Security and Certificate Management (30 min)

Security: General goals
- Identification of users and services
- Authentication of the identity of these users and services
- Authorization for access to resources
- Privacy of data (files, streams, control, etc.)
- Public Key Infrastructure provides standards and mechanisms to fulfill these needs

Security: Identification
- Users and services identified with a public key identity certificate issued by a trusted certificate authority
- An identity certificate contains:
  - Information about the subject of the certificate
  - A public key representing the subject
  - The digital signature of the CA issuing the cert

Identity Certificates
For example, a Globus identity certificate:

    % openssl x509 -noout -text -in ~/.globus/usercert.pem
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 6060 (0x17ac)
            Signature Algorithm: md5WithRSAEncryption
            Issuer: C=US, O=Globus, CN=Globus Certification Authority
            Validity
                Not Before: Jan  7 20:22:19 2002 GMT
                Not After : Jan  7 20:22:19 2003 GMT
            Subject: O=Grid, O=Globus, OU=mcs.anl.gov, CN=Bob Olson
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (1024 bit)
                    Modulus (1024 bit):
                        00:cd:7d:bb:ae:30:bb:c1:74:2d:e4:6e:d4:30:6e:
                        [etc]
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                Netscape Cert Type:
                    SSL Client, SSL Server
        Signature Algorithm: md5WithRSAEncryption
            23:14:96:05:0d:db:ce:aa:70:17:03:5a:07:31:a0:81:e3:10:
            [etc]

[Diagram: certificate layout, labelled "Subject information", "Subject Public Key", "CA Signature"]

Security: Authentication
- Assumptions:
  - Authentication takes place on a transaction between a client and a server
  - Client and server each hold an identity cert
- Authentication is mutual: after completion, client and server have verified the identity of the other party
- Secured communications in AG2 use Globus... which uses SSL/TLS
- SSL/TLS defines a protocol for a secure handshake with mutual authentication.

Security: Authorization
- Authorization is the process of gating access to a resource based on some criteria.
- Many different approaches, few standards.
  - Access control lists
  - Role-based authorization
  - Attribute certificates
- AG2 approach: provide building blocks for applications to define authorization.
- Reference implementation uses a basic role-based authorization scheme.

Security: Privacy
- Usually what people think of when they think of security
- Straightforward, once authentication and authorization issues are overcome
- Globus Security Infrastructure uses SSL/TLS mechanisms for privacy
  - Typically, symmetric encryption with session keys negotiated at session startup.
- Media data uses AES encryption with session keys distributed over secure channels.

Practical security issues
- In AG2.0 Alpha, each user must have an identity certificate
- Identity certs issued by Certificate Authorities
  - AG Development CA
  - Globus test CA
  - DOE Science Grid CA
  - Commercial CA (Verisign, Thawte, ...)
- Certificate Safety
  - If the private key for a cert is compromised, the cert cannot be trusted
  - Hence, users have responsibility for maintaining the safety of their keys
- The use of identity certificates is often cumbersome

Identity Maintenance Alternatives
- NCSA MyProxy
  - Online proxy storage for standard identity certificates
  - Medium-term expiration proxies kept at a central server
  - Proxies created via username/password authentication
- Online CA with username/password support
  - Identity certificates held at an online CA
  - Proxies created via username/password authentication
  - No requirement for user storage of certs
- Integration with Shibboleth or other single sign-on infrastructure

Trust issues
- If a CA is not trusted by a service, then no certificates issued by that CA are trusted
- CA trust is a minimum requirement for access

Goals of the Security Services Architecture
- Provide a concrete implementation of the things we know we want
  - Identity
    - Basic services for obtaining and managing identity
  - Secure control communications
  - Access control for venues
  - Privacy of media streams
  - API for use throughout the system
- Provide hooks / APIs / protocols for future extensibility
  - Correct solutions not yet clear
  - Single Sign-on

Identity
- X.509 Identity Certificates
- Problems
  - Key management
  - Semantics of identity
  - Establishing trust
  - Casual / one-time users
  - Host certificates
- Initial implementation: Globus identity certificates
  - Globus Project runs a CA
  - Other entities can run CAs as desired (trust)
  - Enough to bootstrap the project

Proxy Certificates
- Mechanism to support single sign-on
- Create short-lived proxy identity certificates from a long-lived certificate
- Why?
  - Proxies kept without passphrases
  - Delegation mechanism used in Globus for information access, process startup, etc.
  - Restricted proxies

Key Management
- Private key lives on disk in one location
- But I want to use my identity anywhere
- MyProxy:

Key Management
- Possibly not ideal
  - MyProxy server is a possible single point of failure
  - Paranoia factor: do I want a proxy held by someone else?
  - But limited lifetimes and restricted proxies help
- Other solutions
  - Online CAs where keys are retrievable at any time
  - Username/password registration certificate
  - ???
- Answers here provide for single sign-on

Secure communications
- Authentication
  - Ensure both sides have certificates
  - Verification rules (trusted CAs, etc.)
- SSL / GSI
- XMLRPC over HTTPS

Access Control
- Hard problem: dynamic groups, dynamic resources
- Multiple mechanisms
  - Simple ACLs
  - Directory-based group authorizations (mod_ldap_auth)
  - Globus Community Authorization Services
  - Akenti
  - Capability certificates
- Initial choices...
  - Likely simple ACLs or LDAP solutions
  - Still to be decided, and may depend on context

Stream Security
- Current vic / rat support
  - AES/Rijndael encryption
  - Key distribution via venue services mechanisms
  - Per RFC1889
- Vague worries...
  - Are keys recoverable (in the face of many gigabytes of encrypted data)?
  - Rekeying intervals?
- IETF Secure RTP draft (draft-ietf-avt-srtp-02)
  - Implementations?
  - Who's interested?
- However...

How much do we care?
- What is the level of paranoia?
- What is the acceptable level of inconvenience for security?
- Do we want military-level cryptographic protections, or just to keep the demo folks out of our group meeting?
- Auditing?
- Interested in user perspectives
  - GGF ACE-RG draft Informational Document on Security Scenarios
  - Possibility of spinning up a GGF ACE Security WG

Firewalls
- How paranoid are the firewall admins?
- Current solutions
  - Put AG outside the firewall
  - Burn holes through the firewall
- Interested in usage scenarios and acceptable practices from firewall admins
- Future solutions
  - AG media / control proxies on the firewall?
  - Mutual authentication agreements between firewall and AG infrastructure
  - ???
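The rules behind the Proxy Certificates, Key Management and Trust issues slides, as an added Python example that is not part of the original talk or of the Access Grid toolkit: a toy model of a proxy chain (no real X.509 parsing) in which the long-lived identity cert and a short-lived restricted proxy are checked for validity at the time of the request, a trusted issuing CA, GSI-style "/CN=proxy" naming, lifetime and rights narrowing. The rights vocabulary, the "proxy may not outlive its signer" rule and all helper names are this example's own assumptions; the CA name, Bob's DN and the cert dates are taken from the openssl output on the Identity Certificates slide.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import FrozenSet, List, Tuple

# Rights vocabulary for restricted proxies: an assumption of this example,
# not a list taken from the Access Grid toolkit.
ALL_RIGHTS: FrozenSet[str] = frozenset({"enter-venue", "read-data", "start-process"})


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 cert: only the fields the chain checks need."""
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime
    rights: FrozenSet[str] = ALL_RIGHTS  # a restricted proxy narrows this set


class ChainError(ValueError):
    """Raised when the presented chain must be rejected."""


def validate_chain(chain: List[Cert], trusted_cas: FrozenSet[str],
                   now: datetime) -> Tuple[str, FrozenSet[str]]:
    """Verify a proxy chain and return (effective identity, effective rights).

    chain[0] is the cert the client presents (a proxy, or the identity cert
    itself); chain[-1] is the long-lived identity cert signed by a CA.
    """
    if not chain:
        raise ChainError("empty chain")
    # Every link, proxy or not, must be inside its validity window right now.
    for cert in chain:
        if not (cert.not_before <= now <= cert.not_after):
            raise ChainError(f"{cert.subject} is not valid at {now.isoformat()}")
    identity = chain[-1]
    # Trust issues slide: an untrusted CA makes every cert it issued untrusted.
    if identity.issuer not in trusted_cas:
        raise ChainError(f"issuing CA {identity.issuer!r} is not trusted")
    rights = identity.rights
    # Walk from the presented proxy up to the identity cert, one link at a time.
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            raise ChainError(f"{child.subject} was not signed by {parent.subject}")
        # Legacy GSI proxy naming: the proxy's subject is its signer's subject
        # with "/CN=proxy" appended, so the original identity stays visible.
        if child.subject != parent.subject + "/CN=proxy":
            raise ChainError(f"{child.subject} does not follow proxy naming")
        # Policy enforced by this example: a proxy may not outlive its signer.
        if child.not_after > parent.not_after:
            raise ChainError(f"{child.subject} outlives its signer")
        # Delegation can only narrow rights, never widen them.
        rights = rights & child.rights
    return identity.subject, rights


GLOBUS_CA = "/C=US/O=Globus/CN=Globus Certification Authority"  # issuer from the slide
BOB = "/O=Grid/O=Globus/OU=mcs.anl.gov/CN=Bob Olson"            # subject from the slide
NOW_OK = datetime(2002, 1, 8, 10, 0)    # constructed: one hour into the proxy's life
NOW_LATE = datetime(2002, 1, 9, 10, 0)  # constructed: the proxy has expired by then


def sample_chain(ca: str = GLOBUS_CA, proxy_hours: int = 12) -> List[Cert]:
    """Constructed sample: Bob's one-year identity cert (dates as on the slide)
    plus a short-lived, restricted proxy created from it for venue entry only."""
    identity = Cert(subject=BOB, issuer=ca,
                    not_before=datetime(2002, 1, 7, 20, 22, 19),
                    not_after=datetime(2003, 1, 7, 20, 22, 19))
    proxy_start = datetime(2002, 1, 8, 9, 0, 0)
    proxy = Cert(subject=BOB + "/CN=proxy", issuer=BOB,
                 not_before=proxy_start,
                 not_after=proxy_start + timedelta(hours=proxy_hours),
                 rights=frozenset({"enter-venue"}))
    return [proxy, identity]


def check(chain: List[Cert], now: datetime,
          trusted_cas: FrozenSet[str] = frozenset({GLOBUS_CA})) -> str:
    """Convenience wrapper returning a one-line verdict instead of raising."""
    try:
        subject, rights = validate_chain(chain, trusted_cas, now)
        return f"accept {subject} with rights {sorted(rights)}"
    except ChainError as err:
        return f"reject: {err}"


if __name__ == "__main__":
    print(check(sample_chain(), NOW_OK))                                   # fresh proxy
    print(check(sample_chain(), NOW_LATE))                                 # proxy expired
    print(check(sample_chain(ca="/O=Demo/CN=Untrusted CA"), NOW_OK))       # CA not trusted
    print(check(sample_chain(proxy_hours=24 * 400), NOW_OK))               # outlives signer
```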
Security and Certificate Management
- Discussion of AG security in the abstract
- How does the AG approach security
- Using the AG security mechanisms

User goals of AG security
- Privacy of venue interactions when desired
  - Privacy of audio and video
  - Privacy of documents and applications
- Restriction of access to a venue
- Determination of the identity of fellow venue participants
- Protection of software from attack

Classic components of computer security
- In the abstract:
  - Identification of users and services
  - Authentication of the identity of these users and services
  - Authorization for access to resources
  - Confidentiality of data (files, streams, control, etc.)
  - (Non-repudiation)
- More concretely...

Identification
- Each user identified (*)
- Each server or service identified (*)
- Similar to the mechanism used by SSL-secured websites (do you check their certificates?)

Authentication
- Mechanism by which an assertion of identity is verified
- In the AG, authentication is performed each time a client/server transaction occurs
  - (Provided by the underlying toolkit)

Authorization
- Determination of whether the authenticated identity of the requestor is allowed access to a resource
- AG toolkit defines role-based authorization mechanisms
  - Access control to venues
  - Administrative access to venues, venue servers

Confidentiality
- Privacy of control connections (SSL)
- Privacy of media streams (media tools + AES/Rijndael)
- Privacy of venue data, other venue app interactions (SSL)

How are these accomplished?
- Key supporting technology: Public-key Infrastructure
- Identity asserted by X.509 Identity Certificate
  - Document containing a
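The role-based authorization the Authorization slide describes (access control to venues, administrative access to venues and venue servers), as an added Python example that is not the toolkit's own code: a per-venue policy in which roles hold certificate DNs or other roles (nested groups, in the spirit of the directory-based group authorizations mentioned on the Access Control slide), decisions default to deny, and every decision is recorded for audit. Role names, action names and every DN except Bob's are constructed for this example.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

ANYBODY = "*"          # wildcard member: every authenticated DN holds the role
ROLE_PREFIX = "role:"  # a member "role:X" nests role X (a group inside a group)


@dataclass
class VenuePolicy:
    """Role-based policy for one venue.  Role and action names are this
    example's own; the Access Grid toolkit's actual names may differ."""
    roles: Dict[str, Set[str]] = field(default_factory=dict)    # role -> members
    actions: Dict[str, Set[str]] = field(default_factory=dict)  # action -> granting roles
    audit: List[Tuple[str, str, bool]] = field(default_factory=list)

    def add_member(self, role: str, member: str) -> None:
        self.roles.setdefault(role, set()).add(member)

    def grant(self, action: str, *roles: str) -> None:
        self.actions.setdefault(action, set()).update(roles)

    def members_of(self, role: str) -> Set[str]:
        """Flatten nested roles transitively; `seen` guards against cycles."""
        members: Set[str] = set()
        pending, seen = [role], set()
        while pending:
            current = pending.pop()
            if current in seen:
                continue
            seen.add(current)
            for entry in self.roles.get(current, set()):
                if entry.startswith(ROLE_PREFIX):
                    pending.append(entry[len(ROLE_PREFIX):])
                else:
                    members.add(entry)
        return members

    def roles_of(self, dn: str) -> Set[str]:
        """All roles the authenticated DN holds, directly, by nesting, or via the wildcard."""
        held = set()
        for role in self.roles:
            members = self.members_of(role)
            if dn in members or ANYBODY in members:
                held.add(role)
        return held

    def is_authorized(self, dn: str, action: str) -> bool:
        """Default deny: the DN must hold at least one role that grants the action.
        Each decision is appended to the audit trail (the slides' "Auditing?")."""
        granting = self.actions.get(action, set())
        decision = bool(self.roles_of(dn) & granting)
        self.audit.append((dn, action, decision))
        return decision


BOB = "/O=Grid/O=Globus/OU=mcs.anl.gov/CN=Bob Olson"          # DN from the openssl output
ALICE = "/O=Grid/O=Globus/OU=mcs.anl.gov/CN=Alice Example"  # constructed
DAVE = "/O=Grid/O=Demo/CN=Dave Demo"                         # constructed: not a member


def sample_policy() -> VenuePolicy:
    """Constructed group-meeting venue: staff may enter and add data, only the
    administrator may remove users, anyone authenticated may read the description."""
    policy = VenuePolicy()
    policy.add_member("Administrators", BOB)
    policy.add_member("MCSStaff", ALICE)
    policy.add_member("AllowedEntry", "role:MCSStaff")
    policy.add_member("AllowedEntry", "role:Administrators")
    policy.add_member("Everybody", ANYBODY)
    policy.grant("Enter", "AllowedEntry")
    policy.grant("AddData", "AllowedEntry")
    policy.grant("RemoveUser", "Administrators")
    policy.grant("ViewDescription", "Everybody")
    return policy


def decisions(policy: VenuePolicy) -> Dict[Tuple[str, str], bool]:
    """Evaluate a fixed set of (DN, action) requests against the policy."""
    requests = [(BOB, "Enter"), (ALICE, "Enter"), (DAVE, "Enter"),
                (DAVE, "ViewDescription"), (ALICE, "RemoveUser"),
                (BOB, "RemoveUser"), (BOB, "ShutdownServer")]
    return {req: policy.is_authorized(*req) for req in requests}


if __name__ == "__main__":
    venue = sample_policy()
    for (dn, action), allowed in decisions(venue).items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {action:15} {dn}")
```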
issued by that CA are trusted CA trust is a minimum requirement for access ZX-X   +Goals of the Security Services Architecture+Provide a concrete implementation of the things we know we want Identity Basic services for obtaining and managing identity Secure control communications Access control for venues Privacy of media streams API for  !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNjPQSTUVWXYZ[\]^_`abcdefiklmnopqrstuvwxy{|}~Root EntrydO)P= CrPicturesCurrent User9/SummaryInformation(\ PowerPoint Document(~DocumentSummaryInformation8&0DTimes New Romand 0 & 0DCourier Newmand 0 & 01 DArialr Newmand 0 & 0"0DSymbol Newmand 0 & 0 ` .  @n?" dd@  @@`` phlX      ,2$@:6]2c $@{uʚ;2Nʚ;g4XdXdd 0ppp@ <4!d!dg? 0`|<4ddddg? 0`|<4ddddg? 0`| $:$Security and Certificate Management mDiscussion of AG security in the abstract How does the AG approach security Using the AG security mechanisms User goals of AG securityPrivacy of venue interactions when desired Privacy of audio and video Privacy of documents and applications Restriction of access to venue Determination of identity of fellow venue participants Protection of software from attack6+`Z+`Z'Classic components of computer securityIn the abstract: Identification of users and services Authentication of the identity of these users and services Authorization for access to resources Confidentiality of data (files, streams, control, etc.) (Non-repudiation) More concretely& - *IdentificationEach user identified (*) Each server or service identified (*) Similar to mechanism used by SSL-secured websites (do you check their certificates?) 
Z?U#UAuthenticationMechanism by which an assertion of identity is verified In the AG, authentication performed each time a client/server transaction occurs (Provided by underlying toolkit) AuthorizationDetermination if the authenticated identity of the requestor is allowed access to a resource AG toolkit defines role-based authorization mechanisms Access control to venues Administrative access to venues, venue servers&HHConfidentialityPrivacy of control connections (SSL) Privacy of media streams (media tools + AES/Rijndael) Privacy of venue data, other venue app interactions (SSL) Q=Security: IdentificationUsers and services identified with a public key identity certificate issued by a trusted certificate authority An identity certificate contains: Information about the subject of the certificate A public key representing the subject The digital signature of the CA issuing the certV0"Identity CertificatesFor example, a Globus identity certificate: % openssl x509 -noout -text -in ~/.globus/usercert.pem Certificate: Data: Version: 3 (0x2) Serial Number: 6060 (0x17ac) Signature Algorithm: md5WithRSAEncryption Issuer: C=US, O=Globus, CN=Globus Certification Authority Validity Not Before: Jan 7 20:22:19 2002 GMT Not After : Jan 7 20:22:19 2003 GMT Subject: O=Grid, O=Globus, OU=mcs.anl.gov, CN=Bob Olson Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:cd:7d:bb:ae:30:bb:c1:74:2d:e4:6e:d4:30:6e: [etc] Exponent: 65537 (0x10001) X509v3 extensions: Netscape Cert Type: SSL Client, SSL Server Signature Algorithm: md5WithRSAEncryption 23:14:96:05:0d:db:ce:aa:70:17:03:5a:07:31:a0:81:e3:10: [etc]4,ZZ,C:QW*Security: AuthenticationAssumptions: Authentication takes place on a transaction between a client and a server Client and server each hold an identity cert Authentication is mutual: After completion, client and server have verified identity of the other party Secured communications in AG2 use Globus& & which uses 
SSL/TLS SSL/TLS defines protocol for a secure handshake with mutual authentication.X ZZZ Pb Security: AuthorizationYAuthorization is the process of gating access to a resource based on some criteria. Many different approaches, few standards. Access control lists Role-based authorization Attribute certificates AG2 approach: provide building blocks for applications to define authorization. Reference implementation uses a basic role-based authorization scheme.X~ZEZZ3CE Security: Privacy^Usually what people think when they think security Straightforward, once authentication and authorization issues overcome Globus Security Infrastructure uses SSL/TLS mechanisms for privacy Typically, symmetric encryption with session keys negotiated at session startup. Media data uses AES encryption with session keys distributed by secure channels._Z_z Practical security issues8In AG2.0 Alpha, each user must have an identity certificate Identity certs issued by Certificate Authorities AG Development CA Globus test CA DOE Science Grid CA CommeROrcial CA (Verisign, Thawte, & ) Certificate Safety If the private key for a cert is compromised, the cert cannot be trusted Hence, users have responsibility for maintaining safety of their keys The use of identity certificates is often cumbersometmZYZZZ5ZmY5PE4, !Identity Maintenance Alternatives""NCSA MyProxy Online proxy storage for standard identity certificates Medium-term expiration proxies kept at central server Proxies created via username/password authentication Online CA with username/password support Identity certificates held at an online CA Proxies created via username/password authentication No requirement for user storage of certs Integration with Shibboleth or other single sign-on infrastructure tZZ)ZZZ),PF   Trust issuesIf a CA is not trusted by a service, then no certificates issued by that CA are trusted CA trust is a minimum requirement for access ZX-X   +Goals of the Security Services Architecture+Provide a concrete 
implementation of the things we know we want Identity Basic services for obtaining and managing identity Secure control communications Access control for venues Privacy of media streams API for use throughout the system Provide hooks / APIs / Protocols for future extensibility  Correct solutions not yet clear Single Sign-ont@ZZ\Z"ZZ@\" Identity#X.509 Identity Certificates Problems Key management Semantics of identity Establishing trust Casual / one-time users Host Certificates Initial implementation: Globus identity certificates Globus Project runs a CA Other entities can run CAs as desired (trust) Enough to bootstrap the project t%ZbZ5ZgZZ%b5g>)4 Proxy CertificatesMechanism to support single sign-on Create short-lived proxy identity certificates from long-lived certificate Why? Proxies kept without passphrases Delegation mechanism used in Globus for information access, process startup, etc. Restricted proxies *vZZv, B Key ManagementZPrivate key lives on disk in one location But I want to use my identity anywhere MyProxy: QKey ManagementPossibly not ideal MyProxy server possible single point of failure Paranoia factor: Do I want a proxy held by someone else? But limited lifetimes and restricted proxies help Other solutions Online CAs where keys retrievable at any time  Username/Password registration certificate ??? 
Answers here provide for single sign-onZiZBZaZ(ZiBO(,~Secure communicationswAuthentication Ensure both sides have certificates Verification rules (trusted CAs, etc) SSL / GSI XMLRPC over HTTPS 6JJO&Access ControlXHard problem: dynamic groups, dynamic resources Multiple mechanisms Simple ACLs Directory-based group authorizations (mod_ldap_auth) Globus Community Authorization Services Akenti Capability Certificates Initial choices& Likely simple ACLs or LDAP solutions Still to be decided & may depend on contexttDZZZ9ZZD9bK*!7=Stream Security\Current vic / rat support AES/Rijndael encryption Key distribution via venues services mechanisms Per RFC1889 Vague worries& Are keys recoverable (in face of many gigabytes of encrypted data) Rekeying intervals? IETF Secure RTP draft (draft-ietf-avt-srtp-02) Implementations? Who s interested? However& t}ZWZ/Z#Z Z}W/# t  (1How much do we care?_What is the level of paranoia? What is the acceptable level of inconvenience for security? Do we want military level cryptographic protections, or just to keep the demo folks out of our group meeting? Auditing? Interested in user perspectives GGF ACE-RG draft Informational Document on Security Scenarios Possibility of spinning up GGF ACE Security WG`Z` FirewallsBHow paranoid are the firewall admins? Current solutions Put AG outside the firewall Burn holes through the firewall Interested in usage scenarios, acceptable practices from firewall admins Future solutions AG media / control proxies on firewall? Mutual authentication agreements between firewall and AG infrastructure ???\9Z<ZZZtZ9<Zt,   0(  x  c $P3P  3 x  c $S3 3 H  0޽h ? ̙33  p\$(  \r \ S |bP   r \ S 2  H \ 0޽h ? ̙33  0 <(   ~  s *Z3P  3 ~  s *x[3 3 H  0޽h ? ̙333  `$(  `r ` S &P   r ` S t*  H ` 0޽h ? ̙33  d$(  dr d S P   r d S P[  H d 0޽h ? ̙33  h$(  hr h S nP   r h S s  H h 0޽h ? ̙33  l$(  lr l S P   r l S #  H l 0޽h ? 
̙33x]yyI2Y0ƀ[+.ÀgfZ.K"Jnbvz=;$cIlNCPlGb/l #q*WS©1lcZIPo}{׳7L3f^]Xpgu&#WBk (C+S+Nc&ytgpMo8p-0 X 8pBEo\\t08 ~0=jۙW܎'p }vv?2j苉Lj`QĘ'`L/cY{&6Ax<qHO\ퟞ$2۾ obi˿ѾFՅ9_v{ӟ;ҁ?6MJ}⌺TW _+պ\W \VTsn;UpW ^k=Y,Hkws5+?xPwU]5l;ρ U/yg9pjy;wI:͏]z;a l{cxSPlȟFQQ3k9V1(Ʊ2&E  6C Ow2PnS4N4Xj])BK]-RAegmnܯ@sS9uϮ+'9] SI <'cҾʞ1k`'}{}zUi6 -vn-@nAfofSTM,V!:Hq(B:D׆5(p Zcj9ntmCCbeRLR}qI ')tK>n/ q\:jqHF t5g#0,W ƧK,8 k^;qI]-N&14櫾 a,Oka*JY#UqF, =: EH1R2R3_1_+*~;ogW)u/X1M;5ͤ|5Q.fkZƾY#&$nK*S"N&pY⩜ZT9ͪR((JIDY)BITtdPIzT)F35@T)P/uf$c70;0[(̰Ec 3\;M~&s,PX(PkkQ ;,|8N APe(ꌟ|AaPx7X$](05/ #\@Ks ݣ%]^2rHR}3(TT[Ãkꏙcx۪o 6k4 2ݘS}o+ Py31)y($BZ*&<4qDkDTU1%Q)fc=TOȢ&ugGxgŋb$Y1SH^VI}NTX0Y+mS95i/'oJ!M0,&),sd*'ΰ]fI~Hw~io?7]U'lKra9jc..I;$i%F-lu76LY-F6ёz4w:W-$jc9;5F!/kd&W<146 ΔAkz, 3d%qRgDŽz~I6jY4h4ZÅĀKbBR hHvigS# BH4m:͉ T }& Tj|m3vڬ@_5:SK,XhA X8;""8mzHb\R4+QCwRhFbhFr"!VK,FĚl$\a4 BfFFl$0cl՟-VW|}Cm-n0h8NŲ]Si5P{Z1+sӡn-Yy]k]HY yφ<ۅxNPW󒙆c(@~g6+F")[sZЮ"ݞ$`QXת B QiY3w 1iB "*&t[,RM^àx,z6K:n*eR=áׂFIDx"mղtY9S/0" Ǧt2:иa bu.`>*`j9A;y2baj:gnp SC6 ktWj5l^ֆۜm4 m4>9-O)T'k݇ؤb'Qw--cJsx+-8#۩6kyljߑN@  -&SLdژF9+XIXL%uoq]GzHa׈粯Epq0B#rB X6u 5RZ\TK @>v˭gY+ 4cd60bWTTOWnsEʷ^G8x$Olԩs1gv0P&z6mẊ5Ôē6vETXlӞKnҴŚr>= H1DKVl/릂U}uӲCt}1pNr9f_W-7ը'{"wжskrb jya_/eY}: &E6)rOē`NIT'57.kR5uFXY(1bZ^@{diUBȸ> ;¨enB.%. *#ST<-, H9䄑NN9SE=y w2ݰlgfJ2ʤ\=fnzBFCE`$.W\;^줢 ȘJiꊜ2~<ɍfШ^G2 aZ)bR, kBpJRe [/p\:MYbi2t"r:4ΗC8&O`qG]8q6O,]syi]fHJB{p~qSF4jؿ=3fAtdf^GEg L$s1 ڐa8}VH\H / f߼Z/g t8vTMfj܂8QP!&,9oA^N).]+F/3`p,iO-E#k^=ܐbV)VM9\Z(m6HtiqC!i>Yhs`ƘqV‰sR!HcFjNMwK,7Jo)բeC5b!#&#/:iicP)T퀦tZO+U=W2{p]zn,NձjվZ(Ԟ⼏ ~k}Ў4޺+F3`̫iYV>[u$uQIz4f?֓ }"H]pC6䋕}\[?_a$<3 >Nz{Dzb{Щ `F8(_lٕO?ӿYҍ"K'V ^/V;Զ'/U';? ew-MIY)ΗkCٳcp$ LP~87"d;E]{+]zXy)q7"l҈|Ts] xz==з8 -b0(*J'pTjK&4 ?PЦkת 3#nNTtu2_f8[}_G<)q,i^7[-zev_a- OcT3>)ԉ6ULD,7'!7Ҏcull}+{6U>l?dq'?a԰c. 
[File properties: "Security and Certificate Management", Microsoft PowerPoint, author olsonty]
Security and Certificate Management
- Discussion of AG security in the abstract
- How does the AG approach security
- Using the AG security mechanisms

User goals of AG security
- Privacy of venue interactions when desired
  - Privacy of audio and video
  - Privacy of documents and applications
- Restriction of access to a venue
- Determination of the identity of fellow venue participants
- Protection of software from attack

Classic components of computer security
In the abstract:
- Identification of users and services
- Authentication of the identity of these users and services
- Authorization for access to resources
- Confidentiality of data (files, streams, control, etc.)
- (Non-repudiation)
More concretely...

Identification
- Each user is identified
- Each server or service is identified
- Similar to the mechanism used by SSL-secured websites (do you check their certificates?)

Authentication
- The mechanism by which an assertion of identity is verified
- In the AG, authentication is performed each time a client/server transaction occurs
- (Provided by the underlying toolkit)

Authorization
- Determination of whether the authenticated identity of the requestor is allowed access to a resource
- The AG toolkit defines role-based authorization mechanisms
  - Access control to venues
  - Administrative access to venues, venue servers, ...

Confidentiality
- Privacy of control connections (SSL)
- Privacy of media streams (media tools + AES/Rijndael)
- Privacy of venue data and other venue application interactions (SSL)

How are these accomplished?
- Key supporting technology: Public-key Infrastructure
- Identity is asserted by an X.509 Identity Certificate
  - Contains a name and a public key
  - Digitally signed by a Certificate Authority
  - The signature asserts that the CA believes the holder of the matching private key has the identity named in the certificate
- Application protocols use a challenge/response mechanism to verify that the presenter of a cert actually holds the private key (the certificate itself is public; possessing a copy of it proves nothing)

PKI in the AG
- Each user has an identity cert
- Each server and service has an identity cert
- Communications use SSL (via the Globus Toolkit!)
  - SSL provides mutual authentication on each connection (client authentication is optional in SSL itself; GSI requires both sides to present certificates)
  - Each peer knows the identity of the other
  - SSL provides confidentiality

We're all set?
Well..
- "Digitally signed by a Certificate Authority"
  - Verifying this requires the identity certificate of the CA
  - How is that verified?
- Chain of certificates leading to a Root CA Certificate
  - The root CA cert is self-signed
  - Where does it come from?
- Applications are configured with a set of CA certificates (trust in a root is a configuration decision; a self-signature cannot establish it)
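The request, issue and trust-check steps described on the "We're all set?", "Managing Trust" and "What now?" slides, as an added Go example. This is not code from the AG toolkit or Globus, which do this with OpenSSL and GSI; it uses Go's crypto/x509 with Ed25519 keys, and the CA name, subjects and lifetimes are illustrative. It shows the private key staying on the requester's machine, the CA checking the request's self-signature before issuing, and a peer accepting a certificate only if it chains to a CA in that peer's own trusted set and is within its validity period.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Identity is a certificate plus its private key, as the Certificate Manager holds them.
type Identity struct {
	Cert *x509.Certificate
	Key  ed25519.PrivateKey
}

// NewCA builds a self-signed root CA. Nothing vouches for it but the
// configuration of whoever decides to trust it ("Where does it come from?").
func NewCA(name string, lifetime time.Duration) (*Identity, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{"Grid"}, CommonName: name},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(lifetime),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &Identity{Cert: cert, Key: key}, err
}

// RequestCert is the client side of "What now?": the private key is created
// locally and stays there; only a request signed with it goes to the CA.
func RequestCert(commonName string) (ed25519.PrivateKey, []byte, error) {
	_, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	csr, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject: pkix.Name{Organization: []string{"Grid"}, CommonName: commonName},
	}, key)
	return key, csr, err
}

// IssueCert is the CA side: the request's own signature proves the requester
// holds the private key; the CA then signs a cert binding the requested subject to it.
func IssueCert(ca *Identity, csrDER []byte, lifetime time.Duration) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("request rejected: %w", err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // illustrative; a real CA uses random, never-reused serials
		Subject:      csr.Subject,
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, csr.PublicKey, ca.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyPeer is the check each side makes on the other's identity cert ("Managing
// Trust"): it must chain to a CA this peer is configured to trust and be valid at `at`.
func VerifyPeer(peer *x509.Certificate, at time.Time, trustedCAs ...*x509.Certificate) (string, error) {
	roots := x509.NewCertPool()
	for _, ca := range trustedCAs {
		roots.AddCert(ca)
	}
	if _, err := peer.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at}); err != nil {
		return "", err
	}
	return peer.Subject.String(), nil // the authenticated identity
}

func main() {
	agdev, _ := NewCA("Access Grid Developers CA", 10*365*24*time.Hour)
	_, csr, _ := RequestCert("Bob Olson")
	bob, _ := IssueCert(agdev, csr, 365*24*time.Hour)
	fmt.Println(VerifyPeer(bob, time.Now(), agdev.Cert)) // CN=Bob Olson,O=Grid <nil>
	fmt.Println(VerifyPeer(bob, time.Now()))             // "" and "unknown authority": no CA cert configured
}
```

VerifyPeer takes the trusted CA set as a parameter on purpose: the same certificate is accepted by a peer that ships the AGdev CA cert and rejected by one that does not, which is the "both peers must have CA certs for their peer's identity certificate" rule in code. A real deployment would also consult revocation information; nothing here does.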
Retrieving a Certificate
- (screenshot)

Security: Identification
- Users and services are identified with a public key identity certificate issued by a trusted certificate authority
- An identity certificate contains:
  - Information about the subject of the certificate
  - A public key representing the subject
  - The digital signature of the CA issuing the cert

Identity Certificates
For example, a Globus identity certificate:

    % openssl x509 -noout -text -in ~/.globus/usercert.pem
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 6060 (0x17ac)
            Signature Algorithm: md5WithRSAEncryption
            Issuer: C=US, O=Globus, CN=Globus Certification Authority
            Validity
                Not Before: Jan  7 20:22:19 2002 GMT
                Not After : Jan  7 20:22:19 2003 GMT
            Subject: O=Grid, O=Globus, OU=mcs.anl.gov, CN=Bob Olson
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (1024 bit)
                    Modulus (1024 bit):
                        00:cd:7d:bb:ae:30:bb:c1:74:2d:e4:6e:d4:30:6e:
                        [etc]
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                Netscape Cert Type:
                    SSL Client, SSL Server
        Signature Algorithm: md5WithRSAEncryption
            23:14:96:05:0d:db:ce:aa:70:17:03:5a:07:31:a0:81:e3:10:
            [etc]

Note for current practice: md5WithRSAEncryption and 1024-bit RSA keys, as in this 2002 certificate, are no longer acceptable for certificate signatures; MD5 collision attacks have since been used to forge CA-signed certificates.

Security: Authentication
- Assumptions:
  - Authentication takes place on a transaction between a client and a server
  - Client and server each hold an identity cert
- Authentication is mutual: after completion, client and server have each verified the identity of the other party
- Secured communications in AG2 use Globus...
  - ...which uses SSL/TLS
  - SSL/TLS defines the protocol for a secure handshake with mutual authentication

Security: Authorization
- Authorization is the process of gating access to a resource based on some criteria
- Many different approaches, few standards
  - Access control lists
  - Role-based authorization
  - Attribute certificates
- AG2 approach: provide building blocks for applications to define authorization
- The reference implementation uses a basic role-based authorization scheme

Security: Privacy
- Usually what people think of when they think "security"
- Straightforward, once the authentication and authorization issues are overcome
- The Globus Security Infrastructure uses SSL/TLS mechanisms for privacy
  - Typically symmetric encryption, with session keys negotiated at session startup
- Media data uses AES encryption with session keys distributed over secure channels

Practical security issues
- In AG2.0 Alpha, each user must have an identity certificate
- Identity certs are issued by Certificate Authorities
  - AG Development CA
  - Globus test CA
  - DOE Science Grid CA
  - Commercial CAs (Verisign, Thawte, ...)
- Certificate safety
  - If the private key for a cert is compromised, the cert can no longer be trusted and must be revoked; the CA's signature stays valid regardless of the compromise
  - Hence, users have responsibility for maintaining the safety of their keys
- The use of identity certificates is often cumbersome

Identity Maintenance Alternatives
- NCSA MyProxy
  - Online proxy storage for standard identity certificates
  - Medium-term-expiration proxies kept at a central server
  - Proxies created via username/password authentication
- Online CA with username/password support
  - Identity certificates held at an online CA
  - Proxies created via username/password authentication
  - No requirement for user storage of certs
- Integration with Shibboleth or other single sign-on infrastructure

Trust issues
- If a CA is not trusted by a service, then no certificates issued by that CA are trusted
- CA trust is a minimum requirement for access; authorization decisions come after, and on top of, this check

Goals of the Security Services Architecture
- Provide a concrete implementation of the things we know we want
  - Identity
  - Basic services for obtaining and managing identity
  - Secure control communications
  - Access control for venues
  - Privacy of media streams
  - An API for use throughout the system
- Provide hooks / APIs / protocols for future extensibility
  - Correct solutions not yet clear
  - Single sign-on

Identity
- X.509 Identity Certificates
- Problems
  - Key management
  - Semantics of identity
  - Establishing trust
  - Casual / one-time users
  - Host certificates
- Initial implementation: Globus identity certificates
  - The Globus Project runs a CA
  - Other entities can run CAs as desired (trust)
  - Enough to bootstrap the project

Proxy Certificates
- Mechanism to support single sign-on
- Create short-lived proxy identity certificates from the long-lived certificate
- Why? Proxies are kept without passphrases, so a stolen proxy is worth only its remaining lifetime rather than the long-lived key
- Delegation mechanism used in Globus for information access, process startup, etc.
- Restricted proxies

Key Management
- The private key lives on disk in one location
- But I want to use my identity anywhere
- MyProxy: (diagram)

Key Management
- Possibly not ideal
  - The MyProxy server is a possible single point of failure
  - Paranoia factor: do I want a proxy held by someone else?
  - But limited lifetimes and restricted proxies help
- Other solutions
  - Online CAs where keys are retrievable at any time
  - Username/password registration certificate
  - ???
- The answers here provide for single sign-on

Secure communications
- Authentication
  - Ensure both sides have certificates
  - Verification rules (trusted CAs, etc.)
- SSL / GSI
- XMLRPC over HTTPS

Access Control
- Hard problem: dynamic groups, dynamic resources
- Multiple mechanisms
  - Simple ACLs
  - Directory-based group authorizations (mod_ldap_auth)
  - Globus Community Authorization Services
  - Akenti
  - Capability certificates
- Initial choices...
  - Likely simple ACLs or LDAP solutions
  - Still to be decided, and may depend on context

Stream Security
- Current vic / rat support AES/Rijndael encryption
- Key distribution via the venue services mechanisms
- Per RFC 1889 (RTP)
- Vague worries...
  - Are keys recoverable (in the face of many gigabytes of encrypted data)?
  - Rekeying intervals?
- IETF Secure RTP draft (draft-ietf-avt-srtp-02; later published as RFC 3711)
  - Implementations?
  - Who's interested?
- However...

How much do we care?
- What is the level of paranoia?
- What is the acceptable level of inconvenience for security?
- Do we want military-level cryptographic protections, or just to keep the demo folks out of our group meeting?
- Auditing?
- Interested in user perspectives
  - GGF ACE-RG draft Informational Document on Security Scenarios
  - Possibility of spinning up a GGF ACE Security WG

Firewalls
- How paranoid are the firewall admins?
- Current solutions
  - Put the AG outside the firewall
  - Burn holes through the firewall
- Interested in usage scenarios and acceptable practices from firewall admins
- Future solutions
  - AG media / control proxies on the firewall?
  - Mutual authentication agreements between the firewall and the AG infrastructure
  - ???
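For the "Stream Security" slide, an added Go example of SRTP-style protection of one RTP stream, following the construction in the Secure RTP draft (AES in counter mode with an IV built from salt, SSRC and packet index; an HMAC-SHA1 tag truncated to 80 bits). It is not vic/rat code; the draft's key derivation, replay window and the venue-side key distribution are left out, and keys, salt and packets are constructed inline. It answers the "rekeying intervals" worry concretely: the 48-bit index (rollover counter plus sequence number) gives every packet a distinct counter block, so the keystream never repeats under one key as long as the index cannot wrap, and the Session refuses to protect more packets than its configured key lifetime.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"errors"
)

const hdrLen, tagLen = 12, 10 // fixed RTP header; HMAC-SHA1-80 tag

var (
	ErrAuth  = errors.New("srtp: authentication tag mismatch")
	ErrRekey = errors.New("srtp: key lifetime exhausted, re-key first")
)

// Session protects one RTP stream (one SSRC) under one session key and salt
// (assumed here to have reached both ends through the venue service).
type Session struct {
	block   cipher.Block
	salt    [14]byte // 112-bit session salt mixed into every IV
	authKey []byte
	ssrc    uint32
	roc     uint32 // rollover counter: how often the 16-bit seq has wrapped
	lastSeq uint16
	sent, limit uint64 // packets protected so far; key lifetime in packets
}

func NewSession(encKey, authKey []byte, salt [14]byte, ssrc uint32, limit uint64) (*Session, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	return &Session{block: block, salt: salt, authKey: authKey, ssrc: ssrc, limit: limit}, nil
}

// estimateROC: a large backward jump in seq means the counter wrapped (RFC 3711 3.3.1, simplified).
func (s *Session) estimateROC(seq uint16) uint32 {
	if seq < s.lastSeq && s.lastSeq-seq > 0x8000 {
		return s.roc + 1
	}
	return s.roc
}

// xorPayload applies the AES-CTR keystream for packet index ROC||SEQ, with
// IV = salt<<16 XOR ssrc<<64 XOR index<<16 so no counter block repeats under one key.
func (s *Session) xorPayload(roc uint32, seq uint16, payload []byte) []byte {
	iv := make([]byte, 16)
	copy(iv, s.salt[:])
	binary.BigEndian.PutUint32(iv[4:], binary.BigEndian.Uint32(iv[4:])^s.ssrc)
	index := uint64(roc)<<16 | uint64(seq)
	binary.BigEndian.PutUint64(iv[8:], binary.BigEndian.Uint64(iv[8:])^(index<<16))
	out := make([]byte, len(payload))
	cipher.NewCTR(s.block, iv).XORKeyStream(out, payload)
	return out
}

// tag covers header+ciphertext and the ROC, which is never sent on the wire.
func (s *Session) tag(authenticated []byte, roc uint32) []byte {
	mac := hmac.New(sha1.New, s.authKey)
	mac.Write(authenticated)
	mac.Write([]byte{byte(roc >> 24), byte(roc >> 16), byte(roc >> 8), byte(roc)})
	return mac.Sum(nil)[:tagLen]
}

// Protect: header in the clear, payload encrypted, tag appended; refuses to outlive the key.
func (s *Session) Protect(rtp []byte) ([]byte, error) {
	if s.sent >= s.limit {
		return nil, ErrRekey
	}
	seq := binary.BigEndian.Uint16(rtp[2:4])
	roc := s.estimateROC(seq)
	out := append(append([]byte{}, rtp[:hdrLen]...), s.xorPayload(roc, seq, rtp[hdrLen:])...)
	out = append(out, s.tag(out, roc)...)
	s.lastSeq, s.roc, s.sent = seq, roc, s.sent+1
	return out, nil
}

// Unprotect checks the tag before decrypting and commits receiver state only
// after it verifies, so a forged packet cannot desynchronise the ROC.
func (s *Session) Unprotect(srtp []byte) ([]byte, error) {
	if len(srtp) < hdrLen+tagLen {
		return nil, errors.New("srtp: packet too short")
	}
	body, got := srtp[:len(srtp)-tagLen], srtp[len(srtp)-tagLen:]
	seq := binary.BigEndian.Uint16(body[2:4])
	roc := s.estimateROC(seq)
	if !hmac.Equal(got, s.tag(body, roc)) {
		return nil, ErrAuth
	}
	out := append(append([]byte{}, body[:hdrLen]...), s.xorPayload(roc, seq, body[hdrLen:])...)
	s.lastSeq, s.roc = seq, roc
	return out, nil
}

// rtpPacket builds a minimal RTP v2 packet with timestamp zero (constructed input).
func rtpPacket(seq uint16, ssrc uint32, payload []byte) []byte {
	h := []byte{0x80, 96, byte(seq >> 8), byte(seq), 0, 0, 0, 0, byte(ssrc >> 24), byte(ssrc >> 16), byte(ssrc >> 8), byte(ssrc)}
	return append(h, payload...)
}
```

Protect a packet with sequence number 65535 and then one with 0: both ends advance their rollover counter to 1 and the receiver still decrypts, because the ROC is authenticated into the tag even though it never travels on the wire. Flip one ciphertext bit and Unprotect returns ErrAuth without touching the receiver's counters; exceed the per-key packet limit and Protect returns ErrRekey, which is the point at which the venue service must distribute a fresh key.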
6t(Evyepw󿷩"sd/'9LyOO\;nJ@ؙF#DԘB8R=2TgMC٢;pp4{Fk-B)%E~Sj:i-l]/eFvР0: !WUDmy_$wmwzWNOCV5WgF 56a_jn*}uZ<OzEݫTބ}de?B!i=D7apgE#{oROj=Z׶9iAVh9uD^fœ&#s3kHO{ 'pbLǸ㵫qy:7U)a(NwCZ{1kQ-X--M.<+v.}֞]iC{~{Ti#1/NşrjoCgΥڔ69jRJ:7>JP;ݹt̛ vC*9 xcVGzZ=bAuDU7><'L]>9OUyζBs3_m6z1\_-1,hm{OϜхӺl` @O i @'. ̃ @ i=pa: @'u<@wC pqxZ ̃ @ LoqO!>p 0 \ @ KeIENDB`ntJN̖.ТPNG  IHDR2BsBIT3 sRGBIDATx^]=6^enđס,p`vn1YG`?p׀s)`ev{<PtpzÛrnVeTԗUXA=ӣ:ݽ%|w{}zrQ',’]?AKȁٗr CȞU%29PGV@~VKz8BU}P5GpYdg rb(r&u}*K2af.K0S.ur ӹB+#gaK:3,RE^X=~ր\ς({ݥ<vktbe|rCReapV:\v_r,ix_Ze#=#Oe{8zvsqq-dhXӅ8*;;^*G?:x#~reǶܓSZrwf;~75ÿs'܏(͢AOL_~`l.?z"7>u`0;,@UoMGCo75wu=G;[?SOKwbC;y߹? =ù{h̨?4lޓ|gxX_1i?=w_]"h->yGTFSQY}1 ,Pԝ@1]%W(Y- q+C~S\\k%~gQr$M+XIg3^bG5@G׌xɽkhƅMahI#cLb1t֘R?<6Sq=x@%(X<0iFo?]!{GHPUCvo*:Թ-rlcq-6"B_Ǿ,qg_Zqj3~PғQG"[ų6%ouT٣DNCNdajDT;> :^#g["G샑q:Yf*ƅї(/qFv6hxl#216="(UXX{i w3\B\{&:R!"WbN(/ǒPotJ_! 1ۏ}յ>,;g3zn9(rS5r/28 ;6!'Gr+Ώw(#jzYȎ\Y_PA{b͡3;{q1W>Wt1-u{t/3IģьA3=5풚ݟ$'>AȆok<tf›oG^s~Ġ;Y"\#G_,3|˧D9wtԁzU()ΘxjC>]/J|:MdtX9zg1;B}vx1 ʈW.3$G߭ [9'AK ~];k'w]azIrWVC-R{vwQրĦ{sqiC",DNd}Fуˎg|.V,;S ;=4CRY@=tՃ_.qwrw{Q6%Ƴ=QNzA)QpL-*w\Y_e]dq=Qc0Wr9%SBdtGs[jV7<)u~~Ơ9 J#&g#Y)r9D?&LF`̯0y/\lxX 0Yzy8tQZ.otڨyg Q';ƌct1hͱiF,+ Ȓޑ v9(w{,'ZX0OMΩx<}_ⱉ|ʹ/YHd:Q^`^luYi +r{28L dq;q}rmOWS [C\k>˨Wu}6'?O^E?)䤼\ًI䳧/6'KB=r9$'cRІ\Ɂk9YWr7̃?$s  /r>deg/J^}9쬅c^mї}p nhwݷY5Ɣӯ%.-u=IŏqԕHQʥwAVH/`c Tbx!qdfG+y?JFC5!GƠKAFI]3cݚA/v<3 bжjBTHbЁmL]-YG8k9Ǣ) lGĠx.a'r=9Sw~]]\1hƠ^w ZE6l}Go"$_6pJs(!2}ؗCd:G<-m7cΆ<ÕP#X/M/G|1hA]5y,4P\3rG_1wыKcЌAr/8KRT> wgq$]"*-eq'^Iףp4,dIdkdw\BfZLA[-Clhvז{@[xr.B|Cd﫸GX%5s>(r9GȽrq;ً#ISR^`XOً?9=9^#;j~ݮ-|3,4l{qyiƞ};7tnZ}-o8v뮟kqKJwc}!w8iA'44rl=ha{9e!4sEuѷH$nS(GĆAK&GAǽ8͔eOh@-T&^ؽc$򠓽p'>u&|;{׈/L|&=hU뫿]ػξb~eJg9&:2w^jfﺘbިvM/5?y.Um siyk*Wb\߿vikOp{+1Bbc)3|;c^}jnzoK:<+LkdRvE:死hƽqf6P{v+f/Mţ<3ypq5շۃ8Q}w=C|IsDAKM  D`YJ?ylF g 0&ٔ"@A}zlK $ KDs A"@. R5 DjfiesFp嶍?fGeFEX`-꙱m\R㨦V[vv9[L5_mk>r u͖7c&33TKͼ뷥g=e0G)L*Z\#{k _di@ VXzZv4ֲxRm8zn%hxr :G{umWϕxӝ,">vy$QUuC,8rSZ$OdnP-Q-64!&-,Nόs0Y^UWZ.#@TVZg2V,B5W9GlR *%[ᆤI,VnNƬX(.5d%U)2_uC9yvbs/Nfk/? 
%|aL&hV^C多UJK$Gf1obPcHSNq@">uήrtRףg#f/ lnnM,BFY|ΗbQM q$> Wk&RS֒#Ɂk.shx6 6Hfwۥ/|;M.c{khdgNHKͺ$pZ B bRYe3鮱e{9U,pJnJM+YNc e5$-61"9_dE 8r-_[Yò=TNucwШ2ԩ.tM -닡nмz(uܬW9*J0QдJ[-*|Lj3j7JŒ+Yf IrTsev?yuεmt(l~Qr)W,`?YMGDlI72gAQehlBY{"D "RH+5 E As "@V zᰈ $h"@J A0 D5@X)$"D +ERpXDfK۸ Pv9/NI|ǿ&vK6_| 'Bn A8FJ;Cv FFZ ]#k"@"EaVPňU۶<ڋVʠ"@n@C4J.Sg龵?YJ{/_BA{eR B_~` Ruu "bM\moT* D`!Sph% MN: :6ߥ=b" r@Vp4dދ/ "@n@CeGyjCaKD`+,p+38 A`~c6aِٚ"'n@{s!D\尥f"@Yς C}9l"p7H;ko'"p.{qzR{gIY"вa? z缈0x1 C'D`m_Ύ #@ް8t"@ z0$ C'D`m_Ύ #@ް8t"@ z0$ C'D`m_Ύ #@ް8t"@⸞}="n>~I؋}=ǞX+Y;N 'jys?_ü~o 7 @ -=-W ɚDlG-Bzv ' D`*.<7Ig+A]%mmIae"@nh%| l)qњUrO$[oYܿha^Y @+AY8`ն9&{#%D u%d/ NL&h hyG!~ ۵~ \F+ ΂ mbAP4 |G:#zdO7ڲ F wXG]erqB 4rmik3O*' "fk^MBU,Q|Q2$={ѳ!XJIyQ28 T>]d"!fG6tbhoCmb9;k?#ћ0"If#A*ȮGWK/s!@/:ǎ- A_c@ zllD#O? ѿI-f7U~G8{>"jL#A_o 9~{="bZ6'A_π="z7H@D 4 +ERpXD4 D`Wj"@ DJ a"@H\D"@^a8,"@ k"RH+5 E As "@V7KaW폝"J>NIn؋/v9.MreO~G+T f/;"QF7Vn qG+d;0`ҖI͆"AKhi%vI  0[-d/< \ʨo%zyQ?'3M.{K] JJ6\`G?*ڒe;FՔ|[Z%cKyv>;XI #J6=:ggG~szGG=dР9Jt.5Fn41C!Jelv~0k"@E: #vgvg7"Wr4O"@[i4rm8֡s̻Ơ|{"@6@Ӌ*gv<>U3^T# Zy)S  E_~~-o.AQ8iR6SS> Gw7GcΛ".NF,!@E4`DZ-q"pxHЇ_"p4Nrivyڽ?"@V@c vsVj"ВM^8."@^jc KS'D`m#@>9u"@֍ z80$S'D`m#@>9u"@֍ z80$S'D`m#@>9u"@֍ z80$S'D`m#@>9u"@֍ z80ܰϸ?ߊV<0ClO޿Gl`WB{vő+E."@` z82$#[s'D`Wm##@>??J2]^QKqvo!ZD!lz9qI*\uLu6:庢&"P@eqA69.۽\T}IHЗDغw֘IH (ђc/~8FAC:6Z3WT#$FXm2DCJC[MƔ  `tw}:!+aM3[>8$_N]-&yɭM7wۀ"w;6osHSnvSc}"@U`p3"@@;$vX"pUHW"@ AcŚD",}\?xi7 9+..4E+2q f}؉7`*kGv q|DA8 @ a'"@>9e"@ zv(8 $S&D`a'"@>9e"@ zv(8 Uo}sD5#1X86"@h֤IENDB`nJ!"N5,kw)%7=8hPNG  IHDRV%sBIT3 sRGB IDATx^]M\Gv2  yC Q D/FE0dV{3؛dY $0FJ 2dcF^^k1 < ^ atȩ:U[u_ϛUݯ{O3|@`xūO_:w~ :ܹ{m>4<@`w NNMo6ǝ7nm[v&O/d;\LSY=2Γٳ)5GSvٱwjgӝmdLn5(U'q7ɦ[s&O;ys~7}9ȶ'c#&RXrToSbٔӝ)GӞ?c~BߨmDζT&ŧDrIb!yxBM~Bt3-|msm \&笳-]<~ٰK]BжŶuq2!Na+9|Oy->%wUo햍_l9T./9Pۓܯz2H/ߚǮ\W~TB l9s2ɶmv=2X~}e^l(ʕEeD6'|MMwl&n6i.??’:hGC&*x#h1='wS%qjݤEAEԽU{*?ڂCXk5o1PZV{՝R;osfC_L]N=JNXS;E_cfO=u*Vʝ?*~F͞kjΤmT(w_|srU,DtRV;.lnSzF@+8oǿ`(wV*K/<s|RTe)LX<&n٥wÊ` X^ij\znե'Aq_x\=r n;|^Vn%N*^\݇]\; b-Œ>8q14{u5cgB|uՙJ|]t/jMq 
wjEʝ@FV\cܑuQ|ejrF7B\4F_{~ǠTWN9]8!_U|r*^i|GӼ:Evs[h4'@5,+g{&ҭZ/؜Ny8{TmUQrrPcsVi甂)4аHmɜn=|t>w[-T|Loð_9O^/ul/oCSXu["9lkSߒ{[{)B{nG£ƈУ\?7/ks!6U*MTz2 *M7u[n-G"gl4e{3䟡rYȳܯ#ŦKNN7ylPc8-t,nvŶ%#_Z{]H*FHf mwr_9{|eHJݻwھt=k>wsu],1M9](z&jRbU;#a&$>]zr'S|R+B^q+;IV'ԖT;g "g8ST3Gtw*}}k|fq.R)Iڠ{;!h|T4"g^YUOVXEn{Ny[m|E!Y.%. 싏\e_|}R}Eދi_Ŀ7Z7W^4V:Թgk-ۙXK,"13]teK9#dL\1e&zs!rב6yt@;F13>DDq2 6]WLT{ )N_Q#<3g ;Jb`?SܥrI߹4~,>3^hR;:`4VOy5l?ď^Qw^eֻKǽ] wN_И2gx۽;Xxeיe5j߃<[ .naq*S/~9n܂.ΏM؎Qjڮٽ7[V۱ʚctsxȫ9E/.q %Ϳ^tm*d'm8ܓ7Bmn;0+6dV/7U]_|' k<ImO*jި-W~ymU\oOQlC񑥻T Kdz_uy{A[D;lĿ=Y|[]Iэ⦁Pĥ6/V+%AïvTW1|z%TNVWֵl#[q]m3Pvf[;-+nA^7h#WҔ{ɢBs{ ˦uʽNEXiE66P*m *mw' wnc k`rFKE|3ܥC!WVbhgu':~7!H+0xmZ{h| ,Gqu䣛7@l imХ VV!hԏBAC@`%W/^٩N/ӽO/_Gz@*R'wag{4Y,%muhabǗEWD6 fw򹏎܍t'%.n~>ҽ]9O?;m$~,OzߜdݮleǗNѶ|U+4%-T $<,{'tEUTZxM6tҵxݩҀ GS!nKَٽ'{_/_7]c; y#Gͮ38g犴kR41qYt %n"ViaP05s[ |SңwVbUǥmuCB#`.SFSU!0{t:1m%~?e)[1ћt͇5~"a(3'οpi`䂏7׀1tuW5笺ɨZ\UuVkF2#_ͷU㶈Y2 }3cm?w_q/?xNɓTܩl9%.+R"Xo!X~ 5ƊSkn9rΞ8M?>ݏv!/Lcx/Ҧ%c-!>&en^ZucE)Ji351scE@` ?CU鋳%p<}׏KFW'3t4_ݿ[AU^咅$xH}j;/;9sG# "4W2P)B`ggn18'#U#dtzA{!4a6j#F"0Oƣ m2tWӔ"0it ZA`6~*=[_nR.@mǓɔBh?> ڌl\f1mF;GSe`xw h4b?y?ZQڞ}BoI[[ڌ́OJWaJγ~Ð͍ 4Xnƚ RUPUc7p< LEӮ֗ޣ 38)G!G?ɔ:WQؐšV/tZP9wlAZ!>kH]8%C !ף*UBU8L3{amxfC񏏴\.7}vw/ٷ]uÏeIb״N'q ^x9πLbKəub69z |iΠ4.piJo|"8kmZ퐝eԵ)Vjƴ*JKicK?=ꏏGO=o/#~x8Wz;^hb$^pE.j*u6I:gJk&\2A:-8Sk#`TiKsbU1ddo7,,e f1eԳ| $Ltiޟg{h<9z<~u4p0~pH0$؍҇h0G/zǣ{Rɓ^AUų'`5˼ ҨMaT _B5UM 4{6B] N.3t ĎWW:djT=ΥW-N5Luͩg {P;OCNd;l4QpL=|`p8 ~޸nV1VRshpG7JiDF(^8~Rr/W ]lic3>pH9sW15~8yK|U!HoqZ;Y) I0~w78<G_M'aqd܉ֿ۽eB]Y0ҹG4X֤cV5q[>⿸$F)JcJi *(_U f -&NȔ27,UW"h533U7ug?q\yq޹^=9ϻ>|p덅 .`/hȶxSfzn#r̮"SW_ugƋ_gN)>mipwH/gj$2ZNXך(Jdγ?L Cz:2a>ӹ 'DeLܚc?;OO8ZyE+U^җoeX7gG{o8Kf 6g68Mm@l.'L:m/LTh%{;E)@ =*d@l.4 =*d@l.4 =*d@l.4 =*d@l.4 =*d@l.4 =*d@l.4 =*d@l.4 =*d@l.4 =*d@lOϙ_:wGl4vSxūVM]0 P@_iT~Kr*wE5mk}Ft#E1W7<AD19Vs\%֨{޽1_i쮹YPth׳"w$V?ֽuj1[iץƁ߻4k%P-!'R S"Ds ~4<˟T^]8O;(e/(|ComCJy[.^Qwы6Lmm#X9-܃ۅd'A`aK^]\]c ߻0kRܗֆ.fk:Ь#~_0(uQ8 1VB)/&*or(~4*^jG. 
nh ]oZ8f(E`b,?:ZȯM;岀~_yס?ӡ^v:Ll{wSשls -1V~ιvM)T\DW1#~Ԋף2zc=d~;kض4 3㵀;>V}wkV3:S+#;3(DN;: V#Ë y)R[:G)R[:G)R[:G)R[:G)R[:G)R[:GI;u*d@-DyF`1YIENDB`n<jw6[> PNG  IHDRsRGBDYX2g"_w~gcx>|ynF͏0wu=.ՇޯrW#ϣ (˖+W(߿z}DzꉸgV ~z=`EgoNt3C[g~ﳟxGkF|'fO|  #ygs>:DSi"9utŤ\:{ۉCx\-S7\Jӏn|#u?|~׏5}﫵/__};bbMϺ戤5?z6]_w~|V5Wq_kuV?nbre 毒䳹c&1_{V9MW/*oWFޥ~K;nrulMR9ޤm,BJD~JJ0m53M*Kjxǒi ky{sgUGc6dF4:vLqQg mǴ/-whۑ5j%:]'#?&xoYS >7:t͝U3qLV$Vo]ot'4Yv<^˷C_niEueO:;c7ciҍ7}CxėzumuZzԗ1g'f=/>쉛WN>v~^{׎fE+<_nx];n|OjҧXQ{ ?$^W4?.펿*Dr>Wvԉg=ֿv9Km|\z{|?z7x_*oV+7?7*F_}n!֮9󮄬^+n\ʹWQMP7Wc7CWi ڴ͚]<'lcz79,s|?_O}v[o|S~zek^oc޶u] u/?z܍nR봬 ,vM=" <sbÞmL\]ͯ>)/޺3cj竇[?z?^+YLYq`gwwD>___v渤_^}՗1ww秷$Ugenuw;^oɩGm]ߞ{M &{LUpxg$VKZ=^EQ< .ǝObRG=w5nԗb_6y_%-'xs$~ىs|&.*%1篿rO;>'8ܭ7Ͽph~ۇkrd8ՓPN͝^Gۛ8{OUjl'-38`,Qӽy[F;~ٹ?:q}Hwikk?jVL>g9yoܩu82C2 o<*'u( KTww{e?zBQ웓'gʎfܓkG\IGvrB~_{/ g?Mki_ N]9r{%+F\f^6uw9?i!W7u0!4ˌڸqSK{}ɓ? iAbRE!w鳲(0^ӡHg[4+ ~iz8l.*]]^~b>Nd9a_B\ͥE%0ev1/H`1wXef?pC`1r./d"⾶}ypx{;Ś!H@V}s㛾R&pk`Ɠ 'WƬY`a! X-3 j]ߏ}e^ޱGX&sʥ⳯r;1#37rStzer}ĊhUf#άl$0h/imA2aovE(<[~D̡D0pN [ V<.p0(q}[Ib֧\O&rB&:wP8z.w.7s]d/DoBHAkb/ЌFKp P7u5ΠI> CTbpO!U @$"R#`NtTȠ17.Ii/*jHY7{W]&6vKAJ]ј42K;=Gy%݆Op3qF.{vquBݥ 9er}hbh{}!':=تr"r[ChK!}^"NF@DG t }AӛFܧ3V빏K~bo pab#{__lM -b ѪFР 3ngμ)B&uy\^{.k4zm#;~v+A')X:to ڜjVԑv8Sv'&oWyэv~JU]ʮ%fc +q/nsM,ٻ_!9g!Pҹ*ѕCSVˈʧt=kIoaAEo0C"ifDMz7E~%^,aŻ58`8{>3oMS7[?YEoDN/X)LꩆYml s 8(a(j0)zyr=((Ec/߫Ma6NwM{۵Nޮy^/Vn/d;O41xZ^뱚;ŌD+rLv{qe!PPb'U:飷B&z Ajۛ9KP(t?PﶧƣCuзť-OS > %!Y SqjYS< D C.Aji&.fnDZ|)neX-]@%@X|"6"diЇ>f݅n/69hh.EI={渒mm&fk]U5aqe>}`6j7;Z,&uL:! ~ql4z_XtP)nFRvѦ"v])Mt̹;bM SFڐWbzvyŤ@ܷ2R)ny~1}?wC~ tVz?6r⾒m}}<p֋5zD5KaÚw05&V zgPQk{s?|F݈6 +Evxh+.v4pMO0Qsx0ck 8. 
q?%:׽t[^ԟoGpE /2 FKCZܭOdtĨq; o'b3=u1ђgg6H@`=ڵsq.YL%VP]ѳ\w[w/{_^=$r"+|f GL1we:^z̽yO!s/aG_ Xi:}_䒽ֈV_mA#cDt3ea%.kXuNBy CIme e\E vz^& 汄l(] .y=Ʀ4BiX\gSn!e{ FeUCM`IqTmAM{$3[Tٻj&6D+fV{$ֽnqz`sĝI^<$tW=g*F0$HB́hd<' uUVʩ9/Y}=c% D7wLO7-J:^@t-԰)JyB=J"0˦@z$L]bj=DU^,HtWaƨiCWmr;?cZpk@JPĽ_\@hrW9m eB蒵)G׶Uĺs%]?|zȷpH _?7;,W$y$C_[xb0,sI̽Cd ٠s+UA&/߽d({uBw?7>Qv.V֭we!f{|̃jykmnns?~_t*ޛa\lRܭ+{XGhE(&Ä3 ˞>jnt.}7χ?SGC4aD lREU%.'ZVVHD~5F#BrSpOΤq&}rןy۷z:{N@[|emoe׎L̃.^Xy;vȏ;o=H4bt ۰G3/]+&=T pSwyk9ԓ:ie;zv!W3]|qYlREUssįu/ ґsX8"_0XH? _{iOXE܊{ ylm^m-ߟm m׮Ew5tfev8c l506 n "F!@&{|((lݻwʕ7ץs~ta9<]2+!Fq_ۈeSvD;o?}J?6Qߣ5 v=vE]Yy;%_7]:'$?G 5vvtx DC@l ?bt(rI%iVdwv1Dk{wkPx+>1(Ĝ\e];ct3m՞AdqobJ*/q7^ǫS!(tɩB[DܻQ7ta;z&1~+yfw.a;Zjz 0 ={;H7s^1&ڸ71,^ʣz:P-?&{e]&T軐/Hڠ=ҀRfmě+Q(hAP"vl=Mlwn5kOv=&ԭ +]u<!ˎNO?Umbi$,K`W[(^#E[W71FGAD l2,w]Re'IqPfP+=o9!x6sPv/ծX{SbM|&K5{KFy}DW:0 B`1R@{!e$ Cqg:,L`ܛ9t-SlE OqgE {ӌv 3OUH@ܙK&&Eԗ?^1}ŃSiɾ2ɪm^$A!/4x T׫Ja})[3ML7.:5TbA;]uv ${>#S *u 0MLFҧ+; B11(3)obJ׸s}{$^"m{g6wwx`˸/YOR9>nh(O`[=t[ٜ:**^c^96/gěҦ4xH'5L?/yRvw.:ܙ64ߟz/yvMLrx-yڃzƑ^]ċ0B OTߣZ'z0gذ;9Ģ0>r:]JjK$x/Csv. Y5&1 4DEOIɯFDA@` ŤpMVmwݧj%UUg/h^8c&0^qPa  &CN`1L(@`! 
@ܙvHq%@;s ;T@qg@!}J  @;$sqz"/#nu^t v.}3kL7ƫA_c!ʞC< ݯ9ݘq2}3" ` !9CF<\ J]GɸW/i|^3@jx9Um^em$̖?l=Ru9!e "ј{F%F.j y}m|u@ @)ơl*_३ 5sn X> +7h=R5ma~_ K`P^FqʜwN4 10*!`3KNkphɣw^^DdhCu4xP[y3w{Tu(l@ޡiLSőbJ#@}҈(2X&!>u.˜Y2SL !@w4t;s xp P.swW^E T6& n>a> qb" P2@d hn79{ӆC }nĽ l⾽1b@^Dd piow8MyYϝ-/=@%pʕA0w.2CXOϨe D߮Lq素W@'݇Iq+@p{C&}jň{%@XG~陛]/9eV!dݕzA➉lVA@=_]f/9>]h ^^d 5:7TZD2lB* k*ZzGF=<x̲ O<]!s3q/J7!O` .{}L>s5Pe C 3"w s*ʳq@Y@`bt]xwA#/>˜hްL⾶"5L$&8 mp^Cu=c% L|=tMasN@ qj!4 u@9.X@`}> CX'ԬJ 4)7#7Ty@`+nnt1@?b@`s CK@ܙ%vHq%@4{isB{# q0@(]{U"EM: 슀*{!}W#Mg rXe'^θS@`}I 9 =AN}B{ ЫaMLafT zGML9@k&<:@`*,{'!0 xWf@?!!mIENDB`n@*!PI٤D]Z6PNG  IHDRݡsBIT3 sRGB)IDATx^흻ǕLJ8P&3x% EXp Q dсA8 *imof_D`NTw70,W}3w ;F7B& ay@`~~&Xqo.U;_^vnމ—ח~{{syr: _^.>^>u_%ܻ{&|*{7&zvJ8\ksw;]Z.oKhmwr }k H9nDjaIG}=k/vm6f%_G^_k^}sm7-&] ~2/o\|$>%-%oݽ& ߻{sy gd`F˽WaVj|jʾLvc㫰-FΥ#һy_N{iOϖ)aTޭZp].bCz;dvWBGXLK)%xwU;%>sU^ٵZmgڗѪVQ9Pئc(3iI4F^]ȇ]ۼFKjh#Ѯ!l)i\8"&McʄmvQX{P w6J' r:EB5U˩cV$lZ=N s]D5%LyU6FJR'U[ݷL$|4w<5S!>XXݷ;הHE {[aFYVZe礕WRO]ϥ>Z| zM۩3V{%~[g~&c kayV/uFW+u?[zK=hVk׬{+?K`K,Y@AGV?S|Eժ\GscUb* \fВ|*lURI)\>Ϭ7֧.)axX.&Ԯan캕ƷxnҸo7߽xGRZJ޽QJ &yw+5I\o]Ê®LIc͖ UC-Rf]|C)مZ4M+7EV-pc^H˵ʌÖߣ1p541ra?Fpg6JȧxX]>heM}.^ɻ_lk}F~j֧]aY%c[駒&z}QحX9_Lm߫4Ɔ Q69]Ւfzէ\u|O~BFK~xֻXxgIşlqTK6giYvi?󗶨{Yu^W'FþN/%Mc^[ے=K5>S#䤝 "Ot̮B̷: ;_w[y Kwy8,믚הlDG8TŘ43OJAi22?cLƛo|O'0n?7$ks:8y.m64nm񪞹a22߉?5Zf66|Ԩmc}fpy*ĈPZ#s%auɪְt})7a&j5bJ\Q4ZY,i9D6/6% ѝj|bja#je[ i=-H=,NO}靜-]2qjƋZIƛ2C o%ɬ/Ш{E{_!M/Ho$lתPa'^VBҼV&j)/_$lS~jM [N|>ޟv`X99,W}J(aSn]VKC%~?Q1Bg~~^aI>TPh_Rd%`Ļ_Kv\8*5/YMajoa'ڐDG]E kX>]G^.Y49r*+~uXq3%82b5gɎMpDȖOWņ'7FWޣ+_uUװu1XmkXҼ[㫓3ɹu%R3Z͒3Y1T<1 _?hqQ]&]57T4 þ~tFnJ^a K4,OJֹgB^5ӶO*-wsXRawװTd +j0+cR=rag s@jU3IkXM(UՂ/<%i*>寏,3{>bUjxqFg9,_Y_)LM^/ySyUwt0ށ%F_QXa㝙u(yW\^ ) ]wS_F|yUVu{8*gIkeQN?%M=G:~$3D#RnZU:t\8m-d?sX5R5.y:%ԥ((l ۘײ>vo0Op8k%Zuu K{TiV3>}Pzh UªV-ޤ|bV٥] eְur*Si;%aL7ne*xO^S uK_}_̧~ϴYa9ts$qU89])֟kÃWƷa"! 
9u\_|k +M^3=e7@Lr=:.߾osXa_ϝq]W|ObW:V,a+k'{pf= OP6gz|XF% jZKȜDywū*Sv"0kh}Be{ծ>|5:{Z2~xX%%ۯgVF=_"ϠTOkŒʝnj}i\68usXk$KhN,!B"O-4{G͉䅚C9G}bv`߳y5_tSgBM?eOkLќ&ЅJl6C`@ܹcjZqC0 1W=o@Wf2WdѼZB DX`0DحY9qҌg/NB%,SKBdZth*9Ҟ:獧qiI:N! ۈv'W2F^Wwꊃ&Ҥ++Xk[zn?il%̊s'/=JТ֒4 'ߜ'6ɠkjٕ2vd$q&q|&駃IʤRwϕ+XzǖYrZ6,b6 ɲqƫ2Wfr͜1q:J4_~ssZBOujiRE1>W``duW$qպ+;K̕FƔcmjή^Y\!hN(%M`Nxpsd^6&{4VɎf(kX626Nz^]OFNw`LgeIu%Ze6 (^ؒZŵ8FjJOOUƔ< KgiFTN;'qd(լA&]7#Nkul=%X]ӥ8^ QzMZAgzMjiN3MYI]%H24$  N9,&-:/-*mlM g'l4oRuڣgk߇e+jmmaPF[W͓x3I}gp.C Bj!kX,Ş@aE:3_"yJb$&\q V)d@R PU4@lxY,ӥ+]u.у[8mh lmm ;, 0% ppɤo׽Ev=|4"`k-vMxoz;;~kvI҄)D|L |-=҄)Dpt׃] Kxk_Ek!pj֩C`_}@'ƘLYfA`27O*bB`MPC`&ѭDF"!vK E_B-mZc_]Yl帢qH=ai/Z?C]o~+Kvׁ`˟!!P(V!]]?Ռ׽Ş[_Z)_.j=a!K.!y X4@`Aւp)5/OJ$.p) GZ0埈?U`TN:)XZoHzS3 05! X뱧f@`"k"0C@cODD`$#`Ǟ!HGZ=5C XX{j&@&#9 k= L$`MFr@`=zHzS3 05! X뱧f@`"k"0C@cODD`$#`Ǟ!HGZ=5C XX{j&@&#9 k= L$`MFr@`=zHzS3 05! X뱧f@`"k"0C@cODD`$#`Ǟ!HGZ=5C XX?6j. F&XNO3!-rZ2J C@5@2@ @*X|5Y$K `{T,cafP N,S1*B@$u$& .QkX$Q:Lek\kmҘ>m6M(6'֓485Â9`s;e]e:L>55F+U? "5(]or 5bwA`X+:BbUj8I=5^\A@O)Rճ] YF V%s6_K9Iy >HUQâZ VӤ^GqRPpڔOu 8 I7 pF>B  dn^dNayM2[@q"0՜ ]u ZkœČk*5#޳u9!XgϜDru`dwbK sB0@`7  ,l`3룃pˌ|4S9y9a|$//AOoHY"5L)>|!3DF`N!=  #K/@9!XS["|! 
œ𰰁B >m5ӢM愇]aaa}joEG񰰁o[L}&oNL 7<h8M7'8ְDOoK2wJ ߜ}f 5j@ ߜ=zm̿%vj|sB67jP-qSݡ17'kzĭ$oNVaUv&/E ߜ^B ߜYⰅM'oNtgʑK<-:@ ߜ,@-P`aN}o7' s *O7 v "Uiɿ%Jȿ%n1m@91%nixX4!ߜX=ɿ%.*)|sBv:􅚝K,P|sB01^۩ys ܠnAMuƬK ߜuGpCW@9!XkUwi|sBcK<z1 |sBfK<,:6@9!Xө)G-L|sB0>DB@ 9ȿ%J ߜ,  (DVK<-::$oNxX6PV!Ч&xZtt (M XԷaĔpûam`ӄ|sBc K$D(s jv-PCf 8[zm7'ks7.|sBמKzi_A`VKaiR ZjlQn-, e [H-ht`M~3Ѣ  %oNG _(|sB0'<,l1:gdA \gNV63Q+vuo }`]yP3}jN֌RY{~N2'k8hAvn7'kV@ CZj}wGfH Ӝ<;KV$` U12 M @VQ r."XX&ꄃhER8 0'kN0KW,c3@fIQ-,bF֌0)eEy=ҿ hyc֞#Xm+|~Ӝ)r?zspszx4O~sM ^ #sO%u.9n7WH_>(uV3* OG=&nܢּ.UTrwڹ&ša]Eu@ WEm)6{r\4NnOm֣9}//%47}BoO\r>iN0b61\V2bb8Is+/(k8#xI)Qru=E*a|jJ x|w 1ry33s(Cg1\6+VRuqngcـma;l6g)osaJOkpQi:rRN1#Sv8[|aatħy!9>A8:F]Ť(|*_nWVy;IM:x`{Ƭ#fveQ:*GZ1P™E'1q4-m|UG}.@mZ?>C,('7(}D:4yI|jvO[ۣuy黿lE{IGaAc8鼲=j>|;6;5Im~ B'Rɦ-k:+*cix| :ߚ 56MKMLCڵ5 G+Z&⃰4chw^k%F<-2 h i &w c l\RS>7}i輏[K_˱5&nimVn+!ʙIyU2:׃/]Ms O 4k.}[yzUsXh$ja d{&5w^q\kIu˗քGC뎭١'VܮߧYb3Q_-նטWUub Z]VM-?v/!]yM7zmwM#&oɦT5`nԤyQWBc|L߬|s':/z}`#2m.Oe ϭP>jE7 .alٷa%mmGivʏ~(܄΃9v0, p8{ڞSsYY1(ym_烶Ե=)`,|؁wt+Wmu1֪4nc|\wӚϟ 7K8Z}3Kp&5,MDఆd+ }.zb>"+Ṱr}~S)-% [ϊ ` grJ\&9VuG6ݰy}^DWL^p|>ōbgva=>oQ{VwUy;˥cuy_=^;}~{(/[Q6d{p}s1ߺE4?o HOI'ꪨWв:M˔rDՅPxa(:"1^[?ly{j`}xP͏4{i/ |*k1ALt=򭧁..@<5 =Yuxr+xH&adXU):Uymg9!*]y%۾os~N) >|Ut}XKsѫZX8/gU+ >{Ơ-w+fv*iSR"mZY8f3B'@TQ,0C~Ttҋy|nyŵzx2'v{^rZlk`w[iT}H%ES_W*K8Һ\[s/v=F};Zu;nUK]{%14i-0,ޭxl'^[ɻ!,ѳnxWZ5c{;g駿^=xS{y&췗ٟ/hwxV)kSf*a_Jx7,~^9W?c_wWgڹʩ0[ř739;)sqXOty{޺paU8[ק7mmqgU1p5vCO -W9᱗.UN{`mV@,Ïx|>lwW힥o:bFx:?,ا*s|~Yz]ϳ+e:oGjJ@&* E$Cm,bͱ!ߤ+Y[Bz7TׁT}k;ҮF~G;[:d%FKؐ*<~,3gZý_NPC/S-mcUШ"ULPu@gu% naWqHӪ=/g>ˠlj~i[U Dse7`n6`"HӳGEhhlՐo\wڮ ՟HN;h1~ bN7T}%Z82Sx,UE%UǢCfψ-5_}#SQ ٣^eFS¸C&UmD3SǍp~zPêPo,mcG{I캓Dgqy4ݴ$2>KXZv[_]h/*q|-Hu вD`IP hN‡"C~Eͦc~Eͦc~Eͦc~EͦzGɟon\ExɿS9K ?פ/"@9Kx)޽{3+D ; TO!D`>$| Y8H*VG!K  0]Ŋ1d D` XQ"0~>, $t+J#@ǐ%A?bE|H"p04%F`uoOxy[h+I@0nOxN!=:U%A`vK!D`ǘO A_LW"D`ǘO A_LW"D`ǘO A_LW"D`ǘO A_LW"D`L=Z+v}'["02 f#wi#ԙ!D`_}!rbb#G=,,~]Ê#@SH خaň w)K$E_lװbD`ǔ%"0,bp;hP+.hH *F[D}d7GL 2~ O,g'dDx%[B6"@o @O_Dϓŭ&XE7Oh$ ?O"dErs $HI0q";4~Um,پ'l WsnU#_UwWKίjzc 
|9@[H¯>7|nůa(ke$<X$:M%$<XMEt6~/6;fp޾0yΣ?-m O\mG&w!@ @BG՝l G!+B_QgD +B_QgD +B_QgD +B_QgD 3wGo."D`- :Y9IENDB`nV?{"s5PNG  IHDRݡsBIT3 sRGB>IDATx^}=-櫅 f 8pQ8qqh0-+:      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxz{|}~9yo@7 𲻺THy..*lv>^@BzpzQ! O>~=/ pnˇzyy3[/oWofcWWo^hWoz/oD囗/SO w~|\(MrOPdNѝ$'$;oҦ///gCjێNly$~Cgny:Z|;o^j?7_|>[9fl&c4!BP3x{L}<~rt$“ I|Sf!BͭhC.h5oIiiX**D(̫9טO 1yRg~x^ddg$g9%k/gYjɼs+\xέZvyBw)zDF9q1PL#[2)mɰo*No> M1yTYPCъ(Nlk<'cn%lFYYq.mNQ=1Ybƞbʜ|d^E kʶ[cWfX\x#VJS׿܊sq$VazKdOqYU;:g[s'S4#8AbC9)^hk#)GmÑ!ϒ.S%s"ȭŖ(9(˝.EqIHCų$oΧ(_2ϧհo5*[Qo5ӌ{%~{z(܊<˔N};5F,#DyI45KdWx ~ٿb`{ZY8,/Q˓OO={ZK6f]oI>G>bͩܩ#ŵd՝ DGsW!MΫ`i6*[s+ZGWk^w[Y~GZBagq;wT%, @B8T9PUC% 5~˜IQ}_4(ZkιƫDCxqZ捇JjlEyqϩ~Yʔ[ъy?k 8Lٖh2sbe"jJd9I)ףwQh? Mr.Yco1wlVX(gol&6惱jK8ydɚfK 'cIjW8=e aˆ!έBhU|&~pZV,^lk<_>MB|^TGL4_Mm,+ CС_/k,i 4tuWK?0/I(ːkYhP8ۂ$[}Úb}>y57EgFslh$dUkC ޑWC, PldmeMAOs!tQǵa%d-{X~sXrI89ۜa?Ur, C^0ҙVCB8'!Q9|B9,"9G!,Aձj(Z!T4ss5d^;3V8sXo㒐ΛVC>5o5t?hٴre)~!LOBaݫ,x?iϋv1n#"{XC<-L%N6}Dy{h=c eAyd, $C Z!_Qִ5y|i+U8ގOV<VWRVmV?A/?{~99ΕsXhHʿޞrpuYt&k?! ùzZe3,M؈wC&%tb}ܷaMybP؆sM]3-dRbxh9E=,k%$ 1qV [$WC.6T {X.I`˂"~V>Q_7X]2ᐝ}((amSH9SCYK}7e(3%Z^-ϧΦ3M?ʶHZ9NÆKB AIˑ, aM>7-~a-cCUq$%䭨@$ R.5ohk:0u 糼ó7ˠ#=afgl~Y)Ԉ2PMeʳeP(1 āf{X$J)-'?fXWԜ= C6]2$eSn5KKZ{^-{ 5Ha=(OT)*ypA_5aSϰW6ECYKHV=+'dC\̟b9cVtxi sx"dK X5&m@$cn#,%ӹvY.pr3I=Ús |.i>>l|.aM?pq>|G EyiGy?{=sO]3l:s79yןϝθ]^|$|}:O>gӡ9&>fs+y4c,a3zxpCbsˮD%05c0Mx7E.Άkũd =#@쉀%緾l$;!EΠ*`^ෝ D c7/V>cɢLM*U9ς@! jm!ޥYL=~ 2HQz?OV ŒCCM&1Zik9ԋVKD15K]R4U *E8*O^aʑYq`GEsL]'F\j-ZZFٶ"_[,+*$bҰTEw,<eQs"@+A;:_W60% DSBtgo5Y˒ }v2hQ̊hx̳t]#ѴdBXj`DRvum?2Eu('rcKՐpXҫ'y%@1 Xx,^9KaX˄̞2t 8 2 9!uoڜ+es,ғaU$ l@g6 X6){?ɬ1=V]lHj#uϭ9MSJhm;gS's pQw `IQ<6ɕT'JC͌L@e8_c 68WZK*tUw݉+(=j(Їi2]$es?]]# X68>+HIhFa;VN"T)\KZAE8yC_Al  `=ա-?AeRe$OiM@5z) fD)#`k/ `uC@^H @ -vz:Cg NoGok$}[C? 
BK­_ p~G$2@:  X .eLA]BB?g@@@gg 8K6O><XײOSk!u-{AZ D ('cc, pګt; C2(5]C\Xn@.Q/;X2#QMǾRM#V%` Dae3荀u+@ ->d.m+k;ցk H<խC<|"R?ebwWJ?z<x[æ&6́, 7Xu7 6DkCpu@ZOp@`CppCp|mme!@FO8%@z@J@q `=z@J@q `=z@J@q `=z@J@q `=z@J@q `=z@J@q `=z@J@q `=z@J@q `=z@J@q `=z@J@q `=z@J@q `=z@J@q `=z@J@q `=z@J@q `=z@J@q `=z@J@q `=z@J@q `=z@J@q `=z@J@q `=z@J@q `=z@J@q `=z@J@qٟwዿ%W_w=K"#_D뇀p Hڮ3p@ @ {X=-"+ t?~ SsϦkpLP}{>.^|g?6̩)Tx<*@.`YjGjXEFl<-%SNƬ`uR:*ْRr,7AFsUVr2M wC@-ΎBPv eV%389uNAǨGIޫN*4o$̫_8hi_u#qR" 3cD=VV7Gsaӻ$c4O:ÌO(mXՁ.VJq洼s$_q}uwb~%@a,TK¢l),)e\)xdls*wXyшW̴Tiy;;Gt=А{U9Y38yw"vS~qGBPգ]P+?z!0̌FeGSK!l\YL~dJ;Y^fwаY=.$u*+Ȑ3چ*zܩ%`egJѰy8uߝY4{@\=|m$]E<6w,R9amIXps?}`5h;9T2E5 0u{$xZ mveVyK5* fpSGZ/)> {~wjXg)y|M)ӯǗ,$4{"NaVU' DOG*Ь@;,عӪ;M)1ڝ}|o_Uwܳ'joȧO >Y m#JJO˧R6Stzr=\Z ívZݩ}IxZP ؊o:( X]~wBl+Ô@~e ^)q{ew]~f\-9O R@;3. O ]w=O)Cw=\ O`Ŋ #N8}-tP"N˓a*OW2o@;%|A?~TC";؜xH?%(<>fSdxt&<@Ծ$<e+jk+9-a3%76 @;!`]{J?%)-:9ur,^xL֙y>YCߝ3%:/&~wBRWJ{ k܈ex#0J/k{Bߝ:) i  CJ@w',S)FߝNȰ;! k')i~wBB dX;OO G)qo߉w', Ol FuoB)q EMSN+ NXWq2OɎO@;!`ΨJ<:X X )Bw'u * Bߝ=OZ@;!`b2o GߝQS3] ,@|#NXpS"@;!`avBN@?s7ɂwg {8D 䧦 i_}0Ay_V wBTa+{n}E_ +A@ֱw *@ @ֱ_j]Iz& L6<,}]%?qsn!Ihs'bI' *sN yhp'!Z]Z֝No HN|DUuI.4&~wBݡ 9X770wBNDOUI`z;:'zְ՗uJPp*ߝt SۉN`JN-?VAv*`\=,@8'aMsZR A@a$ y%tGVH3#`o:X3tE  {X5$Cs?B# pgz~5'$|L5򸪤QX,uM_6h嫤S}'bF ^)fv0W?YՁhm}^e &K(BAmmw1A}S7m"JgeQ~(3DEIŵ3s"f!M%jeK % f,5YjeLYkZ}nr{XrfS<#ui7H?T*3bm6tRi*5G曐VT3*r3(Wtӿ|D*8*>?yRʢ2G6VU"5(5D: e pkZWR-$ A~$,V*}IFcf_Ag O<Ď5T-E6W3RhJ&ȫl"D'UȤ9̹:KiPG6*yH9>Z-8%Y3*ÁxUZ($s _"T_OcUSF'qTZD~WA5]F kJK\b򣑚j}r9VDECh-48ޢ}e$S*> )|2Z [^fX `I;l?ŧ6Dcc=2_•R#KtPBJOv,e%W}EAk#4bƂgkKߟaU,ˢU&ʧi̍vࡾ!êg1ERJ$+agj!{I }ԷN,UWٸ*D{Ҥ('A*CHdCVxۗɈj}#(gnQL$E+*U_RI1JtGC IF1kGq<A*RT_ $ZLpvr;*{t %` @yĭ-SJ eŁ~SC::$!/y:JN L@AGiyFgY5 hQldщ$X* eA<ֹV AOҊZ\\_F+5ms{wE6,ћ8T|Ne*[%)镇?ldj d,{+OˣchBXN[×8{bh*-2g:wRG;U|@|zy4G9ÊrSASJټ; ˙dWEMry>^h]kiyls?(hW1@Z)dn"zTmHn)bjD k2Kb*52F5K4S֎d)Z%UsUy/fR\GB'=VBNt@`l!/U c `/ ɀGuaֽíJQe({8C譽m6ha %Xa7j V>\\%(xyvj蚶{8?e0&[E’/b R6ڧk, W[k+w;?&GH'㭃~dwoS8÷ɭ*B s)ةضzjsل,RJ_ #ѐyM"VkQLTM˖Ky5P۾#kjzL)ѱj5Cm }s" 
N(OxfFBs@r~n*sׯ\A&V0Y~캟2a? ԥ(b\)MhR|>leqۨ92mjE([7|J&Ӕ . =;R Tiޝ!RʃsC_~MNBd%WR#?u8Y#[ /vs6rE4"QM1f<MQ2JPHTE٤@jғ< +2j/$zL̕E W}~$ei,(**Q=|4, G/?~ʖ6?|'4sU5D&GvH6ܢH(xKExv& 2|dj)L}6<&~~T+N~hʗR&eh2(z+MjKQb=f-KνJ{I ¼ЙRqfRBEnR(rPJA9ך8 <~yU(2mk;8P8"lR|NG+@>_Uq*/[f˶0ZaALX$`'bVb~]DIQyӅ8l'3+gù6V=,̓0A_QꙉSiQm-vKRI+W -OYju  @3XС!{# X ;{x&rok8|L@(8 %!T3$@@ Ώ@Tt[Lcԥ(1M19?L3 Z2Ug2 p\(6|U`@WbA:T (,zR>!#dO?@Bt=g.di ΀~> { P^f@9 X@`5>T]{X)F@<'BǯM" tOO,, /hI .@@!uYCp pM_R!`]<%XOiv( 5S"f@h1dY( U@}N G <V'X  k)~ ˏ*(8, $@( p<XAz[CS pm{{ڐ@z n@~ڍ4*@.F䍣wP: pGhՄNΝη>o*֍YR%6gN~uF۬*V̀-o VEkU8 -@]@`UV9w֞`~ `9?{l!`" .fuqL|^-\TD^v2]F˘"$Q 1=X'4}D+GG[h=Xc=dJn?70оFIeРu_t%!3Dnd]XCk=ګ(׀OY 8~*񶆫Xj9 X+ <5'p@X@2 `]T,A2@XS@K~qw ʓ?Fޛnob(B>jA n@XT3; uIENDB`n<!LN^"=|1bzPNG  IHDRsRGB;IDATx^M%Ǖo 2vŀk Y hZ I+@c1`[xaUk!K^tKm,fVVRMøb@ vε j"d{nDddϽW"#N<''OFF^?@;"򷞽;] P4޻lO C ~@88ܝޏg ѲÃǪ۟鎒9A=E?ܮ ?>vxy}xp59c?LlK=Rl>pxt[$>X)e/ۭB糮S/vKxzGzTp̝wΏ bra[ַ]~pdf12z+?v7T_!I}7w-iߡVg'wםeG _ѝ9<ÃVm|_eO.?@VOo`SVQԘj㤢ٿrYK+Q5QF.7%6*r`Pln7*hQn#_k_˕ķoh|ECSy}mԳ\4|6*,ZۡVQB$>KL]>Qll_o>~7F͏0w/۱ϫ]}XY<>\}D?6d\X?|Xzx5ի'>G {O X%H]q?VߜV m래~~6sh_|9r=~?ك#N&8g4|Inb7fq} */1<9Ou7N~i|$e'Y繬E{:əyelr8!qw)kiv]h?MI)_gcc,y֊&bQ7Slo˴嶭~Ɍef1 _f۳m9z,UyzS}x3d?33bak2۵Osq2p-Gִc9OH|-猎CM |/7Qۮ)Rv3n͵uic29HyMy4zIulo''S9[Rmgo?_ok%Xnɹ7un|56{d^]]T9wnW}g?~?~C>+{~;q_kuV?@_gsLrrK?,r_T7Ѯn7Wy%.Gq-Y \m_*mлѶzRknL[LcajJ#s?mֳf򣔗1\oכSFvS >7::_yd2'ZO֥Oc]#ដ>O͞Jڿe fwu/bh%q`}%:O>}?=oos߷j٨#^nVU/Q뵱ўӘߛ;K?ȧq+n[-(^~$rxw~j}s{<ơvSdqm~茋HƹlvF3Wbp<ٽ܎{%|q[hh>GE=({1Gmͭ/x֛5zkzۜ&msgUL~3ߥ)lkyv͏7qux7v<^˷C_n=6A\|ؼnc='ЫshO%=͹`釿o_O1eg莝.]W7%eR~jls2y[269wş̐EUZʴyuH#x^k8d+s? 
y#h9sw2Ӧ9s27\ܣhͿpw YdKj{p׾yy11ɂfH]Qjܛzy2ќffΘߩ'e6{ޖ{3If-#f$Z?ߙޮ19΂?Ιigy2@Ky\gf6` el/V}×U][F/:OF`{#=\:Mj\D/w_U*tw&u{=CT;:\?2un*XSͽ6\5my*ig`s <2v%]~_jkLL5DNemygg ]Yy2t挷er k =Dזw`ap%ϣ{\d{>{pgPs>Ͼ1yr8k#yȕtd%W9+dzw|p h+kU `=!{uY]Y<:{ aZoڐM9!ffqsy2290v_U#A`r2 ?Ґo"%*q+GZ yxxF!ZL˨.:| rq%Vr!d`nYk+vIOC)U+y6L_w=cR Ew !Qcadۀ*ݚcg~'.A u-3i_o2^x=d3lv t uĠYF@`[=%e^DWh{P]v׾ii) CAqj}:C/G$|>B,0Q87'9sټsqkP|zYNzk%ع|L=7uzRvfmK+W2Xv ]Ź]ˏ w ESsLK{h~ BpU< [P30r5ahFo%8(}:]OWugu$qq&gHnIcZ̉zE䳋q!@⮢pq1 w%UFfn)3B+SZ.zً s>Y ;o»Ϸ0>qG:Un9sLv{'qђn>6J 7A`bmEIX5K|S&1>;/Фwܗ5!0#BIՁ}0} 5מXZ[Z !:Իp] /M@jCzO lH8e[O^xh9 r%?IT)J0U d Mz%k*6'';+/-#y1hwYտ'&C >:5-c=.S[ n;KɸƧezћ!* @Ep!|I8+s0Ľ@gG `[ir/䅽w_O}/t`;p_f}i/(/䒿ۈ nr$h}ܯW37.#CN1gLm[ v;ݐҐOlU%UcT܇ށh>T,q u}p /f]պޡzw5/zӈt0#}T~Ja@$I1]qmߐ_Ztm:4*{V5ކ8.)Zt QCQv./N鿞cĸkT~{j-6kUؠ;C{E V.e1$q&FԠG᐀CuUtД2") \kIoڋcJ4Qp(s,b2ea{""Ziv&xQ\V mj5Ƴ<*z` GgưL(vYmG2="Tz$4ϻQ9(%w3C/9 =4P|Ur6zoTeEc(!5˔J tzz۵ޮyGz |P(p{M3t^Dޏ6㴶2SH.:׈eeVOF0z(/pwV^q%䄮3G]M)u힃BOjERnFԤ%X'Tݎ~otXCSZi9m&k]Bte޸10lc+R>{{YgDЕޞzN GTq;'Te}m(, Q L<pv; @} UI(q0?` unEv[;ca}^I}&u-Dq_<ͮn`]?m̖%J`+/vn;A(dZ0dHieF K&~;&KFG'@Zfq` vuLZfʒ CLKn4-'e6..uA o=n[ZwWUqߒj`L>)o'vђ^URPuql Ǚq)6j g;q'aQSwd+jp>Ψ߆iAG*ZP8"Ce uewr)羛Essճ.`@@`_ omnˆzЛ =R-nw`uٳk6홤}Oõ^,oICqg+˚IR}r/xVTQ wMBMcՌDZ)׺6wm.+ؓtyN M&۳B:dNHX"M/u_<۩֣w{yWI5q߯oKޓDj"Y2S#dcyST烉9sPΙ >F6GaڔbCz뉦P.cIOˬȮ0S/h +]å6W)T[۶ˤBۺ2Ҭmږ ˯Y]Ɛلvfev֩zHO}m+/&EUj4YOq[6r*ًAwA=En;wz~Az"?#66GjQ{yԼ%||ʱ9⑻3+4dިLedH׹=z27o%. 
@W&w]j) Uo8umfPRa2JT-,&0 P {C"a`؝VgU 郞Y?Z{Ɂb@QJvv}]Il;-ݑM`is=ksKUno쾳KA.]Ľ4obiD~.XBw ;6jmzgD3jOڔGc5^NߙԠ8S,L4kƙ5@q_aPrⰍyY0^Nk}L{A$M c,zĶ8A&V(KL9we:^zνqO!s/[KRɯݖwjJYlX} ^Nvňb˲뺝U9 ;3چ#0qx @/f%`#PMhKbMXl(}\zM>zCTﯳ&/%:gw=eg\mM'8@Q:'XTٻj&6Dx)C~{Z^ sEʊZ"l QLm G;㭨GF:Vʩ9/Y}=Fsx'C~{t ޱ-Xb[yB=zef4Dn]bj#DU^.HwYһw}pP ߿Γd~m~_IH𿶒P #F;ɹwEވ d:Qeuwo;Y7^ݨ:A_+Vǻ mX3={ -<^[[os,pֿ.fk7^?}:`oƵQXMU|er{=[ѝDy}PxwٓUc\~mpO>rjhF6C hC BwQUtM=VVHDy5F3BSi&}Coxҽw>39z C(lU]ժ]c]ۙ]Aʱ/I$.v<=zƋ*-t3O$+]Sۅ_mB`.@#S|A)7f_B!P(mUtYkHKGNRY[6/Pݖve-+wҙCL+9&՜h AEq n` QQ8h>߿Õ+o˯ſ ʤWˬbX}m)ÿ=yn+|ď:D}>Z {vE͌ݱHv%_7]:o+LmFÝ^&bQK@/Im&&$5]˻[w'&8,kqu3?,sؤ{(. 2dyDmiB)[,6ML]ٕKTNP"vl=M,wn5kMvnhX'6(wDkr.;V8pK>L5]^& ,]-{wm]Go4B J`iCUb/ 8MJFg~4AuJa|( @#ɜ{Cٽ;Tr]M`5姞,U-EvK ;TKJ1  @g!՜Y`P) @I@@ &>"]};F4!'糢ƽiF;F,h}3OUH@K&&]Eԗmb`ڬobLx0IRK %^j{M)Z@ob2VsNݟyxX ?tP~(ļхstDMDS79C]i~!sq'?̐x{4U+DwvR X4&FAGؿϬK OE>=9e K`➐oLUʹn`CHعKV$kd?kJcIߡT2J-c#Rڻ*W[uʇ#FѶ5 2X?Cu>L͸ C7Hwni @`8܇3@'oޅt@HqgT@!}NKw @wT@qg @!}NKw عwttN7[:xh/Xel`;􊾙5xՠZͱeϡD]nk#3N/|&7Q@E`c'p>}H!& "pC7I@4{i@"L'! yBE@܋p3J#q Aq/t(^/ PĽ7I@4{i@"L'! yBE@܋p3J#q Aq/t(^/ PĽ7I@4{i@"L'! yBE@܋p3J#q Aq/t(^/ PĽ7I@4{i@"L'! yBE@܋p3J#q Aq/t(^/ PĽ7I@4{i@"L'! yBE@܋p3J#q Aq/t(^/ PĽ7I@4{i@"L'! yBE@܋p3J#q Aq/t(^/ PĽ7I@4{i@"L'! yBE@܋p3J#q Aq/t(^/ PĽ7I@4{i@"L'! yBE@܋p3J#q Aq/t(^/ PĽ7I@4W~o]'J9!c}|뉛9PX7EFu(.CK/wr0= &|_3@` U)] Ib@^D piow8MyY[ϝ%/Iڃ r ,;!,CǿCgJ28V!tp3 Oĝ@`){לw" x!RȽAg! rߪ@; Щt ;c Щt ;c Щt ;c sI/(PȠK =7>U}c!}]ۙ9aA O+@p{C&}jň{%@X'nz tؒ2U@;ewGuqDJ1@ 0*<DsbvqgDA|eGܷQ 0Pb @iznt3O,ܑ|GBX +W $*qj paa{΃O6 @Žx @ HvkAIq i5{ X-ɛ_' ⾢) )) w:"ŝRB.RӮ1N xi/%P9 q߇ ;$/Y9f˩ʖI{䙌j4!K˯TM~14쟀 v8%hAL4 @`(%i#wp쟴1Ȁ]Sv/dDdvR0]hht C9Vqfe& 0ڮy,zDac(@`"^ޕz:@KM2Rh90Hݜ q([lMg·uN$z &Erݫ\}sfqy^ a[hf%@ hOU=Mt*d׹H$j&裇HaݐJڼC:Q/@!edfY[fP$(\ܪu'q׌Eٽ>sZ&ߌ%ghUA!f9vكstX@`rt]z;H ΗsaL޴L⾶"x&MLr8 mp[]Cu=@`&>sGoJƦ9pS'  âi: VADq!Ieji%VA@+ݖ雑< Q7T7Ă O{?#J@}s.`@z ; ;t*]J#6/ 7@EZq/jY@`WT×!4!`{9~ xE}o. *5K)@`N}c@ { ާ> $>]N w?  
Ofm@>@,oǜ~DĔse @`xӚm&2{B 2|͕Y9 0IENDB`n=_f IBۜd FAPNG  IHDRݡsBIT3 sRGB=1IDATx^},O 8'g0BnđB+ a8Bp`h7+G(908,`]SS?E{ FŪl;O/x G?;?^U(7 a}׿\ ꛯ+-~vVシ~땹q}jzqyrVޚ,[Ͼ_ڒENu*#o2IN8nkN *X7c3'd.wY v$TfUQV%wW!Ys9>y֭(L%RI*rdU+E*]ޘeB Jg|YkqnJ}9˒g͂hW"梗,Gwn%G-j_.Tμr|Mn/ǭ\C1}nԖY&ՙ6I κɔyN!Im{vk/\joWT嘫9[Me!S'1.|Mg}!>ˋlhw-3dEK*LΧ(ZS~;ksѧUZ%^rS> SsgݗLmʡn(P;FJujt]9[9S|e*DOi}`@-S[%I^`. +lQ kw:p^!%|3\Lʭd"ju+sTeɳ_/ʭLk͒ kG2e)eLr oպ5UxevISW(vĶâ_|{=sd7}ٷ9Ȓ=Qefʙ( +LcUo;iJЪA^>&w e~rAJ#?v|^הm,2y2}!3U2ןG2iEc[TZ+8%Gl{9,$$dbʱ${Rw yHg+li:^8*=& oSix&2_QpO*a){; Sy*-IPίӒ-m }!> < ݧ,+|J@L&S5V˔Oͯ: g ⥢2gaA>-~f./lM b8u;5y|ۢ-aQT Z/une. u&)zI;YӨTEBDrJpki\3gQWtkwCf ׻isxh+\ 3bYiߊ^E+ASjrvn+a {X){iK[yb{XsX4VD/~)[o'gԹqkyU"an)\|R=+ݭyTӘn熘‡|"t=gRtot 1-G׳3,ge*셅K{G k&F-9ay܊N\g\#]"A(F[gsX%'Z?us3egړ_s3,Dze.sW簖n'ָyZ-r`*v͵{˛sX3p-Yڲ>}r)#׉|7׏gI E}8%ҝAtZ[M_tn01U۩MYBފF8N͖r<]yK{X Mpy=;=KHY$ &Unlޥ՟c҇[cd Ei/lúrͰˮH$}6g D.7z]Źs/ºr|JS% H^…ܳw =tvSE+ Rt0[,Oyټ %Suά4oMyO%әl+] w ~,N6+~uO0zߐ*;C?]#׶%\OYbʼw(l/,w c0r<$wŞk1g|+ӥs\lT-Lj~"g]\o:|Ci/rĞVH#Σ1~:!ҞtOfX5/|Vq$/1J~72/>#>NWg iBn%slպ̐+Lcg t_.Þg Je2GhgE>ϭyg o9.45%tRGvbeB *9,U^6?K(ֆ4̫i/y}j.F%=e|g o߰M˽B` ܞ[ȑO`O,]]ԥwssq'q)Frpx?x_$tE x;ݟ@` W{GÉa%y d! O ذ"JVJ aEx 07 g@bµ( N}rThС ioY%*!#0d^\5ja틕  {^JIm6آP" Z֯X_Gզ-Qd%V@<*˂ŋ8H]Y LՒ/bVS۔ VBtqz@aϫ0Z3啺㥟gu],Ljh_YQs 4ok ϛFZ?<=5"ɟ2{m]r M`vs re&2HSI EyC P}^ #.>"zRWW$+Wm]LL.*rY憩8ܗZ0nC/B7 Q@`8rC%:ZrA+ ;ROJS;Dᚧm! 
",a > ^@`P4a}?I U闀Cap>>ݢ; nbqЄx yA .@nI睋3x.=,H?k@$%%3.,ScQ<5 e{W!$ÉuUeG^&,NTk@IY!-9I,*z;ep;!rJ!;e²]aLd6ÒͰ,-V4i@'$9k 8_N|(rr(~=mSUx"*@lH5#T5Nb \&SNrVAe&jݳzrGO%E)͊uJUYu<0**TBaC!g (@61/Im\b,ep]=ҥ7BnhByCm{۞2v~!EcShi`oz\ڦLjݺQh6B8hMKB.OkQӄ{,S=ti ©9\cSR fUtbնRu׋&n,db10S1?܁pe|pΰq1-j~[_.@%򐶊VRsT%GP*SokTQ &ƌLpB8ḭRAKqE86a@O29Μуe,'T.ZI=2)m&G7:3Ntp>J=Na(OJj"J)OFahB8@?V|zpB8ɐޞ\,Gпq%60#SՑ|B,2aɈP4{ +?%v"iZNFڜw^o5<zt9xi©TUWIj5Ң2P*0^M.X"DR 6'UHj} t͇ٝ0nCNO&,:Zrm076iO$,NApz2am@m=B3t09uaꇟX<͟*C쿭#<]©;t呜蝻9]jS"O˃٧4S-bג\=9XJ,vᩀpt:aE+pӂQ.^J@ȉCBƃSITpj',WTTLDxP*r72ے:tBS(S;a:SPx(ss's=xģ[@84*@89OVl@86qiO#N zԯԢJZ@8d9D pa!rO0B8!B <dXO[  bA zЗJ,t0bOp’=jȰN DO{h"N A] )nF@?@X#y:O=paΩRJ<9P6Av&`B\@ڰ¦1 @8KBJ+4@؛8px@3u\A3 p>9),gFWsKB$l|EWu1GV.j& !+t.?VUNʩ^+ uTՂ }a8um^^WnwtYyG}@)"Q^leIɃ<QkURY;5'E63fqY,:JR1L y8 *dSTax[$)iT?^=z|6Ad|\p[>[ʄ Ur Wp=z괩DyI lСE+rTrRGQQOUclwCT|)en$j=Uկ/@<rh}H7){plIYJyɢԄTW.T߂P5Uϖv*/•ǣqW^ gΡ%,Fs>@t]n>6:\B fX)c)(X'7sZb:E?sTk.&(?aJ^3<Ɗ{GѺjpF4 `+'x :ѾYL&3aV ?d@ϰ~O0"Z@ٖ325u% YQ>SgiJs<+vJ 龨+VHDtzH9:݂iauHu=2Re3ɣ#*<ʰU?j!Dj?ܔ7FhY,{Wy9صi6bˋҪh#-:T#J9WܗVo&RNؚEɗDldS*Qbe*TʩͰIjd%ńE!EUXŌ+ln^m`mʧm4ԩ+{${Xӻ=6S{V'OpDyM/tf[B,D&Z4(GDR>QQ=S;M:#hOdWf[Tbα $cEmeK>K(W$j?bRPTdneU!Z_=U[R&zѴ%ӻE WJ(L46RX0ճz2Pq^ *)9(M8mY5A$GD4BR] <~|- ~jRٷ#}-t CW@`kjZm[ڰj@`t@X Пa/ݿT[rѹU݂h%[{Ŵ7"lُ, ƶʕvv+k:G!@읦""e[iGOgMrviNh&hb!D*AK#ou+VpՀ9;Y)KNu=sYUaY1yVCޣrRlUQbq!#]:RNt5=S¨\fʱ|) 1z._ͱ݉XT3otEVΐ wZeZeXeʤFTը(R==V%ٲ{!z%#X'ۆJ.KvG{.޸Q&LKR9I|PNBh_q,J< WAF@'E}R3Ebe3 75wz 7>~Jú%aQENC L ydUzѸ\Um㑶V*ɪx߱*ʊDW7t:ǨXOÆ:~(U+KxM5qcT"5+#PnҢ]B7ͶŒ&?/O:BV7$.7IudYF2vVYTmP+(UlDuHO틥E[@Ps%:9:rE*$l}~iSO:П%EmB5aebb;eǪQִbg UjT<<2l]j]Rψkbϼ!+
Security and Certificate Management
- Discussion of AG security in the abstract
- How does the AG approach security
- Using the AG security mechanisms

User goals of AG security
- Privacy of venue interactions when desired
- Privacy of audio and video
- Privacy of documents and applications
- Restriction of access to venue
- Determination of identity of fellow venue participants
- Protection of software from attack

Classic components of computer security
In the abstract:
- Identification of users and services
- Authentication of the identity of these users and services
- Authorization for access to resources
- Confidentiality of data (files, streams, control, etc.)
- (Non-repudiation)
More concretely...

Identification
- Each user identified (*)
- Each server or service identified (*)
- Similar to mechanism used by SSL-secured websites (do you check their certificates?)

Authentication
- Mechanism by which an assertion of identity is verified
- In the AG, authentication performed each time a client/server transaction occurs (provided by underlying toolkit)

Authorization
- Determination if the authenticated identity of the requestor is allowed access to a resource
- AG toolkit defines role-based authorization mechanisms
  - Access control to venues
  - Administrative access to venues, venue servers

Confidentiality
- Privacy of control connections (SSL)
- Privacy of media streams (media tools + AES/Rijndael)
- Privacy of venue data, other venue app interactions (SSL)

How are these accomplished?
- Key supporting technology: Public-key Infrastructure
- Identity asserted by X.509 Identity Certificate
  - Contains a name and a public key
  - Digitally signed by a Certificate Authority
  - Signature asserts that the CA believes the holder of the private key has the identity asserted in the certificate
- Application protocols use challenge/response mechanism to verify the presenter of a cert holds the private key

PKI in the AG
- Each user has an identity cert
- Each server and service has an identity cert
- Communications use SSL (via Globus Toolkit)
- SSL provides mutual authentication on each connection
  - Each peer knows identity of the other
- SSL provides confidentiality

We're all set?
Well...
- "Digitally signed by a Certificate Authority"
- Verification of this requires the identity certificate of the CA
- How is that verified?
  - Chain of certificates leading to a Root CA Certificate
  - Root CA cert is self-signed
- Where does it come from?
  - Applications configured with set of CA certificates

PKI in the AG, in practice
- Each user has an identity certificate
- Issued by a CA:
  - Globus Project CA (ending service this year)
  - Access Grid Developer's CA (integrated with software)
  - Other CAs
    - DOE Science Grid
    - NCSA
    - EUROGRID
    - Verisign, Thawte, ...

Managing Trust
- Each client and server has a set of trusted CA Certificates
- For a connection to be allowed from a peer, both peers must have CA certs for their peer's identity certificate
- AG software ships with AGDev CA cert, Globus CA cert.
- Additional CA certs may be imported via Certificate Manager

AG Certificate Manager
- Holds user identity certificates
- Holds trusted CA certificates
- Provides GUI interface for manipulation of certificates
- Operations:
  - Importing initial Globus environment
  - Requesting certificate
  - Retrieving approved cert
  - Importing other CA or identity certs

Importing Globus environment
- Upon first execution of AG code, Certificate Manager (CM) will attempt to import an existing Globus environment
  - user cert
  - CA certs
  - proxy location
- Where possible, integrates properly with other Globus applications on system
- Mostly applicable to Linux systems

Initial import
- Prompts for private key passphrase: [screenshot]

Certificate Request
- If no certificate is found, client prompts to request a cert via the AGdev CA: [screenshot]

User Information
- Prompts for information to enter into certificate: [screenshot]

Final confirmation
- Verification of data: [screenshot]

What now?
- The submission will send a certificate request document to the AGdev CA.
- A private key is created and protected with the password specified by the user
- When the AGdev CA signs the key, a confirmation email is sent and the signed certificate is available for retrieval.

Retrieving a Certificate
- At the next startup of the AG client, the following window will appear: [screenshot]
- "Not Ready" means the certificate has not been issued yet

Retrieving, cont.
- Clicking Update Status messages the CA server to detect changes in status.
- When cert is ready, the window will look thus: [screenshot]

Retrieving, cont.
- Click on the certificate name in the dialog, and press Import Certificate.
- If all goes well, you will be prompted to create a Globus proxy for the new certificate: [screenshot]

Retrieving, cont.
- And if all is successful, the following dialog appears: [screenshot]

Importing existing Identity Cert
- Bring up the certificate manager: [screenshot]

Importing, cont.
[screenshot]

Importing, cont.
- Press Import.
- Browse to your identity cert file
  - PEM format:
    -----BEGIN CERTIFICATE-----
    MIICHTCCAYagAwIBAgICM64wDQYJKoZIhvcNAQEEBQAwRzELMAkGA1UEBhMCVVMx
    DzANBgNVBAoTBkdsb2J1czEnMCUGA1UEAxMeR2xvYnVzIENlcnRpZmljYXRpb24g
    -----END CERTIFICATE-----
- If cert file does not contain a private key, browse to your private key file (also PEM)

Importing, cont.
- A passphrase dialog will open: enter passphrase and press OK.
- If import is successful, certificate will appear: [screenshot]

Importing, cont.
- Click on the name to view the details.

Default Identities
- One identity is tagged (DEFAULT).
- Default identity is used in connections to servers.
- To change the default, select the identity and press Set as default identity.

Importing existing CA Cert
- Bring up the certificate manager: [screenshot]

Importing CA, cont.
[screenshot]

Importing CA, cont.
- Press Import and browse to the PEM-formatted CA certificate.
- Also must supply Globus signing policy file
  - Normally named like the CA cert but ending in .signing_policy
  - CA certs often named xxxxxxxx.0 where x is a number or a letter a-f.
Zi>FI>F>NU )62End of new stuff Security: AuthenticationAssumptions: Authentication takes place on a transaction between a client and a server Client and server each hold an identity cert Authentication is mutual: After completion, client and server have verified identity of the other party Secured communications in AG2 use Globus& & which uses SSL/TLS SSL/TLS defines protocol for a secure handshake with mutual authentication.X ZZZ Pb Security: AuthorizationYAuthorization is the process of gating access to a resource based on some criteria. Many different approaches, few standards. Access control lists Role-based authorization Attribute certificates AG2 approach: provide building blocks for applications to define authorization. Reference implementation uses a basic role-based authorization scheme.X~ZEZZ3CE Security: Privacy^Usually what people think when they think security Straightforward, once authentication and authorization issues overcome Globus Security Infrastructure uses SSL/TLS mechanisms for privacy Typically, symmetric encryption with session keys negotiated at session startup. 
Media data uses AES encryption with session keys distributed by secure channels._Z_z Practical security issues8In AG2.0 Alpha, each user must have an identity certificate Identity certs issued by Certificate Authorities AG Development CA Globus test CA DOE Science Grid CA Commercial CA (Verisign, Thawte, & ) Certificate Safety If the private key for a cert is compromised, the cert cannot be trusted Hence, users have responsibility for maintaining safety of their keys The use of identity certificates is often cumbersometmZYZZZ5ZmY5PE4, !Identity Maintenance Alternatives""NCSA MyProxy Online proxy storage for standard identity certificates Medium-term expiration proxies kept at central server Proxies created via username/password authentication Online CA with username/password support Identity certificates held at an online CA Proxies created via username/password authentication No requirement for user storage of certs Integration with Shibboleth or other single sign-on infrastructure tZZ)ZZZ),PF   Trust issuesIf a CA is not trusted by a service, then no certificates issued by that CA are trusted CA trust is a minimum requirement for access ZX-X   +Goals of the Security Services Architecture+Provide a concrete implementation of the things we know we want Identity Basic services for obtaining and managing identity Secure control communications Access control for venues Privacy of media streams API for use throughout the system Provide hooks / APIs / Protocols for future extensibility  Correct solutions not yet clear Single Sign-ont@ZZ\Z"ZZ@\" Identity#X.509 Identity Certificates Problems Key management Semantics of identity Establishing trust Casual / one-time users Host Certificates Initial implementation: Globus identity certificates Globus Project runs a CA Other entities can run CAs as desired (trust) Enough to bootstrap the project t%ZbZ5ZgZZ%b5g>)4 Proxy CertificatesMechanism to support single sign-on Create short-lived proxy identity certificates from 
long-lived certificate Why? Proxies kept without passphrases Delegation mechanism used in Globus for information access, process startup, etc. Restricted proxies *vZZv, B Key ManagementZPrivate key lives on disk in one location But I want to use my identity anywhere MyProxy: QKey ManagementPossibly not ideal MyProxy server possible single point of failure Paranoia factor: Do I want a proxy held by someone else? But limited lifetimes and restricted proxies help Other solutions Online CAs where keys retrievable at any time  Username/Password registration certificate ??? Answers here provide for single sign-onZiZBZaZ(ZiBO(,~Secure communicationswAuthentication Ensure both sides have certificates Verification rules (trusted CAs, etc) SSL / GSI XMLRPC over HTTPS 6JJO&Access ControlXHard problem: dynamic groups, dynamic resources Multiple mechanisms Simple ACLs Directory-based group authorizations (mod_ldap_auth) Globus Community Authorization Services Akenti Capability Certificates Initial choices& Likely simple ACLs or LDAP solutions Still to be decided & may depend on contexttDZZZ9ZZD9bK*!7=Stream Security\Current vic / rat support AES/Rijndael encryption Key distribution via venues services mechanisms Per RFC1889 Vague worries& Are keys recoverable (in face of many gigabytes of encrypted data) Rekeying intervals? IETF Secure RTP draft (draft-ietf-avt-srtp-02) Implementations? Who s interested? However& t}ZWZ/Z#Z Z}W/# t  (1How much do we care?_What is the level of paranoia? What is the acceptable level of inconvenience for security? Do we want military level cryptographic protections, or just to keep the demo folks out of our group meeting? Auditing? Interested in user perspectives GGF ACE-RG draft Informational Document on Security Scenarios Possibility of spinning up GGF ACE Security WG`Z` FirewallsBHow paranoid are the firewall admins? 
Current solutions Put AG outside the firewall Burn holes through the firewall Interested in usage scenarios, acceptable practices from firewall admins Future solutions AG media / control proxies on firewall? Mutual authentication agreements between firewall and AG infrastructure ???\9Z<ZZZtZ9<Zt,  2*(  r  S P   r  S K  R  s ***<  3 A?  H  0޽h ? ̙33  2*(  r  S RP   r  S   R  s *WW<  3 A?0 H  0޽h ? ̙33  2*(  r  S P   r  S @  R  s *? ?<  3 A? ` CH  0޽h ? ̙33  2*(  r  S  P   r  S "  R  s *a<  3 A ?  H  0޽h ? ̙33  2*(  r  S P!P   r  S   R  s *d<  3 A ?p(H  0޽h ? ̙33  2*(  r  S 0P   r  S 0  R  s *<  3 A ?@PH  0޽h ? ̙33  $(  r  S 0P   r  S t  H  0޽h ? ̙33  2*(  r  S 3P   r  S (  R  s *P<  3 A ?M H  0޽h ? ̙33  2*(  r  S HP   r  S    R  s *<  3 A ?H  0޽h ? ̙33  $(  r  S P   r  S   H  0޽h ? ̙33    ((  x  c $'P   x  c $  R  s *dR  s *d<  3 A?d H  0޽h ? ̙33  2*0(  r  S _P   r  S P  R  s *<  3 A? PH  0޽h ? ̙33  @$(  r  S P   r  S ,^  H  0޽h ? ̙33  P$(  r  S P   r  S j  H  0޽h ? ̙33x]yyI2Y0ƀ[+.ÀgfZ.K"Jnbvz=;$cIlNCPlGb/l #q*WS©1lcZIPo}{׳7L3f^]Xpgu&#WBk (C+S+Nc&ytgpMo8p-0 X 8pBEo\\t08 ~0=jۙW܎'p }vv?2j苉Lj`QĘ'`L/cY{&6Ax<qHO\ퟞ$2۾ obi˿ѾFՅ9_v{ӟ;ҁ?6MJ}⌺TW _+պ\W \VTsn;UpW ^k=Y,Hkws5+?xPwU]5l;ρ U/yg9pjy;wI:͏]z;a l{cxSPlȟFQQ3k9V1(Ʊ2&E  6C Ow2PnS4N4Xj])BK]-RAegmnܯ@sS9uϮ+'9] SI <'cҾʞ1k`'}{}zUi6 -vn-@nAfofSTM,V!:Hq(B:D׆5(p Zcj9ntmCCbeRLR}qI ')tK>n/ q\:jqHF t5g#0,W ƧK,8 k^;qI]-N&14櫾 a,Oka*JY#UqF, =: EH1R2R3_1_+*~;ogW)u/X1M;5ͤ|5Q.fkZƾY#&$nK*S"N&pY⩜ZT9ͪR((JIDY)BITtdPIzT)F35@T)P/uf$c70;0[(̰Ec 3\;M~&s,PX(PkkQ ;,|8N APe(ꌟ|AaPx7X$](05/ #\@Ks ݣ%]^2rHR}3(TT[Ãkꏙcx۪o 6k4 2ݘS}o+ Py31)y($BZ*&<4qDkDTU1%Q)fc=TOȢ&ugGxgŋb$Y1SH^VI}NTX0Y+mS95i/'oJ!M0,&),sd*'ΰ]fI~Hw~io?7]U'lKra9jc..I;$i%F-lu76LY-F6ёz4w:W-$jc9;5F!/kd&W<146 ΔAkz, 3d%qRgDŽz~I6jY4h4ZÅĀKbBR hHvigS# BH4m:͉ T }& Tj|m3vڬ@_5:SK,XhA X8;""8mzHb\R4+QCwRhFbhFr"!VK,FĚl$\a4 BfFFl$0cl՟-VW|}Cm-n0h8NŲ]Si5P{Z1+sӡn-Yy]k]HY yφ<ۅxNPW󒙆c(@~g6+F")[sZЮ"ݞ$`QXת B QiY3w 1iB "*&t[,RM^àx,z6K:n*eR=áׂFIDx"mղtY9S/0" Ǧt2:иa bu.`>*`j9A;y2baj:gnp SC6 ktWj5l^ֆۜm4 
m4>9-O)T'k݇ؤb'Qw--cJsx+-8#۩6kyljߑN@  -&SLdژF9+XIXL%uoq]GzHa׈粯Epq0B#rB X6u 5RZ\TK @>v˭gY+ 4cd60bWTTOWnsEʷ^G8x$Olԩs1gv0P&z6mẊ5Ôē6vETXlӞKnҴŚr>= H1DKVl/릂U}uӲCt}1pNr9f_W-7ը'{"wжskrb jya_/eY}: &E6)rOē`NIT'57.kR5uFXY(1bZ^@{diUBȸ> ;¨enB.%. *#ST<-, H9䄑NN9SE=y w2ݰlgfJ2ʤ\=fnzBFCE`$.W\;^줢 ȘJiꊜ2~<ɍfШ^G2 aZ)bR, kBpJRe [/p\:MYbi2t"r:4ΗC8&O`qG]8q6O,]syi]fHJB{p~qSF4jؿ=3fAtdf^GEg L$s1 ڐa8}VH\H / f߼Z/g t8vTMfj܂8QP!&,9oA^N).]+F/3`p,iO-E#k^=ܐbV)VM9\Z(m6HtiqC!i>Yhs`ƘqV‰sR!HcFjNMwK,7Jo)բeC5b!#&#/:iicP)T퀦tZO+U=W2{p]zn,NձjվZ(Ԟ⼏ ~k}Ў4޺+F3`̫iYV>[u$uQIz4f?֓ }"H]pC6䋕}\[?_a$<3 >Nz{Dzb{Щ `F8(_lٕO?ӿYҍ"K'V ^/V;Զ'/U';? ew-MIY)ΗkCٳcp$ LP~87"d;E]{+]zXy)q7"l҈|Ts] xz==з8 -b0(*J'pTjK&4 ?PЦkת 3#nNTtu2_f8[}_G<)q,i^7[-zev_a- OcT3>)ԉ6ULD,7'!7Ҏcull}+{6U>l?dq'?a԰c. M#7Cb(ks n?wq,^O9cci ڒ]29\w4c:>uG-y#C5[̩FFgu68,X_lRS>7_ÂSw:@:vXnMH^nچ,0OO)LPLkgMI:m˔_jm@LYbGS3)R2Veztg; tJԼ8P]'HUpa{|czVR/ɐWM~Q2 yaoO✯n+NNCyqLg=VYmaX14 6bQvvutKu#Zagb3jɶehA19l#Np,.MXA9#)if^s!#Ԝ2KV~e_ `i(8Wg2e)~ޗm|g{1}:G`MCkL`ԡ3L1ۇ+(&z\E1S1Lb|`rƭ5HZwn9f#,rr]сFv*ec [Y6{.ޛ=Y?tn-wF%6V`~M1S),."*0s`L+?3Ϯ~$?c~"?#s Søߛ}F)S,s=_Gw7g?ۀyr ""*,&$!U"e59!R9~/%B_q#ُ"};p!VE,W+2i5%Gyyv_BA/ݳi),+em,G[fm+! <4_l/o^ 8fC ҝwB| FۣE|4?*% -gKg&0lZ;(4IU|Ō L!,%+r~٨zu9+)sDzX~ rL}zF3mVf3 ⣀eya+)'y I'#'S쾓,gi ԏfm0[lv4$0I K 6sJ+SV 4cŠt|DP^l,1Җ]scmF^!%޹f?XGeM1R`bK̢̳Z˹ 9R))bIkf|b&3")(f:V0ŔA Qo~6ZVIIYW-+J˗KZ8UPf_FY~P9+^/e_|D#Y@ pe]+}>G5Z,5)!2*GQDz%pw*ʜ瀧~_!9yNz$[&Ǘ pEC(`݀ p3+ i?H eоm4 9ԟGP?@hk?ڼmσ9)4%6(hEAZhfAgla@H]_{'sJGi|b\d doSՓ/QL-F1>sͺ2cA)rwP̸I ésE(w-/Q-vAIUʷo)OH+*=t'1ţżyDRA2qU-*ߑƔ~Aڠ<,]|Y*(H+\<Ҍ"puBQhcQj۔yV:rrp=7w#nB)ާ%w&w6wr~zʥ.Q.VE ^ 0֠ܧʽʰrHYܣ\{@㣀ۅ(A݀Q&<ͽW.LR9.D|"oe({߀+C ~I=vAw;n@è)4?(#V.E^^h ݉  (A {A^)+:=o.V>v;/+IC'%v(W>vS%?w(*ICŷo+j=P~$}lZ{_g_fJ, RMz\e|I>GAAP O!C(g+OSOW>B\>;67D u&F3VGlqqsқ5R6>9*.3\)0Q)BG2Sf\wҙ~un#ʷ7){˗Vt{!aRo(f^2MaeG6{??ʟgwX9Mal'}l&Y~}iVrH is)QyTWY\^+ace+hjmo}q26^(   Be care? 
Security and Certificate Management
- Discussion of AG security in the abstract
- How does the AG approach security
- Using the AG security mechanisms

User goals of AG security
- Privacy of venue interactions when desired
  - Privacy of audio and video
  - Privacy of documents and applications
- Restriction of access to venue
- Determination of identity of fellow venue participants
- Protection of software from attack

Classic components of computer security
- In the abstract:
  - Identification of users and services
  - Authentication of the identity of these users and services
  - Authorization for access to resources
  - Confidentiality of data (files, streams, control, etc.)
  - (Non-repudiation)
- More concretely…

Identification
- Each user identified
- Each server or service identified
- Similar to mechanism used by SSL-secured websites (do you check their certificates?)
- Basis for authorization

Authentication
- Mechanism by which an assertion of identity is verified
- In the AG, authentication performed each time a client/server transaction occurs
  - (Provided by underlying toolkit)

Authorization
- Determination if the authenticated identity of the requestor is allowed access to a resource
- AG toolkit defines role-based authorization mechanisms
  - Access control to venues
  - Administrative access to venues, venue servers…

Confidentiality
- Privacy of control connections (SSL)
- Privacy of media streams (media tools + AES/Rijndael)
- Privacy of venue data, other venue app interactions (SSL)

How are these accomplished?
- Key supporting technology: Public-key Infrastructure
- Identity asserted by X.509 Identity Certificate
  - Contains a name and a public key
  - Digitally signed by a Certificate Authority
  - Signature asserts that the CA believes the holder of the private key has the identity asserted in the certificate
- Application protocols use challenge/response mechanism to verify the presenter of a cert holds the private key

PKI in the AG
- Each user has an identity cert
- Each server and service has an identity cert
- Communications use SSL (via Globus Toolkit)
  - SSL provides mutual authentication on each connection
  - Each peer knows identity of the other
  - SSL provides confidentiality

We're all set?
- Well..
- "Digitally signed by a Certificate Authority"
  - Verification of this requires the identity certificate of the CA
  - How is that verified?
  - Chain of certificates leading to a Root CA Certificate
  - Root CA cert is self-signed
  - Where does it come from?
  - Applications configured with set of CA certificates

PKI in the AG, in practice
- Each user has an identity certificate
- Issued by a CA:
  - Globus Project CA (ending service this year)
  - Access Grid Developer's CA (integrated with software)
  - Other CAs: DOE Science Grid, NCSA, EUROGRID, Verisign, Thawte, …

Managing Trust
- Each client and server has a set of trusted CA Certificates
- For a connection to be allowed from a peer, both peers must have CA certs for their peer's identity certificate
- AG software ships with AGDev CA cert, Globus CA cert
- Additional CA certs may be imported via Certificate Manager

AG Certificate Manager
- Holds user identity certificates
- Holds trusted CA certificates
- Holds private keys
- Generates certificate requests
- Provides GUI interface for manipulation of certificates
- Operations:
  - Importing initial Globus environment
  - Requesting certificate
  - Retrieving approved cert
  - Importing other CA or identity certs

Importing Globus environment
- Upon first execution of AG code, Certificate Manager (CM) will attempt to import an existing Globus environment
  - user cert
  - CA certs
  - proxy location
- Where possible, integrates properly with other Globus applications on system
- Mostly applicable to Linux systems

Initial import
- Prompts for private key passphrase: [screenshot]

Certificate Request
- If no certificate is found, client prompts to request a cert via the AGdev CA: [screenshot]

User Information
- Prompts for information to enter into certificate: [screenshot]

Final confirmation
- Verification of data: [screenshot]

What now?
- The submission will send a certificate request document to the AGdev CA.
- A private key is created and protected with the password specified by the user.
- When the AGdev CA signs the key, a confirmation email is sent and the signed certificate is available for retrieval.
Retrieving a Certificate
- At the next startup of the AG client, the following window will appear: [screenshot]
- "Not Ready" means the certificate has not been issued yet

Retrieving, cont.
- Clicking Update Status queries the CA server to detect changes in status.
- When cert is ready, the window will look thus: [screenshot]

Retrieving, cont.
- Click on the certificate name in the dialog, and press Import Certificate.
- If all goes well, you will be prompted to create a Globus proxy for the new certificate: [screenshot]

Retrieving, cont.
- And if all is successful, the following dialog appears: [screenshot]

Importing existing Identity Cert
- Bring up the certificate manager: [screenshot]

Importing, cont.
- [screenshot]

Importing, cont.
- Press Import. Browse to your identity cert file, PEM format:

    -----BEGIN CERTIFICATE-----
    MIICHTCCAYagAwIBAgICM64wDQYJKoZIhvcNAQ
    DzANBgNVBAoTBkdsb2J1czEnMCUGA1UEAxMeR2
    -----END CERTIFICATE-----

- If cert file does not contain a private key, browse to your private key file (also PEM)

Importing, cont.
- A passphrase dialog will open: [screenshot]
- Enter passphrase and press OK. If import is successful, certificate will appear: [screenshot]

Importing, cont.
- Click on the name to view the details. [screenshot]

Default Identities
- One identity is tagged (DEFAULT).
- Default identity is used in connections to servers.
- To change the default, select the identity and press Set as default identity.

Importing existing CA Cert
- Bring up the certificate manager: [screenshot]

Importing CA, cont.
- [screenshot]

Importing CA, cont.
- Press Import and browse to the PEM-formatted CA certificate.
- Also must supply Globus signing policy file
  - Normally named like the CA cert but ending in .signing_policy
  - CA certs often named xxxxxxxx.0 where x is a number or a letter a-f.
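The trust rules from the "We're all set?", "Managing Trust" and "Importing CA" slides, worked through as an added Python model (not Access Grid or Globus code): a certificate must chain to a self-signed root, that root must be in the verifying peer's own installed CA set, the CA's .signing_policy limits which subject names it may vouch for, and the check runs in both directions of a connection. It assumes subject/issuer name matching in place of real signature verification, recalls the .signing_policy line syntax from Globus GSI documentation, and uses constructed DNs, peers and policies.

```python
import fnmatch
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Cert:
    """A certificate reduced to its two names; equal names mean self-signed."""
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer

def chain_to_root(leaf: Cert, available: Dict[str, Cert]) -> Optional[List[Cert]]:
    """Follow issuer links from the leaf to a self-signed cert.  Returns the chain
    leaf-first, or None if an issuer is missing or the walk loops (fail closed)."""
    chain, seen = [leaf], {leaf.subject}
    while not chain[-1].self_signed:
        parent = available.get(chain[-1].issuer)
        if parent is None or parent.subject in seen:
            return None
        seen.add(parent.subject)
        chain.append(parent)
    return chain

def parse_signing_policy(text: str) -> Dict[str, List[str]]:
    """Parse the two line types this model needs from a Globus .signing_policy
    file (syntax as recalled from GSI documentation, an assumption here):
        access_id_CA  X509   '<CA DN>'
        cond_subjects globus '"<pattern>" "<pattern>"'
    Maps each CA DN to the subject-name patterns it is allowed to sign."""
    policy: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        if parts[0] == "access_id_CA" and parts[1] == "X509":
            current = parts[2]
            policy.setdefault(current, [])
        elif parts[0] == "cond_subjects" and parts[1] == "globus" and current:
            policy[current].extend(shlex.split(parts[2]))
    return policy

@dataclass
class Peer:
    name: str
    identity: Cert
    trusted_cas: Dict[str, Cert]   # installed xxxxxxxx.0 files, keyed by DN
    policy: Dict[str, List[str]]   # parsed .signing_policy files

def accepts(verifier: Peer, presented: Cert,
            intermediates: Optional[Dict[str, Cert]] = None) -> str:
    """One direction of the handshake: the presented cert must chain to a root the
    verifier itself installed, and its subject must fall under that CA's signing
    policy.  Returns "ok" or a reason string worth logging on rejection."""
    pool = dict(verifier.trusted_cas)
    pool.update(intermediates or {})           # certs sent by the peer, untrusted
    chain = chain_to_root(presented, pool)
    if chain is None:
        return "no chain to a self-signed root (issuer CA cert not installed?)"
    root = chain[-1]
    if verifier.trusted_cas.get(root.subject) != root:
        return f"root {root.subject!r} is not in the trusted CA set"
    patterns = verifier.policy.get(root.subject)
    if patterns is None:
        return f"no .signing_policy installed for {root.subject!r}"
    if not any(fnmatch.fnmatchcase(presented.subject, p) for p in patterns):
        return f"subject {presented.subject!r} is outside the CA signing policy"
    return "ok"

def connection_allowed(a: Peer, b: Peer) -> Dict[str, str]:
    """Mutual authentication: each peer verifies the other; both must say ok."""
    return {a.name: accepts(a, b.identity), b.name: accepts(b, a.identity)}

# Constructed sample CAs, policies and peers (not real AG or Globus DNs).
AGDEV_CA = Cert("/O=AGdev/CN=Example AGdev CA", "/O=AGdev/CN=Example AGdev CA")
LAB_CA = Cert("/O=ExampleLab/CN=Example Lab CA", "/O=ExampleLab/CN=Example Lab CA")
AGDEV_POLICY = parse_signing_policy("""
access_id_CA  X509   '/O=AGdev/CN=Example AGdev CA'
cond_subjects globus '"/O=AGdev/O=Grid/*"'
""")
LAB_POLICY = parse_signing_policy("""
access_id_CA  X509   '/O=ExampleLab/CN=Example Lab CA'
cond_subjects globus '"/O=ExampleLab/*"'
""")
BOTH_CAS = {AGDEV_CA.subject: AGDEV_CA, LAB_CA.subject: LAB_CA}
BOTH_POLICIES = {**AGDEV_POLICY, **LAB_POLICY}
alice = Peer("alice", Cert("/O=AGdev/O=Grid/CN=Alice", AGDEV_CA.subject), BOTH_CAS, BOTH_POLICIES)
bob = Peer("bob", Cert("/O=ExampleLab/CN=Bob", LAB_CA.subject), BOTH_CAS, BOTH_POLICIES)
# The venue server ships with only the AGdev CA cert and its policy installed.
venue = Peer("venue", Cert("/O=AGdev/O=Grid/CN=venue.example.org", AGDEV_CA.subject),
             {AGDEV_CA.subject: AGDEV_CA}, dict(AGDEV_POLICY))
```

Calling `connection_allowed(bob, venue)` shows the asymmetry the "Managing Trust" slide warns about: bob accepts the venue, but the venue rejects bob because it has no CA cert for the Lab CA that issued his certificate.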
End of new stuff

Security: Authentication
- Assumptions:
  - Authentication takes place on a transaction between a client and a server
  - Client and server each hold an identity cert
- Authentication is mutual: After completion, client and server have verified identity of the other party
- Secured communications in AG2 use Globus… which uses SSL/TLS
- SSL/TLS defines protocol for a secure handshake with mutual authentication.

Security: Authorization
- Authorization is the process of gating access to a resource based on some criteria.
- Many different approaches, few standards.
  - Access control lists
  - Role-based authorization
  - Attribute certificates
- AG2 approach: provide building blocks for applications to define authorization.
- Reference implementation uses a basic role-based authorization scheme.

Security: Privacy
- Usually what people think when they think security
- Straightforward, once authentication and authorization issues overcome
- Globus Security Infrastructure uses SSL/TLS mechanisms for privacy
- Typically, symmetric encryption with session keys negotiated at session startup.
- Media data uses AES encryption with session keys distributed by secure channels.

Practical security issues
- In AG2.0 Alpha, each user must have an identity certificate
- Identity certs issued by Certificate Authorities
  - AG Development CA
  - Globus test CA
  - DOE Science Grid CA
  - Commercial CA (Verisign, Thawte, …)
- Certificate Safety
  - If the private key for a cert is compromised, the cert cannot be trusted
  - Hence, users have responsibility for maintaining safety of their keys
- The use of identity certificates is often cumbersome

Identity Maintenance Alternatives
- NCSA MyProxy
  - Online proxy storage for standard identity certificates
  - Medium-term expiration proxies kept at central server
  - Proxies created via username/password authentication
- Online CA with username/password support
  - Identity certificates held at an online CA
  - Proxies created via username/password authentication
  - No requirement for user storage of certs
- Integration with Shibboleth or other single sign-on infrastructure

Trust issues
- If a CA is not trusted by a service, then no certificates issued by that CA are trusted
- CA trust is a minimum requirement for access

Goals of the Security Services Architecture
- Provide a concrete implementation of the things we know we want
  - Identity
  - Basic services for obtaining and managing identity
  - Secure control communications
  - Access control for venues
  - Privacy of media streams
  - API for use throughout the system
- Provide hooks / APIs / Protocols for future extensibility
  - Correct solutions not yet clear
  - Single Sign-on

Identity
- X.509 Identity Certificates
- Problems
  - Key management
  - Semantics of identity
  - Establishing trust
  - Casual / one-time users
  - Host Certificates
- Initial implementation: Globus identity certificates
  - Globus Project runs a CA
  - Other entities can run CAs as desired (trust)
  - Enough to bootstrap the project

Proxy Certificates
- Mechanism to support single sign-on
- Create short-lived proxy identity certificates from long-lived certificate
- Why?
  - Proxies kept without passphrases
  - Delegation mechanism used in Globus for information access, process startup, etc.
  - Restricted proxies

Key Management
- Private key lives on disk in one location
- But I want to use my identity anywhere
- MyProxy: [diagram]

Key Management
- Possibly not ideal
  - MyProxy server possible single point of failure
  - Paranoia factor: Do I want a proxy held by someone else?
  - But limited lifetimes and restricted proxies help
- Other solutions
  - Online CAs where keys retrievable at any time
  - Username/Password registration certificate ???
- Answers here provide for single sign-on

Secure communications
- Authentication
  - Ensure both sides have certificates
  - Verification rules (trusted CAs, etc)
- SSL / GSI
- XMLRPC over HTTPS

Access Control
- Hard problem: dynamic groups, dynamic resources
- Multiple mechanisms
  - Simple ACLs
  - Directory-based group authorizations (mod_ldap_auth)
  - Globus Community Authorization Services
  - Akenti
  - Capability Certificates
- Initial choices…
  - Likely simple ACLs or LDAP solutions
  - Still to be decided & may depend on context

Stream Security
- Current vic / rat support AES/Rijndael encryption
  - Key distribution via venues services mechanisms
  - Per RFC1889
- Vague worries…
  - Are keys recoverable (in face of many gigabytes of encrypted data)
  - Rekeying intervals?
- IETF Secure RTP draft (draft-ietf-avt-srtp-02)
  - Implementations?
  - Who's interested?
- However…

How much do we care?
- What is the level of paranoia?
- What is the acceptable level of inconvenience for security?
- Do we want military level cryptographic protections, or just to keep the demo folks out of our group meeting?
- Auditing?
- Interested in user perspectives
  - GGF ACE-RG draft Informational Document on Security Scenarios
  - Possibility of spinning up GGF ACE Security WG

Firewalls
- How paranoid are the firewall admins?
- Current solutions
  - Put AG outside the firewall
  - Burn holes through the firewall
  - Interested in usage scenarios, acceptable practices from firewall admins
- Future solutions
  - AG media / control proxies on firewall?
  - Mutual authentication agreements between firewall and AG infrastructure
  - ???
Basis for authorization 67U7UAuthenticationMechanism by which an assertion of identity is verified In the AG, authentication performed each time a client/server transaction occurs (Provided by underlying toolkit) AuthorizationDetermination if the authenticated identity of the requestor is allowed access to a resource AG toolkit defines role-based authorization mechanisms Access control to venues Administrative access to venues, venue servers&HHConfidentialityPrivacy of control connections (SSL) Privacy of media streams (media tools + AES/Rijndael) Privacy of venue data, other venue app interactions (SSL) Q=How are these accomplished?Key supporting technology: Public-key Infrastructure Identity asserted by X.509 Identity Certificate Contains a name and a public key Digitally signed by a Certificate Authority Signature asserts that the CA believes the holder of the private key has the identity asserted in the certificate Application protocols use challenge/response mechanism to verify the presenter of a cert holds the private keyeZZoZ  o PKI in the AGEach user has an identity cert Each server and service has an identity cert Communications use SSL (via Globus Toolkit"!) SSL provides mutual authentication on each connection Each peer knows identity of the other SSL provides confidentiality <Z&ZZ&We re all set?XWell..  Digitally signed by a Certificate Authority Verification of this requires the identity certificate of the CA How is that verified? Chain of certificates leading to a Root CA Certificate Root CA cert is self-signed Where does it come from? 
Applications configured with set of CA certificatesZ.ZXZSZZ4Z.X# 4   PKI in the AG, in practiceEach user has an identity certificate Issued by a CA: Globus Project CA (ending service this year) Access Grid Developer s CA (integrated with software) Other CAs DOE Science Grid NCSA EUROGRID Verisign, Thawte, & @6m46m4> !Managing Trust:Each client and server has a set of trusted CA Certificates For a connection to be allowed from a peer, both peers must have CA certs for their peer s identity certificate AG software ships with AGDev CA cert, Globus CA cert. Additional CA certs may be imported via Certificate ManagerZ>='("!AG Certificate Manager.Holds user identity certificates Holds trusted CA certificates Holds private keys Generates certificate requests Provides GUI interface for manipulation of certificates Operations: Importing initial Globus environment Requesting certificate Retrieving approved cert Importing other CA or identity certs.ZzZz)#Importing Globus environmentUpon first execution of AG code, Certificate Manager (CM) will attempt to import an existing Globus environment user cert CA certs proxy location Where possible, integrates properly with other Globus applications on system Mostly applicable to Linux systems jq"M#q"M#~$"Initial import(Prompts for private key passphrase: $%#Certificate RequestOIf no certificate is found, client prompts to request a cert via the AGdev CA: E& User Information2Prompts for information to enter into certificate:'Final confirmationVerification of data:($ What now?The submission will send a certificate request document to the AGdev CA. A private key is created and protected with the password specified by the user When the AGdev CA signs the key, a confirmation email is sent and the signed certificate is available for retrieval. 
6 ,?]g)%Retrieving a Certificate At the next startup of the AG client, the following window will appear:  Not Ready means the certificate has not been issued yetZ*&Retrieving, cont.xClicking Update Status queries the CA server to detect changes in status. When cert is ready, the window will look thus:$y c+'Retrieving, cont.Click on the certificate name in the dialog, and press Import Certificate. If all goes well, you will be prompted to create a Globus proxy for the new certificate: 27  Y ,(Retrieving, cont.8And if all is successful, the following dialog appears: -) Importing existing Identity Cert!Bring up the certificate manager:.*Importing, cont. /+Importing, cont.Press Import. Browse to your identity cert file PEM format: -----BEGIN CERTIFICATE----- MIICHTCCAYagAwIBAgICM64wDQYJKoZIhvcNAQ DzANBgNVBAoTBkdsb2J1czEnMCUGA1UEAxMeR2 -----END CERTIFICATE----- If cert file does not contain a private key, browse to your private key file (also PEM) 1 Y  % #"&#"&#"# W    (0,Importing, cont.sA passphrase dialog will open: Enter passphrase and press OK. If import is successful, certificate will appear:$t>41-Importing, cont.&Click on the name to view the details.2.Default IdentitiesOne identity is tagged (DEFAULT). Default identity is used in connections to servers. To change the default, select the identity and press Set as default identity.6 k3/Importing existing CA Cert!Bring up the certificate manager:40Importing CA, cont. 51Importing CA, cont.Press Import and browse to the PEM-formatted CA certificate. Also must supply Globus signing policy file Normally named like the CA cert but ending in .signing_policy CA certs often named xxxxxxxx.0 where x is a number or a letter a-f. 
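The "Trust issues" and "Managing Trust" slides state the rule the toolkit enforces: a service accepts a peer's identity certificate only when it holds the certificate of the CA that issued it, and a CA it does not hold makes every certificate from that CA worthless to it. The following Go program is an added example, not code from the Access Grid or Globus toolkits. It builds a constructed "AG Developer CA"-style root and a second, unrelated root, issues one identity certificate under each, and asks a service that trusts only the first CA which identities it accepts. All names, serial numbers and lifetimes are constructed for the example; the real AGdev CA certificate and the Globus signing policy file are not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Issued pairs a certificate with the private key that can sign on its behalf.
type Issued struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// newCert creates a certificate for name. With issuer == nil it is self-signed,
// i.e. a root CA like the ones on the slides; otherwise it is signed by the
// issuer, like a user identity certificate issued by a CA.
func newCert(name string, isCA bool, issuer *Issued, serial int64) (*Issued, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{Organization: []string{"Grid"}, CommonName: name},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(365 * 24 * time.Hour), // constructed one-year lifetime
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		// Identity certs are presented on both sides of the mutually authenticated handshake.
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}
	}
	parent, signer := tmpl, key // self-signed unless an issuer is given
	if issuer != nil {
		parent, signer = issuer.Cert, issuer.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Issued{Cert: cert, Key: key}, nil
}

// trustedBy reports whether a service holding trustedCAs would accept the
// presented identity certificate: the chain must end at one of those CAs and
// the certificate must be inside its validity period. An empty set of trusted
// CAs is exactly the "no CA cert for the peer" case on the Managing Trust slide.
func trustedBy(identity *x509.Certificate, trustedCAs []*x509.Certificate) error {
	pool := x509.NewCertPool() // deliberately not the system roots
	for _, ca := range trustedCAs {
		pool.AddCert(ca)
	}
	_, err := identity.Verify(x509.VerifyOptions{
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// Scenario builds two CAs and one identity under each, then asks a service
// that trusts only the first CA which identities it accepts.
func Scenario() (ownCA, otherCA, noCA bool, err error) {
	agdev, err := newCert("AG Developer CA (constructed)", true, nil, 1)
	if err != nil {
		return
	}
	other, err := newCert("Unrelated CA (constructed)", true, nil, 2)
	if err != nil {
		return
	}
	alice, err := newCert("Alice (constructed)", false, agdev, 100)
	if err != nil {
		return
	}
	bob, err := newCert("Bob (constructed)", false, other, 200)
	if err != nil {
		return
	}
	trusted := []*x509.Certificate{agdev.Cert}
	ownCA = trustedBy(alice.Cert, trusted) == nil // issued by a trusted CA: accepted
	otherCA = trustedBy(bob.Cert, trusted) == nil // issued by an unknown CA: rejected
	noCA = trustedBy(alice.Cert, nil) == nil      // service holds no CA certs at all: rejected
	return
}

func main() {
	ownCA, otherCA, noCA, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("trusted CA: %v, untrusted CA: %v, no CA certs: %v\n", ownCA, otherCA, noCA)
}
```

The point the program makes is the one the slides make: Bob's certificate is perfectly well-formed and correctly signed, yet the service rejects it because it never imported his CA, and even Alice is rejected by a service whose trusted-CA set is empty. Importing a CA certificate into the Certificate Manager is therefore an act of trust in everything that CA has signed, not a formality.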
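The "Stream Security" slide lists two open worries about the AES-protected media streams: whether keys are recoverable after many gigabytes of traffic, and what the rekeying interval should be. The following Go program is an added example, not code from vic, rat or the AG venue services, and it uses AES-GCM (an authenticated mode) rather than whatever AES mode the media tools used. It shows one defensive answer: the packet counter travels in an authenticated header, playing the role the RTP sequence number plays in SRTP, and forms the nonce; each session key carries a fixed packet budget after which the sender refuses to continue until a new key is installed; and a replayed packet is rejected by the receiver. The session keys, the budget of three packets per key and the payloads are all constructed for the example; a real venue service would distribute keys over its secure channel and use a far larger budget.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// ErrRekeyRequired is returned once the packet budget of the current session
// key is spent; the sender must install a fresh key before sending more.
var ErrRekeyRequired = errors.New("session key packet budget exhausted: rekey required")

// Stream protects one direction of a media stream under a session key. The
// 8-byte packet counter is sent in the clear, like an RTP sequence number, and
// forms the GCM nonce, so no nonce repeats under a key while counter < rekeyAt.
type Stream struct {
	aead    cipher.AEAD
	counter uint64 // sender: next packet number; receiver: next expected number
	rekeyAt uint64 // packets allowed per key (constructed budget in Demo)
}

func NewStream(sessionKey []byte, rekeyAt uint64) (*Stream, error) {
	s := &Stream{rekeyAt: rekeyAt}
	return s, s.Rekey(sessionKey)
}

// Rekey installs a new session key (as the venue service would distribute it)
// and restarts the counter, which is safe because nonces only need to be
// unique per key.
func (s *Stream) Rekey(sessionKey []byte) error {
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return err
	}
	if s.aead, err = cipher.NewGCM(block); err != nil {
		return err
	}
	s.counter = 0
	return nil
}

// nonceFor builds the 12-byte GCM nonce: 4 zero bytes followed by the header.
func (s *Stream) nonceFor(header []byte) []byte {
	nonce := make([]byte, s.aead.NonceSize())
	copy(nonce[len(nonce)-len(header):], header)
	return nonce
}

// Seal encrypts one media payload. The header is authenticated but not
// encrypted, so tampering with the counter is detected by the receiver.
func (s *Stream) Seal(payload []byte) ([]byte, error) {
	if s.counter >= s.rekeyAt {
		return nil, ErrRekeyRequired
	}
	header := make([]byte, 8)
	binary.BigEndian.PutUint64(header, s.counter)
	s.counter++
	return s.aead.Seal(header, s.nonceFor(header), payload, header), nil
}

// Open authenticates and decrypts one packet and rejects any packet whose
// counter is not beyond the last accepted one, which defeats simple replay.
// (SRTP's sliding window would additionally tolerate reordering.)
func (s *Stream) Open(packet []byte) ([]byte, error) {
	if len(packet) < 8+s.aead.Overhead() {
		return nil, errors.New("packet too short")
	}
	header := packet[:8]
	payload, err := s.aead.Open(nil, s.nonceFor(header), packet[8:], header)
	if err != nil {
		return nil, err // forged or corrupted packet
	}
	if ctr := binary.BigEndian.Uint64(header); ctr < s.counter {
		return nil, errors.New("replayed packet")
	} else {
		s.counter = ctr + 1
	}
	return payload, nil
}

// randomKey stands in for a session key distributed by the venue service.
func randomKey() []byte {
	k := make([]byte, 16)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

// Demo runs a sender and receiver through one key's budget, forces a rekey,
// and checks that a captured packet cannot be replayed.
func Demo() (delivered int, rekeyed, replayRejected bool, err error) {
	key := randomKey()
	sender, err := NewStream(key, 3)
	if err != nil {
		return
	}
	receiver, err := NewStream(key, 3)
	if err != nil {
		return
	}
	var captured []byte
	send := func(frame string) error {
		pkt, err := sender.Seal([]byte(frame))
		if err != nil {
			return err
		}
		captured = pkt
		if _, err := receiver.Open(pkt); err != nil {
			return err
		}
		delivered++
		return nil
	}
	for i := 0; i < 3 && err == nil; i++ {
		err = send(fmt.Sprintf("audio frame %d", i)) // constructed payloads
	}
	if err != nil {
		return
	}
	_, replayErr := receiver.Open(captured) // an attacker replays the last packet
	replayRejected = replayErr != nil
	if err = send("audio frame 3"); errors.Is(err, ErrRekeyRequired) {
		rekeyed = true
		newKey := randomKey()
		if err = sender.Rekey(newKey); err != nil {
			return
		}
		if err = receiver.Rekey(newKey); err != nil {
			return
		}
		err = send("audio frame 3")
	}
	return
}

func main() {
	delivered, rekeyed, replayRejected, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("delivered=%d rekeyed=%v replayRejected=%v\n", delivered, rekeyed, replayRejected)
}
```

The packet budget is the answer to the rekeying question: the sender is not allowed to outlive its key, so the receiver never has to guess when the key changed and the "many gigabytes under one key" case cannot arise by accident. Because the counter is authenticated, a packet whose counter has been edited fails the tag check before the replay test is even reached.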