[Binary image data, not readable text: an Adobe Photoshop 6.0 document ("Untitled-1") containing embedded JFIF and PNG image streams. No textual content survives extraction.]
?D?#?٨z,4REGu^|??7,??;???~.P[yl??7.o?3?x????GT=????g???Ժt?|?̝?ϩ??m????H?~!iݱ??'z??A?=?U??zd?Q?(<h??v"Zb????4?j?!Pà?B?q???????:Ҭ_H???X??G?9?Өz.42G?h?0??Й7?s?3%????L?e?????{?E?:¬?3?K?v?8@?zD?6mT=???X?Q?$?߼??Xu?zYW?,߷?Y??T&???/ ?????-??Ցy]8<?vQ?齠?)z4;w?hQ:!)?w?l???d????M!??f = ??;jWh?N3ՄVV?z???Q?W)?({?????G???"?Ǜ???L?z|?W=߲ ?????????[??M??3g??ǒ???^(4Z?@h?J!?>{??ȡϥ?>?0?~џ o(???C?????[?ЪRc?1P?s?BC?ϥ -i(???C????? ??B??@h-c@U)???b?9???"?]H???2??B?Ko?B?7._2%?}[?W(???W)????鶶?C??;????Z??ږ???@h96???\???"吐ث !?W??v\?P??T6t?h?!?h??"??6tI?T?????.?D|?@?o?T.?@od?0j?6?TQ ?Xfh??ɫ?.+k@?[qZ_??@?U?K8?????I)?ˏ?iӒ?? :?)??r5??{?o??ʳ? ???:??@???zx 3?0??!p=m?Pڷ?z"9Nn??u@?ⴾ?8?rD?????H??4_\ӿqO6_O:???D??@?????nA3)E$?y??=a?)GN?3==w???V?6???a????D,? \=?? $?rd?XYlA?{??8?ֶ ?3??k?l?@?~?? ??vP? @z??;??E?? ??vP? @?~?? ??vP? @?~?? ??vP? ? ?weJk?????I??SOs?????̺@K?|_n?[o???z??ĩ-v̈́??/9??9??܄??G@?mV28?Ů?f??cs?a?V4??9?P?????P??Rݢd\?+?W@fHU.oP????7?-m-Ȯ?n@??(?n?'??î՜YW???{??hID??ثX??n????Z?Φ??}HK???@??&K.z?>?}{?J??x8??Ak???U?[???3k?hh)Йm?oO^ ?| ?b⮂>??[??????a?t?۲??!9?????Ǔ u)??7W????V:#'&??"?d???w??? ?/k???Q ?Siw?m?d???f????"thrb??'???o*?@K? e?hr?`??Bz???"????#?t??;{??O͒oЍ??v?\Kn???:??????N?m?;e-?v?o?ü?M?Q?2?N??ԑ?r???W??֧?P?ڏ?+B?|3?+\). ??-??? ??~????Ma??E4??t?Z2e8?Wh@?@??v r??5y? @? ?x?c?n?ߑC_?=?(/?*Qy(tF????????`????q?L??-?a ??%?h=2? @?'???T???DH1}ר??{?p^?@??3\?7??mg?)?^?-???E +~?=?ȁ?????@o???K9??`????c?>????"???zj?AR?ڤF??cx???B$??z$??i??Ӷٯ??O@S??@:,H?_??D?=?r ?rM?s4??r????@?@W~t?Z@h]??&???^Zب?????[] ??Bo???ÀBg? P?Z??)?=??Ua?)G??@?Wn(4z>u{?z ^??#??$?@??O??~ʶ?????w=B??*?D49oo???%???4????j??^ί????'_M ??Vc??!npY ?t?^\)R????@?D-n @?????h??]/???^6%??? k?y?? ?2?????ݭ?q9m5l~??tz? ???ʅ?"??Dπap?1?)?-?ob0????cFl?/?᤬B?t?IJ??M?-J]?? ????ijߖ+?}l${???v]Ut??-?]1?{? ?&????q??-:????*?b????U?? ?q?s?l?_r?`?? ??g6;???????????I?v??G]K?!Մ ?????????n6?V?????b?菣?`??_??Z?S??$"wLϰ?G??_F?M6?&?33??YG?2%ﲭ?َ?y??? ????m????S?? ????~?E??ڪ??h6E;?g?-??? ??-)4:???*????-??=?Dm??@??2????>?$??@ǻߧ{?z?hs?{?1?)??D??K?m?r?(.????m?hvi(??A??? 
??nPh???A???H?S:??#?I????V?Y(?R??wJ=?|e_?”??oSX???p?????=w|???W?K m?/)?`?~w?a? '?4+4?N????z؜???d?=w;???'L9???i??Rݾ??????a]?/??????/$xT? ?ڷ)??Z?}? Z?͋]?????m?????j?'?eI{???4S?:?vMZmbc a,?e?~??;??[???^?k,?s?KR????L?eOo??Ѯ1c??|?1Nnk?I4???:%??,۵??s?ʉz??& ]sS?ٽ?6??I ??E?ndU?\?s[??u>?4?Krk`?8????N?.?C?n?!X?3E?g9"6?*??tv?5k2??R???GG???} ??%!?@ ?B]???????a?;E???v5???M?6?f@?U?p?|+:M8???ߦkg?1??e|? ׉??_B?o ? nIA?Kt????) ]?????~?L??5"??Ϋ??G?9??I ??}@/?F?'&????6??}h?_???w?06??}?X???lc?wd??V????X?)??l????Q????̊?C?????{˭??؛B?n:?^v??P????]???0??b??|?~?v??Գ?̌?? ??7?/??e?j?#N9?xn????oz??yhe?U?Щ??2.'I@#?M v?M #TqT#???r???:?6qw?Y???????$Z?a?08?????OM9?(t???1ϏGԹ??kW9زͫd?Cz.N? m??y?>y?? ??|*??hN?y?6\wIE2A?????qF9?k:?nR??????h9??r? wI??}?&?U7???FNw??8???b+?1@?kyhB????tm%?_U٫L?ӷy $?fs??L????aA(??n)?;???s????ߧhq??B?????}?z@/t>????ߧhq??B?????}?z@/t>????ߧhq??B?????}?z@/t>????ߧhq??B?????}?z???g?7??????,hkM?????n??.e?~49FI?UM??_?:?z???qx??>e??j?]5?J??Q?{y?d??f?o??? ?o/?Z ?zz??~???¶oS?V`?D?lʺh?4???????.-4???`|?:S?:6?z??]M ?,?Scp4p?%?o??:?H"?(U͐?e;?Q?ö??qo??IXX?謰??s?e_*? 3?#???IYQ??#????u7oѶ??mq$'?UHt_??Ph????O?b}B????}??n }kuv?!@$??C?F;iM%?=}???-x?z@?UЪ? c4P??*?0@?UЪ? c4P??*?0@?UЪ? c4P??*?0@?UЪ? c4P??*?0@?UЪ? c4P??*?0@?UЪ? c4P??*?0@?UЪ? c4P??*?0@?UЪ? c4P??*?0@?UЪ? c4P??*?0@?UЪ? c4P??*?0@?UЪ? c4P??*?0@?UЪ? c??2?'?!?IEND?B`?n??N??ԆAa??1`m???PNG  IHDR? ??htEXtSoftwareMicrosoft Office?5q PLTE??????~=?:tRNS@??f pHYs@@bCc[ cmPPJCmp0712Om?? IDATx?횿n?6?3??Z?Э??9:???>??`p!???%䭃 ?oՅШ? <??$?-????6??%??D??Ϥ?C?ww66666666666?a?-??_?[t????&?`??\~%??K?srBY?!?#7???r/t?X ?D?NR o??io?? )??I??2??y????:?? ??s??ԈS?:?5\QJ???l? ????X?%Y? ???;J?;.IbRӒ??zS?*ƪ2?<$??z%?j[̤?\?*?$??D<i?9??????*???S'?l/?d?LE??z?X?%Y?P????fҝn?& j???DF&j'? ???xS+??H$Z7Ьp???n26Il?,^?=?H????B?T?!{?Ѻ??S?T#?a?"dt????gR??o?!훸%U????&q$??@"5?p}??v??D劋 QP??7I???,???c??`y? kTW?Do! ?9IPq?"? ?l? ?W?V?8> ????V.??A'??䈕???HLB????)?H_񾒤??? ???}%???NjA;?i???_?H\???{??#?$?I?G5??<??2??_?> ?Čp?Fp?x??c?`?WU쑷[w??P6???$??X%HRW8-?FI???? 
XML Web Services Security
IIDS Group, Vrije Universiteit, Amsterdam
March 27, 2003
Yuri Demchenko

Outline
- Historical XML Security
- Web Services Security
- OGSA Security
- XML Web Services technology for IIDS: discussion

Historical: how all this started (quoting Tim Berners-Lee)
- Initial idea: to create a resource description language
- Existing technologies: SGML + WAIS, Gopher + Library Catalogues
- Problems: hyperlinks, reference and semantic meaning binding
- Past steps: WWW and HTML; RDF and Metadata; XML and XML Signature
- Next step: Semantic Web
- Ongoing development: Computer Grids -> Information Grids -> Semantic Grids

XML Basics: DTD, Schema, XML Protocol, etc.
- DTD is document-oriented, like HTML
- Schema is data-oriented
- XML Signature
- SAML
- Basic XML Protocol(s): XML-RPC, SOAP
- XForms, XLink, XML Query, XPath, XPointer, XSL and XSLT, Legal XML

XML Security vs Traditional (Network) Security
- Traditional security: host-to-host or point-to-point security; client/server oriented; connection or connectionless oriented; generically a single/common trust domain/association
- XML security: document-oriented approach; security tokens/assertions and policies can be associated with the document or its parts; intended to be cross-domain; potentially for virtual and dynamic trust domains (security associations)

XML Security: Components
- XML Signature
- XML Encryption
- Security assertions: SAML (Security Assertion Mark-up Language)
- XrML (XML Right Mark-up Language)
- XACML (XML Access Control Mark-up Language)
- XKMS (XML Key Management Specification)

XML Signature: Features
- Fundamental feature: the ability to sign only specific portions of the XML tree rather than the whole document.
- An XML document may have a long history, with different components authored by different parties at different times
- Different parties may want to sign only those elements relevant to them
- Important when keeping the integrity of certain parts of an XML document is essential while leaving other parts free to be changed
- Allows carrying security tokens/assertions on the document/data rather than on the user/client
- Provides security features for XML-based protocols
- Provides basic functionality for state assertions

XML Signature structure
(figure: structure of the XML Signature element)

XML Web Services
- A Web Service is a software system identified by a URI, whose public interfaces and bindings are defined and described by XML. Other software systems may discover and interact with the Web Service in a manner prescribed by its definition, using XML-based messages conveyed by Internet protocols.
- Service-oriented architecture for application-to-application interaction
- Describing Web services: WSDL
- Exchanging messages: SOAP extensions
- Publishing and discovering WS descriptions: UDDI
- Programming language-, programming model-, and system software-neutral
- Standards-based: XML/SOAP foundation
- Industry initiatives (and development platforms): Sun SunONE/J2EE (SunONE Studio); Microsoft .NET (Visual Studio .NET); IBM Dynamic e-Business (AlphaWorks); XML Spy by Altova

XML WS: Service Oriented Architecture
- WSDL-based service description
- SOAP-based messaging over HTTP, SMTP, TCP, etc.
- UDDI-based publishing/discovery

Web services features: three stacks
(figure)

Web Service Description Language (WSDL)
- WSDL is an XML document format for describing a Web service as a set of endpoints operating on messages containing either document-oriented or procedure-oriented (RPC) messages.
- The operations and messages are described abstractly and then bound to a concrete network protocol and message format to define an endpoint.

WSDL example: TimeService.wsdl
(figure: http://www.Nanonull.com/TimeService/ and http://www.Nanonull.com/TimeService/#message(getUTCTimeSoapIn))

Web Services Security Model
- The WS-Security model provides end-to-end security (as opposed to point-to-point), allowing intermediaries
- A Web service can require that an incoming message prove a set of claims (e.g., name, key, permission, capability, etc.). The set of required claims and related information is referred to as a Policy.
- A requester can send messages with proof of the required claims by associating security tokens with the messages. Messages both demand a specific action and prove that their sender has the claim to demand the action.
- When a requester does not have the required claims, the requester or someone on its behalf can try to obtain the necessary claims by contacting other Web services.
- Security token services broker trust between different trust domains by issuing security tokens.

Web Services Security Model
(figure)

WS Security Scenarios
- All are built on SOAP-based security token exchange
- Direct trust using username/password (over SSL/TLS)
- Direct trust using a security token
- Security token acquisition
- Issued security token
- Enforcing business policy
- Web clients
- Mobile clients (gateway services)
- Enabling federations: using trust chaining, security token exchange, credentials exchange
- Supporting delegation
- Access control
- Auditing

Web Services Security Architecture
- WS-Security: describes how to attach signature and encryption headers to SOAP messages. In addition, it describes how to attach security tokens, including binary security tokens such as X.509 certificates, SAML, Kerberos tickets and others, to messages.
- Core specification: Web Services Security: SOAP Message Security, http://www.oasis-open.org/committees/download.php/1043/WSS-SOAPMessageSecurity-11-0303.pdf

Web Service Security: other specifications
- WS-Policy: will describe the capabilities and constraints of the security (and other business) policies on intermediaries and endpoints (e.g. required security tokens, supported encryption algorithms, privacy rules)
- WS-Trust: will describe a framework for trust models that enables Web services to securely interoperate
- WS-Privacy: will describe a model for how Web services and requesters state privacy preferences and organizational privacy practice statements
- WS-SecureConversation: will describe how to manage and authenticate message exchanges between parties, including security context exchange and establishing and deriving session keys
- WS-Federation: will describe how to manage and broker the trust relationships in a heterogeneous federated environment, including support for federated identities
- WS-Authorization: will describe how to manage authorization data and authorization policies

WS Security: SOAP Message Security
- SOAP Message Security must support a wide variety of security models. Key driving requirements for the specification:
  - Multiple security tokens for authentication or authorization
  - Multiple trust domains
  - Multiple encryption technologies
  - End-to-end message-level security, not just transport-level security
- Primary security concerns:
  - Protection against interception (confidentiality): XML Encryption
  - Protection against illegal modification (integrity): XML Signature
- Security considerations: auditing; timestamping and message expiration; sequence numbers and message correlation

SOAP Message Security Model
- Describes an abstract message security model in terms of security tokens combined with digital signatures as proof of possession of the security token (key).
- A security token asserts claims, and signatures provide the mechanism for proving the sender's knowledge of the key
- A claim can be either endorsed or unendorsed by a trusted authority
- An X.509 certificate, claiming the binding between one's identity and public key, is an example of an endorsed/signed security token
- An unendorsed claim can be trusted if there is a trust relationship between the sender and the receiver (usually based on historical relations/communications context)
- Proof-of-Possession (e.g. username/password): a special type of unendorsed claim

WS-Security SOAP message structure
- URI: http://schemas.xmlsoap.org/ws/2002/04/secext
- Namespaces used in WSSL:
  - SOAP: S, http://www.w3.org/2001/12/soap-envelope
  - XML Digital Signature: ds, http://www.w3.org/2000/09/xmldsig#
  - XML Encryption: xenc, http://www.w3.org/2001/04/xmlenc#
  - XML/SOAP Routing: m, http://schemas.xmlsoap.org/rp
  - WSSL: wsse, http://schemas.xmlsoap.org/ws/2002/04/secext

SecurityTokenReference Model
Usage and processing models for the <wsse:SecurityTokenReference> element:
- Local Reference: a security token that is included in the message in the <wsse:Security> header is associated with an XML Signature.
- Remote Reference: a security token that is not included in the message but may be available at a specific URI is associated with an XML Signature.
- Key Identifier: a security token that is associated with an XML Signature is identified using a known value that is the result of a well-known function of the security token (defined by the token format or profile).
- Key Name: a security token is associated with an XML Signature and identified using a known value that represents a "name" assertion within the security token (defined by the token format or profile).
- Format-Specific References: a security token is associated with an XML Signature and identified using a mechanism specific to the token.
- Non-Signature References: a message may contain XML that does not represent an XML Signature but may reference a security token (which may or may not be included in the message).

Computer Grids
- Originated from distributed supercomputing
- To become a "pluggable" computing resource
- Computer Grids -> Information Grids -> Semantic Grids
- Current de-facto standard: the Globus Toolkit
- The Open Grid Services Architecture was boosted by the development of XML Web Services (2002)
- Commercial Grids are starting

Open Grid Services Architecture (OGSA)
- WSDL extensions to describe the specifics of Grid services
- Defines a new portType: GridService
- Provides a mechanism to create Virtual Organisations
- Provides a mechanism to create transient services: Factories
- Provides soft-state registration of GSHs: Registry
- Grid services can maintain internal state for the lifetime of the service. The existence of state distinguishes one instance of a service from another that provides the same interface.
- OGSA services can be created and destroyed dynamically
- A Grid service is assigned a globally unique (persistent) name, the Grid Service Handle (GSH)
- Grid services may be upgraded during their lifetime and are referenced by a (dynamic) Grid Service Reference (GSR)

Security Issues in Grid computing: specifics
- General issues: traditional systems are user/client/host centric; Grid computing is data centric
- Traditional systems: protect the system from its users; protect the data of one user from compromise
- In Grid systems: protect applications and data from the system where the computation executes; stronger/mutual authentication is needed (for users and code); ensure that resources and data are not provided by an attacker; protect local execution from remote systems; different administrative domains/security policies
Security Issues in Grid computing: components
- Authentication: password based; Kerberos based (authentication and key distribution protocol); SSL authentication; PKI/certificate based
- Authorisation
- Integrity and confidentiality
- Cryptography
- Assurance
- Accounting
- Audit

Authentication
- Traditional systems: authenticate the user/client to protect the system
- Grid systems: mutual authentication is required; ensure that resources and data are not provided by an attacker
- Delegation of identity: the process that grants one principal the authority to act as another individual; assume another's identity to perform certain functions. E.g., in Globus: use the gridmap file on a particular resource to map an authenticated user onto another's account, with the corresponding privileges
- Data origin authentication

Authorisation
- Traditional systems: determine whether a particular operation is allowed based on the authenticated identity of the requester and local information
- Grid systems: determine whether access to a resource/operation is allowed; access control lists associated with resources, principals or authorised programs
- Distributed authorisation: distributed maintenance of authorisation information. One approach: embed attributes in certificates. Restricted proxy: an authorisation certificate that grants the authority to perform an operation on behalf of the grantor. Alternative: a separate authorisation server

Assurance, Accounting, Audit
- Assurance: when a service is requested, assure that the candidate service provider meets the requirements
- Accounting: means of tracking, limiting or charging for the consumption of resources
- Audit: record operations performed by systems and associate actions with principals; find out what went wrong (the typical role of Intrusion Detection Systems)
OGSA Security
- Built upon WS-Security

OGSA Security Roadmap: specifications (1)
- Naming: OGSA Identity Specification; OGSA Target/Action Naming Specification; OGSA Attribute and Group Naming Specification; Transient Service Identity Acquisition Specification
- Translating between security realms: Identity Mapping Service Specification; Generic Name Mapping Specification; Policy Mapping Service Specification; Credential Mapping Service Specification
- Authentication mechanism agnostic: Certificate Validation Service Specification; OGSA-Kerberos Services Specifications
- Pluggable session security: GSSAPI-SecureConversation Specification

OGSA Security Roadmap: specifications (2)
- Pluggable authorization service: OGSA-Authorization Service Specification
- Authorization policy management: Coarse-grained Authorization Policy Management Specification; Fine-grained Authorization Policy Management Specifications
- Trust policy management: OGSA Trust Service Specification
- Privacy policy management: Privacy Policy Framework Specification
- VO policy management: VO Policy Service Specification
- Delegation: Identity Assertion Profile Specification; Capability Assertion Profile Specification

OGSA Security Roadmap: specifications (3)
- Firewall "friendly": OGSA Firewall Interoperability Specification
- Security policy expression and exchange: Grid Service Reference and Service Data Security Policy Decoration Specification
- Secure service operation: Secure Service's Policy and Processing Specification; Service Data Access Control Specification
- Audit and secure logging: OGSA Audit Service Specification; OGSA Audit Policy Management Specification

Trust establishment process (1)
1. Binding an entity identity to a Distinguished Name (DN, the subject name in an X.509 identity certificate). Trust in this step is accomplished through the (published and audited) policy-based identity verification procedures of the Certification Authority that issues the identity certificates.
2. Binding a public key to the DN (generating an X.509 certificate). Trust in this step is accomplished through the (published and audited) policy-based operational procedures of the issuing Certification Authority (CA).
3. Assurance that the public key that is presented actually represents the user. Trust in this step comes from the cryptography and protocols of the Public Key Infrastructure.
4. Assurance that a message tied to the entity DN could only have originated with that entity. Trust that a message signed by a private key could only have been signed by the private key corresponding to the public key (and therefore the named entity, via X.509 certificates) comes from public key cryptography. Trust in this step is also through user key management (the mechanism by which the user limits the use of its identity), which is assured by user education, care in dealing with one's cyber environment, and a shared understanding of the significance of the private key.

Trust establishment process (2)
5. Mutual authentication, whereby the two ends of a communication channel agree on each other's identity. Trust in this step is through the cryptographic techniques and protocols of the Transport Layer Security (TLS) standard.
6. Delegation of identity to remote Grid systems. Trust in this step is through the cryptographic techniques and protocols for generating, managing, and using proxy certificates that are directly derived from the CA-issued identity certificates.
Remote Authentication, Delegation, and Secure Communication in Grids
- Remote authentication is accomplished by techniques that verify a cryptographic identity in a way that establishes trust in an unbroken chain from the relying party back to a named human, system, or service identity. This is accomplished in a sequence of trusted steps, each of which is essential in order to get from accepting a remote user on a Grid resource back to a named entity.
- Delegation involves generating and sending a proxy certificate and its private key to a remote Grid system so that the remote system may act on behalf of the user. This is the essence of the single sign-on provided by the Grid: a user/entity proves its identity once, and then delegates its authority to remote systems for subsequent processing steps.
- A secure communication channel is derived from the Public Key Infrastructure process and the IETF Transport Layer Security protocol.

Globus Grid Security Infrastructure (GSI)
- Operational solution providing the security infrastructure for the Globus Toolkit
- Targeted problems: thousands of users, thousands of certificates, many CAs (with different policies); Grid-wide user groups and roles are needed; no Grid-wide logging or auditing; need for anonymous users
- Intended to evolve into OGSA Security
- GSI components: Proxy Certificate Profile (provides proxy credentials to allow for single sign-on and to provide delegated credentials for use by agents and servers); Online Credential Retrieval to create and manage proxy certificates; impersonation certificate and restricted delegation certificate
Proxy Certificate Profile
- Impersonation: used for single sign-on and delegation; unrestricted impersonation; restricted impersonation defined by policy
- Proxy with unique name: allows use in conjunction with an Attribute Certificate; used when the proxy identity is referenced by a 3rd party, or interacts with VO policy
- Proxy Certificate (PC) properties:
  - It is signed by either an X.509 End Entity Certificate (EEC), or by another PC. This EEC or PC is referred to as the Proxy Issuer (PI).
  - It can sign only another PC. It cannot sign an EEC.
  - It has its own public and private key pair, distinct from any other EEC or PC.
  - It has an identity derived from the identity of the EEC that signed the PC. Although its identity is derived from the EEC's identity, it is also unique.
  - It contains a new X.509 extension to identify it as a PC and to place policies on the use of the PC. This new extension, along with other X.509 fields and extensions, is used to enable proper path validation and use of the PC.

Other Technologies to look at for IIDS
- SIP (Session Initiation Protocol) based technologies
- Instant Messaging and Presence Protocol: SIP based

XML Web Services technologies for IIDS
- Discussion
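The Proxy Certificate properties listed above can be turned into a chain check. The following is an added example, not code from the slides, from Globus or from any GSI implementation: it models certificates as plain records and checks only the structural rules (who may sign whom, presence of the proxy extension, subject name derived from the issuer's name). The rule that a proxy subject is the issuer's subject plus exactly one extra CN component is taken from RFC 3820; the DN string format, the names and the `Cert` record are constructed for the illustration. Cryptographic signature verification of each link is assumed to be done by an X.509 library before these checks run.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cert:
    """Constructed record: just the fields the profile rules talk about."""
    subject: str            # DN written as "/O=VU/CN=alice" (constructed format)
    issuer: str             # DN of the certificate that signed this one
    kind: str               # "EEC" (end entity) or "PC" (proxy); CAs sit above the EEC
    proxy_ext: bool = False  # the X.509 extension that marks a certificate as a PC


def derived_name(subject: str, issuer: str) -> bool:
    """RFC 3820 naming rule (assumption, see lead-in): the proxy subject is the
    issuer's subject with exactly one additional CN component appended."""
    if not subject.startswith(issuer + "/"):
        return False
    extra = subject[len(issuer) + 1:]
    return extra.startswith("CN=") and "/" not in extra


def validate_chain(chain: List[Cert]) -> Optional[str]:
    """chain is ordered EEC first, each later certificate signed by the one before it.
    Returns None when every link obeys the profile, otherwise the rule that failed."""
    if not chain:
        return "empty chain"
    if chain[0].kind != "EEC":
        return f"{chain[0].subject}: chain must start with an End Entity Certificate"
    for issuer, cert in zip(chain, chain[1:]):
        # An EEC or a PC may sign only another PC; in particular a PC can never sign an EEC
        if cert.kind != "PC":
            return f"{cert.subject}: an EEC or PC may sign only another PC"
        if cert.issuer != issuer.subject:
            return f"{cert.subject}: issuer does not match the previous certificate"
        if not cert.proxy_ext:
            return f"{cert.subject}: missing the proxy certificate extension"
        if not derived_name(cert.subject, issuer.subject):
            return f"{cert.subject}: subject is not derived from the issuer's identity"
    return None


def demo():
    """Constructed chains: one valid, three that each break a different rule."""
    eec = Cert("/O=VU/CN=alice", "/O=VU/CN=IIDS CA", "EEC")
    pc1 = Cert("/O=VU/CN=alice/CN=proxy", eec.subject, "PC", proxy_ext=True)
    # In practice the extra CN carries a unique value (e.g. a serial number)
    pc2 = Cert("/O=VU/CN=alice/CN=proxy/CN=proxy", pc1.subject, "PC", proxy_ext=True)
    good = validate_chain([eec, pc1, pc2])
    eec_under_pc = validate_chain([eec, pc1, Cert("/O=VU/CN=bob", pc1.subject, "EEC")])
    foreign_name = validate_chain([eec, Cert("/O=VU/CN=mallory", eec.subject, "PC", proxy_ext=True)])
    no_ext = validate_chain([eec, Cert("/O=VU/CN=alice/CN=proxy", eec.subject, "PC")])
    return good, eec_under_pc, foreign_name, no_ext


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The naming rule is what ties the delegated identity back to the EEC: a relying party that only checked the signature chain would accept a "proxy" carrying an arbitrary subject, which is exactly what the restricted-impersonation policies on the slide are meant to prevent.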
Figure labels from the slides "Web Services Security Model", "Web Services Security Architecture" and "WS-Security SOAP message structure":

Security token types: Username/password, X.509 PKC, SAML, XrML, XCBF

Web Services Security architecture: SOAP Foundation, WS-Security, WS-Policy, WS-Trust, WS-Privacy, WS-SecureConversation, WS-Federation, WS-Authorisation

WS-Security SOAP message structure:
- SOAP Header: SOAP Routing; Security token; Digital signature (signature description: normalisation, transformation, signed elements; signature value; reference to the signing security token)
- SOAP Message payload
- Security element: a header block targets a specific receiver (SOAP Actor); multiple header blocks are allowed, targeted at different Actors; new header blocks are added/appended to the existing ones
?0???@??޽h?? ?? ??????????f????????? ? ????h?0?( ? ?h?x ?h c ?$?xx?????x8????  ? ? ??x ?h c ?$?4y?????Sg??? ? ? ??H ?h ? ?0???@??޽h?? ?? ??????????f????????? ? ????l?0?( ? ?l?x ?l c ?$?p??????x8????  ? ? ??x ?l c ?$???????Sg??? ? ? ??H ?l ? ?0???@??޽h?? ?? ??????????f????????? ? ????p?0?( ? ?p?x ?p c ?$?D??????x8????  ? ? ??x ?p c ?$???????Sg??? ? ? ??H ?p ? ?0???@??޽h?? ?? ??????????f????????? ? ????t?0?( ? ?t?x ?t c ?$?H??????x8????  ? ? ??x ?t c ?$???????Sg??? ? ? ??H ?t ? ?0???@??޽h?? ?? ??????????f????????? ? ????x?0?( ? ?x?x ?x c ?$?|??????x8????  ? ? ??x ?x c ?$?8??????Sg??? ? ? ??H ?x ? ?0???@??޽h?? ?? ??????????f????????? ? j?b??????( ? ???r ?? S ??4?????x8????  ? ? ??r ?? S ??????eg??? ? ? ???? ?? C ???A??D:\My Documents\demch_html\grid\archive\ogsa-sec\ogas-sec-layering.jpg??????H ?? ? ?0???@??޽h?? ?? ??????????f????????? ? ????VQ?0?( ? ?P?x ?P c ?$??C?????x8????  ? ? ??x ?P c ?$?tD?????Sg??? ? ? ??H ?P ? ?0???@??޽h?? ?? ??????????f????????? ? ???T?0?( ? ?T?x ?T c ?$??G?????x8????  ? ? ??x ?T c ?$?DP?????Sg??? ? ? ??H ?T ? ?0???@??޽h?? ?? ??????????f????????? ? ???X?0?( ? ?X?x ?X c ?$??T?????x8????  ? ? ??x ?X c ?$?tU?????Sg??? ? ? ??H ?X ? ?0???@??޽h?? ?? ??????????f????????? ? ????L?0?( ? ?L?x ?L c ?$?8,?o?R?$/EP~ m???2?!???????$??b?$?g?|?I>?\?r? K? ???b?$???gC6?n5?dh??,???O???b?$??掑?-?f?u`?0??(?$?b?$N??ԆAa??1`m???:M?S ?~??????????1???????????0? ??????n?@???????8???????g??4MdMdd? 0h?????????p?pp?0 ? <?4BdBd???@ 0$???u?ʚ;2N??ʚ;<?4!d!d???= 0??<?4dddd???= 0???F?>?___PPT9? /? 0?z????-?ZMarch 27, 2003. Vrije Universiteit, Amsterdam ?2XML Web Services SecurityO? 
XML Web Services Security
March 27, 2003, IIDS Group, Vrije Universiteit
Yuri Demchenko, NLnet Labs

Outline
- Historical
- XML Security
- Web Services Security
- OGSA Security
- XML Web Services technology for IIDS - discussion

Historical: how all this started (quoting Tim Berners-Lee)
- Initial idea: create a resource description language
- Existing technologies: SGML + WAIS, Gopher + library catalogues
- Problems: hyperlink referencing and the binding of semantic meaning
- Past steps: WWW and HTML; RDF and metadata; XML and XML Signature
- Next step: Semantic Web
- Ongoing development: Computer Grids -> Information Grids -> Semantic Grids

XML Basics: DTD, Schema, XML Protocol, etc.
- DTD is document-oriented (like HTML); Schema is data-oriented
- XML Signature
- SAML
- Basic XML protocol(s): XML-RPC, SOAP
- XForms, XLink, XML Query, XPath, XPointer, XSL and XSLT, Legal XML

XML Security vs Traditional (Network) Security
- Traditional security:
  - host-to-host or point-to-point security
  - client/server oriented
  - connection- or connectionless-oriented
  - generically a single, common trust domain (security association)
- XML security:
  - document-oriented approach
  - security tokens/assertions and policies can be associated with the document or with its parts
  - intended to be cross-domain
  - potentially for virtual and dynamic trust domains (security associations)

XML Security - Components
- XML Signature
- XML Encryption
- Security assertions: SAML (Security Assertion Markup Language)
- XrML (XML Rights Markup Language)
- XACML (XML Access Control Markup Language)
- XKMS (XML Key Management Specification)

XML Signature: Features
- Fundamental feature: the ability to sign only specific portions of the XML tree rather than the whole document
- An XML document may have a long history, with different components authored by different parties at different times
- Different parties may want to sign only those elements relevant to them
- Important when the integrity of certain parts of an XML document must be preserved while other parts remain changeable
- Allows carrying security tokens/assertions on the document/data rather than on the user/client
- Provides security features for XML-based protocols
- Provides basic functionality for state assertions

XML Signature structure
[Slide showing the Signature element outline; the element names did not survive extraction, only the occurrence indicators ( )? ( )+ ( )? ( )* remain]

XML Web Services
- A Web Service is a software system identified by a URI, whose public interfaces and bindings are defined and described by XML. Other software systems may discover and interact with the Web Service in a manner prescribed by its definition, using XML-based messages conveyed by Internet protocols.
- Service-oriented architecture for application-to-application interaction
- Describing Web services: WSDL
- Exchanging messages: SOAP (and its extensions)
- Publishing and discovering WS descriptions: UDDI
- Programming language-, programming model- and system software-neutral
- Standards-based: XML/SOAP foundation
- Industry initiatives (and development platforms):
  - Sun SunONE/J2EE (SunONE Studio)
  - Microsoft .NET (Visual Studio .NET)
  - IBM Dynamic e-Business (AlphaWorks)
  - XML Spy by Altova

XML WS - Service-Oriented Architecture
- WSDL-based service description
- SOAP-based messaging over HTTP, SMTP, TCP, etc.
- UDDI-based publishing/discovery

Web services features - three stacks
[Figure slide]

Web Service Description Language (WSDL)
- WSDL is an XML document format for describing a Web service as a set of endpoints operating on messages containing either document-oriented or procedure-oriented (RPC) information.
- The operations and messages are described abstractly and then bound to a concrete network protocol and message format to define an endpoint.

WSDL Example - TimeService.wsdl
- http://www.Nanonull.com/TimeService/
- http://www.Nanonull.com/TimeService/#message(getUTCTimeSoapIn)

Web Services Security Model
- The WS-Security model provides end-to-end security (as opposed to point-to-point security) and allows intermediaries
- A Web service can require that an incoming message prove a set of claims (e.g. name, key, permission, capability). The set of required claims and related information is referred to as a policy.
- A requester can send messages with proof of the required claims by associating security tokens with the messages. Messages both demand a specific action and prove that their sender has the claim to demand that action.
- When a requester does not have the required claims, the requester, or someone on its behalf, can try to obtain the necessary claims by contacting other Web services.
- Security token services broker trust between different trust domains by issuing security tokens.

Web Services Security Model
[Figure slide: ws-security-model.gif]

WS Security Scenarios
- All are built on SOAP-based security token exchange
- Direct trust using username/password (over SSL/TLS)
- Direct trust using a security token
- Security token acquisition
- Issued security token
- Enforcing business policy
- Web clients
- Mobile clients (gateway services)
- Enabling federations: using trust chaining, security token exchange, credentials exchange
- Supporting delegation
- Access control
- Auditing

Web Services Security Architecture
- WS-Security describes how to attach signature and encryption headers to SOAP messages. In addition, it describes how to attach security tokens, including binary security tokens such as X.509 certificates, SAML assertions, Kerberos tickets and others, to messages.
- Core specification: Web Services Security: SOAP Message Security
  http://www.oasis-open.org/committees/download.php/1043/WSS-SOAPMessageSecurity-11-0303.pdf

Web Service Security - other specifications
- WS-Policy: will describe the capabilities and constraints of the security (and other business) policies on intermediaries and endpoints (e.g. required security tokens, supported encryption algorithms, privacy rules)
- WS-Trust: will describe a framework for trust models that enables Web services to interoperate securely
- WS-Privacy: will describe a model for how Web services and requesters state privacy preferences and organizational privacy practice statements
- WS-SecureConversation: will describe how to manage and authenticate message exchanges between parties, including security context exchange and establishing and deriving session keys
- WS-Federation: will describe how to manage and broker trust relationships in a heterogeneous federated environment, including support for federated identities
- WS-Authorization: will describe how to manage authorization data and authorization policies

WS Security: SOAP Message Security
- SOAP Message Security must support a wide variety of security models. Key driving requirements for the specification:
  - multiple security tokens for authentication or authorization
  - multiple trust domains
  - multiple encryption technologies
  - end-to-end message-level security, not just transport-level security
- Primary security concerns:
  - protection against interception (confidentiality): XML Encryption
  - protection against illegal modification (integrity): XML Signature
- Security considerations - auditing:
  - timestamping and message expiration
  - sequence numbers and message correlation

SOAP Message Security Model
- Describes an abstract message security model in terms of security tokens combined with digital signatures as proof of possession of the security token (key)
- A security token asserts claims; signatures provide the mechanism for proving the sender's knowledge of the key
- A claim can be either endorsed or unendorsed by a trusted authority:
  - An X.509 certificate, claiming the binding between an identity and a public key, is an example of an endorsed (signed) security token
  - An unendorsed claim can be trusted if there is a trust relationship between the sender and the receiver (usually based on historical relations or communication context)
  - Proof-of-possession (e.g. username/password) is a special type of unendorsed claim

WS-Security SOAP message structure
- URI: http://schemas.xmlsoap.org/ws/2002/04/secext
- Namespaces used in WS-Security:
  - SOAP: S, http://www.w3.org/2001/12/soap-envelope
  - XML Digital Signature: ds, http://www.w3.org/2000/09/xmldsig#
  - XML Encryption: xenc, http://www.w3.org/2001/04/xmlenc#
  - XML/SOAP Routing: m, http://schemas.xmlsoap.org/rp
  - WS-Security: wsse, http://schemas.xmlsoap.org/ws/2002/04/secext

SecurityTokenReference Model
- Usage and processing models for the <wsse:SecurityTokenReference> element:
  - Local reference: a security token that is included in the message in the <wsse:Security> header is associated with an XML Signature
  - Remote reference: a security token that is not included in the message but may be available at a specific URI is associated with an XML Signature
  - Key Identifier: a security token associated with an XML Signature is identified using a known value that is the result of a well-known function of the security token (defined by the token format or profile)
  - Key Name: a security token associated with an XML Signature is identified using a known value that represents a "name" assertion within the security token (defined by the token format or profile)
  - Format-specific references: a security token associated with an XML Signature is identified using a mechanism specific to the token
  - Non-signature references: a message may contain XML that does not represent an XML Signature but still references a security token (which may or may not be included in the message)

Computer Grids
- Originated from distributed supercomputing
- To become a "pluggable" computing resource
- Computer Grids -> Information Grids -> Semantic Grids
- Current de-facto standard: Globus Toolkit
- The Open Grid Services Architecture was boosted by the development of XML Web Services (2002)
- Commercial Grids are starting

Open Grid Services Architecture (OGSA)
- WSDL extensions to describe the specifics of Grid services
- Defines a new portType: GridService
- Provides a mechanism to create Virtual Organisations
- Provides a mechanism to create transient services: Factories
- Provides soft-state registration of GSHs: Registry
- Grid services can maintain internal state for the lifetime of the service. The existence of state distinguishes one instance of a service from another that provides the same interface.
- OGSA services can be created and destroyed dynamically
- A Grid service is assigned a globally unique, persistent name: the Grid Service Handle (GSH)
- Grid services may be upgraded during their lifetime and are referenced by a (dynamic) Grid Service Reference (GSR)

Security Issues in Grid Computing - Specifics
- General issues:
  - traditional systems are user/client/host-centric
  - Grid computing is data-centric
- Traditional systems:
  - protect the system from its users
  - protect the data of one user from compromise
- In Grid systems:
  - protect applications and data from the system where the computation executes
  - stronger, mutual authentication needed (for users and for code)
  - ensure that resources and data are not provided by an attacker
  - protect local execution from remote systems
  - different administrative domains and security policies
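The message layout on the WS-Security SOAP message structure slide (one header block per SOAP actor, a digital signature, a reference to the signing token, the payload) and the selective signing on the XML Signature slides, worked through as an added example; the code is mine, not from the deck or from any WS-Security implementation. The sender builds one <wsse:Security> block for a routing intermediary that signs only the routing header and one for the ultimate receiver that signs only the Body; each receiver selects its own block, resolves the key through a SecurityTokenReference in the Key Identifier style and checks the signature. Assumptions beyond the slides: HMAC-SHA256 with pre-shared keys replaces RSA over an X.509 token (HMAC-SHA256 is a defined xmldsig SignatureMethod, but production WS-Security uses asymmetric keys), the Key Identifier is SHA-256 of the shared key, the canonicalization is a deliberately simplified serializer rather than Canonical XML, the Id attribute is unqualified, and the actor URI, routing header and keys are constructed.

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Namespace URIs from the "WS-Security SOAP message structure" slide
S, DS = "http://www.w3.org/2001/12/soap-envelope", "http://www.w3.org/2000/09/xmldsig#"
WSSE, M = "http://schemas.xmlsoap.org/ws/2002/04/secext", "http://schemas.xmlsoap.org/rp"
for prefix, uri in (("S", S), ("ds", DS), ("wsse", WSSE), ("m", M)):
    ET.register_namespace(prefix, uri)
# HMAC-SHA256 is a defined xmldsig SignatureMethod (RFC 4051); it stands in for RSA over an
# X.509 token so that the example needs only the standard library.
HMAC_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
ROUTER = "http://router.example/actor"                                     # constructed actor URI
KEYS = {"router": b"router-shared-key", "service": b"service-shared-key"}  # constructed keys
QUOTE = {'"': "&quot;"}

def q(ns, local):
    return f"{{{ns}}}{local}"

def key_identifier(key):
    # "Key Identifier" reference model: a well-known function of the token (here SHA-256 of the key)
    return base64.b64encode(hashlib.sha256(key).digest()).decode()

KEYSTORE = {key_identifier(k): k for k in KEYS.values()}  # receiver-side key lookup

def c14n(el):
    """Simplified canonical form (sorted attributes, escaped text). NOT Canonical XML:
    production code must apply C14N / Exclusive C14N before digesting."""
    attrs = "".join(f' {k}="{escape(v, QUOTE)}"' for k, v in sorted(el.attrib.items()))
    inner = escape(el.text or "") + "".join(c14n(c) + escape(c.tail or "") for c in el)
    return f"<{el.tag}{attrs}>{inner}</{el.tag}>"

def digest(el):
    return base64.b64encode(hashlib.sha256(c14n(el).encode()).digest()).decode()

def find_by_id(root, uri):
    """Resolve a same-document Reference URI="#x" to the element carrying Id="x"."""
    for el in root.iter():
        if el.get("Id") == uri.lstrip("#"):
            return el
    raise KeyError(uri)

def security_header(root, actor, ids, key):
    """One <wsse:Security> block for one SOAP actor, signing only the elements listed in ids."""
    sec = ET.Element(q(WSSE, "Security"), {q(S, "mustUnderstand"): "1"})
    if actor:                       # no actor attribute = block for the ultimate receiver
        sec.set(q(S, "actor"), actor)
    sig = ET.SubElement(sec, q(DS, "Signature"))
    si = ET.SubElement(sig, q(DS, "SignedInfo"))
    ET.SubElement(si, q(DS, "SignatureMethod"), {"Algorithm": HMAC_SHA256})
    for i in ids:
        ref = ET.SubElement(si, q(DS, "Reference"), {"URI": "#" + i})
        ET.SubElement(ref, q(DS, "DigestMethod"), {"Algorithm": SHA256})
        ET.SubElement(ref, q(DS, "DigestValue")).text = digest(find_by_id(root, i))
    mac = hmac.new(key, c14n(si).encode(), hashlib.sha256).digest()
    ET.SubElement(sig, q(DS, "SignatureValue")).text = base64.b64encode(mac).decode()
    ref = ET.SubElement(ET.SubElement(sig, q(DS, "KeyInfo")), q(WSSE, "SecurityTokenReference"))
    ET.SubElement(ref, q(WSSE, "KeyIdentifier")).text = key_identifier(key)
    return sec

def build_signed_envelope():
    """Sender: routing header signed for the router, Body signed for the ultimate receiver."""
    env = ET.Element(q(S, "Envelope"))
    hdr = ET.SubElement(env, q(S, "Header"))
    path = ET.SubElement(hdr, q(M, "path"), {"Id": "route"})  # routing header, loosely after WS-Routing
    ET.SubElement(path, q(M, "to")).text = "http://www.Nanonull.com/TimeService/"
    body = ET.SubElement(env, q(S, "Body"), {"Id": "body"})
    ET.SubElement(body, "{http://www.Nanonull.com/TimeService/}getUTCTime")
    hdr.append(security_header(env, ROUTER, ["route"], KEYS["router"]))
    hdr.append(security_header(env, None, ["body"], KEYS["service"]))
    return ET.tostring(env, encoding="unicode")

def verify_for_actor(envelope_xml, actor):
    """Receiver: select the block targeted at actor (None = ultimate receiver), resolve the key via
    the SecurityTokenReference, check the MAC over SignedInfo, then every referenced digest."""
    root = ET.fromstring(envelope_xml)
    blocks = [b for b in root.findall(f"{q(S, 'Header')}/{q(WSSE, 'Security')}")
              if b.get(q(S, "actor")) == actor]
    if len(blocks) != 1:
        return False
    sig = blocks[0].find(q(DS, "Signature"))
    si = sig.find(q(DS, "SignedInfo")) if sig is not None else None
    if si is None or si.find(q(DS, "SignatureMethod")).get("Algorithm") != HMAC_SHA256:
        return False                # never let the message pick an unexpected algorithm
    kid = sig.findtext(f"{q(DS, 'KeyInfo')}/{q(WSSE, 'SecurityTokenReference')}/{q(WSSE, 'KeyIdentifier')}")
    key = KEYSTORE.get(kid)
    if key is None:
        return False
    mac = hmac.new(key, c14n(si).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, base64.b64decode(sig.findtext(q(DS, "SignatureValue")))):
        return False
    try:
        return all(hmac.compare_digest(r.findtext(q(DS, "DigestValue")).encode(),
                                       digest(find_by_id(root, r.get("URI"))).encode())
                   for r in si.findall(q(DS, "Reference")))
    except (KeyError, AttributeError):  # Reference to an element that is missing or malformed
        return False

def set_text(envelope_xml, path, text):
    """Tamper helper: change one element's text and re-serialise the envelope."""
    root = ET.fromstring(envelope_xml)
    root.find(path).text = text
    return ET.tostring(root, encoding="unicode")
```

Changing the Body invalidates only the ultimate receiver's block, and changing the routing header only the router's block, which is the partial-signing property the XML Signature slide describes; the two blocks coexist because each carries a different S:actor. What this check does not cover is replay: a captured envelope verifies again unchanged, which is why the SOAP Message Security slide lists timestamping, message expiration and sequence numbers alongside signature and encryption.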
Security Issues in Grid Computing - Components
- Authentication: password-based; Kerberos-based (authentication and key distribution protocol); SSL authentication; PKI/certificate-based
- Authorisation
- Integrity and confidentiality: cryptography
- Assurance
- Accounting
- Audit

Authentication
- Traditional systems: authenticate the user/client to protect the system
- Grid systems:
  - mutual authentication required
  - ensure that resources and data are not provided by an attacker
  - delegation of identity: the process that grants one principal the authority to act as another individual, i.e. to assume another's identity to perform certain functions. E.g. in Globus: the gridmap file on a particular resource maps the authenticated user onto another's account, with the corresponding privileges
  - data origin authentication

Authorisation
- Traditional systems: determine whether a particular operation is allowed based on the authenticated identity of the requester and local information
- Grid systems:
  - determine whether access to a resource/operation is allowed
  - access control lists associated with resources, principals or authorised programs
  - distributed authorisation: distributed maintenance of authorisation information
    - one approach: embed attributes in certificates. Restricted proxy: an authorisation certificate that grants authority to perform an operation on behalf of the grantor
    - alternative: a separate authorisation server

Assurance, Accounting, Audit
- Assurance: when a service is requested, assure that the candidate service provider meets the requirements
- Accounting: means of tracking, limiting or charging for the consumption of resources
- Audit: record the operations performed by systems and associate actions with principals; find out what went wrong (the typical role of Intrusion Detection Systems)
OGSA Security
- Built upon WS-Security

OGSA Security Roadmap - Specifications (1)
- Naming: OGSA Identity Specification; OGSA Target/Action Naming Specification; OGSA Attribute and Group Naming Specification; Transient Service Identity Acquisition Specification
- Translating between security realms: Identity Mapping Service Specification; Generic Name Mapping Specification; Policy Mapping Service Specification; Credential Mapping Service Specification
- Authentication mechanism agnostic: Certificate Validation Service Specification; OGSA-Kerberos Services Specifications
- Pluggable session security: GSSAPI-SecureConversation Specification

OGSA Security Roadmap - Specifications (2)
- Pluggable authorization service: OGSA-Authorization Service Specification
- Authorization policy management: Coarse-grained Authorization Policy Management Specification; Fine-grained Authorization Policy Management Specifications
- Trust policy management: OGSA Trust Service Specification
- Privacy policy management: Privacy Policy Framework Specification
- VO policy management: VO Policy Service Specification
- Delegation: Identity Assertion Profile Specification; Capability Assertion Profile Specification

OGSA Security Roadmap - Specifications (3)
- Firewall "friendly": OGSA Firewall Interoperability Specification
- Security policy expression and exchange: Grid Service Reference and Service Data Security Policy Decoration Specification
- Secure service operation: Secure Service's Policy and Processing Specification; Service Data Access Control Specification
- Audit and secure logging: OGSA Audit Service Specification; OGSA Audit Policy Management Specification

Trust establishment process (1)
1. Binding an entity's identity to a Distinguished Name (DN, the subject name in an X.509 identity certificate). Trust in this step is accomplished through the (published and audited) policy-based identity verification procedures of the Certification Authority that issues the identity certificates.
2. Binding a public key to the DN (generating an X.509 certificate). Trust in this step is accomplished through the (published and audited) policy-based operational procedures of the issuing Certification Authority (CA).
3. Assurance that the public key that is presented actually represents the user. Trust in this step comes from the cryptography and protocols of the Public Key Infrastructure.
4. Assurance that a message tied to the entity's DN could only have originated with that entity. Trust that a message signed by a private key could only have been signed with the private key corresponding to the public key (and therefore by the named entity, via the X.509 certificate) comes from public key cryptography. Trust in this step also rests on user key management (the mechanism by which the user limits the use of its identity), which is assured by user education, care in dealing with one's cyber environment, and a shared understanding of the significance of the private key.

Trust establishment process (2)
5. Mutual authentication, whereby the two ends of a communication channel agree on each other's identity. Trust in this step is through the cryptographic techniques and protocols of the Transport Layer Security (TLS) standard.
6. Delegation of identity to remote Grid systems. Trust in this step is through the cryptographic techniques and protocols for generating, managing and using proxy certificates that are directly derived from the CA-issued identity certificates.
Remote Authentication, Delegation and Secure Communication in Grids
- Remote authentication is accomplished by techniques that verify a cryptographic identity in a way that establishes trust in an unbroken chain from the relying party back to a named human, system or service identity. This is accomplished in a sequence of trusted steps, each of which is essential in order to get from accepting a remote user on a Grid resource back to a named entity.
- Delegation involves issuing a proxy certificate to a remote Grid system so that the remote system may act on behalf of the user. In the GSI delegation protocol the remote system generates the proxy key pair and the user signs its certificate request, so the proxy's private key does not have to be transmitted. This is the essence of the single sign-on provided by the Grid: a user/entity proves its identity once and then delegates its authority to remote systems for subsequent processing steps.
- A secure communication channel is derived from the Public Key Infrastructure process and the IETF Transport Layer Security protocol.

Globus Grid Security Infrastructure (GSI)
- Operational solution providing the security infrastructure for the Globus Toolkit
- Targeted problems:
  - thousands of users, thousands of certificates, many CAs (with different policies)
  - Grid-wide user groups and roles are needed
  - no Grid-wide logging or auditing
  - need for anonymous users
- Intended to evolve into OGSA Security
- GSI components:
  - Proxy Certificate Profile: provides proxy credentials to allow single sign-on and delegated credentials for use by agents and servers
  - Online Credential Retrieval: to create and manage proxy certificates
  - Impersonation certificate and restricted delegation certificate
Proxy Certificate Profile
- Impersonation: used for single sign-on and delegation
  - unrestricted impersonation
  - restricted impersonation, defined by policy
- Proxy with a unique name: allows use in conjunction with attribute certificates; used when the proxy identity is referenced by a third party or interacts with VO policy
- Proxy Certificate (PC) properties:
  - It is signed by either an X.509 End Entity Certificate (EEC) or by another PC. This EEC or PC is referred to as the Proxy Issuer (PI).
  - It can sign only another PC. It cannot sign an EEC.
  - It has its own public and private key pair, distinct from any other EEC or PC.
  - It has an identity derived from the identity of the EEC that signed the PC. Although its identity is derived from the EEC's identity, it is also unique.
  - It contains a new X.509 extension to identify it as a PC and to place policies on the use of the PC. This new extension, along with other X.509 fields and extensions, is used to enable proper path validation and use of the PC.

Other Technologies to look at for IIDS
- SIP (Session Initiation Protocol) based technologies
- Instant Messaging and Presence Protocol: SIP based

XML Web Services technologies for IIDS
- Discussion
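The Proxy Certificate (PC) properties listed on the Proxy Certificate Profile slide, turned into the checks a relying party would run on a delegation chain; this is an added example, not code from the deck or from the Globus Toolkit. Certificates are modelled as plain records and the cryptographic signature check on each link is assumed to have been done already by ordinary X.509 path validation (steps 1-4 of the trust establishment process), so the block shows only the proxy-specific rules: the issuer is an EEC or another PC, a PC never certifies an EEC, each PC has its own key pair, the subject is derived from the issuer's name, and restricted-impersonation policies can only narrow the rights inherited from the EEC. The naming rule used (subject = issuer DN plus exactly one CN component) is the one RFC 3820 later standardised and is not stated on the slide; the DNs, rights and timestamps are constructed.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

class ProxyChainError(ValueError):
    """A chain violates one of the Proxy Certificate Profile rules."""

@dataclass(frozen=True)
class Cert:
    """Minimal model of the X.509 fields the proxy rules look at (real code parses DER)."""
    subject: str                 # DN in OpenSSL one-line form, e.g. "/O=Grid/CN=Yuri Demchenko"
    issuer: str
    public_key: str              # stand-in for SubjectPublicKeyInfo
    is_proxy: bool               # True when the ProxyCertInfo extension is present
    not_after: int               # expiry, epoch seconds
    policy: Optional[FrozenSet[str]] = None  # None = inherit issuer's rights; a set = restricted impersonation

def check_derived_name(issuer, subject):
    """Proxy subject = issuer DN plus exactly one extra CN component (the RFC 3820 uniqueness rule)."""
    prefix = issuer + "/CN="
    tail = subject[len(prefix):]
    if not subject.startswith(prefix) or not tail or "/" in tail:
        raise ProxyChainError(f"{subject!r} is not derived from {issuer!r}")

def validate_proxy_chain(chain, eec_rights, now):
    """chain[0] is the End Entity Certificate, already validated back to its CA by the normal X.509
    path; chain[1:] are proxies, each issued by the certificate before it.
    Returns the rights the holder of the last proxy may exercise."""
    eec = chain[0]
    if eec.is_proxy:
        raise ProxyChainError("chain must start with an EEC")
    rights, seen_keys, issuer = eec_rights, {eec.public_key}, eec
    for pc in chain[1:]:
        if not pc.is_proxy:           # an EEC or a PC may certify only a PC, never another EEC
            raise ProxyChainError(f"{pc.subject!r} is not a proxy certificate")
        if pc.issuer != issuer.subject:
            raise ProxyChainError(f"{pc.subject!r} was not issued by {issuer.subject!r}")
        check_derived_name(issuer.subject, pc.subject)
        if pc.public_key in seen_keys:  # each proxy must carry its own, distinct key pair
            raise ProxyChainError(f"{pc.subject!r} reuses a key from the chain")
        seen_keys.add(pc.public_key)
        if pc.not_after <= now:
            raise ProxyChainError(f"{pc.subject!r} has expired")
        if pc.policy is not None:     # restricted impersonation: rights can only shrink down the chain
            rights = rights & pc.policy
        issuer = pc
    return rights

def authorize(chain, eec_rights, now, operation):
    """Relying-party decision for one operation; any rule violation denies."""
    try:
        return operation in validate_proxy_chain(chain, eec_rights, now)
    except ProxyChainError:
        return False

# Constructed sample chain: EEC -> proxy restricted to job submission -> inheriting proxy
NOW = 1_048_759_200  # 2003-03-27T10:00:00Z, epoch seconds
EEC = Cert("/O=Grid/CN=Yuri Demchenko", "/O=Grid/CN=Grid CA", "key-eec", False, NOW + 86_400)
PC1 = Cert(EEC.subject + "/CN=proxy-1", EEC.subject, "key-pc1", True, NOW + 43_200,
           frozenset({"read", "submit-job"}))
PC2 = Cert(PC1.subject + "/CN=proxy-2", PC1.subject, "key-pc2", True, NOW + 3_600)
EEC_RIGHTS = frozenset({"read", "submit-job", "delete"})

if __name__ == "__main__":
    print(sorted(validate_proxy_chain([EEC, PC1, PC2], EEC_RIGHTS, NOW)))
```

Running the module prints ['read', 'submit-job']: PC2 asked for no restriction, but it cannot exceed what PC1 was restricted to, which is the property that makes restricted delegation safe to hand to a remote system. A chain in which a proxy has signed a non-proxy certificate, reused a key, or carries a subject not derived from its issuer is rejected outright.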
Format- Specific References  A security token is associated with an XML Signature and identified using a mechanism specific to the token Non-Signature References  A message may contain XML that does not represent an XML signature, but may reference a security token (which may or may not be included in the message). ??LZZLy?? ?n??>%X??????Computer Grids??NOriginated from Distributing Supercomputing To become  pluggable computing resource Computer Grids -> Information Grids -> Semantic Grids Current de-facto standard  Globus Toolkits Open Grid Services Architecture was boosted by developing XML Web Services  2002 Commercial Grids are starting?v,)6~,_~?????&Open Grid Services Architecture (OGSA)???WSDL extensions to describe specifics of Grid Services Defines new portType - GridService Provides mechanism to create Virtual Organisation Provides mechanism to create transient services - Factories Provides soft-state registration of GSH - Registry Grid services can maintain internal state for the lifetime of the service. The existence of state distinguishes one instance of a service from another that provides the same interface. OGSA services can be created and destroyed dynamically Grid Service is assigned globally (persistent) unique name, the Grid service handle (GSH) Grid services may be upgraded during their lifetime and referenced by Grid (dynamic) service reference (GSR) ?67??7???,C  _????-Security Issues in Grid computing - Specifics?..#? . ???General issues: Traditional systems are user/client/host centric Grid computing is data centric Traditional systems: Protect system from its users Protect data of one user from compromise In Grid systems: Protect applications and data from system where computation execute Stronger/mutual authentication needed (for users and code) Ensure that resources and data not provided by a attacker Protect local execution from remote systems Different admin domains/Security policies??PG;VPG ; V ? ? 
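Returning to the WS-Security slides above: the SecurityTokenReference usage models and the listed namespaces are enough to write a receiver-side header check. The following is an added example, not code from the presentation or from the WS-Security specification: it parses a constructed SOAP envelope, classifies each <wsse:SecurityTokenReference> as local, remote, key identifier or key name, reports whether a local reference actually resolves to a token inside <wsse:Security>, and checks that the signature's ds:Reference list covers S:Body (a reference that resolves to nothing protects nothing). The unqualified Id attribute, the placeholder token and signature values, and the Nanonull request body are assumptions made for the example; cryptographic verification of the signature is out of scope.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Namespace prefixes and URIs as listed on the "WS-Security SOAP message structure" slide.
NS = {
    "S": "http://www.w3.org/2001/12/soap-envelope",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "wsse": "http://schemas.xmlsoap.org/ws/2002/04/secext",
}

def tag(prefix: str, local: str) -> str:
    # ElementTree's {uri}local form of a prefixed element name
    return "{%s}%s" % (NS[prefix], local)

@dataclass
class TokenRef:
    kind: str       # "local", "remote", "key-identifier", "key-name" or "unknown"
    value: str      # Id fragment, URI, identifier value or key name
    resolved: bool  # True only for a local reference whose token is present in <wsse:Security>

def index_ids(scope: ET.Element) -> Dict[str, ET.Element]:
    """Map Id attribute values to elements (assumption: an unqualified Id attribute)."""
    return {el.get("Id"): el for el in scope.iter() if el.get("Id")}

def classify_str(str_el: ET.Element, security_ids: Dict[str, ET.Element]) -> TokenRef:
    """Apply the slide's usage models to one <wsse:SecurityTokenReference>."""
    for child in str_el:
        if child.tag == tag("wsse", "Reference"):
            uri = child.get("URI", "")
            if uri.startswith("#"):
                # Local Reference: the token has to be inside the <wsse:Security> header.
                return TokenRef("local", uri[1:], uri[1:] in security_ids)
            # Remote Reference: the token is not in the message but available at a URI.
            return TokenRef("remote", uri, False)
        if child.tag == tag("wsse", "KeyIdentifier"):
            # Key Identifier: a value computed from the token; needs a token store to resolve.
            return TokenRef("key-identifier", (child.text or "").strip(), False)
        if child.tag == tag("ds", "KeyName"):
            # Key Name: a "name" assertion carried within the token.
            return TokenRef("key-name", (child.text or "").strip(), False)
    return TokenRef("unknown", "", False)

def analyze_envelope(xml_text: str) -> Tuple[List[TokenRef], List[str], bool]:
    """Return (token references, Ids covered by signatures, whether S:Body is covered).
    Only reference resolution is checked; the signature value itself is not verified here."""
    root = ET.fromstring(xml_text)
    all_ids = index_ids(root)
    security = root.find("S:Header/wsse:Security", NS)
    if security is None:
        raise ValueError("message carries no <wsse:Security> header")
    security_ids = index_ids(security)
    refs: List[TokenRef] = []
    signed_ids: List[str] = []
    for sig in security.findall("ds:Signature", NS):
        for ref in sig.findall("ds:SignedInfo/ds:Reference", NS):
            # A ds:Reference whose URI does not resolve covers nothing in this message.
            uri = ref.get("URI", "")
            if uri.startswith("#") and uri[1:] in all_ids:
                signed_ids.append(uri[1:])
        for str_el in sig.findall("ds:KeyInfo/wsse:SecurityTokenReference", NS):
            refs.append(classify_str(str_el, security_ids))
    body = root.find("S:Body", NS)
    body_signed = body is not None and body.get("Id") in signed_ids
    return refs, signed_ids, body_signed

def accept_message(xml_text: str) -> bool:
    """Receiver policy for this example: the Body must be signed and every signing token
    must be a local reference that resolves (remote and key-identifier lookups are not attempted)."""
    refs, _, body_signed = analyze_envelope(xml_text)
    return body_signed and bool(refs) and all(r.kind == "local" and r.resolved for r in refs)

# Constructed sample message; the token and signature values are placeholders, not real data.
SAMPLE_ENVELOPE = """<S:Envelope xmlns:S="http://www.w3.org/2001/12/soap-envelope"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/04/secext">
  <S:Header>
    <wsse:Security>
      <wsse:BinarySecurityToken Id="X509Token" ValueType="wsse:X509v3"
          EncodingType="wsse:Base64Binary">PLACEHOLDER-BASE64-CERT</wsse:BinarySecurityToken>
      <ds:Signature>
        <ds:SignedInfo>
          <ds:Reference URI="#Body"/>
        </ds:SignedInfo>
        <ds:SignatureValue>PLACEHOLDER-SIGNATURE</ds:SignatureValue>
        <ds:KeyInfo>
          <wsse:SecurityTokenReference>
            <wsse:Reference URI="#X509Token"/>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </S:Header>
  <S:Body Id="Body">
    <getUTCTime xmlns="http://www.Nanonull.com/TimeService/"/>
  </S:Body>
</S:Envelope>"""
```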
Security Issues in Grid computing - Components
- Authentication
  - Password based
  - Kerberos based (authentication and key distribution protocol)
  - SSL authentication
  - PKI/certificate based
- Authorisation
- Integrity and confidentiality
  - Cryptography
- Assurance
- Accounting
- Audit

Authentication
- Traditional systems: authenticate the user/client to protect the system
- Grid systems:
  - Mutual authentication required
  - Ensure that resources and data are not provided by an attacker
- Delegation of Identity
  - Process that grants one principal the authority to act as another individual
  - Assume another's identity to perform certain functions
  - E.g., in Globus: use the gridmap file on a particular resource to map the authenticated user onto another's account, with the corresponding privileges
- Data origin authentication

Authorisation
- Traditional systems: determine whether a particular operation is allowed based on the authenticated identity of the requester and local information
- Grid systems: determine whether access to a resource/operation is allowed
  - Access control list associated with resources, principals or authorised programs
- Distributed Authorisation
  - Distributed maintenance of authorisation information
  - One approach: embed attributes in certificates
    - Restricted proxy: an authorisation certificate that grants authority to perform an operation on behalf of the grantor
  - Alternative: a separate authorisation server

Assurance, Accounting, Audit
- Assurance: when a service is requested, to assure that the candidate service provider meets the requirements
- Accounting: means of tracking, limiting or charging for the consumption of resources
- Audit: record operations performed by systems and associate actions with principals
  - Find out what went wrong: the typical role of Intrusion Detection Systems
OGSA Security
- Built upon WS Security

OGSA Security Roadmap - Specifications (1)
- Naming
  - OGSA Identity Specification
  - OGSA Target/Action Naming Specification
  - OGSA Attribute and Group Naming Specification
  - Transient Service Identity Acquisition Specification
- Translating between Security Realms
  - Identity Mapping Service Specification
  - Generic Name Mapping Specification
  - Policy Mapping Service Specification
  - Credential Mapping Service Specification
- Authentication Mechanism Agnostic
  - Certificate Validation Service Specification
  - OGSA-Kerberos Services Specifications
- Pluggable Session Security
  - GSSAPI-SecureConversation Specification

OGSA Security Roadmap - Specifications (2)
- Pluggable Authorization Service
  - OGSA-Authorization Service Specification
- Authorization Policy Management
  - Coarse-grained Authorization Policy Management Specification
  - Fine-grained Authorization Policy Management Specifications
- Trust Policy Management
  - OGSA Trust Service Specification
- Privacy Policy Management
  - Privacy Policy Framework Specification
- VO Policy Management
  - VO Policy Service Specification
- Delegation
  - Identity Assertion Profile Specification
  - Capability Assertion Profile Specification

OGSA Security Roadmap - Specifications (3)
- Firewall "Friendly"
  - OGSA Firewall Interoperability Specification
- Security Policy Expression and Exchange
  - Grid Service Reference and Service Data Security Policy Decoration Specification
- Secure Service Operation
  - Secure Service's Policy and Processing Specification
  - Service Data Access Control Specification
- Audit and Secure Logging
  - OGSA Audit Service Specification
  - OGSA Audit Policy Management Specification

Trust establishment process (1)
1. Binding an entity identity to a Distinguished Name (DN - the subject name in an X.509 identity certificate)
   - Trust in this step is accomplished through the (published and audited) policy-based identity verification procedures of the Certification Authority that issues the identity certificates.
2. Binding a public key to the DN (generating an X.509 certificate)
   - Trust in this step is accomplished through the (published and audited) policy-based operational procedures of the issuing Certification Authority (CA).
3. Assurance that the public key that is presented actually represents the user
   - Trust in this step comes from the cryptography and protocols of Public Key Infrastructure.
4. Assurance that a message tied to the entity DN could only have originated with that entity
   - Trust that a message signed by a private key could only have been signed by the private key corresponding to the public key (and therefore by the named entity, via X.509 certificates) comes from public key cryptography.
   - Trust in this step is also through user key management (the mechanism by which the user limits the use of its identity), which is assured by user education, care in dealing with one's cyber environment, and a shared understanding of the significance of the private key.

Trust establishment process (2)
5. Mutual authentication, whereby the two ends of a communication channel agree on each other's identity
   - Trust in this step is through the cryptographic techniques and protocols of the Transport Level Security (TLS) standard.
6. Delegation of identity to remote Grid systems
   - Trust in this step is through the cryptographic techniques and protocols for generating, managing, and using proxy certificates that are directly derived from the CA-issued identity certificates.
Remote Authentication, Delegation, and Secure Communication in GRID
- Remote authentication is accomplished by techniques that verify a cryptographic identity in a way that establishes trust in an unbroken chain from the relying party back to a named human, system, or service identity. This is accomplished in a sequence of trusted steps, each one of which is essential in order to get from accepting a remote user on a Grid resource back to a named entity.
- Delegation involves generating and sending a proxy certificate and its private key to a remote Grid system so that the remote system may act on behalf of the user. This is the essence of the single sign-on provided by the Grid: a user/entity proves its identity once, and then delegates its authority to remote systems for subsequent processing steps.
- A secure communication channel is derived from the Public Key Infrastructure process and the IETF Transport Level Security protocol.

Globus Grid Security Infrastructure (GSI)
- Operational solution providing the security infrastructure for the Globus Toolkit
- Targeted problems:
  - Thousands of users - thousands of certificates - many CAs (with different policies)
  - Grid-wide user groups and roles are needed
  - No grid-wide logging or auditing
  - Need for anonymous users
- Intended to evolve into OGSA Security
- GSI Components
  - Proxy Certificate Profile: provides proxy credentials to allow for single sign-on and to provide delegated credentials for use by agents and servers
  - Online Credential Retrieval to create and manage proxy certificates
  - Impersonation certificate and restricted delegation certificate
Proxy Certificate Profile
- Impersonation - used for Single Sign-On and Delegation
  - Unrestricted Impersonation
  - Restricted Impersonation defined by policy
- Proxy with Unique Name
  - Allows use in conjunction with an Attribute Certificate
  - Used when the proxy identity is referenced by a 3rd party, or interacts with VO policy
- Proxy Certificate (PC) properties:
  - It is signed by either an X.509 End Entity Certificate (EEC), or by another PC. This EEC or PC is referred to as the Proxy Issuer (PI).
  - It can sign only another PC. It cannot sign an EEC.
  - It has its own public and private key pair, distinct from any other EEC or PC.
  - It has an identity derived from the identity of the EEC that signed the PC. Although its identity is derived from the EEC's identity, it is also unique.
  - It contains a new X.509 extension to identify it as a PC and to place policies on the use of the PC. This new extension, along with other X.509 fields and extensions, is used to enable proper path validation and use of the PC.

Other Technologies to look for IIDS
- SIP (Session Initiation Protocol) based technologies
- Instant Messaging and Presence Protocol - SIP based

XML Web Services technologies for IIDS
- Discussion
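Step 6 of the trust establishment process, the gridmap mapping on the Authentication slide and the PC properties on the Proxy Certificate Profile slide together describe what a Grid resource has to check before it acts for a delegated identity. The following added example (neither Globus code nor the presentation's) models that check over constructed certificate records: it walks a chain [EEC, PC, PC, ...], enforces that each PC is signed by its Proxy Issuer, that a PC never signs an EEC, that every PC has its own key, that its name is derived from the issuer's, notes whether any PC carries a restricted-delegation policy, and then maps the EEC identity to a local account through a gridmap file. The record fields, the rule "subject DN = issuer DN plus exactly one extra CN component", and the gridmap entries are assumptions for the example; signature and validity-period verification are not modelled.

```python
import shlex
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for a parsed X.509 certificate (fields are assumptions for this example)."""
    subject: str                    # DN in OpenSSL one-line form, e.g. "/O=Grid/CN=Example User"
    issuer: str                     # DN of the certificate that signed this one
    key_id: str                     # identifier of the public key; each EEC/PC has its own key pair
    is_proxy: bool = False          # True when the PC extension is present
    policy: str = "impersonation"   # "impersonation" (unrestricted) or "limited" (restricted delegation)
    is_ca: bool = False             # basicConstraints CA flag


def is_derived_name(issuer_dn: str, subject_dn: str) -> bool:
    """Assumed reading of 'derived from the EEC identity, yet unique': subject = issuer DN + one CN."""
    prefix = issuer_dn + "/CN="
    return subject_dn.startswith(prefix) and "/" not in subject_dn[len(prefix):]


def validate_proxy_chain(chain: List[Cert]) -> Tuple[str, bool]:
    """Check [EEC, PC1, PC2, ...] against the PC properties listed on the slide.

    Returns (EEC subject DN, restricted); restricted is True when any PC in the chain
    carries a limited-delegation policy. Raises ValueError naming the violated rule.
    The EEC is assumed to have been validated to a trusted CA beforehand.
    """
    if not chain:
        raise ValueError("empty certificate chain")
    eec = chain[0]
    if eec.is_proxy or eec.is_ca:
        raise ValueError("chain must start with an End Entity Certificate")
    restricted = False
    seen_keys = {eec.key_id}
    for pi, pc in zip(chain, chain[1:]):  # pi = Proxy Issuer (the EEC or the previous PC)
        if not pc.is_proxy:
            raise ValueError(f"{pc.subject}: a PC can sign only another PC, never an EEC")
        if pc.is_ca:
            raise ValueError(f"{pc.subject}: a PC must not be a CA certificate")
        if pc.issuer != pi.subject:
            raise ValueError(f"{pc.subject}: issuer {pc.issuer!r} is not the Proxy Issuer")
        if pc.key_id in seen_keys:
            raise ValueError(f"{pc.subject}: a PC must have its own key pair")
        seen_keys.add(pc.key_id)
        if not is_derived_name(pi.subject, pc.subject):
            raise ValueError(f"{pc.subject}: identity is not derived from the Proxy Issuer's identity")
        if pc.policy == "limited":
            restricted = True
    return eec.subject, restricted


def parse_gridmap(text: str) -> Dict[str, str]:
    """Parse gridmap lines of the form  "<DN>" account[,account...]  into DN -> first account."""
    mapping: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # shlex keeps the quoted DN (which contains spaces) together
        if len(parts) != 2:
            raise ValueError(f"gridmap line {lineno}: expected a quoted DN and an account list")
        mapping[parts[0]] = parts[1].split(",")[0]
    return mapping


def map_to_local_account(chain: List[Cert], gridmap: Dict[str, str]) -> Tuple[str, bool]:
    """Validate the delegation chain, then map the EEC identity onto a local account."""
    eec_dn, restricted = validate_proxy_chain(chain)
    account = gridmap.get(eec_dn)
    if account is None:
        raise PermissionError(f"{eec_dn} is not mapped on this resource")
    return account, restricted


# Constructed sample data: not real certificates and not a real site's grid-mapfile.
CA_DN = "/O=Grid/CN=Example CA"
EEC = Cert(subject="/O=Grid/OU=VU/CN=Example User", issuer=CA_DN, key_id="key-eec")
PC1 = Cert(subject=EEC.subject + "/CN=proxy", issuer=EEC.subject, key_id="key-pc1", is_proxy=True)
PC2 = Cert(subject=PC1.subject + "/CN=limited proxy", issuer=PC1.subject, key_id="key-pc2",
           is_proxy=True, policy="limited")
GRIDMAP = parse_gridmap('''
# constructed grid-mapfile
"/O=Grid/OU=VU/CN=Example User" exuser,gridusers
"/O=Grid/OU=VU/CN=Another User" another
''')

if __name__ == "__main__":
    print(map_to_local_account([EEC, PC1], GRIDMAP))       # ('exuser', False)
    print(map_to_local_account([EEC, PC1, PC2], GRIDMAP))  # ('exuser', True)
```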
XML Web Services Security
March 27, 2003. IIDS Group, Vrije Universiteit, Amsterdam
Yuri Demchenko, NLnet Labs

Outlines
- Historical
- XML Security
- Web Services Security
- OGSA Security
- XML Web Services technology for IIDS - Discussion

Historical: How all this started (quoting Tim Berners-Lee)
- Initial idea: to create a resource description language
- Existing technologies: SGML + WAIS, Gopher + Library Catalogues
- Problems: hyperlink references and semantic meaning binding
- Past steps:
  - WWW and HTML
  - RDF and Metadata
  - XML and XML Signature
- Next step: Semantic Web
- Ongoing development: Computer Grids -> Information Grids -> Semantic Grids

XML Basics: DTD, Schema, XML Protocol, etc.
- DTD is document-oriented, like HTML
- Schema is data-oriented
- XML Signature
- SAML
- Basic XML Protocol(s): XML-RPC, SOAP
- XForms, XLink, XML Query, XPath, XPointer, XSL and XSLT, Legal XML

XML Security vs Traditional (Network) security
- Traditional Security:
  - Host-to-host or point-to-point security
  - Client/server oriented
  - Connection or connectionless oriented
  - Generically a single/common trust domain/association
- XML Security:
  - Document oriented approach
  - Security tokens/assertions and policies can be associated with the document or its parts
  - Intended to be cross-domain
  - Potentially for virtual and dynamic trust domains (security associations)

XML Security - Components
- XML Signature
- XML Encryption
- Security Assertion: SAML (Security Assertion Mark-up Language)
- XrML (XML Rights Mark-up Language)
- XACML (XML Access Control Mark-up Language)
- XKMS (XML Key Management Specification)

XML Signature: Features
- Fundamental feature: the ability to sign only specific portions of the XML tree rather than the whole document.
  - An XML document may have a long history in which different components are authored by different parties at different times
  - Different parties may want to sign only those elements relevant to them
  - Important when keeping the integrity of certain parts of an XML document is essential while leaving the possibility for other parts to be changed
- Allows carrying security tokens/assertions on the document/data rather than on the user/client
- Provides security features for XML based protocols
- Provides basic functionality for state assertions

XML Signature structure (diagram)

XML Web Services
- A Web Service is a software system identified by a URI, whose public interfaces and bindings are defined and described by XML. Other software systems may discover and interact with the Web Service in a manner prescribed by its definition, using XML based messages conveyed by Internet protocols.
- Service oriented architecture for application-to-application interaction
- Describing Web services - WSDL
- Exchanging messages - SOAP extensions
- Publishing and Discovering WS descriptions - UDDI
- Programming language-, programming model-, and system software-neutral
- Standards based: XML/SOAP foundation
- Industry initiatives (and development platforms):
  - Sun SunONE/J2EE (SunONE Studio)
  - Microsoft .NET (Visual Studio .NET)
  - IBM Dynamic e-Business (AlphaWorks)
  - XML Spy by Altova
Security token services broker trust between different trust domains by issuing security tokens. ??g{Ish?b B{Ish? b??+?????Web Services Security Model?? ?????WS Security Scenarios???All are built on SOAP based security tokens exchange Direct Trust using username/password (using SSL/TLS) Direct Trust using security token Security token acquisition Issued security token Enforcing business policy Web clients Mobile clients (gateway services) Enabling Federations Using trust chaining, security token exchange, credentials exchange Supporting delegation Access control Auditing?N5?Z5?Z?????"Web Services Security Architecture???WS-Security: describes how to attach signature and encryption headers to SOAP messages. In addition, it describes how to attach security tokens, including binary security tokens such as X.509 certificates, SAML, Kerberos tickets and others, to messages. Core Specification - Web Services Security: SOAP Message Security http://www.oasis-open.org/committees/download.php/1043/WSS-SOAPMessageSecurity-11-0303.pdf ??A\?2,Z??Am 0?@??7m 0?A??????ZWeb Service Security  others specifications ???WS-Policy: will describe the capabilities and constraints of the security (and other business) policies on intermediaries and endpoints (e.g. 
required security tokens, supported encryption algorithms, privacy rules) WS-Trust: will describe a framework for trust models that enables Web services to securely interoperate WS-Privacy: will describe a model for how Web services and requesters state privacy preferences and organizational privacy practice statements WS-SecureConversation: will describe how to manage and authenticate message exchanges between parties including security context exchange and establishing and deriving session keys WS-Federation: will describe how to manage and broker the trust relationships in a heterogeneous federated environment including support for federated identities WS-Authorization: will describe how to manage authorization data and authorization policies??? ?` ?? ?L????????"WS Security: SOAP Message Security???SOAP Message Security must support a wide variety of security models. Key driving requirements for the specification: Multiple security tokens for authentication or authorization Multiple trust domains Multiple encryption technologies End-to-end message-level security and not just transport-level security Primary security concerns Protection against interception  confidentiality XML Encryption Protection against illegal modification  integrity XML Signature Security consideration  Auditing Timestamping and message expiration Sequence number and Messages correlation??xZ?ZZ2ZZ4ZZ"ZMZG1?24    "M?? @?????SOAP Message Security Model??nDescribe abstract message security model in terms of security tokens combined with digital signatures as proof of possession of the security token (key). 
Security token asserts claims and signatures provide mechanism for proving the sender s knowledge of key A claim can be either endorsed or unendorsed by a trusted authority An X.509 Cert, claiming the binding between one s identity and public key, is an example of a endorsed/signed security token An unendorsed claim can be trusted if there is trust relations between the sender and the receiver (usually based on historical relations/communications context) Proof-of-Possession (e.g. username/password)  special type of unendorsed claim ?b??}?Q??}?Q ?????"WS-Security SOAP message structure??jURI: http://schemas.xmlsoap.org/ws/2002/04/secext Namespaces used in WSSL: SOAP S http://www.w3.org/2001/12/soap-envelope XML Digital Sign ds http://www.w3.org/2000/09/xmldsig# XML Encryption xenc http://www.w3.org/2001/04/xmlenc# XML/SOAP Routing m http://schemas.xmlsoap.org/rp WSSL wsse http://schemas.xmlsoap.org/ws/2002/04/secext ?kk?? bJ  ?????SecurityTokenReference Model????Usage and processing models for the <wsse:SecurityTokenReference> element. Local Reference  A security token, that is included in the message in the <wsse:Security> header, is associated with an XML Signature. Remote Reference  A security token, that is not included in the message but may be available at a specific URI, is associated with an XML Signature. Key Identifier  A security token, which is associated with an XML Signature and identified using a known value that is the result of a well-known function of the security token (defined by the token format or profile). Key Name  A security token is associated with an XML Signature and identified using a known value that represents a "name" assertion within the security token (defined by the token format or profile). 
Format- Specific References  A security token is associated with an XML Signature and identified using a mechanism specific to the token Non-Signature References  A message may contain XML that does not represent an XML signature, but may reference a security token (which may or may not be included in the message). ??LZZLy?? ?n??>%X??????Computer Grids??NOriginated from Distributing Supercomputing To become  pluggable computing resource Computer Grids -> Information Grids -> Semantic Grids Current de-facto standard  Globus Toolkits Open Grid Services Architecture was boosted by developing XML Web Services  2002 Commercial Grids are starting?v,)6~,_~?????&Open Grid Services Architecture (OGSA)???WSDL extensions to describe specifics of Grid Services Defines new portType - GridService Provides mechanism to create Virtual Organisation Provides mechanism to create transient services - Factories Provides soft-state registration of GSH - Registry Grid services can maintain internal state for the lifetime of the service. The existence of state distinguishes one instance of a service from another that provides the same interface. OGSA services can be created and destroyed dynamically Grid Service is assigned globally (persistent) unique name, the Grid service handle (GSH) Grid services may be upgraded during their lifetime and referenced by Grid (dynamic) service reference (GSR) ?67??7???,C  _????-Security Issues in Grid computing - Specifics?..#? . ???General issues: Traditional systems are user/client/host centric Grid computing is data centric Traditional systems: Protect system from its users Protect data of one user from compromise In Grid systems: Protect applications and data from system where computation execute Stronger/mutual authentication needed (for users and code) Ensure that resources and data not provided by a attacker Protect local execution from remote systems Different admin domains/Security policies??PG;VPG ; V ? ? 
?????.Security Issues in Grid computing - Components? / ???Authentication Password based Kerberos based (authentication and key distribution protocol) SSL authentication PKI/Cert based Authorisation Integrity and confidentiality Cryptography Assurance Accounting Audit ?jo, o, ? ? ?????Authentication?  ???Traditional systems: Authenticate user/client to protect system Grid systems: Mutual authentication required Ensure that resources and data not provided by a attacker Delegation of Identity Process that grants one principal the authority to act as another individual Assume another s identity to perform certain functions E.g., in Globus: use gridmap file on a particular resource to map authenticated user user onto another s account, with corresponding privileges Data origin authentication??+;+;   ?&X  ? ????? Authorisation?  ??:Traditional systems: Determine whether a particular operation is allowed based on authenticated identity of requester and local information Grid systems: Determine whether access to resource/operation is allowed Access control list associated with resources, principal or authorised programs Distributed Authorisation Distributed maintenance of authorisation information One approach: Embed attributes in certificates Restricted proxy: authorisation certificate that grants authority to perform operation on behalf of grantor Alternative: separate authorisation server ??w:Pdl+w:P dl+?&   ! ?????Assurance, Accounting, Audit?  ??JAssurance When service is requested, to assure that candidate service provider meets requirements Accounting Means of tracking, limiting or changing for consumption of resources Audit Record operations performed by systems and associate actions with principals Find out what went wrong: typical role of Intrusion Detection Systems?? X E? X E?  ? K ????? 
OGSA Security??Built upon WS Security??y??*OGSA Security Roadmap - Specifications (1)?++??)Naming OGSA Identity Specification OGSA Target/Action Naming Specification OGSA Attribute and Group Naming Specification Transient Service Identity Acquisition Specification Translating between Security Realms Identity Mapping Service Specification Generic Name Mapping Specification Policy Mapping Service Specification Credential Mapping Service Specification Authentication Mechanism Agnostic Certificate Validation Service Specification OGSA-Kerberos Services Specifications Pluggable Session Security GSSAPI-SecureConversation Specification ??Z?Z$Z?Z"ZTZZ)Z?$?"T  )??#(.5?u??z??*OGSA Security Roadmap - Specifications (2)?$+ ???Pluggable Authorization Service OGSA-Authorization Service Specification Authorization Policy Management Coarse-grained Authorization Policy Management Specification Fine-grained Authorization Policy Management Specifications Trust Policy Management OGSA Trust Service Specification Privacy Policy Management Privacy Policy Framework Specification VO Policy Management VO Policy Service Specification Delegation Identity Assertion Profile Specification Capability Assertion Profile Specification?!Z)Z!ZzZZ"ZZ'ZZ!Z ZTZ!)!z"  '  ! T??{??*OGSA Security Roadmap - Specifications (3)?$+ ??<Firewall "Friendly" OGSA Firewall Interoperability Specification Security Policy Expression and Exchange Grid Service Reference and Service Data Security Policy Decoration Specification Secure Service Operation Secure Service s Policy and Processing Specification Service Data Access Control Specification Audit and Secure Logging OGSA Audit Service Specification OGSA Audit Policy Management Specification ??.(RaM.(Ra  M   ??x??Trust establishment process (1)??? 1. 
XML Web Services Security
March 27, 2003, IIDS Group, Vrije Universiteit, Amsterdam
Yuri Demchenko, NLnet Labs

Outlines
- Historical
- XML Security
- Web Services Security
- OGSA Security
- XML Web Services technology for IIDS - Discussion

Historical: How all this started (quoting Tim Berners-Lee)
- Initial idea to create a resource description language
- Existing technologies: SGML + WAIS, Gopher + Library Catalogues
- Problems: hyperlink references and semantic meaning binding
- Past steps:
  - WWW and HTML
  - RDF and Metadata
  - XML and XML Signature
- Next step: Semantic Web
- Ongoing development: Computer Grids -> Information Grids -> Semantic Grids

XML Basics: DTD, Schema, XML Protocol, etc.
- DTD is document-oriented, like HTML
- Schema is data-oriented
- XML Signature
- SAML
- Basic XML Protocol(s): XML-RPC, SOAP
- XForms, XLink, XML Query, XPath, XPointer, XSL and XSLT, Legal XML
XML Security vs Traditional (Network) security
- Traditional Security:
  - Host-to-host or point-to-point security
  - Client/server oriented
  - Connection or connectionless oriented
  - Generically a single/common trust domain/association
- XML Security:
  - Document oriented approach
  - Security tokens/assertions and policies can be associated with the document or its parts
  - Intended to be cross-domain
  - Potentially for virtual and dynamic trust domains (security associations)

XML Security - Components
- XML Signature
- XML Encryption
- Security Assertion
- SAML (Security Assertion Mark-up Language)
- XrML (XML Right Mark-up Language)
- XACML (XML Access Control Mark-up Language)
- XKMS (XML Key Management Specification)

XML Signature: Features
- Fundamental feature: the ability to sign only specific portions of the XML tree rather than the whole document.
  - An XML document may have a long history, with different components authored by different parties at different times
  - Different parties may want to sign only those elements relevant to them
  - Important when keeping the integrity of certain parts of an XML document is essential while leaving the possibility for other parts to be changed
- Allows carrying security tokens/assertions on the document/data rather than on the user/client
- Provides security features for XML based protocols
- Provides basic functionality for state assertions

XML Signature structure
(figure: XML Signature element structure; the diagram did not survive extraction)

File/Document Encryption vs XML Encryption
- For multi-user encryption
- Document can contain the encrypted shared decryption key with the pubK of all intended targets

Binding semantics to the document with XMLSig
- XML Signature allows signing selected parts of the document
- Providing Integrity and Authenticity
- Binding attributes and permissions to the Document

XML Web Services
- A Web Service is a software system identified by a URI, whose public interfaces and bindings are defined and described by XML. Other software systems may discover and interact with the Web Service in a manner prescribed by its definition, using XML based messages conveyed by Internet protocols.
- Service oriented architecture for application-to-application interaction
  - Describing Web services: WSDL
  - Exchanging messages: SOAP extensions
  - Publishing and Discovering WS descriptions: UDDI
- Programming language-, programming model-, and system software-neutral
- Standard based: XML/SOAP foundation
- Industry initiatives (and development platforms):
  - Sun SunONE/J2EE (SunONE Studio)
  - Microsoft .NET (Visual Studio .NET)
  - IBM Dynamic e-Business (AlphaWorks)
  - XML Spy by Altova

XML WS - Service Oriented Architecture
- WSDL based Service Description
- SOAP based messaging over HTTP, SMTP, TCP, etc.
- UDDI based Publishing/Discovery

Web services features: three stacks
(figure: the three Web services stacks; the diagram did not survive extraction)

Web Service Description Language (WSDL)
- WSDL is an XML document format for describing a Web service as a set of endpoints operating on messages containing either document-oriented or procedure-oriented (RPC) messages. The operations and messages are described abstractly and then bound to a concrete network protocol and message format to define an endpoint.

WSDL Example: TimeService.wsdl
- http://www.Nanonull.com/TimeService/
- http://www.Nanonull.com/TimeService/#message(getUTCTimeSoapIn)

Web Services Security Model
- The WS-Security model provides end-to-end security (as opposed to point-to-point), allowing intermediaries
- A Web service can require that an incoming message prove a set of claims (e.g., name, key, permission, capability, etc.). The set of required claims and related information is referred to as a Policy.
- A requester can send messages with proof of the required claims by associating security tokens with the messages. Messages both demand a specific action and prove that their sender has the claim to demand the action.
- When a requester does not have the required claims, the requester or someone on its behalf can try to obtain the necessary claims by contacting other Web services.
- Security token services broker trust between different trust domains by issuing security tokens.

Web Services Security Model
(figure: WS-Security model; the diagram did not survive extraction)

WS Security Scenarios
- All are built on SOAP based security token exchange
- Direct Trust using username/password (using SSL/TLS)
- Direct Trust using a security token
- Security token acquisition: issued security token
- Enforcing business policy: Web clients; Mobile clients (gateway services)
- Enabling Federations: using trust chaining, security token exchange, credentials exchange
- Supporting delegation
- Access control
- Auditing

Web Services Security Architecture
- WS-Security: describes how to attach signature and encryption headers to SOAP messages. In addition, it describes how to attach security tokens, including binary security tokens such as X.509 certificates, SAML, Kerberos tickets and others, to messages.
- Core Specification - Web Services Security: SOAP Message Security
  http://www.oasis-open.org/committees/download.php/1043/WSS-SOAPMessageSecurity-11-0303.pdf

Web Service Security: other specifications
- WS-Policy: will describe the capabilities and constraints of the security (and other business) policies on intermediaries and endpoints (e.g. required security tokens, supported encryption algorithms, privacy rules)
- WS-Trust: will describe a framework for trust models that enables Web services to securely interoperate
- WS-Privacy: will describe a model for how Web services and requesters state privacy preferences and organizational privacy practice statements
- WS-SecureConversation: will describe how to manage and authenticate message exchanges between parties, including security context exchange and establishing and deriving session keys
- WS-Federation: will describe how to manage and broker the trust relationships in a heterogeneous federated environment, including support for federated identities
- WS-Authorization: will describe how to manage authorization data and authorization policies

WS Security: SOAP Message Security
- SOAP Message Security must support a wide variety of security models. Key driving requirements for the specification:
  - Multiple security tokens for authentication or authorization
  - Multiple trust domains
  - Multiple encryption technologies
  - End-to-end message-level security, not just transport-level security
- Primary security concerns:
  - Protection against interception (confidentiality): XML Encryption
  - Protection against illegal modification (integrity): XML Signature
  - Security consideration (auditing): timestamping and message expiration; sequence numbers and message correlation

SOAP Message Security Model
- Describes an abstract message security model in terms of security tokens combined with digital signatures as proof of possession of the security token (key).
- A security token asserts claims; signatures provide the mechanism for proving the sender's knowledge of the key
- A claim can be either endorsed or unendorsed by a trusted authority
  - An X.509 Cert, claiming the binding between one's identity and public key, is an example of an endorsed/signed security token
  - An unendorsed claim can be trusted if there are trust relations between the sender and the receiver (usually based on historical relations/communications context)
  - Proof-of-Possession (e.g. username/password): a special type of unendorsed claim

WS-Security SOAP message structure
- URI: http://schemas.xmlsoap.org/ws/2002/04/secext
- Namespaces used in WSSL:
  - SOAP                  S      http://www.w3.org/2001/12/soap-envelope
  - XML Digital Signature ds     http://www.w3.org/2000/09/xmldsig#
  - XML Encryption        xenc   http://www.w3.org/2001/04/xmlenc#
  - XML/SOAP Routing      m      http://schemas.xmlsoap.org/rp
  - WSSL                  wsse   http://schemas.xmlsoap.org/ws/2002/04/secext

SecurityTokenReference Model
Usage and processing models for the <wsse:SecurityTokenReference> element:
- Local Reference: a security token that is included in the message in the <wsse:Security> header is associated with an XML Signature.
- Remote Reference: a security token that is not included in the message but may be available at a specific URI is associated with an XML Signature.
- Key Identifier: a security token that is associated with an XML Signature is identified using a known value that is the result of a well-known function of the security token (defined by the token format or profile).
- Key Name: a security token is associated with an XML Signature and identified using a known value that represents a "name" assertion within the security token (defined by the token format or profile).
- Format-Specific References: a security token is associated with an XML Signature and identified using a mechanism specific to the token.
- Non-Signature References: a message may contain XML that does not represent an XML signature but may reference a security token (which may or may not be included in the message).

Computer Grids
- Originated from Distributed Supercomputing
- To become a "pluggable" computing resource
- Computer Grids -> Information Grids -> Semantic Grids
- Current de-facto standard: Globus Toolkits
- Open Grid Services Architecture was boosted by the development of XML Web Services (2002)
- Commercial Grids are starting

Open Grid Services Architecture (OGSA)
- WSDL extensions to describe the specifics of Grid Services
- Defines a new portType: GridService
- Provides a mechanism to create a Virtual Organisation
- Provides a mechanism to create transient services: Factories
- Provides soft-state registration of GSH: Registry
- Grid services can maintain internal state for the lifetime of the service. The existence of state distinguishes one instance of a service from another that provides the same interface.
- OGSA services can be created and destroyed dynamically
- A Grid Service is assigned a globally unique (persistent) name, the Grid service handle (GSH)
- Grid services may be upgraded during their lifetime and referenced by a Grid (dynamic) service reference (GSR)

Security Issues in Grid computing - Specifics
- General issues:
  - Traditional systems are user/client/host centric
  - Grid computing is data centric
- Traditional systems:
  - Protect the system from its users
  - Protect the data of one user from compromise
- In Grid systems:
  - Protect applications and data from the system where the computation executes
  - Stronger/mutual authentication needed (for users and code)
  - Ensure that resources and data are not provided by an attacker
  - Protect local execution from remote systems
  - Different admin domains/security policies
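The WS-Security SOAP message structure and SecurityTokenReference slides above describe how a signature in the <wsse:Security> header points at the token that keys it. The following is an added example written for this page, not code from the deck or from any WS-Security toolkit: it parses a constructed SOAP message that uses the namespace URIs listed on the slide and classifies each <wsse:SecurityTokenReference> according to the slide's reference model (local, remote, key identifier, key name, format-specific, and non-signature references). The unqualified Id attribute, the placeholder token and signature values, and the child element names wsse:Reference and wsse:KeyIdentifier are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Namespace URIs exactly as listed on the "WS-Security SOAP message structure" slide.
NS = {
    "S": "http://www.w3.org/2001/12/soap-envelope",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "wsse": "http://schemas.xmlsoap.org/ws/2002/04/secext",
}


def tag(prefix, local):
    """Clark-notation element name ({uri}local) for one of the slide's namespaces."""
    return "{%s}%s" % (NS[prefix], local)


# Constructed sample message; not from the deck. Token and signature values are
# placeholders, and the unqualified "Id" attribute is an assumption of this example.
SAMPLE_MESSAGE = """<S:Envelope xmlns:S="%(S)s" xmlns:ds="%(ds)s" xmlns:wsse="%(wsse)s">
  <S:Header>
    <wsse:Security>
      <wsse:BinarySecurityToken Id="X509Token" ValueType="wsse:X509v3"
          EncodingType="wsse:Base64Binary">CERT-PLACEHOLDER</wsse:BinarySecurityToken>
      <ds:Signature>
        <ds:SignedInfo><ds:Reference URI="#Body"/></ds:SignedInfo>
        <ds:SignatureValue>SIG-PLACEHOLDER-1</ds:SignatureValue>
        <ds:KeyInfo>
          <wsse:SecurityTokenReference>
            <wsse:Reference URI="#X509Token"/>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
      <ds:Signature>
        <ds:SignedInfo><ds:Reference URI="#Body"/></ds:SignedInfo>
        <ds:SignatureValue>SIG-PLACEHOLDER-2</ds:SignatureValue>
        <ds:KeyInfo>
          <wsse:SecurityTokenReference>
            <wsse:Reference URI="#NoSuchToken"/>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
      <wsse:SecurityTokenReference>
        <wsse:KeyIdentifier>SKI-PLACEHOLDER</wsse:KeyIdentifier>
      </wsse:SecurityTokenReference>
    </wsse:Security>
  </S:Header>
  <S:Body Id="Body"><Ping/></S:Body>
</S:Envelope>""" % NS


def classify_reference(str_el, local_ids):
    """Return (kind, detail) for one <wsse:SecurityTokenReference> per the slide's model."""
    ref = str_el.find(tag("wsse", "Reference"))
    if ref is not None:
        uri = ref.get("URI", "")
        if uri.startswith("#"):
            # Local reference: the token must actually be carried in the wsse:Security header.
            return ("local" if uri[1:] in local_ids else "dangling-local", uri[1:])
        return ("remote", uri)  # token is fetched from a URI outside the message
    key_id = str_el.find(tag("wsse", "KeyIdentifier"))
    if key_id is not None:
        return ("key-identifier", (key_id.text or "").strip())
    key_name = str_el.find(tag("ds", "KeyName"))
    if key_name is not None:
        return ("key-name", (key_name.text or "").strip())
    return ("format-specific", None)  # anything else is specific to the token format


def analyse_security_header(message):
    """List every SecurityTokenReference in the wsse:Security header with its kind and context."""
    root = ET.fromstring(message)
    header = root.find(tag("S", "Header"))
    security = header.find(tag("wsse", "Security")) if header is not None else None
    if security is None:
        return []
    # Ids of elements carried inside the header; local references must resolve here.
    local_ids = {el.get("Id") for el in security.iter() if el.get("Id")}
    parents = {child: parent for parent in security.iter() for child in parent}
    results = []
    for str_el in security.iter(tag("wsse", "SecurityTokenReference")):
        kind, detail = classify_reference(str_el, local_ids)
        # Walk up the tree: an STR under ds:Signature keys that signature; any other
        # placement is a non-signature reference in the slide's terminology.
        node, context = str_el, "non-signature"
        while node in parents:
            node = parents[node]
            if node.tag == tag("ds", "Signature"):
                context = "signature"
                break
        results.append({"kind": kind, "detail": detail, "context": context})
    return results


def unresolved_references(message):
    """Signatures whose token cannot be located in the message: reject or fetch before verifying."""
    return [r for r in analyse_security_header(message)
            if r["context"] == "signature" and r["kind"] == "dangling-local"]


if __name__ == "__main__":
    for r in analyse_security_header(SAMPLE_MESSAGE):
        print(r)
```

A receiver should treat a signature whose local reference does not resolve (the second signature in the sample) as unverifiable rather than silently skipping it; unresolved_references() surfaces those cases before any signature verification runs. Verifying the signature value with the referenced key is outside this example.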
Security Issues in Grid computing - Components
- Authentication:
  - Password based
  - Kerberos based (authentication and key distribution protocol)
  - SSL authentication
  - PKI/Cert based
- Authorisation
- Integrity and confidentiality
- Cryptography
- Assurance
- Accounting
- Audit

Authentication
- Traditional systems: authenticate the user/client to protect the system
- Grid systems:
  - Mutual authentication required
  - Ensure that resources and data are not provided by an attacker
- Delegation of Identity:
  - Process that grants one principal the authority to act as another individual
  - Assume another's identity to perform certain functions
  - E.g., in Globus: use the gridmap file on a particular resource to map an authenticated user onto another's account, with corresponding privileges
- Data origin authentication

Authorisation
- Traditional systems: determine whether a particular operation is allowed based on the authenticated identity of the requester and local information
- Grid systems:
  - Determine whether access to a resource/operation is allowed
  - Access control list associated with resources, principals or authorised programs
- Distributed Authorisation:
  - Distributed maintenance of authorisation information
  - One approach: embed attributes in certificates
    - Restricted proxy: an authorisation certificate that grants authority to perform an operation on behalf of the grantor
  - Alternative: separate authorisation server

Assurance, Accounting, Audit
- Assurance: when a service is requested, to assure that the candidate service provider meets requirements
- Accounting: means of tracking, limiting or charging for consumption of resources
- Audit: record operations performed by systems and associate actions with principals
  - Find out what went wrong: the typical role of Intrusion Detection Systems
OGSA Security
- Built upon WS Security

OGSA Security Roadmap - Specifications (1)
- Naming:
  - OGSA Identity Specification
  - OGSA Target/Action Naming Specification
  - OGSA Attribute and Group Naming Specification
  - Transient Service Identity Acquisition Specification
- Translating between Security Realms:
  - Identity Mapping Service Specification
  - Generic Name Mapping Specification
  - Policy Mapping Service Specification
  - Credential Mapping Service Specification
- Authentication Mechanism Agnostic:
  - Certificate Validation Service Specification
  - OGSA-Kerberos Services Specifications
- Pluggable Session Security:
  - GSSAPI-SecureConversation Specification

OGSA Security Roadmap - Specifications (2)
- Pluggable Authorization Service: OGSA-Authorization Service Specification
- Authorization Policy Management:
  - Coarse-grained Authorization Policy Management Specification
  - Fine-grained Authorization Policy Management Specifications
- Trust Policy Management: OGSA Trust Service Specification
- Privacy Policy Management: Privacy Policy Framework Specification
- VO Policy Management: VO Policy Service Specification
- Delegation:
  - Identity Assertion Profile Specification
  - Capability Assertion Profile Specification

OGSA Security Roadmap - Specifications (3)
- Firewall "Friendly": OGSA Firewall Interoperability Specification
- Security Policy Expression and Exchange: Grid Service Reference and Service Data Security Policy Decoration Specification
- Secure Service Operation:
  - Secure Service's Policy and Processing Specification
  - Service Data Access Control Specification
- Audit and Secure Logging:
  - OGSA Audit Service Specification
  - OGSA Audit Policy Management Specification

Trust establishment process (1)
1. Binding an entity identity to a Distinguished Name (DN, the subject name in an X.509 identity certificate). Trust in this step is accomplished through the (published and audited) policy-based identity verification procedures of the Certification Authority that issues the identity certificates.
2. Binding a public key to the DN (generating an X.509 certificate). Trust in this step is accomplished through the (published and audited) policy-based operational procedures of the issuing Certification Authority (CA).
3. Assurance that the public key that is presented actually represents the user. Trust in this step comes from the cryptography and protocols of Public Key Infrastructure.
4. Assurance that a message tied to the entity DN could only have originated with that entity. Trust that a message signed by a private key could only have been signed by the private key corresponding to the public key (and therefore by the named entity, via X.509 certs) comes from public key cryptography. Trust in this step is also through user key management (the mechanism by which the user limits the use of its identity), which is assured by user education, care in dealing with one's cyber environment, and shared understanding as to the significance of the private key.

Trust establishment process (2)
5. Mutual authentication, whereby the two ends of a communication channel agree on each other's identity. Trust in this step is through the cryptographic techniques and protocols of the Transport Level Security (TLS) standard.
6. Delegation of identity to remote Grid systems. Trust in this step is through the cryptographic techniques and protocols for generating, managing, and using proxy certificates that are directly derived from the CA-issued identity certificates.
Remote Authentication, Delegation, and Secure Communication in GRID
- Remote authentication is accomplished by techniques that verify a cryptographic identity in a way that establishes trust in an unbroken chain from the relying party back to a named human, system, or service identity. This is accomplished in a sequence of trusted steps, each one of which is essential in order to get from accepting a remote user on a Grid resource back to a named entity.
- Delegation involves generating and sending a proxy certificate and its private key to a remote Grid system so that the remote system may act on behalf of the user. This is the essence of the single sign-on provided by the Grid: a user/entity proves its identity once, and then delegates its authority to remote systems for subsequent processing steps.
- A secure communication channel is derived from the Public Key Infrastructure process and the IETF Transport Level Security protocol.

Globus Grid Security Infrastructure (GSI)
- Operational solution providing the security infrastructure for Globus Toolkits
- Targeted problems:
  - Thousands of users, thousands of Certs, many CAs (with different policies)
  - Grid-wide user groups and roles are needed
  - No grid-wide logging or auditing
  - Need for anonymous users
- Intended to evolve into OGSA Security
- GSI Components:
  - Proxy Certificate Profile: provides proxy credentials to allow for single sign-on and to provide delegated credentials for use by agents and servers
  - Online Credential Retrieval to create and manage proxy certificates
  - Impersonation certificate and restricted delegation certificate
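To make the delegation step concrete, here is an added example written for this page (not code from the deck, from Globus or from GSI). It models a delegation chain as plain records and checks it against the rules the deck lists on its Proxy Certificate Profile slide (signed by an EEC or another PC, a PC may sign only another PC, its own key pair, an identity derived from the EEC yet unique, a policy extension), then maps the authenticated EEC identity to a local account the way the gridmap file on the Authentication slide does. There is no ASN.1 parsing or signature verification; the slash-notation DNs, the "issuer DN plus one RDN" subject derivation, the rule that a restricted proxy keeps the rest of the chain restricted, the CA and user names, and the gridmap contents are all assumptions or constructed data.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Cert:
    """Minimal certificate model; real X.509 parsing and signature checks are out of scope."""
    subject: str              # DN in Globus slash notation, e.g. "/O=VU/CN=Alice" (assumed convention)
    issuer: str               # DN of the signer
    public_key: str           # stand-in label for the public key
    is_proxy: bool = False    # models the X.509 extension that marks a certificate as a PC
    restricted: bool = False  # models a policy in that extension that limits what the PC may do


def parent_dn(dn: str) -> str:
    """Strip the last RDN: "/O=VU/CN=Alice/CN=proxy" -> "/O=VU/CN=Alice"."""
    return dn.rsplit("/", 1)[0]


def validate_chain(chain: List[Cert], trusted_cas: Set[str]) -> Tuple[str, str]:
    """Check a delegation chain ordered EEC first, then each proxy in issuing order.

    Returns (EEC subject DN, effective policy) or raises ValueError naming the violated rule.
    """
    if not chain:
        raise ValueError("empty chain")
    eec = chain[0]
    if eec.is_proxy:
        raise ValueError("chain must start with an End Entity Certificate, not a proxy")
    if eec.issuer not in trusted_cas:
        raise ValueError("EEC issuer %r is not a trusted CA" % eec.issuer)
    policy = "unrestricted"
    seen_keys = {eec.public_key}
    previous = eec
    for cert in chain[1:]:
        if not cert.is_proxy:
            raise ValueError("%r is an EEC signed by a PC; a PC can sign only another PC" % cert.subject)
        if cert.issuer != previous.subject:
            raise ValueError("proxy %r is not signed by the preceding certificate" % cert.subject)
        # Derived-but-unique identity: issuer DN plus exactly one extra RDN (assumption of this model).
        if parent_dn(cert.subject) != previous.subject:
            raise ValueError("proxy subject %r is not derived from its issuer's DN" % cert.subject)
        if cert.public_key in seen_keys:
            raise ValueError("proxy %r must have its own key pair" % cert.subject)
        seen_keys.add(cert.public_key)
        if cert.restricted:
            policy = "restricted"  # assumption: rights, once restricted, are not regained further down
        previous = cert
    return eec.subject, policy


def chain_error(chain: List[Cert], trusted_cas: Set[str]) -> Optional[str]:
    """Same check, but returns the violated rule as text (None when the chain is valid)."""
    try:
        validate_chain(chain, trusted_cas)
        return None
    except ValueError as exc:
        return str(exc)


# Constructed gridmap in the Globus format: quoted DN, whitespace, local account name.
GRIDMAP = '''
# comment lines and blank lines are ignored
"/O=VU/OU=IIDS/CN=Alice" alice
"/O=NLnet Labs/CN=Bob" bob
'''


def parse_gridmap(text: str) -> Dict[str, str]:
    """Map each quoted DN to its local account; the DN may contain spaces, the account may not."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        dn, account = line.rsplit(None, 1)
        mapping[dn.strip('"')] = account
    return mapping


def local_account(chain: List[Cert], trusted_cas: Set[str], gridmap: Dict[str, str]) -> Tuple[str, str]:
    """Validate the presented chain, then map the EEC identity to a local account (gridmap lookup)."""
    eec_dn, policy = validate_chain(chain, trusted_cas)
    if eec_dn not in gridmap:
        raise ValueError("no gridmap entry for %r" % eec_dn)
    return gridmap[eec_dn], policy


# Constructed sample chain: a trusted CA, Alice's EEC, a full proxy and a restricted proxy below it.
TRUSTED_CAS = {"/C=NL/O=ExampleGrid/CN=CA"}
ALICE_EEC = Cert("/O=VU/OU=IIDS/CN=Alice", "/C=NL/O=ExampleGrid/CN=CA", "key-alice")
ALICE_PC1 = Cert("/O=VU/OU=IIDS/CN=Alice/CN=proxy", ALICE_EEC.subject, "key-proxy-1", is_proxy=True)
ALICE_PC2 = Cert("/O=VU/OU=IIDS/CN=Alice/CN=proxy/CN=limited", ALICE_PC1.subject, "key-proxy-2",
                 is_proxy=True, restricted=True)
# Two rule violations: a proxy attempting to sign an EEC, and a proxy reusing its issuer's key.
EEC_SIGNED_BY_PROXY = Cert("/O=VU/OU=IIDS/CN=Mallory", ALICE_PC1.subject, "key-mallory")
KEY_REUSE_PROXY = Cert("/O=VU/OU=IIDS/CN=Alice/CN=proxy", ALICE_EEC.subject, "key-alice", is_proxy=True)

if __name__ == "__main__":
    print(local_account([ALICE_EEC, ALICE_PC1, ALICE_PC2], TRUSTED_CAS, parse_gridmap(GRIDMAP)))
    print(chain_error([ALICE_EEC, ALICE_PC1, EEC_SIGNED_BY_PROXY], TRUSTED_CAS))
```

The resource that receives a delegated chain gets two things from the check: the EEC identity that the gridmap lookup is keyed on, and the effective policy, which is what lets an unrestricted single-sign-on proxy be distinguished from a restricted delegation certificate when deciding what the remote system may do on the user's behalf.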
Proxy Certificate Profile
- Impersonation: used for Single-Sign-On and Delegation
  - Unrestricted Impersonation
  - Restricted Impersonation defined by policy
- Proxy with Unique Name
  - Allows use in conjunction with an Attribute Cert
  - Used when the proxy identity is referenced to a 3rd party, or interacts with VO policy
- Proxy Certificate (PC) properties:
  - It is signed by either an X.509 End Entity Certificate (EEC), or by another PC. This EEC or PC is referred to as the Proxy Issuer (PI).
  - It can sign only another PC. It cannot sign an EEC.
  - It has its own public and private key pair, distinct from any other EEC or PC.
  - It has an identity derived from the identity of the EEC that signed the PC. Although its identity is derived from the EEC's identity, it is also unique.
  - It contains a new X.509 extension to identify it as a PC and to place policies on the use of the PC. This new extension, along with other X.509 fields and extensions, is used to enable proper path validation and use of the PC.

Reference: PKC vs AC: Purposes
- X.509 PKC binds an identity and a public key
- AC is a component of the X.509 Role-based PMI
- AC contains no public key
- AC may contain attributes that specify group membership, role, security clearance, or other authorisation information associated with the AC holder
- Analogy: PKC is like a passport, and AC is like an entry visa
- PKC is used for Authentication and AC is used for Authorisation
- AC may be included in an Authentication message
- PKC relies on a Certification Authority and AC requires an Attribute Authority (AA)

PKC vs AC: Certificates structure
- X.509 PKC: Version, Serial number, Signature, Issuer, Validity, Subject, Subject Public key info, Issuer unique identifier, Extensions
- AC: Version, Holder, Issuer, Signature, Serial number, Validity, Attributes, Issuer unique ID, Extensions

X.509 PKC Fields and Extensions (RFC 3280)
- X.509 PKC Fields: Serial Number, Subject, Subject Public Key, Issuer Unique ID, Subject Unique ID
- X.509 PKC Extensions (Standard Extensions): Authority Key Identifier, Subject Key Identifier, Key Usage, Extended Key Usage, CRL Distribution List, Private Key Usage Period, Certificate Policies, Policy Mappings, Subject Alternative Name, Issuer Alternative Name, Subject Directory Attributes, Basic Constraints, Name Constraints

AC Attribute Types and AC Extensions
- AC Attribute Types: Service Authentication Information, Access Identity, Charging Identity, Group, Role, Clearance, Profile of AC
- AC Extensions:
  - Audit Identity: to protect privacy and provide anonymity; may be traceable via the AC issuer
  - AC Targeting
  - Authority Key Identifier
  - Authority Information Access
  - CRL Distribution Points

Other Technologies to look for IIDS
- SIP (Session Initiation Protocol) based technologies
- Instant Messaging and Presence Protocol: SIP based

XML Web Services technologies for IIDS
- Discussion
?=?????XML Web Services Security?$(??_March 27, 2003 IIDS Group, Vrije Universiteit Yuri Demchenko, NLnet Labs ?"`/1"?Z      ??g??Outlines??pHistorical XML Security Web Services Security OGSA Security XML Web Services technology for IIDS - Discussion ?<=3=3?????:Historical: How all this started (quoting Tim Berners-Lee)?&; ?.??VInitial idea to create resource description language Existing technologies: SGML + WAIS, Gopher + Library Catalogues Problems: hyperlinks reference and semantic meaning binding Past steps: WWW and HTML RDF and Metadata XML and XML Signature Next step: Semantic Web Ongoing development: Computer Grids -> Information Grids -> Semantic Grids ?`5| 5e5| 5e??^??+XML Basics: DTD, Schema, XML Protocol, etc.???DTD is document-oriented Like HTML Schema is data-oriented XML Signature SAML Basic XML Protocol(s) XML-RPC SOAP XForms, XLink, XML Query, XPath, XPointer, XSL and XSLT, Legal XML??  D  D?Hs??W??.XML Security vs Traditional (Network) security???Traditional Security: Host-to-host or point-to-point security Client/server oriented Connection or connectionless oriented Generically single/common trust domain/association XML Security Document oriented approach Security tokens/assertions and policies can be associated with the document or its parts Intended to be cross-domain Potentially for virtual and dynamic trust domains (security associations)?t?Yf?Yf?????XML Security - Components???XML Signature XML Encryption Security Assertion SAML (Security Assertion Mark-up Language) XrML (XML Right Mark-up Language) XACML (XML Access Control Mark-up Language) XKMS (XML Key Management Specification) ?R1z(1z(?????XML Signature: Features??uFundamental feature: the ability to sign only specific portions of the XML tree rather than the whole document. 
XML document may have a long history when different component are authored by different parties at different times Different parties may want to sign only those elements relevant to them Important when keeping integrity of certain parts of an XML document is essential while leaving the possibility for other parts to be changed Allows carrying security tokens/assertions on document/data rather than on user/client Provides security features for XML based protocols Provides basic functionality for state assertions ?Np?2p?2 ?????XML Signature structure???? ? ? (? ()?? ? ? )+? ? ()?? ()*? ??$?Z?%??? /   $?????*File/Document Encryption vs XML Encryption?&   ??qFor multi-user encryption Document can contain encrypted shared decryption key with pubK of all intended targets ?rr?&T   ?????-Binding semantics to the document with XMLSig?"'  ???XML Signature allows signing selected parts of the document Providing Integrity and Authenticity Binding attributes and permissions to the the Document?*<Z\Z<\?< \?????XML Web Services???A Web Service is a software system identified by URI, whose public interfaces and bindings are defied and described by XML. Other software systems may discover and interact with the Web Service in a manner prescribed by its definition, using XML based messages conveyed by Internet protocols. Service oriented architecture for application-to-application interaction Describing Web services  WSDL Exchanging messages  SOAP extensions Publishing and Discovering WS descriptions - UDDI Programming language-, programming model-, and system software-neutral Standard based: XML/SOAP foundation Industry initiatives (and development platforms) Sun SunONE/J2EE (SunONE Studio) Microsoft .NET (Visual Studio .NET) IBM Dynamic e-Business (AlphaWorks) XML Spy by Altova?v&ZJZyZ?ZzZ&Jy?z  ?P?E  ?????&XML WS - Service Oriented Architecture??nWSDL based Service Description SOAP based messaging over HTTP, SMTP, TCP, etc. 
UDDI based Publishing/Discovery?oo?????HWeb services features  three stacks?? ??p??'Web Service Description Language (WSDL)??=WSDL is an XML document format for describing Web service as a set of endpoints operating on messages containing either document-oriented or procedure-oriented (RPC) messages. The operations and messages are described abstractly and then bound to a concrete network protocol and message format to define an endpoint ?>>?????Web Services Security Model ?? WS-Security model provides end-to-end security (as contrary to point-to-point) allowing intermediaries A Web service can require that an incoming message prove a set of claims (e.g., name, key, permission, capability, etc.). Set of required claims and related information is referred as a Policy. A requester can send messages with proof of the required claims by associating security tokens with the messages. Messages both demand a specific action and prove that their sender has the claim to demand the action. When a requester does not have the required claims, the requester or someone on its behalf can try to obtain the necessary claims by contacting other Web services. Security token services broker trust between different trust domains by issuing security tokens. ??g{Ish?b B{Ish? b??+?????Web Services Security Model?? ?????WS Security Scenarios???All are built on SOAP based security tokens exchange Direct Trust using username/password (using SSL/TLS) Direct Trust using security token Security token acquisition Issued security token Enforcing business policy Web clients Mobile clients (gateway services) Enabling Federations Using trust chaining, security token exchange, credentials exchange Supporting delegation Access control Auditing?N5?Z5?Z?????"Web Services Security Architecture???WS-Security: describes how to attach signature and encryption headers to SOAP messages. 
In addition, it describes how to attach security tokens, including binary security tokens such as X.509 certificates, SAML, Kerberos tickets and others, to messages. Core Specification - Web Services Security: SOAP Message Security http://www.oasis-open.org/committees/download.php/1043/WSS-SOAPMessageSecurity-11-0303.pdf ??A\?2,Z??Am 0?@??7m 0?A??????ZWeb Service Security  others specifications ???WS-Policy: will describe the capabilities and constraints of the security (and other business) policies on intermediaries and endpoints (e.g. required security tokens, supported encryption algorithms, privacy rules) WS-Trust: will describe a framework for trust models that enables Web services to securely interoperate WS-Privacy: will describe a model for how Web services and requesters state privacy preferences and organizational privacy practice statements WS-SecureConversation: will describe how to manage and authenticate message exchanges between parties including security context exchange and establishing and deriving session keys WS-Federation: will describe how to manage and broker the trust relationships in a heterogeneous federated environment including support for federated identities WS-Authorization: will describe how to manage authorization data and authorization policies??? ?` ?? ?L?????"WS Security: SOAP Message Security???SOAP Message Security must support a wide variety of security models. Key driving requirements for the specification: Multiple security tokens for authentication or authorization Multiple trust domains Multiple encryption technologies End-to-end message-level security and not just transport-level security Primary security concerns Protection against interception  confidentiality XML Encryption Protection against illegal modification  integrity XML Signature Security consideration  Auditing Timestamping and message expiration Sequence number and Messages correlation??xZ?ZZ2ZZ4ZZ"ZMZG1?24    "M?? 
@?????SOAP Message Security Model??nDescribe abstract message security model in terms of security tokens combined with digital signatures as proof of possession of the security token (key). Security token asserts claims and signatures provide mechanism for proving the sender s knowledge of key A claim can be either endorsed or unendorsed by a trusted authority An X.509 Cert, claiming the binding between one s identity and public key, is an example of a endorsed/signed security token An unendorsed claim can be trusted if there is trust relations between the sender and the receiver (usually based on historical relations/communications context) Proof-of-Possession (e.g. username/password)  special type of unendorsed claim ?b??}?Q??}?Q ?????"WS-Security SOAP message structure??jURI: http://schemas.xmlsoap.org/ws/2002/04/secext Namespaces used in WSSL: SOAP S http://www.w3.org/2001/12/soap-envelope XML Digital Sign ds http://www.w3.org/2000/09/xmldsig# XML Encryption xenc http://www.w3.org/2001/04/xmlenc# XML/SOAP Routing m http://schemas.xmlsoap.org/rp WSSL wsse http://schemas.xmlsoap.org/ws/2002/04/secext ?kk?? bJ  ?????SecurityTokenReference Model????Usage and processing models for the <wsse:SecurityTokenReference> element. Local Reference  A security token, that is included in the message in the <wsse:Security> header, is associated with an XML Signature. Remote Reference  A security token, that is not included in the message but may be available at a specific URI, is associated with an XML Signature. Key Identifier  A security token, which is associated with an XML Signature and identified using a known value that is the result of a well-known function of the security token (defined by the token format or profile). Key Name  A security token is associated with an XML Signature and identified using a known value that represents a "name" assertion within the security token (defined by the token format or profile). 
- Format-Specific References: a security token is associated with an XML Signature and identified using a mechanism specific to the token.
- Non-Signature References: a message may contain XML that does not represent an XML Signature but may reference a security token (which may or may not be included in the message).

Computer Grids
- Originated from distributed supercomputing
- To become a pluggable computing resource
- Computer Grids -> Information Grids -> Semantic Grids
- Current de-facto standard: Globus Toolkit
- Open Grid Services Architecture was boosted by the development of XML Web Services (2002)
- Commercial Grids are starting

Open Grid Services Architecture (OGSA)
- WSDL extensions to describe the specifics of Grid Services
- Defines a new portType: GridService
- Provides a mechanism to create a Virtual Organisation
- Provides a mechanism to create transient services: Factories
- Provides soft-state registration of GSHs: Registry
- Grid services can maintain internal state for the lifetime of the service. The existence of state distinguishes one instance of a service from another that provides the same interface.
- OGSA services can be created and destroyed dynamically
- A Grid Service is assigned a globally unique (persistent) name, the Grid Service Handle (GSH)
- Grid services may be upgraded during their lifetime and are referenced by a (dynamic) Grid Service Reference (GSR)

Security Issues in Grid computing - Specifics
General issues:
- Traditional systems are user/client/host centric
- Grid computing is data centric
Traditional systems:
- Protect the system from its users
- Protect the data of one user from compromise
In Grid systems:
- Protect applications and data from the system where the computation executes
- Stronger/mutual authentication needed (for users and code)
- Ensure that resources and data are not provided by an attacker
- Protect local execution from remote systems
- Different administrative domains/security policies
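The SOAP message structure and the proof-of-possession (username/password) token from the slides above, as an added example that is not code from the slides or from any WS-Security implementation: it builds a SOAP envelope whose wsse:Security header carries a Timestamp and a UsernameToken with a password digest, then verifies it on the receiving side, including the message-expiration check and a nonce replay cache. The SOAP and wsse namespace URIs are the ones the "WS-Security SOAP message structure" slide lists; the wsu utility namespace URI is an assumption (the slides list none), the user, password and times are constructed sample values, and the digest formula Base64(SHA-1(nonce + created + password)) is the one from the WS-Security UsernameToken profile.

```python
"""Added example: a WS-Security style SOAP envelope with UsernameToken + Timestamp."""
import base64
import hashlib
import hmac
import os
from datetime import datetime
import xml.etree.ElementTree as ET

NS_S = "http://www.w3.org/2001/12/soap-envelope"            # from the slide
NS_WSSE = "http://schemas.xmlsoap.org/ws/2002/04/secext"     # from the slide
NS_WSU = "http://schemas.xmlsoap.org/ws/2002/07/utility"     # assumption (wsu)
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"                              # UTC timestamps

for prefix, uri in (("S", NS_S), ("wsse", NS_WSSE), ("wsu", NS_WSU)):
    ET.register_namespace(prefix, uri)


def q(ns, local):
    """Clark-notation tag name for ElementTree."""
    return "{%s}%s" % (ns, local)


def password_digest(nonce, created, password):
    """PasswordDigest = Base64(SHA-1(nonce + created + password)).

    Proof of possession of the password (an unendorsed claim): the receiver can
    recompute the digest only if it knows the same password."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def build_envelope(username, password, created, expires, body_xml, nonce=None):
    """Sender side: return the envelope as text. created/expires use TIME_FMT."""
    nonce = nonce or os.urandom(16)
    env = ET.Element(q(NS_S, "Envelope"))
    header = ET.SubElement(env, q(NS_S, "Header"))
    sec = ET.SubElement(header, q(NS_WSSE, "Security"),
                        {q(NS_S, "mustUnderstand"): "1"})
    ts = ET.SubElement(sec, q(NS_WSU, "Timestamp"))
    ET.SubElement(ts, q(NS_WSU, "Created")).text = created
    ET.SubElement(ts, q(NS_WSU, "Expires")).text = expires
    tok = ET.SubElement(sec, q(NS_WSSE, "UsernameToken"))
    ET.SubElement(tok, q(NS_WSSE, "Username")).text = username
    pw = ET.SubElement(tok, q(NS_WSSE, "Password"), {"Type": "wsse:PasswordDigest"})
    pw.text = password_digest(nonce, created, password)
    ET.SubElement(tok, q(NS_WSSE, "Nonce")).text = base64.b64encode(nonce).decode("ascii")
    ET.SubElement(tok, q(NS_WSSE, "Created")).text = created
    ET.SubElement(env, q(NS_S, "Body")).append(ET.fromstring(body_xml))
    return ET.tostring(env, encoding="unicode")


def verify_envelope(xml_text, lookup_password, now, seen_nonces=None):
    """Receiver side. Returns (accepted, reason or username).

    now: current UTC time in TIME_FMT. seen_nonces: optional set used as a
    replay cache; a nonce is remembered only after the digest has checked out."""
    root = ET.fromstring(xml_text)
    sec = root.find("./%s/%s" % (q(NS_S, "Header"), q(NS_WSSE, "Security")))
    if sec is None:
        return False, "no wsse:Security header"
    expires = sec.findtext("./%s/%s" % (q(NS_WSU, "Timestamp"), q(NS_WSU, "Expires")))
    if expires is None:
        return False, "no wsu:Timestamp"
    if datetime.strptime(now, TIME_FMT) > datetime.strptime(expires, TIME_FMT):
        return False, "message expired"
    tok = sec.find(q(NS_WSSE, "UsernameToken"))
    if tok is None:
        return False, "no wsse:UsernameToken"
    user = tok.findtext(q(NS_WSSE, "Username"))
    secret = lookup_password(user)
    if secret is None:
        return False, "unknown user"
    nonce_b64 = tok.findtext(q(NS_WSSE, "Nonce")) or ""
    if seen_nonces is not None and nonce_b64 in seen_nonces:
        return False, "nonce replayed"
    expected = password_digest(base64.b64decode(nonce_b64),
                               tok.findtext(q(NS_WSSE, "Created")) or "", secret)
    if not hmac.compare_digest(expected, tok.findtext(q(NS_WSSE, "Password")) or ""):
        return False, "password digest mismatch"
    if seen_nonces is not None:
        seen_nonces.add(nonce_b64)
    return True, user


if __name__ == "__main__":
    # Constructed sample exchange: a five-minute message lifetime.
    env = build_envelope("alice", "s3cret", "2003-03-01T10:00:00Z",
                         "2003-03-01T10:05:00Z", "<GetQuote>ACME</GetQuote>")
    print(env)
    print(verify_envelope(env, {"alice": "s3cret"}.get, "2003-03-01T10:01:00Z"))
```

The receiver compares the digest with a constant-time comparison and rejects a message whose wsu:Expires lies in the past, which is the "timestamping and message expiration" control on the requirements slide; the nonce cache is the corresponding replay control for tokens that are otherwise identical on the wire.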
Security Issues in Grid computing - Components
- Authentication: password based; Kerberos based (authentication and key distribution protocol); SSL authentication; PKI/certificate based
- Authorisation
- Integrity and confidentiality: cryptography
- Assurance
- Accounting
- Audit

Authentication
Traditional systems: authenticate the user/client to protect the system.
Grid systems:
- Mutual authentication required
- Ensure that resources and data are not provided by an attacker
- Delegation of identity: the process that grants one principal the authority to act as another individual, i.e. to assume another's identity to perform certain functions. E.g., in Globus: use the gridmap file on a particular resource to map the authenticated user onto another's account, with the corresponding privileges
- Data origin authentication

Authorisation
Traditional systems: determine whether a particular operation is allowed based on the authenticated identity of the requester and local information.
Grid systems:
- Determine whether access to a resource/operation is allowed
- Access control list associated with resources, principals or authorised programs
- Distributed authorisation: distributed maintenance of authorisation information
- One approach: embed attributes in certificates. Restricted proxy: an authorisation certificate that grants authority to perform an operation on behalf of the grantor
- Alternative: a separate authorisation server

Assurance, Accounting, Audit
- Assurance: when a service is requested, assure that the candidate service provider meets the requirements
- Accounting: means of tracking, limiting or charging for the consumption of resources
- Audit: record operations performed by systems and associate actions with principals; find out what went wrong (the typical role of Intrusion Detection Systems)
OGSA Security
Built upon WS-Security.

OGSA Security Roadmap - Specifications (1)
- Naming: OGSA Identity Specification; OGSA Target/Action Naming Specification; OGSA Attribute and Group Naming Specification; Transient Service Identity Acquisition Specification
- Translating between Security Realms: Identity Mapping Service Specification; Generic Name Mapping Specification; Policy Mapping Service Specification; Credential Mapping Service Specification
- Authentication Mechanism Agnostic: Certificate Validation Service Specification; OGSA-Kerberos Services Specifications
- Pluggable Session Security: GSSAPI-SecureConversation Specification

OGSA Security Roadmap - Specifications (2)
- Pluggable Authorization Service: OGSA-Authorization Service Specification
- Authorization Policy Management: Coarse-grained Authorization Policy Management Specification; Fine-grained Authorization Policy Management Specifications
- Trust Policy Management: OGSA Trust Service Specification
- Privacy Policy Management: Privacy Policy Framework Specification
- VO Policy Management: VO Policy Service Specification
- Delegation: Identity Assertion Profile Specification; Capability Assertion Profile Specification

OGSA Security Roadmap - Specifications (3)
- Firewall "Friendly": OGSA Firewall Interoperability Specification
- Security Policy Expression and Exchange: Grid Service Reference and Service Data Security Policy Decoration Specification
- Secure Service Operation: Secure Service's Policy and Processing Specification; Service Data Access Control Specification
- Audit and Secure Logging: OGSA Audit Service Specification; OGSA Audit Policy Management Specification

Trust establishment process (1)
1. Binding an entity identity to a Distinguished Name (DN, the subject name in an X.509 identity certificate). Trust in this step is accomplished through the (published and audited) policy-based identity verification procedures of the Certification Authority that issues the identity certificates.
2. Binding a public key to the DN (generating an X.509 certificate). Trust in this step is accomplished through the (published and audited) policy-based operational procedures of the issuing Certification Authority (CA).
3. Assurance that the public key that is presented actually represents the user. Trust in this step comes from the cryptography and protocols of the Public Key Infrastructure.
4. Assurance that a message tied to the entity DN could only have originated with that entity. Trust that a message signed by a private key could only have been signed by the private key corresponding to the public key (and therefore by the named entity, via the X.509 certificate) comes from public key cryptography. Trust in this step also rests on user key management (the mechanism by which the user limits the use of its identity), which is assured by user education, care in dealing with one's cyber environment, and a shared understanding of the significance of the private key.

Trust establishment process (2)
5. Mutual authentication, whereby the two ends of a communication channel agree on each other's identity. Trust in this step is through the cryptographic techniques and protocols of the Transport Layer Security (TLS) standard.
6. Delegation of identity to remote Grid systems. Trust in this step is through the cryptographic techniques and protocols for generating, managing, and using proxy certificates that are directly derived from the CA-issued identity certificates.
Remote Authentication, Delegation, and Secure Communication in Grid
- Remote authentication is accomplished by techniques that verify a cryptographic identity in a way that establishes trust in an unbroken chain from the relying party back to a named human, system, or service identity. This is accomplished in a sequence of trusted steps, each one of which is essential in order to get from accepting a remote user on a Grid resource back to a named entity.
- Delegation involves generating and sending a proxy certificate and its private key to a remote Grid system so that the remote system may act on behalf of the user. This is the essence of the single sign-on provided by the Grid: a user/entity proves its identity once and then delegates its authority to remote systems for subsequent processing steps.
- A secure communication channel is derived from the Public Key Infrastructure process and the IETF Transport Layer Security protocol.

Globus Grid Security Infrastructure (GSI)
- Operational solution providing the security infrastructure for the Globus Toolkit
- Targeted problems: thousands of users, thousands of certificates, many CAs (with different policies); grid-wide user groups and roles are needed; no grid-wide logging or auditing; need for anonymous users
- Intended to evolve into OGSA Security
- GSI components:
  - Proxy Certificate Profile: provides proxy credentials to allow single sign-on and to provide delegated credentials for use by agents and servers
  - Online Credential Retrieval to create and manage proxy certificates
  - Impersonation certificate and restricted delegation certificate
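Delegation step 6 and the GSI proxy credentials above, together with the Globus gridmap mapping from the Authentication slide, as an added example that is not code from the slides or from Globus: a relying party validates a leaf-first proxy certificate chain against the structural rules of the Proxy Certificate Profile (a PC is issued by an EEC or another PC, a PC never issues an EEC, every PC has its own key, the PC identity is derived from the issuer's identity and is unique, and the proxy extension's path-length policy bounds further delegation), recovers the end-entity DN, and maps it to a local account through a grid-mapfile. Assumptions: cryptographic signature verification of each certificate is done by the X.509 library beforehand and is not repeated here; DNs use OpenSSL slash notation; the derivation rule "proxy subject = issuer subject plus exactly one CN" and the path-length constraint follow RFC 3820; the certificates and the grid-mapfile are constructed sample data.

```python
"""Added example: proxy chain path validation plus grid-mapfile lookup."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str                          # e.g. "/C=NL/O=ExampleGrid/CN=Alice"
    issuer: str
    kind: str                             # "CA", "EEC" or "PC"
    key_id: str                           # stands in for this cert's public key
    proxy_path_len: Optional[int] = None  # ProxyCertInfo path length (PCs only)


def validate_chain(chain: List[Cert]) -> Tuple[bool, str]:
    """chain is leaf-first: [PC, ..., PC, EEC, CA].

    Signatures are assumed already verified. Returns (True, eec_subject) when
    the chain obeys the proxy profile rules, else (False, reason)."""
    if not chain or chain[-1].kind != "CA" or chain[-1].issuer != chain[-1].subject:
        return False, "chain must end in a self-signed CA certificate"
    if len({c.key_id for c in chain}) != len(chain):
        return False, "every certificate must have its own key pair"
    eec = None
    for i, cert in enumerate(chain[:-1]):
        issuer = chain[i + 1]
        if cert.issuer != issuer.subject:
            return False, "issuer name mismatch at " + cert.subject
        if cert.kind == "EEC":
            if issuer.kind != "CA":
                return False, "an EEC can only be issued by a CA, never by a PC"
            eec = cert
        elif cert.kind == "PC":
            if eec is not None or issuer.kind not in ("EEC", "PC"):
                return False, "a PC must be issued by an EEC or by another PC"
            extra = cert.subject[len(issuer.subject):]
            if not cert.subject.startswith(issuer.subject + "/CN=") or extra.count("/") != 1:
                return False, "PC subject must be the issuer subject plus exactly one CN"
            # i + 1 PCs sit below this issuer; the issuer's policy bounds that depth
            if issuer.proxy_path_len is not None and i + 1 > issuer.proxy_path_len:
                return False, "proxy path length constraint exceeded"
        else:
            return False, "unexpected certificate kind " + cert.kind
    if eec is None:
        return False, "no end entity certificate in chain"
    return True, eec.subject


def parse_gridmap(text: str) -> dict:
    """Parse grid-mapfile lines of the form '"/DN with spaces" account1,account2'."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith('"'):
            end = line.find('"', 1)
            if end < 0:
                continue                      # unterminated DN: ignore the line
            dn, accounts = line[1:end], line[end + 1:]
        else:
            dn, _, accounts = line.partition(" ")
        mapping[dn] = [a for a in accounts.strip().split(",") if a]
    return mapping


def local_account(chain: List[Cert], gridmap: dict) -> Optional[str]:
    """Globus-style mapping: validate the chain, then look up the EEC DN.
    Returns the first mapped account, or None if the chain is bad or unmapped."""
    ok, result = validate_chain(chain)
    if not ok:
        return None
    accounts = gridmap.get(result, [])
    return accounts[0] if accounts else None


# Constructed sample chain: CA -> Alice's EEC -> proxy -> proxy (delegated twice).
CA = Cert("/C=NL/O=ExampleGrid/CN=Example CA", "/C=NL/O=ExampleGrid/CN=Example CA", "CA", "k-ca")
EEC = Cert("/C=NL/O=ExampleGrid/CN=Alice", CA.subject, "EEC", "k-alice")
PC1 = Cert(EEC.subject + "/CN=11", EEC.subject, "PC", "k-p1", proxy_path_len=1)
PC2 = Cert(PC1.subject + "/CN=27", PC1.subject, "PC", "k-p2", proxy_path_len=0)
SAMPLE_CHAIN = [PC2, PC1, EEC, CA]
SAMPLE_GRIDMAP = parse_gridmap('''
# constructed grid-mapfile
"/C=NL/O=ExampleGrid/CN=Alice" alice,gridusers
"/C=NL/O=ExampleGrid/CN=Bob" bob
''')

if __name__ == "__main__":
    print(validate_chain(SAMPLE_CHAIN), local_account(SAMPLE_CHAIN, SAMPLE_GRIDMAP))
```

The mapping is done on the EEC subject recovered from the chain, never on the proxy's own name, so a delegated credential lands in the same local account as the user who delegated it; a PC whose name is not derived from its issuer, or that sits below a proxy with an exhausted path length, is rejected before any lookup happens.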
Proxy Certificate Profile
- Impersonation, used for Single Sign-On and Delegation: unrestricted impersonation; restricted impersonation defined by policy
- Proxy with Unique Name: allows use in conjunction with Attribute Certificates; used when the proxy identity is referenced by a 3rd party or interacts with VO policy
- Proxy Certificate (PC) properties:
  - It is signed by either an X.509 End Entity Certificate (EEC) or by another PC. This EEC or PC is referred to as the Proxy Issuer (PI).
  - It can sign only another PC. It cannot sign an EEC.
  - It has its own public and private key pair, distinct from any other EEC or PC.
  - It has an identity derived from the identity of the EEC that signed the PC. Although its identity is derived from the EEC's identity, it is also unique.
  - It contains a new X.509 extension to identify it as a PC and to place policies on the use of the PC. This new extension, along with other X.509 fields and extensions, is used to enable proper path validation and use of the PC.

Reference: PKC vs AC: Purposes
- An X.509 PKC binds an identity and a public key
- An AC is a component of the X.509 role-based PMI
- An AC contains no public key
- An AC may contain attributes that specify group membership, role, security clearance, or other authorisation information associated with the AC holder
- Analogy: a PKC is like a passport, and an AC is like an entry visa
- A PKC is used for authentication and an AC is used for authorisation
- An AC may be included in an authentication message
- A PKC relies on a Certification Authority; an AC requires an Attribute Authority (AA)

PKC vs AC: Certificate structure
- X.509 PKC: Version, Serial number, Signature, Issuer, Validity, Subject, Subject Public Key Info, Issuer unique identifier, Extensions
- AC: Version, Holder, Issuer, Signature, Serial number, Validity, Attributes, Issuer unique ID, Extensions

X.509 PKC Fields and Extensions - RFC 3280
- X.509 PKC Fields: Serial Number, Subject, Subject Public Key, Issuer Unique ID, Subject Unique ID
- X.509 PKC Extensions (standard extensions): Authority Key Identifier, Subject Key Identifier, Key Usage, Extended Key Usage, CRL Distribution List, Private Key Usage Period, Certificate Policies, Policy Mappings, Subject Alternative Name, Issuer Alternative Name, Subject Directory Attributes, Basic Constraints, Name Constraints

AC Attribute Types and AC Extensions
- AC Attribute Types: Service Authentication Information, Access Identity, Charging Identity, Group, Role, Clearance, Profile of AC
- AC Extensions: Audit Identity (to protect privacy and provide anonymity; may be traceable via the AC issuer), AC Targeting, Authority Key Identifier, Authority Information Access, CRL Distribution Points

Other Technologies to look for IIDS
- SIP (Session Initiation Protocol) based technologies
- Instant Messaging and Presence Protocol (SIP based)

XML Web Services technologies for IIDS
Discussion

[Figure: XML Encryption of selected parts for selected targets. Left: User A (knows pubK B) encrypts FileA/DocA with/for pubK B, giving an encrypted file (pubK B) that is decrypted with privK B; only User B can open FileA with privK B. Right: User A (knows pubK B, C, D) encrypts select parts of XML Doc1 for select targets B, C, D; User B can read the whole Doc1 and decrypt only part B (with privK B); User C can read the whole Doc1 and decrypt only part D (with privK C).]
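The "PKC for authentication, AC for authorisation" split from the PKC vs AC slides above, as an added example that is not code from the slides: a relying party first authenticates a public key certificate (trusted CA, validity), then looks for an attribute certificate whose Holder names that PKC by issuer and serial number, checks the AC's issuing Attribute Authority, validity and AC Targeting extension, and grants access only if the AC carries the required attribute. Assumptions: signatures on both certificates are verified by the X.509 library before these checks run; the Holder is bound by issuer plus serial number (the baseCertificateID form of the RFC 3281 Holder field); dates are "YYYY-MM-DD" strings; all names, serials and attributes are constructed sample data.

```python
"""Added example: authentication with a PKC, authorisation with an AC."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class PKC:
    """Binds an identity (subject) to a public key; issued by a CA."""
    issuer: str
    serial: int
    subject: str
    public_key_id: str
    not_after: str


@dataclass(frozen=True)
class AC:
    """Carries attributes for a holder; no public key; issued by an AA."""
    issuer: str                      # the Attribute Authority
    serial: int
    holder_issuer: str               # Holder.baseCertificateID.issuer
    holder_serial: int               # Holder.baseCertificateID.serial
    attributes: Dict[str, List[str]]
    not_after: str
    target: Optional[str] = None     # AC Targeting: service this AC is valid for


def authenticate(pkc: PKC, trusted_cas: set, today: str) -> Tuple[bool, str]:
    """Authentication step: the PKC must come from a trusted CA and be valid."""
    if pkc.issuer not in trusted_cas:
        return False, "PKC not issued by a trusted CA"
    if today > pkc.not_after:
        return False, "PKC expired"
    return True, pkc.subject


def acs_for_holder(pkc: PKC, acs: List[AC]) -> List[AC]:
    """An AC belongs to a PKC only if its Holder names that PKC's issuer AND serial;
    the same serial under another CA is a different certificate."""
    return [ac for ac in acs
            if ac.holder_issuer == pkc.issuer and ac.holder_serial == pkc.serial]


def authorize(pkc, acs, trusted_cas, trusted_aas, service, attr, value, today):
    """Authorisation step: find a valid AC for this holder that grants attr=value
    for the requested service. Returns (allowed, reason)."""
    ok, reason = authenticate(pkc, trusted_cas, today)
    if not ok:
        return False, reason
    candidates = acs_for_holder(pkc, acs)
    if not candidates:
        return False, "no attribute certificate for this holder"
    for ac in candidates:
        if ac.issuer not in trusted_aas:
            continue                          # AA not trusted by this resource
        if today > ac.not_after:
            continue                          # AC expired
        if ac.target is not None and ac.target != service:
            continue                          # AC targeted at another service
        if value in ac.attributes.get(attr, []):
            return True, "granted by AC %d from %s" % (ac.serial, ac.issuer)
    return False, "no valid AC grants %s=%s for %s" % (attr, value, service)


# Constructed sample data
TRUSTED_CAS = {"CN=Example CA"}
TRUSTED_AAS = {"CN=Example VO Attribute Authority"}
ALICE_PKC = PKC("CN=Example CA", 1001, "CN=Alice", "key-alice", "2030-12-31")
ALICE_AC = AC("CN=Example VO Attribute Authority", 7, "CN=Example CA", 1001,
              {"role": ["operator"], "group": ["vo-example"]}, "2030-06-30",
              target="storage-service")
SAMPLE_ACS = [ALICE_AC]

if __name__ == "__main__":
    print(authorize(ALICE_PKC, SAMPLE_ACS, TRUSTED_CAS, TRUSTED_AAS,
                    "storage-service", "role", "operator", "2025-01-01"))
```

Because the AC carries no key, possessing one proves nothing by itself; the PKC (and the private key behind it) does the proving, and the AC only says what the proven identity may do, which is why the two are checked in that order and against two different trust lists (CAs and AAs).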
[Figure: XML Signature of selected parts by multiple parties. User/System A creates XML Doc1 (JobDescr) and signs it with SigA (XMLSigA). Users/Systems B, C, D sign selected parts with their privK B, C, D (SigB, SigC, SigD) and can add new information and re-sign the document. The receiver validates the integrity of XML Doc1 by validating all signatures.]