyWiki page git-svn-id: svn://svn.code.sf.net/p/axtls/code/trunk@65 9a5d90b5-6617-0410-8a86-bb477d3ed2e3 --- CHANGELOG | 24 - LICENSE | 178 - README | 161 +- config/axhttpd.aip | 38 +- config/linuxconfig | 2 +- config/win32config | 2 +- httpd/Config.in | 2 +- httpd/README | 68 - ssl/openssl.c | 29 +- ssl/ssl.h | 3 +- www/index.html | 10895 +++++++++++++++++---------- www/index_files/crypto_2600des.gif | Bin 15768 -> 0 bytes www/index_files/crypto_3ways.gif | Bin 17993 -> 0 bytes www/index_files/crypto_backrsa.jpg | Bin 6750 -> 0 bytes www/index_files/crypto_cert.gif | Bin 17873 -> 0 bytes www/index_files/crypto_des.gif | Bin 7085 -> 0 bytes www/index_files/crypto_ecc.gif | Bin 4700 -> 0 bytes www/index_files/crypto_sslv3.gif | Bin 30156 -> 0 bytes www/index_files/crypto_types.gif | Bin 11401 -> 0 bytes www/index_files/kerberos.gif | Bin 20772 -> 0 bytes www/test_dir/bin/.htaccess | 1 + 21 files changed, 7155 insertions(+), 4248 deletions(-) delete mode 100644 CHANGELOG delete mode 100644 LICENSE delete mode 100644 httpd/README delete mode 100644 www/index_files/crypto_2600des.gif delete mode 100644 www/index_files/crypto_3ways.gif delete mode 100644 www/index_files/crypto_backrsa.jpg delete mode 100644 www/index_files/crypto_cert.gif delete mode 100644 www/index_files/crypto_des.gif delete mode 100644 www/index_files/crypto_ecc.gif delete mode 100644 www/index_files/crypto_sslv3.gif delete mode 100644 www/index_files/crypto_types.gif delete mode 100644 www/index_files/kerberos.gif create mode 100644 www/test_dir/bin/.htaccess diff --git a/CHANGELOG b/CHANGELOG deleted file mode 100644 index 80ba19027..000000000 --- a/CHANGELOG +++ /dev/null @@ -1,24 +0,0 @@ -Changes since 1.0.0 - -* AES should now work on 16bit processors (there was an alignment problem). -* Various freed objects are cleared before freeing. -* Header files now installed in /usr/local/include/axTLS. -* -DCYGWIN replaced with -DCONFIG_PLATFORM_CYGWIN (and the same for solaris). -* removed "-noextern" option in Swig. Fixed some other warnings in Win32. -* SSLCTX changed to SSL_CTX (to be consistent with openssl). -* malloc()/open() etc call abort() on failure. -* Fixed a memory leak in directory listings. -* Added openssl() compatibility functions. -* Fixed cygwin 'make install' issue. - -axhttpd Changes -* main.c now becomes axhttpd.c. -* Header file issue fixed (in mime_types.c). -* chroot() now used for better security. -* Basic authentication implemented (via .htpasswd). -* SSL access/denial protection implemented (via .htaccess). -* Directory access protection implemented (via .htaccess). -* Can now have more than one CGI file extension in mconf. -* "If-Modified-Since" request now handled properly. -* Performance tweaks to remove ssl_find() - diff --git a/LICENSE b/LICENSE deleted file mode 100644 index 32e42d5a8..000000000 --- a/LICENSE +++ /dev/null @@ -1,178 +0,0 @@ -GNU LESSER GENERAL PUBLIC LICENSE - -Version 2.1, February 1999 - -Copyright (C) 1991, 1999 Free Software Foundation, Inc. -51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA -Everyone is permitted to copy and distribute verbatim copies -of this license document, but changing it is not allowed. - -[This is the first released version of the Lesser GPL. It also counts - as the successor of the GNU Library Public License, version 2, hence - the version number 2.1.] - -Preamble - -The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public Licenses are intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. - -This license, the Lesser General Public License, applies to some specially designated software packages--typically libraries--of the Free Software Foundation and other authors who decide to use it. You can use it too, but we suggest you first think carefully about whether this license or the ordinary General Public License is the better strategy to use in any particular case, based on the explanations below. - -When we speak of free software, we are referring to freedom of use, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish); that you receive source code or can get it if you want it; that you can change the software and use pieces of it in new free programs; and that you are informed that you can do these things. - -To protect your rights, we need to make restrictions that forbid distributors to deny you these rights or to ask you to surrender these rights. These restrictions translate to certain responsibilities for you if you distribute copies of the library or if you modify it. - -For example, if you distribute copies of the library, whether gratis or for a fee, you must give the recipients all the rights that we gave you. You must make sure that they, too, receive or can get the source code. If you link other code with the library, you must provide complete object files to the recipients, so that they can relink them with the library after making changes to the library and recompiling it. And you must show them these terms so they know their rights. - -We protect your rights with a two-step method: (1) we copyright the library, and (2) we offer you this license, which gives you legal permission to copy, distribute and/or modify the library. - -To protect each distributor, we want to make it very clear that there is no warranty for the free library. Also, if the library is modified by someone else and passed on, the recipients should know that what they have is not the original version, so that the original author's reputation will not be affected by problems that might be introduced by others. - -Finally, software patents pose a constant threat to the existence of any free program. We wish to make sure that a company cannot effectively restrict the users of a free program by obtaining a restrictive license from a patent holder. Therefore, we insist that any patent license obtained for a version of the library must be consistent with the full freedom of use specified in this license. - -Most GNU software, including some libraries, is covered by the ordinary GNU General Public License. This license, the GNU Lesser General Public License, applies to certain designated libraries, and is quite different from the ordinary General Public License. We use this license for certain libraries in order to permit linking those libraries into non-free programs. - -When a program is linked with a library, whether statically or using a shared library, the combination of the two is legally speaking a combined work, a derivative of the original library. The ordinary General Public License therefore permits such linking only if the entire combination fits its criteria of freedom. The Lesser General Public License permits more lax criteria for linking other code with the library. - -We call this license the "Lesser" General Public License because it does Less to protect the user's freedom than the ordinary General Public License. It also provides other free software developers Less of an advantage over competing non-free programs. These disadvantages are the reason we use the ordinary General Public License for many libraries. However, the Lesser license provides advantages in certain special circumstances. - -For example, on rare occasions, there may be a special need to encourage the widest possible use of a certain library, so that it becomes a de-facto standard. To achieve this, non-free programs must be allowed to use the library. A more frequent case is that a free library does the same job as widely used non-free libraries. In this case, there is little to gain by limiting the free library to free software only, so we use the Lesser General Public License. - -In other cases, permission to use a particular library in non-free programs enables a greater number of people to use a large body of free software. For example, permission to use the GNU C Library in non-free programs enables many more people to use the whole GNU operating system, as well as its variant, the GNU/Linux operating system. - -Although the Lesser General Public License is Less protective of the users' freedom, it does ensure that the user of a program that is linked with the Library has the freedom and the wherewithal to run that program using a modified version of the Library. - -The precise terms and conditions for copying, distribution and modification follow. Pay close attention to the difference between a "work based on the library" and a "work that uses the library". The former contains code derived from the library, whereas the latter must be combined with the library in order to run. - -TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION - -0. This License Agreement applies to any software library or other program which contains a notice placed by the copyright holder or other authorized party saying it may be distributed under the terms of this Lesser General Public License (also called "this License"). Each licensee is addressed as "you". - -A "library" means a collection of software functions and/or data prepared so as to be conveniently linked with application programs (which use some of those functions and data) to form executables. - -The "Library", below, refers to any such software library or work which has been distributed under these terms. A "work based on the Library" means either the Library or any derivative work under copyright law: that is to say, a work containing the Library or a portion of it, either verbatim or with modifications and/or translated straightforwardly into another language. (Hereinafter, translation is included without limitation in the term "modification".) - -"Source code" for a work means the preferred form of the work for making modifications to it. For a library, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the library. - -Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running a program using the Library is not restricted, and output from such a program is covered only if its contents constitute a work based on the Library (independent of the use of the Library in a tool for writing it). Whether that is true depends on what the Library does and what the program that uses the Library does. - -1. You may copy and distribute verbatim copies of the Library's complete source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and distribute a copy of this License along with the Library. - -You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee. - -2. You may modify your copy or copies of the Library or any portion of it, thus forming a work based on the Library, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions: - - * a) The modified work must itself be a software library. - * b) You must cause the files modified to carry prominent notices stating that you changed the files and the date of any change. - * c) You must cause the whole of the work to be licensed at no charge to all third parties under the terms of this License. - * d) If a facility in the modified Library refers to a function or a table of data to be supplied by an application program that uses the facility, other than as an argument passed when the facility is invoked, then you must make a good faith effort to ensure that, in the event an application does not supply such function or table, the facility still operates, and performs whatever part of its purpose remains meaningful. - - (For example, a function in a library to compute square roots has a purpose that is entirely well-defined independent of the application. Therefore, Subsection 2d requires that any application-supplied function or table used by this function must be optional: if the application does not supply it, the square root function must still compute square roots.) - - These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Library, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Library, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. - - Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Library. - - In addition, mere aggregation of another work not based on the Library with the Library (or with a work based on the Library) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. - -3. You may opt to apply the terms of the ordinary GNU General Public License instead of this License to a given copy of the Library. To do this, you must alter all the notices that refer to this License, so that they refer to the ordinary GNU General Public License, version 2, instead of to this License. (If a newer version than version 2 of the ordinary GNU General Public License has appeared, then you can specify that version instead if you wish.) Do not make any other change in these notices. - -Once this change is made in a given copy, it is irreversible for that copy, so the ordinary GNU General Public License applies to all subsequent copies and derivative works made from that copy. - -This option is useful when you wish to copy part of the code of the Library into a program that is not a library. - -4. You may copy and distribute the Library (or a portion or derivative of it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange. - -If distribution of object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place satisfies the requirement to distribute the source code, even though third parties are not compelled to copy the source along with the object code. - -5. A program that contains no derivative of any portion of the Library, but is designed to work with the Library by being compiled or linked with it, is called a "work that uses the Library". Such a work, in isolation, is not a derivative work of the Library, and therefore falls outside the scope of this License. - -However, linking a "work that uses the Library" with the Library creates an executable that is a derivative of the Library (because it contains portions of the Library), rather than a "work that uses the library". The executable is therefore covered by this License. Section 6 states terms for distribution of such executables. - -When a "work that uses the Library" uses material from a header file that is part of the Library, the object code for the work may be a derivative work of the Library even though the source code is not. Whether this is true is especially significant if the work can be linked without the Library, or if the work is itself a library. The threshold for this to be true is not precisely defined by law. - -If such an object file uses only numerical parameters, data structure layouts and accessors, and small macros and small inline functions (ten lines or less in length), then the use of the object file is unrestricted, regardless of whether it is legally a derivative work. (Executables containing this object code plus portions of the Library will still fall under Section 6.) - -Otherwise, if the work is a derivative of the Library, you may distribute the object code for the work under the terms of Section 6. Any executables containing that work also fall under Section 6, whether or not they are linked directly with the Library itself. - -6. As an exception to the Sections above, you may also combine or link a "work that uses the Library" with the Library to produce a work containing portions of the Library, and distribute that work under terms of your choice, provided that the terms permit modification of the work for the customer's own use and reverse engineering for debugging such modifications. - -You must give prominent notice with each copy of the work that the Library is used in it and that the Library and its use are covered by this License. You must supply a copy of this License. If the work during execution displays copyright notices, you must include the copyright notice for the Library among them, as well as a reference directing the user to the copy of this License. Also, you must do one of these things: - - * a) Accompany the work with the complete corresponding machine-readable source code for the Library including whatever changes were used in the work (which must be distributed under Sections 1 and 2 above); and, if the work is an executable linked with the Library, with the complete machine-readable "work that uses the Library", as object code and/or source code, so that the user can modify the Library and then relink to produce a modified executable containing the modified Library. (It is understood that the user who changes the contents of definitions files in the Library will not necessarily be able to recompile the application to use the modified definitions.) - * b) Use a suitable shared library mechanism for linking with the Library. A suitable mechanism is one that (1) uses at run time a copy of the library already present on the user's computer system, rather than copying library functions into the executable, and (2) will operate properly with a modified version of the library, if the user installs one, as long as the modified version is interface-compatible with the version that the work was made with. - * c) Accompany the work with a written offer, valid for at least three years, to give the same user the materials specified in Subsection 6a, above, for a charge no more than the cost of performing this distribution. - * d) If distribution of the work is made by offering access to copy from a designated place, offer equivalent access to copy the above specified materials from the same place. - * e) Verify that the user has already received a copy of these materials or that you have already sent this user a copy. - -For an executable, the required form of the "work that uses the Library" must include any data and utility programs needed for reproducing the executable from it. However, as a special exception, the materials to be distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable. - -It may happen that this requirement contradicts the license restrictions of other proprietary libraries that do not normally accompany the operating system. Such a contradiction means you cannot use both them and the Library together in an executable that you distribute. - -7. You may place library facilities that are a work based on the Library side-by-side in a single library together with other library facilities not covered by this License, and distribute such a combined library, provided that the separate distribution of the work based on the Library and of the other library facilities is otherwise permitted, and provided that you do these two things: - - * a) Accompany the combined library with a copy of the same work based on the Library, uncombined with any other library facilities. This must be distributed under the terms of the Sections above. - * b) Give prominent notice with the combined library of the fact that part of it is a work based on the Library, and explaining where to find the accompanying uncombined form of the same work. - -8. You may not copy, modify, sublicense, link with, or distribute the Library except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense, link with, or distribute the Library is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance. - -9. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Library or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Library (or any work based on the Library), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Library or works based on it. - -10. Each time you redistribute the Library (or any work based on the Library), the recipient automatically receives a license from the original licensor to copy, distribute, link with or modify the Library subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties with this License. - -11. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Library at all. For example, if a patent license would not permit royalty-free redistribution of the Library by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Library. - -If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply, and the section as a whole is intended to apply in other circumstances. - -It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. - -This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. - -12. If the distribution and/or use of the Library is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Library under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License. - -13. The Free Software Foundation may publish revised and/or new versions of the Lesser General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. - -Each version is given a distinguishing version number. If the Library specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Library does not specify a license version number, you may choose any version ever published by the Free Software Foundation. - -14. If you wish to incorporate parts of the Library into other free programs whose distribution conditions are incompatible with these, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. - -NO WARRANTY - -15. BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE LIBRARY IS WITH YOU. SHOULD THE LIBRARY PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. - -16. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE LIBRARY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. - -END OF TERMS AND CONDITIONS -How to Apply These Terms to Your New Libraries - -If you develop a new library, and you want it to be of the greatest possible use to the public, we recommend making it free software that everyone can redistribute and change. You can do so by permitting redistribution under these terms (or, alternatively, under the terms of the ordinary General Public License). - -To apply these terms, attach the following notices to the library. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found. - -one line to give the library's name and an idea of what it does. -Copyright (C) year name of author - -This library is free software; you can redistribute it and/or -modify it under the terms of the GNU Lesser General Public -License as published by the Free Software Foundation; either -version 2.1 of the License, or (at your option) any later version. - -This library is distributed in the hope that it will be useful, -but WITHOUT ANY WARRANTY; without even the implied warranty of -MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -Lesser General Public License for more details. - -You should have received a copy of the GNU Lesser General Public -License along with this library; if not, write to the Free Software -Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA - -Also add information on how to contact you by electronic and paper mail. - -You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the library, if necessary. Here is a sample; alter the names: - -Yoyodyne, Inc., hereby disclaims all copyright interest in -the library `Frob' (a library for tweaking knobs) written -by James Random Hacker. - -signature of Ty Coon, 1 April 1990 -Ty Coon, President of Vice - diff --git a/README b/README index fcc18121b..c8926d9bf 100644 --- a/README +++ b/README @@ -1,162 +1,3 @@ -######################################################################## -# axTLS Quick-Start Guide -######################################################################## -This is a guide to get a small SSL web-server up and running quickly. - -######################################################################## -# Introduction -######################################################################## -The axTLS project is an SSL client/server library using the TLSv1 protocol. -It is designed to be small and fast, and is suited to embedded projects. A web -server is included. - -The web server + SSL library is around 50-60kB and is configurable for -features or size. - -######################################################################## -# Compilation -######################################################################## - -All platforms require GNU make. This means on Win32 that Cygwin needs to be -installed with "make" and various developer options selected. - -Configuration now uses a tool called "mconf" which gives a nice way to -configure options (similar to what is used in BusyBox and the Linux kernel). - -You should be able to compile axTLS simply by extracting it, change into -the extracted directory and typing: - -> make - -Select your platform type, save the configuration, exit, and then -type "make" again. - -If all goes well, you should end up with an executable called "axhttpd" (or -axhttpd.exe) in the _stage directory. - -To play with all the various axTLS options, type: - -> make menuconfig - -Save the new configuration and rebuild. - -######################################################################## -# Running it -######################################################################## - -To run it, go to the _stage directory, and type (as superuser): - -> axhttpd - -And then point your browser at: - -https://127.0.0.1 - -And you should see a html page with a padlock appearing on your browser. - -or type: - -http://127.0.0.1 - -to see the same page unencrypted. - -######################################################################## -# The axssl utilities -######################################################################## - -The axssl suite of tools are the SSL test tools in the various language -bindings. They are: - -axssl - C sample -axssl.csharp - C# sample -axssl.vbnet - VB.NET sample -axtls.jar - Java sample -axssl.pl - Perl sample - -All the tools have identical command-line parameters. e.g. to run something -interesting: - -> axssl s_server -verify -CAfile ../ssl/test/axTLS.ca_x509 - -and - -> axssl s_client -cert ../ssl/test/axTLS.x509_1024 -key \ - ../ssl/test/axTLS.key_1024 -reconnect - -C# -== -If building under Linux or other non-Win32 platforms, Mono must be installed -and the executable is run as: - -> mono axssl.csharp.exe ... - -Java -==== -The java version is run as: - -> java -jar axtls.jar - -Perl -==== -> [perl] ./axssl.pl - -If running under Win32, be sure to use the correct version of Perl (i.e. -ActiveState's version works ok). - -######################################################################## -# Known Issues -######################################################################## - -* Firefox doesn't handle legacy SSLv2 at all well. Disabling SSLv2 still - initiates a SSLv23 handshake (v1.5). And continuous pressing of the - "Reload" page instigates a change to SSLv3 for some reason (even though the - TLS 1.0 option is selected). This will cause a "Firefox and cannot - communicate securely because they have no common encryption - algorithms" (v1.5), or "Firefox can't connect to because the site - uses a security protocol which isn't enabled" (v2.0). See bugzilla issues - 343543 and 359484 (Comment #7). It's all broken (hopefully fixed soon). - -* Perl/Java bindings don't work on 64 bit Linux machines. I can't even compile - the latest version of Perl on an AMD64 box (using FC3). - -* Java 1.4 or better is required for the Java interfaces. - -* Processes that fork can't use session resumption unless some form of IPC is - used. - -* Ensure libperl.so and libaxtls.so are in the shared library path when - running with the perl bindings. A way to do this is with: - - export LD_LIBRARY_PATH=`perl -e 'use Config; print $Config{archlib};'`/CORE:. - -* The default Microsoft .NET SDK is v2.0.50727. Download from: - http://msdn.microsoft.com/netframework/downloads/updates/default.aspx. - -Win32 issues -============ -* Be careful about doing .NET executions on network drives - .NET complains - with security exceptions on the binary. TODO: Add a manifest file to prevent - this. - -* The test harness appears to be broken under VC8.0. Debugging shows a problem - the _close() function which is weird. CGI is also broken under VC8.0. - -* CGI works under Win32, but needs some more work to get it right. - -Solaris issues -============== -* mconf doesn't work well - some manual tweaking is required for string values. - -* GNU make is required and needs to be in $PATH. - -* To get swig's library dependencies to work (and for the C library to be - found), I needed to type: - > export LD_LIBRARY_PATH=/usr/local/gcc-3.3.1/lib:. - -Cygwin issues -============= -* The bindings all compile but don't run under Cygwin with the exception of - Perl. This is due to win32 executables being incompatible with Cygwin - libraries. +See www/index.html for the README, CHANGELOG, LICENSE and other notes. diff --git a/config/axhttpd.aip b/config/axhttpd.aip index d252672c4..f80a1cf6f 100755 --- a/config/axhttpd.aip +++ b/config/axhttpd.aip @@ -21,9 +21,9 @@ - + + - @@ -37,15 +37,15 @@ - - + + - + @@ -61,28 +61,20 @@ - - - - - - - - - - - - - + + + + + + - - - + + - + - + diff --git a/config/linuxconfig b/config/linuxconfig index 8d021f7f1..4ba7d43d2 100644 --- a/config/linuxconfig +++ b/config/linuxconfig @@ -54,7 +54,7 @@ CONFIG_HTTP_HTTPS_PORT=443 CONFIG_HTTP_SESSION_CACHE_SIZE=5 CONFIG_HTTP_WEBROOT="../www" CONFIG_HTTP_PORT=80 -CONFIG_HTTP_TIMEOUT=5 +CONFIG_HTTP_TIMEOUT=300 # CONFIG_HTTP_HAS_CGI is not set CONFIG_HTTP_CGI_EXTENSIONS="" # CONFIG_HTTP_DIRECTORIES is not set diff --git a/config/win32config b/config/win32config index 9155617c0..a90b85a0e 100644 --- a/config/win32config +++ b/config/win32config @@ -58,7 +58,7 @@ CONFIG_HTTP_PORT=80 CONFIG_HTTP_HTTPS_PORT=443 CONFIG_HTTP_SESSION_CACHE_SIZE=5 CONFIG_HTTP_WEBROOT="www" -CONFIG_HTTP_TIMEOUT=5 +CONFIG_HTTP_TIMEOUT=300 # CONFIG_HTTP_HAS_CGI is not set CONFIG_HTTP_CGI_EXTENSIONS="" CONFIG_HTTP_DIRECTORIES=y diff --git a/httpd/Config.in b/httpd/Config.in index 2dfe558f1..cfac61861 100644 --- a/httpd/Config.in +++ b/httpd/Config.in @@ -49,7 +49,7 @@ config CONFIG_HTTP_WEBROOT config CONFIG_HTTP_TIMEOUT int "Timeout" - default 5 + default 300 help Set the timeout of a connection in seconds. diff --git a/httpd/README b/httpd/README deleted file mode 100644 index 8ab78cbd3..000000000 --- a/httpd/README +++ /dev/null @@ -1,68 +0,0 @@ - -axhttpd is a small embedded web server using the axTLS library. - -It is based originally on the web server written by Doug Currie which is at: -http://www.hcsw.org/awhttpd. - -***************************************************************************** -* axhttpd Features * -***************************************************************************** - -Basic Authentication -==================== - -Basic Authentication uses a password file called ".htpasswd", in the -directory to be protected. This file is formatted as the familiar -colon-separated username/encrypted-password pair, records delimited by -newlines. The protection does not carry over to subdirectories. The -utility program htpasswd is included to help manually edit .htpasswd files. - -The encryption of this password uses a proprietary algorithm due to the -dependency of many crypt libraries on DES. - -An example is in /test_dir/ssl_only (username 'abcd', password is '1234'). - -Note: This is an mconf configuration option. - -SSL Protection -==================== - -Directories/files can be accessed using the 'http' or 'https' uri prefix. If -normal http access for a directory needs to be disabled, then put -"SSLRequireSSL" into a '.htaccess' file in the directory to be protected. - -Conversely, use "SSLDenySSL" to deny access to directories via SSL. - -An example is in /test_dir/no_http and /test_dir/no_ssl. - -Entire directories can be denied access with a "Deny all" directive -(regardless of SSL or authentication). - -CGI -=== - -chroot() is now used for added security. However this has the impact of -removing the regular filesystem, so any CGI applications no longer have the -usual access (to things like /bin, /lib etc). - -So any executables and libraries need to be copied into webroot. - -Failure to do so will result in mystical blank screens (and probably hundreds -of axhttpd instances being created...). - -Directory Listing -================= - -An mconf option. Allow the files in directories to be displayed. - -Permissions Checking -===================== - -An mconf option. This will display the various file permissions to standard -output of files in web root. - -Other Features -============== - -Check the help options in mconf for all the other features used. - diff --git a/ssl/openssl.c b/ssl/openssl.c index 61e5b0f21..4254bc702 100644 --- a/ssl/openssl.c +++ b/ssl/openssl.c @@ -17,8 +17,11 @@ */ /* - * Enable some openssl compatible functions. We don't aim to be 100% + * Enable a subset of openssl compatible functions. We don't aim to be 100% * compatible - just to be able to do basic ports etc. + * + * Only really tested on mini_httpd, so I'm not too sure how extensive this + * port is. */ #include "config.h" @@ -26,9 +29,11 @@ #ifdef CONFIG_OPENSSL_COMPATIBLE #include #include +#include #include "ssl.h" #define OPENSSL_CTX_ATTR ((OPENSSL_CTX *)ssl_ctx->bonus_attr) + void *SSLv23_server_method(void) { return NULL; } void *SSLv3_server_method(void) { return NULL; } void *TLSv1_server_method(void) { return NULL; } @@ -37,6 +42,7 @@ void *SSLv3_client_method(void) { return NULL; } void *TLSv1_client_method(void) { return NULL; } typedef void * (*ssl_func_type_t)(void); +typedef void * (*bio_func_type_t)(void); typedef struct { @@ -170,6 +176,7 @@ int SSL_get_error(const SSL *ssl, int ret) return 0; /* TODO: return proper return code */ } +void SSL_CTX_set_options(SSL_CTX *ssl_ctx, int option) {} int SSL_library_init(void ) { return 1; } void SSL_load_error_strings(void ) {} void ERR_print_errors_fp(FILE *fp) {} @@ -177,4 +184,24 @@ long SSL_CTX_get_timeout(const SSL_CTX *ssl_ctx) { return CONFIG_SSL_EXPIRY_TIME*3600; } long SSL_CTX_set_timeout(SSL_CTX *ssl_ctx, long t) { return SSL_CTX_get_timeout(ssl_ctx); } +void BIO_printf(FILE *f, const char *format, ...) +{ + va_list(ap); + va_start(ap, format); + vfprintf(f, format, ap); + va_end(ap); +} + +void* BIO_s_null(void) {} +FILE *BIO_new(bio_func_type_t func) +{ + if (func == BIO_s_null) + return fopen("/dev/null", "r"); +} + +FILE *BIO_new_fp(FILE *stream, int close_flag) { return stream; } +int BIO_free(FILE *a) { if (a != stdout && a != stderr) fclose(a); return 1; } + + + #endif diff --git a/ssl/ssl.h b/ssl/ssl.h index 1ea8a8069..7cdab2aa8 100644 --- a/ssl/ssl.h +++ b/ssl/ssl.h @@ -32,7 +32,8 @@ * - Highly configurable compile time options. * - Portable across many platforms (written in ANSI C), and has language * bindings in C, C#, VB.NET, Java and Perl. - * - A very small footprint for a HTTPS server (around 50-60kB in 'server-only' + * - Partial openssl API compatibility (via a wrapper). + * - A very small footprint for a HTTPS server (around 60-70kB in 'server-only' * mode). * - No dependencies on sockets - can use serial connections for example. * - A very simple API - ~ 20 functions/methods. diff --git a/www/index.html b/www/index.html index 5a391a34c..f09fa6a3a 100644 --- a/www/index.html +++ b/www/index.html @@ -1,3790 +1,7105 @@ -An Overview of Cryptography - - - - -
-

- -An Overview of Cryptography - -

-

-Gary C. Kessler
-May 1998
-(1 August 2006) -

-
-
-

-A much shorter, edited version of this paper appears in the 1999 Edition of Handbook on Local Area Networks, published by Auerbach in September 1998. Since that time, this article has taken on a life of its own... -

-
-
- -
- - -
-

CONTENTS

- - -		  - - -

FIGURES

-
    -
  1. Three types of cryptography: secret-key, public key, and hash function. -
  2. Sample application of the three cryptographic techniques for secure communication. -
  3. Kerberos architecture. -
  4. GTE Cybertrust Global Root-issued certificate (Netscape Navigator). -
  5. Sample entries in Unix/Linux password files. -
  6. DES enciphering algorithm. -
  7. A PGP signed message. -
  8. A PGP encrypted message. -
  9. The decrypted message. -
  10. IPsec Authentication Header format. -
  11. IPsec Encapsulating Security Payload format. -
  12. IPsec tunnel and transport modes for AH. -
  13. IPsec tunnel and transport modes for ESP. -
  14. SSL v3 configuration screen (Netscape Navigator). -
  15. SSL/TLS protocol handshake. -
  16. Elliptic curve addition. -
  17. AES pseudocode. -
-

TABLES

-
    -
  1. Minimum Key Lengths for Symmetric Ciphers. -
  2. Contents of an X.509 V3 Certificate. -
  3. Other Crypto Algorithms and Systems of Note. -
  4. ECC and RSA Key Comparison. -
-
-
- -
-
-

1. INTRODUCTION

-

-Does increased security provide comfort to paranoid -people? Or does security provide some very basic protections that we -are naive to believe that we don't need? During this time when the -Internet provides essential communication between tens of millions of -people and is being increasingly used as a tool for commerce, security -becomes a tremendously important issue to deal with. -

-There are many aspects to security and many -applications, ranging from secure commerce and payments to private -communications and protecting passwords. One essential aspect for -secure communications is that of cryptography, which is the focus of -this chapter. But it is important to note that while cryptography is necessary for secure communications, it is not by itself sufficient. -The reader is advised, then, that the topics covered in this chapter -only describe the first of many steps necessary for better security in -any number of situations. -

-This paper has two major purposes. The first is to -define some of the terms and concepts behind basic cryptographic -methods, and to offer a way to compare the myriad cryptographic schemes -in use today. The second is to provide some real examples of -cryptography in use today. -

-I would like to say at the outset that this paper is very focused on terms, concepts, and schemes in current -use and is not a treatise of the whole field. No mention is made here -about pre-computerized crypto schemes, the difference between a -substitution and transposition cipher, cryptanalysis, or other history. -Interested readers should check out some of the books in the -bibliography below for this detailed — and interesting! — background -information.

- -
-

2. THE PURPOSE OF CRYPTOGRAPHY

-

-Cryptography is the science of writing in secret code -and is an ancient art; the first documented use of cryptography in -writing dates back to circa 1900 B.C. when an Egyptian scribe used -non-standard hieroglyphs in an inscription. Some experts argue that -cryptography appeared spontaneously sometime after writing was -invented, with applications ranging from diplomatic missives to -war-time battle plans. It is no surprise, then, that new forms of -cryptography came soon after the widespread development of computer -communications. In data and telecommunications, cryptography is -necessary when communicating over any untrusted medium, which includes -just about any network, particularly the Internet.

-

-Within the context of any application-to-application communication, there are some specific security requirements, including:

-
    -
  • Authentication: The process of proving one's -identity. (The primary forms of host-to-host authentication on the -Internet today are name-based or address-based, both of which are -notoriously weak.)
    • -
  • Privacy/confidentiality: Ensuring that no one can read the message except the intended receiver.
    • -
  • Integrity: Assuring the receiver that the received message has not been altered in any way from the original.
    • -
  • Non-repudiation: A mechanism to prove that the sender really sent this message.
    • -
-

-Cryptography, then, not only protects data from theft or -alteration, but can also be used for user authentication. There are, in -general, three types of cryptographic schemes typically used to -accomplish these goals: secret key (or symmetric) cryptography, -public-key (or asymmetric) cryptography, and hash functions, each of -which is described below. In all cases, the initial unencrypted data is -referred to as plaintext. It is encrypted into ciphertext, which will in turn (usually) be decrypted into usable plaintext.

-

-In many of the descriptions below, two communicating -parties will be referred to as Alice and Bob; this is the common -nomenclature in the crypto field and literature to make it easier to -identify the communicating parties. If there is a third or fourth party -to the communication, they will be referred to as Carol and Dave. -Mallory is a malicious party, Eve is an eavesdropper, and Trent is a -trusted third party.

- -
-

3. TYPES OF CRYPTOGRAPHIC ALGORITHMS

-

-There are several ways of classifying cryptographic -algorithms. For purposes of this paper, they will be categorized based -on the number of keys that are employed for encryption and decryption, -and further defined by their application and use. The three types of -algorithms that will be discussed are (Figure 1): -

    -
  • Secret Key Cryptography (SKC): Uses a single key for both encryption and decryption -
  • Public Key Cryptography (PKC): Uses one key for encryption and another for decryption -
  • Hash Functions: Uses a mathematical transformation to irreversibly "encrypt" information -
-
-
- -

-

FIGURE 1: Three types of cryptography: secret-key, public key, and hash function.

-
-
- -

-

3.1. Secret Key Cryptography

 -

-With secret key cryptography, a single key is -used for both encryption and decryption. As shown in Figure 1A, the -sender uses the key (or some set of rules) to encrypt the plaintext and -sends the ciphertext to the receiver. The receiver applies the same key -(or ruleset) to decrypt the message and recover the plaintext. Because -a single key is used for both functions, secret key cryptography is -also called symmetric encryption.

-

-With this form of cryptography, it is obvious that the -key must be known to both the sender and the receiver; that, in fact, -is the secret. The biggest difficulty with this approach, of course, is -the distribution of the key.

-

-Secret key cryptography schemes are generally categorized as being either stream ciphers or block ciphers. -Stream ciphers operate on a single bit (byte or computer word) at a -time and implement some form of feedback mechanism so that the key is -constantly changing. A block cipher is so-called because the scheme -encrypts one block of data at a time using the same key on each block. -In general, the same plaintext block will always encrypt to the same -ciphertext when using the same key in a block cipher whereas the same -plaintext will encrypt to different ciphertext in a stream cipher.

-

-Stream ciphers come in several flavors but two are worth mentioning here. Self-synchronizing stream ciphers calculate each bit in the keystream as a function of the previous n -bits in the keystream. It is termed "self-synchronizing" because the -decryption process can stay synchronized with the encryption process -merely by knowing how far into the n-bit keystream it is. One problem is error propagation; a garbled bit in transmission will result in n garbled bits at the receiving side. Synchronous stream ciphers -generate the keystream in a fashion independent of the message stream -but by using the same keystream generation function at sender and -receiver. While stream ciphers do not propagate transmission errors, -they are, by their nature, periodic so that the keystream will -eventually repeat.

-

-Block ciphers can operate in one of several modes; the following four are the most important:

-
    -
  • Electronic Codebook (ECB) mode is the -simplest, most obvious application: the secret key is used to encrypt -the plaintext block to form a ciphertext block. Two identical plaintext -blocks, then, will always generate the same ciphertext block. Although -this is the most common mode of block ciphers, it is susceptible to a -variety of brute-force attacks.
    • -
  • Cipher Block Chaining (CBC) mode adds a feedback mechanism -to the encryption scheme. In CBC, the plaintext is exclusively-ORed -(XORed) with the previous ciphertext block prior to encryption. In this -mode, two identical blocks of plaintext never encrypt to the same -ciphertext.
    • -
  • Cipher Feedback (CFB) mode is a block cipher implementation -as a self-synchronizing stream cipher. CFB mode allows data to be -encrypted in units smaller than the block size, which might be useful -in some applications such as encrypting interactive terminal input. If -we were using 1-byte CFB mode, for example, each incoming character is -placed into a shift register the same size as the block, encrypted, and -the block transmitted. At the receiving side, the ciphertext is -decrypted and the extra bits in the block (i.e., everything above and -beyond the one byte) are discarded.
    • -
  • Output Feedback (OFB) mode is a block cipher implementation -conceptually similar to a synchronous stream cipher. OFB prevents the -same plaintext block from generating the same ciphertext block by using -an internal feedback mechanism that is independent of both the -plaintext and ciphertext bitstreams.
    • -
- -

-Secret key cryptography algorithms that are in use today include:

-
    -

  • Data Encryption Standard (DES): The most -common SKC scheme used today, DES was designed by IBM in the 1970s and -adopted by the National Bureau of Standards (NBS) [now the National -Institute for Standards and Technology (NIST)] in 1977 for commercial -and unclassified government applications. DES is a block-cipher -employing a 56-bit key that operates on 64-bit blocks. DES has a -complex set of rules and transformations that were designed -specifically to yield fast hardware implementations and slow software -implementations, although this latter point is becoming less -significant today since the speed of computer processors is several -orders of magnitude faster today than twenty years ago. IBM also -proposed a 112-bit key for DES, which was rejected at the time by the -government; the use of 112-bit keys was considered in the 1990s, -however, conversion was never seriously considered.

    -

    -DES is defined in American National Standard X3.92 and three Federal Information Processing Standards (FIPS):

    - -

    -Information about vulnerabilities of DES can be obtained from the Electronic Frontier Foundation.

    -

    -Two important variants that strengthen DES are:

    -
      -

    • Triple-DES (3DES): A variant of DES that employs up to -three 56-bit keys and makes three encryption/decryption passes over the -block; 3DES is also described in FIPS 46-3 and is the recommended replacement to DES.

      • -

    • DESX: -A variant devised by Ron Rivest. By combining 64 additional key bits to -the plaintext prior to encryption, effectively increases the keylength -to 120 bits.

      • -
    -

    -More detail about DES, 3DES, and DESX can be found below in Section 5.4.

    • - -

  • Advanced Encryption Standard (AES): In 1997, NIST -initiated a very public, 4-1/2 year process to develop a new secure -cryptosystem for U.S. government applications. The result, the Advanced Encryption Standard, became the official successor to DES in December 2001. AES uses an SKC scheme called Rijndael, -a block cipher designed by Belgian cryptographers Joan Daemen and -Vincent Rijmen. The algorithm can use a variable block length and key -length; the latest specification allowed any combination of keys -lengths of 128, 192, or 256 bits and blocks of length 128, 192, or 256 -bits. NIST initially selected Rijndael in October 2000 and formal -adoption as the AES standard came in December 2001. FIPS PUB 197 -describes a 128-bit block cipher employing a 128-, 192-, or 256-bit -key. The AES process and Rijndael algorithm are described in more -detail below in Section 5.9.

    • - -

  • CAST-128/256: CAST-128, described in Request for Comments (RFC) 2144, is a DES-like substitution-permutation crypto algorithm, employing a 128-bit key operating on a 64-bit block. CAST-256 (RFC 2612) -is an extension of CAST-128, using a 128-bit block size and a variable -length (128, 160, 192, 224, or 256 bit) key. CAST is named for its -developers, Carlisle Adams and Stafford Tavares and is available -internationally. CAST-256 was one of the Round 1 algorithms in the AES -process.

    • - -

  • International Data Encryption Algorithm (IDEA): -Secret-key cryptosystem written by Xuejia Lai and James Massey, in 1992 -and patented by Ascom; a 64-bit SKC block cipher using a 128-bit key. -Also available internationally.

    • - -

  • Rivest Ciphers (aka Ron's Code): Named for Ron Rivest, a series of SKC algorithms.

    -
      -

    • RC1: Designed on paper but never implemented.

      • -

    • RC2: A 64-bit block cipher using variable-sized keys -designed to replace DES. It's code has not been made public although -many companies have licensed RC2 for use in their products. Described -in RFC 2268.

      • -

    • RC3: Found to be breakable during development.

      • -

    • RC4: A -stream cipher using variable-sized keys; it is widely used in -commercial cryptography products, although it can only be exported -using keys that are 40 bits or less in length.

      -

    • RC5: A block-cipher supporting a variety of block sizes, key sizes, and number of encryption passes over the data. Described in RFC 2040.

      • -

    • RC6: An improvement over RC5, RC6 was one of the AES Round 2 algorithms.

      • -
    - -

  • Blowfish: -A symmetric 64-bit block cipher invented by Bruce Schneier; optimized -for 32-bit processors with large data caches, it is significantly -faster than DES on a Pentium/PowerPC-class machine. Key lengths can -vary from 32 to 448 bits in length. Blowfish, available freely and -intended as a substitute for DES or IDEA, is in use in over 80 products.

    • - -

  • Twofish: -A 128-bit block cipher using 128-, 192-, or 256-bit keys. Designed to -be highly secure and highly flexible, well-suited for large -microprocessors, 8-bit smart card microprocessors, and dedicated -hardware. Designed by a team led by Bruce Schneier and was one of the -Round 2 algorithms in the AES process.

    • - -

  • Camellia: -A secret-key, block-cipher crypto algorithm developed jointly by Nippon -Telegraph and Telephone (NTT) Corp. and Mitsubishi Electric Corporation -(MEC) in 2000. Camellia has some characteristics in common with AES: a -128-bit block size, support for 128-, 192-, and 256-bit key lengths, -and suitability for both software and hardware implementations on -common 32-bit processors as well as 8-bit processors (e.g., smart -cards, cryptographic hardware, and embedded systems). Also described in - RFC 3713. Camellia's application in IPsec is described in RFC 4312.

    • - -

  • MISTY1: Developed at Mitsubishi Electric Corp., a block -cipher using a 128-bit key and 64-bit blocks, and a variable number of -rounds. Designed for hardware and software implementations, and is -resistant to differential and linear cryptanalysis. Described in RFC 2994.

    • - -

  • Secure and Fast Encryption Routine (SAFER): Secret-key crypto scheme designed for implementation in software. Versions have been defined for 40-, 64-, and 128-bit keys.

    • - -

  • KASUMI: -A block cipher using a 128-bit key that is part of the Third-Generation -Partnership Project (3gpp), formerly known as the Universal Mobile -Telecommunications System (UMTS). KASUMI is the intended -confidentiality and integrity algorithm for both message content and -signaling data for emerging mobile communications systems.

    • - -

  • SEED: -A block cipher using 128-bit blocks and 128-bit keys. Developed by the -Korea Information Security Agency (KISA) and adopted as a national -standard encryption algorithm in South Korea. Also described in RFC 4269.

    • - -

  • Skipjack: -SKC scheme proposed for Capstone. Although the details of the algorithm -were never made public, Skipjack was a block cipher using an 80-bit key -and 32 iteration cycles per 64-bit block.

    • -
- -

3.2. Public-Key Cryptography

 -

-Public-key cryptography has been said to be the -most significant new development in cryptography in the last 300-400 -years. Modern PKC was first described publicly by Stanford University -professor Martin Hellman and graduate student Whitfield Diffie in 1976. -Their paper described a two-key crypto system in which two parties -could engage in a secure communication over a non-secure communications -channel without having to share a secret key.

-

-PKC depends upon the existence of so-called one-way functions, -or mathematical functions that are easy to computer whereas their -inverse function is relatively difficult to compute. Let me give you -two simple examples:

-
    -
  1. Multiplication vs. factorization: Suppose I -tell you that I have two numbers, 9 and 16, and that I want to -calculate the product; it should take almost no time to calculate the -product, 144. Suppose instead that I tell you that I have a number, -144, and I need you tell me which pair of integers I multiplied -together to obtain that number. You will eventually come up with the -solution but whereas calculating the product took milliseconds, -factoring will take longer because you first need to find the 8 pair of -integer factors and then determine which one is the correct pair.
    2. -
  2. Exponentiation vs. logarithms: Suppose I tell you that I want to take the number 3 to the 6th power; again, it is easy to calculate 36=729. But if I tell you that I have the number 729 and want you to tell me the two integers that I used, x and y so that logx 729 = y, it will take you longer to find all possible solutions and select the pair that I used.
    3. -
-

-While the examples above are trivial, they do represent -two of the functional pairs that are used with PKC; namely, the ease of -multiplication and exponentiation versus the relative difficulty of -factoring and calculating logarithms, respectively. The mathematical -"trick" in PKC is to find a trap door in the one-way function so that the inverse calculation becomes easy given knowledge of some item of information.

-

-Generic PKC employs two keys that are mathematically -related although knowledge of one key does not allow someone to easily -determine the other key. One key is used to encrypt the plaintext and -the other key is used to decrypt the ciphertext. The important point -here is that it does not matter which key is applied first, but -that both keys are required for the process to work (Figure 1B). -Because a pair of keys are required, this approach is also called asymmetric cryptography.

-

-In PKC, one of the keys is designated the public key and may be advertised as widely as the owner wants. The other key is designated the private key -and is never revealed to another party. It is straight forward to send -messages under this scheme. Suppose Alice wants to send Bob a message. -Alice encrypts some information using Bob's public key; Bob decrypts -the ciphertext using his private key. This method could be also used to -prove who sent a message; Alice, for example, could encrypt some -plaintext with her private key; when Bob decrypts using Alice's public -key, he knows that Alice sent the message and Alice cannot deny having -sent the message (non-repudiation).

- -

-Public-key cryptography algorithms that are in use today for key exchange or digital signatures include:

-
    -

  • RSA: The first, and still most common, -PKC implementation, named for the three MIT mathematicians who -developed it — Ronald Rivest, Adi Shamir, and Leonard Adleman. RSA -today is used in hundreds of software products and can be used for key -exchange, digital signatures, or encryption of small blocks of data. -RSA uses a variable size encryption block and a variable size key. The -key-pair is derived from a very large number, n, that is the -product of two prime numbers chosen according to special rules; these -primes may be 100 or more digits in length each, yielding an n with roughly twice as many digits as the prime factors. The public key information includes n and a derivative of one of the factors of n; an attacker cannot determine the prime factors of n -(and, therefore, the private key) from this information alone and that -is what makes the RSA algorithm so secure. (Some descriptions of PKC -erroneously state that RSA's safety is due to the difficulty in factoring -large prime numbers. In fact, large prime numbers, like small prime -numbers, only have two factors!) The ability for computers to factor -large numbers, and therefore attack schemes such as RSA, is rapidly -improving and systems today can find the prime factors of numbers with -more than 200 digits. Nevertheless, if a large number is created from -two prime factors that are roughly the same size, there is no known -factorization algorithm that will solve the problem in a reasonable -amount of time; a 2005 test to factor a 200-digit number took 1.5 years -and over 50 years of compute time (see the Wikipedia article on integer factorization.) -Regardless, one presumed protection of RSA is that users can easily -increase the key size to always stay ahead of the computer processing -curve. As an aside, the patent for RSA expired in September 2000 which -does not appear to have affected RSA's popularity one way or the other. -A detailed example of RSA is presented below in Section 5.3.

    • - -

  • Diffie-Hellman: -After the RSA algorithm was published, Diffie and Hellman came up with -their own algorithm. D-H is used for secret-key key exchange only, and -not for authentication or digital signatures. More detail about -Diffie-Hellman can be found below in Section 5.2.

    • - -

  • Digital Signature Algorithm (DSA): -The algorithm specified in NIST's Digital Signature Standard (DSS), -provides digital signature capability for the authentication of -messages.

    • - -

  • ElGamal: Designed by Taher Elgamal, a PKC system similar to Diffie-Hellman and used for key exchange.

    • - -

  • Elliptic Curve Cryptography (ECC): A PKC algorithm based -upon elliptic curves. ECC can offer levels of security with small keys -comparable to RSA and other PKC methods. It was designed for devices -with limited compute power and/or memory, such as smartcards and PDAs. -More detail about ECC can be found below in Section 5.8. Other references include "The Importance of ECC" Web page and the "Online Elliptic Curve Cryptography Tutorial", both from Certicom.

    • - -

  • Public-Key Cryptography Standards (PKCS): A set of interoperable standards and guidelines for public-key cryptography, designed by RSA Data Security Inc. -

      -
    • PKCS #1: RSA Cryptography Standard (Also RFC 3447)
      • -
    • PKCS #2: Incorporated into PKCS #1.
      • -
    • PKCS #3: Diffie-Hellman Key-Agreement Standard
      • -
    • PKCS #4: Incorporated into PKCS #1.
      • -
    • PKCS #5: Password-Based Cryptography Standard (PKCS #5 V2.0 is also RFC 2898)
      • -
    • PKCS #6: Extended-Certificate Syntax Standard (being phased out in favor of X.509v3)
      • -
    • PKCS #7: Cryptographic Message Syntax Standard (Also RFC 2315)
      • -
    • PKCS #8: Private-Key Information Syntax Standard
      • -
    • PKCS #9: Selected Attribute Types (Also RFC 2985)
      • -
    • PKCS #10: Certification Request Syntax Standard (Also RFC 2986)
      • -
    • PKCS #11: Cryptographic Token Interface Standard
      • -
    • PKCS #12: Personal Information Exchange Syntax Standard
      • -
    • PKCS #13: Elliptic Curve Cryptography Standard
      • -
    • PKCS #14: Pseudorandom Number Generation Standard is no longer available
      • - -
    • PKCS #15: Cryptographic Token Information Format Standard
      • -
    - -

  • Cramer-Shoup: A public-key cryptosystem proposed by R. Cramer and V. Shoup of IBM in 1998.

    • - -

  • Key Exchange Algorithm (KEA): A variation on Diffie-Hellman; proposed as the key exchange method for Capstone.

    • - -

  • LUC: -A public-key cryptosystem designed by P.J. Smith and based on Lucas -sequences. Can be used for encryption and signatures, using integer -factoring.

    • -
- -

-For additional information on PKC algorithms, see "Public-Key Encryption", Chapter 8 in Handbook of Applied Cryptography, by A. Menezes, P. van Oorschot, and S. Vanstone (CRC Press, 1996).

- -
-
-

-A digression: Who invented PKC? I tried to be -careful in the first paragraph of this section to state that Diffie and -Hellman "first described publicly" a PKC scheme. Although I have -categorized PKC as a two-key system, that has been merely for -convenience; the real criteria for a PKC scheme is that it allows two -parties to exchange a secret even though the communication with the -shared secret might be overheard. There seems to be no question that -Diffie and Hellman were first to publish; their method is described in -the classic paper, "New Directions in Cryptography," published in the -November 1976 issue of IEEE Transactions on Information Theory. -As shown below, Diffie-Hellman uses the idea that finding logarithms is -relatively harder than exponentiation. And, indeed, it is the precursor -to modern PKC which does employ two keys. Rivest, Shamir, and Adleman -described an implementation that extended this idea in their paper "A -Method for Obtaining Digital Signatures and Public-Key Cryptosystems," -published in the February 1978 issue of the Communications of the ACM (CACM). -Their method, of course, is based upon the relative ease of finding the -product of two large prime numbers compared to finding the prime -factors of a large number.

-

-Some sources, though, credit Ralph Merkle with first -describing a system that allows two parties to share a secret although -it was not a two-key system, per se. A Merkle Puzzle works -where Alice creates a large number of encrypted keys, sends them all to -Bob so that Bob chooses one at random and then lets Alice know which he -has selected. An eavesdropper will see all of the keys but can't learn -which key Bob has selected (because he has encrypted the response with -the chosen key). In this case, Eve's effort to break in is the square -of the effort of Bob to choose a key. While this difference may be -small it is often sufficient. Merkle apparently took a computer science -course at UC Berkeley in 1974 and described his method, but had -difficulty making people understand it; frustrated, he dropped the -course. Meanwhile, he submitted the paper "Secure Communication Over -Insecure Channels" which was published in the CACM in April -1978; Rivest et al.'s paper even makes reference to it. Merkle's method -certainly wasn't published first, but did he have the idea first?

-

-An interesting question, maybe, but who really knows? -For some time, it was a quiet secret that a team at the UK's Government -Communications Headquarters (GCHQ) had first developed PKC in the early -1970s. Because of the nature of the work, GCHQ kept the original memos -classified. In 1997, however, the GCHQ changed their posture when they -realized that there was nothing to gain by continued silence. Documents -show that a GCHQ mathematician named James Ellis started research into -the key distribution problem in 1969 and that by 1975, Ellis, Clifford -Cocks, and Malcolm Williamson had worked out all of the fundamental -details of PKC, yet couldn't talk about their work. (They were, of -course, barred from challenging the RSA patent!) After more than 20 -years, Ellis, Cocks, and Williamson have begun to get their due credit.

-

-And the National Security Agency (NSA) claims to have -knowledge of this type of algorithm as early as 1966 but there is no -supporting documentation... yet. So this really was a digression...

-
-
- -

3.3. Hash Functions

 -

-Hash functions, also called message digests and one-way encryption, -are algorithms that, in some sense, use no key (Figure 1C). Instead, a -fixed-length hash value is computed based upon the plaintext that makes -it impossible for either the contents or length of the plaintext to be -recovered. Hash algorithms are typically used to provide a digital fingerprint -of a file's contents, often used to ensure that the file has not been -altered by an intruder or virus. Hash functions are also commonly -employed by many operating systems to encrypt passwords. Hash -functions, then, provide a measure of the integrity of a file.

- -

-Hash algorithms that are in common use today include:

-
    -

  • Message Digest (MD) algorithms: A series of byte-oriented algorithms that produce a 128-bit hash value from an arbitrary-length message.

    -
      -

    • MD2 (RFC 1319): Designed for systems with limited memory, such as smart cards.

      • -

    • MD4 (RFC 1320): Developed by Rivest, similar to MD2 but designed specifically for fast processing in software.

      • -

    • MD5 (RFC 1321: -Also developed by Rivest after potential weaknesses were reported in -MD4; this scheme is similar to MD4 but is slower because more -manipulation is made to the original data. MD5 has been implemented in -a large number of products although several weaknesses in the algorithm -were demonstrated by German cryptographer Hans Dobbertin in 1996.

      • -
    -

  • Secure Hash Algorithm (SHA): Algorithm for NIST's -Secure Hash Standard (SHS). SHA-1 produces a 160-bit hash value and was -originally published as FIPS 180-1 and RFC 3174. FIPS 180-2 -describes five algorithms in the SHS: SHA-1 plus SHA-224, SHA-256, -SHA-384, and SHA-512 which can produce hash values that are 224, 256, -384, or 512 bits in length, respectively. SHA-224, -256, -384, and -52 -are also described in RFC 4634.

    • -

  • RIPEMD: A series of message digests that initially came from the RIPE (RACE Integrity Primitives Evaluation) project. RIPEMD-160 -was designed by Hans Dobbertin, Antoon Bosselaers, and Bart Preneel, -and optimized for 32-bit processors to replace the then-current 128-bit -hash functions. Other versions include RIPEMD-256, RIPEMD-320, and -RIPEMD-128.

    • -

  • HAVAL (HAsh of VAriable Length): -Designed by Y. Zheng, J. Pieprzyk and J. Seberry, a hash algorithm with -many levels of security. HAVAL can create hash values that are 128, -160, 192, 224, or 256 bits in length.

    • -

  • Whirlpool: A relatively new hash function, designed by V. Rijmen and P.S.L.M. Barreto. Whirlpool operates on messages less than 2256 -bits in length, and produces a message digest of 512 bits. The design -of this has function is very different than that of MD5 and SHA-1, -making it immune to the same attacks as on those hashes (see below).

    • -
- -

-Hash functions are sometimes misunderstood and some -sources claim that no two files can have the same hash value. This is, -in fact, not correct. Consider a hash function that provides a 128-bit -hash value. There are, obviously, 2128 possible hash values. But there are a lot more than 2128 possible -files. Therefore, there have to be multiple files — in fact, there have -to be an infinite number of files! — that can have the same 128-bit -hash value.

-

-The difficulty is finding two files with the same -hash! What is, indeed, very hard to do is to try to create a file that -has a given hash value so as to force a hash value collision — which is -the reason that hash functions are used extensively for information -security and computer forensics applications. Alas, researchers in 2004 -found that practical collision attacks could be launched on -MD5, SHA-1, and other hash algorithms. At this time, there is no -obvious successor to MD5 and SHA-1 that could be put into use quickly; -there are so many products using these hash functions that it could -take many years to flush out all use of 128- and 160-bit hashes. -Readers interested in this problem should read the following:

- - - -

-An excellent review of the situation with hash collisions can be found in RFC 4270 (by P. Hoffman and B. Schneier, November 2005). And for additional information on hash functions, see David Hopwood's MessageDigest Algorithms page.

- -

3.4. Why Three Encryption Techniques?

 -

-So, why are there so many different types of cryptographic schemes? Why can't we do everything we need with just one? -

-The answer is that each scheme is optimized for some -specific application(s). Hash functions, for example, are well-suited -for ensuring data integrity because any change made to the contents of -a message will result in the receiver calculating a different hash -value than the one placed in the transmission by the sender. Since it -is highly unlikely that two different messages will yield the same hash -value, data integrity is ensured to a high degree of confidence. -

-Secret key cryptography, on the other hand, is ideally suited to encrypting messages. The sender can generate a session key on a per-message basis to encrypt the message; the receiver, of course, needs the same session key to decrypt the message. -

-Key exchange, of course, is a key application of -public-key cryptography (no pun intended). Asymmetric schemes can also -be used for non-repudiation; if the receiver can obtain the session key -encrypted with the sender's private key, then only this sender could -have sent the message. Public-key cryptography could, theoretically, -also be used to encrypt messages although this is rarely done because -secret-key cryptography operates about 1000 times faster than -public-key cryptography. -

-
-
- -

-

FIGURE 2: Sample application of the three cryptographic techniques for secure communication.

-
-
-
-

-Figure 2 puts all of this together and shows how a hybrid cryptographic scheme combines all of these functions to form a secure transmission comprising digital signature and digital envelope. In this example, the sender of the message is Alice and the receiver is Bob. -

-A digital envelope comprises an encrypted message and an -encrypted session key. Alice uses secret key cryptography to encrypt -her message using the session key, which she generates at -random with each session. Alice then encrypts the session key using -Bob's public key. The encrypted message and encrypted session key -together form the digital envelope. Upon receipt, Bob recovers the -session secret key using his private key and then decrypts the -encrypted message. -

-The digital signature is formed in two steps. First, -Alice computes the hash value of her message; next, she encrypts the -hash value with her private key. Upon receipt of the digital signature, -Bob recovers the hash value calculated by Alice by decrypting the -digital signature with Alice's public key. Bob can then apply the hash -function to Alice's original message, which he has already decrypted -(see previous paragraph). If the resultant hash value is not the same -as the value supplied by Alice, then Bob knows that the message has -been altered; if the hash values are the same, Bob should believe that -the message he received is identical to the one that Alice sent. -

-This scheme also provides nonrepudiation since it proves -that Alice sent the message; if the hash value recovered by Bob using -Alice's public key proves that the message has not been altered, then -only Alice could have created the digital signature. Bob also has proof -that he is the intended receiver; if he can correctly decrypt the -message, then he must have correctly decrypted the session key meaning -that his is the correct private key.

- -

3.5. The Significance of Key Length

 -

-In a recent article in the industry literature (circa -9/98), a writer made the claim that 56-bit keys do not provide as -sufficient protection for DES today as they did in 1975 because -computers are 1000 times faster today than in 1975. Therefore, the -writer went on, we should be using 56,000-bit keys today instead of -56-bit keys to provide adequate protection. The conclusion was then -drawn that because 56,000-bit keys are infeasible (true), we should accept the fact that we have to live with weak cryptography (false!). -The major error here is that the writer did not take into account that -the number of possible key values double whenever a single bit is added -to the key length; thus, a 57-bit key has twice as many values as a -56-bit key (because 257 is two times 256). In fact, a 66-bit key would have 1024 times the possible values as a 56-bit key.

- -

-But this does bring up the issue, what is the precise significance of key length as it affects the level of protection?

-

-In cryptography, size does matter. The larger the key, -the harder it is to crack a block of encrypted data. The reason that -large keys offer more protection is almost obvious; computers have made -it easier to attack ciphertext by using brute force methods rather than -by attacking the mathematics (which are generally well-known anyway). -With a brute force attack, the attacker merely generates every possible -key and applies it to the ciphertext. Any resulting plaintext that -makes sense offers a candidate for a legitimate key. This was the -basis, of course, of the EFF's attack on DES.

-

-Until the mid-1990s or so, brute force attacks were -beyond the capabilities of computers that were within the budget of the -attacker community. Today, however, significant compute power is -commonly available and accessible. General purpose computers such as -PCs are already being used for brute force attacks. For serious -attackers with money to spend, such as some large companies or -governments, Field Programmable Gate Array (FPGA) or -Application-Specific Integrated Circuits (ASIC) technology offers the -ability to build specialized chips that can provide even faster and -cheaper solutions than a PC. Consider that an AT&T ORCA chip (FPGA) -costs $200 and can test 30 million DES keys per second, while a $10 -ASIC chip can test 200 million DES keys per second (compared to a PC -which might be able to test 40,000 keys per second).

-

-The table below shows what DES key sizes are needed to -protect data from attackers with different time and financial -resources. This information is not merely academic; one of the basic -tenets of any security system is to have an idea of what you are protecting and from who -are you protecting it! The table clearly shows that a 40-bit key is -essentially worthless today against even the most unsophisticated -attacker. On the other hand, 56-bit keys are fairly strong unless you -might be subject to some pretty serious corporate or government -espionage. But note that even 56-bit keys are declining in their value -and that the times in the table (1995 data) are worst cases.

- -
- - - - - - - - - - - - - -
-TABLE 1. Minimum Key Lengths for Symmetric Ciphers. -
Type of Attacker -Budget -Tool -Time and Cost
Per Key Recovered -		Key Length Needed
For Protection
In Late-1995 -
40 bits -56 bits -
Pedestrian Hacker -Tiny -Scavanged
computer
time -		1 week -Infeasible -45 -
$400 -FPGA -5 hours
($0.08) -		38 years
($5,000) -		50 -
Small Business -$10,000 -FPGA -12 minutes
($0.08) -		18 months
($5,000) -		55 -
Corporate Department -$300K -FPGA -24 seconds
($0.08) -		19 days
($5,000) -		60 -
ASIC -0.18 seconds
($0.001) -		3 hours
($38) -
Big Company -$10M -FPGA -7 seconds
($0.08) -		13 hours
($5,000) -		70 -
ASIC -0.005 seconds
($0.001) -		6 minutes
($38) -
Intelligence Agency -$300M -ASIC -0.0002 seconds
($0.001) -		12 seconds
($38) -		75 -
-
-

- -

-So, how big is big enough? DES, invented in 1975, is -still in use today, nearly 25 years later. If we take that to be a -design criteria (i.e., a 20-plus year lifetime) and we believe Moore's -Law ("computing power doubles every 18 months"), then a key size -extension of 14 bits (i.e., a factor of more than 16,000) should be -adequate. The 1975 DES proposal suggested 56-bit keys; by 1995, a -70-bit key would have been required to offer equal protection and an -85-bit key will be necessary by 2015.

-

-The discussion above suggests that a 128- or 256-bit key -for SKC will suffice for some time because that key length keeps us -ahead of the brute force capabilities of the attackers. While a large -key is good, a huge key may not always be better. That is, many -public-key cryptosystems use 1024- or 2048-bit keys; expanding the key -to 4096 bits probably doesn't add any protection at this time but it -does add significantly to processing time.

-

-The most effective large-number factoring methods today -use a mathematical Number Field Sieve to find a certain number of -relationships and then uses a matrix operation to solve a linear -equation to produce the two prime factors. The sieve step actually -involves a large number of operations of operations that can be -performed in parallel; solving the linear equation, however, requires a -supercomputer. Indeed, finding the solution to the RSA-140 challenge in -February 1999 — factoring a 140-digit (465-bit) prime number — required -200 computers across the Internet about 4 weeks for the first step and -a Cray computer 100 hours and 810 MB of memory to do the second step.

-

-In early 1999, Shamir (of RSA fame) described a new -machine that could increase factorization speed by 2-3 orders of -magnitude. Although no detailed plans were provided nor is one known to -have been built, the concepts of TWINKLE (The Weizmann Institute Key Locating Engine) -could result in a specialized piece of hardware that would cost about -$5000 and have the processing power of 100-1000 PCs. There still appear -to be many engineering details that have to be worked out before such a -machine could be built. Furthermore, the hardware improves the sieve -step only; the matrix operation is not optimized at all by this design -and the complexity of this step grows rapidly with key length, both in -terms of processing time and memory requirements. Nevertheless, this -plan conceptually puts 512-bit keys within reach of being factored. -Although most PKC schemes allow keys that are 1024 bits and longer, -Shamir claims that 512-bit RSA keys "protect 95% of today's E-commerce -on the Internet." (See Bruce Schneier's Crypto-Gram (May 15, 1999) for more information, as well as the comments from RSA Labs.)

-

-It is also interesting to note that while cryptography -is good and strong cryptography is better, long keys may disrupt the -nature of the randomness of data files. Shamir and van Someren ("Playing hide and seek with stored keys") -have noted that a new generation of viruses can be written that will -find files encrypted with long keys, making them easier to find by -intruders and, therefore, more prone to attack.

-

-Finally, U.S. government policy has tightly controlled -the export of crypto products since World War II. Until recently, -export outside of North America of cryptographic products using keys -greater than 40 bits in length was prohibited, which made those -products essentially worthless in the marketplace, particularly for -electronic commerce. More recently, the U.S. Commerce Department -relaxed the regulations, allowing the general export of 56-bit SKC and -1024-bit PKC products (certain sectors, such as health care and -financial, allow the export of products with even larger keys). The -Commerce Department's Bureau of Export Administration maintains a Commercial Encryption Export Controls web page with more information. The potential impact of this policy on U.S. businesses is well beyond the scope of this paper.

-

-Much of the discussion above, including the table, are based on the paper "Minimal Key Lengths for Symmetric Ciphers to Provide Adequate Commercial Security" by M. Blaze, W. Diffie, R.L. Rivest, B. Schneier, T. Shimomura, E. Thompson, and M. Wiener.

-

-On a related topic, public key crypto schemes can be -used for several purposes, including key exchange, digital signatures, -authentication, and more. In those PKC systems used for SKC key -exchange, the PKC key lengths are chosen so to be resistant to some -selected level of attack. The length of the secret keys exchanged via -that system have to have at least the same level of attack resistance. -Thus, the three parameters of such a system — system strength, secret -key strength, and public key strength — must be matched. This topic is -explored in more detail in Determining Strengths For Public Keys Used For Exchanging Symmetric Keys (RFC 3766).

- -
-

4. TRUST MODELS

-

-Secure use of cryptography requires trust. While secret -key cryptography can ensure message confidentiality and hash codes can -ensure integrity, none of this works without trust. In SKC, Alice and -Bob had to share a secret key. PKC solved the secret distribution -problem, but how does Alice really know that Bob is who he says he is? -Just because Bob has a public and private key, and purports to be -"Bob," how does Alice know that a malicious person (Mallory) is not -pretending to be Bob? -

-There are a number of trust models employed by various cryptographic schemes. This section will explore three of them: -

-
    -
  • The web of trust employed by Pretty Good Privacy (PGP) users, who hold their own set of trusted public keys. -
  • Kerberos, a secret key distribution scheme using a trusted third party. -
  • Certificates, which allow a set of trusted third parties to authenticate each other and, by implication, each other's users. -
-

-Each of these trust models differs in complexity, general applicability, scope, and scalability. -

-

4.1. PGP Web of Trust

 -

-Pretty Good Privacy (described more below in Section 5.5) -is a widely used private e-mail scheme based on public key methods. A -PGP user maintains a local keyring of all their known and trusted -public keys. The user makes their own determination about the -trustworthiness of a key using what is called a "web of trust." -

-If Alice needs Bob's public key, Alice can ask Bob for -it in another e-mail or, in many cases, download the public key from an -advertised server; this server might a well-known PGP key repository or -a site that Bob maintains himself. In fact, Bob's public key might be -stored or listed in many places. (The author's public key, for example, -can be found at http://www.garykessler.net/kumquat_pubkey.html.) Alice is prepared to believe that Bob's public key, as stored at these locations, is valid. -

-Suppose Carol claims to hold Bob's public key and offers -to give the key to Alice. How does Alice know that Carol's version of -Bob's key is valid or if Carol is actually giving Alice a key that will -allow Mallory access to messages? The answer is, "It depends." If Alice -trusts Carol and Carol says that she thinks that her version of Bob's -key is valid, then Alice may — at her option — trust -that key. And trust is not necessarily transitive; if Dave has a copy -of Bob's key and Carol trusts Dave, it does not necessarily follow that -Alice trusts Dave even if she does trust Carol. -

-The point here is that who Alice trusts and how she -makes that determination is strictly up to Alice. PGP makes no -statement and has no protocol about how one user determines whether -they trust another user or not. In any case, encryption and signatures -based on public keys can only be used when the appropriate public key -is on the user's keyring. -

-

4.2. Kerberos

 -

-Kerberos is a commonly used authentication scheme on the -Internet. Developed by MIT's Project Athena, Kerberos is named for the -three-headed dog who, according to Greek mythology, guards the entrance -of Hades (rather than the exit, for some reason!). -

- -Kerberos employs a client/server architecture and -provides user-to-server authentication rather than host-to-host -authentication. In this model, security and authentication will be -based on secret key technology where every host on the network has its -own secret key. It would clearly be unmanageable if every host had to -know the keys of all other hosts so a secure, trusted host somewhere on -the network, known as a Key Distribution Center (KDC), knows the keys -for all of the hosts (or at least some of the hosts within a portion of -the network, called a realm). In this way, when a new node is -brought online, only the KDC and the new node need to be configured -with the node's key; keys can be distributed physically or by some -other secure means. -
-
-

- -

-

FIGURE 3: Kerberos architecture.

-
-
-
The Kerberos Server/KDC has two main -functions (Figure 3), known as the Authentication Server (AS) and -Ticket-Granting Server (TGS). The steps in establishing an -authenticated session between an application client and the application -server are: -

-
    -
  1. The Kerberos client software -establishes a connection with the Kerberos server's AS function. The AS -first authenticates that the client is who it purports to be. The AS -then provides the client with a secret key for this login session (the TGS session key) -and a ticket-granting ticket (TGT), which gives the client permission -to talk to the TGS. The ticket has a finite lifetime so that the -authentication process is repeated periodically. -
  2. The client now communicates with the TGS -to obtain the Application Server's key so that it (the client) can -establish a connection to the service it wants. The client supplies the -TGS with the TGS session key and TGT; the TGS responds with an -application session key (ASK) and an encrypted form of the Application -Server's secret key; this secret key is never sent on the network in any other form. -
  3. The client has now authenticated itself and -can prove its identity to the Application Server by supplying the -Kerberos ticket, application session key, and encrypted Application -Server secret key. The Application Server responds with similarly -encrypted information to authenticate itself to the client. At this -point, the client can initiate the intended service requests (e.g., -Telnet, FTP, HTTP, or e-commerce transaction session establishment). -
-

-The current shipping version of this protocol is Kerberos V5 (described in RFC 1510), -although Kerberos V4 still exists and is seeing some use. While the -details of their operation, functional capabilities, and message -formats are different, the conceptual overview above pretty much holds -for both. One primary difference is that Kerberos V4 uses only DES to -generate keys and encrypt messages, while V5 allows other schemes to be -employed (although DES is still the most widely algorithm used). -

-

4.3. Public Key Certificates and Certificate Authorities

 -

-Certificates and Certificate Authorities (CA) -are necessary for widespread use of cryptography for e-commerce -applications. While a combination of secret and public key cryptography -can solve the business issues discussed above, crypto cannot alone -address the trust issues that must exist between a customer and vendor -in the very fluid, very dynamic e-commerce relationship. How, for -example, does one site obtain another party's public key? How does a -recipient determine if a public key really belongs to the sender? How -does the recipient know that the sender is using their public key for a -legitimate purpose for which they are authorized? When does a public -key expire? How can a key be revoked in case of compromise or loss? -

-The basic concept of a certificate is one that is -familiar to all of us. A driver's license, credit card, or SCUBA -certification, for example, identify us to others, indicate something -that we are authorized to do, have an expiration date, and identify the -authority that granted the certificate. -

-As complicated as this may sound, it really isn't! -Consider driver's licenses. I have one issued by the State of Vermont. -The license establishes my identity, indicates the type of vehicles -that I can operate and the fact that I must wear corrective lenses -while doing so, identifies the issuing authority, and notes that I am -an organ donor. When I drive outside of Vermont, the other -jurisdictions throughout the U.S. recognize the authority of Vermont to -issue this "certificate" and they trust the information it contains. -Now, when I leave the U.S., everything changes. When I am in Canada and -many other countries, they will accept not the Vermont license, per se, -but any license issued in the U.S.; some other countries may -not recognize the Vermont driver's license as sufficient bona fides -that I can drive. This analogy represents the certificate chain, where -even certificates carry certificates. -

-For purposes of electronic transactions, certificates are digital documents. The specific functions of the certificate include: -

    -
  • Establish identity: Associate, or bind, a public key to an individual, organization, corporate position, or other entity. -
  • Assign authority: Establish what actions the holder may or may not take based upon this certificate. -
  • Secure confidential information (e.g., encrypting the session's symmetric key for data confidentiality). -
-

-Typically, a certificate contains a public key, a name, -an expiration date, the name of the authority that issued the -certificate (and, therefore, is vouching for the identity of the user), -a serial number, any pertinent policies describing how the certificate -was issued and/or how the certificate may be used, the digital -signature of the certificate issuer, and perhaps other information. -
-
-

- -

-

FIGURE 4: GTE Cybertrust Global Root-issued certificate as viewed
by Netscape Navigator V4.

-
-
-
-

-A sample abbreviated certificate is -shown in Figure 4. This is a typical certificate found in a browser; -while this one is issued by GTE Cybertrust, many so-called root-level -certificates can be found shipped with browsers. When the browser makes -a connection to a secure Web site, the Web server sends its public key -certificate to the browser. The browser then checks the certificate's -signature against the public key that it has stored; if there is a -match, the certificate is taken as valid and the Web site verified by -this certificate is considered to be "trusted." -

-
- - -
-TABLE 2. Contents of an X.509 V3 Certificate. -
-
    -version number
    -certificate serial number
    -signature algorithm identifier
    -issuer's name and unique identifier
    -validity (or operational) period
    -subject's name and unique identifier
    -subject public key information
    -standard extensions
    -
      -certificate appropriate use definition
      -key usage limitation definition
      -certificate policy information
      -
    -other extensions
    -
      -Application-specific
      -CA-specific
      -
    -
-
-
-

-

-The most widely accepted certificate format is the one -defined in International Telecommunication Union Telecommunication -Standardization Sector (ITU-T) Recommendation X.509. Rec. X.509 is a -specification used around the world and any applications complying with -X.509 can share certificates. Most certificates today comply with X.509 -Version 3 and contain the information listed in Table 2. -

-Certificate authorities are the repositories for -public-keys and can be any agency that issues certificates. A company, -for example, may issue certificates to its employees, a -college/university to its students, a store to its customers, an -Internet service provider to its users, or a government to its -constituents.

-When a sender needs an intended receiver's public key, -the sender must get that key from the receiver's CA. That scheme is -straight-forward if the sender and receiver have certificates issued by -the same CA. If not, how does the sender know to trust the -foreign CA? One industry wag has noted, about trust: "You are either -born with it or have it granted upon you." Thus, some CAs will be -trusted because they are known to be reputable, such as the CAs -operated by AT&T, BBN, Canada Post Corp., CommerceNet, GTE Cybertrust, MCI, Nortel EnTrust, Thawte, the U.S. Postal Service, and VeriSign. -CAs, in turn, form trust relationships with other CAs. Thus, if a user -queries a foreign CA for information, the user may ask to see a list of -CAs that establish a "chain of trust" back to the user. -

-One major feature to look for in a CA is their -identification policies and procedures. When a user generates a key -pair and forwards the public key to a CA, the CA has to check the -sender's identification and takes any steps necessary to assure itself -that the request is really coming from the advertised sender. Different -CAs have different identification policies and will, therefore, be -trusted differently by other CAs. Verification of identity is just of -many issues that are part of a CA's Certification Practice Statement -(CPS) and policies; other issues include how the CA protects the public -keys in its care, how lost or compromised keys are revoked, and how the -CA protects its own private keys. -

-

4.4. Summary

 -

-The paragraphs above describe three very different trust -models. It is hard to say that any one is better than the others; it -depend upon your application. One of the biggest and fastest growing -applications of cryptography today, though, is electronic commerce -(e-commerce), a term that itself begs for a formal definition. -

-PGP's web of trust is easy to maintain and very much -based on the reality of users as people. The model, however, is -limited; just how many public keys can a single user reliably store and -maintain? And what if you are using the "wrong" computer when you want -to send a message and can't access your keyring? How easy it is to -revoke a key if it is compromised? PGP may also not scale well to an -e-commerce scenario of secure communication between total strangers on -short-notice. -

-Kerberos overcomes many of the problems of PGP's web of -trust, in that it is scalable and its scope can be very large. However, -it also requires that the Kerberos server have a priori -knowledge of all client systems prior to any transactions, which makes -it unfeasible for "hit-and-run" client/server relationships as seen in -e-commerce. -

-Certificates and the collection of CAs will form a -Public Key Infrastructure (PKI). In the early days of the Internet, -every host had to maintain a list of every other host; the Domain Name -System (DNS) introduced the idea of a distributed database for this -purpose and the DNS is one of the key reasons that the Internet has -grown as it has. A PKI will fill a similar void in the e-commerce and -PKC realm. -

-While certificates and the benefits of a PKI are most -often associated with electronic commerce, the applications for PKI are -much broader and include secure electronic mail, payments and -electronic checks, Electronic Data Interchange (EDI), secure transfer -of Domain Name System (DNS) and routing information, electronic forms, -and digitally signed documents. A single "global PKI" is still many -years away, that is the ultimate goal of today's work as international -electronic commerce changes the way in which we do business in a -similar way in which the Internet has changed the way in which we -communicate. -

-
- -

5. CRYPTOGRAPHIC ALGORITHMS IN ACTION

-

-The paragraphs above have provided an overview of the -different types of cryptographic algorithms, as well as some examples -of some available protocols and schemes. Table 3 provides an even -longer list of some of the schemes employed today for a variety of -functions, most notably electronic commerce. The paragraphs below will -show several real cryptographic applications that many of us employ -(knowingly or not) everyday; for password protection and private -communication. -

-
- - - - -
TABLE 3. Other Crypto Algorithms and Systems of Note.

Capstone -A now-defunct U.S. National Institute -of Standards and Technology (NIST) and National Security Agency (NSA) -project under the Bush Sr. and Clinton administrations for publicly -available strong cryptography with keys escrowed by the government -(NIST and the Treasury Dept.). Capstone included in one or more -tamper-proof computer chips for implementation (Clipper), a secret key -encryption algorithm (Skipjack), digital signature algorithm (DSA), key -exchange algorithm (KEA), and hash algorithm (SHA). -
Clipper -The computer chip that would implement the Skipjack encryption scheme. See also EPIC's The Clipper Chip Web page. - -
Escrowed Encryption Standard (EES) -Largely unused, a controversial -crypto scheme employing the SKIPJACK secret key crypto algorithm and a -Law Enforcement Access Field (LEAF) creation method. LEAF was one part -of the key escrow system and allowed for decryption of ciphertext -messages that had been legally intercepted by law enforcement agencies. -Described more in FIPS 185. - -
Federal Information Processing Standards (FIPS) -These computer security- and -crypto-related FIPS are produced by the U.S. National Institute of -Standards and Technology (NIST) as standards for the U.S. Government. -
Fortezza (formerly called Tessera) -A PCMCIA card developed by NSA that -implements the Capstone algorithms, intended for use with the Defense -Messaging Service (DMS). -
GOST -GOST is a family of algorithms that -is defined in the Russian cryptographic standards. Although most of the -specifications are written in Russian, RFC 4357 provides supplemental information and specifications so that the algorithms can be used effectively in Internet applications. - - -
IP Security Protocol (IPsec) -The IPsec protocol suite is used to -provide privacy and authentication services at the IP layer. An -overview of the protocol suite and of the documents comprising IPsec -can be found in RFC 2411. Other documents include: -
    -
  • RFC 4301: IP security architecture. -
  • RFC 4302: -IP Authentication Header (AH), one of the two primary IPsec functions; -AH provides connectionless integrity and data origin authentication for -IP datagrams and protects against replay attacks. -
  • RFC 4303: -IP Encapsulating Security Payload (ESP), the other primary IPsec -function; ESP provides a variety of security services within IPsec. -
  • RFC 4304: -Extended Sequence Number (ESN) Addendum, allows for negotiation of a -32- or 64- bit sequence number, used to detect replay attacks.
    • -
  • RFC 4305: Cryptographic algorithm implementation requirements for ESP and AH.
    • -
  • RFC 4306: -The Internet Key Exchange (IKE) protocol, version 2, providing for -mutual authentication and establishing and maintaining security -associations.
    • -
      -
    • IKE v1 was described in three separate documents, RFC 2407 (application of ISAKMP to IPsec), RFC 2408 (ISAKMP, a framework for key management and security associations), and RFC 2409 -(IKE, using part of Oakley and part of SKEME in conjunction with ISAKMP -to obtain authenticated keying material for use with ISAKMP, and for -other security associations such as AH and ESP). IKE v1 is obsoleted -with the introdcution of IKEv2.
      • -
    -
  • RFC 4307: Cryptographic algoritms used with IKEv2.
    • -
  • RFC 4308: Crypto suites for IPsec, IKE, and IKEv2.
    • -
  • RFC 4309: The use of AES in CBC-MAC mode with IPsec ESP.
    • -
  • RFC 4312: The use of the Camellia cipher algorithm in IPsec.
    • -
  • RFC 4359: The Use of RSA/SHA-1 Signatures within Encapsulating Security Payload (ESP) and Authentication Header (AH).
    • -
  • RFC 4434: Describes AES-XCBC-PRF-128, a pseudo-random function derived from the AES for use with IKE.
    • -
  • RFC 2403: Describes use of the HMAC with MD5 algorithm for data origin authentication and integrity protection in both AH and ESP. -
  • RFC 2405: Describes use of DES-CBC (DES in Cipher Block Chaining Mode) for confidentiality in ESP. -
  • RFC 2410: Defines use of the NULL encryption algorithm (i.e., provides authentication and integrity without confidentiality) in ESP. -
  • RFC 2412: Describes OAKLEY, a key determination and distribution protocol. -
  • RFC 2451: Describes use of Cipher Block Chaining (CBC) mode cipher algorithms with ESP. -
  • RFCs 2522 and 2523: Description of Photuris, a session-key management protocol for IPsec. -
-

-IPsec was first proposed for use with IP version 6 (IPv6), but can also be employed with the current IP version, IPv4. -

-(See more detail about IPsec below in Section 5.6.) - -

Internet Security Association and Key Management Protocol (ISAKMP/OAKLEY) -ISAKMP/OAKLEY provide an infrastructure for Internet secure communications. ISAKMP, designed by the National Security Agency (NSA) and described in RFC 2408, -is a framework for key management and security associations, -independent of the key generation and cryptographic algorithms actually -employed. The OAKLEY Key Determination Protocol, described in RFC 2412, is a key determination and distribution protocol using a variation of Diffie-Hellman. - -
Kerberos -A secret-key encryption and -authentication system, designed to authenticate requests for network -resources within a user domain rather than to authenticate messages. -Kerberos also uses a trusted third-party approach; a client -communications with the Kerberos server to obtain "credentials" so that -it may access services at the application server. Kerberos V4 uses DES -to generate keys and encrypt messages; DES is also commonly used in -Kerberos V5, although other schemes could be employed. -

Microsoft added support for Kerberos V5 — with some proprietary -extensions — in Windows 2000. There are many Kerberos articles posted -at Microsoft's Knowledge Base, notably "Basic Overview of Kerberos User Authentication Protocol in Windows 2000," "Windows 2000 Kerberos 5 Ticket Flags and KDC Options for AS_REQ and TGS_REQ Messages," and "Kerberos Administration in Windows 2000." - -

Keyed-Hash Message Authentication Code (HMAC) -A message authentication scheme based -upon secret key cryptography and the secret key shared between two -parties rather than public key methods. Described in FIPS 198 and RFC 2104. - -
Message Digest Cipher (MDC) -Invented by Peter Gutman, MDC turns a one-way hash function into a block cipher. - -
MIME Object Security Standard (MOSS) -Designed as a successor to PEM to provide PEM-based security services to MIME messages. - -
Pretty Good Privacy (PGP) -A family of cryptographic routines -for e-mail and file storage applications developed by Philip -Zimmermann. PGP 2.6.x uses RSA for key management and digital -signatures, IDEA for message encryption, and MD5 for computing the -message's hash value; more information can also be found in RFC 1991. -PGP 5.x (formerly known as "PGP 3") uses Diffie-Hellman/DSS for key -management and digital signatures; IDEA, CAST, or 3DES for message -encryption; and MD5 or SHA for computing the message's hash value. -OpenPGP, described in RFC 2440, is an open definition of security software based on PGP 5.x. -

-(See more detail about PGP below in Section 5.5.) - -

Privacy Enhanced Mail (PEM) -Provides secure electronic mail over -the Internet and includes provisions for encryption (DES), -authentication, and key management (DES, RSA). May be superseded by -S/MIME and PEM-MIME. Developed by IETF PEM Working Group and defined in -four RFCs: -
  • RFC 1421: Part I, Message Encryption and Authentication Procedures -
  • RFC 1422: Part II, Certificate-Based Key Management -
  • RFC 1423: Part III, Algorithms, Modes, and Identifiers -
  • RFC 1424: Part IV, Key Certification and Related Services - - -
    • Private Communication Technology (PCT) -Developed by Microsoft and Visa for -secure communication on the Internet. Similar to SSL, PCT supports -Diffie-Hellman, Fortezza, and RSA for key establishment; DES, RC2, RC4, -and triple-DES for encryption; and DSA and RSA message signatures. A -companion to SET. -
    Secure Electronic Transactions (SET) -A merging of two other protocols: -SEPP (Secure Electronic Payment Protocol), an open specification for -secure bank card transactions over the Internet, developed by -CyberCash, GTE, IBM, MasterCard, and Netscape; and STT (Secure -Transaction Technology), a secure payment protocol developed by -Microsoft and Visa International. Supports DES and RC4 for encryption, -and RSA for signatures, key exchange, and public-key encryption of bank -card numbers. SET is a companion to the PCT protocol. -
    Secure Hypertext Transfer Protocol (S-HTTP) -An extension to HTTP to provide -secure exchange of documents over the World Wide Web. Supported -algorithms include RSA and Kerberos for key exchange, DES, IDEA, RC2, -and Triple-DES for encryption. -
    Secure Multipurpose Internet Mail Extensions (S/MIME) -An IETF secure e-mail scheme intended to supercede PEM. S/MIME, described in RFCs 2311 and 2312, adds digital signature and encryption capability to Internet MIME messages. - -
    Secure Sockets Layer (SSL) -Developed by Netscape Communications -to provide application-independent security and privacy over the -Internet. SSL is designed so that protocols such as HTTP, FTP (File -Transfer Protocol), and Telnet can operate over it transparently. SSL -allows both server authentication (mandatory) and client authentication -(optional). RSA is used during negotiation to exchange keys and -identify the actual cryptographic algorithm (DES, IDEA, RC2, RC4, or -3DES) to use for the session. SSL also uses MD5 for message digests and -X.509 public-key certificates. (Found to be breakable soon after the -IETF announced formation of group to work on TLS.) -

    -(See more detail about SSL below in Section 5.7.) - -

    Server Gated Cryptography (SGC) -Microsoft extension to SSL that -provides strong encryption for online banking and other financial -applications using RC2 (128-bit key), RC4 (128-bit key), DES (56-bit -key), or 3DES (equivalent of 168-bit key). Use of SGC requires a -Windows NT Server running Internet Information Server (IIS) 4.0 with a -valid SGC certificate. SGC is available in 32-bit Windows versions of -Internet Explorer (IE) 4.0, and support for Mac, Unix, and 16-bit -Windows versions of IE is expected in the future. -
    Simple Authentication and Security Layer (SASL) -(SASL) is a framework for providing -authentication and data security services in connection-oriented -protocols (a la TCP). It provides a structured interface and allows new -protocols to reuse existing authentication mechanisms and allows old -protocols to make use of new mechanisms. -

    It has been common practice on the Internet to permit anonymous -access to various services, employing a plain-text password using a -user name of "anonymous" and a password of an email address or some -other identifying information. New IETF protocols disallow plain-text -logins. The Anonymous SASL Mechanism (RFC 4505) provides a method for anonymous logins within the SASL framework. - -

    Simple Key-Management for Internet Protocol (SKIP) -Key management scheme for secure IP -communication, specifically for IPsec, and designed by Aziz and Diffie. -SKIP essentially defines a public key infrastructure for the Internet -and even uses X.509 certificates. Most public key cryptosystems assign -keys on a per-session basis, which is inconvenient for the Internet -since IP is connectionless. Instead, SKIP provides a basis for secure -communication between any pair of Internet hosts. SKIP can employ DES, -3DES, IDEA, RC2, RC5, MD5, and SHA-1. -
    Transport Layer Security (TLS) -IETF specification (RFC 2246) -intended to replace SSL. Employs Triple-DES (secret key cryptography), -SHA (hash), Diffie-Hellman (key exchange), and DSS (digital -signatures). -

    -(See more detail about TLS below in Section 5.7.) - -

    X.509 -ITU-T recommendation for the format -of certificates for the public key infrastructure. Certificates map -(bind) a user identity to a public key. The IETF application of X.509 -certificates is documented in RFC 2459. An Internet X.509 Public Key Infrastructure is further defined in RFC 2510 (Certificate Management Protocols) and RFC 2527 (Certificate Policy and Certification Practices Framework). -
    - -

    -

    5.1. Password Protection

     -

    -Nearly all modern multiuser computer and network -operating systems employ passwords at the very least to protect and -authenticate users accessing computer and/or network resources. But -passwords are not typically kept on a host or server in plaintext, but are generally encrypted using some sort of hash scheme.

    - -
    -
    - -
    -
    A) /etc/passwd file
-
- root:Jbw6BwE4XoUHo:0:0:root:/root:/bin/bash
- carol:FM5ikbQt1K052:502:100:Carol Monaghan:/home/carol:/bin/bash
- alex:LqAi7Mdyg/HcQ:503:100:Alex Insley:/home/alex:/bin/bash
- gary:FkJXupRyFqY4s:501:100:Gary Kessler:/home/gary:/bin/bash
- todd:edGqQUAaGv7g6:506:101:Todd Pritsky:/home/todd:/bin/bash
- josh:FiH0ONcjPut1g:505:101:Joshua Kessler:/home/webroot:/bin/bash
-
-B.1) /etc/passwd file (with shadow passwords)
-
- root:x:0:0:root:/root:/bin/bash
- carol:x:502:100:Carol Monaghan:/home/carol:/bin/bash
- alex:x:503:100:Alex Insley:/home/alex:/bin/bash
- gary:x:501:100:Gary Kessler:/home/gary:/bin/bash
- todd:x:506:101:Todd Pritsky:/home/todd:/bin/bash
- josh:x:505:101:Joshua Kessler:/home/webroot:/bin/bash
-
-B.2) /etc/shadow file
-
- root:AGFw$1$P4u/uhLK$l2.HP35rlu65WlfCzq:11449:0:99999:7:::
- carol:kjHaN%35a8xMM8a/0kMl1?fwtLAM.K&kw.:11449:0:99999:7:::
- alex:1$1KKmfTy0a7#3.LL9a8H71lkwn/.hH22a:11449:0:99999:7:::
- gary:9ajlknknKJHjhnu7298ypnAIJKL$Jh.hnk:11449:0:99999:7:::
- todd:798POJ90uab6.k$klPqMt%alMlprWqu6$.:11492:0:99999:7:::
- josh:Awmqpsui*787pjnsnJJK%aappaMpQo07.8:11492:0:99999:7:::
-
    -

    -

    FIGURE 5: Sample entries in Unix/Linux password files.

    -
    -
    - -

    -Unix/Linux, for example, uses a well-known hash via its crypt() function. Passwords are stored in the /etc/passwd -file (Figure 5A); each record in the file contains the username, hashed -password, user's individual and group numbers, user's name, home -directory, and shell program; these fields are separated by colons (:). -Note that each password is stored as a 13-byte string. The first two -characters are actually a salt, randomness added to each -password so that if two users have the same password, they will still -be encrypted differently; the salt, in fact, provides a means so that a -single password might have 4096 different encryptions. The remaining 11 -bytes are the password hash, calculated using DES.

    -

    -As it happens, the /etc/passwd file is -world-readable on Unix systems. This fact, coupled with the weak -encryption of the passwords, resulted in the development of the shadow password -system where passwords are kept in a separate, non-world-readable file -used in conjunction with the normal password file. When shadow -passwords are used, the password entry in /etc/passwd is replaced with a "*" or "x" (Figure 5B.1) and the MD5 hash of the passwords are stored in /etc/shadow along with some other account information (Figure 5B.2).

    -
    -

    -Windows NT uses a similar scheme to store passwords in -the Security Access Manager (SAM) file. In the NT case, all passwords -are hashed using the MD4 algorithm, resulting in a 128-bit (16-byte) -hash value (they are then obscured using an undocumented mathematical transformation that was a secret until distributed on the Internet). The password password, for example, might be stored as the hash value (in hexadecimal) 60771b22d73c34bd4a290a79c8b09f18.

    -

    -Passwords are not saved in plaintext on computer systems -precisely so they cannot be easily compromised. For similar reasons, we -don't want passwords sent in plaintext across a network. But for remote -logon applications, how does a client system identify itself or a user -to the server? One mechanism, of course, is to send the password as a -hash value and that, indeed, may be done. A weakness of that approach, -however, is that an intruder can grab the password off of the network -and use an off-line attack (such as a dictionary attack where -an attacker takes every known word and encrypts it with the network's -encryption algorithm, hoping eventually to find a match with a -purloined password hash). In some situations, an attacker only has to -copy the hashed password value and use it later on to gain unauthorized -entry without ever learning the actual password.

    -

    -An even stronger authentication method uses the password -to modify a shared secret between the client and server, but never -allows the password in any form to go across the network. This is the -basis for the Challenge Handshake Authentication Protocol (CHAP), the -remote logon process used by Windows NT.

    -

    -As suggested above, Windows NT passwords are stored in a -security file on a server as a 16-byte hash value. In truth, Windows NT -stores two hashes; a weak hash based upon the old LAN Manager -(LanMan) scheme and the newer NT hash. When a user logs on to a server -from a remote workstation, the user is identified by the username, sent -across the network in plaintext (no worries here; it's not a secret -anyway!). The server then generates a 64-bit random number and sends it -to the client (also in plaintext). This number is the challenge.

    -

    -Using the LanMan scheme, the client system then encrypts -the challenge using DES. Recall that DES employs a 56-bit key, acts on -a 64-bit block of data, and produces a 64-bit output. In this case, the -64-bit data block is the random number. The client actually uses three -different DES keys to encrypt the random number, producing three -different 64-bit outputs. The first key is the first seven bytes (56 -bits) of the password's hash value, the second key is the next seven -bytes in the password's hash, and the third key is the remaining two -bytes of the password's hash concatenated with five zero-filled bytes. -(So, for the example above, the three DES keys would be 60771b22d73c34, bd4a290a79c8b0, and 9f180000000000.) Each key is applied to the random number resulting in three 64-bit outputs, which comprise the response. -Thus, the server's 8-byte challenge yields a 24-byte response from the -client and this is all that would be seen on the network. The server, -for its part, does the same calculation to ensure that the values match.

    -

    -There is, however, a significant weakness to this -system. Specifically, the response is generated in such a way as to -effectively reduce 16-byte hash to three smaller hashes, of length -seven, seven, and two. Thus, a password cracker has to break at most a -7-byte hash. One Windows NT vulnerability test program that I have used -in the past will report passwords that are "too short," defined as -"less than 8 characters." When I asked how the program knew that -passwords were too short, the software's salespeople suggested to me -that the program broke the passwords to determine their length. This is -undoubtedly not true; all the software really has to do is look at the -second 7-byte block and some known value indicates that it is empty, -which would indicate a password of seven or less characters.

    -

    -Consider the following example, showing the LanMan hash -of two different short passwords (take a close look at the last 8 -bytes):

    - - - - -
    AA: -89D42A44E77140AAAAD3B435B51404EE -
    AAA: -1C3A2B6D939A1021AAD3B435B51404EE -
    - -

    -Note that the NT hash provides no such clue:

    - - - - -
    AA: -C5663434F963BE79C8FD99F535E7AAD8 -
    AAA: -6B6E0FB2ED246885B98586C73B5BFB77 -
    - -

    -It is worth noting that the discussion above describes the Microsoft version of CHAP, or MS-CHAP (MS-CHAPv2 is described in RFC 2759). -MS-CHAP assumes that it is working with hashed values of the password -as the key to encrypting the challenge. More traditional CHAP (RFC 1994) -assumes that it is starting with passwords in plaintext. The relevance -of this observation is that a CHAP client, for example, cannot be -authenticated by an MS-CHAP server; both client and server must use the -same CHAP version.

    - -

    5.2. Some of the Finer Details of Diffie-Hellman

     -

    -The first published public-key crypto algorithm was -Diffie-Hellman. The mathematical "trick" of this scheme is that it is -relatively easy to compute exponents compared to computing discrete -logarithms. Diffie-Hellman allows two parties — the ubiquitous Alice -and Bob — to generate a secret key; they need to exchange some -information over an unsecure communications channel to perform the -calculation but an eavesdropper cannot determine the shared key based -upon this information.

    -

    -Diffie-Hellman works like this. Alice and Bob start by agreeing on a large prime number, n. They also have to choose some number g so that g<n.

    -

    -There is actually another constraint on g, specifically that it must be primitive with respect to n. Primitive is a definition that is a little beyond the scope of our discussion but basically g is primitive to n if we can find integers i so that gi -= j mod n for all values of j from 1 to n-1. As an example, 2 is not -primitive to 7 because the set of powers of 2 from 1 to 6, mod 7 = -{2,4,1,2,4,1}. On the other hand, 3 is primitive to 7 because the set -of powers of 3 from 1 to 6, mod 7 = {3,2,6,4,5,1}.

    -

    -(The definition of primitive introduced a new term to some readers, namely mod. The phrase x mod y (and read as written!) means "take the remainder after dividing x by y." Thus, 1 mod 7 = 1, 9 mod 6 = 3, and 8 mod 8 = 0.)

    -

    -Anyway, either Alice or Bob selects n and g; they then -tell the other party what the values are. Alice and Bob then work -independently:

    - -
    - - -
    -
    Alice...

    -Choose a large random number, x
    -Send to Bob: X = gx mod n
    -Compute: KA = Yx mod n
    -    		 -
    Bob...

    -Choose a large random number, y
    -Send to Alice: Y = gy mod n
    -Compute: KB = Xy mod n
    -
    -
    - -

    -Note that x and y are kept secret while X -and Y are openly shared; these are the private and public keys, -respectively. Based on their own private key and the public key learned -from the other party, Alice and Bob have computed their secret keys, KA and KB, respectively, which are equal to gxy mod n.

    -

    -Perhaps a small example will help here. Although Alice -and Bob will really choose large values for n and g, I will use small -values for example only; let's use n=7 and g=3.

    - -
    - - -
    -
    Alice...

    -Choose x=2
    -Send to Bob: X = 32 mod 7 = 2
    -KA = 62 mod 7 = 1
    -    		 -
    Bob...

    -Choose y=3
    -Send to Alice: Y = 33 mod 7 = 6
    -KB = 23 mod 7 = 1
    -
    -
    - -

    -In this example, then, Alice and Bob will both find the secret key 1 which is, indeed, 36 -mod 7. If an eavesdropper (Mallory) was listening in on the information -exchange between Alice and Bob, he would learn g, n, X, and Y which is -a lot of information but insufficient to compromise the key; as long as -x and y remain unknown, K is safe. As said above, calculating X as gx is a lot easier than finding x as logg X!

    -
    -

    -A short digression on modulo arithmetic. In the paragraph above, we noted that 36 mod 7 = 1. This can be confirmed, of course, by noting that:

    -

    -36 = 729 = 104*7 + 1

    -

    -There is a nice property of modulo arithmetic, however, -that makes this determination a little easier, namely: (a mod x)(b mod -x) = (ab mod x). Therefore, one possible shortcut is to note that 36 = (33)(33). Therefore, 36 mod 7 = (33 mod 7)(33 mod 7) = (27 mod 7)(27 mod 7) = 6*6 mod 7 = 36 mod 7 = 1.

    -
    -

    -Diffie-Hellman can also be used to allow key sharing -amongst multiple users. Note again that the Diffie-Hellman algorithm is -used to generate secret keys, not to encrypt and decrypt messages.

    - -

    5.3. Some of the Finer Details of RSA Public-Key Cryptography

     -

    -Unlike Diffie-Hellman, RSA can be used for key exchange -as well as digital signatures and the encryption of small blocks of -data. Today, RSA is primary used to encrypt the session key used for -secret key encryption (message integrity) or the message's hash value -(digital signature). RSA's mathematical hardness comes from the ease in -calculating large numbers and the difficulty in finding the prime -factors of those large numbers. Although employed with numbers using -hundreds of digits, the math behind RSA is relatively straight-forward.

    -

    -To create an RSA public/private key pair, here are the basic steps:

    -
      -
    1. Choose two prime numbers, p and q. From these numbers you can calculate the modulus, n = pq. -
    2. Select a third number, e, that is relatively prime to (i.e., -it does not divide evenly into) the product (p-1)(q-1). The number e is -the public exponent. -
    3. Calculate an integer d from the quotient (ed-1)/[(p-1)(q-1)]. The number d is the private exponent. -
    -

    -The public key is the number pair (n,e). Although these -values are publicly known, it is computationally infeasible to -determine d from n and e if p and q are large enough.

    -

    -To encrypt a message, M, with the public key, create the ciphertext, C, using the equation:

    -
      -C = Me mod n -
    -

    -The receiver then decrypts the ciphertext with the private key using the equation:

    -
      -M = Cd mod n -
    -

    -Now, this might look a bit complex and, indeed, the -mathematics does take a lot of computer power given the large size of -the numbers; since p and q may be 100 digits (decimal) or more, d and e -will be about the same size and n may be over 200 digits. Nevertheless, -a simple example may help. In this example, the values for p, q, e, and -d are purposely chosen to be very small and the reader will see exactly -how badly these values perform, but hopefully the algorithm will be -adequately demonstrated:

    -
      -
    1. Select p=3 and q=5. -
    2. The modulus n = pq = 15. -
    3. The value e must be relatively prime to (p-1)(q-1) = (2)(4) = 8. Select e=11 -
    4. The value d must be chosen so that (ed-1)/[(p-1)(q-1)] is an -integer. Thus, the value (11d-1)/[(2)(4)] = (11d-1)/8 must be an -integer. Calculate one possible value, d=3. -
    5. Let's say we wish to send the string SECRET. For this -example, we will convert the string to the decimal representation of -the ASCII values of the characters, which would be 83 69 67 82 69 84. -
    6. The sender encrypts each digit one at a time (we have to -because the modulus is so small) using the public key value -(e,n)=(11,15). Thus, each ciphertext character Ci = Mi11 mod 15. The input digit string 0x836967826984 will be transmitted as 0x2c696d286924. -
    7. The receiver decrypts each digit using the private key value (d,n)=(3,15). Thus, each plaintext character Mi = Ci3 mod 15. The input digit string 0x2c696d286924 will be converted to 0x836967826984 and, presumably, reassembled as the plaintext string SECRET. -
    -

    -Again, the example above uses small values for -simplicity and, in fact, shows the weakness of small values; note that -4, 6, and 9 do not change when encrypted, and that the values 2 and 8 -encrypt to 8 and 2, respectively. Nevertheless, this simple example -demonstrates how RSA can be used to exchange information.

    - -

    -RSA keylengths of 512 and 768 bits are considered to be -pretty weak. The minimum suggested RSA key is 1024 bits; 2048 and 3072 -bits are even better.

    - -

    -As an aside, Adam Back (http://www.cypherspace.org/~adam/) wrote a two-line Perl script to implement RSA. It employs dc, an arbitrary precision arithmetic package that ships with most UNIX systems:

    - - -
    -
    print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<>
-)]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`
-
    -
    - -

    5.4. Some of the Finer Details of DES, Breaking DES, and DES Variants

     -

    -The Data Encryption Standard (DES) has been in use since -the mid-1970s, adopted by the National Bureau of Standards (NBS) [now -the National Institute for Standards and Technology (NIST)] as Federal -Information Processing Standard 46 (FIPS 46-3) and by the American National Standards Institute (ANSI) as X3.92.

    -

    -As mentioned earlier, DES uses the Data Encryption -Algorithm (DEA), a secret key block-cipher employing a 56-bit key -operating on 64-bit blocks. FIPS 81 -describes four modes of DES operation: Electronic Codebook (ECB), -Cipher Block Chaining (CBC), Cipher Feedback (CFB), and Output Feedback -(OFB). Despite all of these options, ECB is the most commonly deployed -mode of operation.

    -

    -NIST finally declared DES obsolete in 2004, and withdrew FIPS 46-3, 74, and 81 (Federal Register, July 26, 2004, 69(142), 44509-44510). -Although other block ciphers will replace DES, it is still interesting -to see how DES encryption is performed; not only is it sort of neat, -but DES was the first crypto scheme commonly seen in non-govermental -applications and was the catalyst for modern "public" cryptography. DES -remains in many products — and cryptography students and cryptographers -will continue to study DES for years to come.

    - -

    DES Operational Overview

    -

    -DES uses a 56-bit key. In fact, the 56-bit key is -divided into eight 7-bit blocks and an 8th odd parity bit is added to -each block (i.e., a "0" or "1" is added to the block so that there are -an odd number of 1 bits in each 8-bit block). By using the 8 parity -bits for rudimentary error detection, a DES key is actually 64 bits in -length for computational purposes (although it only has 56 bits worth -of randomness, or entropy).

    - -
    -
    - -

    -

    FIGURE 6: DES enciphering algorithm.

    -
    -
    -
    -

    -DES then acts on 64-bit blocks of the -plaintext, invoking 16 rounds of permutations, swaps, and substitutes, -as shown in Figure 6. The standard includes tables describing all of -the selection, permutation, and expansion operations mentioned below; -these aspects of the algorithm are not secrets. The basic DES steps are:

    -
      -
    1. The 64-bit block to be encrypted -undergoes an initial permutation (IP), where each bit is moved to a new -bit position; e.g., the 1st, 2nd, and 3rd bits are moved to the 58th, -50th, and 42nd position, respectively.

      -
    2. The 64-bit permuted input is divided into two 32-bit blocks, called left and right, respectively. The initial values of the left and right blocks are denoted L0 and R0.

      -
    3. There are then 16 rounds of operation on the L and R blocks. During each iteration (where n ranges from 1 to 16), the following formulae apply: - -At any given step in the process, then, the new L block -value is merely taken from the prior R block value. The new R block is -calculated by taking the bit-by-bit exclusive-OR (XOR) of the prior L -block with the results of applying the DES cipher function, f, to the prior R block and Kn. (Kn -is a 48-bit value derived from the 64-bit DES key. Each round uses a -different 48 bits according to the standard's Key Schedule algorithm.) -

      -The cipher function, f, combines the 32-bit R block -value and the 48-bit subkey in the following way. First, the 32 bits in -the R block are expanded to 48 bits by an expansion function (E); the -extra 16 bits are found by repeating the bits in 16 predefined -positions. The 48-bit expanded R-block is then ORed with the 48-bit -subkey. The result is a 48-bit value that is then divided into eight -6-bit blocks. These are fed as input into 8 selection (S) boxes, -denoted S1,...,S8. Each 6-bit input yields a -4-bit output using a table lookup based on the 64 possible inputs; this -results in a 32-bit output from the S-box. The 32 bits are then -rearranged by a permutation function (P), producing the results from -the cipher function. -

      -

    4. The results from the final DES round — i.e., L16 and R16 — are recombined into a 64-bit value and fed into an inverse initial permutation (IP-1). -At this step, the bits are rearranged into their original positions, so -that the 58th, 50th, and 42nd bits, for example, are moved back into -the 1st, 2nd, and 3rd positions, respectively. The output from IP-1 is the 64-bit ciphertext block. -
    -

    -Consider this example with the given 56-bit key and input:

    - - -

    Breaking DES

    -

    -The mainstream cryptographic community -has long held that DES's 56-bit key was too short to withstand a -brute-force attack from modern computers. Remember Moore's Law: -computer power doubles every 18 months. Given that increase in power, a -key that could withstand a brute-force guessing attack in 1975 could -hardly be expected to withstand the same attack a quarter century later.

    -

    -DES is even more vulnerable to a -brute-force attack because it is often used to encrypt words, meaning -that the entropy of the 64-bit block is, effectively, greatly reduced. -That is, if we are encrypting random bit streams, then a given byte -might contain any one of 28 (256) possible values and the entire 64-bit block has 264, -or about 18.5 quintillion, possible values. If we are encrypting words, -however, we are most likely to find a limited set of bit patterns; -perhaps 70 or so if we account for upper and lower case letters, the -numbers, space, and some punctuation. This means that only about ¼ of the bit combinations of a given byte are likely to occur.

    -

    -Despite this criticism, the U.S. -government insisted throughout the mid-1990s that 56-bit DES was secure -and virtually unbreakable if appropriate precautions were taken. In -response, RSA Laboratories sponsored a series of cryptographic challenges to prove that DES was no longer appropriate for use.

    -

    -DES Challenge I was launched in March 1997. It was -completed in 84 days by R. Verser in a collaborative effort using -thousands of computers on the Internet.

    -

    -The first DES II challenge lasted 40 days in early 1998. This problem was solved by distributed.net, -a worldwide distributed computing network using the spare CPU cycles of -computers around the Internet (participants in distributed.net's -activities load a client program that runs in the background, -conceptually similar to the SETI @Home "Search for Extraterrestrial -Intelligence" project). The distributed.net systems were checking 28 billion keys per second by the end of the project.

    -

    -The second DES II challenge lasted less than 3 days. On -July 17, 1998, the Electronic Frontier Foundation (EFF) announced the -construction of hardware that could brute-force a DES key in an average -of 4.5 days. Called Deep Crack, the device could check 90 billion keys -per second and cost only about $220,000 including design (it was -erroneously and widely reported that subsequent devices could be built -for as little as $50,000). Since the design is scalable, this suggests -that an organization could build a DES cracker that could break 56-bit -keys in an average of a day for as little as $1,000,000. Information -about the hardware design and all software can be obtained from the EFF.

    -

    -The DES III challenge, launched in January 1999, was -broken is less than a day by the combined efforts of Deep Crack and -distributed.net. This is widely considered to have been the final nail -in DES's coffin.

    -

    -The Deep Crack algorithm is actually quite interesting. -The general approach that the DES Cracker Project took was not to break -the algorithm mathematically but instead to launch a brute-force attack -by guessing every possible key. A 56-bit key yields 256, or -about 72 quadrillion, possible values. So the DES cracker team looked -for any shortcuts they could find! First, they assumed that some -recognizable plaintext would appear in the decrypted string even though -they didn't have a specific known plaintext block. They then applied -all 256 possible key values to the 64-bit block (I don't -mean to make this sound simple!). The system checked to see if the -decrypted value of the block was "interesting," which they defined as -bytes containing one of the alphanumeric characters, space, or some -punctuation. Since the likelihood of a single byte being "interesting" -is about ¼, then the likelihood of the entire 8-byte stream being -"interesting" is about ¼8, or 1/65536 (½16). This dropped the number of possible keys that might yield positive results to about 240, or about a trillion.

    -

    -They then made the assumption that an "interesting" -8-byte block would be followed by another "interesting" block. So, if -the first block of ciphertext decrypted to something interesting, they -decrypted the next block; otherwise, they abandoned this key. Only if -the second block was also "interesting" did they examine the key -closer. Looking for 16 consecutive bytes that were "interesting" meant -that only 224, or 16 million, keys needed to be examined -further. This further examination was primarily to see if the text made -any sense. Note that possible "interesting" blocks might be 1hJ5&aB7 or DEPOSITS; -the latter is more likely to produce a better result. And even a slow -laptop today can search through lists of only a few million items in a -relatively short period of time. (Interested readers are urged to read Cracking DES and EFF's Cracking DES page.)

    -

    -It is well beyond the scope of this paper to discuss -other forms of breaking DES and other codes. Nevertheless, it is worth -mentioning a couple of forms of cryptanalysis that have been shown to -be effective against DES. Differential cryptanalysis, invented -in 1990 by E. Biham and A. Shamir (of RSA fame), is a chosen-plaintext -attack. By selecting pairs of plaintext with particular differences, -the cryptanalyst examines the differences in the resultant ciphertext -pairs. Linear plaintext, invented by M. Matsui, uses a linear -approximation to analyze the actions of a block cipher (including DES). -Both of these attacks can be more efficient than brute force.

    - -

    DES Variants

    -

    -Once DES was "officially" broken, several variants -appeared. But none of them came overnight; work at hardening DES had -already been underway. In the early 1990s, there was a proposal to -increase the security of DES by effectively increasing the key length -by using multiple keys with multiple passes. But for this scheme to -work, it had to first be shown that the DES function is not a group, -as defined in mathematics. If DES was a group, then we could show that -for two DES keys, X1 and X2, applied to some plaintext (P), we can find -a single equivalent key, X3, that would provide the same result; i.e.,:

    -

    -EX2(EX1(P)) = EX3(P)

    -

    -where EX(P) represents DES encryption of some plaintext P using DES key X. -If DES were a group, it wouldn't matter how many keys and passes we -applied to some plaintext; we could always find a single 56-bit key -that would provide the same result.

    -

    -As it happens, DES was proven to not be a group so that -as we apply additional keys and passes, the effective key length -increases. One obvious choice, then, might be to use two keys and two -passes, yielding an effective key length of 112 bits. Let's call this -Double-DES. The two keys, Y1 and Y2, might be applied as follows:

    -

    -C = EY2(EY1(P))
    -P = DY1(DY2(C))

    -

    -where EY(P) and DY(C) represent DES encryption and decryption, respectively, of some plaintext P and ciphertext C, respectively, using DES key Y.

    -

    -So far, so good. But there's an interesting attack that -can be launched against this "Double-DES" scheme. First, notice that -the applications of the formula above can be thought of with the -following individual steps (where C' and P' are intermediate results):

    -

    -C' = EY1(P) and C = EY2(C')
    -P' = DY2(C) and P = DY1(P')

    -

    -Unfortunately, C'=P'. That leaves us vulnerable to a simple known plaintext -attack (sometimes called "Meet-in-the-middle") where the attacker knows -some plaintext (P) and its matching ciphertext (C). To obtain C', the -attacker needs to try all 256 possible values of Y1 applied to P; to obtain P', the attacker needs to try all 256 possible values of Y2 applied to C. Since C'=P', the attacker knows when a match has been achieved — after only 256 + 256 = 257 key searches, only twice the work of brute-forcing DES. So "Double-DES" won't work.

    -

    -Triple-DES (3DES), based upon the Triple Data Encryption Algorithm (TDEA), is described in FIPS 46-3. -3DES, which is not susceptible to a meet-in-the-middle attack, employs -three DES passes and one, two, or three keys called K1, K2, and K3. -Generation of the ciphertext (C) from a block of plaintext (P) is -accomplished by:

    -

    -C = EK3(DK2(EK1(P)))

    -

    -where EK(P) and DK(P) represent DES encryption and decryption, respectively, of some plaintext P using DES key K. (For obvious reasons, this is sometimes referred to as an encrypt-decrypt-encrypt mode operation.)

    -

    -Decryption of the ciphertext into plaintext is accomplished by:

    -

    -P = DK1(EK2(DK3(C)))

    -

    -The use of three, independent 56-bit keys provides 3DES -with an effective key length of 168 bits. The specification also -defines use of two keys where, in the operations above, K3 = K1; this -provides an effective key length of 112 bits. Finally, a third keying -option is to use a single key, so that K3 = K2 = K1 (in this case, the -effective key length is 56 bits and 3DES applied to some plaintext, P, -will yield the same ciphertext, C, as normal DES would with that same -key). Given the relatively low cost of key storage and the modest -increase in processing due to the use of longer keys, the best -recommended practices are that 3DES be employed with three keys.

    -

    -Another variant of DES, called DESX, is due to Ron -Rivest. Developed in 1996, DESX is a very simple algorithm that greatly -increases DES's resistance to brute-force attacks without increasing -its computational complexity. In DESX, the plaintext input is XORed -with 64 additional key bits prior to encryption and the output is -likewise XORed with the 64 key bits. By adding just two XOR operations, -DESX has an effective keylength of 120 bits against an exhaustive -key-search attack. As it happens, DESX is no more immune to other types -of more sophisticated attacks, such as differential or linear -cryptanalysis, but brute-force is the primary attack vector on DES.

    - -

    5.5. Pretty Good Privacy (PGP)

     -

    -Pretty Good Privacy (PGP) is one of today's most widely used public key cryptography programs. Developed by Philip Zimmermann -in the early 1990s and long the subject of controversy, PGP is -available as a plug-in for many e-mail clients, such as Claris Emailer, -Microsoft Outlook/Outlook Express, and Qualcomm Eudora.

    -

    -PGP can be used to sign or encrypt e-mail messages with -the mere click of the mouse. Depending upon the version of PGP, the -software uses SHA or MD5 for calculating the message hash; CAST, -Triple-DES, or IDEA for encryption; and RSA or DSS/Diffie-Hellman for -key exchange and digital signatures.

    -

    -When PGP is first installed, the user has to create a -key-pair. One key, the public key, can be advertised and widely -circulated. The private key is protected by use of a passphrase. The passphrase has to be entered every time the user accesses their private key.

    - -
    -
    - -
    -
    - -----BEGIN PGP SIGNED MESSAGE-----
- Hash: SHA1
-
- Hi Carol.
-
- What was that pithy Groucho Marx quote?
-
- /kess
-
- -----BEGIN PGP SIGNATURE-----
- Version: PGP for Personal Privacy 5.0
- Charset: noconv
-
- iQA/AwUBNFUdO5WOcz5SFtuEEQJx/ACaAgR97+vvDU6XWELV/GANjAAgBtUAnjG3
- Sdfw2JgmZIOLNjFe7jP0Y8/M
- =jUAU
- -----END PGP SIGNATURE-----
-
    -

    -

    FIGURE 7: A PGP signed message. The sender uses their private -key; at the destination, the sender's e-mail address yields the public -key from the receiver's keyring.

    -
    -
    - -
    -

    -Figure 7 shows a PGP signed message. This message will -not be kept secret from an eavesdropper, but a recipient can be assured -that the message has not been altered from what the sender transmitted. -In this instance, the sender signs the message using their own private -key. The receiver uses the sender's public key to verify the signature; -the public key is taken from the receiver's keyring based on the -sender's e-mail address. Note that the signature process does not work -unless the sender's public key is on the receiver's keyring.

    - -
    -
    - -
    -
    ------BEGIN PGP MESSAGE-----
-Version: PGP for Personal Privacy 5.0
-MessageID: DAdVB3wzpBr3YRunZwYvhK5gBKBXOb/m
-
-qANQR1DBwU4D/TlT68XXuiUQCADfj2o4b4aFYBcWumA7hR1Wvz9rbv2BR6WbEUsy
-ZBIEFtjyqCd96qF38sp9IQiJIKlNaZfx2GLRWikPZwchUXxB+AA5+lqsG/ELBvRa
-c9XefaYpbbAZ6z6LkOQ+eE0XASe7aEEPfdxvZZT37dVyiyxuBBRYNLN8Bphdr2zv
-z/9Ak4/OLnLiJRk05/2UNE5Z0a+3lcvITMmfGajvRhkXqocavPOKiin3hv7+Vx88
-uLLem2/fQHZhGcQvkqZVqXx8SmNw5gzuvwjV1WHj9muDGBY0MkjiZIRI7azWnoU9
-3KCnmpR60VO4rDRAS5uGl9fioSvze+q8XqxubaNsgdKkoD+tB/4u4c4tznLfw1L2
-YBS+dzFDw5desMFSo7JkecAS4NB9jAu9K+f7PTAsesCBNETDd49BTOFFTWWavAfE
-gLYcPrcn4s3EriUgvL3OzPR4P1chNu6sa3ZJkTBbriDoA3VpnqG3hxqfNyOlqAka
-mJJuQ53Ob9ThaFH8YcE/VqUFdw+bQtrAJ6NpjIxi/x0FfOInhC/bBw7pDLXBFNaX
-HdlLQRPQdrmnWskKznOSarxq4GjpRTQo4hpCRJJ5aU7tZO9HPTZXFG6iRIT0wa47
-AR5nvkEKoIAjW5HaDKiJriuWLdtN4OXecWvxFsjR32ebz76U8aLpAK87GZEyTzBx
-dV+lH0hwyT/y1cZQ/E5USePP4oKWF4uqquPee1OPeFMBo4CvuGyhZXD/18Ft/53Y
-WIebvdiCqsOoabK3jEfdGExce63zDI0=
-=MpRf
------END PGP MESSAGE-----
-
    -

    -

    FIGURE 8: A PGP encrypted message. The receiver's e-mail -address is the pointer to the public key in the sender's keyring. At -the destination side, the receiver uses their own private key.

    -
    -
    - -
    -

    -Figure 8 shows a PGP encrypted message (PGP compresses -the file, where practical, prior to encryption because encrypted files -lose their randomness and, therefore, cannot be compressed). In this -case, public key methods are used to exchange the session key for the -actual message encryption using secret-key cryptography. In this case, -the receiver's e-mail address is the pointer to the public key in the -sender's keyring; in fact, the same message can be sent to multiple -recipients and the message will not be significantly longer since all -that needs to be added is the session key encrypted by each receiver's -private key. When the message is received, the recipient must use their -private key to extract the session secret key to successfully decrypt -the message (Figure 9).

    - -
    -
    - -
    -
    - Hi Gary,
-
- "Outside of a dog, a book is man's best friend.
- Inside of a dog, it's too dark to read."
-
- Carol
-
    -

    -

    FIGURE 9: The decrypted message.

    -
    -
    - -
    -

    -It is worth noting that PGP was one of the first -so-called "hybrid cryptosystems" that combined aspects of SKC and PKC. -When Zimmermann was first designing PGP in the late-1980s, he wanted to -use RSA to encrypt the entire message. The PCs of the days, however, -suffered significant performance degradation when executing RSA so he -hit upon the idea of using SKC to encrypt the message and PKC to -encrypt the SKC key.

    -

    -The state of PGP is in flux as of the fall of 2002. -Zimmermann sold PGP to Network Associates, Inc. (NAI) in 1997 and -himself resigned from NAI in early 2001. In March 2002, NAI announced -that they were dropping support for the commercial version of PGP -having failed to find a buyer for the product willing to pay what NAI -wanted. In August 2002, PGP was purchased from NAI by PGP Corp. (http://www.pgp.com/).

    -
    - -

    5.6. IP Security (IPsec) Protocol

     -
    -

    -NOTE: The information in this section assumes -that the reader is familiar with the Internet Protocol (IP), at least -to the extent of the packet format and header contents. More -information about IP can be found in An Overview of TCP/IP Protocols and the Internet. More information about IPv6 can be found in IPv6: The Next Generation Internet Protocol.

    -
    -

    -The Internet and the TCP/IP protocol suite were not -built with security in mind. This statement is not meant as a -criticism; the baseline UDP, TCP, IP, and ICMP protocols were written -in 1980 and built for the relatively closed ARPANET community. TCP/IP -wasn't designed for the commercial-grade financial transactions that -they now see nor for virtual private networks (VPNs) on the Internet. -To bring TCP/IP up to today's security necessities, the Internet -Engineering Task Force (IETF) formed the IP Security Protocol Working Group -which, in turn, developed the IP Security (IPsec) protocol. IPsec is -not a single protocol, in fact, but a suite of protocols providing a -mechanism to provide data integrity, authentication, privacy, and -nonrepudiation for the classic Internet Protocol (IP). Although -intended primarily for IP version 6 (IPv6), IPsec can also be employed -by the current version of IP, namely IP version 4 (IPv4).

    -

    -As shown in Table 3, IPsec is described in nearly a dozen RFCs. RFC 4301, in particular, describes the overall IP security architecture and RFC 2411 provides an overview of the IPsec protocol suite and the documents describing it.

    -

    -IPsec can provide either message authentication and/or -encryption. The latter requires more processing than the former, but -will probably end up being the preferred usage for applications such as -VPNs and secure electronic commerce.

    -

    -Central to IPsec is the concept of a security association (SA). -Authentication and confidentiality using AH or ESP use SAs and a -primary role of IPsec key exchange it to establish and maintain SAs. An -SA is a simplex (one-way or unidirectional) logical connection between -two communicating IP endpoints that provides security services to the -traffic carried by it using either AH or ESP procedures. The endpoint -of an SA can be an IP host or IP security gateway (e.g., a proxy -server, VPN server, etc.). Providing security to the more typical -scenario of two-way (bi-directional) communication between two -endpoints requires the establishment of two SAs (one in each direction).

    -

    -An SA is uniquely identified by a 3-tuple composed of:

    -
      -
    • Security Parameter Index (SPI), a 32-bit identifier of the connection
      • -
    • IP Destination Address
      • -
    • security protocol (AH or ESP) identifier
      • -
    -

    -The IP Authentication Header (AH), described in RFC 4302, provides a mechanism for data integrity and data origin authentication for IP packets using HMAC with MD5 (RFC 2403), HMAC with SHA-1 (RFC 2404), or HMAC with RIPEMD (RFC 2857). See also RFC 4305.

    - -
    -
    - -
    -
    -    0                   1                   2                   3
-    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
-   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-   | Next Header   |  Payload Len  |          RESERVED             |
-   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-   |                 Security Parameters Index (SPI)               |
-   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-   |                    Sequence Number Field                      |
-   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-   |                                                               |
-   +                Integrity Check Value-ICV (variable)           |
-   |                                                               |
-   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-
    -

    -

    FIGURE 10: IPsec Authentication Header format. (From RFC 4302)

    -
    -
    -

    -

    -Figure 10 shows the format of the IPsec AH. The AH is -merely an additional header in a packet, more or less representing -another protocol layer above IP (this is shown in Figure 12 below). Use -of the IP AH is indicated by placing the value 51 (0x33) in the IPv4 -Protocol or IPv6 Next Header field in the IP packet header. The AH -follows mandatory IPv4/IPv6 header fields and precedes higher layer -protocol (e.g., TCP, UDP) information. The contents of the AH are:

    -
      -
    • Next Header: An 8-bit field that identifies the type of the next payload after the Authentication Header.
      • -
    • Payload Length: An 8-bit field that indicates the length of -AH in 32-bit words (4-byte blocks), minus "2". [The rationale for this -is somewhat counter intuitive but technically important. All IPv6 -extension headers encode the header extension length (Hdr Ext Len) -field by first subtracting 1 from the header length, which is measured -in 64-bit words. Since AH was originally developed for IPv6, it is an -IPv6 extension header. Since its length is measured in 32-bit words, -however, the Payload Length is calculated by subtracting 2 (32 bit -words) to maintain consistency with IPv6 coding rules.] In the default -case, the three 32-bit word fixed portion of the AH is followed by a -96-bit authentication value, so the Payload Length field value would be -4.
      • -
    • Reserved: This 16-bit field is reserved for future use and always filled with zeros.
      • -
    • Security Parameters Index (SPI): An arbitrary 32-bit value -that, in combination with the destination IP address and security -protocol, uniquely identifies the Security Association for this -datagram. The value 0 is reserved for local, implementation-specific -uses and values between 1-255 are reserved by the Internet Assigned -Numbers Authority (IANA) for future use.
      • -
    • Sequence Number: A 32-bit field containing a sequence number -for each datagram; initially set to 0 at the establishment of an SA. AH -uses sequence numbers as an anti-replay mechanism, to prevent a -"person-in-the-middle" attack. If anti-replay is enabled (the default), -the transmitted Sequence Number is never allowed to cycle back to 0; -therefore, the sequence number must be reset to 0 by establishing a new -SA prior to the transmission of the 232nd packet.
      • -
    • Authentication Data: A variable-length, 32-bit aligned field -containing the Integrity Check Value (ICV) for this packet (default -length = 96 bits). The ICV is computed using the authentication -algorithm specified by the SA, such as DES, MD5, or SHA-1. Other -algorithms may also be supported.
      • -
    -

    -The IP Encapsulating Security Payload (ESP), described in RFC 4303, -provides message integrity and privacy mechanisms in addition to -authentication. As in AH, ESP uses HMAC with MD5, SHA-1, or RIPEMD -authentication (RFC 2403/RFC 2404/RFC 2857); privacy is provided using DES-CBC encryption (RFC 2405), NULL encryption (RFC 2410), other CBC-mode algorithms (RFC 2451), or AES (RFC 3686). See also RFC 4305 and RFC 4308.

    - -
    -
    - -
    -
    -    0                   1                   2                   3
-    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
-   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ----
-   |               Security Parameters Index (SPI)                 | ^Int.
-   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |Cov-
-   |                      Sequence Number                          | |ered
-   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ----  
-   |                    Payload Data* (variable)                   | |   ^
-   ~                                                               ~ |   |
-   |                                                               | |Conf.
-   +               +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |Cov-
-   |               |     Padding (0-255 bytes)                     | |ered*
-   +-+-+-+-+-+-+-+-+               +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |   |
-   |                               |  Pad Length   | Next Header   | v   v
-   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ------
-   |         Integrity Check Value-ICV   (variable)                |
-   ~                                                               ~
-   |                                                               |
-   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-
-       * If included in the Payload field, cryptographic synchronization
-         data, e.g., an Initialization Vector (IV), usually is not
-         encrypted per se, although it often is referred to as being
-         being part of the ciphertext.
-
-
    -

    -

    FIGURE 11: IPsec Encapsulating Security Payload format. (From RFC 4303)

    -
    -
    -

    -

    -Figure 11 shows the format of the IPsec ESP information. -Use of the IP ESP format is indicated by placing the value 50 (0x32) in -the IPv4 Protocol or IPv6 Next Header field in the IP packet header. -The ESP header (i.e., SPI and sequence number) follows mandatory -IPv4/IPv6 header fields and precedes higher layer protocol (e.g., TCP, -UDP) information. The contents of the ESP packet are:

    -
      -
    • Security Parameters Index: (see description for this field in the AH, above.)
      • -
    • Sequence Number: (see description for this field in the AH, above.)
      • -
    • Payload Data: A variable-length field containing data as -described by the Next Header field. The contents of this field could be -encrypted higher layer data or an encrypted IP packet.
      • -
    • Padding: Between 0 and 255 octets of padding may be added to -the ESP packet. There are several applications that might use the -padding field. First, the encryption algorithm that is used may require -that the plaintext be a multiple of some number of bytes, such as the -block size of a block cipher; in this case, the Padding field is used -to fill the plaintext to the size required by the algorithm. Second, -padding may be required to ensure that the ESP packet and resulting -ciphertext terminate on a 4-byte boundary. Third, padding may be used -to conceal the actual length of the payload. Unless another value is -specified by the encryption algorithm, the Padding octets take on the -value 1, 2, 3, ... starting with the first Padding octet. This scheme -is used because, in addition to being simple to implement, it provides -some protection against certain forms of "cut and paste" attacks.
      • -
    • Pad Length: An 8-bit field indicating the number of bytes in the Padding field; contains a value between 0-255.
      • -
    • Next Header: An 8-bit field that identifies the type of data -in the Payload Data field, such as an IPv6 extension header or a higher -layer protocol identifier.
      • -
    • Authentication Data: (see description for this field in the AH, above.)
      • -
    -

    -Two types of SAs are defined in IPsec, regardless of whether AH or ESP is employed. A transport mode SA -is a security association between two hosts. Transport mode provides -the authentication and/or encryption service to the higher layer -protocol. This mode of operation is only supported by IPsec hosts. A tunnel mode SA -is a security association applied to an IP tunnel. In this mode, there -is an "outer" IP header that specifies the IPsec destination and an -"inner" IP header that specifies the destination for the IP packet. -This mode of operation is supported by both hosts and security gateways.

    - -
    -
    - -
    -
    -  ORIGINAL PACKET BEFORE APPLYING AH
-
-         ----------------------------
-   IPv4  |orig IP hdr  |     |      |
-         |(any options)| TCP | Data |
-         ----------------------------
-
-         ---------------------------------------
-   IPv6  |             | ext hdrs |     |      |
-         | orig IP hdr |if present| TCP | Data |
-         ---------------------------------------
-
-  AFTER APPLYING AH (TRANSPORT MODE)
-
-          -------------------------------------------------------
-    IPv4  |original IP hdr (any options) | AH | TCP |    Data   |
-          -------------------------------------------------------
-          |<- mutable field processing ->|<- immutable fields ->|
-          |<----- authenticated except for mutable fields ----->|
-
-         ------------------------------------------------------------
-   IPv6  |             |hop-by-hop, dest*, |    | dest |     |      |
-         |orig IP hdr  |routing, fragment. | AH | opt* | TCP | Data |
-         ------------------------------------------------------------
-         |<--- mutable field processing -->|<-- immutable fields -->|
-         |<---- authenticated except for mutable fields ----------->|
-
-               * = if present, could be before AH, after AH, or both
-
-
-  AFTER APPLYING AH (TUNNEL MODE)
-
-        ----------------------------------------------------------------
-   IPv4 |                              |    | orig IP hdr*  |   |      |
-        |new IP header * (any options) | AH | (any options) |TCP| Data |
-        ----------------------------------------------------------------
-        |<- mutable field processing ->|<------ immutable fields ----->|
-        |<- authenticated except for mutable fields in the new IP hdr->|
-
-        --------------------------------------------------------------
-   IPv6 |           | ext hdrs*|    |            | ext hdrs*|   |    |
-        |new IP hdr*|if present| AH |orig IP hdr*|if present|TCP|Data|
-        --------------------------------------------------------------
-        |<--- mutable field -->|<--------- immutable fields -------->|
-        |       processing     |
-        |<-- authenticated except for mutable fields in new IP hdr ->|
-
-          * = if present, construction of outer IP hdr/extensions and
-              modification of inner IP hdr/extensions is discussed in
-              the Security Architecture document.
-
-
    -

    -

    FIGURE 12: IPsec tunnel and transport modes for AH. (Adapted from RFC 4302)

    -
    -
    -

    -

    -Figure 12 show the IPv4 and IPv6 packet formats when -using AH in both transport and tunnel modes. Initially, an IPv4 packet -contains a normal IPv4 header (which may contain IP options), followed -by the higher layer protocol header (e.g., TCP or UDP), followed by the -higher layer data itself. An IPv6 packet is similar except that the -packet starts with the mandatory IPv6 header followed by any IPv6 -extension headers, and then followed by the higher layer data.

    -

    -Note that in both transport and tunnel modes, the entire IP packet is covered by the authentication except for the mutable fields. A field is mutable -if its value might change during transit in the network; IPv4 mutable -fields include the fragment offset, time to live, and checksum fields. -Note, in particular, that the address fields are not mutable.

    -
    - -
    -
    - -
    -
    -    ORIGINAL PACKET BEFORE APPLYING ESP
-
-            ----------------------------
-      IPv4  |orig IP hdr  |     |      |
-            |(any options)| TCP | Data |
-            ----------------------------
-
-            ---------------------------------------
-      IPv6  |             | ext hdrs |     |      |
-            | orig IP hdr |if present| TCP | Data |
-            ---------------------------------------
-
-
-    AFTER APPLYING ESP (TRANSPORT MODE)
-
-            -------------------------------------------------
-      IPv4  |orig IP hdr  | ESP |     |      |   ESP   | ESP|
-            |(any options)| Hdr | TCP | Data | Trailer | ICV|
-            -------------------------------------------------
-                                |<---- encryption ---->|
-                          |<-------- integrity ------->|
-
-            ---------------------------------------------------------
-      IPv6  | orig |hop-by-hop,dest*,|   |dest|   |    | ESP   | ESP|
-            |IP hdr|routing,fragment.|ESP|opt*|TCP|Data|Trailer| ICV|
-            ---------------------------------------------------------
-                                         |<--- encryption ---->|
-                                     |<------ integrity ------>|
-
-                * = if present, could be before ESP, after ESP, or both
-
-
-    AFTER APPLYING ESP (TUNNEL MODE)
-
-            -----------------------------------------------------------
-      IPv4  | new IP hdr+ |     | orig IP hdr+  |   |    | ESP   | ESP|
-            |(any options)| ESP | (any options) |TCP|Data|Trailer| ICV|
-
-            -----------------------------------------------------------
-                                |<--------- encryption --------->|
-                          |<------------- integrity ------------>|
-
-            ------------------------------------------------------------
-      IPv6  | new+ |new ext |   | orig+|orig ext |   |    | ESP   | ESP|
-            |IP hdr| hdrs+  |ESP|IP hdr| hdrs+   |TCP|Data|Trailer| ICV|
-            ------------------------------------------------------------
-                                |<--------- encryption ---------->|
-                            |<------------ integrity ------------>|
-
-            + = if present, construction of outer IP hdr/extensions and
-                modification of inner IP hdr/extensions is discussed in
-                the Security Architecture document.
-
-
    -

    -

    FIGURE 13: IPsec tunnel and transport modes for ESP. (Adapted from RFC 4303)

    -
    -
    -

    -

    -Figure 13 shows the IPv4 and IPv6 packet formats when using ESP in both transport and tunnel modes.

    -
      -
    • As with AH, we start with a standard IPv4 or IPv6 packet.
      • -
    • In transport mode, the higher layer header and data, as well as ESP -trailer information, is encrypted and the entire ESP packet is -authenticated. In the case of IPv6, some of the IPv6 extension options -can precede or follow the ESP header.
      • -
    • In tunnel mode, the original IP packet is encrypted and placed -inside of an "outer" IP packet, while the entire ESP packet is -authenticated.
      • -
    -

    -Note a significant difference in the scope of ESP and -AH. AH authenticates the entire packet transmitted on the network -whereas ESP only covers a portion of the packet transmitted on the -network (the higher layer data in transport mode and the entire -original packet in tunnel mode). The reason for this is -straight-forward; in AH, the authentication data for the transmission -fits neatly into an additional header whereas ESP creates an entirely -new packet which is the one encrypted and/or authenticated. But the -ramifications are significant. ESP transport mode as well as AH in both -modes protect the IP address fields of the original transmissions. -Thus, using IPsec in conjunction with network address translation (NAT) -might be problematic because NAT changes the values of these fields after IPsec processing.

    -

    -The third component of IPsec is the establishment of -security associations and key management. These tasks can be -accomplished in one of two ways.

    -

    -The simplest form of SA and key management is manual -management. In this method, a security administer or other individual -manually configures each system with the key and SA management data -necessary for secure communication with other systems. Manual -techniques are practical for small, reasonably static environments but -they do not scale well.

    -

    -For successful deployment of IPsec, however, a scalable, -automated SA/key management scheme is necessary. Several protocols have -defined for these functions:

    -
      -
    • The Internet Security Association and Key Management -Protocol (ISAKMP) defines procedures and packet formats to establish, -negotiate, modify and delete security associations, and provides the -framework for exchanging information about authentication and key -management (RFC 2407/RFC 2408). ISAKMP's security association and key management is totally separate from key exchange.
      • -
    • The OAKLEY Key Determination Protocol (RFC 2412) -describes a scheme by which two authenticated parties can exchange key -information. OAKLEY uses the Diffie-Hellman key exchange algorithm.
      • -
    • The Internet Key Exchange (IKE) algorithm (RFC 2409) is the default automated key management protocol for IPsec.
      • -
    • An alternative to IKE is Photuris (RFC 2522/RFC 2523), -a scheme for establishing short-lived session-keys between two -authenticated parties without passing the session-keys across the -Internet. IKE typically creates keys that may have very long lifetimes.
      • -
    -

    -On a final note, IPsec authentication for both AH and ESP uses a scheme called HMAC, a keyed-hashing message authentication code described in FIPS 198 and RFC 2104. -HMAC uses a shared secret key between two parties rather than public -key methods for message authentication. The generic HMAC procedure can -be used with just about any hash algorithm, although IPsec specifies -support for at least MD5 and SHA-1 because of their widespread use.

    -

    -In HMAC, both parties share a secret key. The secret key -will be employed with the hash algorithm in a way that provides mutual -authentication without transmitting the key on the line. IPsec key -management procedures will be used to manage key exchange between the -two parties.

    -

    -Recall that hash functions operate on a fixed-size block -of input at one time; MD5 and SHA-1, for example, work on 64 byte -blocks. These functions then generate a fixed-size hash value; MD5 and -SHA-1, in particular, produce 16 byte (128 bit) and 20 byte (160 bit) -output strings, respectively. For use with HMAC, the secret key (K) -should be at least as long as the hash output.

    -

    -The following steps provide a simplified, although -reasonably accurate, description of how the HMAC scheme would work with -a particular plaintext MESSAGE:

    -
      -
    1. Pad K so that it is as long as an input block; call this padded key Kp.
      2. -
    2. Compute the hash of the padded key followed by the message, i.e., HASH (Kp:MESSAGE).
      3. -
    3. Transmit MESSAGE and the hash value.
      4. -
    4. The receiver does the same procedure to pad K to create Kp.
      5. -
    5. The receiver computes HASH (Kp:MESSAGE).
      6. -
    6. The receiver compares the computed hash value with the received -hash value. If they match, then the sender must know the secret key and -the message is authenticated.
      7. -
    -
    - -

    -

    5.7. The SSL "Family" of Secure Transaction Protocols for the World Wide Web

     -

    -The Secure Sockets Layer (SSL) -protocol was developed by Netscape Communications to provide -application-independent secure communication over the Internet for -protocols such as the Hypertext Transfer Protocol (HTTP). SSL employs -RSA and X.509 certificates during an initial handshake used to -authenticate the server (client authentication is optional). The client -and server then agree upon an encryption scheme; SSL v2 supports RC2 -and RC4 with 40-bit keys, while SSL v3 adds support for DES, RC4 with a -128-bit key, and 3DES with a 168-bit key, all along with either MD5 or -SHA-1 message hashes. SSL v3 is the commonly supported version on -servers today, although some implementations of SSL v2 will still be -found; both are supported by most common browsers (Figure 14).

    - -
    -
    - -

    -

    FIGURE 14: SSL v3 configuration screen (Netscape Navigator).

    -
    -
    -
    -

    -In 1997, SSL v3 was found to be breakable. By this time, -the Internet Engineering Task Force (IETF) had already started work on -a new, non-proprietary protocol called Transport Layer Security (TLS), -described in RFC 2246. TLS extends SSL and supports additional crypto schemes, such as Diffie-Hellman key exchange and DSS digital signatures; RFC 4279 -describes the pre-shared key crypto schemes supported by TLS. TLS is -backward compatible with SSL (and, in fact, is recognized as SSL v3.1).

    - -
    -
    -
                           CLIENT       SERVER
- (using URL of form https://)       (listening on port 443) 
-
-                  ClientHello ---->
-
-                                    ServerHello
-                                    Certificate*
-                                    ServerKeyExchange*
-                                    CertificateRequest*
-                              <---- ServerHelloDone
-
-                 Certificate*
-            ClientKeyExchange
-            CertifcateVerify*
-           [ChangeCipherSpec]
-                     Finished ---->
-
-                                    [ChangeCipherSpec]
-                              <---- Finished
-
-             Application Data <---> Application Data
-
-
-
-* Optional or situation-dependent messages;
-  not always sent
-
-                                     Adapted from RFC 2246
-
    -
    -

    FIGURE 15: SSL/TLS protocol handshake.

    -
    -
    -
    -

    -Figure 15 shows the basic TLS (and SSL) message exchanges: -

      -
    1. URLs specifying the protocol https:// are -directed to HTTP servers secured using SSL/TLS. The client will -automatically try to make a TCP connection to the server at port 443. -The client initiates the secure connection by sending a ClientHello -message containing a Session identifier, highest SSL version number -supported by the client, and lists of supported crypto and compression -schemes (in preference order). -
    2. The server examines the Session ID and if it is still in the -server's cache, it will attempt to re-establish a previous session with -this client. If the Session ID is not recognized, the server will -continue with the handshake to establish a secure session by responding -with a ServerHello message. The ServerHello -repeats the Session ID, indicates the SSL version to use for this -connection (which will be the highest SSL version supported by the -server and client), and specifies which encryption method and -compression method to be used for this connection. -
    3. There are a number of other optional messages that the server might send, including: -
        -
      • Certificate, which carries the server's -X.509 public key certificate (and, generally, the server's public key). -This message will always be sent unless the client and server have -already agreed upon some form of anonymous key exchange. (This message -is normally sent.) -
      • ServerKeyExchange, which will carry a premaster secret when -the server's Certificate message does not contain enough data for this purpose; used in some key exchange schemes. -
      • CertificateRequest, used to request the client's certificate in those scenarios where client authentication is performed. -
      • ServerHelloDone, indicating that the server has completed its portion of the key exchange handshake. -
      -
    4. The client now responds with a series of mandatory and optional messages: -
        -
      • Certificate, contains the client's public key certificate when it has been requested by the server. -
      • ClientKeyExchange, which usually carries the secret key to be used with the secret key crypto scheme. -
      • CertificateVerify, used to provide explicit verification of a client's certificate if the server is authenticating the client. -
      -
    5. TLS includes the change cipher spec protocol to indicate -changes in the encryption method. This protocol contains a single -message, ChangeCipherSpec, which is encrypted and compressed using the current (rather than the new) encryption and compression schemes. The ChangeCipherSpec -message is sent by both client and server to notify the other station -that all following information will employ the newly negotiated cipher -spec and keys. -
    6. The Finished message is sent after a ChangeCipherSpec message to confirm that the key exchange and authentication processes were successful. -
    7. At this point, both client and server can exchange application data using the session encryption and compression schemes. - -

      - -Side Note: It would probably be helpful to make some mention of -SSL as it is used today. Most of us have used SSL to engage in a -secure, private transaction with some vendor. The steps are something -like this. During the SSL exchange with the vendor's secure server, the -server sends its certificate to our client software. The certificate -includes the vendor's public key and a signature from the CA that -issued the vendor's certificate. Our browser software is shipped with -the major CAs' certificates which contains their public key; in that -way we authenticate the server. Note that the server does not -use a certificate to authenticate us! Instead, we are generally -authenticated when we provide our credit card number; the server checks -to see if the card purchase will be authorized by the credit card -company and, if so, considers us valid and authenticated! While -bidirectional authentication is certainly supported by SSL, this form -of asymmetric authentication is more commonly employed today since most -users don't have certificates. -

      -Microsoft's -Server Gated Cryptography (SGC) -protocol is another extension to SSL/TLS. For several decades, it has -been illegal to generally export products from the U.S. that employed -secret-key cryptography with keys longer than 40 bits. For that reason, -SSL/TLS has an exportable version with weak (40-bit) keys and a -domestic (North American) version with strong (128-bit) keys. Within -the last several years, however, use of strong SKC has been approved -for the worldwide financial community. SGC is an extension to SSL that -allows financial institutions using Windows NT servers to employ strong -cryptography. Both the client and server must implement SGC and the -bank must have a valid SGC certificate. During the initial handshake, -the server will indicate support of SGC and supply its SGC certificate; -if the client wishes to use SGC and validates the server's SGC -certificate, the session can employ 128-bit RC2, 128-bit RC4, 56-bit -DES, or 168-bit 3DES. Microsoft supports SGC in the Windows 95/98/NT -versions of Internet Explorer 4.0, Internet Information Server (IIS) -4.0, and Money 98. -

      As mentioned above, SSL was designed to provide -application-independent transaction security for the Internet. Although -the discussion above has focused on HTTP over SSL (https/TCP port 443), -SSL is also applicable to: -

      -
      - - - - - - - - -
      Protocol -  -TCP Port Name/Number - -
      File Transfer Protocol (FTP) -  -ftps-data/989 & ftps/990 - -
      Internet Message Access Protocol v4 (IMAP4) -  -imaps/993 - -
      Lightweight Directory Access Protocol (LDAP) -  -ldaps/636 - -
      Network News Transport Protocol (NNTP) -  -nntps/563 - -
      Post Office Protocol v3 (POP3) -  -pop3s/995 - -
      Telnet -  -telnets/992 -
      -
      -

      - -

      5.8. Elliptic Curve Cryptography

       -

      In general, public-key cryptography systems use hard-to-solve -problems as the basis of the algorithm. The most predominant algorithm -today for public-key cryptography is RSA, based on the prime factors of -very large integers. While RSA can be successfully attacked, the -mathematics of the algorithm have not been comprised, per se; instead, -computational brute-force has broken the keys. The defense is "simple" -— keep the size of the integer to be factored ahead of the -computational curve!

      -

      -In 1985, Elliptic Curve Cryptography (ECC) was proposed independently -by cryptographers Victor Miller (IBM) and Neal Koblitz (University of -Washington). ECC is based on the difficulty of solving the Elliptic -Curve Discrete Logarithm Problem (ECDLP). Like the prime factorization -problem, ECDLP is another "hard" problem that is deceptively simple to -state: Given two points, P and Q, on an elliptic curve, find the -integer n, if it exists, such that P = nQ.

      -

      -Elliptic curves combine number theory and algebraic geometry. These -curves can be defined over any field of numbers (i.e., real, integer, -complex) although we generally see them used over finite fields for -applications in cryptography. An elliptic curve consists of the set of -real numbers (x, y) that satisfies the equation:

      -

      -y2 = x3 + ax + b

      -

      -The set of all of the solutions to the equation forms the elliptic curve. Changing a and b -changes the shape of the curve, and small changes in these parameters -can result in major changes in the set of (x,y) solutions.

      -
      -
      - -

      -

      FIGURE 16: Elliptic curve addition.

      -
      -
      -
      -

      -Figure 16 shows the addition of two points on an elliptic curve. -Elliptic curves have the interesting property that adding two points on -the elliptic curve yields a third point on the curve. Therefore, adding -two points, P1 and P2, gets us to point P3, also on the curve. Small -changes in P1 or P2 can cause a large change in the position of P3.

      -

      -So let's go back to the original problem statement from above. The -point Q is calculated as a multiple of the starting point, P, or, Q = nP. An attacker might know P and Q but finding the integer, n, is a difficult problem to solve. Q is the public key, then, and n is the private key.

      -

      -RSA has been the mainstay of PKC for over two decades. But ECC is -exciting because of their potential to provide similar levels of -security compared to RSA but with significantly reduced key sizes. -Certicom Corp. (www.certicom.com), one of the major proponents of ECC, suggests the key size relationship between ECC and RSA per the following table:

      -
      - - - - - - - - -
      -TABLE 4. ECC and RSA Key Comparison. -
      RSA Key Size -Time to Break Key
      (MIPS Years) -      		ECC Key Size -RSA:ECC Key-Size
      Ratio - -
      512 -104 -106 -5:1 - -
      768 -108 -132 -6:1 - -
      1,024 -1011 -160 -7:1 - -
      2,048 -1020 -210 -10:1 - -
      21,000 -1078 -600 -35:1 -
      -
      -

      -

      -Since the ECC key sizes are so much shorter than comparable RSA keys, -the length of the public key and private key is much shorter in -elliptic curve cryptosystems. Presumably, this translates into faster -processing, and lower demands on memory and bandwidth. In practice, the -final results are not yet in; RSA, Inc. notes that ECC is faster than -RSA for signing and decryption, but slower than RSA for signature -verification and encryption.

      -

      -Nevertheless, ECC is particularly useful in applications where memory, -bandwidth, and/or computational power is limited (e.g., a smartcard) -and it is in this area that ECC use is expected to grow. A major -champion of ECC today is Certicom; readers are urged to see their ECC online tutorial.

      -

      - -

      5.9. The Advanced Encryption Standard and Rijndael

       -

      -The search for a replacement to DES started in January 1997 when NIST -announced that it was looking for an Advanced Encryption Standard. In -September of that year, they put out a formal Call for Algorithms and -in August 1998 announced that 15 candidate algorithms were being -considered (Round 1). In April 1999, NIST announced that the 15 had -been whittled down to five finalists (Round 2): MARS (multiplication, addition, rotation and substitution) from IBM; Ronald Rivest's RC6; Rijndael from a Belgian team; Serpent, developed jointly by a team from England, Israel, and Norway; and Twofish, developed by Bruce Schneier. In October 2000, NIST announced their selection: Rijndael.

      -

      -The remarkable thing about this entire process has been the openness as -well as the international nature of the "competition." NIST has -maintained an excellent Web site devoted to keeping the public fully -informed, at http://csrc.nist.gov/encryption/aes/. Their Overview of the AES Development Effort has full details of the process, algorithms, and comments so I will not repeat everything here.

      -

      -In October 2000, NIST released the Report on the Development of the Advanced Encryption Standard (AES) -that compared the five Round 2 algorithms in a number of categories. -The table below summarizes the relative scores of the five schemes -(1=low, 3=high):

      - - - - - - - - - - -
      -Algorithm -
      Category -MARS -RC6 -Rijndael -Serpent -Twofish -
      General security -3 -2 -2 -3 -3 -
      Implementation of security -1 -1 -3 -3 -2 -
      Software performance -2 -2 -3 -1 -1 -
      Smart card performance -1 -1 -3 -3 -2 -
      Hardware performance -1 -2 -3 -3 -2 -
      Design features -2 -1 -2 -1 -3 -
      - -

      -With the report came the recommendation that Rijndael be named the AES. In February 2001, NIST released the Draft Federal Information Processing Standard (FIPS) AES Specification -for public review and comment. AES contains a subset of Rijndael's -capabilities (e.g., AES only supports a 128-bit block size) and uses -some slightly different nomenclature and terminology, but to understand -one is to understand both. The 90-day comment period ended on May 29, -2001 and the U.S. Department of Commerce officially adopted AES in -December 2001, published as FIPS PUB 197.

      - -

      AES (Rijndael) Overview

      -

      -Rijndael (pronounced as in "rain doll" or "rhine dahl") is a block -cipher designed by Joan Daemen and Vincent Rijmen, both cryptographers -in Belgium. Rijndael can operate over a variable-length block using -variable-length keys; the version 2 specification -submitted to NIST describes use of a 128-, 192-, or 256-bit key to -encrypt data blocks that are 128, 192, or 256 bits long; note that all -nine combinations of key length and block length are possible. The -algorithm is written in such a way that block length and/or key length -can easily be extended in multiples of 32 bits and it is specifically -designed for efficient implementation in hardware or software on a -range of processors. The design of Rijndael was strongly influenced by -the block cipher called Square, also designed by Daemen and Rijmen.

      -

      -Rijndael is an iterated block cipher, meaning that the initial input -block and cipher key undergoes multiple rounds of transformation before -producing the output. Each intermediate cipher result is called a State.

      -

      -For ease of description, the block and cipher key are often represented -as an array of columns where each array has 4 rows and each column -represents a single byte (8 bits). The number of columns in an array -representing the state or cipher key, then, can be calculated as the -block or key length divided by 32 (32 bits = 4 bytes). An array -representing a State will have Nb columns, where Nb -values of 4, 6, and 8 correspond to a 128-, 192-, and 256-bit block, -respectively. Similarly, an array representing a Cipher Key will have Nk columns, where Nk values of 4, 6, and 8 correspond to a 128-, 192-, and 256-bit key, respectively. An example of a 128-bit State (Nb=4) and 192-bit Cipher Key (Nk=6) is shown below:

      - - - -
      - - - - - - - - - - - - - - - - - - - - - -
      s0,0s0,1s0,2s0,3
      s1,0s1,1s1,2s1,3
      s2,0s2,1s2,2s2,3
      s3,0s3,1s3,2s3,3
      - -      		  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      k0,0k0,1k0,2k0,3k0,4k0,5
      k1,0k1,1k1,2k1,3k1,4k1,5
      k2,0k2,1k2,2k2,3k2,4k2,5
      k3,0k3,1k3,2k3,3k3,4k3,5
      -
      - -

      -The number of transformation rounds (Nr) in Rijndael is a function of the block length and key length, and is given by the table below:

      - - - - - - - -
      No. of Rounds
      Nr -      		Block Size -
      128 bits
      Nb = 4 -      		192 bits
      Nb = 6 -      		256 bits
      Nb = 8 - -
      Key
      Size -      		128 bits
      Nk = 4 -      		10 -12 -14 -
      192 bits
      Nk = 6 -      		12 -12 -14 -
      256 bits
      Nk = 8 -      		14 -14 -14 -
      - -

      -Now, having said all of this, the AES version of Rijndael does not -support all nine combinations of block and key lengths, but only the -subset using a 128-bit block size. NIST calls these supported variants -AES-128, AES-192, and AES-256 where the number refers to the key size. -The Nb, Nk, and Nr values supported in AES are:

      - - - - - - - -
      -Parameters -
      Variant -Nb -Nk -Nr -
      AES-128 -4 -4 -10 -
      AES-192 -4 -6 -12 -
      AES-256 -4 -8 -14 -
      - -

      -The AES/Rijndael cipher itself has three operational stages:

      -
        -
      • AddRound Key transformation -
      • Nr-1 Rounds comprising: -
          -
        • SubBytes transformation -
        • ShiftRows transformation -
        • MixColumns transformation -
        • AddRoundKey transformation -
        -
      • A final Round comprising: -
          -
        • SubBytes transformation -
        • ShiftRows transformation -
        • AddRoundKey transformation -
        -
      - -

      -The paragraphs below will describe the operations mentioned above. The -nomenclature used below is taken from the AES specification although -references to the Rijndael specification are made for completeness. The -arrays s and s' refer to the State before and after a transformation, respectively (NOTE: -The Rijndael specification uses the array nomenclature a and b to refer -to the before and after States, respectively). The subscripts i and j are used to indicate byte locations within the State (or Cipher Key) array.

      - -

      The SubBytes transformation

      -

      -The substitute bytes (called ByteSub in Rijndael) transformation operates on each of the State bytes independently and changes the byte value. An S-box, or substitution table, -controls the transformation. The characteristics of the S-box -transformation as well as a compliant S-box table are provided in the -AES specification; as an example, an input State byte value of 107 -(0x6b) will be replaced with a 127 (0x7f) in the output State and an -input value of 8 (0x08) would be replaced with a 48 (0x30).

      -

      -One way to think of the SubBytes transformation is that a given byte in -State s is given a new value in State s' according to the S-box. The -S-box, then, is a function on a byte in State s so that:

      - -

      s'i,j = S-box (si,j)

      - -

      -The more general depiction of this transformation is shown by:

      - - - -
      - - - - - - - - - - - - - - - - - - - - - -
      s0,0s0,1s0,2s0,3
      s1,0s1,1s1,2s1,3
      s2,0s2,1s2,2s2,3
      s3,0s3,1s3,2s3,3
      - -      		 - - -
      ====>
      - -      		 - - -
      S-box
      - -      		 - - -
      ====>
      - -      		 - - - - - - - - - - - - - - - - - - - - - -
      s'0,0s'0,1s'0,2s'0,3
      s'1,0s'1,1s'1,2s'1,3
      s'2,0s'2,1s'2,2s'2,3
      s'3,0s'3,1s'3,2s'3,3
      -
      - -

      The ShiftRows transformation

      -

      -The shift rows (called ShiftRow in Rijndael) -transformation cyclically shifts the bytes in the bottom three rows of -the State array. According to the more general Rijndael specification, -rows 2, 3, and 4 are cyclically left-shifted by C1, C2, and C3 bytes, -respectively, per the table below:

      - - - - - - -
      Nb -C1 -C2 -C3 -
      4 -1 -2 -3 -
      6 -1 -2 -3 -
      8 -1 -3 -4 -
      - -

      -The current version of AES, of course, only allows a block size of 128 bits (Nb = 4) so that C1=1, C2=2, and C3=3. The diagram below shows the effect of the ShiftRows transformation on State s:

      - - - -
      - - - - - - - - - - - - - - - - - - - - - - -
      State s
      s0,0s0,1s0,2s0,3
      s1,0s1,1s1,2s1,3
      s2,0s2,1s2,2s2,3
      s3,0s3,1s3,2s3,3
      - -      		 - - - - - - -
       
      ----------- no shift -----------> 
      ----> left-shift by C1 (1) ----> 
      ----> left-shift by C2 (2) ----> 
      ----> left-shift by C3 (3) ----> 
      - -      		 - - - - - - - - - - - - - - - - - - - - - - -
      State s'
      s0,0s0,1s0,2s0,3
      s1,1s1,2s1,3s1,0
      s2,2s2,3s2,0s2,1
      s3,3s3,0s3,1s3,2
      -
      - -

      The MixColumns transformation

      -

      -The mix columns (called MixColumn in Rijndael) -transformation uses a mathematical function to transform the values of -a given column within a State, acting on the four values at one time as -if they represented a four-term polynomial. In essence, if you think of -MixColumns as a function, this could be written:

      - -

      s'i,c = MixColumns (si,c)

      - -

      -for 0<=i<=3 for some column, c. The column position doesn't change, merely the values within the column.

      - -

      Round Key generation and the AddRoundKey transformation

      -

      -The AES Cipher Key can be 128, 192, or 256 bits in length. The Cipher -Key is used to derive a different key to be applied to the block during -each round of the encryption operation. These keys are called the Round -Keys and each will be the same length as the block, i.e., Nb 32-bit words (words will be denoted W).

      -

      -The AES specification defines a key schedule by which the original Cipher Key (of length Nk 32-bit words) is used to form an Expanded Key. The Expanded Key size is equal to the block size times the number of encryption rounds plus 1, which will provide Nr+1 different keys. (Note that there are Nr encipherment rounds but Nr+1 AddRoundKey transformations.)

      -

      -Consider that AES uses a 128-bit block and either 10, 12, or 14 -iterative rounds depending upon key length. With a 128-bit key, for -example, we would need 1408 bits of key material (128x11=1408), or an -Expanded Key size of 44 32-bit words (44x32=1408). Similarly, a 192-bit -key would require 1664 bits of key material (128x13), or 52 32-bit -words, while a 256-bit key would require 1920 bits of key material -(128x15), or 60 32-bit words. The key expansion mechanism, then, starts -with the 128-, 192-, or 256-bit Cipher Key and produces a 1408-, 1664-, -or 1920-bit Expanded Key, respectively. The original Cipher Key -occupies the first portion of the Expanded Key and is used to produce -the remaining new key material.

      -

      -The result is an Expanded Key that can be thought of and used as 11, -13, or 15 separate keys, each used for one AddRoundKey operation. -These, then, are the Round Keys. The diagram below shows an example using a 192-bit Cipher Key (Nk=6), shown in magenta italics:

      - - - - -
      Expanded Key: -W0 -W1 -W2 -W3 -W4 -W5 -W6 -W7 -W8 -W9 -W10 -W11 -W12 -W13 -W14 -W15 -... -W44 -W45 -W46 -W47 -W48 -W49 -W50 -W51 -
      Round keys: -Round key 0 -Round key 1 -Round key 2 -Round key 3 -... -Round key 11 -Round key 12 -
      -

      -The AddRoundKey (called Round Key addition in Rijndael) -transformation merely applies each Round Key, in turn, to the State by -a simple bit-wise exclusive OR operation. Recall that each Round Key is -the same length as the block.

      - -

      Summary

      -

      -Ok, I hope that you've enjoyed reading this as much as I've enjoyed -writing it — and now let me guide you out of the microdetail! Recall -from the beginning of the AES overview that the cipher itself comprises -a number of rounds of just a few functions:

      -
        -
      • SubBytes takes the value of a word within a State and substitutes it with another value by a predefined S-box -
      • ShiftRows circularly shifts each row in the State by some number of predefined bytes -
      • MixColumns takes the value of a 4-word column within the State and changes the four values using a predefined mathematical function -
      • AddRoundKey XORs a key that is the same length as the block, using an Expanded Key derived from the original Cipher Key -
      - -
      - -
      Cipher (byte in[4*Nb], byte out[4*Nb], word w[Nb*(Nr+1)])
-begin
-  byte state[4,Nb]
-
-  state = in
-
-  AddRoundKey(state, w)
-
-  for round = 1 step 1 to Nr-1
-    SubBytes(state)
-    ShiftRows(state)
-    MixColumns(state)
-    AddRoundKey(state, w+round*Nb)
-  end for
-
-  SubBytes(state)
-  ShiftRows(state)
-  AddRoundKey(state, w+Nr*Nb)
-
-  out = state
-end
-
      -

      -

      FIGURE 17: AES pseudocode.

      -
      - -
      - -

      -As a last and final demonstration of the operation of AES, Figure 17 is -a pseudocode listing for the operation of the AES cipher. In the code:

      -
        -
      • in[] and out[] are 16-byte arrays with the plaintext -and cipher text, respectively. (According to the specification, both of -these arrays are actually 4*Nb bytes in length but Nb=4 in AES.) -
      • state[] is a 2-dimensional array containing bytes in 4 rows and 4 columns. (According to the specification, this arrays is 4 rows by Nb columns.) -
      • w[] is an array containing the key material and is 4*(Nr+1) words in length. (Again, according to the specification, the multiplier is actually Nb.) -
      • AddRoundKey(), SubBytes(), ShiftRows(), and MixColumns() are functions representing the individual transformations. -
      - -
      -

      5.10. Cisco's Stream Cipher

       -

      -Stream ciphers take advantage of the fact that:

      -

      -x XOR y XOR y = x

      -

      -One of the encryption schemes employed by Cisco routers to encrypt -passwords is a stream cipher. It uses the following fixed keystream -(thanks also to Jason Fossen for independently extending and confirming -this string):

      -

      -dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncx

      -

      -When a password is to be encrypted, the password function chooses a -number between 0 and 15, and that becomes the offset into the -keystream. Password characters are then XORed byte-by-byte with the -keystream according to:

      -

      -Ci = Pi XOR K(offset+i)

      -

      -where K is the keystream, P is the plaintext password, and C is the ciphertext password.

      -

      -Consider the following example. Suppose we have the password abcdefgh. Converting the ASCII characters yields the hex string 0x6162636465666768.

      -

      -The keystream characters and hex code that supports an offset from 0 to 15 bytes and a password length up to 24 bytes is:

      -

      -  d s f d ; k f o A , . i y e w r k l d J K D H S U B s g v c a 6 9 8 3 4 n c x
      -0x647366643b6b666f412c2e69796577726b6c644a4b4448535542736776636136393833346e6378

      -

      -Let's say that the function decides upon a keystream offset of 6 bytes. -We then start with byte 6 of the keystream (start counting the offset -at 0) and XOR with the password:

      -

      -     0x666f412c2e697965
      -XOR 0x6162636465666768
      -     ------------------
      -     0x070D22484B0F1E0D

      -

      -The password would now be displayed in the router configuration as:

      -

      -password 7 06070D22484B0F1E0D

      -

      -where the "7" indicates the encryption type, the leading "06" indicates -the offset into the keystream, and the remaining bytes are the -encrypted password characters. (Decryption is pretty trivial so that -exercise is left to the reader. If you need some help with byte-wise -XORing, see http://www.garykessler.net/library/byte_logic_table.html.)

      - -

      -

      6. CONCLUSION... OF SORTS

      -

      -This paper has briefly described how cryptography works. The reader -must beware, however, that there are a number of ways to attack every -one of these systems; cryptanalysis and attacks on cryptosystems, -however, are well beyond the scope of this paper. In the words of -Sherlock Holmes (ok, Arthur Conan Doyle, really), "What one man can -invent, another can discover" ("The Adventure of the Dancing Men"). -

      Cryptography is a particularly interesting field because of the -amount of work that is, by necessity, done in secret. The irony is that -today, secrecy is not -the key to the goodness of a cryptographic algorithm. Regardless of the -mathematical theory behind an algorithm, the best algorithms are those -that are well-known and well-documented because they are also -well-tested and well-studied! In fact, time is the only true -test of good cryptography; any cryptographic scheme that stays in use -year after year is most likely a good one. The strength of cryptography -lies in the choice (and management) of the keys; longer keys will resist attack better than shorter keys.

      -

      -The corollary to this is that consumers should run, not walk, away from -any product that uses a proprietary cryptography scheme, ostensibly -because the algorithm's secrecy is an advantage. This observation about -not using "secret" crypto schemes has been a fundamental hallmark of -cryptography for well over 100 years; it was first stated explicitly by -Dutch linguist Auguste Kerckhoffs von Nieuwenhoff in his 1883 (yes, 1883) text titled La Cryptographie militaire, and has therefore become known as "Kerckhoffs' Principle."

      -
      - -

      7. REFERENCES AND FURTHER READING

      - - -

      -And for a purely enjoyable fiction book that combines cryptography and history, check out Neal Stephenson's Crytonomicon -(published May 1999). You will also find in it a new secure crypto -scheme based upon an ordinary deck of cards (ok, you need the -jokers...) called the Solitaire Encryption Algorithm, developed by Bruce Schneier.

      - - - -
      - -

      -Finally, I am not in the clothing business although I do have an -impressive t-shirt collection (over 350 and counting!). If you want to -proudly wear the DES (well, actually the IDEA) encryption algorithm, be -sure to see 2600 Magazine's DES Encryption Shirt, found at http://store.yahoo.com/2600hacker/desenshir.html (left). A t-shirt with Adam Back's RSA Perl code can be found at http://www.cypherspace.org/~adam/uk-shirt.html (right).

      -      		 -
      - -
      -

      APPENDIX. SOME MATH NOTES

      -

      -A number of readers over time have asked for some rudimentary -background on a few of the less well-known mathematical functions -mentioned in this paper. Although this is purposely not -a mathematical treatise, some of the math functions mentioned here are -essential to grasping how modern crypto functions work. To that end, -some of the mathematical functions mentioned in this paper are defined -in greater detail below.

      - -

      A.1. The Exclusive-OR (XOR) Function

       -

      -Exclusive OR (XOR) is one of the fundamental mathematical operations -used in cryptography (and many other applications). George Boole, a -mathematician in the late 1800s, invented a new form of "algebra" that -provides the basis for building electronic computers and microprocessor -chips. Boole defined a bunch of primitive logical operations where -there are one or two inputs and a single output depending upon the -operation; the input and output are either TRUE or FALSE. The most -elemental Boolean operations are:

      -
        -
      • NOT: The output value is the inverse of the input value (i.e., the -output is TRUE if the input is false, FALSE if the input is true) -
      • AND: The output is TRUE if all inputs are true, otherwise -FALSE. (E.g., "the sky is blue AND the world is flat" is FALSE while -"the sky is blue AND security is a process" is TRUE.) -
      • OR: The output is TRUE if either or both inputs are true, -otherwise FALSE. (E.g., "the sky is blue OR the world is flat" is TRUE -and "the sky is blue OR security is a process" is TRUE.) -
      • XOR (Exclusive OR): The output is TRUE if exactly one of the -inputs is TRUE, otherwise FALSE. (E.g., "the sky is blue XOR the world -is flat" is TRUE while "the sky is blue XOR security is a process" is -FALSE.) -
      - -

      -I'll only discuss XOR for now and demonstrate its function by the use of a so-called truth tables. In computers, Boolean logic is implemented in logic gates; for design purposes, XOR has two inputs and a single output, and its logic diagram looks like this:

      - - - - - - - - - - - - - - - - - -
      XOR01
      001
      110
      - -

      So, in an XOR operation, the output will be a 1 if one input is a 1; -otherwise, the output is 0. The real significance of this is to look at -the "identity properties" of XOR. In particular, any value XORed with -itself is 0 and any value XORed with 0 is just itself. Why does this -matter? Well, if I take my plaintext and XOR it with a key, I get a -jumble of bits. If I then take that jumble and XOR it with the same -key, I return to the original plaintext.

      -

      -NOTE: Boolean truth tables usually show the inputs and output as -a single bit because they are based on single bit inputs, namely, TRUE -and FALSE. In addition, we tend to apply Boolean operations bit-by-bit. -For convenience, I have created Boolean logic tables when operating on bytes.

      - -

      A.2. The modulo Function

       -

      -The modulo function is, simply, the remainder function. It -is commonly used in programming and is critical to the operation of any -mathematical function using digital computers.

      -

      -To calculate X modulo Y (usually written X mod Y), -you merely determine the remainder after removing all multiples of Y -from X. Clearly, the value X mod Y will be in the range from 0 to Y-1.

      -

      -Some examples should clear up any remaining confusion:

      -
        -
      • 15 mod 7 = 1 -
      • 25 mod 5 = 0 -
      • 33 mod 12 = 9 -
      • 203 mod 256 = 203 -
      -

      -Modulo arithmetic is useful in crypto because it allows us to set the -size of an operation and be sure that we will never get numbers that -are too large. This is an important consideration when using digital -computers.

      - -
      -

      ABOUT THE AUTHOR

      -

      -Gary Kessler is an Associate Professor at Champlain College in Burlington, VT, where he is the director of the Computer Networking and Computer & Digital Forensics programs. He is also the president and janitor of Gary Kessler Associates, -an independent consulting and training firm specializing in computer -and network security, computer forensics, Internet access issues, and -TCP/IP networking. He has written over 60 papers for industry -publications, is co-author of ISDN, 4th. edition (McGraw-Hill, 1998), and is a contributor to Information Security Magazine. Gary's e-mail address is kumquat@sover.net and his PGP public key can be found at http://www.garykessler.net/kumquat_pubkey.html or on MIT's PGP keyserver. Some of Gary's other crypto pointers of interest on the Web can be found at his Security-related URLs list.

      -
    - -


















    - -     \ No newline at end of file + + + + + + + + + + + + axTLS Embedded SSL - changes, notes and errata + + + + + + + + + + + + + +
    +
    +
    +
    +
    changes, notes and errata
    +
    !@@bgcolor(#ff0000):color(#ffffff):Changes since 1.0.0@@\n\n!!__SSL Library__\n\n * AES should now work on 16bit processors (there was an alignment problem).\n * Various freed objects are cleared before freeing.\n * Header files now installed in ///usr/local/include/axTLS//.\n * -DCYGWIN replaced with -~DCONFIG_PLATFORM_CYGWIN (and the same for Solaris).\n * removed "-noextern" option in Swig. Fixed some other warnings in Win32.\n * SSLCTX changed to ~SSL_CTX (to be consistent with openssl). SSLCTX still exists for backwards compatibility.\n * malloc() and friends call abort() on failure.\n * Fixed a memory leak in directory listings.\n * Added openssl() compatibility functions.\n * Fixed Cygwin 'make install' issue.\n\n\n!!__axhttpd__\n\n * main.c now becomes axhttpd.c.\n * Header file issue fixed (in mime_types.c).\n * //chroot()// now used for better security.\n * Basic authentication implemented (via .htpasswd).\n * SSL access/denial protection implemented (via .htaccess).\n * Directory access protection implemented (via .htaccess).\n * Can now have more than one CGI file extension in mconf.\n * "~If-Modified-Since" request now handled properly.\n * Performance tweaks to remove //ssl_find()//.
    +
    [[Read Me]]
    +
    !GNU LESSER GENERAL PUBLIC LICENSE\n\nVersion 2.1, February 1999\n\nCopyright (C) 1991, 1999 Free Software Foundation, Inc.\n51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA\nEveryone is permitted to copy and distribute verbatim copies\nof this license document, but changing it is not allowed.\n\n[This is the first released version of the Lesser GPL. It also counts\n as the successor of the GNU Library Public License, version 2, hence\n the version number 2.1.]\n\n!!Preamble\n\nThe licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public Licenses are intended to guarantee your freedom to share and change free software -to make sure the software is free for all its users.\n\nThis license, the Lesser General Public License, applies to some specially designated software packages - typically libraries - of the Free Software Foundation and other authors who decide to use it. You can use it too, but we suggest you first think carefully about whether this license or the ordinary General Public License is the better strategy to use in any particular case, based on the explanations below.\n\nWhen we speak of free software, we are referring to freedom of use, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish); that you receive source code or can get it if you want it; that you can change the software and use pieces of it in new free programs; and that you are informed that you can do these things.\n\nTo protect your rights, we need to make restrictions that forbid distributors to deny you these rights or to ask you to surrender these rights. These restrictions translate to certain responsibilities for you if you distribute copies of the library or if you modify it.\n\nFor example, if you distribute copies of the library, whether gratis or for a fee, you must give the recipients all the rights that we gave you. You must make sure that they, too, receive or can get the source code. If you link other code with the library, you must provide complete object files to the recipients, so that they can relink them with the library after making changes to the library and recompiling it. And you must show them these terms so they know their rights.\n\nWe protect your rights with a two-step method: (1) we copyright the library, and (2) we offer you this license, which gives you legal permission to copy, distribute and/or modify the library.\n\nTo protect each distributor, we want to make it very clear that there is no warranty for the free library. Also, if the library is modified by someone else and passed on, the recipients should know that what they have is not the original version, so that the original author's reputation will not be affected by problems that might be introduced by others.\n\nFinally, software patents pose a constant threat to the existence of any free program. We wish to make sure that a company cannot effectively restrict the users of a free program by obtaining a restrictive license from a patent holder. Therefore, we insist that any patent license obtained for a version of the library must be consistent with the full freedom of use specified in this license.\n\nMost GNU software, including some libraries, is covered by the ordinary GNU General Public License. This license, the GNU Lesser General Public License, applies to certain designated libraries, and is quite different from the ordinary General Public License. We use this license for certain libraries in order to permit linking those libraries into non-free programs.\n\nWhen a program is linked with a library, whether statically or using a shared library, the combination of the two is legally speaking a combined work, a derivative of the original library. The ordinary General Public License therefore permits such linking only if the entire combination fits its criteria of freedom. The Lesser General Public License permits more lax criteria for linking other code with the library.\n\nWe call this license the "Lesser" General Public License because it does Less to protect the user's freedom than the ordinary General Public License. It also provides other free software developers Less of an advantage over competing non-free programs. These disadvantages are the reason we use the ordinary General Public License for many libraries. However, the Lesser license provides advantages in certain special circumstances.\n\nFor example, on rare occasions, there may be a special need to encourage the widest possible use of a certain library, so that it becomes a de-facto standard. To achieve this, non-free programs must be allowed to use the library. A more frequent case is that a free library does the same job as widely used non-free libraries. In this case, there is little to gain by limiting the free library to free software only, so we use the Lesser General Public License.\n\nIn other cases, permission to use a particular library in non-free programs enables a greater number of people to use a large body of free software. For example, permission to use the GNU C Library in non-free programs enables many more people to use the whole GNU operating system, as well as its variant, the GNU/Linux operating system.\n\nAlthough the Lesser General Public License is Less protective of the users' freedom, it does ensure that the user of a program that is linked with the Library has the freedom and the wherewithal to run that program using a modified version of the Library.\n\nThe precise terms and conditions for copying, distribution and modification follow. Pay close attention to the difference between a "work based on the library" and a "work that uses the library". The former contains code derived from the library, whereas the latter must be combined with the library in order to run.\n\n!!TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION\n\n0. This License Agreement applies to any software library or other program which contains a notice placed by the copyright holder or other authorized party saying it may be distributed under the terms of this Lesser General Public License (also called "this License"). Each licensee is addressed as "you".\n\nA "library" means a collection of software functions and/or data prepared so as to be conveniently linked with application programs (which use some of those functions and data) to form executables.\n\nThe "Library", below, refers to any such software library or work which has been distributed under these terms. A "work based on the Library" means either the Library or any derivative work under copyright law: that is to say, a work containing the Library or a portion of it, either verbatim or with modifications and/or translated straightforwardly into another language. (Hereinafter, translation is included without limitation in the term "modification".)\n\n"Source code" for a work means the preferred form of the work for making modifications to it. For a library, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the library.\n\nActivities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running a program using the Library is not restricted, and output from such a program is covered only if its contents constitute a work based on the Library (independent of the use of the Library in a tool for writing it). Whether that is true depends on what the Library does and what the program that uses the Library does.\n\n1. You may copy and distribute verbatim copies of the Library's complete source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and distribute a copy of this License along with the Library.\n\nYou may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.\n\n2. You may modify your copy or copies of the Library or any portion of it, thus forming a work based on the Library, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions:\n\n * a) The modified work must itself be a software library.\n * b) You must cause the files modified to carry prominent notices stating that you changed the files and the date of any change.\n * c) You must cause the whole of the work to be licensed at no charge to all third parties under the terms of this License.\n * d) If a facility in the modified Library refers to a function or a table of data to be supplied by an application program that uses the facility, other than as an argument passed when the facility is invoked, then you must make a good faith effort to ensure that, in the event an application does not supply such function or table, the facility still operates, and performs whatever part of its purpose remains meaningful.\n\n (For example, a function in a library to compute square roots has a purpose that is entirely well-defined independent of the application. Therefore, Subsection 2d requires that any application-supplied function or table used by this function must be optional: if the application does not supply it, the square root function must still compute square roots.)\n\n These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Library, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Library, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.\n\n Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Library.\n\n In addition, mere aggregation of another work not based on the Library with the Library (or with a work based on the Library) on a volume of a storage or distribution medium does not bring the other work under the scope of this License.\n\n3. You may opt to apply the terms of the ordinary GNU General Public License instead of this License to a given copy of the Library. To do this, you must alter all the notices that refer to this License, so that they refer to the ordinary GNU General Public License, version 2, instead of to this License. (If a newer version than version 2 of the ordinary GNU General Public License has appeared, then you can specify that version instead if you wish.) Do not make any other change in these notices.\n\nOnce this change is made in a given copy, it is irreversible for that copy, so the ordinary GNU General Public License applies to all subsequent copies and derivative works made from that copy.\n\nThis option is useful when you wish to copy part of the code of the Library into a program that is not a library.\n\n4. You may copy and distribute the Library (or a portion or derivative of it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange.\n\nIf distribution of object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place satisfies the requirement to distribute the source code, even though third parties are not compelled to copy the source along with the object code.\n\n5. A program that contains no derivative of any portion of the Library, but is designed to work with the Library by being compiled or linked with it, is called a "work that uses the Library". Such a work, in isolation, is not a derivative work of the Library, and therefore falls outside the scope of this License.\n\nHowever, linking a "work that uses the Library" with the Library creates an executable that is a derivative of the Library (because it contains portions of the Library), rather than a "work that uses the library". The executable is therefore covered by this License. Section 6 states terms for distribution of such executables.\n\nWhen a "work that uses the Library" uses material from a header file that is part of the Library, the object code for the work may be a derivative work of the Library even though the source code is not. Whether this is true is especially significant if the work can be linked without the Library, or if the work is itself a library. The threshold for this to be true is not precisely defined by law.\n\nIf such an object file uses only numerical parameters, data structure layouts and accessors, and small macros and small inline functions (ten lines or less in length), then the use of the object file is unrestricted, regardless of whether it is legally a derivative work. (Executables containing this object code plus portions of the Library will still fall under Section 6.)\n\nOtherwise, if the work is a derivative of the Library, you may distribute the object code for the work under the terms of Section 6. Any executables containing that work also fall under Section 6, whether or not they are linked directly with the Library itself.\n\n6. As an exception to the Sections above, you may also combine or link a "work that uses the Library" with the Library to produce a work containing portions of the Library, and distribute that work under terms of your choice, provided that the terms permit modification of the work for the customer's own use and reverse engineering for debugging such modifications.\n\nYou must give prominent notice with each copy of the work that the Library is used in it and that the Library and its use are covered by this License. You must supply a copy of this License. If the work during execution displays copyright notices, you must include the copyright notice for the Library among them, as well as a reference directing the user to the copy of this License. Also, you must do one of these things:\n\n * a) Accompany the work with the complete corresponding machine-readable source code for the Library including whatever changes were used in the work (which must be distributed under Sections 1 and 2 above); and, if the work is an executable linked with the Library, with the complete machine-readable "work that uses the Library", as object code and/or source code, so that the user can modify the Library and then relink to produce a modified executable containing the modified Library. (It is understood that the user who changes the contents of definitions files in the Library will not necessarily be able to recompile the application to use the modified definitions.)\n * b) Use a suitable shared library mechanism for linking with the Library. A suitable mechanism is one that (1) uses at run time a copy of the library already present on the user's computer system, rather than copying library functions into the executable, and (2) will operate properly with a modified version of the library, if the user installs one, as long as the modified version is interface-compatible with the version that the work was made with.\n * c) Accompany the work with a written offer, valid for at least three years, to give the same user the materials specified in Subsection 6a, above, for a charge no more than the cost of performing this distribution.\n * d) If distribution of the work is made by offering access to copy from a designated place, offer equivalent access to copy the above specified materials from the same place.\n * e) Verify that the user has already received a copy of these materials or that you have already sent this user a copy.\n\nFor an executable, the required form of the "work that uses the Library" must include any data and utility programs needed for reproducing the executable from it. However, as a special exception, the materials to be distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.\n\nIt may happen that this requirement contradicts the license restrictions of other proprietary libraries that do not normally accompany the operating system. Such a contradiction means you cannot use both them and the Library together in an executable that you distribute.\n\n7. You may place library facilities that are a work based on the Library side-by-side in a single library together with other library facilities not covered by this License, and distribute such a combined library, provided that the separate distribution of the work based on the Library and of the other library facilities is otherwise permitted, and provided that you do these two things:\n\n * a) Accompany the combined library with a copy of the same work based on the Library, uncombined with any other library facilities. This must be distributed under the terms of the Sections above.\n * b) Give prominent notice with the combined library of the fact that part of it is a work based on the Library, and explaining where to find the accompanying uncombined form of the same work.\n\n8. You may not copy, modify, sublicense, link with, or distribute the Library except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense, link with, or distribute the Library is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.\n\n9. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Library or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Library (or any work based on the Library), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Library or works based on it.\n\n10. Each time you redistribute the Library (or any work based on the Library), the recipient automatically receives a license from the original licensor to copy, distribute, link with or modify the Library subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties with this License.\n\n11. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Library at all. For example, if a patent license would not permit royalty-free redistribution of the Library by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Library.\n\nIf any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply, and the section as a whole is intended to apply in other circumstances.\n\nIt is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice.\n\nThis section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.\n\n12. If the distribution and/or use of the Library is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Library under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License.\n\n13. The Free Software Foundation may publish revised and/or new versions of the Lesser General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.\n\nEach version is given a distinguishing version number. If the Library specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Library does not specify a license version number, you may choose any version ever published by the Free Software Foundation.\n\n14. If you wish to incorporate parts of the Library into other free programs whose distribution conditions are incompatible with these, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally.\n\nNO WARRANTY\n\n15. BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE LIBRARY IS WITH YOU. SHOULD THE LIBRARY PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.\n\n16. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE LIBRARY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.\n\nEND OF TERMS AND CONDITIONS
    +
    [[Read Me]] \n[[Changelog]]\n[[axhttpd]]\n[[License]]
    +
    <div class='header' macro='gradient vert #390108 #900'>\n<div class='headerShadow'>\n<span class='siteTitle' refresh='content' tiddler='SiteTitle'></span>&nbsp;\n<span class='siteSubtitle' refresh='content' tiddler='SiteSubtitle'></span>\n</div>\n<div class='headerForeground'>\n<span class='siteTitle' refresh='content' tiddler='SiteTitle'></span>&nbsp;\n<span class='siteSubtitle' refresh='content' tiddler='SiteSubtitle'></span>\n</div>\n</div>\n<div id='mainMenu'>\n<div refresh='content' tiddler='MainMenu'></div>\n</div>\n<div id='sidebar'>\n<div id='sidebarOptions' refresh='content' tiddler='SideBarOptions'></div>\n<div id='sidebarTabs' refresh='content' force='true' tiddler='SideBarTabs'></div>\n</div>\n<div id='displayArea'>\n<div id='messageArea'></div>\n<div id='tiddlerDisplay'></div>\n</div>
    +
    !@@bgcolor(#ff0000):color(#ffffff):axTLS Quick Start Guide@@\n\nThis is a guide to get a small SSL web-server up and running quickly.\n\n!!__Introduction__\n\nThe axTLS project is an SSL client/server library using the ~TLSv1 protocol. It is designed to be small and fast, and is suited to embedded projects. A web server is included.\n\nThe basic web server + SSL library is around 60-70kB and is configurable for features or size.\n\n!!__Compilation__\n\nAll platforms require GNU make. This means on Win32 that Cygwin needs to be installed with "make" and various developer options selected.\n\nConfiguration now uses a tool called "mconf" which gives a nice way to configure options (similar to what is used in ~BusyBox and the Linux kernel).\n\nYou should be able to compile axTLS simply by extracting it, change into the extracted directory and typing:\n\n{{indent{{{{> make}}}\n\nSelect your platform type, save the configuration, exit, and then type "make" again.\n\nIf all goes well, you should end up with an executable called "axhttpd" (or axhttpd.exe) in the _stage directory.\n\nTo play with all the various axTLS options, type:\n\n{{indent{{{{> make menuconfig}}}\n\nSave the new configuration and rebuild.\n\n!!__Running it__\n\nTo run it, go to the //_stage directory//, and type (as superuser):\n\n{{indent{{{{> axhttpd}}}\n\nAnd then point your browser at https://127.0.0.1 And you should see a this html page with a padlock appearing on your browser. or type http://127.0.0.1 to see the same page unencrypted.\n\n!!__The axssl utilities__\n\nThe axssl suite of tools are the SSL test tools in the various language bindings. They are:\n\n* axssl - C sample\n* axssl.csharp - C# sample\n* axssl.vbnet - VB.NET sample\n* axtls.jar - Java sample\n* axssl.pl - Perl sample\n\nAll the tools have identical command-line parameters. e.g. to run something interesting:\n\n{{indent{{{{> axssl s_server -verify -CAfile ../ssl/test/axTLS.ca_x509}}}\n\nand\n\n{{indent{{{{> axssl s_client -cert ../ssl/test/axTLS.x509_1024 -key ../ssl/test/axTLS.key_1024 -reconnect}}}\n\n!!!!C#\n\nIf building under Linux or other non-Win32 platforms, Mono must be installed\nand the executable is run as:\n\n{{indent{{{{> mono axssl.csharp.exe ...}}}\n\n!!!!Java\n\nThe java version is run as:\n\n{{indent{{{{> java -jar axtls.jar <options>}}}\n\n!!!!Perl\n\n{{indent{{{{> [perl] ./axssl.pl <options>}}}\n\nIf running under Win32, be sure to use the correct version of Perl (i.e. ~ActiveState's version works ok).\n\n!__Known Issues__\n\n* Firefox doesn't handle legacy ~SSLv2 at all well. Disabling ~SSLv2 still initiates a ~SSLv23 handshake (v1.5). And continuous pressing of the "Reload" page instigates a change to ~SSLv3 for some reason (even though the TLS 1.0 option is selected). This will cause a "Firefox and <server> cannot communicate securely because they have no common encryption algorithms" (v1.5), or "Firefox can't connect to <server> because the site uses a security protocol which isn't enabled" (v2.0). See bugzilla issues 343543 and 359484 (Comment #7). It's all broken (hopefully fixed soon).\n* Perl/Java bindings don't work on 64 bit Linux machines. I can't even compile the latest version of Perl on an ~AMD64 box (using ~FC3).\n* Java 1.4 or better is required for the Java interfaces.\n* Processes that fork can't use session resumption unless some form of IPC is used.\n* Ensure libperl.so and libaxtls.so are in the shared library path when running with the perl bindings. A way to do this is with:\n\n{{indent{{{{> export LD_LIBRARY_PATH=`perl -e 'use Config; print $Config{archlib};'`/CORE:.}}}\n\n!!!!Win32 issues\n\n* Be careful about doing .NET executions on network drives - .NET complains with security exceptions on the binary. //TODO: Add a manifest file to prevent this.//\n* The test harness appears to be broken under ~VC8.0. Debugging shows a problem in the _close() function which is weird. CGI is also broken under ~VC8.0.\n* CGI works under Win32, but needs some more work to get it right.\n* The default Microsoft .NET SDK is v2.0.50727. Download from: http://msdn.microsoft.com/netframework/downloads/updates/default.aspx.\n\n!!!!Solaris issues\n\n* mconf doesn't work well - some manual tweaking is required for string values.\n* GNU make is required and needs to be in $PATH.\n* To get swig's library dependencies to work (and for the C library to be found), I needed to type:\n\n{{indent{{{{> export LD_LIBRARY_PATH=/usr/local/gcc-3.3.1/lib:.}}}\n\n!!!!Cygwin issues\n\n* The bindings all compile but don't run under Cygwin with the exception of Perl. This is due to win32 executables being incompatible with Cygwin libraries.\n\n
    +
    changes, notes and errata
    +
    axTLS Embedded SSL
    +
    http://axtls.cerocclub.com.au
    +
    /***\nhttp://tiddlystyles.com/#theme:DevFire\nAuthor: Clint Checketts\n***/\n\n/*{{{*/\nbody {\nbackground: #000;\n}\n/*}}}*/\n/***\n!Link styles /% ============================================================= %/\n***/\n/*{{{*/\na,\na.button,\n#mainMenu a.button,\n#sidebarOptions .sliderPanel a{\n color: #ffbf00;\n border: 0;\n background: transparent;\n}\n\na:hover,\na.button:hover,\n#mainMenu a.button:hover,\n#sidebarOptions .sliderPanel a:hover\n#sidebarOptions .sliderPanel a:active{\n color: #ff7f00;\n border: 0;\n border-bottom: #ff7f00 1px dashed;\n background: transparent;\n text-decoration: none;\n}\n\n#displayArea .button.highlight{\n color: #ffbf00;\n background: #4c4c4c;\n}\n/*}}}*/\n/***\n!Header styles /% ============================================================= %/\n***/\n/*{{{*/\n.header{\n border-bottom: 2px solid #ffbf00;\n color: #fff;\n}\n\n.headerForeground a {\n color: #fff;\n}\n\n.header a:hover {\n border-bottom: 1px dashed #fff;\n}\n/*}}}*/\n/***\n!Main menu styles /% ============================================================= %/\n***/\n/*{{{*/\n#mainMenu {color: #fff;}\n#mainMenu h1{\n font-size: 1.1em;\n}\n#mainMenu li,#mainMenu ul{\n list-style: none;\n margin: 0;\n padding: 0;\n}\n/*}}}*/\n/***\n!Sidebar styles /% ============================================================= %/\n***/\n/*{{{*/\n#sidebar {\n right: 0;\n color: #fff;\n border: 2px solid #ffbf00;\n border-width: 0 0 2px 2px;\n}\n#sidebarOptions {\n background-color: #4c4c4c;\n padding: 0;\n}\n\n#sidebarOptions a{\n margin: 0;\n color: #ffbf00;\n border: 0;\n}\n#sidebarOptions a:hover {\n color: #4c4c4c;\n background-color: #ffbf00;\n\n}\n\n#sidebarOptions a:active {\n color: #ffbf00;\n background-color: transparent;\n}\n\n#sidebarOptions .sliderPanel {\n background-color: #333;\n margin: 0;\n}\n\n#sidebarTabs {background-color: #4c4c4c;}\n#sidebarTabs .tabSelected {\n padding: 3px 3px;\n cursor: default;\n color: #ffbf00;\n background-color: #666;\n}\n#sidebarTabs .tabUnselected {\n color: #ffbf00;\n background-color: #5f5f5f;\n padding: 0 4px;\n}\n\n#sidebarTabs .tabUnselected:hover,\n#sidebarTabs .tabContents {\n background-color: #666;\n}\n\n.listTitle{color: #FFF;}\n#sidebarTabs .tabContents a{\n color: #ffbf00;\n}\n\n#sidebarTabs .tabContents a:hover{\n color: #ff7f00;\n background: transparent;\n}\n\n#sidebarTabs .txtMoreTab .tabSelected,\n#sidebarTabs .txtMoreTab .tab:hover,\n#sidebarTabs .txtMoreTab .tabContents{\n color: #ffbf00;\n background: #4c4c4c;\n}\n\n#sidebarTabs .txtMoreTab .tabUnselected {\n color: #ffbf00;\n background: #5f5f5f;\n}\n\n.tab.tabSelected, .tab.tabSelected:hover{color: #ffbf00; border: 0; background-color: #4c4c4c;cursor:default;}\n.tab.tabUnselected {background-color: #666;}\n.tab.tabUnselected:hover{color:#ffbf00; border: 0;background-color: #4c4c4c;}\n.tabContents {\n background-color: #4c4c4c;\n border: 0;\n}\n.tabContents .tabContents{background: #666;}\n.tabContents .tabSelected{background: #666;}\n.tabContents .tabUnselected{background: #5f5f5f;}\n.tabContents .tab:hover{background: #666;}\n/*}}}*/\n/***\n!Message area styles /% ============================================================= %/\n***/\n/*{{{*/\n#messageArea {background-color: #666; color: #fff; border: 2px solid #ffbf00;}\n#messageArea a:link, #messageArea a:visited {color: #ffbf00; text-decoration:none;}\n#messageArea a:hover {color: #ff7f00;}\n#messageArea a:active {color: #ff7f00;}\n#messageArea .messageToolbar a{\n border: 1px solid #ffbf00;\n background: #4c4c4c;\n}\n/*}}}*/\n/***\n!Popup styles /% ============================================================= %/\n***/\n/*{{{*/\n.popup {color: #fff; background-color: #4c4c4c; border: 1px solid #ffbf00;}\n.popup li.disabled{color: #fff;}\n.popup a {color: #ffbf00; }\n.popup a:hover { background: transparent; color: #ff7f00; border: 0;}\n.popup hr {color: #ffbf00; background: #ffbf00;}\n/*}}}*/\n/***\n!Tiddler Display styles /% ============================================================= %/\n***/\n/*{{{*/\n.title{color: #fff;}\nh1, h2, h3, h4, h5 {\n color: #fff;\n background-color: transparent;\n border-bottom: 1px solid #333;\n}\n\n.subtitle{\n color: #666;\n}\n\n.viewer {color: #fff; }\n\n.viewer table{background: #666; color: #fff;}\n\n.viewer th {background-color: #996; color: #fff;}\n\n.viewer pre, .viewer code {color: #ddd; background-color: #4c4c4c; border: 1px solid #ffbf00;}\n\n.viewer hr {color: #666;}\n\n.tiddler .button {color: #4c4c4c;}\n.tiddler .button:hover { color: #ffbf00; background-color: #4c4c4c;}\n.tiddler .button:active {color: #ffbf00; background-color: #4c4c4c;}\n\n.toolbar {\n color: #4c4c4c;\n}\n\n.toolbar a.button,\n.toolbar a.button:hover,\n.toolbar a.button:active,\n.editorFooter a{\n border: 0;\n}\n\n.footer {\n color: #ddd;\n}\n\n.selected .footer {\n color: #888;\n}\n\n.highlight, .marked {\n color: #000;\n background-color: #ffe72f;\n}\n.editorFooter {\n color: #aaa;\n}\n\n.tab{\n-moz-border-radius-topleft: 3px;\n-moz-border-radius-topright: 3px;\n}\n\n.tagging,\n.tagged{\n background: #4c4c4c;\n border: 1px solid #4c4c4c; \n}\n\n.selected .tagging,\n.selected .tagged{\n background-color: #333;\n border: 1px solid #ffbf00;\n}\n\n.tagging .listTitle,\n.tagged .listTitle{\n color: #fff;\n}\n\n.tagging .button,\n.tagged .button{\n color: #ffbf00;\n border: 0;\n padding: 0;\n}\n\n.tagging .button:hover,\n.tagged .button:hover{\nbackground: transparent;\n}\n\n.selected .isTag .tagging.simple,\n.selected .tagged.simple,\n.isTag .tagging.simple,\n.tagged.simple {\n float: none;\n display: inline;\n border: 0;\n background: transparent;\n color: #fff;\n margin: 0;\n}\n\n.cascade {\n background: #4c4c4c;\n color: #ddd;\n border: 1px solid #ffbf00;\n}\n/*}}}*/
    +
    axhttpd is a small embedded web server using the axTLS library. It is based originally on the web server written by Doug Currie which is at http://www.hcsw.org/awhttpd.\n\n!@@bgcolor(#ff0000):color(#ffffff):axhttpd Features@@ \n\n!!__Basic Authentication__\n\nBasic Authentication uses a password file called ".htpasswd", in the directory to be protected. This file is formatted as the familiar colon-separated username/encrypted-password pair, records delimited by newlines. The protection does not carry over to subdirectories. The utility program htpasswd is included to help manually edit .htpasswd files.\n\nThe encryption of this password uses a proprietary algorithm due to the dependency of many crypt libraries on DES. An example is in [[/test_dir/no_http|https://127.0.0.1/test_dir/no_http]] (username 'abcd', password is '1234').\n\n//Note: This is an mconf enabled configuration option.//\n\n!!__SSL Protection__\n\nDirectories/files can be accessed using the 'http' or 'https' uri prefix. If normal http access for a directory needs to be disabled, then put "~SSLRequireSSL" into a '.htaccess' file in the directory to be protected. \n\nConversely, use "~SSLDenySSL" to deny access to directories via SSL.\n\nAn example is in [[/test_dir/no_http|http://127.0.0.1/test_dir/no_http]] and [[/test_dir/no_ssl|https://127.0.0.1/test_dir/no_ssl]].\n\nEntire directories can be denied access with a "Deny all" directive (regardless of SSL or authentication). An example is in [[/test_dir/bin|http://127.0.0.1/test_dir/bin]]\n\n!!__CGI__\n\n//chroot()// is now used for added security. However this has the impact of removing the regular filesystem, so any CGI applications no longer have the usual access (to things like /bin, /lib etc).\n\nSo any executables and libraries need to be copied into webroot.\n\nFailure to do so will result in mystical blank screens (and probably hundreds of axhttpd instances being created...).\n\n!!__Directory Listing__\n\nAn mconf option. Allow the files in directories to be displayed.\n\n!!__Permissions Checking__\n\nAn mconf option. This will display the various file permissions to standard output of files in web root.\n\n!!__Other Features__\n\n* Timeout - HTTP 1.1 allows for persistent connections. This is the time allowed for this connection in seconds.\n* Daemon - Puts the process in daemon mode. \n* SSL session cache size - The size of the session cache (a heavily loaded server should maintain many sessions). A session will save on expensive SSL handshaking.\n\n
    +
    + + + + + diff --git a/www/index_files/crypto_2600des.gif b/www/index_files/crypto_2600des.gif deleted file mode 100644 index 10610c126672508362a8a2b4e97fff49f4d2bf21..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 15768 zcmWk#cUV)&*S`0rlS&JrCZP!uAXMojp-V9o5roxHL`2kpsGz7fjiMl-s352TQBhep zA}aRKgQ6P{U0iVuf{Lysc662B=Qn@MKQqtFb7sza=A8GOiHHjK@y+N4HUTey|8FRO zLPSzYI2s9IO~f(`Q6{EnnvtHV8Ntj5#WY1(8xxooL?%_=+(O^N($tcwZ*6H{ZDnf5 zz!)=$7SSY`5 z%L?=M2n+BC3-k-;EOO>Kdxf(tLp;5synI6aeU=7zCj|O(ox?*t!$bYUqXQx${jw8+ zB7#ErOGA8Pm-;4!`X)#FB_{@^C;FzP1cZe|#e^=6SsEJ`p0O+@D={oOH8eUgI&Ni5 z-16|O)YzQZ_=LEmtmTREX^9ETQBHbvob9wGbSJ-As{C`Ff%4PD=8swIe$%B zQdUw{PI^w^s+fZG{PfJk-!gLYGlTQj1s3K6tjkKy&r8Y9%w3MQ zyiq7EN|EhIlx*23E8SdIQYtPIOG?Z4l$Py)3wMb3R!UaNB%Ak2i>mf)sh4hT*t@l= zcK6XkNeAjnS`KYJwr_V^UD2^a+m0$qI@))hIlcRG*NzHl`QE*idn=FCmF;P$+EZ8F z+E8_3UwutwQ)5FzO>=!sb8~G|eS34uiMIVU?Jf0+1D(g4PaHm0bENIWky9s59;-id zX8);Ur_Y=@-F5s>SLgoo?Z?h{p6)z%=&bV0h4cHbUOjZ-{OPORzhAt1_WIR}XHWEX zpY6NcHFV|bK>sCq|MkZH3!VMfF7#a=n7G-0t+(SwU$45q>GrLr;r{N?+kf0sH;)aT zn;8A$uZR2px_9Bx!}G%fL$_~@j13LnyEFFS&*{74xBr@$c=YJ6hYy}Ue*AQ1>iYCw z_ntnUoPPZDpXn?AOh0`5R69F!^ZCr=>sJq+%{+hg^7)5X|Ga$xUM1_89gdFE=Ja`78dgPJ zv{I@50j%vkW?6kpx?sWmi22LVClWr~UuL){XhERHjTgqW**9o1K9-ZFMxEwpjpp@I zo4BTmQkOj$HGiaD`qV~nvQPq{`YE9znUQZdqZha16HiUQ)Wb#o=5Xgl%jWy0UVnkK zc@;15sHtKA6IL=m_1or`*-2a|TQsyMLZxnF-wj z`98(EEhCFMIUi6YgNYRtcn;@jIZ4Jo7ULrLN6yj9Py<$YRu2bb8EzEci*EeXRpnMW z%Rjy+yvcj@mMy6V4R^Ba0i>nHwTgN$$JVsJZFmgC=`T?;LN+94LzTw9tUYOZ6@zR^ zdtG?OFb>BS!UR(?(7_&=$KK1Xsd1WD(SCIe2cgtqifXlCh&2ub!bY46m#aO ztq4i8V28PFo2n3*osW#?qD+A?@g@tS_b7b}PYnk}^Qnuq-<|SzwELxi4{G{Oi}QDk zO-fZfOeTFz-a?MeAGdm+3@-d8GGj61S>xnVEl)ooCOs5ymE!*aL341C^%J`I`4?!w zzTV;l>3U}^j!r_D{I=P+<%kMh!(OPQ zm#M9zWtQne@C^<5r|7YZ&%Zocm^9D|ot$J4?RvA_9i8s`#i0;&+U4if(?vb}E2r=L zt_Z*R=lQ#SaoIIL1GXNJjf(xzOTIpb(pP^GnW}Z(^@~aP zI0e#6(Mw+Y1HiC_{R}0Ouy#~T2j0v23)Dc2|Ex>!UlvF;U`U^&Zad`RKz$tzo%(O; zNr2)uc;xM-KmOxDsg%8Gxf|iDQYq`AN}N;4DR7@V@m*E97@5DeIB#LD-|{;jo7$Oa z&>#q7WuNm-oy;_U$q0AeZe!{xJZANZjiDm>&Tp$?^vYDczX;5-Ogj!*42M!a$T2&q zZIpa|2n{R3xK>S9qv}DDyr1>f;`mn2TVs%|@WNe71G#|~CiwBMm}dh1tXv5HS`C_% zPFIBsvuSe*bg+V_pQl)Csi%*RRw|&PS(RnriecnJ^}cKA_89AJqMNOw4mUzn=s6*# zpVLN>>iVO;ey`rqI72F_2xAd4FxC!S^LY-2o#`g7U5;O4#z)u^GO#x7Z;$OzcQ9-p zmV38P6LJLzGmX65t*DpOv0P#`t|$-cV4jK2T@c}*XRxuQc2m$Z3!g`a{ENirb~pTI zf%ayg+~(k{)w({+5l*>lm58{WkDzN5XzOh4g{|s7lh-;KyGkUyu&&pnive}L-wJbo z2i}ApSdz8ixJ#`p56I<8F%C?$UL=fJU_f4zA(pRuFfO)BVv*U?WO^=_)>dXnkoHni zte=}SXr!H6zvA;$poRT&S!F?n-ckWg=07EVl$j_WFjKsSzFxX`D-L&56UzLdEtgYy zidq_tJYu4%dj1b??H*o3X8qyr#gOCXxU1{h z-8uI!E)Rw-s}`JXObEs;4q@wh?WJ5S=H+wT6ZNobI0KHE=%;tEL3f=S$r-D_O(`S1 zHp+=Rda{h)9S9E`XQDNqM(n=?aiGW#pFZ$QXDwdUf^h)y$)r8GNQJQaAi%PPD&YOO zD}nLh7?xnolgL_i!jV<)?_!4ngqWngvt5hKqJ|@WZ>u?_*r+3f4KvaXslwgjMdh3NlY8}c2SE6Mf|fX z3QnS`@~4d2_(*a^dw^bU>d^WN0D3e6&EdckmawI13KvKm#-sZZLCwk6pu>v(j~5p1 zSs-!&JYBvW6S;f?303;!zkd=bac-5lBqt9BP3GRN-Gmef^b$XZ&~7M~mtQ}JN=y?a_IRCP zdAniJK|@mpwvU0|5{8xOR!Rl<^8y5hf^32HWI~Li4Am*eT4~v5p1O8Qkmq5&`ml|7 zBX1nVI-JcxYf-}t{7wMZB*$Ii5V|zwG7Y9vh`+4EEQD&IMOs7<#oguH#^-A-Z%jkU zTKCDXsOvB`Oy#qo!1wBKZhe>keUJ6l42Y!!#r*OM2~Kn&Vyh69oa5ZLIjOVG)%v_O z^@x;j)YjB zi`G^&xxI@VRiuH)DrlE7;5@^lUky>^fap{5R*`Y$W-vQ(qst7mmf_y8*)QuO5NNlB zEQG>g^lAnwI@xz`F6s{%%2x;xH5=jXyqh944O_GBneTjx-|zjv`U{|i0Aj%wHaM%C zr%<=3#94q`&ByMZvm0SAxP~bZetcxG!Yxz_F6Luda@6fHz*2!uWp65akeu!j_{KIl zV-P&iVSGsCG{GUqQw3(1 z3c4{3I>U-Crd#T9bP7;=IynLdqgqtZHB`8<1}SG)^(RMc*a9A%-sm%i{BIVst{%5d zzFY?2&am+}Rp{0kNV^$RI**dIfkkqZi%^)E1?*7Z%Cwjk1)*P#Xv#njYcamU^$#|i zN1X7z*cWc&7kFmo#Cln<)fN*gF_>PK#`@As*Mj3CnLj_CxLKLM>f*_T=u;;L`%adc zCI3^>4BrE-G{HH>NjcBl%RT_HO3d~PD`W!f9-w`iPySblN?5yLv4;2&AU|iEwkV0b zVu~-KpyhJBmwIs%7xRQooRFWnvXnR@hyu5gbvja01IgBtBtL;R(OGmpWj^M$<{77N zTAbeLy-Dj<-iAhAvPZb_^DgNl<0;5gfk!Go%pC?(8ED5fm|a@LhyyCu9l=tdDHUz+ zyQ6Dfbu@d#dLVZvu2xt!v5Df8q~4tAP>&Jd8_0pwlFB`)W| zRh;@P7;)@7Fr$W?7^r{B+H#nvU>zby96{+v`N$U_mmSa&$SR(VO3|Lzq(?x3eOyZP_-E9YlAov6uouXs|Fc|Xr*23_!+atDV`#QNXP%uQnr{2TkI zJMZ$Dm{<3FO#t~ipIGMkps0m#ki!CF6^hour(3Z^D`p{Wny+ z5@Tw=$gIf3a5rcacgcXFZ?;=x)a*w2*kkzPxvBM6>G8JC#fb$D+pHY81*UyBznB}G zaWmUeAbH+v`@D70&%N8e`ENT2iV-U|QQU5_GYgwVAW6xp5veS$nW0{bVtQ@AY_+nk zy}9C~>V?R}2D1${4K^GA@+hQN9K5Fjtkx3W!NgNq%>6Y0MS<)4j?sfrkND(EDo{)z zeI5Zh9O64RAwXgF)L;0&M~0+UBigweu3g8N;02DB{R-S#q{DPDP~J2|o`QLR3FPsy z+cJSD{Yt0An+tA){@_ANQ~Z`Kpy8JXkSX5Z8OBH{sFe3WA|EFOLP~_tkK3qIoRo8N zy(mE`q(A~Von485qg_N z=BL@LwafspWd#^_Ah+$(A~z1kheIjV5%1=kMTl60WN4)D;T_Hs|Qp2Xd3M>nximNta=E?fv)BfKv~4Q(K)N=FK8&K@)!dZBtSTo9Dt z+rQt!(gWYevs%U>7Q}EJHH-(D!%r*__Hy$&1N686Z>g|O_=(FGLKI4@nId{vy4R{u zcylcfsKk{qP*!~B7mb*|1ccQ}iyF{6R)Kq{BJ^?y{>Ka#D=}ZnaS2*M3LiTlC)5jV ztW=@f_~#Gwp?9j#$yx}n(zIwX+m-gWMTV{-q4BUO>*>w01uBxGJv=D|Vzr3%YoH5# zP>vjzK(VSnXtCEldK$E{QeswUt0q2xF>-LMY_Y(**)qWrr$ImBH`R-F7PdkX4gQP{ zbAyk>D4OI-%u)@ujDg)NMB{sSZxk?y*$Yay_CL4lgo6`~hucsfYhvRoRm;yQR`>vInIEfOYzBfD zDd$w^`{CY8x}wPn@X)bXoC0}5skc#J`)UFo|Fo=b3qdYN?*fqb`@tQOd!s}9b5-M^ zB4;ZdMXwbK)&OX2#p^Xjk6RC66_{|orl)sHmkPT(^Z~otaCB`<5ACs;7PS-Uwo8u5 z<6s9>xE*Z#C})9io?YdcgA7+l$8WE~aiCJ=VjBMiONVhfTGIOL?CyT#76m#H9^q*4 zLlnG}f5gCn(ZxY(D_`nW2bWDq-^zfcf~S*i-b@7Y#Md>ZUqAgGUA^BXEJ1~SkzI3o z1j$pZ>iN9rep}C;z3!>Q%!M}4`5WqegK5{f3mF=St2%U@kKZGw{xxQ?vC`0%U2O~? z^K_uO5cikj%^g2)bOO>v2O63AI`dDIhp4O(Tm3!#)V& z!aH!}3dhCJ-5kLA%2C_+$Wt2pc`g2E_m|UINxS_5M?fSM+1RKgPG}lmIimjf;mT|U zMn3^h8p0+r0UnI=QvHDSX_1`{) zG3QzrKkXaFRa-Ii;}vcoo}28RsS}E2c*}$z?b|~3AJwFoe2X>hh2W~I71 zxo0X<5*+upSs)#Ies(CqUL@MBD7#4u&R8d)<1X9SMbm>5Vcmjb5;nn#6z%RMmg0=t z&sZ+bc1z&S`kNsm0mwuvG*a!>q?czIgv9d|AhDm2TbCQgxmO~{lon@O33ePbEs(zPwl zW&lnSSQe?WA!+6%sA_{NZ6E=JO?{cyX z*W{Q!^^OW;pG}|1X0&x#SIu*fHD;$(2*!jWL{GHmb*%#Npfd>(Zm5xBl%?AZMf$UnoC5Xu&81NLKS&oL7~KM|OK4Ut_*LC6~cuM$KoN3nm@fNLBRd znevru>w$aK$dPuk=LCg^yV~I!axwNrQdYfJsd7?}9*W)JJw*w4DH=RL=&lLUyBubk zxhuo2zNIqbcm+OXzRx5?Da@$ZF!AkpO&b6G4Cyjqy9&-H3-{HetzPE)Q;Bh2pPTk_IIWn(54!}8e6f*S4H?NFTy7mOx0^j0ur+*Xj7AOsENl!J7O zVIQ~Dbga7){8WJDp6^mr+G|C)$-Kz5XE^^Zu!BNqkby&J80%F*O~ExXZ?mHRk!J>Z z%Y@B30fakC(Ub?!IM5_N7n+U5acqT*2 zFgJmSm;hMGgs9+#6gD$2duEftI`^osg58s|isU%==Eip97JI*540SlxEAC!If33)* z9YC5C4={)n!18rLO_T!w(gi7q02oE>7-Ouha_Q)w@P&Izf) zewLYz!uVC#K3tpznp1NY|Dx%PI&}zoiaxeUKF1OFU#u|h5<+`+K(E8a_Cs4- z(Wj48Q%?{t?dyxb$#;!dlfOfTwg380JJKXYWL@<>_6fhp>XK((f>jI$pQ8nl0gNh$ zGGH&N#W1sBQV<&kud(suxmNlI{&3)tf(6O8?<#U8R$~8_aZk^)m+UR%8WvGx4lx;e z5o-|UHy9GfVi4~x?<-d-Bo-WxQyiU$pu2EIol+k~ZftCU8pFkbs-{r2$hb;3U}yy5 z!{JqUSkOYPNUP{0WTKphvF)d!m2Ph5xnsMP&t;CK8Mt_Ce^#{|bkz2ewyF`9U-($7 zcF>?wC&4$sxCKw0fZQwyVY-~d@VXh;Z5%gS{(J2I)^L%bLeO%129mH@QH#8%YByuw znJ=Ve?NnIpJ47MvY@9*M=TOu+Er<&h;oX&g(C3wZ?wIN~T~a|ucQH^{OvDzffX6Hn zK6FJg@l7c*S0U;zDtKXli5nH(T<)3 z_m_uKApByl0V`fD4!M*>hUbqm_Jo!Dg&G;kdk{8Otr$%yb0k;DHT@xvuPac66+kydOA&U2rI^OLx+oCWu-shnO06#>hek)38L% zMU1`?GfDw$3yDWLq?2vQXvJ+&_g{P`K#iI9>J>)827d2l_x0QR;x8Ke^wv4zy$hL@ zo^KXt5qAfVJJ^g}VC-Q9$uGv_gmDIz1Bk}Ln?J*w%U)HddNtg-?`K<{Q@E(j3TdzB zHN{=~?^wg-Ll;Yz`_!I!CXl(X933)CXOQc=epkQ#v{8IMp)(eDHa}0_KKAsPs=S8O znz!b$UZJm(4pbq3)Egw7$bGi|V)vi235H@3<7`;pj&u}d1%d#-i?oh=@?TJkwW;7; z!Ds)1vYBnu1cgp|^XgN525^%e^?}uU6(Idla?3^l?4y&O1pl$^ddhK{^>f7$_zXbbpvSxr0mdgtf%OaD#(Z{h36%+3#g(1Tu8Z`wAodf~&+ zvLCv4`%0|6R=wMC@cP@6Prmo9e=;92e)&Dlbz!=N_!%|w*Q*tqwhc!AGgbE2_2;#- zC93+Hk&0pekIYT~yJqt8^U%SY!{#@&y1@UMgQj=f`14-C@Ud%ikFEmJpl4179y}OL zJNC-(*Mvpa`h$@|VALk~X~m6i%>kPA!S6Q*5ar-cIsCtm0e3v$+6v%*>u-{(0=^*v ze_jpvaW(Lr?eX{pMW6B)mv24!}y-hXSW_k9)%?!{8S-q`NZ#{WF}g9r7Rj9E4o-<{K2Gv-4Am9XhaJ1?a^$usIb3@*%%m zc9G0BktJvV%_j|3^;%t&}o1wpftfPoo*ll(rl`X&Y@wdln53Q1-g zLiitqW5dP@$yI#ov;v{~?r#@$BfS0QH-Gr$%+2WqVEA2sxQ+fk;-qA~ye?sBd7es4 z)JV6}FxI(n>LjMH0zyn8N+Qdh*|6U)GEj%8V%a780CrmRj(J((?TFniH{75A*6V?Y zR|C5KA-@vPRC$T*vyY8MSkkbdgQ$3lM+pVI9H33v`bg7L)JTxk88qw>5L(o`sWi}V zf=98f>&UNt9yMTM1YooPS{Had1P(g{e6y+e>my9701auuyI%*5n8Q}_L0dzBti6>Y z)ioR3zF&uqqnyDtLVhZUNAoyP9MNifjrpyLH4nJN04z1aUnNb8EK4dj#}q4_{Xh#h z*pPzEjznkj%L3%!jegF8ZNbGaHU>Jw;hs9su0xWfhOn&?E(OWOBD^{zfqX;^8;RBc zTrDz)eSoWy1~8D3N+?n-wby}u46$L$%}!hHhU`n^0Q03dd=nObIMxzbIIQa#ErvJp4BM?6?3cF+R1*AHM)7TS#j zw`p^u!^iGE`!`z8dD*s66Zh!YokoA!3?4*Ia@vaSe6t}PWCbH>_gm>IyJLF^v z{&3^Iy1ad~e5)MueOA>@j2@JAqg%{8GFB`7oL(CqU_>dp`OV^#X@%ILN3^5zI;Qt- zNx(R=_}-GJSO(>H`X|+VQ{pe)$dTa`x(;M1j$kr)@6&J(2#GtZdZ}{g_TRs+*hx8O zbI>pnFjh-b)Zl>$c-6dYl@^)YA4Kxyj0uk%bHo^%PFvJxP^;jx8%K;hdAdM2FI{A=s03xPCvIOukX}n4i z-}YWp)r6cB-v8r>gV?$Pa?(nI;S=_D;sur#nZc3y){E~yvmW}p?f#p}SRYADEKH<8 z&36vAq{Ti*OseN15EYVqHKO+AA!}biPm5TilbGrtGMnehmjo6gVl>jQNhva|I@ZC6 zsFu8MuIds?S-C#B=9gHS16jT)K|;{(WyF`+tA@oOS>PRfJ>bf*)z(ary&&z@XZmvo zN2*R-&2(f$ns`M%SerNQ;2^eekb24W0>c`uul&-K^x(r!uHnVGDJZINm=?Ovejb^P zElU%iQk5V=3;eQkK`ODI4)RbST<0MUpBJpV5C~XreFTKa#dbJ|%R#xxP2wD+q%nY= zh=_E^;JmLi)Ga{o-J}5=cPeo2uu}zj`@pZ~M9hagRr;Z|=M4e;yCM;fBQqCvy(Ng% zmx1ZI;gMsKt)C-sJ&TbHM@6&^CaT%CmV@*G;}~c^C@xii&Y4GLs`lP)fZnCw_n#Nz zd_)AZMDt#0(&Qs;E*R+`U8rcp`v44`%wJne%sqwHfw2^{0g0F`lBPtW1rAbHBT68b z`TLxfZ1zt0%^>?J!b{U{@6c8n53+nftsiN}zX)e}WuvabwqHD$f}L+gm^(QA5t6{t z&a#!ye#u@Rc{!EXx@Zoy{A_#lI5KrkwuaV8)=KvLMCI3`{C>c$^O9(^LCL~LQ5vn2 z%0|XiTyi>FONg8_it<_ABMXM5%VA_u4lyPr&L9UBsXBI42iiDayAlF?oe)j$JY>(P z)yglG?yc%>0)LyAxoSH*4vQRVFGku6f>?M(1{?n~8b9VFn5v)`vV)S6Q4M3|E(jc|; z@0T*~qPx7vr)dhQlNz$tfv3Mebsx;N(m~j7VwP?lLI9a)hkC|=)wh>j?FZZ)jv@fO z7tszeO!q9clNw;3SYX9J+|Ihj=64Q)tuEJQ9_0c5|&b$p?BWSbeowJSq5l-gMoZ z)k};Jo=*^GrJ%#q2nuLrdJ(dlL}UPHLwBTq4@lREE=OM;)Bv$G$&RHkY2MZAT%zAn z5XA;c;t`n_SMYVR<#JSv7HM!o8Ustyv}GBMwV<1kwePW04_;$>IOmtbM)Qyrw;9Ps z6{)^L=YjtF`DPtzFVDyCRnUce<*+vFpeVa|5m9p}bnzhOmMuR5o-A58cfe7p4Grv?!QZOL-!t!^ub2X;H3Ae*`OJb%Su`h0QCfRd=ts^UPYU)e zYpfzVAQQ^XNdU+NWUg{U_ItoY4r!X|AJQBdjqbC+{j=*}gu@oS9f{Vy6^z2Y58TgS z=8v8V@+CV!`U{f&GK67z1~zvH_sGxd=$!eGFWE^THXmydX^hRsjB(mp_dA@w(?%m+ z0i%0JR)+L4yurkk>c2lrB${lESo&UY=mZz5Pl>OYhaHr}a}G6^=035C+vbL@>YY8& zcn>Sed6RxFx+g@gM(-^!Cn!t(DN8m(`cf={H2$-H&ezH|D=! zyaRu}w`HHA`BYlt+C)A2`YSCz(w;4AL@uq!&195^96;)0E0bSbSvn0*`9;w>YPn?Uko?$Em`+=m5NZxRTagNdsF zx=Nh=xVDNxlXuicGEbhH7nL{4a_lgfg0d3=^p6Bfy;FRT*ea>|H?dCS;R7TtvmDZd zn9Q-`Y`#BI6_=@*Hk@U<3~6GAMwu2Xx%9^8%8Mb*@*#HPQ2|JAge-vyDhm#+t$Qlb zcl2FZ`Z8>Txo_c&x+xL!#-!CcTvJ-`e!3SEZ0RSIYqSzGN1{u*O0Iy)$bj*yQ9~O%n6~O^h+)EFf$}QcO&9=KP1S zTb0P<=B`2Q7ZH+V;VvKGPxpZ&miytm4zFyFjp8`^r zBFFH4GXWAKx82#bGOTr}hKq{bsXYoBw66gmvtlJzFJ>L3F*|m-aylg;gCboSaOGJN zf#n$%u{cu^UqMglQ6Z@-vPEGCcZJ(C<79`$)8N|3T0kON#|XpFJSS-8@^IhRx)hhnK_^T3;1(u&Unx@rqAfU` z=~lDDq30r_93zuw|zVh_1fe4qD16A5a(%pspMb zZgX&Hj}5#3pe42fOi6FdQSpXSB0(hHpu^ZCs`~vL7r!*6)r$QwNsCNk&@BS6!rp5OSr*;{0R>(|w+nn=IUQUBY^Pz{=9gR6TO$A1zG89a@f)y|lrKO;NLNh;X+?;VYG?QSrIc67D?!3@luo&fl_$~* zru30_3uI?vl5Y++g)Dh`eoqQTfwrNDY*`!xwXg3m(np1>JM-r}C4{NBQwzmqnPs!J zA|!Gle`7-HimcaRbr>2<@)bOKxAa3DvXO&X{j1#b$1F8EV|)!u#iQ#LU|i?5h~>9& zap4IfS1h>Q?ctxhUfGSjsdjR~2*IM{MJ=g-gr;(^cgyTOxvX<6`*U%*->b1IeWZIx z%sR-vjR8`#ZwKT1RfawpQd9s(zR@>cZ(AmdF|R`1D0s2sM#Pfe*?Fs}|& zZ!DrMgJu#$m&hemfWYD$wHYNH{mnfDkcDos^YNc&I75SS3JD_l7Vv+*w zKc}R02~c(n5SOIjQG11l-CuF{rBK=^vPKy_TYum7#(r#K>x;_<3`7jadg1@e?)wZh zV%|JV%3|0s-^zm+jaZbu4n}u%A9#3f5R93j*qGZOYUTxczCLzN7pHqJjPMcSoZ2sgnJju;KyFp`A{Jpszbd-Q-LMMBRJQc>5oL9#05p(k z5lG)&y#ptB`e*!|^c!?Cx8h#C1V$gOlp!%H?xk$?;g)FoVdTQ8{dclJ!%xaRB*KIB z=9B>z;~dHq8A~iL1p8mh>Kz~4#w7P}Kc~CX;)>5FEL_#=qX$tg8QoHHSsCWC&iU?x z4WQqy;sNIdCO%jJ5{rDYSna~43|kxHX8lmtA3_OPAX*ld(w?k6jtO?)?wuIv1qlqy z#wif%$*drka-`NmVp!N@f*#f}>~a7n-FObJ4A47TbnE!BC{}1j-$ha2C$8$9=?cO% ztt^<+M$S`Oty1DMfRT+k1Msar;3h~nwq^9;24 zuB!N?c8FF#uR_B*Ft8&-S|r&Ee)*M_{V_!T$RtzZt~9@oJ(1*CA=-rGH5sxNak6(f zCkH5(BY!d7%l>P*Tv|pW0!*^=!rWY3s16l}WFn^G2_@cIS%49bn8EM2^vri9HL8#s zd&fBqFj!ahhpi<=gg-sRkMlSI9xIwfkQ8EpLFV!LMx;HVbzC72F|D9Um|C4j70|zB7Y*fBQM)%SfJfW`Bb|)Ko{%*Bm3Ec0`=`?X zIBJ->c*WV*Yp&)dy5IPdT$URVINn=EEtQklY6kH#vRa8LE~Mv&Lyz{qaa42tQB-Fw2p6U;551|(~ml-t~&vW${z-EVsh;}%^mq!nPUVZB| zS+Gc3Y|OJZGIr`@I8F6AQzG19s`aeMeilA6cIRGFBouh0ujk>Fq$4Dk=F$=Xt-zjY zsvz)}>nj1Y1J{VMY;7c0-&SN&3ReyQmQw?=YX&j^o#JEg*vFtJSDbel!Z2V$Bv(+( z`6ZcQH^TF=#HoGqZu;IN85iG;vIKa$lt6MVF}Bo9R6K(7Y`)HFM&`n4#VTYmhay+J zh8r$bw=`ZL+Nb`C!t`p13HoMSMHFb}vjXkeYg(nJ-vbl6>&e}K*+mX1J>0(us~;J^ z8!4i0%y_mOmE1G1Qn$Lt2L?SwKH3n!7%`dZuN$b3O?V0GnP7&h1$SjvgZA9f{hz{o)m(I$9_{4nHQX@@<(?}3dz&%XahQ{x`s{URm`we|fjItWd^xl}-qp%Qyws}vD!RBXv= z%*!M)Rb10CaOG@y+Pn=`ry@jxCO@7N1~~ZQYD~Kd2Y}!O&3-qSoE-afa1c`wg>Qt> zDMRRPPGZ|F%*22Zh4*VU^fmB(55P<@i8qDJx&hlCy-q)R>FqrGb|YJwn5I;1z5}_- z!SDBvy4-(gqK45$u}}|(J_RImIKK!DU;aIMyND9gj)!kEX2r+`USI${Kq1bcCDfF1 zO=3Xmg3rpt4la`-y5q?;RNEb|+?z5QO4EW2N*^s!WL&JjIEH6`jXV(6`}>yr$&}yf z@AGYr+{Mguc7H1G*f7Ea%i?TRzgXC)(SfbsRk+YzBcFqXMgv9_y);@HcMr!%3p3}% zW+&*F82EpkW^a06OTIy!RCL-7pkzyeRT3f~Vot%vv&<4tFmNh_^qL#2>i54E;u4w} zIVPfZlk_W&f=Ch5RzygT{^zqea843Dk8o3fc-uqvqYz8SV@-;TUW4`n5PLvuKcR&@ z4d`R3P$;aCJ^OPoY~v4*PHX;E3~nRn{mp_7zl`lHB&EQ=wgL!VCvf~|h+IoY>l zqCYmMpF-m_=fkEnu&9NZmLjs8f=!G>%TL@Y>{b!FRmlS?{Oev;1(zvS;}|f&sypMY zBHpV0Q;phj4vZ+~{&Rh%VfOIADe%``{Y_1DDQFQXG7$9HPKr#7#FlEtNNBS^#7FiyG-`Fh5j}j zusW~`;fzJtD0_z^xm%ke9R5B5&P#s_0Bx%lL}9C7j02Yn)Z5QeED6pFu?W^8b0I)<2ZZ?&46f4D%norm9i;WbeUNq}hZ8b@s7IOmEf7 zw+bH&HJj^T0P4>JWC5CYnFD+N`J8C_BlVxN775v`$uTD98uA@^RR5aKxTCD>aB(Cp zQ$(8=8Ch_Qw_p~v^Nf5>#orx@SO*h?y+$zrI%#B04@`FWd#8$GDebrY)V5NfPWCRd zerx!j->MS>f7lyj42N&9KRoi^*q|(TqI*v)?d|A%?17Zr{V5&gw=9ISqKwM{aN#p< z9J*|IJ3o>AyRHX+!HlTRCrz5Q|M z$(wW_(?SQP?RoS1SW1pMO>SXdIjDAw5m!&8Ot91DL$@o579u9->PE8$Bva*Owv@3g zNtZj>_RrYzxPNC}zNKz5TDWm^h2PNes)VoIy0oOHRP*q%fQJ9h>P*WAOL8NVHSf#d VKa;_*v3Cet7OVb7tn8JGaip1L590DD8 z0>H*qRaK$UXgC~>L?WG?okvGU=Veq;nMlgFs_ekmxKp9071fA>t75|H(oEV1R!U0EI-M(EkPs zv+_^zKVxAC7!nR$i=2$b``c>aI-e?I~||I2{?3+ zyDJpNqMW8!ozoLZC1ktMSDpJK7A_Y-r&N>o^E0PLiNVjB{DChBv;H)t+Jd34;_vnr ze%2O_WFi9z=#}e=#&Q)ua~by66^|F9a+TASzm-gu>eSjU_J1p#u0(f5(7&oLo2|7T zFEJdbFQ0F4UhhwT)ljk6;(5NeIM7hJ{2c=(WKe0WTI~uW<2D*>tX}^S$MPyerKx6f zAX&(6X|Snwdn8LPl0mh(Zg;#$qts}q`P=??bXn+69{h3<3<>9uL-^VNWU6G7x?RW2qI>-N{p_rO*7y+F2 zGgZv8L6nqd`^zKCenB_1000(5A&ij$5swyNFhrs|D}k^VoU1|P+SaSVRF*|1!30Iy zCaU=8ED#RB9M2(8?nN@C3ANHWLv>=q>`W7Y%a(gqSPVc;zGsbsPd7WCsC1Dtz;+b8oQ) zh5}t>W`mBv2c%eD6+ecM=m3y-l8w~c*aC+Z5;ZrX*&W2#Chawm(q~x zPwSXT7PrsUe63B})x4txb+SAg{+b8oqH=L+$J1!3tWUU))Ww2Ir!kMW*zK#o3CYKG zK;k6^v(2MWsl&U4_3$17NsFihF=e^lTI4^sz z;4_Yc1g5<|y4lVO<-6U<`{H=JTNLQ`!3I{e;<{Ev$bCK;{wxEvk+@y)XS!4^;l|)= zA>Z9eH>K0vc3ULWAIJ8`(Os!P&?v^Vo+YSd_7E{C+4pb+MM5VZVPxf)mZ)Z6pw1o)K~y$T=#S1pRy3Ha zKMPWw*Fkx&TNO$MK}L#;f1~uNLNE#U;T?v^K4BONzw65UbzMhEHGC4GLuB}ff4rS; zZ&X3PEDKf&>E?H=ilP+CF^SiSW6N;I- zl9sh}@z3?gf+ca}g^69F1YFHwBX~;n3R%X1CM+@w$ztMHv5vF3x%Atd{kXfIKBMPz zWDTy9o)_@P_0i^W2V3>YmBb5DcrvnZf9N%;*$I`khf)0~k}-)G`yws8h4Z0FMJE{J z;Xk&4ME#Uh+dJ@{DO(p|;dqHsANTgX7~mOt*{8?noVF*)$}E=~u*FvLsk@97!FZu) ze*f!pR0j`BP~6QcOLkkcl)7d4_F0i9wi*d@e>Oxlc2u9nJJ_rxm`Ipd55Fy`1vEqr zg0%sq45Zb`r$MZWht%pmAuh@HD#gksYym_NO-FD~rpROEaSgt@0{o!@x!=&S_N;MF zvgl2TXVY+*&YE}R&$vKBw^RxY!y2S|HbRBX>gcoaPru6wwO`Vd;i>Saf)ep$nk-Sl zYY7Fo&o=3u2-=-*g+smx7c#By!E>Y)-C*i)4f^q6ox_uoQ~6^4a++=*_IH^BwjLvRSCTVPi2YrckEP);`O;yhJ_<<=GEC7A46kp1q zb%3TM%>6)2R;`g}o?{NxPL9wjknXa_ADUCWpB1ik+>Erc(UETISFg)eEwQOC((7p) z`Bs;2>-ZsDrgKlbG#tmt0sN}m>Oax4$KhpTA@ivEt+ARVdnbKHWra2#G506DhX#gE znZ|P{;xd}DtBknS&a@L-4d{mwql(Qi`$_0bXwb{;l&BDJ0jx523hf9OP%QCQV%*MjER z*HDj5Sgl2W{vW6G+$c?5(cg7$Q1=W8GylMz;|cZhDX8MNFCuDsebjy;$I14~`NM)m zX$3Xv8f9x-`b|R8$Zu7TefcVH8^=gK2wy8c-Pipgk%MWy+!8If%e`%$^V%e`3yt0r zd>h%|>*8MfI zg=cYWGsq>pmtRP13n=Hm>4)FOG=|!wQ>y&^v*uYo2!RMY``=fs;NX);eB&GyZ`D*= zfrOTIzkMwmvEH*r6)T}m3vW!FzuOXz9R<;$Y(M>x(k>+yt0Ad51wJ;IRStDt%>0_JL2E5DJUx6>uW!A*7k#Pw zxm{y0z2&Fc$e-PVAxh}M?(1jITUOQ+{0V&SPr}q%*C?IbzuN&0Ow~~4auUBSYJGNH zr&_jN{&?Reg+74XG@iFUyMFu0V2A8=*s=_Xd5s6zZpHW3fn(75P+`mY2a{_gjq^$O zhZH^H5c;E@HRq{PgPM-uXJ?7h-YpYLS9^31##aa4arb+kU+}+3>)03mS+AUqt`s|y zO)=cKHm$G875=;N)%Xi)Iniyp-ammJ-BxQsWkHDLMT&E^H(fHPcs3HO>vcQwD^I1V~KzBf88u zJ)bYh`6Xy+;3xaYPno=-3fy-O-1r=rEh0yb_b~(dHof|dy(RKP;jpJXLUF*(8E3g^m`g*zDsBX#(S)xk>Wz*cj(bFTLWCN=VSr-f!c4UHb|Cm^ zv@Sl41+I`$$P13kx6H{}2s0z;-JlxnK(~g_SF>)aDG^zT(Ww%qAv<5jMUn+lfEJ2Q zVG`>8mcC}xJog+_-FP;h!YL}|U($oW_|K*+UdMxX?QYzoIbOsgsc0rRTz9BkdEJxB zlah$CeeN_Os&v03-niE7rqs{I-v`gwXojb_xu;JQDdaMF&5EVrQG%o7sLGq{g=W%< zS-&zwp8RdA_tV9!$ z_o_1~j%`OuJ`nuzBaCVL zvk6jxH#gZQWFS)I3>E?jcD)=*nrLpXH@tf}`7UvSw^A`rbDWBjBy6)eODMSJaseSU z6+(FEexXYd zKxSl*InoR`PD4GJN;Mr(K6nctMDZ=oG4II&dC+BF1S-PbRBRE@jtG`6=oPZY@y^Hd z^bt^B=v7v&0v=_tKaQ&mY^anT1&z9K|GlLGa#vN$R6z%_EXBYC164Upm7$NTNx5ku zUxCs{PCRehdtp-uP1e7z2Lhy#jOwmHwy&Hw)!@G-kkdEtCz#@* zj+$VmZyJO}y<-3_G?0~)@%#xiH z#!znh@4&`Drp7>hb}9fM`GP5in<|dBNog%V%eF~+o+_oZX-}XDq~5gW(&YcRIft7r zjR27D-JCfhid@93ZOlnwfzqzmbSG`rq%L+ zknZO`<-kB|%WA6yX`8P=+r(GesZ!RN0m`|SwuZ5`KH8QFulH-Tg&X@#C|c*8uk9+e z?F?sa-jCZ)Bx%nGTMi|uue`sL>9xUn0`SfVsm zG87$^b0fhC_&EZ^hyc+HHjJJEdQMvjKpp2?9b^l%PZj_&CtwsDu7rXpV1dFaUHT}n zcv_c86^_UtPy^n@2#3?0fPKCK{0M3B((OiN zF<9s^@&U+Ib|2HB&HfZQ9W{qSo2VPF8# z#sU=pIEaUI2~+7ATGa`AGdtQ2EJ*0n^1nP@|y#TC&{mn!%k46W+OASsK41F*dtXbg8?;Nz*9~>#8#vcVUB8H|6hPM`e z(8blfo<}UuH7?x^B?5s|CqQ{L&bH6Uby<%%5&|yljddAt|1@y2K+%2%qyr4zq>cVI z0BM{6jlT{4;id*X8?_Y}q08zgNFV#{1ExCxwsKb-KHN1PtBggNj8T=3arzF+VS$LM z5|`RiR$pqeDgYhk$5Y?&YXguL7W{3ngekg-g?>C32$YEf<3*1v`VJe%fi+h~>Bv7a;(PW~+!G*e=QgBd`eECPqaVba!NNNyA&b29Qgz1irH z0?j++@krc!5h;NI+bvH2_JK&mO_M!+`fiZ|eGes#n~7+fiCUbAxu1!npN)Sun_xIg z3cv+1&!n6JUK~zmI1IDJf%V#6xZJk{4^f~Ofl)Lr3~{rCk0GWfvo(gpVxtg}^kRcY zRfTO7#cgx9Q*!_V8X4qdt>MBX53W;r>3z^psmIuSyQ(9$d^XV^((SM?#XI;iZs7&N zr0?p&$fEsNy5chw*p3%&WWO{SwdCguQN+wI3{fu8BURm^(uHkSd1;=ZM>Zb;wuhE? z50^8d!H24IO^>Qu$|+8xpPe6mQnOyJpr_G;LH){?^i@_n?N@z=Aa9T>$8D7OuVvTX z26Jz$blg)@VSyRZtGHQfWrJ(ByimSqFZ!bopq#mirx7d%h$+{;D!ru z1N$ZUqiOl7VQbx$=iVzer>kk6+9x8*+e$C<#3dw$sbK)HP5Bh^X!&tY4@`a4Y-w5! z0DkR22~edZYa>S)Eo*yzB6>(p_@J|C@_F;CKg8#Loh-gbhIr*8-`3vYnt1vmS@Xij z)2(9pP?{U1vrTyo9Wl=g>SxmPdhWk(Vi#XZo-$)vWJzgV*pOa-BiAv z0KScpVR*yQLFN#Uv28;rgA&VtkqHm|`EuLVVjDfamvjoO=G*^zwEe4nZK&cXMfxzq z5X1<`YFgX3tUi450aMhz7tfX=CwFupiqq?`e?WY^TX6(Eo>oQ7by4m8vOBi$KbGB! zQDTpM;5+aDpM3rVzBfjk92%X#M~*PVyDXU}zV|p%RWV^ll%&Q{Ri1m8R(e9^Ib>+1zvnH6puelebqrkqLUP(jW+f|99y7EK&HsO#5n za~|ii_TS&rZ^T=yPOH-V^IEWV+oKa_DkcSEIUPJbZk7R0@MKWOD#Ozme}^squ~oZO zGP{6*ZvVTlzI`!vTX8I+w_Hsx221q&Gx~8@A#3BE%tbfJZToZ4T#~z)%8S_%vR-5I zzRWv=+Pjc9ZbN?oTCn>Ary;`1KL7#b3Nira5rcdf4BHt%2*h&}hp%D7pHS1(T_aXs z#Lzz@H2@$xUdFSjX2_?It_B9vgIa^AHMUezMI4s8Q#7`R0St5x5E{)LRE|P4gF>q2 zu6hBIQrsH5iq$O9DmUs$)!NstFl_U~p`F@Kz~vgsQ23gZ3jz>Mq^2vLnszsmZZAz* zQ*w4kI^7c!Nt_*{JA?6SAS?0ProGYh&#&;aWI_FjyvDt0y62X|>CZks5CJZBMxM|; za5*F3B|1~(hTlWz^|?c#Ar8wg2Bvr&W8Bw&9hQEn?2YmcJ{P5>x^dm2ea!7gXLx(j z`$J?9&hu#@FOqs%X3h8t? z;r&l47s8R8)sX@%kcge?5;~@hPbGp~ZiisX1|L#6s$g4dxs|ZbpR*-Wh<+)F-e)HW z7G|2?lD(2~`sJ#&(L6{@AYAyL(BKP7-$N)T(c&*v<R53R!4GUR(uQ?54Qp_6I zeOEW%8pXdl`n{MC93jT(rTZdfCN<`sip~Gaz$&3|=vw`Dm@i+gNmvVx*MqfFc>5_K zgRLXKS%KQ+_3pfE#jg#|W#5~<_}X5*eczTP8jJFd-f+v}=grhjxCJx1oSC0OXm^9w ziM^~Fw_}_;YpdURImzW-c_T^=zj^KZem|l)t$zND`t$?+^OVt#;NP4M8`4yry4KMl zo{l=Z(${ZnB)(S%k#HKvDozOD_*~XOaT7K^b!pFT&f&kk+w5Xd^WjV%^teZY-|nBj z8(prTHTkvP?)?Ez0t>&MzfD@|o+?$t_o%SK{aTb%9(7}v{PW1y=O<8y%sY%L2p&3U z{7qkF`&sN?lbgfuj34jmd4SMM!rUeODEZ`O_`cU)?(nNt?Z!n_e4qQ}Na{oQOUYgU ziFcCR>*$EL-|wUOK3@FET9mpLJ%<4m@$Oy$z?OWVr5|r`<+ERsQ;8mlICC`Z(@*#P z7GFB;4w&qMyT)O_*AA~u`t}WW;@=9hZjH#i#FHh`DEd#cX%vCu!xWz9nMCa|5<nJAJplyEJwy_jut@OgrA{xosEpzQj&>+I&v(Dn%8 zg)R9+aVf(lV&jPVk4jcF;Whj=|JB&jwB#BM)<@RL+TWTd3w0)v|7%n4_fj7E3w$Cb zCv2_IF4x@IDV{kH*ob9_NvlFh zUZCdd)AoooCQG}&85-f}YxhL!7S-llpSIz{8M+aXmXcH?8QMc)O4Xt_Re!}1)3%Zn zFk03>mBeit#%!5L@Ybb1p*CGL&&7395xwSKmp5rzP70YnP{{(01UtIrOB(KJPd88Z zIC^|*G2D9)2#IU6e5{PtKQqdQNE8)0YRIAzsWdB(T~?WWi~HI_tUtk2kBVDMjUIAr z)yVpQj|cRZST@k0dmIiY@OuNoM2Zd)X`e9@MEbAm~g+(^xn6}pSZ$d5ay`2J@-;huq*HN*lry|AyHIx zc&oYcX0il+9}t)4Ze8J#KNxCRqZE~9;TE1eU`+Al^Ve|*)IH1_R+GR1o`yv};MD{wyyuu2dEdDol{r%W#5p z1p`*X$PzL*AIEL~8N!hXv~zENmqB6yVRS(>uTPxDyiaYHtGp3=`M|u*yb7j)gK*1E z+I14K1azDr@_$V_k)qTtJrgH@2;oulW%0o3rT5%qyGMP);-ORMpSf}N?NtKGcKPSO z7s+niP5JJXV2VhvR~8Vk0pBwz>gend3Zk+12g@sh0Mes@P*%*OkJ!}^3HAHo_e5&p27<9=-u~Vnv131(bLax3!MLu z@W_LoqmY|z!(P008O+(Cei!-AeVf4P7X-V%45eajEh`z02P+HoO)>#Q@^699ksohA zF)rewLbg^olxB*bf4rT3ew0f|q*PYqdvLtSM=SB)-@xxDw8+8F&;Q6_Au7l_?q|2Z zxc?GjC*+#{aw9=y*gQ!j&II;RkTg^{yd;3ERp{A)P=!Sc^1DkL*+wPN2A0B2rr{h5 zWo6CQf7X;*Nv=Q!1A6I;E;$uRNmhAx+HM6RIyw1nMRHlBTX(o!x3Uzi zVnVl~raa&-U$#sBbF;iCP^!NOaF9y$yGvemp+0RS*qV>ZFh8HEEg)_-P55eTDNq7Q!1^2m@8DUs*V zea;2)0YHMDKMRBUlcM^_001UW%mASTqY6van({8JMLtjdp0I<)hyPeoS#<6z0Sp9i z2GZ;NED9QEH18vi15yG2&_-pjn{*hWrTn1(yLnWlyks^JAI(BzELmTzc}%w^;WzVF z)NuoS2`V9F11&0*{^QEniNPJ%U@ePEEkpwEK(U8MAm*_MjWe+CK5cN)eCS=-D;jHn zw|w2;!rC3)chb46L#ZZ%3CRGaEFih(z?A&!4HY0;77z*-bqE(EYhhG2oEe9Al!>FIO4!bmElu5HEL(jqsBq)$l+acHSgkKzAo8Ca@B)_mq!P$ z&6O}X&i)+mk%xm3a%bQpX8|kykt^X*lMiY!jl;G?LrrI@e_E4QF2W#G{$wj^f4fm< zkWm~e)aAmf@SOqhlQ$5YSNpBfq)|Q96aUIwdi+H^JT!(3)kl>7=FA5~Nd=r8tO3!# z**zF+A5^uB?7_$tMVXDYxr`-ZfTv|+?5eL}7=OW&hfybuFxcVP)!kUlpFtM-YF1u6 z+!Y{P{51!g#)dqQ3aj+r`WW}(AWynHS+p9TZ~dzd09EpsV2{Q|cK{h)k(|DUD2|F4 zeG6~mIPUo`AdCy%H?Bah#I^7E%-*eoX06kc;4j*9*n zSN=8u8Hy#F)FgfN3s>A<0B2GsdXQWvP&&9)T|_Irc|yfdYteNK7X{XRqCKS&C?2iJ z^-PR=NNZ?e5`H*I`+1ZTZ^|TJ`{#szJ+qdQ)|AElfMxKw)n?5~RDf{NlxwsKHFk=> zOUse%iBqte^N?UK-P_*r&S-3iY03| z(h*4YOo#aBxK6y~&;sdO2!0%5O{vyYz9frz^dvw5PeM`$N!kZ-26;u#c&pCR80xx3 z&4ja!i%?C{cIlj%jCi?b(Smf11ZF;6YLU5M-YV#R!NCYR%=+-^C93L4xd&|L={ijQ zGNXBucBqriJNEukm-f#~hQ`rGDZRYlS=T%KcinH3aR{pE=YxG_Dxc|x8|u{s50Iba zMh5FKCCqsUQ1{8?&h2K;p620#X6Cc!V%zj^4s{#;17~U)^xR9t8-BU42e8ErRDj~x2w&WPvd*B!a4x}ce$Q8btY>L> zb74PNzv0m6IB}rBuqO2~L+~s|5VY`0aG5_Ieko$SSGO3@V+a9b*1s+P=~=#;G~S42 zgFh>a zX|Y84zO&Iz;tE(>AD?f1Skr$4>bb4u044WP|>yQ0S zA4-;GEjP6(mgFo`H<|IE=wI1vbCCAUBVTk#nz^zzdX!gB%<(4&a`9o!{L|Al^ZIqv z)ryy?>2rxqnOB?cLgv}lo59YTtHGP8)Pi^z^N{G3-Ewo6b_0Xn%~yUKw9?xy6qa8$ z0)&05%<9dA;^|339(XGE%PJae-R)C+-+OEF2#0PC@*8*#u%js2^Ff`}bJQ7#757r#+`OcrI;| zk#1>RzLgSV!{um`vbCH#4$%4b*4ttGOP&p3v2K;u7Bbq>AJ67?6zPAZebP4p9FIOWC9b$}wErVLS>k7UZ@GKkyMOes|Cizf^xGM9?3`2~ zL4=yXdFfI#;s4lqmEyh2R5NI{z!})#lu%&*DRLhmc6>VJ48uKnOzHTS;^>dUQS6&z z@|O>;Uwn>vEzj8BpK*MTI_g^+b;jfG15szX0E%5od!3p8o-pB_A+}GOiO(NXy23cl zQsoX=t&Y??^$fq4tu$Yfb^wKK9K&N zUFK|S_eiI$=gi`po95Bkulj>EhIhih&&Re7q$%A8*)Q{G{ed1c&Kav(e>KG^)@Fu_ zeiXQQw7J_1yI1ylJmqtb5ja)*X063dv+uC4S z=5^Zs+k46@qVLix$zZ+e`)Wp}wczI4oR_q^R&-r1-tE2xfzvbjmTPBiL&XjES0&Sb zh8xzt2b_(P_>RHue~m=(X~&6?+R<#@7!Z49Ztr%#|3!w`Rt@n`3cb71`VjAU6ARsp z53wBj=;<-yHX`=0nnXkKdZSC+CHlFZn-SVI#CO)oaY_?(ZF$%4;`1N-bzkP5Pq7to z`<-58d~)b@yX3=qrRVA_nXYJ<87>|KgiFd}eFB#a1OPYzwVr`Vo)s+rUjn`bQdwnOaw$PaskriPO4g{Z@cM1#`HuVY zSt7$*@v{S-YP;zNfa3NE?w7X(QB_h3XG#40l*dL{@zBNXaT2@cf~m=Nr~Q!V76*I4 z!#2%_x=&(gr$6~ny7!!q-!cY0j^EIBx6!hu522PWq;sRu<1`6+6kx4GuH5?GRR3{w z=qI_SFG6&^KBxC36Ujz-vIPCkPFnUWKYWoDTZvP={6-VM?|$A+kzjUR3tK!j`Bq%n zhA!BncrrUw*A{Ovm?1*k!rC}MNt;A)(6hjd_GcLTSBO8hE7>KcVBJGX@B>H2hozLP z45UN~SwhcGi6R}Xt8WYLhEu_8xr1*)lXBm=*lgxLF|}Eh4Pq~}K}%sq*^6k3@y&{| z3IJf!v=ZB8m1~@7j#VZpyvfE{rF#+Ti3vvvONm(12+o2IQptnra6YcL{yh&| zTNNS-+!T^-wv_ND?G94vZyuR{AZIMww_}C#@*Gn|{nyE8e(t7?11lQ`R0HA$Y|$2bzN}ap5OUvfNcqf!%-c~k%tl8uq*_~6GrauT`4Jyv`K8M z`VH1?!evVYS3YzY81DYPZOg8HTkGe!L)QCR9faVdlQ_zkcIgDyzKdv5N_{Wgx^O5x z`)jd%TC92MlHs;)QozcgvZh>eS!%6)nNAq;z>*awd2P?NT7H%aGLAp#E?urZ#V|8k z+zgOOe_y$*thl`h5Ib%@|HD;yca^FQC5U74ffAA6HNt|gQ!2G2y(Vv&i>j}94}Akn zvpl>k8WmI>0z<(6;MRuc`z|MLf5#c1xGVoU!&Mht9}`)142S{49_;$xa?lEU2Yqiu zfJb2FqfhG%AJ_JeQK^TxVs)w5a1r@dijt=6n^UtY-n%=Q2N?XZ1Q@4o@kuneA zBS!}Ek~%pju+YEb0Q2FQmULaispGxzrv*F~5$;ZbhXxOn3;O}B6Mv?e@ zQ5(Z<04Q_xKLr*PSKhGX)i0a0- zeu!59@7;1B!Ca&Mq;*+P!!T%!(hz>tFC0tLLQnG*5Dgv^@a`Z-gg<1+du{y7Eo4nW zj_VhHL>)*LfRSVBr-A|ep+sTZitCyq(XQliH*~~`W+fW7NuT{;o&Ydl1;V!QIv)=k zKx_cOJjS{eHb|-R-D_!#doO9S{c+>c9-7ghWzPaiA&ZG4Yr4$%ULbvIpPgR-CdK$eqp+C(@ecenOu$4yR`XOFpNDZIh!XjpNtnu? zf+h~5M{S2bZA@>ECw{JJRYed#vDVG-3~Z5g}TWD@5-+%bO>ygXMTkmyH^`*oWuCHR$Sq zv5h@^FA!o{JnNf7jlCZ82!Y*Yjf#EEd#dk;E zc&<0;s4iNld{_D%&4l1XU9knv-kXu8iDGGi5@X*rt=j*FDw0G(&7$py$D5~&+Ak~a z8O!XR$)ekz6gm0wW*t}v&4cdBkHK4#L+G!0)9o38RmJ5iCO`OrKeYXEV9oxIg5aR7 z`VO35Q>V+qHP z#FY?E42WC@h;LeTQT^F)mpu##^%)JQTa)Tc0mo49aQ$u?H>|LRZRFio6Ys~pMgnPO zu*CAHs}8cIO#yhv`1HdTXQf?jvCd znV4<14Kkh^2Mr-0MHc1}Wcg-xd}&p{QwB;gD*5a)gKxoe-Okf zPU!m$2-ZO$oQ1LBPdUYsv^$%r_~2^zslcoOILvVG?a!Gv0y97y9i%T@|L?76kEBsU z=IYU_-9M|8-Z$sRca(V_??oKH{|SGyXOnq{Lv_E1cdY<;*kuHZGXAZ`4i!@YYM@9Q zwAM*@IW|*kQxiyGOu&X5<3)pG;OD2yNB1)jJq4VH$I$y>&ML20ufT3!5PH47>d7MVLf=RMa9WYXFS5^5062X={@$-p-e)|f zSY3C?Ch#(OV~tiem?XV5xU0evgk_OetRBoFNlIuauHL|I`zR^G{qXu6oQdd(d*XMp z9WS65y6hjUCU=QUWW6z9a{ze_6U$TvzByn%Ux&bG1y({B0LO#x1+mSo#$GdV@ZsY` zWCuEDFmM3;_?*m2A5VU0tT6LmNN$ld^J-d7%%vB1KAJv%&s=FExIk)}R)nov`D%z;SkT~`dpPHt@c2I>%GZfm{C9Ce*z#W~=gUv^iV|eU16V}4 z*!(d}L=-uFHf%=3pWib4FoO1i?-e@^iX(sVLIxfe0I1k!nYKEs70BZ;1ZXO~2NUT| zbLol=UQ<&J%Pl^NKEf+ArMvZw&3tPHb>sLKHc1K~d%)qn#;>PaUDO43#OwfJIx}Sx z2pSuxu*Jck;Ttx6t%d0Uaw3i%(0w->&fdKBmYdDye{{+H!@Sp(nxEz>P4 zuyjt~CyrB0jzx)@;S?+O8%KcN4;v`;Odk9Bn3V??yZx}GzW74W9LGl^PCxA(zxFNP zBtwYKs%*b$3ug5M?}6jh3zUBh(^I2-BgfJ6R$?PQ>txI$oFe9J8S7BNg`oIQ-=m`U zuGZa;x7 z+CkYmh`AsIWD{#!7^i3bK4;hW%<7lKR=l5%{!liKM@#~RS){hj)5FMj2K`21TS*iz zvi%B<66K-E$n$FUIIrzo*}WKB>pYsL@n<_J57ygnuy6LBV77M04vL>&*;qe39f0g{ z3T)HR+kW;RfbhuY5F>GdFz5K}1-2#b?KTC3++0b^S?OtAdaYfSpukzx2f~Wbe zMntR$l7de&`0P%F_W?zPdWNL|#A9^!k*MOT%tJJfS)T5F#;?gSDgAi@o)nFuROkpb*cN?^*ZOu*_rwn_hy3#jru|YB* z&G8v$@*=#uO#7hG%f98TB*f_8hv{CEDMzpC5;1Dm%$G|fr)UiM^jFxPmGr(>Y6)&S z*QEjPR4VD`XV{?_h|C_(*wJiCy{xAjasHy!|j|@B%vXyy%erTUU+p;Ltx~QOR zV(Y=K?kx7gpgb!hUR;10V*_xHdFlZzEl=XD(kpA)+jI5YnI&bwNysZqD$~3i)z9F0 zZkcD8G(9N#W4WJb>Z1G`fvtc|ifMvzh~QRmg+oh4d8ll~sH4@V;Uxl}r!G&+RSJr> zOj%WHIDg5O7Hg|5$5%`x^U*xAhpA#7N9Cg&d1e<2l=K{5R}oTr^nQugLDx)zvAZ#qKpuJ-UJ*sYc- z4wm9!Sl9_!_VKReEEvJ^Cx_)=c!?03<2|WCIqG!J9`<0wqB+H)u;32aDB!;wnglqm z?pP2Aoe=O>6TU+H?B~C&>X02g(XJXXcwK;*%hpUS6!YTOxH~aqFQOVhNG#_k%dGyT zfI+)((>7Goc1=E+;r%=aeeh%cE6qmv(jxQD$qS0m#yO?3%0J_Z{Sq&~mm|R3us|@A z)FoQO@?4PhWeuyEU>8)Y<3B+_9Z=s>hNAEEs6CHTkk?6%75Dsz%B8{|u z&O5^a8cp)K~GW1%7N53w`Qh0Sph}aS9 zpo+NEb~(;DK*p9R{}p)Ea1rlvSO;X|mgQ9alCB!NLe$9n@_F3PtBZxKi?-Wp4d5B7 z@Hl>R9%7E=YOc(?E%|fHRWO2llA zXil1uTj<>0dPKS2K4T$+-OF=fgCCb_FC9=;B8Jly(Zu$1|>(zMw zw~=oigE4U~9O{*@aroD|W6h^Lr%xuia?` ziu=1RXmrneMA({4G{m*cZCdQ6qcX;-f$p`t)_DIV@WzbrgZcZ>Fxn3nMO?-~e9Jn@ zC0nz`6{`v#tv<2ywLnWB#-5rVd15?F0TB{mv`sEwod)t=8@>PeJkiq#Fh|<>p1hMU zy|8$H*iGZhB97FS?%7RvO+F6j_G8OcR-|J@rOH4&YKrSNK&Ux4ax;-}BmezO$Zx^p z+giQ7;`dhcF13%dx&I@@Z~jVnT5KGiBLYCjSRCGK-{S2_RN6FW&=m6To5WqVd>^2X?W0hv$uS)&UDN1b<7xtJ&*w&}IarS^7no*NCM2wU>r2ON)y@6G8G zvq^Ammj1oUpUK(vWp5ysU)%Cd!2}CMlne>25Cvff+-%d?>stnHo$JwJWILmTPGhvB zJ(Uf`zTZHizBk#+eS1=q=i<((t_<4uxTW_#jI};0O+M3K|0DQLa~8}!Tg%(4^vv(L zwPTuqlKbxC-St$Y)1ny1uUK-34iXP>zeKr2B##A!6|xq1kKp37H|MW*`6~bT^6p#h z&hh^RO9Zt0B)sBU1!TbEM}FB&J_X<=k;S_I5(&_QG)Sxa;cq1FkHqPRfP<_4!?C{W zS0Cn|UO=OZr{_NMuS5kbzy@%<@4ws%wEpM;zL!r`?c2WRU$xvP|1l;&3&39Csy^;z z0LZ`o@N*Q?N_$mmB=@(!Nmw30tRNwPU_pZi5hhf)kYPiI1x-Ytz+%Dxix)9w)VPsj zM~@#th7>uHWJ!z)04xv*z(7lv00P96Ig@7nO`A7y=EMnrr%soUAuSj z(v>^ZK+%v#leQH+m~dgkhY=@MoDsqU3lt)J9XpvaSQ9pkENI|hac9pX->&4_H*aav zr%}(`OVlXR&#z&}mOY#HYzG)D0N7x|L}lNVMeGRSBSV9VwUH|h9d|U$)X$+ux4HUd z>%hseXV<=+JN5((GWggKImU1E2`|`KL4ksT3TeB?&$=8Wb?4IY=QmBgrC*SMNI=XzHA1o@ z{qjsQ(m)KN(-)l|L~ z^{CNKS#8zTS78nF(~Uws)z({aJvG&iR*luyUx5u)SkGqFsMcJOO;*|Fx*XQoXQ7Q& zTF_DwZP{zF#dcSYdY#t&+i$@Q*VAg5%hud;ZQXXGZpCfa-FM*)u-J@_Mc3YYQEfKf zefjOz-^Av{s9t;tMps>p*!@@Gg&A(xq<}9PxZsJeJvgI;9nM(ejTMI2B8e#uIaiA@ z!kFWeQBGM}j|Tu*Ukxtr6mXD@c z>8GKNIy#xBMdn&GN_FC+-(N6m#vTHV5?YH4Rn{Acdj@$0L zqn|FTCNvPafRx#TkbeagG&lT=L0RCim;eDbHMUUmxEX^UXmI z{n5@f{#^9aQJ*goB>)&`-SyXDk6rfJX|LV(+i}lb_uYAyou}(k4_^4uhc4duv_lE`R%#y-uv&t4`2N8$uHmh^U+UV{q@;z-~IRDk6-@z z>961Z`|;0T|NZ&z-~ays7(f9Ikbng=-~kbsKm{(4fem!v10fhe2~LoL6|~?5F_=LO SZjgf=^xy|U7{XQs1OPjGKI}*U diff --git a/www/index_files/crypto_backrsa.jpg b/www/index_files/crypto_backrsa.jpg deleted file mode 100644 index 53fafd777c8aa476f699b746c94ca6488a6c1cb5..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 6750 zcmbW&XHe78*C+5F1PC1g!61Q9g7n@JY0?u=P`V&0O?nBvN)r@BI;d2oDgx3WbSa@1 z=`FN`s&u4@vi_fEXLn{_?e6!^y)$?2nKSd5^Wt93TrC6FbhOY~00{{Iko;S~)n7n| znp)jJQ`Jb{;5L_;373hTr?$SJ{KFclRgHSKjeS{fQ!HYR3<>l`;> zoE$fyP%gL_KNpV(FBB>uFDN1*DI+5T<3}nXq!h)ZWu*SogoKKUik5~JLPrOY;)Zfd z{Xgfb9blvc5`bV32@gQZNCILcx#|L7|IFkh{}teWhJ+MEMos~yq@t$zS5SKmASD5T zNXbCtH)FCZu+BP%D5K;Bl@(A3gKp>+(6j7?0<9-7(gyo1)}G&~S>ZA(d?j4i@qMCHr5n|LvLs zXh9_Zh6iEBQhCXHjx*`7e0`jfPkTxRSS5krFoG0vl+AHh(cWCVL^!G{&bl zSaxM#$J(1d{X3D{wP_){1iQgzO@Uc#Rh;zE9kO|ladF|7zV5qlC>NmIS@9EmM*_^k z2uWV>27XhQ7YDhyMdp^NPs0d03h#JEkroH!pSWwwmK^ocXcB zk3qb7(JC+Dw25Iwz{%z3c2J@=Ma{HE+J{CT?u-Rs2FV_;X2Z4s6RwG;*H@BOY~+a~ z32S11rPzzx_sta_>?5p0Xc4;%KEiitYq;X9i`3-9LSGS-Yir%}9_l(P5_TdG1l^Y@ zye=4~_bOf~F*iWG*p1zBS#bumJ>Bt=BfIMZTk5{rcQSdh9DzycxZ8qC5@-)W3#78^ zm+%Hp>7@x{jNq$2l5J(5yZwjpACl%zYag? zZ)_CCZEto8_0N*olsgtCOf`=zC&WB4-%rgj`Z=VW+#epVznghWIYevfkvAY3Xdy77 z`pB3$uGEo34@8L16KRE_-3&ci8)KJL@Hjj0(JKaAs}+9^_}`?!C(&)QA2;WGRi^d% zhB1q>G*>|Fz2LKj2xPZUz9dyUk-&TW69evJ#W7lBJ`bP=Y6R+Eje+k=-tZ)Jj02Dy}VVa)jHQ*sC%j< zdHJE@2!7J;ov+c#i#x7g7YCeWGY2aNKsRo1ni%kVNQC-dXSxAF;J@)c!@J8bn%9SQ zjW3|-26==v#45qh6hgf_*B8QENl=;#iC-R5>2D?d<@$&5Gxum?+{&Yjx}tQi zE2K8N=^g6tg$Q?O^IY3fyq4$2+#; z!@;wXcaZwTLD%e7kiv%CK{cv-k?)yTbG}`|Kp&3cp49YjFSBW%K2!CoChW6@jO{72 zPNlXzHhijNFMF$+_MilXs*qkbzI$>ipQ9_3uKo9YwChU5j8rO`8!=aTEg-^$Xj{5* zc4wjMS@$w~$J|}t!1UZt*$?TvY7<*=5QI&_+cmDE$iz;F!Q`Oj4Bla`5cf8OSrY?F z^PfM{KjezLrcLIFK$Z#5FVXaQyYYetTajn71E}%!o_@77{&i~F;d%=G&D2%3oGRiw49W~jUjaopI& zWZBdL4!Wy!<`x6aZS?~z-4%Ax7Qt$pZ0}!@1Be0nQ7A3F5c6jzm~GDJ_KjzAYo{Yr z*(W-)U=eI5G`#PaGtH39x?biApnbG0cXCv?o6DpJpR;e6yIv#(AvpQ$YD4&e&s;Y- zp}Ac-d%prtdivBgEJhv5EPeaEy(L-KS zUCk?1y8MFrrsS}v+T|u5=QRDY8MeyKz%-A}->$p1?V(WW9^=P*?&6#3U&WSW*Dibo zh%7)QfMHQZQ}@D7`0WXaZq8h~%Tk*;7AfDA2&N4e!K~$m$DlknU|83ncH&sn+&SPY zej{`6CovjrL$mm`qN*LS)V!3aHukQo09`)_YyQ2wKikJawZXPt zuAk?8GrE>93V+duaSl1r4vL}D@J+MswaIoi-#cPm#N?h9~(Df0ICKz-IOSjwRS<~N- zm%84ZRjfKmx-RW~UO?RSiqH+3at0+X<`qEi%x(+5Dj!rG4h%<8+=zc)l#FKM5F8py zBn{d7YJQrj|H^#rS6a)!pE$IL(_R%TZdEGu^~7|fxcRX-H5NN+t=i;G|Gjd=KyQ!O zQBL1+>ufskG?dBR3KQ-Ky7t_`Jf8ScO3n-aOs-wWmd*(Z0VBs4840@o}bsj{Iq zl5Ws-U_tbS7R4pW#S_q*U+c-@7!Jy?$6fjog+*Ilq!7fP#WnI&mR!Em;3gD&dH)3q z>)U%_man+0V*_CK9TK%)_J@7E9*+4w08R9u&QkEa4th7h3sy5uji5wuP1N%h|GA8N zYyxkp=SwILni_1ho_{TMB6PAxHg-N%H^8M2he!_Sd3qMF^}uc7mcwnX+2x&5WDUKxKW#4yxwSavSRAWs*I=DzmM*mrr6tlP z%!o(B4=UoN(O(?*&1WlLfttuIoCUc!ih+7OJ}E1d4)FT%L(fJJWovcVwUd*ns?uLR z?_gfIenj_T{=VI7v3Breg#bv=hvlG>jhv>n+a zUv~vudY1R>`*rhqZasU0H(zE_;nMzLlmgmpak|*%u+XcEHiSx3DNaJjEAG<=#+Qvx zeN_*1eR!>#}`WshQS+n})}#|KaF7J5f_qv>Xh=3fpYkYvAr zeQh0YU(*M8wBSVftyryfHWP`;at2Cc<3>U{f7?oyVH5V=7YDWR;fv_r-dN3e+fLys z=65G@%9fpU!}KH~(%)ncraoir<%&bZa>_V!#<6u;E6F0cBAoi%9=CHpe=YYJV*e}1 z;WXT}fW~0#rL^p`*A?cZC}=9%hY?#(__xraQ~8RRCum1TI+6HTGb<989WrmW%aJle zcpo#0el7XVESZEg!-m=bPlt8yoS&^L7>Nr_EbsZt*n-N8*@0`*C1ogV7MnQ$e7r!Z?aZ=J5X>bK;DGon_db9z}SH4>r zNFpjSraxTuNotVBh+6k5mMA*S^K%s6`Kt-j06VldJSD@(bsD;n%xs%tND z>N%$?GIZE3iYEo=J^V<~2qk@3nq~cgSiOkF<*OMck2}_qKfQ)*A8wzfzjiJ*lLjA! zPQ5S~x91Mr04W}Ag=b79kKpK+nrbo~2&6psMEx2b%cG_?>VYM|n zN!S8jg;nthZ-<`V`J0v-aG>Vb_{OEwjxju0!)i)PsY<5;dh)n)>*0O>=N%lS;bu0% z!_TA3i*nscnrt`%SDTxvt7pa5Z^SeQt)ed#J}btYpx|L$E2yVrF9*o=+KnRG{}5si z_o&U;UpH;pfq$+tgDPB$gNvP@qs+V1H#M#&ykR+bD8c6M=+N~^*ZM|Xmsk_z$E18d zxpOD>G$fd>4>BLwbN6ZdhW;dPP(u+mf~#NIU+WI)LGQ{@L?!4K;Dz42Dm%})93)y#GJ`mdG zuG<$I&Wu+)+7u^Fa!(!~R=@k1wDz#g|I^pQ;7BMY>$rq9#i;`cG#j`4X7kZ(F@o>- z8fLeXpC@i8O(%65MlUX|S}Jde<3H9OF0b+)$vmimFB3j%DV~s)JnVLp1(j+BNJgIs zxUgt8UN)E+NuFQ8QVATJRUEUU+Xm(qU2b!0dsHYlv-!pqS0zYp}d%S(GLMF&KZb^V&MX(nMQOsG`i0~h# z{8VlklY*UQF^;7f2+=uoPNc3+&Ewb@+w1dtg7_iz9 z9AJmw>;%nEa}HaPr&YOi20YEq$3iy{+l~Vvq`UVGxejkWMP68^Zueg_y@d$-D!nug zN=^AW{pLMkP7wz~KB_QmV-wQDq)aP)V-efKm+M1*{WZpV(JhSXk|p=>HGfQTL23(W z5halbe7Xiw0kXWNXMnXdAKOFK=`&?0?w5=ASN0jE^MqRr*8W z*=$kbbi3{&*+ps+T6{Lm#$O{y$K4llc(&d12|QJL=Ii@bqotO$WBKKIINd25dQL9U z>s_1NFVb>!;pa%dw4uJW95g<-*PW(G>dVi>JlE%>@`DtsEnrAVqf38=#**W>P1FnN z-qAOkdNY(;O<_h!<4fg&j5~!*1_uMo%>(Hxr*i9j7#xXs{2y?kXjtoO?H0Ml*dh2X zU7eU*LR)_r(PnMLO;e4n-Us6t;7&e1n=5S)y}0|dI!o-k=VpHVqCTN%#^@xlw)~?V z#`}am^A}~2)k)mt`mNki@82ReupRrkLTnILoHv5a)YjL4E!?O5>C&wbEEmjcM=!jV zw_sZc{(8sagM<}<)(hT$xlum#%4;cn*rDO4G^)9_VO+#gB+sl|4Bp>dx<*xhq>t=F zzW<9Y3A}f#C-cS1(V+q&=9b9Y)_)*D6Y(U6F>s?8`{`)axY^*;mB{wGQgp;*{h0oDZc_{-yva%C;2ww)^?wManjArbw%v^+?L$WwQEH9 z7;m~NzChuA7VR;CWnG2EJF0GS#|N<%ki3nzk-i-zg$Ay*0{jVS?Bg4d^10y^m0Gy; zw!z&4N`gb`4FR+tNHk0;GnD{$lLaS;rkL#8PRrHNxVjeVlg4WW%3jqQG(D;`buOkZRi(+@8bAKB^<^umD`u@a@dK+Fj;cq=nf^k~ zKdt?DLCV>(G3^dPR*t56>xVn+%ugpOZ@gUm*F&8lHPJWO8$;v7&1v z{+l7JT+bm|TEF`rmU{$(ra|Es)H9=s_uLC-UkiVcONSu~rL>l$(i5!CgAS4= zd`cV--&=ZdaCBP6ZDj^oQB7|`s|W_);Z+gIpft&+9*fvt!;6>WrLyjoLymA04{i9@mU$@; zk6xX%hVusshNRBo6^~~vq#ivY%hJD@Tm1={!gRb4NX`o#U(=;5sGTU1zlXK0FqY%Lr3Q zLszUWOh$5mREk15bEFI;zLmb8soV70+0;3$0W51 zn94P4I^sutWYT~tXyv%pAz%WVT|&95BWz`6#(Ce%AOBrt7hu{&ulWg;lmtTQ3pR=k zdjeO2wO3nsbcON4S`h)7OK&$8@6M~caJ~5)cLh)qm-lZk8*@v)A4A*{$f%v}4gfIJC&mg|pSEIuxSmHDAo9an$=$)cayLdZ`+P)^ImFWJ<=;FkBpItde| z>hvul*R+}1-)Yb!_hix9AAiJiS!87#gIfeH##IZ!^(@w$8wnlxBjYkBa6+3?LaP8t z5aap!*SQ}Vg)vX6pA3I|zWsI~f0JJGevfkM`1o83I=ofUah2S&=l%kUSi=ZguXPAk zJ%HTF+g0?t0<;ry$FOe49};kHg?=hO^MUPG1mCO3+ZOt86zfSZFF#%B4X-PZrd0Kt} z-CP!M+_!aHf>O7th&MQNBP)`(s!$oZzWUMaCX4a!%zFA?HmbA-3kO**ltMCc*Yf>i zzK^<4lEC(FvgSLhy{Jf&Jm`7XcER#+&eH?MQQrCb(Co^-TWF)zHj7+~&K|ewLkA40>|NJle{4f0HpFaO<|J#B8pF7al*x1?G+1T0W z;{&z1xe4`uYdJhT+&tX0wzhV0aj|x>hJx~8_#XuP4;G-lL!eN<6H3?S_6B{&pwk_$ z&Fc&MK`xsmU6(%)h0A8WK3rEY6h|T!>H0l)AKIHnrCfKUzGy6!#bh)~rlEKuliTHV zeWameDn~d7fk?Kobf!Ss0{G3*nOLAiDMvO&)~$S@T(ib{V$`i-soJnR5?Ri@a;4sK zs$71|y=tx5aceY2&ZByx&GYJXV(jU3Ht8M$PYeLp?(~IY(Cd$b>-L7?$>l(R*7}37 zG&Y;f@z#c;sa&xrh3MNWmELFALVY{bKc`D&Qez0PH1@}}SJVGl;!Xwi3x@VOhZgHAQxwKMPkh{!rN<{24Ws2diQ_Ap|Sg*sPH1o*x zIM$VL6FJw}Ir5mTlu`0{I|Lq7Youx^eHRE6$+co`6vC@nI1Mo!O@4BQXGIP8??_&C zH$r<+wH%61Wpa<;=y_ewFPoyGDQ&CD+GYKUs<2h-(~Fk7BKXCO5i5zK?DL4sqgKZ+ zJSCvNWmI`i-$)!usu;-RP8y9a+xM&ACGoF&C}8Cr8x{}gue&;lZL4}=OEk~>W?;{2 z{vk0VUJep!4ABBWz%k|0g6hTsS{7^Gh$lqEp_KDF0t2Aj~mOS^w)RJu%I z!s*dZVObEC&3rx5p{(vy$a1XaW419GQq|bVY|~8`vsXPD)H=#k+Ie9z{F~ycU-`fU zV>8JPhsaUS-oVH{4I^jwG{a3GcMn;Ycp_qNLZ)W8{wKGU-MA1=ZNE0e970$=QsOLS zomm_iS#DJkN$rsP0VUicbXFlAA3uk>yT-`5iQI!2F*#~D*r>>tIY>%wp@p};au)rBSx=g)K&zFAV zy$+;JoYNTQsCJcMvAIN7=%5J(?Kg)0nGZ5_&7#bPiM$Se=a?AW__c0`v7c3?hs~X7nu8PljG+D>Z@xFx=flS=_bbQ&Y0>TS0vwb4Zk7BXYntG7V#coCBa-k1;6Va!oEoNDk3rtxH7+Av}9 zuc+2>6Hd1D@#tc;60QOGNvDj4tmF4$-jUWxmu9x? z^XL-31NbSg)dtWr#J5E7q;<;YkuB$aUWx{5KgSFAKKHwPsVL6qbSUqA-jA44acbF_ zNbUQ4+=)_2uF;uT@B0E0n$yx@bRJ6KeXEQOU>pczIh{wM8a>@5P)P7#d3{`qf#;U1OdEqm`P? z>U^7fQ;i*j(bj@~ZMFWfxo*Ht9j?6OFX+Cd2f5lYOm2M_{|P)SU+tV~Gc)l8qm(k; zN~RKj;h5Nk_92Z)-J@JD&)uVa9){Vo>TUKaw54=^pxSG|M?WjErIT0h%6n&Q^L6&A z>)$*b1|pq0nK_P(c~iBqTky(>w_5uKmZJ%Bhb9c-Vh?b_Rs)aFXw>*okN5RTn`m6) ziv{rCci8JJGQbX^#&Z=Vu-1%c+z2c4d4MUlF2w9z;|O+IXuXl?){@V-1dy7;+gzLt zATV`x=K={Gvc^LjuC3Rz4T}j@#U^D zXCb0^{3RYl$-TsqG?_bD1zhA20kGLjfhQf9d{20N*0A>(SNuo3M?BL`i!OP{jFvoX zypwj4_IVq=mO>4!v+m98`S2G;5>M$>%lg|xbv zt?pve7?Evd?UB>p$J^G%=52|S=&`Bj!^+9!ZG9~Eq`mvX?j?g@gE8Af{z2ZseCcgd z0M^56i}9Lx?P+^Yk{d7sP(mxg>OZ^WD&o?$Z4%{PGYENZ{i=Th-@;pY16%P2f()=w zslZ!CyK*Z0jNTP4XdhsU^%~S8cCc-KuVm@w?jc9MN^V(}Z}RsVqJ-EBN8$goq~w{U z6}SUP;UDavI1Z#--edG>9%{7k#@u9_6>l$RDxpvfvH~VpFp>iJfX}gE{O&Ao9m{98 z4=gq)_na@dGB!ATJtYht=Aj!GW`{RhKE(D64*VIGIZ0bP)z5=sMCqQB@o^QSvbJ><_kI|$=|4MWu=~9E+`;M}0O`j0yt8n;DR$&Junp#N zJi`faNOd?53oyaad!qg`jr|AaDF7Dd50rGkeY3~hq51dkf1FbT;ko{P8`iIa!+lS2 zWpDZOmrBFw(STt|ufqKgU8+$9r_C9a2bo0>m$VH_sY~XOxonu8Ev3h|MOPgh6a11u zM$O>p#~^CzAmZmgDyigbPnP|~LBw#*C~&TS7M%q=Ll742;mj=wN}WTbg3Y*Hl}p_; zQ-d9F!{So>kL$hNaXm{t!d?o^JWIX(O2hoq!UDL%ODx<2J;Nb?(!wuY|LVH=$3BNI z!9^r;M@6qkt(OtOFgO*B}xPWl!@G+Y3$>r$j((oyon3>_| zdC!=|w3w;yQC%q!o6j-ZxUsw3vHO~_-&3Nio>eQ3BTtX@j|XC}(_)#LVsAZF@4>&I4Kx=7rMa^KUK_P7}SGqJqS2yQCm;@WJD>7Adn`J11m8+Xu zJa%gQS9lYo7e~qG_*lw>g+b?3nD`;h=zhxtrWf^*XNZ=khh8|Gmo$~vTE8b$QIfK| z!f2`OE_>1eMY0B`M_y6%vZkVFL^5wg@?O8ExK>i>K$6yBlD|~aA!dr!3P8>)Sw<^n zt~BQLJ`Ri0x7GuQY6d(bweWKHjXU(QD6_Ej3UYn%UAC}tI0RNUo4Z69)rO|VmIA$2 zQjv>*HPqJL@D`3EKxdvb|CcmNt5mmEVBI4yaRrzJpI&Gln^hLk?P~JmsgmcVcQBxW zL1X(;98ee$_mZmj6AUbc&%9OtbMk0+cl>A8EOXpFv;HKbQ_JB)GxJ6*W1lLk?Iga- zE32e6a=104WF@m9J+nI^^H+%N+hFFjd3GHnJ?niryEj7BlvaytDS^*2M5ZMntrZ9d z1g#8!V#_kU77cE^Ku%_fL$uCIAvw^%9N1RSyH`#nZ6*V)$sUh7*HZ#&80fS$_hKYB zTm}T)Mtn<~cYmV(2%q_*%=R_HPoVPOhH*|WN={!&Ac(xBKBK88GNr-VrAO4IvFRXB?X)QC(o~tW5Z$(K1B3v}~>NA0e?aDcSw4*?oAq&xiIEURkpv<+Q08*E|)t-W97S zS<7D8b!Fvqcomy?+5bkf2d%TZ;VbJ$Gwz48n!N+bR?Ei_D(6=#+FvRb@hb{mvinA> z7_mUKw2_w)xv=ThcuNL~mg%sgdB@sb{t?w)W@8GA5+&GzdvWR>t-dw!QD7x2TeOjPALOt18 zUGQ--g-^W`Z#`{PJ!vKc;6fKsXkGqGr<|3qfzziUIlO%Hw0vW=f$y!M?6g4?u~D3_ z@d&0Gf2{_$qEV*3QDLo7sl5(B-=rwl^qa2u(gzN3+^U2#RbyFw8xSFGRGzTe*- zk=9{^*fGZk?0|&)~~0OL6d{DVrqgF%tTarBYe(Rl>CL+*qFUwAcd*80oV zhAQ}SAys^eilfQQ8S-OM9t^zgoCxy2+lqq53lyn3gk_42QwxM>M?zW@B6JHF-iGJq zhgV&PYY|hjmMk=1M?%hvK$Y#G(IaM~#i{GXxT6Kd48y#1g|j-%3p$-vnLVpE-5c~h z!L;S;QC&%NzCPz;-vDJ+(NaLGtzC+PntK+3Bgy~2O<*03?ptdsL zXlXD1B=UOa7<0t>UFD{gpTHZC?%kSoJ|%tG`(7 zvtCZ6k59K56!}G{taME*_hhfLsIQ2uwD-}E4L}GwXxck+ z{Wcb!+e#QVhU7LJtv7OrHnU?k3}{!qGJvZ-69MVnDJ?x8?X|GuWe#3lr60c^GB;B) zx)9bkzmIPwSy|qEY&z?0ecSw9&Nw}*UC97wAq=nT_KrjQ=p{PtYq+SQi|%Wb>3vH#!SSkv4c1_rbOuHH3xYFEs|u6{;Br`xh(KO`|i} zixWO$;eZ2U>x0qY1I5XM^7R9IrcM1W?L)ur_2@14*vZ-VviOW~$W+G>46*Wp?a{&c z(b#&KxBjsw%49&-F}2$^-sL22>^64Q)X(Y);N%R-WCbo@m(OP!UH2b^@HADw>Z`yh z{`x98=rjwYLglX^*g4-OkT7tOi$)McrWH?NVI?-XF6*CPqd&;<6x7i5mnI^iMKJWX zDwKNSOlI?(%YPpLIc!Bdnk7D3s7_e`UCeh~qzW9Rac@TxU%oJ2?r)~YR=51AIz8<= zJ?T00jOZU%lF2y>CX%OkOOaT(1glelfWI7H|zc1=!TTMB2JW z`Mi#Sq_>5hUh3am``=*a+~9sj+-~l@SBAWSu0CR~h=m|E`uw+~inp}gw={9l=vQvW zpdy=$LwJL`uMRQ4y$?7YuKD7wxdP0W*1|C;OSe&OJml{sbMANiFB!8=2x@Lb8G0`u z_o}E5*PA!I_P2Cfw`7V}aCB`tTMtG;j|@UrpGkkEUBgU+HI) zb6#`}UXnf=EtsF&P+whzUh@rJUApf)KA+0FUn>o^1E-#Ax1Q^S-s%;X$0uaNyz8>bllRvIHq&6z#5r9i;8cn25)Oy zAAE?jX+IOFr;PbOLL+^m9$x#4bY@RJ-#Ss>uRkHTSCBvkZ%<2itI-ZE;8;G)nD6r= z6f0^EzxUlK8hiM)VQ&aL9$oOWQodLuGNWW=_|0yA3?7g5x0m0AQi(+Jp$rkX`@<=; zTIInn%EfXSjCO;S5qF2uYG?w4-_dVKE-P^oz3B? zsUF9(xtLA%JA;MjcslO(#o$Q!>v}mKj%9O&L3F)cPv@#MhWzz>+%MNU&mQ4bX$0~M z)>U*6A9npNsM z4tY)8-$;Dg&SgU#d4BRMu~{-G+{8$dqFAKJk#}{m7!Y-sE_!)7tg&)FnE>7GSSWZr zf;xMWoo(XR(t3nE`-Ws*z2R`{{gy_2*brMP3D`dR0G z`UAx;a=HUSBC1N5BWY~5pYxzmMNtTbL-n^5Ws_=$XQOk+kRu;5*HUpbv*0{rZ=zZK zraewp!^kXVQQbs-wq;ebiKAsMxG1jq3V2biWuD{4scl)3(yVP=)5NJ`8-l11jh*o;y5u4i;%>G`pbU88uNZ(bCzHRiC6@DYV0h41i9Qz`%s<=G$*k?Pqn z1lgQ>CloEz(CRw6(&)UpJTB>Ay(*-dp}0v($h3aP7-fFNlhW$6lmbibLiFf zfuXD7Fvw$(?Qz&@krM!c<+bcrdT>&+i`&GuDoQfVVv ztKDXeays2t9a;pQF7X3=MHwW%UTfeDOw8!&ZgGGGupcttM8s&3K>Dp?X7?S(e5(2z z3ybFdB3}fMK%QRkm`j@%R>5)fcdM6>^UDY+w2k6rqSW5ojlqD|KRg}`dr{@{iG$_$ zg;`LJ0FU-0Xb2V##us-ASxm3(-Q6U*VDTSR2+8PU>kHzCk9fhGHkRLT~Bo6AAX%uUjdikmxR-p89QpmZK3~B3@Hk z6aGPJ+(E(7ExiI4apO&_RZde)WzEWP{wu%W+kphN`b>mMM?NOKTIuNyrSjjuCIn;L zL&9~`F=p`Od7Cstq%&r5Qsb%wLzV;d)|ck*ce;+E)P;LR3a))+c{n&_6_elO+{N=J zs{I>ycg1fxWBB!Jf{z5e(cp!W*C}YEMr3}QJ13?v9Gv|vB3PkKRBJG%q_W_VQzS;@ ztn59Y4TKzw>RA5*W)p6(q!h?`L(`|V1)00~gPUOS6g`XgmEO+xnCP8VQsGYbv|?#V zY$c_I6n!`E3N1$NCg@Yw#z6T!y9)Z*Ng|JVM;tp|iaVs1`qW>P2&=d#v8<=O-nF+Z z4pR%IS5-t$ZI1;TyaZ4E93)US%(*(BIb#n|ZNqgJ;JTB=-0S1@_3>vDsBnc7LCM+l z1IiMUX0sFGiGR5|(bF}TXK_VO>^a?}lLTE<7`t4^c~VFb0?R3g5FF&#&I>$+afMSs z$-x+SJ71e#=ah_pl+kgNOX_;|l!USXO#jkq_za7|zfLP^BktnQqz#0OVku|5?&&>P zLzbkVmBYP}Oi6E6XnH48Vtg3S@p0UiyUEH+wSpP;32h|Xm4NZ#947kI6~Hcc&IVSj zbCQ<~O`&>;#*C&)QUMs{;o9o7T0k~=4$q{n6>8tD5m^Xey zN&)79t-(X7$4@Q1hSW)MO7gV>oy{*Q&Ep(Qo*q$r zkFpjS+yCM@+M{aFBBp%4KIl1m6%9m6Cgd)$9Xw!rD*;3>*=C~lg;zKfoKP(F9)osF z>!}Ukuh{6`kt_g9D_hi;QU3Qa%mO(4Bybb#y%_4#fH@9Dq`s*Ecs~ZBp(g_f?%CAf z#MuuU3$QwIOG*{uyHor|a4*M<>agG?t9W?UKO*v#5#h@nAIb`CIt@IRvh4Zfs!BG7 z_TOVV)%CG!e2136^l`cNpB{u>=4?9D6Kh&7nJWN3+P&vNqRs}X8(Ry(tCcBlSXU6t z#*r|F_cZ+6O+wzgsRS4ANUZsN0VR=@Ec5DYJgiK1Z-u+eVQEOPx;!AsS(oB>Z1%H# z1y{Ba;5Cp`_t+RBZx@k3oh{6&=e?E&`_wX^cjB1jvz8&bM^pi)O$E`{9F*(N$7kkS z9!XC4{X5yB^UjWjWl(4S6V|f_MjuxhHMOmUL(knnyG^^!IScm4?llcho#~WoXV2`A z$*l86%Vm9!2<~Oh`oi!B{C|tugW|{1za75bxO!XB=bT!2+P8W24I}36li5`+Sy$^v z0&uSl1ekX9<`l)^P1fp3vI|8nY-)AA)=9Mfi&&!BCuEJyT)(yK9WvL>^x*iG1_bTp z3f{t91^7(l?KMT+)9YDFybK4VHNBVowmpV?HXn#n|E7BE=Gh+3)0gRn(9gB$A=hkc zz~HJ7w0AE#q|ZI8x9GFHOWSvOU_oXWo{-glpP6kMp>pd9 z;qXqGp!%#VfgW2>y(7bk-RqCa0&&hCm%EvKH&MHvhPeE1-^?F7Ka0jP;Z}^UG!8v}HGY&ovEkYkx7DDe!LIL6i-2w7U{*Z|7 zfc>-X&vy+$sQd03lde;?p0DCP-&A|rj`?m~dTxDsz6bZfCktQmb>p9;7J4R(@6|-m z(bR|M1hl1E*VlZ3PemgT2{=tfQf<9%ZNk9pMeFN8s;ryJ?8VppL5(0X{U-bcu@jZN z7e}>JpP(1BQ0T>_`+2N&BPk+5xjuQCln$OQNjTSc2SP&EPZ!c7WLwcjG9#M%EXu-D z&Wcv?gBM8O|GkkekL5ilv8S6U50!hrI^0o|UZf8-k(P~6jF&=;-<2d;NsPz0?~}YA zia|V$rl&2fzO)omNH$qK53{ATK&qc!#y3jBR(#SMaq?G{%s8eTd%X0zxD2Mm@5%y& zeR27HRHbtSwQ+HER|!QxyoRl~s&9Xz<^at6K%Zrg886CqYm7oh9}gkWaGk;gx^9yO zsPigeLO8hOgk`}mwg``G!Z2tWNU2t_;}Z`#J=I6qpqZDV~UOMpquZIV~6C3?YM2_ zxa&S(ta5xj8Q}B|82&bD5e%>Royob*j((mM`YTsrh!nv9GZQ@r=xI|sF*6?MO-S$Yx=WAYDXxPM_B zwr}m9TM?RHsRRJ&q(&|nIo7)@G3jr^xaT4i$%-jiihMRQV*OLl^HbI1ijZ~1nsY^{ z?DUpXLSdQluM*SW)RZQ)#y4D*HhrhRhfKq}DQy8p5cNiosuYonrcef^kzsy|v`>8^ zO`}uJU_4A=Vku#9%p^jO!Gz46QoQN4$KfO%xE+yp?oNz!pxE)&ya8^ zlVQ!0g>b&z5n@ZsV1>+L$3SMOQ)cOkW&z~Wn|U*g2eV8MvmKVg{=!hKlyj^cbH60! z*wp6O&E`1V<~T#AMGLn@ zONm7*J9X<2b(@q$>xD&|jYZpoMTdt)$ALwsDs?`u8D@zkSGA@7#u?&+84tH5&yXdr zY~as@d4+)`p9KvC$cBdEgob~17@FH`V7Bt#Cgq?`l)dPwF5j|?Ms{0Qklt1OZx z+))raTdiqTK)RPQom&mal719fX{2098sG`UN)kbm6^I^TU&n1MAI;qU*FT~Iogtc4 zy9V0N>&6l*KgR|8t)$1S^a&*4T!(+zUwb#kFeRaVs`4pq% z;}`409Al8##C62C$e{(fsg3oHbGcFZjVZTDDzuHx`IWV%F5)@@qkBGE)m8WP>J_Mo zqF_M9xO@=(#Bi3pbK}3k`>qjw`MG4tS=ZvV`|;uR!D%GPWdrQ4)QJaYmbQt}KQbN3Xo6)2 zO;DD)7bn+rw30%q6$Vkr)#zUeXGyM1fe+7j<33zS8J50S569+aZ65*lE`{I@x2ZAv zIz*>GWQC?#d9X;LZ(pwceN3})n4x)CCs#VT{ynmHeKY{vwirH9K&OVgF3N=AdZv7;EdwPs+Vf zU;nSEne+JUw=LPn4VmWsn}_}4CZ#vL5tUu)1a>ow_qbOHn!UhDm9Ad*FP$p-sgcfx ze=BjY-#hR-6i|?c4bZnq_p4zfQB{i#A9^QWafhcfw_*E4klf9iIkZwjcC7|w2Oc`( zS=Z|@jBJ3$_Qi)`+)I4GfdHRn=He`8Y>V)Nm0P=-@dAyag~1bq)}xPo?_v!fNXVgY zm!aR}w!iF1EGC)>CCqSo5OaMQii)6gH(7MvSOQzMh8rG&~ z__R&jgozKyb@Mb_un-woR8nn~2exu6%*YFozwk7jzA-t^wUF?RZCgA${c}_#Az#2@ z%Cly3^8H)@VyXBjpYEPjiXE9$O=ak>s}V{%-z0JjO}=2cT~2wpGcOFGLO2|qn4FE} zGFpq-HQlV)wk1NclkC?W4XyhUW%jK=8q2u_S({-yVSB^SEaF|^7_$z+eS5ddR>I2g zB-rTlui3o66)@DQ8S;I|J!?=?Eylht3&~vI+it9{G01(Fim4A<(3tSmDC=HEBzcXz zc!by1_`1ue#1#3_-2tz7r;FqChWG+q-#AU&As;`lgn_qc{t{PV;!f;!;VQ)Z zwBPCUv=|`+bP5+M$JD&bjRH`<->nDk(fMyP2brv0>?#Ascowgb0wge>9I?4>SWzTU z6ix6-OsWj~(Hu-h>M;q!oSO6*n^9s*nlIC1ZO%dlJs0gnfe;&cphXTN-F*MJ*dyZ( z9hHY9@GD6Ea$$cc+O%WymR_-l0@ajC(X{(;oYYF*&{awzl$%0okgnub`7lFn&GiaqY6ah*&dPfQa;`l zKTraV&^PT%G2P7#9N?HOyPT|5%sf=hJcek-$5Zm>Ae&@FQ;vOvHZw#UL@m1_Z%%arFAbRus& z?RwV$$6TQn-mB+gkJl2RlsJo*GJ}`$lGlnOAn%e_`qoSJ(QD0=S4~&~NaMAT%coH4 zEmy-Q)y}fi|}c`L%uMwPWb**5*8s(@Fs6tqRqr7U%sRs;^wgLp-%} zyOj0qB`b*7`U7B{8Jq;-Y{^I2p~re^WcGnf3Wa}1^(qVXKvhJlxOA*U*$Do$?i4<& z*mUf*{8-drXk^-BO!5PxW<af^m{I~4DLU=o6ovXAZH{m#~~oSa)*u$05fkjcwYF=XEr;n^hH7sF{U?}?u`fT5g&HoUT(F4cnBo< zR|<6oGwbk~{M2i87E?6h+%CYsY?s3=YO?t~>#l}vQ6a>BZ_oOBBMDdL)g3Rl$I~T3 zHJ9&gu4f|;zq9cd%KNX?pnbEwx1l^LcMv%-X*WN79xo0WQhx>rKwho})~?dF1pOer zOIv=|c+2{M-(fws{~{lTZU1@0JI)RMCi?s%09Cm(=MSR!vXLYL!ZT?oyz}#R#1C08 zSrlX2Gg&n2C^vZw$0~SQ1@haA3nU@%t6$CQD4QA>_wC_1Apwa1r#bsPd&(X@+h-)j8VOJ#epiCt}A*4TAgcoBc=!`-Th(} z^}}jjBYCwrX7vJo@_e1cLivT~UpMVz zh6P2``i+6J2q&QxdBHpNaQTho(&&#jm^*#EyM@fr#uUkPTiVo=l_?RI%A0YP7Cc?! zpE&CEGsQ+y8}qBbv-K9VOgbMH^mIO&w2QpM%0s>%yG*TE6~u6=kt-Z41MJsny>97y%(_q6Rou$i+SAT*hKK&P$H zdiW4B%)N7mb@_b6Ro=yWR@Dx9jfT0hOvyu9^WQAZ|5fgD*?9+Pzv}%e^j_?V5Ws(9 z^l0yUJIuEQ;lH1f`}rSne`0#pNzYGTUe4(5EgJMha4UeYjJ5%l7Z{j4* z;Co?s?fAb0=Ol1KG@_`9EWwmnaF4@xM5DdcAxyrcNG3FWc(b*koE@YnE~R}$yL#PFCC)v&&hD>o+VgA z6QWG{3-IQ+B{_gjF(-GVYUu9&&@yUcNjk`hZn%d8R$1fx_X~*Mz7Go_)W-+%Q;?#y zW?z~@Q2F_NDJaNkM`V=i6M-ERRBW`w+++-Lf}+Ag!nC7GiL*w^(PVUrWuvO~&MDQl zlne&6W16yYk@WnLYNO%_8hJA@cJF4)fg^*4=q_o4_hzgKUH~JyhV*d;a%#A=tPs{{ z=}7i{yR2qbTiGM_?=q&uP4LYbW*3=3!MQf#1*!SjbL^+K7GGBIM4kU(WIc3Hb1@pr zU0j4^9FZ!P0Vu?#^M)n;f)YYBkI6#FE+vTD(8Mq-raO5W^OAf^QOMhre`l}6(= z6sMPncQ!m65-i44MwUGbKvhz`(buA^R)jLK*Q`EtdeidOJB29g96m6D30Lc5vRxZX zi%!t5PIcKw7K=Y$lLS=oMUE3sTfc-YOMR7C$jEN=5kz9v>P6M9fM7R8G^HGiDI%7O z+}!_?p+CRORyXo*Cb9|XV_Rk-;3mqv=wHrku$6rSlO~P3HN;%p;9HnceTBEH=+sY# zucDlHVw&_{J9krAYK!G%?x@S`O_vyKxoqYdV3JhGpW(}vM*Q!`nbC3jogn9$!;|=d zfwZAY-pf*5^1MB1?)sJxE3VP#T_B5aDaRD ze6Wkbjp89KX6DyAOpO9Y35a!tI{=SBQ{1O%peP5=t?y`8-eYAqySJEV(uHWN@~h~1 zyMta!s_kj2Ogc}cE_s(LsvV0Qr_zI&s#b!k9viz+FYG@d?6}Zlk1Z9Qi+!NCjT3#_ z;M5;Mz8(&~s3^|`$X(a|VX?5EOwR)@xL$;ci35VN(FW<_R z`j}p)llF?9_zXVE}VqkHXNL;V&nMtgFbzBg#4ce znFVhH1AGstx3-gx`0optKTcG-Ul%>=I zh$mbbSPdRnvD{HH&BL+Z!Eq`evpiDGM`b9lnEVxH8`^a zpZobj1`RQWMk!#yHen$qXQ47#uH0qx%7?HClCw(|u>bo(lb_E~yvt!u&S_u33EKTJ zYRt4~%)Lp*4J_c!Am;&@ux|WhB{SipD`5Rsz&E(Zw@5CqS>Ve`E+kJb^jIJS*<)AV zqfVHmiAkh&Bj=)`5M?S9<)jeH$Pv{3Ex(`0MAWYmLoS(bB3W+2>%K4PT_`z9#s?X$ zQ=1dH{3!sx#5YmU0FB;Ax+h0vVm}h>60QPJK%Tqbh1=M7E-d7S6bkSXQ^^JkeWZKe zYXplVM^|d1uu_UPg{$yVMoAx>(JV**_^$S5VXr_a*pa2thQ(L6H3rWLpTDk5y5aTty_uUi4EUJLgHcvn-g;5tv#?t%H zHqKr+s$8friv=wAYr?OZGT~WMV4F7YCXybS^~R{{#ae_MHu@ItkZ4r|Qke@Z>Jp(; z>mF)ej2hG7*ZQd&YpZFGOquy1ntG|5aYmg4V^{i7IEC(aMenO8n^sWhxbdXwb`o^5 zO1d>=&VaF<#MkUClU(tl20B8=zDp_OBQ=UkxppFXnNhbu6E5W9^z5v8e!+1Ujdmto z;!Q#Fpj)%^!m*p6_MydbLnl_+HTiQ$Zo{s;LR0cPQ93d{O`UT&O?mWsgQj=qqO%Sw7BE`!x z!b?;iDZ)(8oG4CdQ%g80%5pma`ehqDnq5O3dPW~eAOHhsqBP93TQ#G~v5LXNWBEpi z1!nlUmsaMFR=K>Z)fcptM06(j8Tpsuc7o*vplnkK?6Q?I+g&Sqgwvu+yiUSJqu;C5 zA#`AP557o9WpFO+AVuCKH^1V5!=m@*-cgdryyip zr?XqHhuD#^+Rbk=ZXQ-`{+pb)uG%tY+=f(b!(KjAo-b!Gu23=UGF|R)+OI?wmh11V zcU7&cGi~TI9T;Ek+uOHd(3eKxSyf+82~sXbZU4dgiZOwO=hj|4DA%6>7g}u)zF``*?JK*w?~B zJXk*cYd`bRpvYO^f7Zg|IKmfP!;|lQ5voP(WIDez_e2H4FOBI`o=r^a>V|CPyTxI!whnqzOlqJr-<(I&2JkSkyWkL{{9- zT3k4%-B=ckoH`6@R{RPle6BiD5mv0BI>ITZbIcp;Ehp?FR^keKoG@0r&l{XLCz7wu z%Nb4tHFX5kzsQ(xNyC^4=U6GE>M3;Uh&67Bb$(HK82m)6|A|^p?eUAorQQmQmAs*j zmfo2>$C`gz3m zGOSTigG0^0O|gJQ36(>`gX0S}hjN&ka#RyCbCU{}n`*&>O3ed?f}46b+j!pS!lG<#N<8D&IX_~}t*3xWa12VH{wzYY*^(hbtYPJaD zw2ykU@BV33@M!$C#j4`bv0KBmo6}itc8H0~g{#Fy$fKgt##5NfO{2vvuE=$W)6T)e z?hM7dkiIRH%QLRUGnLCLr^V|`Oo(O5qlC-5yTxaS%QxuBJ89JJjMM+9*}ug=Q#>T# zlj{#0_zx;~APzW?08D-&9`KVphzlGf#Qlf*dF7v`lLpw)fLjid4`*Qr6XpO8^WY8- z0EdThN5p|6l05zRLPJxzqjJDeE!@%F&!HvUVuT*fThAzr+`(7eaZlXG3N4h6;CR%R zz)!Hd2Uns?OL8SRdI+4v#gkmX?W4Gpq~Vop(3-T=66fgdaKz={^MZTAodEaDbut`a zFp!1_4t5DnyYozs7W}Z;<1X}2%`EZC%H+w=@Xn9|hXC4wOuQfUUNggZo!(#K30jG$dCKX%exSYP z2Y~ZYQ+r9gQ*2tZYk89iV8aMrb2J94KU=Hmd4Y3n5ELIKdiNK9g16Lm;t~v=VpN<; zi?)ohsd_eWNx?I!|_O=+Qwyv@1MpUmXgSG$-pW;uj`2AbpCtn!`+&^aD9*6e0wV{NHw*Hb= zVQ_nAK~-z}+CTufmOf&j+sF0~LEDwLxTk%`nD>wiPg>1;T|-A3E`Q^YZ(t3NSWn0J zR!8wta7!2;c#UUDabn1!V;ZiFAEvVn^#io`R&d2Pr4@(6gI>w4kphCB(K=L-psS8&CFg#W@K zq5wRVNJYbtNq;4S<9GWau<0eoJt4ozCF6)hoH1Jy_Jn%9OJIC*uMf{g*9a zvXr@!=F6EjYsSoZQzuTJJ%RERsqa8R07r|`LjYi2Q>Ra%MwL31YE`ROv1Zk}m1|e8 zU%`eIJCKIVy>|x(KKyra-^Ya;PmY{8bLGvKM~6QBd3ER4rCZOAojP~z-M5DaKmL1p@6O?( zmP>c(PWL~Bz7HxtK79K3?dPAbzyAJy|NQ~P?>_+pG0afI4LR)4tMuq`ur2^bD>1YaO-vER6;*7J#TQ+S5yly1tdYhW2V>B|)Xo#n zJRf@`FUTK-1k%VNkt9;dA(=dKNhh03GRh~Vgwo0?$pcZu_7p5|z%CK|QcN$&46{ry z(HzsvHPbv(%{JM5Gb9~PXPw(MBPC zRMJRKq;swZRl}0XO{eViN=`rZR8vtw9W~TbO-;4bRY`3X)!MWq6oGs6q1Dz}alKX7 zTzTEq*It4BRoGyO9oE=lk@!7U*<_hr*4bvEeOB6Nsh!r^YO%dm+ibbr*4u8u{Z?E{ zlRCiMbJ0y#-F4Y**WGvFjaS}z>8;n^d-2Uz-+lS**WZ5u4p`uU2`<>+cGV-apoI@& z*x`mDepup&DW2HkiZQ-e7|)&+UcjEj#}!esjk}UtFg{{Xu0}9pzE)_ z4jb&T#V(udv&~K$?X}fzo9(yVjvMZ|<*u9VyY0>!@4fZzoA1B<4jk~o1uvZN!wpXy L@x|4aD8<1@FTxF{0XyamU2x&FN{{eZpq*&o>CZ|Toj{9ZP8#N`xhi&u(o(O z^@I6PmP%d8Xr_P+=Q%>)&99t~!6Zzo^@xeW2Y%0Vo1d3qO0^4Bv*{Dcw9EC&?3Ra6 z<+HI$HIH9lQ5ExbHsSDTbc*9bBaH&<9S6t>*z#~IBV-u#-8k0&!4(r(0k;f#bA~Y9XOGRJ`6mZ{M+^TAHIKD9 z8ZeKOq1ZK#w9eNcmd{rcvD}me%Rv?|Q@tI_G{Xdr zr8KL{5UUJ^%0a74=Z0;oEZR{OYZnmQ$~s5)6q1`8cSO9a$wrPW%ojfnWrxBt^gkCy z%Plagz?=2EZCYB^Dh)*O@Od8m9BNGkWL*#9yT7Hg7c~(l< zSNm8lCL_E2mdVJ^Wu>(=4v08ah2k2wg3=X;}Y6y3BD*u@nJO8f0hCWDr{biiYpwU`Xb?mZPV5g#LC2rih0|;1RmsoD-2%xEI_-R0y zdZowcEOGeNGl9YB*Nh2tzA>@Unj5{eJq#(y)#tt4l}ua_{RP7pTU6`M0hdSB)Gm12 z)HWjDl?kuE+}tzu-){*+{guX^+&ra3pXv~=BL0T)$05!FFCf~Ia9mGfm$E@ zWeb4IndSad`e@0a9QeR451(8)cS^;Do4RN6L7k^8%4J;o31EOwB0{!hnl0q*5*;zm zBjF%N7b`9c7>O+Hhv$lvVf4{JvgwPDB*z~daCG>CcVWssPwtQr%IfO}+bnW_iHE{~ zLGjPKu0EaJv3$_>(0q|C+MDf?U|@RwohGJH;S|Ux>;3bM^N=zFRgP^mX`vxO$9h{& z<A47kwjS~MVuWL!+3*GYG1C245*kOzMJI1n|2Lz{#5jiAYDE(O+#34c%6>w zCM)#KxQOjR8ly9n3ZEw2){XQvdnD_S^s}9~(r9z~>Mf;O!_P4fJ(ewziYkVEf8&uo znBY8G)vpic=!h2f3E#Cy&#C_V(ld) zc|7noF<)@qTIAJ&HjRp4+yf?E1p#kushyrcZeMlx01K9wPUVW;;iYP6mc1-E0e)?dAqKZ*9VBR$GCo;K7? zq4tcGVFn6+QBFzO`WkEOxi(!-qQ*x(<7#$fX?UPmR+v(o%RHP%y%D7aeu2!Pvnw6b zCN!dSZK#uR-+zOqQ=V?%s|}vUm2V3|w7P%J2t{jDXxiFqwysb+cZ`-hcrr|{53x6D zIqrYcH=dpt`&$KNdFn<=w+!GBQ5K7tQ@QGGC6~W?M*l= zQ@xG|UfZ-|pPs_^+AdJF0K0lUG%aMfqz$p1NJX=7D2J>=`mR)o%ug^jmC zzucp`q!?8b}M}L(a ztcTWbTAv)d6OfJ;$#g4DP+HV0uGU*$snWMzg`Ud@#Y|^xUypx7)~n`5DQJS6oAY8z zJSJG|UT95E?du-zFjj84tc#4tsiNqF7{1=1ng>!|RI#b4IbfI3a|4&lQmA>BgPIzV z56c$LaTg9An%F^GzaJ<=1`Ho&B5JtA^MMFTv({~zTY%alp`E9j>iuj;0<)upKtJX- zY*GKOg$W86t&e*Pw^v$ZpnBya?KJDNT-YUyrg3r(%{5NJqhu6J-aEOVZ(Ut@>4iE( zG$RG!t9#M=L^zH!o)*_7`(ed{?v|JnaUi|=$R}->k%k*sh`cuB0`&R4$tm#)X)O;{ zb3#s(fYuRFdU7?B>q(xYL>OqI@j|52 zSkt&ZsTnZQ4nBLAW&Y`&VZGYK0YWw*< z+5d-?+7)2{(SZ33n}33p1?8?U^R(YjE1Rx<05!_rzR15uK7e4? z50(-LodKjN297EQAz6Lj&IKtJ+o$k(x`zgFfbBo^>Iu#{2p}v(n*vs*f<*=b&-#76 z2tpncS=6$HWM0UXzyk)|y$JDx@rpvylU{0qMb3nEUJn2tq-pRLI!y_^f23sePcTra z@0kUWZ?l|dc43&PZ0L`(P~%-M=?OU%wouLdAijYR5I6wZFXG)~299vP1BF5ijBz>V zMik1r{t*V-UM}NS5hMok!J?s(rBZ>SA?13J2DG7Lz2CFa)OlDUKb}Jr;E}v@0iIvM zE@5UdVNr!NA<_7-OKaPrfheC;$ws2UH5810Ac#R8#-?ohlN}aAYc>EkYu}AzWsjKC zj~Z%up|3*)>GF({iuQfr6SW z{t$h)nTh?HWZ`2KC-K;C&oh?uv7dTr9Jyc|YCCRm#*&vM{!l*NlA3`866fh@OIc>k z^$12a$U!!5+73<#zO>w zyqyy17E%LBdeiSRpya)klJZ2%C#VdBm`#m>q+tot;}Je}w69!L(jw+r3-ruSw~fA) zdDo=D5+lK-`Pc}*xbh1p~_+@6P6iGr96Kvpk;do3(o}=K;HG%QAszM zzXvSxR5GdA-17|$POMb(E!=2nyyL)`{p?w_hHx9(=t^s7EA9#??*7%b+bn$AGmOq& zM_){JR=sf+2oUjBCiGa|<}swnUETB0Qp)ZS&2Gi_GTrgqgCs`N`2~FerH8uZrSgX{ zyR5&<{$ZQDQ3(0M1}a5=?0yc*69ZY|%dZaRLi&a8(Rrn3vS$R~8gxuze_p|jO-qpr zRUa=<_F?4_aGN=Hqlu<>KFA1g}hvafY3dI{UzC2={Z16GKQND|eMHA+B(#fPm z!d~LPks!$v6faQznLaC4{A|ClOWE|zrH?LMgnU%-AlSo5HKC|9)n-UMW01!>rNk-Y z8AoG?Rl189ZIF9&ksmk^Co(c>0TDP95K4mZ z9YS!wO?5#8`rDO#qAlAtOd{@qz1l777Atd8_19l;lU6RnzC#vfL_x$qKLeLtiz52Y zbsbeAvg``@SyPfB=2 zdRG*aRKyPzE_oXgmE~34B9kmb=Dm^GSBQe9!aj6 zc%)(_!BsZDpQ>JW=o1Rmn6V)8iszqNK&@1#7p^MMEM4H};#TO@r zrx+*RcbAvh2j*Z=>6uB@K20?e(Z`4%b;b>_$>w$Ok`TR?_j{X9ewl!yRz=n1^R`knnjq_5z%vLjTWho_7;`5`4{>=7= zOI^=+qVU1Ej<-^i%gsqA61De?7~E|8SnDK@6y}ts;rBv-m{c_lFi^^OlHg`Ce0YL8 zrhuXCY%}NpJ9Yz zlzG=!lV0)KtdylA>-xZ=EQ#&wvfq9|wgccbJ-wTg>zl{fMx{cl zQlU3NpW2*%1#anDuY5zbib4Sak-IBa^^IJ8zgu?Wszwu!hh>iQSxdTt)ph{@8~d4b znXukZ6!Xq6yLbSdtQvctvqq7C;fGfviH`eqeh~t<`RrLer97{oJgyyL<5kjKU)8fJ zrd=w}!d1dwcVS z{ba^HKbS^y+};1GsGf=~zB!y9ayZ=0Qi@U^tl&L>E*V>$een3lcTW+~PJtp-&p|yk zr2R6GR`o}6&Z9FGq=7iTaeB{yEWGmDpIiYgX!?|nboa;heB16j!r_JpGu-P&jx+Ef zaLoIuieZG{_(0LhjGq^Ob*Lv!n4i(*TpAkcaVFaFhg`J;Ns%8IJANN_uEKuEUvjf09XVg%%UAk9~qcg9ZG+Ln@8`k$%-ffr2s$JiXD=+8k5YubN>Z>}gYp=WO$kl7u zuWOj^HN0aA&~_bPeHpTP<2>4y_i8*)<|aY(5^>LgN-GCB6*}KHSFT?Ci@45Vz*fCS zRNObXqS4LHmFV{y*dc7^YCY=D_C3#4Uz|-ZB{t3(D~G$6EUPY|onM*|iDD{f&Znnx z;HABx& zd9HGg@gCrP#0$j7XOy)0kpD4+oS6D6QNo&h1QDrtD>&h8Zxs0p-Xx;Qg1&HO8Szi) zpSM&~XjK|Q=r9H986VhYdLji1`qPQ|F3;x$);qJ=WnL24Y1@wHO6pUyq)pkX#Az3r z0L6uDX3BvrZ%66$xTkBxhqommdOVm+ZLJc^sAM)krDNdA#XePqY9q(hvuxXo%GFla zMtWcb=xDtp+HlgdLg?>YHlT8-Qeu(=Sd{Wq4Hw&-`eCujzayuQl;&h-G*@3f2SDw$ zIiKjMiFh=5Zf4 zDbBcsZlVjTP>=35xZaVmEsejAG$|PUIKJ*P&O4#XXEd=A`Na2#qVp;H@`3T7e-rN#8k#i*en<686gLWbxG`7cWx28QByYkCd0Q~Q z`WYb(#OnOr&jkhrW-aPQdnf;mkJgPO;lA*Qu2l$VNqIJZ8Ih_hJkuh>zME2#UE~&= zxTCNX&{llK^F>F6t+;+t@J+ABn7YW;RI8@U@|2FY63dsbpS9Ya>grwzdg|)SLxpAp zjFVA%H8v&v^?g*$U%47 z%h;(cw87X#Zf|>#Dcc9-w z1i}V0K~%h+>R~#->op3R$+`dk_JK^i|u;*vl`hHKIO^SC=A6QYy-=naP|BGH8csYtoXieW5>?O?oE)4^QHM08k;X6aWAK diff --git a/www/index_files/crypto_ecc.gif b/www/index_files/crypto_ecc.gif deleted file mode 100644 index be218e25a04a20f2ef95a1060c63967b3b4c9afe..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 4700 zcmeH``9Bkm))1Ix`?tNY*rDv*W2)|!Fb zYetzO=C3eA1v2(HkD*sDN07IDhs({|u(D(hpFMq|HkQV5$9H_U6i z-j&vGjl{W+RG@#WInEQJw!1UjAv=pb&)QB!i#m2!1`ULgD7xgmb-prVfUgD&kMIY^b-)_!H0{x{k*d2J^XJQ3a z`mmf8etCLU68S-x9ZART@>IiFYfyks~xA&espNxALm@nQz5MiD%{vT#)#i}9ei*i-@gB3-d5XHeWCn zi7Xd4rTp|3KAZYAoSl6d*#e%EReTpT_c$t@JN71`hdFB`3Z?h=G+>D3;r#CSofnTM z$5f0Oy+7P?ZzML@t*O8#1UgR=O!+&yq(t}^|S zXysZ_=y6m6#q{$UUYb3S+B^_SEIpVCJsI~oOBeh`4P)0eVZn)YhFd9Wp8j0e>d+l} z8%AH*le#7JWKhfN@W(zcZD#4s!qsvgSY$eF2PSP7rdPK$pY4CLZR%+U?;m(k*1tQk z?SFOvKYe`Qx9t5l&O!Iuta&mMA#aCkhGZy-a5_YJ(Zythr zdt7|pya+A-uJN|`Deu>~iSkR>aKjuP+cqy3*_Dp)U=7R?f)!c7L*HtFo_qT+Uh2?j zsEw49Hj^Q$YJ=PNj$=r+@+A1A^7M z#_k&*(8{f?2wND0jFh!7cHkXW3&lp~IdE{M+g}_aJas#jjY&A>x4zzlxo2fv$0|LE zS(9|k4aV88FU!&TfH-?JkJA8_<{F}gFFBTT=8&DLN+HVoi*EOQfK0Uo_q-UKSaD z@>eQzH85eVM>k&J78b_7r*JC>Ow0#d!S$2r^;3kK4kK*d9PWxk{JBJWmUqF%^a3`3 z_zxT(rZ6#Y7I2~Cw@|3|yrIdQT&%P4JK;$B{sO39GB3TcDH4n4cI9`bavuG-kq-FO z4U6quRoJm7L(Rn!QoDR~cifJSz4l4$-QV|%qP}n6WseS`o%U5GiQo9V&M#2s!Eqb% z6IxdwDnQ~?lo;N^f2mT6quMdGB#1YVn!qkpksmF_dY%1c7x6AV$}=UGnB01uX2j)c zrdqLlt-Lf9CE?C+IVN>QM$K=&TD=hp-U|<8adBk;Mr2NOmh{5eFzBgIB%0UMNAuUr zwXw@?(5pt&Zvnr+oGNDH)fZ3zy5eksuug9$Eci$Ms@yEwqC2}n*9k;n=kgYbpuN#FU%)tmp8HwIU$ ze-Wa)a#1zR3t2x>qImig329M(03IFM9CR%0!K5~U2(_S|uM{ddERno5)6(%DGc-C-f8gA@smHxFp1y)pb&yxTXDacDpG42fXP!>4LKeO&>-fIo%ki|iB?XPHZ7U*F#eR`27t|mRvP@R7)}iNc>S)P@Kl+^YWp7f0`E{Gw zbidB>Ua?5tpj+1j{mV(WpmUXfk!G;HdHM54*`p01;9a2vtFP1mt-GmP6sG~dN%!jb zS8B4a5&A%E_e6;P6Gfe#voIA4pP2DI81S70eHBp+lIH$iUF;5-XCx$4LQ5NUis7U_O<@cW;Jg7WZ0d4!Ni~| z(+*2gob?}kfV<-ppFhcJgj!ZVDPT_CjMeYCmn>Hpo*-$)F_6gRm&|@SX;eClYf!UD z-ELG#k5|CB_PK3sfu5+0?veUqaTk+S^(eu$;N_=!>~Y3|YEsgmN1p={Z~U>i8u(Bv zE~G6T3Q+OC=9qNyG(^uuiDf-jEX8j~H715t-%>!_#w?bi0kjo}vEOi!aM92?wB!Ha zr!td7b9`=Qm-@-s@5-PlzW26wi3M0)>0{(g?nBcckdzXC0Hdv{--dlYHib$2_IsXi zDCime)gSFxf6Zj6v|om>aIE~*+DH0V#B_R71z`7Y4c^n2QhEIq7} z$?|-a(q9ra6_Yk3;K>sMe`n@c>5wrV=gzhQ`v|yER+#NI5V8P}H{H+vqA52clT-c2 ztP7OmH*Wd0E@!F^@^&NVEm6NuCU-~D^I*{QSz+$+VdCasu8)E7cL0LJ3HH+rv0eu| zpMlr`J-jfRd+7+V2n)SDo6F>y_aZt^;0Qk1k;g(th`A#61@c|ag-Ni9!_@Mn&$Reb z`aI<_5H6FqZkZ!!OwRI~_5&;)Dr|_I%UK$-yw6q(^w}goNERApL>uwC>I~)DepN87 zmssscwft4MC*Uw)P&5Y%b^%}2@h^1OO1e!f^xo91dz0jQ!J|B!aBB`boq84Bwm|7I5DB8|EvKoASm0zL)l`YayT6>h9v{u@@dFSO(DTjLU zC*Lv?pS%5-vallK{8;mD*L?bOz20~!M#(a0{QY5aan)qG@9cg1*m8Qit@+eFbj#Be zt8{d?0o0BS{RU>6NG=jnt8kdrUW+djXVLkx2?syFzc7@4cUtl1Ec&i%)c&S|DzZXi zNQQ`dajwq!yKJ5|OBMs}_6}>*`7NQ-;)fjCqCR}jIfp9|YL%8Kr@vZN4Qb*0KxDL} zp%5^FOUUcGT=j)vMM+A8UP`sBP^I`>^)FWu(c^4qwVD@Nu8B-FYSFHLt7~pKi-dfw zQ5C3}l*ITKpiLmv2Pll38`@Gk((G8?23Rr4YSR7GZs?+ZlfWO zy~(9e83)KkL7D;MP53FCU}+N(0w0KznFFqGYC78?;js^(#g^4ygM7u~AwIFX? z5mA`r=i%<<9zXMt3bvnC-Fj`S05kCZ1qIw8^G+m|q;1dhkN z^X*e=?a5^=F*+TOQG~Rzz?8C%vKdlV(38}Yj%FcpK1WNEJNbQkN6AP_DV6L$)LwBy zMhjDxH7FP=3JayguuyPtO3pk5Z$WMmrZ($P4>LPR7F1*z^|vFn^Q4)2LgnOWe*>ld zq-^$5T7|JuJ#cPdYt?x&Ud^$?fKc30)tdopU3d@8`QH+Ff6^yJmH|XSOkG zP~5w+?)s7L6D|b`6m4;*xO;JThZc8tcXxMpcRRS-!TsRw?(WXv{{AoShq%doGSALt zlgUmdnc3Z02`O<-E(1iU9>`~i|KaQZ^6S6Z*MGx*{POz$`2P|3eO-(=`uxau? z)wH#>1p$%mTvNFv-kp2m#?m_rDDIUoJqvfg$#H z(IoBj`vT!mXk5WHAIhD$#LhKQ&j5U@`=LrVE6G%6e&lX80(ddjfRm_+DEt1ZWZmwJes5e?}jyD6A zYju7d@cP&4tTvj?7wQ07=+|3q_xp2bTNySxUGMic0j-SNJ-$#-gmi68y91$Uq`FmY z%=;s;q$0U=?JS3&R8~?0G%2Kz`D*`FyEP4-_ls)pEJkW_La{ z>D79@)$50VBJbUHyEhs~t1#u=et$HRCxbGTVa)@*(rC3k1?+sj-WdQ#5h-+cz22Y9 z1N5f5f$z^Z`=C69p6<{0m;3YW=^o$Jvs{DLX$UAxP80}e3Qm1LMD~-Npr7JYyTRzH z=DQ)-rsc%$-(nw$AfX}u?m%3Ir|j`%%SluJ^Dcrmogr5*b7=rnGq+H+&{m2A^waoWBL( zZ?ag3-V74ALW5@`x4g&G)3W?fnzM2bRh;$I+cu+Ptu(u5Z=59LZ{tYmr^-!p z6J!vnc`rD;rZl5;{j~kE|2($gVae(m_@ZfEX z7`s~Dy5|h`>T*y*I)UA8hnzKet%uQIv#v+U(yZ^sw*P6V~dfKFk*)UugC~Cie&+OH#0*GhZR zrnZR|5DxSFgwKmz|c21ewxr=4u1k%~jB_(KmyXPl!jY zC`Ka=Ill(zZzp@!_?@(V=6!#=8N{;t@R*3@Z)^;T1-JG_&WW-551?j{T;Au8wgrh0 zU4K6B1Tnf;e%=AzDs5kXfk~qT!WB z`!PD|LYTY@5RD`UaMtQVIlBswokj-;Y7qUw#=VOVmn|m28XFbozDo#pPJXj|LUym4O|%*`CTAQQ zlXZ1W%0(onlBgI{^qosC6eXut7#mk^aZIU+CZ{v27}xBcOKlh=r?(peX+Jrpbt6(R zg;jtI!E@>Tq7=+=V-v>gP8n0t6o1MpCM@~qGv@{=*lNcn)eC3sA^eLuN2I14Gw-uc zWXrgh$EI96?sIMsi^-_V#bwrE;X)4q52d0<2;L0FoZK-7nP7&$6otjd{C zmWKl57%EXpn%PLjheFIrDshg=*;vPiB0?l;NeP;{#KebUq|YPX{js^!j)xMamG{mHV7VVRpHs5H$t z1l8VhczSPBYRylRjK0rWdf=_r9tf}9v>lE zpYZ)<#KxO3)F)g2JA%ikwJ}qoSC!#+nU}G@u?@*(vJ&vH9LZP=j<(D1yQF2DAbrfc z$oVK^GA-0TGh`=lBCEIlC(OzuWN2gdC(kj*{OgqKlvDO?*RkyxcC5VWZDuQIhY&>* z6fXZKDaQNYi6&z_KDMcta#M#E%6WjC0^QTaYV&6gN1LAfeJUGpdNcBEkdU7(R?TK# zwefASCYG(rjNVG^YqeKM^{y-~+FTqBXJ8TOxX=mdfJNzTWmLYU0c2@$pQ$!#!Oxaj zkYoO@)@?F8)wOg$)|~zMb=?JqBX2L3Bj-efQav`- z_7CvU=Gx@_eH#Mhg*(f}z%P+|AxFHqU#RPn5!P*@Ot(J6O71*T>0=Lbnsb<==2oLe z3-r+43Ir1on4h!TAG{qs+6occ1$2HKGR1Kb{g}FvWvSa_Q*fJFuD;K`|2XD+_LvFi zzMuBp$fmbzpGcc}DCGghLx(Yx%WOErY5~vGdpedHryi?mpHC$9Ugt;TpBl1!V*g-y z&MwzHwV-WYip24(Z_B&259svj3v_NhPd#^Yu$<{$ckDnZy!7F9--HW%MBQIK5A%R; z<0am0Tr{8C*MWC#)4WFwn;QP!Gu7Ez_x4A4Z<*d}Fvuf?zQX}}WCXVmIjPZSK z9{kiY4RoyXe%pHQrsYHIMhQ{)*v0F485QWhOPc;TEHioNiR*qSD||oO2fr;%^FOtM zYd^1?zTUS`z8*aUKJT*hs3#SA?iZ)QkDWcAH-0@I`zTl^d0*fc*vOY>6fpSy>kEwK z55egVsqVif;rp8A|0>~kzwD3r;*X3S@RKtDRXyOT%pY6b7rHF~W+edsC4dk+@Hb~5 zNt;(vm?%zq;Jictoq7QMOCSSw5EEw*vwHxIdr*l)Ah&uT&q@&QOAtSHupkvaTzHW9 z3&x-HV3xLE>6KvFmtgr(YY?WD zp_b{Ph@2sO|EOU7NmYcXWDKZ8zl9m4qwBSW>8yl#zl8Z>hihSn+EIl$bB2K(vBNkL z!-a&x!qUUU`$DZaBNEjklHDUx;c#r*(BekJ)pjF9Zo^~XBI6~|+kOe*xl`4sQB9JD zuc$GV4@6e>b2k=5)?m|?C3&^Lg?G6})d+?2288udMZ3a<4WEP$xko3HL}r_ZkFG?A znTM5Nqx*fM4^t!|pW_&Yg|M9E2)q{#ypI_hiTP6;imSLrn1ORY=6v*gm$3>dQw_~_DGHJgdyfciqj}yTVm?$W`C@SaK3h%QzrbtH2GG}sVVX{1R9H21yK0TQQE%wYkWf?MA zeJn<*J;i1=r3#x~Y&E&sJVnDJRlGe`2`70aJyjMbMcgA*1}9a2EagZt)tEZP#Dl7; zjmDNbO;0K1nyTLUNcI#qRKt8#x-y&s55ILvIthQr%yBcG_sZ=vcV0RwP2Qf$9g=|fV*riqSQtl^pKCY`R6S$5f8zW$sGN-suy zO`L*?VH%4l3Xe{wiJ3bo{?x$Md@Z;dEpYX~%F`%di_9`a+m&ofQrQa?nPzV}SRUn$XJwj}Y*&`0cev#~9XZyx zxosNdH@LK=|H_;#Gtaqe)jZ3-JZq{>vvlCgoz`kpm1@>kbLt|>IwH6c0EyVN!Pg$1 zv2E3w%-HT4=|L881(|6P7Ws(EC3!fNil<;fi}ott`~1AjbXNG}FpuCZqE>W#c>)x7p zt$brGoj;e5xE`eVE%)5h6l)+KYKQ zO0_!5X}wbLI^tK_YtGwi@jC0G;_^WqhVC70Ssfi&on28K0INsr9ZIp5PupmxOuO64vBPyUg1`w?Y2qyXjKL&(lJ3rjDgqizUz4KDq2MDqT(s1&yWPyyl zLrk(msvkit_!&r2(SNMt<*kdUFMuMv!$R7_#qtNdu8KCrA@RMg0exs#s`>NO7ZJ=!rFW|fezXJ{tn3tZ`h4p-p$_4bmvV} z$)MCe5P2o&%B+z`v?)nw!lk}7oOq%kdV)PTpNXoc*4sBns-`M!e8X(=vZ8!tqq_BZ ztdiG%9g*P2JO2I#?p7C`z4Z8++Z6uE_^h{I{YEP0coi)GHhmX3%pQ1JLr_R`Uxr zt5~EPhR3JR%fW@De5t~(GxOYy44;Knk;ybMO;Z-B4db&{Z~*ShS=seS8Mw)7ULT@} z7BI`y4tM5@WzFj9!q_Y0udF&ro0{)d3x^X680Xn9k-1;8C0!9MdY82_z(s?}1x2Jq zeVZk$iYc$mrGLOB@#>si_~jkxC3U$m%gZGUndR1qMQ58u-OXkB%Y`oLxmAs2OxoNa z;IgM?_O!*4UQU^`&tec#R6@?8+vT#lcefVH!Xh3v6!$a{{q&UVnxECoee?wJW*V2= ze6RM})5coqC+I6+g$QlZ>iqsp$5SOxoNKvB&N-s zYZEL6T=Mc<^5iQw;9Jy}Sv}=l_TXDWLC6dS=BE3sd?TzoLmYpfTw0JF58vGR>WKP? zS>>q4b@|-JVORnP?fCobM8xcD(=A64>^cBfNOX74;g`c~RHsh?blclBa)&R%`ZX^QVcJ@^Dlch%44tgU;` z0_g&k|GW=*ub2UtO)wN{>$_;)NT_-E3n}dxf7VkspTP3+7fn8v&c=xMp^VJTcw>W8 z#oAvkZd9a&Mj9*t!2yTnjIPJ!?&b`O&lTzAOlQuOM#R?C*vvIUeG#@ovTlsWO;Mti0( zjV^XRHh%W>d-aNYRqML55w|RAvC1?xM23CC5;rXEvGQ|yiR^ic-hK<4c-&lit=~2m zgR$L&U)68Ja~c*;hx1YN&cry8z5ecT9q;i!HowW`hg zeZIwgzM~Yc5g9|=B18DQLH@wRSN}=e7X**Q5X^a_-yeoduRECjZ@&|YfX^2iNAW;1 zkzArNkk0mo*y!|D8cjCe>TD3O7{r>45!ToMKd*IxKG$!D z=8FGq9|$D04O4e89F8L32>noZG#*c)R~z=$a5A0B;&TJTd}=tG&lSm~iTh}}SS|r{ zT0=iIU9H!2dK@PsQLIN}fXp2>Ct5G|dsqlW61ppvDo3Ckjxeycr}No-wc3cUj+g7z zdYa*4486ot5zK|deBAb&45fr`Sgd;L`l%mWEzLTOZDt45n1q?O_{cu2F zlw$0GW|d{;bF7!ep8mrs_h(tTQI37v`JM`As1s}>%X2-*st{Lmz$zo~4*j4Y1V!%r zR|Fv@et7+8q4A#tksO0OCuK^LqBLXkA0=517l$c&;_qzA|9DX4NW399U4Dzo;DxhA z2(v!^)le&OQPr{{esFzK(x~gL zW~%XT+VJsACHxy)nyI}7ze>H+w8_Phy%M;({pdfFj*}1@Ob(r*gjg<%vMgI%i)^=H zE?vO((3@p-EvI4EHA9PC z<0r$qQKuY5w($Uh#D{%yT{W}y$R!*7QWg=i=TQN17S4Sb<8;?aej2!Iam*!G({e12 z5X&XjR#m*&*VJLwbqCEygiX=@g;jrSU@BdmMfdw=C~ zJy@oe?RgGxOSMbP>W9Qh)Znt#A6~1;ibH z!x=twQIX&VNL>{oM4<~2g_8S!A;qav4U%9qr;9OET7>+A{(-LLF3OVV5N?7_ikp@` z%+@j^4h>y|{x~lJ&1@a!R!mCxm_8!-8Bb>YXCJQsPLvdLHYV&(F)@g0gv@3(K_~ct zlpIIu+~+pV7Tp*vVRTTA=2t?7Gl&=`gN*-bHn~LfkXj{!O(0e@K0n$BO)q^IGIB1- zAo`GsRBTM@DKV|*!GviVY%HbLeUk)*PC^pLCC)~HmNu&W-^nCK4y`<&xmOUklptAzAUW zXoaLwN2$-Nq3{mtUbFkLqU{_*8*T)&Te+!j9dQ;l@~wc~pGvL;2cI`Hq91BYVjM#W zC3OF}p$o>%3k9M*QS$EB8xcOMceBmv!}!3e{$!6gKyyZzjjv*F^tBHvic#+=p3rY% z(Wra~xe02{Hp!I49+}gg)87f{{-sqhz$Shly;#+Z=ckdTZ zb(OA5LjurRvO_b*D!7FLNNG*k|7)$Fro5RCPue03C4U9FRnCj=N+&IA<4*d|xaFj{ zCb$8w8)UtYZJ{ISO3Sv@1fyqmC`D@ethM^}^xXXSi8?9WGigejravG?n{|(6=_U3E z$m-DxA9c{58lYi4{vnrrcCm2;*G+lR zg(7zn3fVr_ZWa`g%?Y%Tx-%V5Jb{aQ?uYVlwgX`tLN;5q^W^RxhHjh@DVSshfGy<% zQCCp)+DKZjWYe&GB6htPTP$h>f4@%#$#xfR#crrjQL2yG-Z&_CyO$w10Ftlrx{P4*M^^Gt!5@2J;P>NAf`*kPv&*?DCXHU%w7bBF3WGSFQ(Mk z#UEneTS`o=57n=6O|g&N<}V5}qULAjs=9K~5t-#NT*66!>k}9s8nf#ut&U3FU;C%IO+KM7B00nDrRU(+C-|IJwb7$yk zE%HGxBR<8D6+ZDo2@@Kk3s<8caU+rO0HJ8(Z?b_AgXXyYcJv<={rCO6&>{wJy_|?y zx}CKAW1K=x1MGi9g9Akbc-i@k2l=cACAuQ`l|@sz2Bql+Wts*jB?qO@@gyHaC7{K` zlSSpb(qsn*mHrGVKM-$bQ7Q7~{|z2eNFK_;6H_}#wS#K4A`wzK5L12_a#7V+ z%FYyeFv1{A>{F2*_*~`0ycp8`Xs+Qw zPC_8FKqOH^@3mkR|F&OCkB2|dH*nnE%UL18AUf=W&S|R6s|KztcRC<6qUF>=?-Rl8 z85?B~wyIhEA%TxrtK~8Jh&Q5VjHK}1O*vO=4q$gaYXQACG0Jq7c#a(N)UD(45-ZWS zlXlbK)lnHq^*IrySo1f|NzheQayO2pSMg9s(`~gkYzhe;_VGk&NO51J)oP}f7k2h? zRn(2s6Yr1kZZvM8bvCk&h*^@>vGNGMHB91>DYlC{DDz=#2+eBI%>_x`b624%0Y8d> ztE_Z{*1)@lo`F54w+yX+fy5Nm6BSRJ~(d)3BqM zHa|azJdn3?o3${}n*}bodXa@`KdE;LS`JaUE|rc6yinQer93&SJiZh?0uwCvBXM%k zy7x3_@~d(Zf|VXFxO=s@p@O%oGI*k8w5#gRNU9gtn3BYPrT8tL%mk;*+kg-TYaf2` zXy4f|KH|jr1U2?MDAbu~nU(R`33PQ<6RHftiUtj9j$#yZfBc(1FPwhkQFsQ75_wMq zcz4ugwUxYcgYYFMx~RTElTLX{oqKh6EA>Jm(;AfitqOwN?a{$2ML{L+-$s`_iO;lvHCM#?=&je;o+w4w|AA^qOYv&MiSiw6wWKM}64 z;?Aeh%8%j?&=P8s3apE$s)$sILun>OA}u2Q?!m=0qWF6MwM~X%|1~fEC2keeRw<$G ziIyQ3GE%K}P&J8Jw5UeXB%d*yB-mY0H8@mdAW^mULAS(E(;!z%XjHXF%Cc2iwlPto zc~f;>OmawBb}U)0;!$%q$#7X*b_E}*C3>iN1JSf6hO8@>19O&xfTLdDSGOm6idCMV|dFa5<5wv`IG zpD6@u`cgEB?ix84cs|zM5REhlp1C!LWAKxm<%89k3-h0a3zYK<|9#u#HA&F$N&yiF z(`A|JtGkguTzZ*l7Ug)!YI!wqhy(jNFaG!s7jqr9BBw;vT(7(I%{c{@C5msVnG zd2$%P)6cGp)g|6dY{=@*S^xXVwuP~%vzO9~LNL3#ID_%HxM3p)8@z?gkK>0g!Zh~J zl!V8ah72`#_(D$m=euqzod&kHCUeXjQjuQgADv}D-(qLqjf&pO#V*BW9dVApYw!li z6F%;THlgw+c`4!&J$Tf@h(cI+*XmJ(0H8#Ork|t2Qq`f{n8OdkA#NteAo`J^P_|o3SOY_2q%q(Sf#aq(b-BhyJ0S>!JSeHtxSBU1SVxaZ?@DBYt@t8up`f z)FX44Ba2WZN#7$k%_D31Bb(44y4|Mz`A7DtM-ILwhN`W0q3E`%W;Ro%cH(A9Kabrh zjy*~V)P2o(!5YWjrpNNG$6oB(o-pPfrKVO-X8kkAL0iYjSI2=cKLU_X!eC4TO;5a~ z%!6CZU3E?(C@{j0%)?Z5B9_dHJ5Ca6P9iV{E~QW>@YtLmPhwpyg1?_qZ=rDIh$gn2 zCdP{CQXHnhET=x5rZKFft8z9QacZXS6`D$9tDa>|ohH>R9{e_;PCaAIJWx~}%p11M zca`-bY#A-$mCil*BWGEvd)5FWlA|l}f_hlTuvF!0Rn4zdlY82PeArQQW>~?0QryinQU3@#{QW@VrjN6k{N94NNQ=?PcBOYvs&(ya~kyxag=bxASU_9DxT9(Vm&kb9o8n0B-&+{(E?ZN0F0`8&SS_5w!w=bqtts<1*#{&&T6 z82IbUSQ|k$mhSbtVD~nDV)<+F#^iG4)Uj*+K8xS0Gj449n z4jXR?GJ{ijPg#mk%XZ{8d1&Z2GXcP|e?&h}<`Adz4vuapQqSYX6OV_l4#s#24*GeQ zuIgh5xd|`X7;-UTv(d`(5ieE?y>E#Dw;q4Se?S6eRdXeQw?uK*#AZL%b5Ayw)Ri&8 zbM5FiU%Euoax7cO_9mCvU){7+YWCAOeZdWcHu9eabTCpLFsB}@*lZf5mu ze_q4=I=M(3$aDTdf>#m!!&c?CVF6FCnTV}6CZ&k zH9Jw%5V>2sdAZ$ysnd?lt6(6%<-!*~4dN*OzkwK3orpB(#redKhy^>?m|#zermhmD?F%OM(P z{|>B#;dc#meMs|v2sGWp)^*Z!8(??4@3C3u+jh12YPEenUhr8e|MhIYE#L@-y>)JN zbD5@e?J@I+d-mP_*{wXc@8_g*Te2yP?&4_Ls-8GZuK5QFT2XQNZ_Y zb~=UK%?sb=Renx7*sgXc?_H`mKFj~3DeXgE!%O=)F+Z<@QrG=mJl5Cqllhy^#801I z4qv)&?lG>PTC6SF@V;%ZSt}zEtF=CBdcS=9%r?z@!Od2KwQp#{-UHiu-uFIC^+2Vi+&HNx9gQOqNyN8kFzSMW`~@KyQA+@VVlkVmvbd+1%I0>v zyEwh4oXHo^L$y(RD4#8sOrx2>A2O{t|5Y*sD@)0I=M&#I#PDHvaxz) zIhx4ixTiaPH8!c!8FI|g#66#^Qk7^_v1zB8^Rt~Srt%MNp!v>H4gBe%z( zT7|Ff&ySbq^Xut9cTTh!t%L#JamzIvf2hLbTAk!z5n46~aqa}8a=+xeOo}zFI}%Ww z5Qh^*Vv|IWW~vuTOafuiLSQ>yNTS(qVYdT+&0!K+gNsTyv^24EIksXsP*(_*Xs1qy z5+!Id$dY8ZSILqUAj=J-m^D2PJt-k62~zo7Eiyt;9m>fgjWabUGR-P8D6**JT1e9L z#<`A76eut$Q&r|F&=TBmaLDsrVYtilLr^`-3j*a{OLM)r->BrQ5`!s=Q`XQ?ATumG zPD{VFyjB$FN8-{{6lLQ6N`cVqpaDdXh*JYn&o}|GKL1?^3fuQO05w3|j&lEc_;d3L zeBz%d4P!K&bd8hT?{rPG(meFdi<(&%#zVOs)h(Nj@71jsCGZ4M3m$A+b*Ec{Ryt=L z2{czh;s9~7Q8Q$H-N_FUU68$7!8m$WQH_p_!p z^DvfGHuDIcS5xUEX+a7 zNsG4Dh?t*u)2tLJuxU>23*&Bpw2Z?=lUtSZ!G+VxhILuXYm;q7FRr|CG<`_C+4G<} z)Wt=b8T)cxKfvF4K}G{M9IOJhb6w}W zZ}HspAP^C4F&x!+r8Uv&z28l;et|#kTK5^q?$luXKL0DjJ;0}aEIqy#E-nH7hr=Yl z?pH_|BK~(ahcDmf8xWDeXOHid#mVJY4FA{Z^HKP&paW+_C5$s? zA1Xt-i=ffkPtXt_#(z;zuAM&6vsf3-{)YrLj*|)>Il)H2o8)H!)esfDM7SKjCTe53 zD7~XYRG0zDxI72lSq`GN5-%ynZ29mX+`&jIuYD6tGxqx`#grly5=^PL zY=*KLI7%%I%@v6f%(3 z1m__FZJ}RGXw;Kp{Z$F*ngldj)F6$ThUC)O19mMbP%1_!tvhpB(o6-qbEOi`^q+Bh z6etMyDW~*D<72+_RdgSc!<;AW304Uxa-TP}WEc#SVM!^Fpk-qLz?o{i?NvNH*2$2} z;z&5xf+B`6xTqU3fr+{BUmS99@zjU8P+ zfAnIGGAXgn^~95MMl$fSRk;hfkQr5sT$ze-@Mw*xpVoh3R#!(%Q`3lD&Q1SSuEq{K zH>VL?S`oZ!2L8ots`IfjrsY}RU}tUp^I0t$wLdJS$RZqnfkPP=HD-tFk~ofJO&P|m z>OGfK{$6|~5QVEYqMBCaw0Whz3#nUzdDv+XVkQ7OTdG(~$us2}*8yo_gE+qKg^;a>KB+ydBRlPuSGh41L zc`@`13J7}((k(?zHa4<0=LX1m>O%~^6~SCyyEss-!+k1K_BhM=-vy>*{L#r^f6Z@Q zaX)r_Hrr_oMe5X&;B;RN*?El6>OGG?1H=jM{OUip&Q;sHA1<$zj-w9AjZ#Lz820}2 zAAcZWX<0K4m{rvW(75!NwQyINj9Kvv=2Bn!3qI|0-zU~kS)cl7uj(RSt=BN8S6ZXx zn4|T)*Ckq&iRoaPa(~!pY?*4dvV$LDL=yM8djO1(HZ*E33y0M6@U53fPKwotOG@Wy zz$UPvmD{YByvF-{{kqM6C6>pkX$hlJ{PMAWNJdSs?5$JdlQFZX+H~M1W#JnBQB;)o zWT)#vw0fAmP3W`wpB9hK{E?k6D2j{*oYb3 z<1~9CD>f^+E`zY%RV4(g95v!eb_11N!j7U*WcOW4B2X>ABI4f%}sCoU(G`? zD}ga>89FB$wS4}#;~7cq{gg}1W7U3FLKYqON`gpG}B;>H`383ZeI>vt`Vr_?MlH8Q*{2`aX}z5GEWT ze-y#hdJH&qN8Jy96wxTW&PEYNror;%u-Cp#HFk&QN$}-JE4;0O2t&%kKGRfd-r@@(DQlW*Ym!Q^7UGlN4{D1G*4XnNhkO9_M2OfSCUBPW!ubn8;mph zNl%n4IC8a`2gxvYPp}j4Q~%2a4gx;ETP5HAF?&E#|A_B5Tn9W<=#CzkQy=n84BGQ| zz~A2pnuFirM;NG6t#C$|Rn!Y?pv8TLAuRJR?RTcice1m8|KJ{mqX^acF5dAfk@!8! zg??WDr?PMQ&QD<}c*p{m_#b7)#E^m#2*R@nYl$VR`pm0KhAQc-I!oBOyXMWR(kaS# zxx@@51^B6h$gT#FFZy70;sClIGWdA>_`T>b>c9A5I=Kqarc!D)mC}TEoi%Wh`mi*Z zzmxWhp;Hw6^o$+&NFanE%KRHC6TVPoAKX%sZjnM9{<k7=CngE_*m+hyI}__ydm zzNmMBRQ#S%K>>qnD&CV}@FNL6Oc7G9DiS;?OGG-IrzpXlz9aSym_l(XVep5_M*%P2 zo*tD3F+T~9PKJ(bp}JT^s!I{Mq9F&eGMnn69%7+B`ra>g1GHh4x;|2F+``Js@14|p zH5JR8XCdgidzmJN0eqyX`oskPhA6jIrJ@aKx`~+~_eK7Y*<7yU?dglf8)8#Pvakn> z!3Wca4u*asWxOhsd^5y7+7n?Rlg=d*g&$#AD`?v(0RJ$~!Izf3Kw>-l&Rp-$+|arkPRKS)L}}crDHlwcd}4`XVTsFGX^3V~r%t)*FsVA&kSZ*&oX68VOw%ZQX<5ya+&-0x zJeNw@o_yD#Op6;vo7-F~n$pXjSQz;PTh-KuqBP$H*L=#L!~@#|Y%Z0%XG}sGPhp|Q zZHkjwC@fwazm<>MQRY>t>PrzE5Sbg;Q7qa^5exI3Xqf2tkr==Nqw+IT$&|eIwzzS2 zO;b}%jgMSC0ZWCQob2c{M_Q#GNUg}N!6&Q|31gXKTJAffrZifvHD~U|J`|Hm{Wo4p zLHVzh@T|D0vLn7frY}u-Xk~dUO+{*DMJ`RHuVpDixnw+b$=l$W2`Q?@u?EXn{U%M# zQDw~)P3=={KWSEes12VtIjidHtkpEo`I5^TX~(j{)R zwQ6((RJ2*P9Emn7(zeF}VoU^q_ncUH_t)$O6^4t4O7dklIVJ!k}(~Eq0gi)PIL8CuY=}kwh zd33<$Tdt39Q%rL?Xjo8wM>YQhj+=ifw@gG26FQ>dFU6}NE@PnHu{=#cW>_KtESbg+ z9?`kZ98^nF&57f!l+yntEaX+aB1trn&oogiG*|9FF{-=VCka`nsfyhS_LwrHQY`j2 zR2PgOreQdjx~y((uAv>?TLg#h4%>1=C`an`!NK^YZm@yY-`Z&@sAJvE$+jKf! z4zOJP=3-E$BbPrbsv0&rDy$}RWmshw=hQ87)wPT4nCI%CQWU*<{lIeFVZfw4Y)S~zW?Wc_hPS8A-6dw@@KE!KA|oLja@5_V@xb4^nRfxwtt zW0nkKzk^wEty*EnbiE74489+x4PGBc~7JY&7?;wvqPmF{tUHMJh1DIH6u$Y z+sLKV1#1|Io8B;FTELWxBbOQrQ~0V@8ft*I9Y|!!s}o-`(9!;R@K7(84cNz2HZM;jjUtooO4Q;~TysENP9ubM_ty{sX@xsh!=2<6^vF2;IfB}OtU$B3zGjTX`rF-n@&lOzo0DDaJreP%_r6WMNXK-0FIvIAdC5#-cF?bIis>MQR9;?cG}0#auleRGkQ~{nEe2bPC6| zTNE=am9kQo#x!ANr8KH$&8l{6YI&94imIf{tg6^^Xrma3A!#+snl)?L zw2seaz+k5~!gFG3tCmR{HoG0R_iQD`nq_GRy&`;VGk^}tlg_=qy2!cSd$XaNp1ugJ zfq<)lo6g=9TNOi#3FXrnn`^x=yP3q(34v?9;gd-m`>w?kz?I$7>nSGS2@u(0mE^jX z!Cq3zZUb-~u4galZm}I`Ic8%sd55mhj03{h(f(c=sS z%e)AdKclQYcbL0no;~v;_J*gu@IpXDl)Z$TaYnVaMfGq-kF-TkbH*&U#caEWNPKtq zY@3W3r#$0`fD(*A@n=PP<^2f(vD22w$d$y=o+QAPEWs5;iXC|Bmhv?aYQ!3ckXyTP zATT<>|FbtD?j-@LmpA^EX>7n3(C*v#npVq|-RhCu)1JM|m9yQRb^Mxr-kx*Mm3z&V z|Ll?f)t-;VT|m^4NBNdd+fl&EUC78?%;8xq&{3?$U82`fWcF5U)luTaU24Z&{>%k2 zt|x0wC!^k8LD|lG;_hzeQT)P*1^LR0-y4C}EBh0IKe^p+Su_wdDDct|a{mUdC4%sW z;t9p;te0tTVB~4!=xoG$DOVD$Xr&I!eX9-1Yog>z?Su+DCU)y|3;%-3Ao5Q)6RRP8 ztwHNd0eA&adet>{c9y*-LwR*wy8#7wx{o`%uf0N`c3iO!3UMo&-@Q^7lbRbneL6d2 zcUpNMUfZSzAbxwK=e2b)z5r!jhQ8c}MP6j9y!`EWd&0U#<9Np;-bH1-7*TjzIa#ioL6}8+Z7w!|RT?1%>321_)<~&39Ze5go^C+DMGW-W> z-OFBG`;DDI+RsBQzGJVh!`9AYqwd-;{sS}cK^piliTAv<`~3NRTm*U?t!X^$R!IFF zRO>bY;tikw5cu8eO3U9)6q0V|I|SfAaqGUL6j-$a9~AkXDDl^lcHSfS_yK(9NPSlE zz8;9Duh{SPMWUdw@P>mEjD!O*IV_XmP)Yw!0O&Fo z&BcNyGj>$Dl4VPmFJZ=%Ig@5hn>TUh)VcHJfq3}b0TmjQC;|XJ@c|erRH-|o41Wd% z06;2Lpilo@jduWFJEI@Lh7~)OY+18s(WX_qmTg0a$OSJ;K1niTWy&HcFU*XR^a0PNMLVo4aJ5I# zuQ!9!$($RrR=rzy@7%vz2j>lZxNzUbi61Y%TzT{4&yh!G4t=_G=hmrTufAP- z_w2xZ%AGnMfZeb0+LfoP9&7ld>cz7+EKe?itwF!K)xV#A{(t}f_aka40SO$?zyc8j zYAc`w5^R8Z2ouOK!U!;|B(NMqNivZP`bZ-WBf^lQuw?VlwGVMK(WMYK64A95RV0x_ z6nU!A#v5_WQO6y5>~Y1Y$eU`Y^WF&@8@xiLT`vQ&f z%0m%NRM7*LJkZfbmt4@D2FFxv9(NX-iZBavobk?(?CccOP)RM-)KgL2=>P;+ZPis* zk9t+sR+F4{)+U`=5Xwb)?bX+}01dWFVZX%ZufYKRXbm66D%+I1@34#ZS!una7TRgC ztv1_hwe6PMZ>Z#Gv z*y@e<>MKxNx$fHQufYym?6Ju%+w8N^PFwA@*>2nIx8aUk?z!nUTkEG$rdsd4#cCR7 zNsXFU@WBZ$-0;H@Ph9cE8E@S2$03hg^2z=wuiWy>F^3m$U8CmPbE&Tmo!Gm}bEh5C zQ9oVv)LCEM_10m3UG~^%pWXJ_alc*n+k&I(BV;RwSMm469 zjcasc8{6o?iGdJ^bxc$V@n{$7l@5n})Zrif7)U@4QjmotXg~>?(1R8fp$k=L{zDDWtedDC#J~3JrbmB3WE!2lQJ{nSxj#Q*29VtCg zYEPA>l%*?mX-n^Uw;oDaG-^1JdQ_z*m8na0 zYEz;5RBKw)rd1uwM$_q~6Ee@F`ta&V31AO<5Fo5%?J7x6`ck#RbggY=>s#F#Lwu6c zsu{&8r2hFypMtcfrn3h;#7b7d4%Qxg4QXHZI#Gu%Hlh@DEMpbhSjawBvXzbOWhq-x zuH@>2b@l9%uo}9K9`CIBu!lYd+Yi;Mb^wGeZCc?P+qlY>wzIV@TjxsC&+7B8kJ9NE zhx*gO5}+R+xyL>J`r(hV5`d_|jp}oy3SH?&m%7unZgsJnRI2W_s-exQTt*AL*Dja1 zK9R?H zjM*69Z@UD}sCPxX)!~hIun?B;api&B3k&viuQlGhaM-T;j_1DfLS27{2ju_*n95UL z9bCP^-E;cJ8#Rb$99~vwGC2rf;ZSP3qU(`qfm?b$+WHY%9wa%Yo+Y zmMPig4DOZL!|jK9{o!b@>I2frC6i#8&EW{Dc!2IoAH2xtF7b_6#P2d6w^8loaJOsR z?J6LO{Ri)Po$tfz6Zg5+W@2(;PQ3?Jx~HC?grQaM>1N`Hr5<%VBa!NF zHe%Ja?)9*jCyHQqBA&axb*oQZ?NDF)*p&!&FZ;RAb*KB?(@5}~)AHb0OZe{2D&~7U z9OBj{vU@8o(u?a_<*+8X$Y~vU$fvv4l|P-7F@0)`OCII0);y_K4tmFjKGnERdCgI8 zb9mx>@3h=`%#@A6Y#$cr1Q0sWS$lMUBz^XV-S(UHr{Z-_rQM+Z9=yl??X9DG?D!`B z#_9cL=bL+e$gjSqn;$-O3;*%QcQV_be_~MsocuF3|G&>KaQf-J^>*xg#{Q1G{)Iny z@WwsvJtBU1Blm9erZ2hYMQ_zE&+#a)06%W>9*^^4F60_d06R|rKd&;SJo0Y$FO zR4)TlkDXYr{p{%V2Bhb<2+YW;y>5@_j869epdR#rA6#(h)~t)nF6xS?>d>z3#P03D zkL;Wd?zj#IiSO%jaO}qKiF)wsgfIwwa0ioc?v_w+e$e>NF6;2F3hnL+tx$>B&jWwx z{YGb0|E#SZRErp8$m-dqZ4dMXdl280fulUIB6zNR+z-{={ZG7e}_)N_ET5;ZJ(G}6h6qyeer4Rjx zQT>Xs{Em^8wlEU0#|yh8{%+^cJ}MLCA=<1F(&|A|unqCfiof2)|1vKC|IY#E@Ld#< z8y&FVMiZX(sTa$ktiy0*+x;@yyp^o zj}+6d{AMv35h@s|(ipK48M87fxze&$vMBY&C9?!34GkyFvKxgm9X*cbd@?BAGA;3u zD8W*1j#5Fo44Zx~FAowWt4Z8al8j1{FaL5d1+y@X>MQ3GbiOOJ$PzB!@-ZDVG9lBK z{v|G)1edK|_>RAQVabGe-GyMrE`{Y4k>mXgFJRQARXt3{*vd z6h(zJNL7kOcQjF6G{HDjLz#3*o%BMR6iT18Ll;U%j}%dQ6ue4wNV$|qyYx%*5jv6S zN-HKw9nwb86i3xGP1$r!rOHal)Rq==PLFd-z4T7OG*9ugg^V;#C8;|7={lp7N(Z%2 zr_@lTG*JoFN#WE_rzA`9VLkP9QumZnEj1{_{xqK)^+5qOr|h#$LDfw|byP*QRLiJQ zH}yXtRZ=UpRWJ2biL_5s^*_uMQ5RKFZ8cX9bysnfS7QuSXO%xz)lOlxSY7p4yHr+# zwPiXLuRhgOp_NpnHCm}PO@Vb;fu%=T)mXU|S-ll9l@(jvqE>xXS9|qbZ#7-bRb9)q zl&)1=*J4r*K;R^#{MmBB%9Wt2JS}>0R};YUuP~ zeY7=O=MQIx9QkkL77uqU7KS!0>P2wFc##NtZT294!^d0DE1CdPisr<4Y_sz(ROCd)^#wjWZ712yOwQNtz+eO zW+l*WRd#PvDqo@2Eci9<09NaSFd_|?W(n7D2N!WaEpfdr2$zos$*yr@j&jS+Avtn# z3HER!H(=k;aV58K1$T2PS0g|7BG1%vJvVVjS7BWjVXy0H|5hyIRbt&X^v?DWbr)~9 zHf}p@V#T%)@78FAcXt7?V*hW{fH!xmw&jL5c<0u5pO<+}_T{qnZW~W|O^_`3;Wf5`B_kHy(741+$<+px35dQ}=L*SaeyJbdR`*CwGej_=#25il^9$TNiXicVMSb zbI15~*%)@6ih_gqf=!lW1(Afo)`fewZHc#zKNxP)7I^KrhWS{8-!46lQ&tDA-Lb*xPs-lC-XRxO}U4?b&@IhUXC(1 zd6S9TIF{XbmStI~LK%EV8I@0Ymvvc^e|VK&wv}a;lRvqbiTRj48JRmdpl*3~bD5W+ zxtF7v1AiHq`(ub}nU=LVo4I+LtEid(_L-%5oTr(b!}Me{)tbi@W)Cbvm)V$;IiBBH znc;b!2?(5_R-DUupUs({X-JhR8JoSin+bZL4VsPd*=6;)pBdVp8=83lI*2XVo+-MX zEt;M&TAtfAp&NFg9r~jm8l-n8qAOUS3;LuFI;By1MmbtvJvyXeTBKtdbx0a~C;Fl_ zI-@IEr*V3x{=2iK;q|3udZ=gGp=)|}O=+_nx)n>=7ff9Qw4|}UE>9PBVvb*}S=sH;KT96)TPZ-5^ z#+DBg5v8g(kV?*l)DaK;FxEhuok}@*Kvs9zktd}$w)41bFK^Z|E!67kQvbSP*BZKf zXexZdt&OnGkdW&b(h95is4#cV{8f!>(9Ni*xt064wi<^Jwmk0Al-6C7W=uLg=OUT2G$kXH83|K;Y zeCiZCaih+DPi)GgPWx=J78#p<`WJt)+{%;O%jKtNjT}=dyU5Ml$-f-UZ;q~&s!n28zYezyemGr&D-T4*SoK7y8d}E<9YtO zSw7}7zKgX;yJ;|rBc9`-uI6dkq9(o3oxbUz{^_MY>ZyL}t-k89{_3?p>$!gGy}s+g z{_Dj)?8$!WXPt&9288tb+p}F`*&f4>{nuGo-rs%PTU_2z{KK0a+l3wPhaK*dy|k-+ z*RP%3b2r@M{_eHi*+rc2E!^0*_O?|{-5Hs8dKcaG-rDUR@W~xqf7swbKlDX^^hv+; zO<&-Xaw`Yht=IR-^L)(R{M!J%&tboRv;2OQT+Ipn$qQY}?_AA$pUmNh_J17E?HtU9 zfA$-@_0!zXd%Vkazs>c0&Y|4(g+G70JkE_A`Ylr-#^ynKmO_8{p}zA?|=UDzy9&R{~i780m5B7fdmH{EQs*nK?L#eHGJsM z;emt&0VuR65P(Ji6ges+xDjJJk?uT}+-Q(w%7YQzp)lA76&F z+0tjolpAek9GcT-PmxTEUhFB;DM^z>T~C;`JAMo~vgE+=4&ZZ#006vp zn>%y<>^U^((V|O_K7cy4>eQrLn||#&HtgA-Eqb;sJ2&nA-MV}8{_Q(BaM8Gj3qNi= zIr8Q3G&6s$JUaC0l`r$f*Dmurc-y;k|L#3J`0?V)lRs}hJ^JqK`@n>4y4ch+(FfZmMag zoPO$QsGyE2YN@22YU+TNcKG3muD%Lutg?m(r*qQXIvuXM=F01?zV-_2ufhgP?6Afb zi|nzc!C9T0_B~5qw9rl~ZMD>1Yi+jOS*lg4sDA5hxZsW}Zn@;1Yi_#eD!6K2+RX}Y zyz%rGa|u7~f^i*wF8@BB`!$|l=eanspm zE6_h5ZFJH|FRgUbOh4`PXcJ?nowinEi~jZ1T4&Am*65uq^S4%22p3gh&wO^;Xs@ky z+bP%FD$jDyP4|fQM*MKYQZ6Z@ZDR7>oZf=t4RPLt4{mtkg)fdc~YDJ zkBs@{nv1--<(z-+IiO&t%#l+^c@+~(7NL%MNvC`CQ&%j-z7^ZHyN&zpy64XOM{wU< zcksdwZSH~6%USJ&(fdio?;!kcO_kQ}`uEQN{{Hv>t>68Hcmyn9@a`75fB_D6Ey>7?Rs=x@ zO0aJ=YRQr`qa+^rt#KTLoZ}J*{=yH6u!A8a;Rrow!Xu4uPMymf=v){&7|O7PG<;#_ z+NUo0RY-n3$%)wt)WfIL&vpMRA^?qu#3L#ZE&?>56Q7tf<9%;>Jn4+`K$AQxLa#QX zq2d;sV@2tOZ;an7BN@+V#x$ZaI4ew_8`lTNH_9=NI9yi)iPAbAwuOjCxe8lmS30#M zaga+aBq0x(wkASxk&J{D0#B$Vz(MkZWVvhhxqh^(a{Z)wY1PDqiB?4>V3Bt`BCO^vT98Zp;+%w!^SnaXS? zuShw^XvT4x(yZp!^5Pf%U1}4T+}x%&yU9CV{&Jk;RLmng3Cd5RbDg40r#soH&UV7{ zo${2JWiZn$@~twJtn4R0|GCeAh7OkC{H8$*iqL~9beGuVi_HdD&WK7>Fv0vD0xpWt zj9xS^&g>{NKkCttf^?+cgC;dkYR#0Q6r}_;S7t1@kq#|%rU|VnO>b%-aZYrn<2+|Q zca)jcsHQSMrDr^=guxBU6N5lf>QRmQH>kR(l24uIRJlY|sZI%+0`+HC0qRPydNr(n zYU#OxDpUX*K&C*s<4o@Ox^4+Ff3M>YEm0-c{m?S6bh#@aTQ?H8!gXzYEtgycOV^$B z)hICWBM|?{*!uqAFNoo6D64?S)66!qqTEBPYBaJ|j=IK}T>N77s#sdmY@{?WF)bKl zgA(tN7C6JiqH=0$8ZXY)n6nLEZ?(7E&|L9)u7z!DTcZ)-icz@4wQXu&`^Dd$(WEM^ z?nto-?UG%QSY#4s5dkeH) zBCgK63vLU9O{G)Ks@RD>O5WiYq4ITchgm0z@DE&CYB zJuXv`txV(`**MD&EQyzb?7$nhc}r>jl2ZAm89g^g&|XH8ph3x1vMPG4j25e-zY03D zGDyEriSdld>)s0gaDEjYFitkz!@=?~z=^dlA7LlpQ4?sgsum)96-?P3=Ffs`A=_kc z?P(vLcPpq~wTC18Y75u8*8e@Ver1VjQ*YX@t)^eEW6kSmdn?5&uJ-UayQ}2(2CbK- zaWQjSo1uXF+u;t17h#KT;y5>Yr7ha?P#YBJ!do`(UbnpmE$%MrTi)bWuDI*X@6&2= z{@w$Z_q(Ip+%T>dwXZ!lxtB}u+~Br~fi^9>i#u-HW-*KHjyJ%QM&0X*Ji8dC^I%$Dxb(*Ra<0 zO6u}+W1FsQk^S_rHB4#*Yu)I;9-^qIZSAnnt;JCFtWb&C<)&U4%5*jomxUZ>C*gU| zaIW*70WD=3shMbO4>Os;JfuRS8Sr-gyWp`r_`LUs%TyJ-|p?@c~^C==aiNH6-)vzLABMc2>_e~Tgh5rN1< zCi3A3H`dmjzRHP5P3f;BAHEbW_78*N^b$WC`N;lx{3PsP;nYxkFh#I7D952e0GtbYpZV()(x@0l5DBvb=PQY0l^Q&fQ2 zwr>f@fVy&k4fq)$S8@|*auirTl4esGC?L8QOBz^pUgv>?#B4^yfBt8J@j`Z1Ra7ci zRd2_Ff2UO~xFd5{RV!$N4wF?ccqXt%d$;F92thjmDYDg=P}#6m*ohqVWYKlq0*M1*B%h-Zk1hp33EVp;A2QELc^uYzq@ zxPZ8FaFm#Zn5c=F$cfmqgQi;$ciWj7&8-Qd>qzatn++QVLF=jUL3fJ z+1QHPh&!(si{H2ylgKpM)^O|AJcf2!7x!EM_i-4viSO8n@d%IeNE@FhiuX8*_$V!< zI4VsCbWayV%2sMhcZ%F-klKil`{Rw^$dJX;hP1eOZe@C!r~Y~{D1B;%c@`;*8~KYJ z8H^s;iy*m?#HfrVnT#iijI_s(p5l+Y7LZowbGcTK2}zR&X_JZ6h!53}J1L7$Xhu{7 zl+FcR!^Ln6$BtoCiS($H^2n4+`HuFOk5Q?Q6S$I}GFa?4KTk(tj#XlSgnTy%mNhAs zZv>6UK^mvJeVb4izVX_t42mwB0%5BZCd6q2F$k%9S_gUOMC zS(t?RCVNOR1IU<->6niRnUN`(lS!GCX_=RanVGp7RjDZ>m^PjnmZ3S8quC&E;~}Sc z8L5eytErl;$(pa}nz0F+vniXkNt?H6o4JXbyQ!PK{>hua>6+r$G!xfMQRtLSiJZr& zoXRvg*x{Ud0iDk&ozY31(`lX6iJjM}o!QBq+v%O%37+36p5aNJ<7uAN$(f|7o}$T~ z>-iw7qEYcFpYutd^=Y5?iJ$qYpZm$5{pp|o*`Kp0k^^d(1d5miil7IoptM*kFy){R z3ZW4yp%Y4>6>6auilG^*p&RO;>Diti>YgBaliZ@2C2FE4ilQm1qAMzy!pSuEDO$-X zqsvL7GisyAQY$Q~qdUr@J?f(+>YgPG+|n zXqPZ9xORtWgMNuZSjwdX+IeGwr8W4a3Hnq1IVfifnxjz4rfuq`Z;Bd0iXl`gUYOQa z(Dxsnd6j~-d@_TLnZjxpqF#X2r|u_yhe|r#g_Vk>r;J4wGkIVicz@HUkhuq^mx`&G zs-iC1G;|7DXeV*cL7bJyam*!@Xk?ti(vHxva0R!H{We;#ih#+%Tg3%&un}9x#ap*3 za7F2==XQxAwWgX%ti@`qjwz>(x*y<`8sk-@GM5(W=Q`DxeHRvVhPr;=2Vr0_VqZC} zdDLJ4He%)llh-$V3+AZwcc}4qt@yP^#rKkR#a{2Htw^_g_X@2sse3iYVO$ZYF~@VK z=B|J?dPhcjZFhHntC@9 zXcRx1Zkt#A<&sgCuWs9Fhs76>$NeOZm(*T(G_n=8LY9YS{`RT!F6w;+pCx8 zy0KburP_|YHM*=tTtpdgzy2z4zja*D(-H$Waj4sF31?`nN^iEBTBGWY2uGCasJy;f zan)0*6eqmP3p7(}x!J3|nu)a&qHTR^EI!4JAJkmxA_;S z-7>aw<&S$ibog7p?7Oa9r(yROd^0I(`3knnwy1SWUt0%l>3g`6yItE0!4X`U4ckt1 z%5ogFH%0q-8OviEtFxEqu|K9GkJoyTXSAnRvTf$GN;`vVm%_Oy!WucksK>#H=OZNS zcb*4$IjbZ$n|UjYW?Txx9jtglYqCVFc0`i09UEq@=fN78iyCWqG%U4HD8W~Z#f;g# z4Z?fA*L&ehbulS@{ycYlhFi9SORxEdf9uO@$EIxN7q~Fl#`CIufc1<`L8xbY$7pM? z@_V*?3LLEYF*qyn3UZ zT%*X8s#l1;mTbz|yTwWbn&1SfNt&og+90b;f|Pv9wM@AbY@md5iwlZWEu7209EU{9 z%Vs*mT533@Y|F`8&+-h+C5_Va ztkMtd(Jg(M6RlV1ibv2`utg?f)CjKjx_ubU(;97v9PQFUjhO^JEaZs0%!8DJmX6QG zx(LVA2HnsME!9zd%`7d{SB-fKe+`*14Rcxvw(;84k8HP+T-J*{)=C7_fDPFf zY#pOq)T>*L1;=sf=vqgKj>JpVQw`dmUDbXa*`=Ktg1xxcNUd#4*hImV);P$2+SrUu z+im{y*rxs0Yn?!48j@(5*L=O#cOBfnJ(8r2+mVgh;`=|cJloA(+q-ky$BorQO)OCD zTcRD>*^S-WY}L};(#ieY&Mn^Iy&uu--9fF}!>!)H&ECS@-o$O!-F@B>4c_Bz-{gJY z{9)en?a|adEHJ9w0lwV=PT|EdIS4 zSet$2zN=hGX>bKTMk%i3-#pONtlddMF(|GQ!&UjyDi|6F3xaR6? zcHGElF>@ale(>tY#df}tysh_2t$HlCax1`#)vpR1$4CAj6Tar^Y~eMwS`aH^qaI!q z3$$Y9c27*#JPUd#t9lG1!Z>VrQMOvD%);$I3oukLm|Yr{Yr*Sj9WNnEqHE~aMo z>w_0T8@#d=3xlgOv`ky#?=2;2-s#G$&xJ}5T)T1(?$rbgzmS`@^>^5JOOVnAY|+Tt zbW6Z5_iA~YzlbizT^+{m3w3l%*u5seMxJbPoQe=W7o2|W-|XK(qq*VL{%ufxy1h%g z7PRoO#o49`yr6sL6~C%l6uX#xySbHbx8d+wuDe57Ow#kaOU>~RpSqr1@*saj@8-$A zN^zGRan?QHC1u>57Bl-WGVM$HP?o>mAGXAdKw1ZtSZU_qYi6 za-ZxV%-hW_;%m>cX{YzAN3$ku>r}46AFRWDKeK#qv~cJ4F01M%ZsLhK*Io3|4z$CE0Kfr+2^B76*wEoah!G`Dq*&47MT{9WI*fM!pF4x@+QEY-lBCI!BU7GK ziPB|Dm@H+kr1^5D&6+WD-qeZHXHTF!h3+K!bEwgxL6aU;iqvUSs7$3UrTTQL)v8gm zUe$`#Yge!=JAO2{(d=2YY1OV}YgQmZgY87lm0OqYUAz8y@$S{zm+xP{fdLN|T$u1- z!-)|uR@|8JW5lta`E9|2ZAFhJUD`C;u^<7!8`+xmYuB-1&z4=A zHUiwab>kjL+qZ4tzl8@UKHPY5 z$S|!eGcPcs-0M9q+ho#By$IZKPCDzfh(YhVYbQvA+B;xE;Z|$y!zx`9lu&pC&2!O_ z6xGu?M-lB#Ox6%}bhb-n%k;HPA7xHb?g)>yujCHGr$(Ixg-YNI_?TXnM}voABlP4``8#|-ma!Js`?UVGm(7|w&| zlJi!E8^)2r8h3h+s$LKJ71*FoOtev_{z`1gyvTwqN z)iPUt1vlL9a<>K8T*XCR(r<4g$Cq+c%+GWjP%#Rojew+0;gTyOh*QOD%rT<&#g8c;lb%+V|!QrJgn; zYZJcT>otX5(M}Ux)kx}3t(49F=b2C6c}*v_zWVa5M_zqYwJ&~tLi4vBR{r<5eeKx= zP=FVKo9pxvp#mXswvH6)tU*_mUgwMU2S7poSD{umNc9(@nbicB2cylHlIvUXF~be6=8-nG(v5O zEbF2ek7maxjxmZ(+#?iUa>lRitYtQvQQC@FNJP2_fI(zr5DUn|xga1O_?ToRDM`s- zT}g(Mlbq?sWkMHXONIXSlAFjvNiWYC&V#1Rp$a=Gt{1`!mVy%{vo2>rPL8llldIs8 zW|_TK-tvPu9Fr$OSV9tZQiscgq-1>9NN5VMcKv(KMEplh`$6xT+r(x!fnz>yhSQtl z6lXcf`JEviF`Daa+asCz&Vxoh^|9J!Fl9_BDbg z)Q}1ts7wyJP>42Eq6K9rMI&lawWTwG|KupHdX%1hhBTie6=_LHdQy|7lt2CKXiIlA zO>@TdoHC{9Ol?|IoZeKYIpryA7U@!;;>evSC8|n|T2!PSRjElGDNBR;RPzM%q7|j; zRINJEs$%u382;sIR=c`YuZ9(@V$mp6&5EF*E>*2eU29v}`c}7^)Tw8s>u6xQQ`YQ8 zuL$T(PyLG5zXletgB5IH2}_%w)>W}>N$U>TvpoPTFs^W=>|`xlSRQ;ER<^C}YGONkTa7f5^@&SB>?$GE{gH*x}7Gblq0Vn9=t zx?3(Wb{R!p;;=Y4;7eb3+lM~!Zfd>nb2NI*>pby#Z+eWbUZvIByG(zt(eRUW^bof` zPNP@8@n!X@UEPi>6S~A*HdvT7so@Tv8FRXpV7okcK{mVDSa6o1oP`;|R601=Xl8c) zpJ|E8KSw*zOC7YVt&3tSE1Hci<71PDHe+xb8EIBT=#uT2#VqFJ#)HJ8xAiDRKYDR# zAuA)49U9~|{`lQirt+1m{BM6_HP+U)F0I`p$xB+YlD<9my7WxJ1wXEqp+hjWih0V2 z3tN?cOE8%$eqmUK9J$8*GOvXlt%pxr+AD`=wF!P(L&wybul~)dT77ex<6P%C=Q(l) z{_@)zoaOP1<FknM;+^0zxq^v-t@%^9qD6N zdfCZ-b`LWh>~xKJ&)vRrxW8TQai{xxzrJ?5irwscM|veB&Aac*JLvEF>O$XZ7xP%mZHYnddxx&=U{Px# diff --git a/www/index_files/crypto_types.gif b/www/index_files/crypto_types.gif deleted file mode 100644 index d43072b14391345fc99810be9221368eee065ffe..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 11401 zcmeHrRZ|=c(=17Vgdhp-5Q4je;1=B7-Ccq#F2UX1b#ZrF2)4Mh*y1cM!JXwi@9#KY zU-VQ>^;K8(RP{*7Nb>NSti8v4e~<7#TwGlI$82nW|C<*G#utD8xA{N(p9B9tIKcG3 z1pF@x2%q2xA3l*t*BA5!f5K+aAE_@K2>(hcnGt zGM!qb{%9j`Je|#KEJvoPbTXUA^>}Txscbr5B=|F_Y;*Z+v9$Ah?X2dC`7-5V*<4u- zDunmiC~P%jEmcc(#sg7;UO%fAtIXyr4aQq*pv4xGc}N$nwd-A;*T*#(fFspv>-*1S z^6mB86&A0^($%;1yTb{Ta+aAHwSRjMY3w#mZ|h8_3giq)1rr+fX3Eu2V^OtRPGU>t zJ~+N~ww`5HTjlpmW}BP_cKV=_D<%Q0UqB=mj(ao3VlP#<_P>t?25H}059qwbn^DP9NSpGd?>XvpVDm>GgJcPLw zc{kQ})~eWsa_3&%b-ANGCd`xx!p43JG zz_g{OQPz^p+{;k+BixTMxC`CS7Sxgc8f%b;a-gQoaaTf`-SDCXWaq%zp%E|TV z)Hy6-rlu<@xL+A9*EZfLJ1oh-YugHTtvJdl$#i!o%P0u5trQb5EiEi_&3)1Y!kM2m zDyy3Dnzwb3`}m+`Esa3N3J@|XW|SQZ_&BLQ42dy+l*=a}DMZM}zIjSjqc~wm6Ixw8 z!cfB4x^9cAkv;LBQetyX>a0V`q=TjFqKNOT`f~NA-1T;!QKeI~r|O^LqRPR)UPP$3 zeV+(G7Qglrcg{>>I$t$*8|oJ(_P#R{%iSRXdNA8Ceif7z^o`rrdGu1$hhvP>Z^EUI zZ|C`Hf^!~L^6m^$eLa;jY4N9l>YC|h=K1}FYr8mY4X30$1?Xm8SqkR1psvO2Fr#Tz zbGxYTadx|egU+%%kdZkZ&VG;x)xkTePU)QFzA=9-U=y^gWHo&etTs&M0wYf zxP^~dTeFQ!VVJOk#g37*8#=I#38PcnXon@6k=5;)*ln~O&^aq|9TG(PHyn8-8+IP= z6bW&k;C7IC9oBm&ww$7F`zM?yU*-9n75B!rE_?4Pyj(^O)ZAT;{b1$2M#SuWzL+wT zWxa{!X8n4#;xzqwGe=AQ=X&{zde40ptC3&bF@8Mn<4(4c-@{>m(cATTe6Ns{#Q?eA zHEdw>?LA%Z71E3YSZoW9_p=4YtQ_z*zxjyqAoLz1A?Wi>{{0T^uV>uP!mmCBYjn$? z_qG=ycx%QeKY4hbWY~hPT)&~6aQ`JNV)gl4U5H+@^p_ZKCJcU8Z1h!1nj61UIaGLo z0?VjfOfu9iVl|oqBhXs>yP`_uSNR>RA6k8cSCdh?DLZ)A2Lnu8&Z=vw((hdfB&o<| zV}9dMVtYt~IcP4_8~b;#R_=!A(p2Ik(5OkC+ogXzp(hqGQGKgOmnGX*NiCH(r##`2oe8{*i|3~z z#^mUeti6hf@ug&vyB;+qy3QDpFXc$q>EC>Jofy}=$5KJS^Ma!Gdwimlt8H}BQ86h6 z$hpmgB%@%ci=9sX&WhrT_LSu!RxmziSryfatQVGQ6aYT>je&RhmpiyA5Ba)Oa1J2#5-xxi1*2XIBEyt z10E_awW=leXjYQy$8wT+4Zts##_}q*>;oD&VUN|M%!FlXnNN|X+iO0fS7#Ck;9KC8Df3*<)P_@fnc#slkZ~Y9>%`X;La)9lXMjD0-{HVy`}^R)a38~?CQ$yup-y_B zJV=4A#qYwF7TW|Rf3gP8zsimwXWPxReZW`)J^YuwG#2;WKrmrLq)yikR@=i6TU)ez?~u}k*+Ff4-6m=G=x`%e5gBCXh%ls*BY;eQ-ej%!RQliy>|dmPiA zYD{aJ*kkc|95=>j${3d4=g5AXuvTn>XDv;6$E(KS{j(^pi;+B&~Y`_IVi~PUY5Ob zF4@w+BkG`>{Y*PTW7+J`f@L@SO!2k>_&fi47N|G0b-1Y9FX!5Fk)p>iSYSjli$bo3)g(7wOV(T}6dlV!4_3irhOa5}1#a4ifhm|FsYC zcweUvbRUd7HjjQ7b4|lupBEDDm{1V9R`BrMj&}AesayQ-mc~Sjq2<}r3 zcP@mJxhfC59R8E+9KX+X$_@8BVb^&s0#03;{US8Kq&IzSbAJEz zTB7$X=STPcy<+#737qu_%HQ+2s`YvaoPON(}_vA4L17L&_UDg81koKE>42{U0UtgEOjrf_Ed{zD>aJ=JffiC6g=v99`wo)U;WsdV zRU_bsc1YNvA3QJvK=v_AD?C84or9Ag(&N(~=cV8jo-n@=YjS+@nFDuw+Ay;RUs>y* z@WZg&wlI~$Aa&~~6VFf=Yah3EXU~iv+vSL<{m498_jz{TAnPa)k4NsOpaAQzo=@(Z z_mOe!eo7I6NuFUtWwtgCe?GT)orL*RYRB-jMd^QvvT2KD9f=+oi5ixU)g6vplm=KF z`Xp!kDbx0#E{{WQ5AWFyk}i*hNQLTZ`(X4{Cg>WpfpG6KC8mhZ|*UgSt@TKGPJ)UXDTu- zJ2QXVB*!8g0F$x#qJ@+6-VP}Xd%8WJCDJz1+Bq|=pw?Nr=ZFHelc+0#Atk8*6NPwo z#O95rujRFJaDngoH%xdAGDcJ~~ImN|GmIbzh%Tkp8 zk)=qj$p65XpZC$tHr?w!Gh9z2LS`ve%-U^0CV%eHCp9bd93}e6t2}NtU@+aM_hV+r zO7`BzN^-9V6;F2@l!VgH71x%Y9n!%BndKeymDE8I*Wn3^M}e*0S#c<-4Nt*S!-)Z7 z-V>bx%e29@%ULf6>D_z;)`wMmnQ4>d5mP*Ye|3{nBC1FTlGgBRN**fhJ%NzVcvRjs z4$I{hylGVQY3kwCycLO?N3IT^!uO-kDMk@0S1Et=7YdYGF?~82k+r<@I<_DhghB@?At!`$_|a zop+H}?Zi6s=S zT5#Q0(v{U=9n|0e#VdL)F7W9r&+e@3>a2!#);@RE6L&T8cQxyEwfc0mXLogWb#+6# zdY-%f5_k9WcMs}ygMGS3vb)E+x+hSrk(3df!%Q=uyBAPF_V7EAdOgrID#CQOCF}#j zTvy|&9B9oBWO)bLBJP4PG9oGWSh)-MQ*dn&_dsNO)`$^cP>_YBfC6PN15N284ozvO%D)UDl7J-z zz~5pF2>@WDiNCflgIbc{f1xU(-2+_RJ&XLq3wjoC)tKR>mfE{2(EZ7vtGtCCTCd~U z(7WeBGT)&{5{q9if8X{-x@`yLocoii!6~N#a)okE@*^k2qbS?MIXUJ9-TfFPO7S^E z7=dF-;9jB$&El8N#+QM%>c1T^{hrl5{x5yCIiTd~am$JEJl}y~roJKjiD3Eu(dvne z?mm;3p7DtZZTrb-`NO;D8m;)U%!;%)WHLdeYUctG?TkW3Bs7&eWCu z^queYL(cS5_w>u!H2h^6fpo?jSHRqi+a}nAFK5_Roh`+T_w%Hj$F&Li>&$B?Tf%iO ziR82f$1LKR38n&nzbik^nF_@#H|3dp#|?azR>g#9or%D2j@H6}O<|7g73*kX?uP*@ ztDgy4?mWURFSUWXU5Sy(g4~0}LUbs|W5+?=S1wM%cy2*+0 zfEX$$>VfokTU6Bzz?;FM^ALFxbXrF~2w}^wm7kLtFXJBadc13M%d->|>WgZ=;^uyf z&$}b-&5Nfk#-kRxU7^cpmQo1F`u5DgFa<+dD*aU46|)rM_May4q~s|M8r`YO0U;~- zf~y@15+6%dI&k&;0ZN_*WCF`Zq6^Cn=Bu4RDQ8Y~H4B~WR}!T&371<%FhFetqEA1m z=uTz8pbyG>*uc<7YapVw{kKLYx^Lb8u6h*+|8Hu&41`}9fC%^dn*Ga#;`METZ3QD z%xmp{iT8`ETZzDH^bH1>mSqf-jam;kw+_C(O;)Sm1KipOHQr6x7R{aC@Pi=6K`og@ z=LXl&VQO{|twq5J==zev>yB=yI{mru@wzG@#ugpf4w~ZTY7G>AJ1^Cu!2wrkiG^`v z?4h@AhqO=$o*Q2N+=2|Qi8ySE3T+)bC?2b8y1VS%-DnKQZVn6Xn@>T-{k0|Yv`qm! z)HOQ46}Lt5_Eq8};dQQ?dAG1L`T5M61AP|Vlbv<5yggQ2(@hI$80pqo^nB8wbv)8I#RPr0YAbf<4;sD+Ckj!5npjfXRX3mbq(1@C^e{1 z*i!AG%bh&F-#vEYJn18wGn*WmyWZ80*{$|d6q=-h0tHbO4P2R}8%WRk$fjc&mkif; z7~}T-IGmjrY!LaMHIN>J+(00PMlvk(pjf4|IIU%<6ms6tXZIsD#dBHeqkBhV2b`m2 ze_m_kZ4Jr`m0uS;mKVyw7m9@!KfxEWyBE^$E;(o}#l$WpOfFf&F8PZu->+YiyyQPM^Q5O(whTq1Zbf%iF8K zRM^?&4YLg8j}f6yL)v{LxyOAQo|{oz>T`ouWo@GRt*-E649Zi*@SV?UijwX_JaI{R zKyi^1c6yx)jG!8&J=+5{pKGO@x$TbF2XL1eo4;BSd{Uvy(;hIE->%diboi_(lf~lDqhJ2RLN15j z3-0Ur!)7v?HkJ?Ml>$^sq^1R%XK9>h*2>qIO2~2o$Lo}f^N@(Jm}UxO6?AW-S}Io~ zXiiEs_?ww@Q$@2ksO@h4srO0e2Em}|4l3PdVnw+po)^=Z4qeFZYro5vYkfa_fU~@0 z)Ngbbur5;hteRSke(KS5Vd*R`jFdoWP1PgI=WGmlMEZz_I1 zx*!LvD7!EooR`~lG6d|hW0^?vb{*J2-#tHbEqNNOn+#{3%DWr6bzo=hC4TmOuD&1V zPM;R;b*HQsxzAfwENzJ(R&1ZaQ&;}cFjqX?_L$|(&=f|1rX)NzXQ$l#wsXb&x23j7 zq4QW0=G6a>1UA_?{!M>U992fXx~xH<=s&A)>lPtX7r@>n=Do#-%SF}V$5<+TLSsC;jSNUH{C2B*`D$j?4Xihlng9Mv9 z^@0i#ZjI`S_suiPawqDI^N5jSSc}Jakf|}G$HAL%k#sW+l`hp+_DQ8ci0TOSFMzAO zA#LcQ+5Y4rd|xi!v;T-h_ciM;iX3bH2e;=xn6~EuWof!=i$;(^z5DGtn$~$fijFSs z7F$Np@>F!@`Vv!ki^dn@6x<#ha}5i4#O`7%HFm4e5yK}12m&0WBN2xLdDIDsr_pT4 z__*s_i#Yy$)bQypnYq@~OOx*;X51H>K5R+4Y^`{vzG9ut)uz6m2zVZ70i>*#EoNR}^p zQqwxm$;w>=NdGkVcMN`tElid8x}kq~1qfv8b2lCU+tfKZ#x7G^Z#wn=dEJ{h4Ew4Z ze-TqIt@!Toc)QJ8=X=VAU6v=JUo{MGB&4P0@j0#AbZ|V!FT;6(cS{NT-2zVX9&R_o zja099r+fSw2Fi?HANlRLWv@`h*N(5aMc#j(^dDk0ehkP zyJGu;fn)N8e!2bIeq7kB*feHnyZ8xxVx&@tDGrcFf8j)F3Ht88|xHeMzY5v#kV*c=P_tTcH1r`bT=CxfN1^=iC0=w6cs>@ zLpJGeEx3z58%f1rdW)eWEvq>f&U3QW%NAL$<*ceHrAPHdVN+X5yvq;081=_d$)rlr5zZve{83&f(YlO(6Gii3du;0{wbpP^ zYN2O$4qHAM&(!zIipO_ktu~4|HL7^a?m+qDmzY8aIm4{_pDoJ$^F>_t1nuU-q>JrG zdR|SjWt_Auxq^}Ao`uVT%q@+*4HYG0DEeMR-tF6=mwU~d0NG0y){|6CN|{R zKO55dUw+sK5${zcPEC}lcBQRm=~9NYj+grREO9fAsns%E1Ssuc!A5XNi)>MK^iNf9lJ`&xRSwCz$3HEy zIuf>wu3TE6QnYdsPNs=1ah<>Ji@`zbRwE?g%N1mCl5*5Gy5W5FA-pGMd^LEgCfO^f zrEbkAu}hZxFr5v5_rmH)+$rfUm3boEmd4kbO|DeNk*r(8A64^aVpZdE=xv%sPzR@$ z6Ae%S#C_MkO4qJ9V}-1RA61N05tGNT!(EzX+CqJFXY5<{HmrkLtzwhpc*DqXsaHW9 zO}7}?2u#W?{Wta;qROvYN~Udg7p3HOnZ|ko#`XG@Yh{Y6uO4TaG7$Od6j5<7xeDP- zwEIxbn?EdnF%{=P_g#3Trp7IFl0#*y;aRPQWAGG{Mv9w(^U^X{+nw0@Ut#IegZ z=VHkmRf6vt6s}3qE3J%q`%<9QoenWgyNnx^x?uc5+xLtj>@kb_T8rYZ&V)<472$%cCAn8;T3u`d18M;vJHz|c zrCwzB`cOf8Q+(+1u%vrqD#+fF8@e(b=H3hxbg8?xtLB%$9y_-k9?WPcH` z(toc}~S-XsP z%-^$A4lcADZ^XZHtN1X{)N_^k<}*t1@3O0H<7V8_cRiHFd!)k3ue6Sf+;&fL)?uEPR1oSROLYrw2vdgbhEg>jJwb9iB zE*?TWl~8{X=EVU&Kt&V_`U@h5K7+;rV8QVQv2LMDxdBUa2_t#1eY2$Ijkqgn z#|yuhrLUw4iPRObP^n%HzA53qMg1(!&!28-vz zB$G)-3tyyNP-T+3!TK-5g%f;v3lhaDyy1u@X*6dK?*{=z`Xiv1i6%;g?ZIm?(&e$KF@QFh{nC zX+$$b97Vp_oO1$ALKfb2mbby>vbi9CA+q&2X#IFG71zuLrvYKi#9y!eLvFq*)mQEO8eWLEX) z*n)6pjyzO+c-vl33-)VnVsIHIf6^?+r{1MQY> zGyOa`{jxCq3Y&)COur${AmGltqn>&HbLNA@45G#ilEn-%VCG}!%%{{D6yVI~mKoHc z88pZY`rZu2?aUXX*{`^>nAEdaKWDKeW^puTaV=)?0JHd^vjnNLguvM^p;h(lMQFU= z3(?9jlbO!xfhH~`=$|QC`|&Y%X32hjV|AtI-KmA^7SUJ0v$pt}7RT^t{bI>;Db%o3 zrBo@roEr&k$WN1~XdLEP(3$AY3jOFaGx}7EF?0W^FdOcua^jZK$QH3prZKjtA+f6s zsi-~msnT#Hat)PmBjx{ES5rBj|Eaow37!4W$b`U=FEvT>3w=RZiUt1QT=cS_Ww z#`ssrLI*^5h;^L;BB@G?g4KwwmaF=cMNMPQC6HaGMV+^1!PcVoqe)#~RHZ$TwvC~7 zuad}bhp}Qg6M>R7Vh2aCp$tS{4)Vq<_tJ8I#7KqHR}d7dW{OsLpx3DPX(d0>YtS#d z2r}MAVf&x4#`*PHKv!#^tCSRIYUIt1N}7( zL6zx0R}h=h48LQ92>b(OR_AmtkwQl z=(8>BKdkwJ-})|q5(hFIn^*a12Q1yffq^VkEu6CUX9{_TZcb4Z*%o(W0{Px>XP4Y zMBrAAB4yY28}+YHEjh5oGc$j6*K-TiLl-i-)z~f>H6}8IKHP3-@^0e@X{QfuI0G1- zi;RK43_C?vA6)XQsP%;~3BO9hO@$L#N$#|xQp;CDvk{S@Sf#p6fVw<%trZS+Y&cP; zjA;|PSuJ4}k_vyo}C!ITPWjC6xW;OFzcO6_N-E!)lZrTMpff&uh9WEC`qLbYmLXKj%_&;z|HU zWCI%auNvBCvyeT!)xc6JK`f`js1KQody$Lw%(PdT;AUQP2R~NowCq7@^JWuG18NSN zpgkQ$ORJw83VCEQj+ssURamZNHjcD=k3|Zx96$x~-ghz}hQ>!XWJ+P|?cb*@~(EfKE^CM|NTVTqD(v zB?6^&AeVJmZJWcbx~?O0tWaKHD_2bIYy#d8$FP#k4KMTz@TQ3Fs9jh3!|L|EPRXcU%%T)uMT7#GNfkx`9NBwu} z)>pgPEOfo+xo~rIOMGa(W=+)y4X&kuEe&@0GATnP5o@Kyx>luDaErO?YeJ?etlLI6 zV5i!3?#v6c4NRcj!dq5(XSzz0yX)>Cey0gjq^s6k@`J>Ouh#6aIJzKn=77xmzO9N2 z?Oa?rAYz*k=umHK*X^P^F-Dr@P40FB{z0WTi(Xf6u5?%&^*X*=pxx;tCF!5j>|*l% z6V=mvIfotmykL%l?I@g6Y&d*{X7zo>ecm%UDnEY|G`!m1W;ZmMvi;pwvGGN?R%!Ag z9IttFbk)M|^fTA~=KyH70_<++B7$%oE1ns*t;*>Zaz?6+-L>^bp^1`b`sL$4gWSsx z_-01#aA#MR3(5IY#7!eiT7nZ*CS=yDhujn7xC^p_-(o$L{od=mqXtTGdzA4ycr2!M z%urM#j;=dXsj9P@QGNQhIcj+Q&tB&*rE~8~*FSpf!UM6dei{o#$&CfS?$d@b0{o1?@^W?0 z2;KF!xLqtWIcg22K9wPBTGqzn`4YnJ4O1&aBBY+RqE0u!$&}e0H0yN3V&;QxaUTXl zZUdxeRe#GPkRrGI=;J06V05sDi8hW=<6RRvX<$p{T4U>!u}oOpa{1}nC8OqZ|1CR0 zx>at7LLJEO8pFfTgW^U72#aWRoBgKu`%V80{KMFR#@>>ard7j=MF-1{p=|H8SMeb| zO~b?1(%{xEpm!0wX`e)nIQ-3yl(KQu@c}vP)N diff --git a/www/index_files/kerberos.gif b/www/index_files/kerberos.gif deleted file mode 100644 index d22b5acb321ccdc88af8d07c2712291d5e3518c6..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 20772 zcmeEtQ+Fl|taUl{)V6KgwrzWAYiirJ-9EMLscqZFbKdj)jBlNNk&E1AuOurgJCT%@ z;NmnU0@nh21^HhP5fKRq2^kp~v9eBs1cCrTK!6t0fq{Vq1qJ>6{d;?RK;VDA|HJ<= z@c$tL#P1OQFDknKwf|caLeM}EY-l{GhJt}$XjB@#@rJ^oa3oTh9I3{lk!UPdo2~K2 z;<0!l(I`CWrjm(dD%C2ziKf!2bSBfu9O>q=nQShXi>-;~^0|DWU|4*amWuf-h&UR3 z8y4!ta;0LKT$$8@#bAgg3wqDx0*z|j0Dt^7_5-bAOVza6NkHvp+n;O(Ia;Qg)jD_V z82+v{hqWf1j3Fae_j zoE=0nf!*!Lu%V3XOMY6Xn7R^m>_$Dr|#3Fze^e4%2oF64CNpK$|tAhP2 zN@cRBERCs;)k2Cy_tHMhXnC*L${aRMHws=)l-zP#GY`je42+c^cJ`EjO3RZZ?np?2 zt)QwXkVA(DjLSHt!XN7ut`YIx3Re?&HbBMQ*udjdDZ>20dXx;S69WD zvfkTipSt6(Yuoe2AbU3e-Q{{K-N(UK+E+KYVc!5|iS00m6>KInisi6XuJD_;+ibYj z8P}>Gz01={c4G4KVakwUlcgk&#FlA>?~NDPe}$3S^Rczp;HAC$*)$pFj(qx<90b>`mBUT>nlywwpY#m)p+!&q1ideY zn9&Q1rT~G%bw$JiE+I;~COer`>=?+eRMks z(IZEMWNc_jGHf@QxByI|l5>rpRwd9}&P;OJ1m`hhT&|2IePY^z=P~nNOc`5wq}?`mnP??uH5`5*`tLQpdQ{{BwMc~gVoL7i0UUk(xb6ew zuJoim7MJx@LM2}*$X>OO*7;O`K0--vX*uht;~GUWbN(zcIG6r`<{%JT;r~}=sR*Oh z9ES8Br<+)00=0d`BW2x?>C0S{?N(=Nu04(OY#!9|gvS)H7 z4n{+SdW{v_ffi`SOG}w}ps6O@I*1%|X6bvi@|4ZW9PCna z-ZiBIceUmY3R_$Fv;Ch!*sYz(6@WFuwUwl<&Jqu1YZbnbt-fvEp-c*(RlLrU@n~thlEouOIBY^tMnSpN6`h8wx<}mynya{T&>xlaP$eNJTX|J^UYB zORu(65n$N^ELtigbJr!C(HE6>S|XovF64H-NRH6dlttuiYB0R#At7CAmoKbTKR+n$ zqE_nWy=@OZFy==UUK)xwF8?N4&Hjr6w3N$V+vxg;q1(RHXFi_;ndm<^_uMN1l7FlI zWqul}eP|x4lr`DMYpfW;wh1HHZ_O-ZRdoKmw9Bj9xZo-{A!TC$*6>L^Ohcxx^ZHdwD9Wp9RmI*pd_4lq-gVzS0VejNz$EyGUh%Em3s;-(e%3Ul{9cVq4Vq^-0@b*_h}!N zd1~zk-)?Now<3pX@dL zd)o5%Ie61Mm%4pC=M6nzHKc-q3HkOr$Wr)Etbd15!@FDDK)SeS268MK!HfkSLbx2M zFi1T!KxhTU{S5>!3;Z1sgaBYc$_OBS@F(FyBW(329e1Rp5=1{kK9~F(U}AvSu1Su? za1I%KP!e!Rj@G#Hm*zCE!6Fzw`7c{j0GlUUNAurrOMkB50P!;)iZfv_=wPHU4;5%3 zaV<7p4i9N7HZ7_E&9y*Y4Ayz5Fh$Bi9%8<_|VZJj< z*EK3HE?-b;P7*G>P{V56Xk)$sBM2Vn@_C*x^i4<-uiLNAg?nQ~nnTeyI#2D|`XxK@; ziKJxM_(T(lz9@tU>q+J&7*b9$eP+mT=SdvW$ri$iT}P;#&Wv0sq60?)<*tM*Fv*-= zDRlRwf)f;BL5X}#q-2>%&P9~2%0$F$sS+e)L`jrXmC1G_sXxq=q}nN|K`9oIDD07O z)?R6L>v*u-GVUm3Cc_!!tCY$d68%|vO~lsb8p7(H)xD=V3K>zRO8lGE|@qNMb}j5MWi-LhnBioy4UQnM^(<>boBEVUw%+Vd>YRjQq{ z(4*xDr?a5wc7ygcPx^OK^Gc@e_atX0GGZ2%YW2KWagx(al29-=kRe}3s9Zy6Gh3>B zvF0F{lUNXOpB5Mo*@4&YgBK8m87|Ad(L8`KBS;U6ksUQGj4C`dqwu(`5EqoEu`Q2k zf$W>2DB6?-w;UNkF(*SL6s+AUAgr(`j2_B}5fJKxPUd?PYAT{HhABl-SX|glU`e$?ETrNbwGzfvDwd|wn5XjBl4KT*czkCChH}Z+ zyONEJr`<(K5mdIYjt~oM6_8c9c-WNzO2-pKlUy*p%8pppViKui1Es68+TckX^+-Gf zmJ9c&`u7NiZHE+Gsqs<8U-@yLN@!od@qnN7koZMzA2xpe7ReY`>CgvJ=xf2UWSCC8U}tR5qEMsB@eOn`$2A`n$7wToqvx*bL65`dS;j zZ&DF_;dE|k6eMoOAseZT;mRaf*(OzUx za=MeFomMZa}c4QW=U%IWpl1(}e@nn26MgCMe$zX(uAP0G!U{W!{u4R{5`#C2);MqJSQmm|D_a6-YdhGpyweai@% zQjOL4Mz_oxW_`+4Bl1f#VmZbQJhI|umPh2|^vAQ}d&EW=(VYZi#^@mjnXO7C^^o;y zhF!kWVrc^DeGP~U$6#HVjS2-x_SM9razAG|i4WcID2HQYnA6xwPxa|o zkR5U@-$WyyWfR|^oW@k5x;Yq#xzft;FjZe5*W}jL_yj!W6y3~$-PE`C>`9I5cFrsy zbb2?3fCh}^BFFY`nXM?@T=!SsmG7UN_slO}`?a(=Vmv!O^f?Iq5dr3^N$%>X!!n!I z*_q4k0F{3z+g8Fs|EjcE@+6Dk@r!;VjP_o64EZ|YYEDm5EDWhTk@0(xerqOTI)Hpr zg^~y0L>vy~T>$3WIipak4E|b`>t&1_IFBIHPY1Kit9~uyqEth}GM5f< z@$u7jzs=5NSeRuj!?(Ga9Mj6!n=VN&(H$;*u@r%x77I=;;cp`!y3Y-#Eg8~V04q|oRVxsO1!Zy`&1;cJGUfVXjzkEn=U1x)Enb{BJiJj3;h5fnuq7l` z%YSo2ZMxU(=~f&EmfCUq4D?N7wq@h&=g-TElX_OkZHjF1aZ7Vco&087a{b)C*Pteg zr#P1()59Ic1K={EK;L+Y&KMf;L+WQ7<8n9UCO6>ywt$r`0ghaJ{kg%MQlUfXTYKUw zUtr!_3x#R5+sdHZ4^lhuks%AzTleV!W*m{solzPaJ|prGMQ@aIA7fas2K4ErUo-i< zYqoj0Go7za2iv;}<00?zwPy&mP_t2PRZ(mFF&HucOR11$>ip2{SR8__46ChFt9{do za@lqZf*WTozo6MS11y3<*I|`x5MSAKX|jK z8dQau+absVg2FQqYC4fNmq&a*-fS)hpEJC)T)Y1=CP)32$J%)pxwgm7c3ij)k2H>r ze)jZtc-cKq7wTo#RI4u_=6KQ8)$ShwzU; z$0MWO4l>W2Ei?imcg}#AyI$V;R?s2kSBH1_YtEDBOI9a$*P%M{k#>3)K?++r_7}z4 zXZPbV@O3BiA1BM#CuuwDfSoA*xGk@pnywv9aRIhUkJG?u|4aeu!`O4xfs39WeDRwQ zt&CikC<{h`{LS$lbe$O6iWqgOONfk<_1X2KaDxr#6Lg)cp7yKA(yNP#o3ovpo1dGz zBZAupf!im8+ZX@ax4her-rKL8+aCc;JFj|RofcSrIHcg6?=eAcVuL9yY5{yEQer2^ z!W~2OUH2KqZ)Q>(?tx$?N)-AM(b5A_%&y-fr zYJ@6UjDL0WpW#Evn1Bgbqr_ll_>hR&u=9uB7{%rkxxU|PwoM)1z(S` z+&M@Kx&Mgoy%t^#xzq5^Q}__?9Do7OZ?KuE*qKosNp!o}?;8(LCNIvwj8sHZ=iv-e z$M>vy9B;z3x3&A08QKGDzTeqN9aTud97#YLh4zI0LLv}| zMIiNyfWY7hgg_&MfJdRz8w_VCA4u~(y9Z!}@gkDB$n+v_!OFP2?ttKAwD$_BBRZLnSJMW|j9NaSeUn~cVa?$lDX z)vh%=(yPYtzOozxj87$2w$_`cXNy>G&7$w?tp6o2HpN|emR=@#z3;5Rz1^ym!+4_- z*lBSngrQ@@*7y8*b3U2L?#he7d9+=~VNTEU-*|jEb7(dt#QmnVUCZndovrI(@!pta z2M}80zJ3+RB=5Yge{%k*7~g*6tK*7+Fca!OjA2#chCq;28i1rGVG@A?7B`5D6ePpZ zO)!KYmOasJRSYFOfRz}5pel+Xj~ptr)QVvQJitkmk{!e|0fodO`@tx;?nepe7nDT^ z-M;PzqQQolrOE42oTMr9$tow}rQjQ6XzSsb`mkE%qDFCwACM=hz37|=V1m_d`azdN z5~ew}#Z=_DPoHF1cyEVU75QI}niU0s5Nt}qP~>c)X-CD3%AW})u6^IVDNzd2l%*{y zvWz2YjgrL2uEe`I4{U0T+^JNms)|5yc6D`4d}$eZ)KIti&rY98+`(QmjESFYBbG#~hnReUO}buVIk1OSG8% zEc&}Gc5LhYY32ZGJukaIq$HbL^W!o9hBdg@d}>$ZouDY%_iDzECl~h)N}KfipQ1H) zR1de(#(j1}(hMAE!vKasj2v8MiIRCR`!xVL&f||Y^-28*(wkJXld{wfi)=@S)(-ku z{Hpyl!ZaF_-9HpM>fmt_Jl3V@7M<4R`C&XZmE~ofHr4f`JhruMc{q~E)gs*Hbeaxq z)ak)t?+vb>_{wVFgFPZR6LI9cQ4-U4I_XgJF}p=RO8l(n$_uF;Bm>T zqjOv669Lp^K89VpIcW~|wNF@Pa_=j=t|>ydU5&Y37wuHF@CIaf}xRN!bDg$RCDgBQ)T(E}INFroXu5Cps;36%_C(x3WB=@tUe@OCjG z0;Z6uO(Hbp3~_{CiP1FOCQ@ITokIf&R062GF|e4_cmQT~Q?()!G_GWBZ)V3oN6-ZH zOM{72*HRW+Q+rG8HLD%>2(Mh7NqgKi77{5Ns?$%pW{sUj3>Y*~U)=aBsp3O4+9 z8E6yMEcdT*+BPWEvk_-S{PSa$ODMTnau?H)7(4)t1hZe5O3tY0J{Pl=B%}&cp-~Ar zA1;ovheC5s!q>??OQ*83##15K7Zo2r$()ysmFNr2Sx#Nbf^ySR0vUNRmT^^9TTZDz z!-#deMV9K{YuES+vQtR`*3!SJ;iS7A=H@9?$@gS#{G#*~ia{UK^U5u>!nsvyj~U3< z=BOdRTWJ_%ijtrR|1%2uA(L=k3Gk8LU*T|?^sAjsNY zbpog4I#{wVA&hy;xdy!rk|R6h=upKkhGS(o8slQGjJssi8x%CcQOv1evbm=k22s=% zVymSdGHG~&EGkc&?Cox4R#yS&fYZiH`*oYN%aAekF7~DHn&Q`1J4I@IHJJD-Y64BUdoDOfrEA_o*obq$Oi^ zTK-`tdKmWu=z6WbAaQ3~ju=JrL6ktrD+<~k9}S6@KaJD+4r!b3LZb|A#qQHLJnGnD zG!82blD;*+kaaDH9Fa@($_|r#Yhkuty2yT9aXs`$1c~+Fo%sgTzVZZQLi<=G-iv# zT3Zp``|VTr;+Ei42e+;;VkjZcLBzmzyY!d9W7jJfzcp)rTDFwREf2AC{abl(zH%^3 zd=R8wjL`J0BTB)Jan;|~QY&1CsC{&!@A6he>6=~by=-Q{>wB7A9-tC*%;i$>=-q*(R=qsC3pS{l?%QCo+6;-!~ZS=Y2a=4v)7|FDa zL&e{o6PkI~A#Ltj>~ThXI==V$<*u)Eb1$W_{zqDzei!P7FBZ529j@ivBDudm5CwH_ ztLHxEHR8RuUUyz$#=a;m=ZrQm`<7@rzHgBoK#ubb=w`zGpMq}P4>j{ob>x38Qpam0BuEN%#XR~gxG-^zAf0eKO=d5MGFSim09^mcb@C#oO$Sax#8OH^EUK;niT1Y6oA-AT6GV0K5q8^bnJ8H#3=NnP?)LnwYqm zD4Lfj7g?=yF&d8^?*x`G-`5aL2#?^>Al=rWTsJ@M{xC7wa6hY91~8&gG!l>W3G<$J zxC%NDReM<5OpLR8AfZsKsCiiBXvDy^TNNTf_M+rzKVw>ZB&LvEwlmk(3n|M>Je^5Y zr({IJS1fp91iS&&aB0*&h0jP$+)+4xn;K=EIPX(i!l{P+$!j!KO3YeM%*IzVaRAk! zWXzjRWD#3pnp@JDPl8k$kG(M8>1xbePck(^!lPz{JY-nz9kr!d@~$gM@oG3+O~A1P z_JDfquUKlZm=s&cnC=#VU?px;h=9;imoS+$;nMh9v^eUylz5AH!c&BsDUGmnMoNv8 z@{?GOoj^2SPK@4!EHg3$NMO3!P==lq8f^++V}k9`M0tr+K7w3^Z%(d>9BN0U3;+~3 zS>PH8LL~#L6#+^lzy*$nUSALGES(C_hvnXpeF+1ISir{m}VB( zT{Bt)0a6by+o%^IE;gA|Fd-`~Tk+IYC_2$fI?_tk)wvY)2r5;BS7CS0I(;;m_-7ad zDFQ+Z1QIC%#AvAZY049A8XbGGh)y;~TW*w0TyANQp=Cx0LX>G~NIpfbuy}eFKKH)_ zm{$vg0EtSIo9UJ#>^2KTtCYyxpV@Jp9#4@%fe`0U8CPJF-cC_Kfl#nRRlpSkSsyqyNzwFpBB1qKnxAISmd`XHu2 zl!i-=$UdDgzFq&Ne98a7E0nYhfJ!NKtBvo=1%h}+q~Qhj>WTRti0FC!Lunm@PF3oG zQKXZe>8DdVuIY^D&Lixp)YYOl4n8(j&zHIVgZPLjFA% zp|(hygUwK~$TNacD6Gt?pGqy>%k{hnKCS8qULxd-wX98Q0i(u`j@fA3Cg`R{>>6)^ zz0_xvlB$gLz>Ftu4?u2Bzu8iGm+K(SmBWvfflXYJo{2Yu$w`;SmA|Iokx(Bf=i{R5 zQKp+w(Xm%0_gmyAQ#X`T>rO!Ch0IawNx~M%)&RPxyF50G){JcqD|`;m$=jT@Epnkw4b@gIkaM-jTJiIa8Y8}*Qzl~?cwdyfcqBMc#=jEc;)N1XuV0D0IjtOtY zb>O>gtCEIpjUNyCji68SuTLLuRr_r!NY9txZ%4b~ZF1`+7H&BX>x%GczkKQ=L#|+f zI_#Gh@Abazm{BL3&KT!L?v%ls@C@vetn`yg9N6d{NYm-NtC}Pu zZFatw?srr!#>!@U9^g$JAX{e}IBUC;E(pS*tXZ4L4(KB~=t2G%{S7h3!7!fQ+GFtV z{B4>~BOw7Pku!627#pk2e`0EUb=Zbn=6{qP7-b+vFkZbh#>8OeYfUK9D+kT2&jA>x z5-_D^&~MK?#QvSE;K0(9YleieZ_2Xo2Ro*?b13|h3WQhC8rt()E;vXHMlu@ykEJJGaX zv5-5lkomCa$vlvD#^C)qaEqPSFhh#fuMLb+VJ3X`GW`KWZ^cW^zR4Vn!I_eqx4UHX~oX!)FNmUVBxQ~{k;o&Z&Ash z?ZQ#g^kdNq>>nT`yb7RC|MrA@_^na5$+ z1<~1Uou9>FU+55^L`Ya|ydQ`9TTEEk#VVZD8QCW8m7{Q&ek#RVt$Ua-zLEl-o15cFQEVRR9kTCto2qGDk3NzPYxQf@X+w3)OTe|d+ zI2O?`$CMyTqPRw|I9jE!-^jB_!#TJKLhT(*J^6_@zcKO`w!ntG>;;(X?wqEK?zCe# z*2mpq+?>m9Tt-umY5a0*+HqXWbo{7082^2gJZcq>A>n0^!|q_S&u~}nKb3hxm}6lP z>Tu_(t|poHQc}KSNBVt>@^kbRdA+-0?g_XW9d(@8!51>PLk_o(5qFyIy*v1^>N>gm zUA{|tW4AHogc}aPueTsPy(hwaAf|jE;d~&Kd?3?&Ah&#=@KAc741b_Xf1oaZplN%c z9ebc#eV{*mV0e9CgnDGcd}OA4WZ`^dm3(B=bRolRFtdMTzn$h>RpSnSOf7NY?|I}g z9OH{u5m}Wfc&8*Id+PS~@eCx1U-Eo0pG&YhjeEeNvvREO-1vPhETxX;(SVPPU%s6;qJcs;(!_N!-*{od;tz2eQq$BGd_1d z)GFt<&S%hXp~TxMzO8A!&Iq{;4AP^CzC|H6Xx7K62m<`)jGgyiCE5Ufr*9ZP^uOnu zOF!Qd3Hwq`Wzy<3y$)TxcmupXQj-o2T$8k8CmLWhd}6ZmCo&0lcV%8PA^DOJjMLb;U8Dk{hW+IZx z5jO%5>3ml`+b!d@(?49(eH;Yc_Q1USBoWDrJxx!2+;>a8+dc;wy#OBSZH(@om|ul$ z9;1CeqlUhH^=}jPuV!s-ldE4-;jiNXK0}Tkg(ASOVL=*QO5a7O?;Ock{dD(#eXpyl zUguWK>w=!)>7Kx>Z-cq_xpF^;vCkDl_i{o%@mQ}|x}W{m&cj`oqcN9z4gV9#&eH(# z^Kk#bVtX= zu|2n-SxTgnaFDCa)*ng+GgvGaVzeG9W^;Hv91#Z7s@q(s)#9@ElKG^PtCw>eFVxz;GVFAFzdl@F zrZZ}1s;L&$Vzn2qHrUQN@Y`z9n2m&21N7lnA2h2o2zgJ|lI|8J0<6KP>_6BpmZ~(% z39dibuhyC@7f+}^oaAEcs83Jy-&mw~I)jQKuh&ep22A3M$>1?qoJVbEPI_iIpZ{KM zw7J~geEYmC!i-XaD1GvMJYB3dw{7S3Jipc-vWg@82>g7($tBL86G~ z2e~V!7}-JpnC1H;%e3PM{AgPd2g2L56Nlr^o)m-=M?sq?)MR>+L{Y>+^@q|MWE4g) zPXf6}V+9hmNaJp|JyAhm-`+?QgkibK5@Ay;%;F^ptdF7?c%%tpxMjG>Q*myz$kQH) zmrWD(y{V5P1)8*Wk`*N~$+N7h&NoseIv_U`9d|HRoF$niRa!;I zC|KhNmqS9*mbBJ!TT1I8Sgz-6Vg>>7J9(jDq&ygBH)uPH7WdQcG3tt(oOd6ilgl7Lla zNubd%<^aYjnCcql%2CIt(#VZ0Avhmer(vXcpL>1xooYMta|sIl#<$7J8;8WqtL(g| zEIiC6m>b;2K4$P3vYCiFox1?2`ZA@q7XQ!YA#}?#mw)g>QcnOZ+HJLt7l!f7#r*G! zCtWp0T$V;P*;?8>MeLWBrdjb^<<(!kSG5`76+IlA_Fb_!n?V>lwMoGJn%Y_M@TshS zjTrp*|9HWF?&iI9yV(w8tnF^CbU3wgV=P@@0yk3;L4-gdmFfVIuEE-z10JH8ocsP= zu&(<-`9H6F5>sdn2aSp{i)#VP44dmMi&S14X`j6uTm3!`G-r`f1_bA&xURW>E=34` zb3Hb|-SAyC=@OnkuY*53_b~@xm(6fS=e4{XXDb@roNi9`ye`7>u>uZu<$FJ#Hv{X6PUShq-4iiU^_r1C@=Rsq@Ad{t}lcTeI=FP{M2G&=eQ7ay+ZMks98P zCc8dzwGbp19+VnJ=}3s-WPV8L9Fso+*hXGXQ$KCaHtlql;}f``uD!9#En z$HYd0HB=!ZjM5aZPnUBJA2}>|laxAYR!o}=HpMlGlB`~HOmR9^iyeg=X)R_>q)o{` zWZZn1KK6A&lMF-8owS%Ky+DRs3Zqa2?~;2nT*wv8(uR@5s?$78#km%S1mEx}xw1)rco1LGz{dmSkTXG4`Z znNng=RT)X3HoYpJ%BGHg3Qy{-u8Zzg!F^E`7}uFx@)2FYByOe3%9CY#!6LI}hk(7A zCFAhRCFW$kjAKSiF8|~?>mO;!#m6LYiaKbynvKRTa9D?g`sOxojxJ9%7h;K?8QHqG zrRFgtQhQ1N#WCZX*2;@RJ=go8xy1fd6CqotdAY1q)zwap*k@{Wk3D;v&&>RsXSMTS zCB^UPiqY0Yb?@Y%R+qoV#wlcN7?9R@9Zaud-t}*7$-Tj}l}H*SGoC{F^JQ zRzy+5%S%^V-J{D6oh;UcRx1zqqY}&dauwP$arnLxGW@I_5dkS;_yX(J_u}WAj68Kj z8qC!v$H9_POlL^jmOdr!_K-eQb3`A2HEnv*ke2v$OcSl$W9iNsE-ZIUP1!+7A<$?i zgrkBH|5Q1_ZxIkHXa0A|YeJjA#kgM1L^S+;GNKnI7ZLwdn)PG;Kixc&yw*w<6=ymw zkEN(f=bS4Zhsq;NF)#O$AN2KoB;e=7=Wz2pBVuhaO~E;Lf743g(wibffwh#K-i|sM zd#!EOxe_($%7E2psZRi)s1R#|Q>9Z$Cr2A*&@+2X!!s{F>Q>SdV@Q{*Ju@EX*2uhl zPIcM2d2PU1`QM$SVzAH2d<@2O&prL^pUnTeB z{Xz5_#~w26Ick$CSA@Eu!(P^X+0^Nob%w*h(2hm2~= zlQV0xwoAMFTtUVF@7#>t2x%FHH0JIp@DCDug~vy#Z@!MHj>*erDV3jjKyK{^%6G;- zyA19Uq9)GL^|zV1M+bF5Z+$^AJ}Fw*Hir@T63ruy>-_@$xE7Sf@?)MFJ5 zCW7UkA>D~yipe4QujgF0?-SVxZiSjKRgFphTlaF_g+za^X-lC0E!(|!C)}JP8{Eg0 zmB4ooCB0`-_|{XQ#7i4$?u%RT=T#l$XWe%%buOrtq zAz>@GTzz41&*csy?#BC0>l5L%-R7MCXX{vxf@Y~?P>NuSew*t)?NomwD|I8uoUk%8dw&MIL7Au&#wZzq01QBs;%9K~wO-SM{no0z zF=F&&ZP<-W1R}Bl^B($XPXwis_IUme5~I)`lGun2Iv3cVgTkVQBC&5MS9r+0bHKdt z+4CD+q7dDE-@vzUG1L%aVHN`;zgmU^G03A4g~6+IgU&qmfR++Y&cp*YBbv} zwplJz$5*0!e1fp5Fr26e_?!(M_lsaOPvwpf9EWI~y#Q>Z;6r-CjLt++%OsMIq*1KM z(W;0H!<6zPO8Tqt4_z1&K`|?jDT_ogc9R@ak{tVQ(-ovl)$SsA|K+PfeCW7rdLHar zNS*BWoshwMNGQ&yWoY6}x;oMJu!Qe*wBmrC6V zge>SNZ7>0%-!BFTd4}+vdoWqpuo&4egV@>p1zBENkVynL9#*2aUc(3MlGVrF$Y(dy*_Ah+yQ6=LTo^W*^Fg z9hrGuse2M6>lZznG?Uu&BIXQ9Q$%@W@l*)qHAi(zN4x~4d=F&WEXC|m$Lw*XlQAaz z2J#kSMf{`Cz*20;9djVLnR3#eI1e6u5|JuFDZ)o79nB`)uYy{Aa+A0MNE7MaKjxYy z@XcBhguT()3MR5~@O*J0sBtlC?c|e2ubY&)9?Q!Ty$Y1A;N@KS`D9F`S z%xxtKde_UOdJP;p4PNI7F0I$?e{i_dOz+G~IdS^S*@_0SfFv#^C6Kd3(s8ouegyaq zq&5qh*;J>_9OcCB_>NKekbcF+fAK!4HIu9WlIT(LumeL*nlhDxqVj73P(P}00m}$3 ztG`(lwr^CvVih5E%F$sI)F*}N=euB&>%Uhv-Vt;_(aZjjln6hVi=FHk77^VN?};^S zUSi{lZIo4TTZfyF{k5~D{kB4op}wBT z>$*OBw_7{gKQ;(6h4dzj7(Ho{r##m#0Xx}?mB|L zxI^|hLl{p(QMzGeEOGI@WRA#SuEb$p18bB4FsVn!sZ}t?_)GSpZv%wfqx-39NTRC6 zhW6~luL!HE_&Ll&AyGJ3(_lZ(zTSIt!z#>Dv{}IIZaj%~uP&*x?gTCGz%Ou!J5}<& zu=`!=NKjG^u;@s#b!f6VoS;4+uO>vXP6Vh3oKTzfRwT$HwXRg8XjC=8BJK7Nd5GAk ztX)RzS1Wv7YSku3ozMmoKz5v%RFO8=L4a!TPm0j_?j~iuX}|)b;Y<)#6I%`k>`}SPdV!{b(G0j{BOC z^LqZrMb&KW7KUAl`_Vdy=3E{9rU?}YUO(s+%G^ms!QY*dyy6`l^D=F6hRHopK;9KM z!x5;>?g#y#MD3Eqh&2+!Ss26Fh5T5d?h%c{p$@~*!u6U+-G%=(#EHF{#f{B~zV+JF zX;j_KP2HJ-)Nx(cMa&rwET zFXM}ILFY<6YGplNX4vz^ZiheGC*W52sUG~Z9z^ob0=8BZ-=AApJB+;Xo11z_kGq?n zdWi75=ZsoVp9UC1MyLPwfKQB2`3-QG4jvL!FTbv9)9RrQrt@B$iE-0e8p(`GllSCSbPYeO07> zO*bSglx+<(eGgAz&V)lZZ!5=S`7AWFsC3Z`KHH77w=7Jm^`wprhOTrB!MO}j%>=+E z7S3j-$NPmhDp11aFgaoh-ex#fRt`rOI#E{k02jBYD@xW(VhE(WkBN`}wOJ6HO%#evSkRTL zSxpqYaZ#>CT(^-^^hq>*3--1F^vYS>utiGLNy3&*`14Mbs+V4 zBFKMnD3%}%ZgPNYvkCZPtBbTr)PFnd-ZIaGL2zcL<<4=)VdLR?W6|blntFfs!Qp7z z<`Mq7SN7sG<>;)6v&ofx$Z3Ad>6Ok2 zpWg;rivU)^`4#B*+HCjeUID~Naf!FJvgmS!xo`$F-v)eg#xXK^E_y~>zD59(-!?MZ6Y5_#TmhDr zbf+v4(T{b@axF2BT#m0VVV0iZs$Ox7+-l7n@o#FNrWxa9aeBCK35eW2)m(e>kF@HX zF|S2Dd?o{608?d@-OtsVK`kJ)f_G0KYs%xl!3*fhd12&rjU zL5;b)+=+;RiH0%eobUODJO#KJ9>gDIrdlB|oh=_4yMNM)t7n2ldH$w%>!;dH`u!v0uMp7Ri2n?uNi5ag*keNR;F{OKgD!R%s%>a@bg$_QStpw6f`?QFjN zsFiG}-|eWX=P7CLY;^o=RBVf9&cH>;j4Au9EyHDUXy9fk<=t zbQE;@Gxu3a$}4-loCD-iZ1Cv<_lXW65%fw~^f5=3;+<&fLlkd~e{Y524Il0j zp!NMqdx^#Us=oXj!iDZH{umBNA7G?aG4|!rt0Ol{!fM+YvUda z=9(I7`tRL(IGNin+lxSeVy5~?=h}C2vul?0+a@|f{<&MZzq=KRAK-I9f#D|v7@J|` zUwy0_1FA6y`>AB`fI#pqms73a@`u~`t+w^V`#`4`cWsfXus;Lw1fW2`GDbm;_)Fry zR#W)08hSRnzE@3Co%nqmw($=z1zcX-)~jDn?)d-7cK%Z|$?cuovlP%ggf5OxiX+Fu zdHx)c`2eZ#IInI4+v5kv;=bhV1(8a!#CGo{04{n(PjNfhtkf; zpGUTj9zwMLNBagwCgjc(0HWl7iR)zz(QlpL_xH2s`Rzy6_74Hn8vs1uF8s5m8bvqJ zyB?|sjHwUIZ0tj@&r(wGGW*x_RBxAN?}8QZ#n#h*w=2A!PY48w>P~1N2pkTFFC)QN zG#rswB84l_L_8V<%WSDV(Nr>?P&f>YJIPEsnNqpze*!QL&+$~blK*8(moH()JUM`7 zfCLL}D#*EDKmY~-fCd!`^x#062mm0U*)yn2r%$0~1YnVBRjXIAGAz1PA;E+QyMFcR zHS7VfWzCY!x|VI*i5R2Cl{=SiUAuSj<`ucL=gpfq7bsYOz~@lILl z%MdI2JZosW5BckAw4yXD5kL!3Oi{%Z=>jeQ0ciV6yZ~s*?Lnf}BWyR2L@SC#mM}C? z$RUX=61f0>Oj5}unPk94pm0J!yasO!D!ub0gz=*uw`$U)AdL)D%rVJ?2uUx|OjFI_ zo>V}A0T3XJu$qPv2t7Nkd@;+AxD;qj;>rwE&_TmI^Up&OO*AS5t88?)ECm>;&n^)K zlh8{s&D1SJ746j1PfdFAFwq>Xup}Qh;xbK3H660Y4O`8WQ&4HG|Fu>+&zqD&3L8yn zAmUX0k=0mB?2{@Ei4}8JTbXV4&&GH)kJM7}3f913ll||$5kC`=EE2PI)!A{$Ef>We z3B)$s>Ohoizs$~hcU=va{ZrR_@ikZ9ePOZ|J9X!^PA$zYi+A9H4-WXadW9`&%7-D2 zSmKEx9w>o}FJ_qEjXCB~wBZ0&*s^v-M9bj(LKgWdjR$m?;+J8D*Jd z{8XM-n%nNl?QUDOyaCT#bG{81EpWsYSKM;PNzeISl_aNJb&*Gh4D-!l&s^}nXHPo; z+e2Tw_0oC2deSdbUtM@&ch~Fn*pc6RcFqUK9rxU)?p^xnf$dY$;k$+}?B)F1p6=p} zPhNbzmsh@djGu?TX7H(R-}ksX3VvO1369A7%I-g!{k)DJKX$_j*Sy1lPJL0^pZgGK zHGd^+a$MO=w-DB?lX>VqpqXIh&gH-H0g!_Oyj=mKmp~DYkWa=E9%oQyvTv=BX!0tW z(ZZ6y`K9P}0N~3FafrjB@C9?_BVPc~2SNjq|B#49+)~ggmqPwH@P#N$OA}qVEe8JV zfczt04s}?70@x6Xxf(zZ3CB4g5>SX4GvXOZ_bXo^k%}vX&J^+UM1r`mEESX?@mN$t zEbftqS6oUD`{$n>R`_mT{ZOY|S#`$I3;n zQ=QJ_O*_lErriZ^QrWa;R^n-w^p#R{|7jD*?fz*y=ke2&=3JFKj|dlbV&<8tglFT5 zCqG?s?Vc62-;(x8(5d;8qW}e6MhlovgQn(@s%+>pr$hmaf#K?_6m^X^J!UNz|IJlIiNsB+c&F^rp(osQ?Gs)1Pj2 zUk79=KCk&y)}gMb=d7yiuG%?cl9Q`#C07-{3N)vRb&{<_l|BV|HeCf!r)nLi5Pj-a z!EUFKah*?0={l&uA~mUz6C^+#CXhHy7NqOrs{o0)R=^IHv$QH~tHPRCBQ5rEWtG%p zMY90R1&IbW54#HcYSgx@-rtT1wgf9`__gHErako4|Zd(U-Z6?y)K*Nb~7cjJ3nAW@F1; z?tC|;DP^cpo7vmbnXX#oZDT#p`;|n2k$lx{Z(3i=Q|-!ks`oXjP$A4rXD&3t53VoA zwu{sgLbswBcAa_)%wDUyx3AefCWF&OVOKhMq0pT0i#>d;>@e|rdTpSm09jowUAM&W z4JnFe+~QPWWV-pSuu3b8&aPTWl69-@3~>zNyo&gTB*vP zcw<_QNs}q3W9LrB%vKDeltC#**IpU6Ki)D8!zYV+m z;1l0D(1NDzo_prsB&ylP#ub5d_2^5SLRS@#h&J(N869dGj!V*XrSz#$ooee1ddjLE z9HJ9k+{9g4)U`g9zDgb7s)X6qy{@jN-+b0E4mZ)VHXyBSoowQ~vd_BiT9P2gqfOtm z)5QMttd-5IJWmhVc|$Tj%v?z`yk2~fdLuJfNu{ps-Lc++P~Rbj&#Y5>K0@914FoPXU`T32`ni8*w# zE7j_GTssNJ{&u;yZ0_Q%``zCbcf2!s?|oOQ-=(K_z^_Q+qYFEp&so9=dkkHfrie8>2KX3~tvZR#{KE(xX{o5BF zssGdez3+i<;ff1+$j)be=3!rZ_mSJ=ERA^8gRb)Szd!zu^Lfu(PEt(MKcPtW{`UFr z^botPvBZ^{#b)yst@_z4+9-d0#RxJ5wPlD@B$?a0yl5~%kKqeu>Ee(P@2#GYB2nK za0k&ZayqbmxUc?15dPFI{!}oXa**dz5DIIn|AelwmWc+{$p?*0`*=eK6$t_j5XPjU z03QklG4A)Kj|{)C2%m1}$`B6mi^%FP4974E`(+8K2MB?WonBDCTui0J%nk2Q5DcG? z+t;d_Z;@IrI7aa)`s}Xg$Oqzxe2~iL7cE%f{%KX-d-g?g%KZe(4(dAsM=akGxbT9n4 z?+^=50(b8mZE;Jiv2>vB9vcuCzbp`Y4unx~q2nUfJbJD(m@Ef@>4j1qokEr}^Pa|ir4Zn*bDCgG1IU-B;p(2i>( z3vto&9CN@TlL==fG(E92LFF-3Q<+YaHD$6jaZEO8Q=e)Rk#7GpH|2(~P?H1wulT@= zk#w=U9Fp&J^El6JzML)t?P~HOsyF$trjWB)rY;!m${>evEtL^26VblLj}{f`;y6+n z$3#YT}3adX~u2L9}sMyc>1ad14 zk;@7c9m`TF*|Hw>us!!O4apKDjglzSQU;ImHDGf;F|9fQ?n4325aCn%(s3+jvBgHv z!tD6k2OlQAI_5MlJf956H6Ge*-0&QRy=PMNe2?{84)@eqx0LJL$<6I3xZ71~mDRgaHV3C~qwbvt9# z-DWjasj?ZN4ODwFRbG@=$E{bH&r;7xSO;xbZB_B4G9dHvJEhfQ zK2jp>5l4$MD7{Z4*Rw5Ubxw~|KC@L2>2oU;ktg#p^qdt=YcWNU68aJ}AH`5jTht?2 zbW6pt?UoS-?UgGTG%s;5LZ_--qYafR88iBBR6(UwBL}u5my%ma(m+9TG)MAbL2?@H zat-~pU=5Z?5jHNrlJpLg5J$5_Sq@YgYBIajUiB67%Ct>UHcUr#WQ`CW0~Rqqc0UD= zSr5)c5T_VZQb^5`!XN^06S-}R*3)r diff --git a/www/test_dir/bin/.htaccess b/www/test_dir/bin/.htaccess new file mode 100644 index 000000000..8fd8c463a --- /dev/null +++ b/www/test_dir/bin/.htaccess @@ -0,0 +1 @@ +Deny all