Network Working Group                                          G. Chudov
Internet-Draft                                               S. Leontiev
Intended status: Informational                              A. Chelpanov
Expires: June 15, 2009                                        P. Smirnov
                                                              CRYPTO-PRO
                                                       December 12, 2008

GOST based Security Uniform Resource Identifiers (URIs)
draft-chudov-cryptopro-cpxmldsig-01

Status of this Memo

By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt.

The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html.

This Internet-Draft will expire on June 15, 2009.

Abstract

This document specifies how to use the Russian national cryptographic standards GOST R 34.10-2001, GOST R 34.10-94, GOST R 34.11-94 and GOST 28147-89 with XML Signatures and XML Encryption. The mechanisms specified provide integrity, message authentication, and/or data encryption and/or signer authentication services.

Chudov, et al.               Expires June 15, 2009                [Page 1]

Internet-Draft            GOST based Security URIs            December 2008

Table of Contents

   1.  Introduction
   2.  GOST R 34.10-94/2001
   3.  Specifying GOST within XMLDSIG and XML encryption syntax and
       processing
       3.1.  Version, Namespaces and Identifiers
       3.2.  XML Schema Preamble and DTD Replacement
           3.2.1.  XML Schema Preamble
           3.2.2.  DTD Replacement
       3.3.  Public Key Signature Algorithms
       3.4.  DigestMethod Algorithms
       3.5.  Hash Message Authentication Code Algorithms
       3.6.  GOST Key Values
           3.6.1.  Key Value Root Element
           3.6.2.  GOST R 34.10 Parameters
       3.7.  EncryptionMethod Algorithms
       3.8.  Key Agreement Algorithms
       3.9.  Key Transport Algorithm
       3.10.  Symmetric Key Wrap
           3.10.1.  GOST 28147-89 Key Wrap
           3.10.2.  CryptoPro Key Wrap
   4.  Security Considerations
   5.  Examples
       5.1.  Signed message
   6.  IANA Considerations
   7.  References
       7.1.  Normative references
       7.2.  Informative references
   Appendix A.  Aggregate XML Schema
   Appendix B.  Aggregate DTD
   Appendix C.  Examples
       C.1.  Signed document
   Appendix D.  Acknowledgments
   Authors' Addresses
   Intellectual Property and Copyright Statements
1.  Introduction

This document specifies how to use the GOST R 34.10-2001 and GOST R 34.10-94 digital signatures and public keys, the GOST R 34.11-94 hash function and the GOST 28147-89 encryption algorithm with XML Signatures [XMLDSIG] and XML Encryption. This document uses both XML Schemas ([XML-SCHEMA-1], [XML-SCHEMA-2]) (normative) and DTDs [XML] (informational) for specifying the corresponding XML structures.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [KEYWORDS].

2.  GOST R 34.10-94/2001

Algorithms GOST R 34.10-94, GOST R 34.10-2001 and GOST R 34.11-94 have been developed by the Russian Federal Agency of Governmental Communication and Information (FAGCI) and the "All-Russian Scientific and Research Institute of Standardization". They are described in [GOSTR341094], [GOSTR341001] and [GOSTR341194] ([GOST3431095], [GOST3431004] and [GOST3431195]). RECOMMENDED parameters for those algorithms are described in [CPALGS].

The only hash function used with GOST R 34.10-94/2001 is GOST R 34.11-94.

3.  Specifying GOST within XMLDSIG and XML encryption syntax and processing

This section specifies the details of how to use GOST algorithms with XML Signature Syntax and Processing [XMLDSIG] and XML Encryption Syntax and Processing [XMLENC-CORE]. It relies heavily on the syntaxes and namespaces defined in [XMLDSIG] and [XMLENC-CORE].

3.1.  Version, Namespaces and Identifiers

This specification makes no provision for an explicit version number in the syntax. If a future version is needed, it will use a different namespace.

The XML namespace [XML-NS] URI [RFC2396] that MUST be used by implementations of this (dated) specification is:
   http://www.w3.org/2006/10/xmldsig-gost#

Elements in the namespace of the [XMLDSIG] specification are marked as such by using the namespace prefix "dsig" in the remaining sections of this document. Elements in the namespace of the [XMLENC-CORE] specification are marked as such by using the namespace prefix "xenc" in the remaining sections of this document.

3.2.  XML Schema Preamble and DTD Replacement

3.2.1.  XML Schema Preamble

The subsequent preamble is to be used with the XML Schema definitions given in the remaining sections of this document.

3.2.2.  DTD Replacement

In order to include the GOST XML-signature syntax, the following definition of the entity Key.ANY SHOULD replace the one in [XMLDSIG]:

3.3.  Public Key Signature Algorithms

The input to the GOST R 34.10-94/2001 algorithms is the canonicalized representation of the dsig:SignedInfo element as specified in Section 3 of [XMLDSIG]. The signature value (the text value of the dsig:SignatureValue element, see Section 4.2 of [XMLDSIG]) consists of the base64 encoding of the 64 octets described in Section 2.2 of [CPPK].

The identifier for the GOST R 34.10-94 signature algorithm is:

   http://www.w3.org/2006/10/xmldsig-gost#gostr341094-gostr3411

The identifier for the GOST R 34.10-2001 signature algorithm is:

   http://www.w3.org/2006/10/xmldsig-gost#gostr34102001-gostr3411

3.4.  DigestMethod Algorithms

The identifier for the GOST R 34.11-94 digest algorithm is:

   http://www.w3.org/2006/10/xmldsig-gost#gostr3411

The DigestMethod may contain the optional element gost:ParametersR3411. ParametersR3411 contains one OID specified in Section 8.2 of [CPALGS]. If ParametersR3411 is omitted, the application is assumed to know the parameters by other means.
It is RECOMMENDED to use the parameters defined by id-GostR3411-94-CryptoProParamSet if ParametersR3411 is omitted (see Section 11.2 of [CPALGS]).

Schema Definition:

DTD Definition:

3.5.  Hash Message Authentication Code Algorithms

GOST R 34.11-94 can also be used in HMAC [HMAC] as described in Section 6.3.1 of [XMLDSIG].

Identifier:

   http://www.w3.org/2006/10/xmldsig-gost#hmac-gostr3411

The Hash Message Authentication Code algorithms take the same parameters as the DigestMethod algorithms. If ParametersR3411 is omitted, the parameters identified by id-GostR3411-94-CryptoProParamSet are RECOMMENDED (see Section 11.2 of [CPALGS]).

3.6.  GOST Key Values

3.6.1.  Key Value Root Element

Elements of the KeyValue1994Type and KeyValue2001Type types are used for encoding GOST public keys. The usage of these elements with [XMLDSIG] or [XMLENC-CORE] is the same as for the predefined dsig:RSAKeyValue or xenc:DHKeyValue elements in dsig:KeyValue. The elements consist of an optional subelement PublicKeyParameters and the mandatory subelement PublicKey. If PublicKeyParameters is missing in an instance, this means that the application knows the parameters by other means (implicitly).

Schema Definition:

DTD Definition:

If the PublicKeyParameters subelement of KeyValue2001Type is omitted, the parameters identified by DefaultPublicKeyParameters2001 are RECOMMENDED.

DefaultPublicKeyParameters2001:

   1.2.643.2.2.35.1
   1.2.643.2.2.30.1
   1.2.643.2.2.31.1

If the PublicKeyParameters subelement of KeyValue1994Type is omitted, the parameters defined by DefaultPublicKeyParameters1994 are RECOMMENDED.

DefaultPublicKeyParameters1994:

   1.2.643.2.2.32.2
   1.2.643.2.2.30.1
   1.2.643.2.2.31.1

3.6.2.
GOST R 34.10 Parameters

GOST parameters contain three OIDs: publicKeyParamSet, digestParamSet and the optional encryptionParamSet. The parameter values corresponding to these OIDs can be found in [CPALGS].

Schema Definition:

DTD Definition:

3.7.  EncryptionMethod Algorithms

This subsection gives identifiers and information for the GOST 28147-89 EncryptionMethod algorithms.

The identifier for the GOST 28147-89 encryption algorithm is:

   http://www.w3.org/2006/10/xmldsig-gost#gost28147

A complete description of GOST 28147-89 can be found in [GOST28147] (in Russian). A 256-bit key, a 64-bit Initialization Vector (IV) and optional parameters are used in the GOST 28147-89 encryption method. The resulting ciphertext is prefixed by the IV; if included in XML output, it is then base64 encoded.

GostParameters28147 specifies the set of corresponding Gost28147-89-ParamSetParameters (see Section 8.1 of [CPALGS]). The encryption mode is specified by the mode parameter of the Gost28147-89-ParamSetParameters structure. The CFB and CNT modes are RECOMMENDED. If ParametersR3411 is omitted, the application is assumed to know the parameters by other means. If GostParameters28147 is omitted, the parameters defined by id-Gost28147-89-CryptoPro-A-ParamSet are RECOMMENDED (see Section 8.1 of [CPALGS]).

Schema Definition:

DTD Definition:

3.8.  Key Agreement Algorithms

Key agreement algorithms based on GOST R 34.10-94/2001 public keys (see Section 5 of [CPALGS]) involve the derivation of shared secret information based on compatible keys from the sender and recipient.
The identifiers for the algorithms based on GOST R 34.10-94/2001 are:

   http://www.w3.org/2006/10/xmldsig-gost#agree-gost1994
   http://www.w3.org/2006/10/xmldsig-gost#agree-gost2001

The shared keying material for the algorithm based on GOST R 34.10-94 is calculated by the function VKO GOST R 34.10-94 (see Section 5.1 of [CPALGS]), which generates a GOST KEK from two GOST R 34.10-94 key pairs.

The shared keying material for the algorithm based on GOST R 34.10-2001 is calculated by the function VKO GOST R 34.10-2001 (see Section 5.2 of [CPALGS]), which generates a GOST KEK from two GOST R 34.10-2001 key pairs and a UKM. The KA-Nonce field of AgreementMethod contains the base64 encoded 64-bit UKM value, if a UKM is used.

3.9.  Key Transport Algorithm

The key transport algorithms based on VKO GOST R 34.10-2001 or VKO GOST R 34.10-1994, specified in [CPALGS], are public key encryption algorithms which MUST be used for key encryption/decryption only.

The identifiers for the algorithms based on VKO GOST R 34.10-94/2001 are:

   http://www.w3.org/2006/10/xmldsig-gost#transport-gost1994
   http://www.w3.org/2006/10/xmldsig-gost#transport-gost2001

The CipherValue for such an encrypted key is the base64 encoding of the [X.208-88] encoding of the GostR3410-KeyTransport structure (see Section 4.2.1 of [CPCMS]).

In order to produce the KEK, the algorithm VKO GOST R 34.10-94/2001 (described in [CPALGS]) is used with the secret key corresponding to the GostR3410-TransportParameters ephemeralPublicKey and the recipient's public key. If the CryptoPro key wrap algorithm is used to produce CEK_ENC, CEK_MAC and UKM, then GostR3410-TransportParameters encryptionParamSet is used for all encryption operations.
The resulting encrypted key (CEK_ENC) is placed in the Gost28147-89-EncryptedKey encryptedKey field, its MAC (CEK_MAC) is placed in the Gost28147-89-EncryptedKey macKey field, and the UKM is placed in the GostR3410-TransportParameters ukm field.

3.10.  Symmetric Key Wrap

Symmetric key wrap algorithms are shared secret key encryption algorithms which MUST be used for symmetric key encryption/decryption only.

3.10.1.  GOST 28147-89 Key Wrap

The GOST 28147-89 Key Wrap algorithms wrap (encrypt) a key (the wrapped key, WK) under a GOST 28147-89 Key Wrap (specified in Sections 6.1 and 6.2 of [CPALGS]).

Note: These algorithms MUST NOT be used without a Key Agreement algorithm, because such a WK is constant for every wrapping-encrypting pair. The encryption of many different keys with the same constant WK may reveal that WK.

The identifier for the GOST 28147-89 Key Wrap algorithms is:

   http://www.w3.org/2006/10/xmldsig-gost#kw-gost

The CipherValue for such a wrapped key is the base64 encoding of the [X.208-88] DER encoding of the GostR3410-KeyWrap structure.

ASN.1 structure:

   GostR3410-KeyWrap ::= SEQUENCE {
       encryptedKey         Gost28147-89-EncryptedKey,
                            -- the wrapped key (encryptedKey) and its MAC (macKey)
       encryptedParameters  Gost28147-89-KeyWrapParameters
                            -- carries the optional ukm field (Section 4.1.1 of [CPCMS])
   }

Gost28147-89-KeyWrapParameters is described in Section 4.1.1 of [CPCMS]. The KA-Nonce field of the AgreementMethod tag MUST be used as the ukm. The resulting wrapped key (WK) is placed in the Gost28147-89-EncryptedKey encryptedKey field, and its MAC (CEK_MAC) is placed in the Gost28147-89-EncryptedKey macKey field. The ukm field of Gost28147-89-KeyWrapParameters MUST be absent.

3.10.2.  CryptoPro Key Wrap

The CryptoPro Key Wrap algorithm wraps (encrypts) a key (the wrapped key, WK) under a CryptoPro Key Wrap (specified in Sections 6.3 and 6.4 of [CPALGS]).
The identifier for the CryptoPro Key Wrap algorithms is:

   http://www.w3.org/2006/10/xmldsig-gost#kw-cp

The CipherValue for such a wrapped key is the base64 encoding of the [X.208-88] DER encoding of the GostR3410-KeyWrap structure (see 'GOST 28147-89 Key Wrap'). The resulting wrapped key (WK) is placed in the Gost28147-89-EncryptedKey encryptedKey field, and its MAC (CEK_MAC) is placed in the Gost28147-89-EncryptedKey macKey field.

If the CryptoPro Key Wrap algorithm is combined with a Key Agreement algorithm, the KA-Nonce field of the AgreementMethod tag MUST be used as the ukm. The ukm field of the Gost28147-89-KeyWrapParameters type must be absent.

If the CryptoPro Key Wrap algorithm is not combined with a Key Agreement algorithm, the ukm field of the Gost28147-89-KeyWrapParameters type MUST be present.

4.  Security Considerations

Conforming applications MUST use unique values for ukm and iv. Recipients MAY verify that the ukm and iv specified by the sender are unique.

It is RECOMMENDED that software applications verify that signature values, subject public keys and algorithm parameters conform to the [GOSTR341001] and [GOSTR341094] standards before using them.

Cryptographic algorithm parameters affect algorithm strength. The use of parameters not listed in [CPALGS] is NOT RECOMMENDED (see the Security Considerations section of [CPALGS]).

Use of the same key for signature and key derivation is NOT RECOMMENDED.

XML encryption SHOULD NOT be used without XML signature or HMAC.

5.  Examples

5.1.  Signed message

This message is signed using the sample certificate.

6.  IANA Considerations

IANA has assigned the following values for GOST 28147-89 mode cipher definitions:

IANA has assigned the following XML namespace [XML-NS] URN:

   http://www.w3.org/2006/10/xmldsig-gost#

[IANA please remove] Note: The above URN has not yet been registered.

7.  References
7.1.  Normative references

[CPALGS]  Popov, V., Kurepkin, I., and S. Leontiev, "Additional Cryptographic Algorithms for Use with GOST 28147-89, GOST R 34.10-94, GOST R 34.10-2001, and GOST R 34.11-94 Algorithms", RFC 4357, January 2006.

[CPCMS]  Leontiev, S. and G. Chudov, "Using the GOST 28147-89, GOST R 34.11-94, GOST R 34.10-94, and GOST R 34.10-2001 Algorithms with Cryptographic Message Syntax (CMS)", RFC 4490, May 2006.

[CPPK]  Leontiev, S. and D. Shefanovski, "Using the GOST R 34.10-94, GOST R 34.10-2001, and GOST R 34.11-94 Algorithms with the Internet X.509 Public Key Infrastructure Certificate and CRL Profile", RFC 4491, May 2006.

[GOST28147]  Government Committee of the USSR for Standards, "Cryptographic Protection for Data Processing System, Gosudarstvennyi Standard of USSR (In Russian)", GOST 28147-89, 1989.

[GOST3431004]  Council for Standardization, Metrology and Certification of the Commonwealth of Independent States (EASC), Minsk, "Information technology. Cryptographic Data Security. Formation and verification processes of (electronic) digital signature based on Asymmetric Cryptographic Algorithm (In Russian)", GOST 34.310-2004, 2004.

[GOST3431095]  Council for Standardization, Metrology and Certification of the Commonwealth of Independent States (EASC), Minsk, "Information technology. Cryptographic Data Security. Produce and check procedures of Electronic Digital Signature based on Asymmetric Cryptographic Algorithm (In Russian)", GOST 34.310-95, 1995.

[GOST3431195]  Council for Standardization, Metrology and Certification of the Commonwealth of Independent States (EASC), Minsk, "Information technology. Cryptographic Data Security. Hashing function (In Russian)", GOST 34.311-95, 1995.

[GOSTR341001]  Government Committee of Russia for Standards,
"Information technology. Cryptographic Data Security. Signature and verification processes of [electronic] digital signature, Gosudarstvennyi Standard of Russian Federation (In Russian)", GOST R 34.10-2001, 2001.

[GOSTR341094]  Government Committee of Russia for Standards, "Information technology. Cryptographic Data Security. Produce and check procedures of Electronic Digital Signatures based on Asymmetric Cryptographic Algorithm, Gosudarstvennyi Standard of Russian Federation (In Russian)", GOST R 34.10-94, 1994.

[GOSTR341194]  Government Committee of Russia for Standards, "Information technology. Cryptographic Data Security. Hashing function, Gosudarstvennyi Standard of Russian Federation (In Russian)", GOST R 34.11-94, 1994.

[HMAC]  Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-Hashing for Message Authentication", RFC 2104, February 1997.

[KEYWORDS]  Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC2396]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform Resource Identifiers (URI): Generic Syntax", RFC 2396, August 1998.

[X.208-88]  International Telephone and Telegraph Consultative Committee, "Specification of Abstract Syntax Notation One (ASN.1)", CCITT Recommendation X.208, November 1988.

[XML-NS]  Bray, T., Hollander, D., Layman, A., and R. Tobin, "Namespaces in XML (Second Edition)", W3C REC-xml-names, August 2006.

[XML-SCHEMA-1]  Thompson, H., Beech, D., Maloney, M., and N. Mendelsohn, "XML Schema Part 1: Structures Second Edition", W3C REC-xmlschema-1, October 2004.

[XML-SCHEMA-2]  Biron, P. and A. Malhotra, "XML Schema Part 2: Datatypes Second Edition", W3C REC-xmlschema-2, October 2004.

[XMLDSIG]  Eastlake, D., Reagle, J., and D.
Solo, "(Extensible Markup Language) XML-Signature Syntax and Processing", RFC 3275, March 2002.

[XMLENC-CORE]  Eastlake, D. and J. Reagle, "XML Encryption Syntax and Processing", W3C Candidate Recommendation xmlenc-core, August 2002.

7.2.  Informative references

[RFC4134]  Hoffman, P., "Examples of S/MIME Messages", RFC 4134, July 2005.

[XML]  Bray, T., Paoli, J., Sperberg-McQueen, C., Maler, E., and F. Yergeau, "Extensible Markup Language (XML) 1.0 (Fourth Edition)", W3C REC-xml, August 2006.

Appendix A.  Aggregate XML Schema

Appendix B.  Aggregate DTD

Appendix C.  Examples

The examples here are stored in the same format as the examples in [RFC4134] and can be extracted using the same program. If you want to extract without the program, copy all the lines between the "|>" and "|<" markers, remove any page breaks, and remove the "|" in the first column of each line. The result is a valid Base64 blob that can be processed by any Base64 decoder.

C.1.  Signed document

This sample contains the signed XML document, using the sample certificate from Section 4.2 of [CPPK].