1024-bit RSA keys in danger of compromise (fwd)
(forwarded w/o permissions, though this hit bugtraq earlier...t)

---------- Forwarded message ----------
Date: Sat, 23 Mar 2002 17:38:02 -0800
From: Lucky Green <shamrock@cypherpunks.to>
To: cypherpunks@lne.com
Subject: 1024-bit RSA keys in danger of compromise

As those of you who have discussed RSA key size requirements with me over the years will attest to, I always held that 1024-bit RSA keys could not be factored by anyone, including the NSA, unless the opponent had devised novel improvements to the theory of factoring large composites unknown in the open literature. I considered this to be possible, but highly unlikely. In short, I believed that users' desires for keys larger than 1024-bits were mostly driven by a vague feeling that "larger must be better" in some cases, and by downright paranoia in other cases. I was mistaken.

Based upon requests voiced by a number of attendees to this year's Financial Cryptography conference <http:/www.fc02.ai>, I assembled and moderated a panel titled "RSA Factoring: Do We Need Larger Keys?". The panel explored the implications of Bernstein's widely discussed "Circuits for Integer Factorization: a Proposal". http://cr.yp.to/papers.html#nfscircuit

Although the full implications of the proposal were not necessarily immediately apparent in the first few days following Bernstein's publication, the incremental improvements to parts of NFS outlined in the proposal turn out to carry significant practical security implications impacting the overwhelming majority of deployed systems utilizing RSA or DH as the public key algorithms.

Coincidentally, the day before the panel, Nicko van Someren announced at the FC02 rump session that his team had built software which can factor 512-bit RSA keys in 6 weeks using only hardware they already had in the office. A very interesting result, indeed. (While 512-bit keys had been broken before, the feasibility of factoring 512-bit keys on just the computers sitting around an office was news at least to me).

The panel, consisting of Ian Goldberg and Nicko van Someren, put forth the following rough first estimates:

While the interconnections required by Bernstein's proposed architecture add a non-trivial level of complexity, as Bruce Schneier correctly pointed out in his latest CRYPTOGRAM newsletter, a 1024-bit RSA factoring device can likely be built using only commercially available technology for a price range of several hundred million dollars to about 1 billion dollars. Costs may well drop lower if one has the use of a chip fab. It is a matter of public record that the NSA as well as the Chinese, Russian, French, and many other intelligence agencies all operate their own fabs.

Some may consider a price tag potentially reaching $1B prohibitive. One should keep in mind that the NRO regularly launches SIGINT satellites costing close to $2B each. Would the NSA have built a device at less than half the cost of one of their satellites to be able to decipher the interception data obtained via many such satellites? The NSA would have to be derelict of duty to not have done so.

Bernstein's machine, once built, will have power requirements in the MW to operate, but in return will be able to break a 1024-bit RSA or DH key in seconds to minutes. Even under the most optimistic estimates for present-day PKI adoption, the inescapable conclusion is that the NSA, its major foreign intelligence counterparts, and any foreign commercial competitors provided with commercial intelligence by their national intelligence services have the ability to break on demand any and all 1024-bit public keys.

The security implications of a practical breakability of 1024-bit RSA and DH keys are staggering, since of the following systems as currently deployed tend to utilize keys larger than 1024-bits:

- HTTPS
- SSH
- IPSec
- S/MIME
- PGP

An opponent capable of breaking all of the above will have access to virtually any corporate or private communications and services that are connected to the Internet.

The most sensible recommendation in response to these findings at this time is to upgrade your security infrastructure to utilize 2048-bit user keys at the next convenient opportunity. Certificate Authorities may wish to investigate larger keys as appropriate. Some CA's, such as those used to protect digital satellite content in Europe, have already moved to 4096-bit root keys.

Undoubtedly, many vendors and their captive security consultants will rush to publish countless "reasons" why nobody is able to build such a device, would ever want to build such a device, could never obtain a sufficient number of chips for such a device, or simply should use that vendor's "unbreakable virtual onetime pad" technology instead.

While the latter doesn't warrant comment, one question to ask spokespersons pitching the former is "what key size is the majority of your customers using with your security product"? Having worked in this industry for over a decade, I can state without qualification that anybody other than perhaps some of the HSM vendors would be misinformed if they claimed that the majority - or even a sizable minority - of their customers have deployed key sizes larger than 1024-bits through their organization. Which is not surprising, since many vendor offerings fail to support larger keys.

In light of the above, I reluctantly revoked all my personal 1024-bit PGP keys and the large web-of-trust that these keys have acquired over time. The keys should be considered compromised. The revoked keys and my new keys are attached below.
--Lucky Green
pIr6LLyrAookWw1vRHHTcvy8XH4+IZR/5Gj2+vpmOpLUimvCSuxhnvu5QgxdT1bc mBXTco2+E1uRrSpBS+01mnpPIa2U8K/6cjkfpF8YCF/98yPYOasyqHd/BnhnllsM 1qNikdia9YibjrO43XyLhgEzUpohNgOtkFupsuUNdS56Ze7Q/vNo5IE1euin/0KK VMcUX3w1JpYSDig2h4/rTfuJAD8DBRgzn5+6iXGfp7ZjsP0RAnZbAKDgGg0o3T7X 0ps9PZWOGpykn8ic2QCgx4hI0ki5z3tOc4zx87GA3SL23uOZAaIENlt9GxEEAPr6 wc3ErBpfCY7A9KtlPjr/5e8qYsbkIe7F5554Y2LyBE1h5UhGZ1TbcKEYcLzFkGjh eZn1d9mTO0typ80JaGx7LqRWxjR5QbmZrXvyBTDhHz9dy0dDWCINaPKhXUqSvpFQ +E+cZJAhmhArXyk+fc/RX2hfiuO7UbPaUE017s5RAKD/p8180InjTAomDy6IhYC7 K8XuWQQA7K780nSo1E4Msuyi3GtbAiSHXGnkD5gMAXqDsGDW4HK4AXo8UQ747clN dTIe6VoxDO7vg/vG1n6rCogiyVJJvDm+/QhSkNQmj5iaoNwcDk2zNtrR2hxVN89b eXLwcxsKzYpr0nZB2Vfytylov+j+DpD2zF9O82U37/UjINnuNjgEAPWH/TJ8WnqY jy2Y7i753H7Do9nSeNcJOJZD0Fut0mE8lOAIXE3UMDanyQBXPworfrxhiTCKG0Xh Ao9LxU3DH3YooY6fc73vZHgCN/MuWsB2pxOY74uJDAOjOfdX/UC3Qp9720Htg73C U5Mk30GVkawvkywktKG3ygIIW+OuSQjEiQA/AwUgOY4gC4UHxLzQ1K7HEQKaPACc CkyGuIv5yswC86g6H+/IHKzA5v0AnA052dYFhAdUPWXtR3xX8j0JB8qGtCFMdWNr eSBHcmVlbiA8c2hhbXJvY2tAbmV0Y29tLmNvbT6JAFEEEBECABEFAjZbfRsFCQP0 gAAECwIDAQAKCRCFB8S80NSuxxDyAJ4gyngesLvwyunbUKtG2QgCMScXqgCcCmlv iLUdi0EjCoJZqEF0HuKql/OJAEYEEBECAAYFAjav1o0ACgkQ9SFBcfl3M1eL9wCc C76H6kQWtciMDyawh1armcfMNIEAmwQSYAH2/l3sRmcPxawVO9rNglsFiQBGBBAR AgAGBQI2yjhNAAoJEK4MVGrDPt/eiDsAn1gI+jJjLUlfifH2O5p8+zRgevCpAKDh USxTKC5/8OfEOZCDjw/mBOO34okARgQQEQIABgUCNso4WgAKCRDsTU6t8w7FhSxt AKCVaG6Eb2mz8qVAWF/GllLjlNbLuACfZ1eQGlyAKXVQz0LwWuzv33iSlFiJAD8D BRA2yjicUBC7hzYSSRERAl3FAKC88gT0fDbc5YvwraQMkYuArdZ9RwCgi/M88fSE /xS33D9SHIfkpdl+kViJAEYEEBECAAYFAjbmxMwACgkQOgCSKcyiDz8VFACfVLzB w2yESZ/38iNcKkyJoFUk78kAn2EzYNIMwBC0cz14xWxiCMQVo0bSiQBGBBARAgAG BQI2yjo0AAoJEM814l7+y6zlxWoAoOGmXkQFRbaivBOTMWgmJEHTyI6xAJ4mjyUt 1c0HPh/C5v8rzmvXAXmarYkARgQQEQIABgUCNso7EwAKCRDMcdRgRtjTyPE7AKCC At1a9/WrhixrnLbjSGhNDT8OlgCeK8MRoIdXMvg5p4EAUQZ2+1mzUJaJARUDBRA2 6N4d01ThYrym29EBASgsCACh3Hz63zQUCeB0Jq+Pq9kzxyq3gJIW5CbJwwvrJcti DT8yh8Wo/CxN2wrwUNX6QkMExQ4sEaZMO9kuLYsZKbh3ePD4toxyYF852ZXe6MYC 
IC+7k7c0XSZeb+uUbKVThBAZWUIu3m8ogtD1ga/LuMIp4EC2+R5tihzllDJjLlvO l2dFX/LhUhul+9yV2EzmVWKe3gZWaioDTB+jBS4APwHKucDxSyKt6f7l25S6zw2U WdVEFbBYgkSefKfz7YM3JHY7fMSgWoGuqnGra4PuuQhYvIIUR59PjoZ/cpccBOE+ ACrrFENuxnFTp6PVQD1mcGMWMbfh0H9Hc2kkGf8mxwUjiQBGBBARAgAGBQI26N48 AAoJEPXUPTw3WtkkeiQAoLfdfznCmlYd5FNefWlhcjMXYnclAJ9OEll0wwzLjdx7 ehwWftTNUNd7NIkARgQQEQIABgUCNvVDygAKCRAHrb4H0uAwH8RWAKCVnxwfE524 KmSGHVLKB0mmhsqTZgCfQi+pmpScDvho3LOdX/9yBNdQi3OJAEYEEBECAAYFAjbo VZYACgkQ5r/NLxCBo3wyVQCg+4tohbfAWEFVEVOTdDINu3YXxK8AoOV49SrjS9Ay szquDLk3tXom1iGhiQCVAwUQNukp4aRQkCwJ0+ZNAQG22QP/fiAbccB1KhUhU/j4 nxzI1T6MkTRo8WYfybxC/alWb3spSObUpelCuNOQFOU5kojz7Bba0cPzgGThjGzC T1WYKyRJkMK2R+jWCnIQ7gMvbTgJkRJR18Xox7BJE+otbfGkePs1Ybo2ahG0gtOs WLpIJGo+k9IsspaTIs5C2BdhjpyJAJUDBRA26SoB8uVlTOYOKm0BAYDeA/sEGiZn G2B0/YwKHbUHxVsRg0ZWo+lqROOhH6/k1znWnpBuzZxDfDDvzrj0H+DS+8D510GF 0MRYkPbYRXLobCvZRL+wsTHgn/Iod/gXRjnN1E6YFqrU3C9Zh9xDL1z9agQAmTCF D7kRl5xIFxJcsVwRHrHdot7KOpSUIkHgphwTR4kAlQMFEDbpbmOwsXGDTboQkQEB taUD+wdAP+XF7mRReDXnobyBQxF+alAKPVJqe/NaoS4KgIm/vZScKpnUjMthesjh VbKxisUW4933Bs4j2Ibs3OP1YoCaE6tX7fds91/GCh2b0maUd+NUfLGzktyBMsug B8A870oxCsrRR23Ha9DovqnbA2AVtaXkelbkcUsBvKX7dXRViQBGBBARAgAGBQI3 Fmd9AAoJEIZ6Ge3mAqlzIAsAnR3DxME+HJxgEJhqIen+raVqEs0LAKCwgros1Y41 TzQwQ/DwBuZer31tz7kDDQQ2fIRQEAwAwsbia43bONyqN60hQVZHIvPqO8Jg77Yu VgMcO45NIqAWBEfddya1R2E13Pz9U2CY4L2PHiNzO7/tdu+uY+nx7XVHVZshIrGs cwQJX+GFuRk9UFy/rCOQzqGaKB/1wMCKvuYiGW4xRFfflpRnyoccr+0T/QjeLlfz /+qCVNXQNXBlL9HlRdw3KnWaHxK39QMV74PN2/oS6h9hR//CWqg0ILq4+31cG1cb jZdFNkh3dXS5By/kkA2GHMFjwqK8FIiPYTvAfHh0+GJkxCWZARp68K+7rMpjGHry AmhVos1OIZbATORdYGubwHHYKMkJ9x5Mp3FMUnbOJWavLHnJ3OTzh3Ub/jwzBtyA FVzL/ZJ3yYDZsRrpDUjBtMnpiEBZefrhblqxNu6h3k8LSv9Kq6kqYbz/96fgsTcr FPxbZVe3aiS8Ns0Qrvv8JU73xlIFhFx3UFg1NJgT1hUIbd8bNQPetPB7kwvYMAT0 lKbDdBkT1caPvOZ0YoCT3Ag8zLmQeGl9AAICC/0ct9ANW9xEaUQqojIebV4KrfA8 bxEoHqjSvk7OiXbd5+Tl8uG7bjicgEE54q7EeLfQoDZaWbSgtTMF3Dnqv1+k6I6I 7lfgO4RIg93i61RNNAB6HM6oga1FmTxtreFa5Yo7qlxrFA6B1DpX0AFRWPDiOQA2 
yMbgNX10h9ptPTMZ1rzuEDMB9kI9EbyHSEmcodfvyN3RsZT1M5erjMRmtYBrgWOC AbtOAkB8zLpgylZXQnEUzXuwGMsSdrx9sGC1RQkg9RthGZhYhBQP7ZeRCqyJ0oaE DhTZ0imRYulNFpOP9eYNaeEIBZl39nWvrCBio0VC5gwkTVdbODHEUK9ru4/mIa9B MvDILatBVAsuPeGYtn2GPWnQRHCA+EAsImsZ5kIXY4iwOgE+nenrUqHQwp89zPql PPBoMg1XYj7+KZ3enPHdgFxFcEYuVHNav9vnmLrZafPMPXARAfvbrQf7opqzKkUc edUtTFrearg3klvTsTwDdvWbZgZn2tmimAO93hWJAEwEGBECAAwFAjZ9sZcFCQHv tAAACgkQhQfEvNDUrsf8NgCdGXXGiKEqYtI+iDpCqsHS1beHnd4AnR5QUA7tGutF hKXFGT7uqg5/RZ5buQMNBDhtidAQDAD2YRdzV1jK5Z2eAmh8IQE7mB1japJle71N hX3sBLYOHP8E1843aFxRw1Ldl3sVb5B10ZTt1vzc4xqirTuWwQKKd6qFg7bxOHtb 7xfhO5ei11EeP9NqgpjxjJCJ5LW9pMpwVJ/lNs5h9w71qx4VIPTUbHnOC+rvoVQo QZjM7c2/Nd3ML+JxmNMlXAAToGQx19oVpcilpJ6nWH6bFtbLi/uV779j4MxTDx59 FYphJ7mXjbhEMHL6W50ofGucb+GqtvbFXK4BU/5fa39EE/ZRhN8SGuFGjbf+UUNF BaO5QVTCjoKLVd4qr7gRAyDEQ12IGhWRqp3I3cR10V6Wt20R/pfq7j4e7d6Wj4dj Ps7Dlg0WStaoEvEGluMvQ8jSh6b+KJ7Yt+KcC4Ac3kLpdwWKrfVf73EBU4NACGud aL2YP+jIsHVTvxLLTOL/3zkXDJWz39QgVf/Tzf+DPjhDrUpRxqB+v0W2Dm7X7om6 mkWQYRlyc9Ja0r4ipJpNrubQX5fUGxUAAgIL/RpROa+vnJx84J0k4aVN8z2DBgaY kt0E5bZyGwec/zCISdzFTIB6UPxdbqyJnmUAXLWIeq7psCiaZynkyh4W72UVxfNx oBIuosMH8fN+Abq2mdZ2FTlDlIXOrteLRf4c6x0Ebqx+R2ONbaGbQtnlQGC3QDxZ UmM9pCuH9JqWlk+QlgnawLg+kfs0iTwSnyKXbZAOBIMLKQEl96BweTM33mEYmmej 1U/aivwJk3PvX0pbsiEmTD/ASbZYQ/n6dOK+z61cr4iKkZy7mO7mgQF1XD/m/8mH wRZYh9iJZElhtee2Om1EUA8GYeoF99kGR1zECT4U4NJomclavsftY0BTseX5Jm3L oH1/tY41G6YK3xShEaGWQlKi/ya49D9WHETAP/5w6xSk1SnCsaUd6uQnPwFEvToF D32H/P1rmcUg7ud+djv5FS+nePjxtCS9avx6f8n64VK+jOUelCQh7BAovSTPxPwZ nVxyQsvIJmpW8NqCFhsHtwEOZO4L5Lk4TlW7pYkATAQYEQIADAUCNn22KgUJAeEz gAAKCRCFB8S80NSuxxo6AKDEzH9c1jzNqz5uqTml+o4assXr6wCfVab70zEQTXL9 0b3jg/clTv1/jkyZAQ0DNudcEAVwAQgAzqz9hv+7e1w7GJuso2HIKw5rVUdCz+rz WCvKDvrW1WpMg78lrSp2TF7YDe7aHC/XO8I81hVu8WBitzzNRyi4La+VtzceHW22 H2Xd2QAWY0Ei6SOSvluD/H2g1SCuFQK6BTGzZKNlXpyTMi0xfT06QU8ykenseMk0 S8jnuWtk7UQBACDO6t6epMnEl3heYkuKaivtY4YH1CNUDLOCCpSp+QKhptSElF/c 0q3P/f/IPwML10Qnp8Fr/WHYYRtNjrAIzfEkgw7yMuDOk7i9ZCP/UZ6jnaTo7dT9 
SiSEx1YK5c6uvZSE4e95WFmRde8IPtOZB3MExemT+EvTVOFivKbb0QAFEYkBFQMF IDmOICjTVOFivKbb0QEBdu0H/RPiRBGWFhlepO1UtxLDYD3ZLosgdQM0sODX/4HT u33vstaPAl3NBorqXKJsThpomlLPaKN/SDqTzpm2CXBvBekpkyih9rhFrDzf3Qvc C5H9Zo+Nz3KTd76C50yoFd1J58CuacMMdLAqcaP9Q4xsp6qHAxiTJ0IX0JOhKLCK lZe3rg/EI9Uf5HEmWN0tffnI59Y5XZFqWpVnH0SezgkqOW/Fi9zv3vXIKcEALALQ RNVyLKQnrOWTGIr9cV52CyE5N2KuRkur/bmtlMQ7DFyyxAtNijwmlNZ7Sa4FQ9Gc n0y681CvJPPoGVrogS8ncSktogBa+D0zq6HTD9MyiOzcdCu0IUx1Y2t5IEdyZWVu IDxzaGFtcm9ja0BuZXRjb20uY29tPokBFQMFEDbnXBDTVOFivKbb0QEBBT4H/1Ui ECh4LrBhhq1VaTjvt9JbHHjZ32oba/HY+BMUmZSaye6dUmfcJFbgrkaKEEjyC8Te 08r9fmvCqyL7WLUYXzlC8hZgeLsU9J/fq6cpHgknocEVaMdRwIOYUVe8R1llxXj8 56EyIfl4Cqt8DedA8kVPsET/G3H1iLI5jJMLTGWn74mblE/7XoB6ZbtJzfr4TZ1S qFP9UwOrpuIXqObVOpTmTyCWjfTWocaq69SKZo1vP/Ljz1vD+jENsC1vT2eg+BQB 0UoECe7rHsOLqzvdd2qlvdtdzrXRAwJ09SYJnzmPpgEYpinu63s/U6dBWMar7ByO 6hCrGzwqR7Eygssd9+uJAEYEEBECAAYFAjbnXEkACgkQhQfEvNDUrse+AACgzSob 20OCEMvKi1jWa74dbnTr0X8AoIzZde8sRxL3OHG6xJdbZ8bkRjYAiQBGBBARAgAG BQI251xrAAoJEPXUPTw3WtkkTwkAnjgM2sTc6wcDJVK9WZfd5p6sKsaBAJwJUnuG 86bKRaqL/XNVtVLfwet3T4kAlQMFEDbpKeCkUJAsCdPmTQEBhrUD/iMgzNg0mSxY x6wP4Dhf0cESQ6TE6TMpC2qN7Zxn9rcYa2XBXzvR3Ao8a80z1ulnCUaPhXd6Wml8 s65Buuk3sLqz9PYyvrmn8lgLDOeDwkh05+VlivVUD2gtP2jehHLQors1IaML1U+L Bu82M3RjbpG7EIE29p+C9peTjHH97AfqiQCVAwUQNukqAfLlZUzmDiptAQFOVAP7 B3daff+2NWeJ8yBBtMJes7bDOPzE99M+r3jJgvb8m+XyyrCEYZK3CMd49LjfKwGc lD8mxbkABTNrXNe9paYC77hw1KCmYC+bIoxSdmJvHTvxBWcmy0L6UPrGRNrMTC6o BoyZpq9zwy/JrzFLZlddWuBicBebxXF9RjlQ3/ogZaKJAJUDBRA26W5isLFxg026 EJEBAcwLA/4h8SOQMiHE3xo2gYFP47d+Kn5HMDvh0ol4dhmbS6oh5831To+oJ7Db 0lqvCfJ27FNWIq86zJ9r6BoRqiXcUqivfLDaKwtL0ULprZVRwjEhRkUMpEs/lGlw 2c0nECTzzTDvj7lfU25+2wWR9zI/ge7ql07vDn9JC5g4aaz+clE2/4kAlQMFEDcW Z6IVBbtr4vVmaQEBeJ8EAMsSBi1auDhXTiev20fXxYpKUsKbW570LFGVjBL9XWpE SSfNHRUDwoSRS9DPiBDk3gFUIlzPUprkDPx4OtGhqQkAq+Lf/byvwNdwQsHNbsgU sEW8MgqOuPr4b4NiVZA5qKsvWfqzjfUQJEBKxYmKRlHgldzYRfnPCrQnQz+F7w60 mQENAzlD3GcAAAEIAPJ10sQfvurMDvBWtyZGALGSWVIj/J2fg2IlbstOdI9vxQ1f 
WXbMKGWDYJZAJFl8LxvJeamoupFo/36JKH9HPZQjJd75743rd7TYRFBAEgV74XAD lnkVdsJ4pO0I9x1dcVGkgLvnOX00/RKNei5dorYApRvbsXf16oylovgrBB18G2VN d5Tt9+fry67+MsS4cYT0pjqEfCwSQuCSC/24qX4xm2xJf5XbcFBVIrBeKNJqZFhV l1vBAvN4Ii7pdPWOvbRihPEysIa91uenASVZed2s3IBlaVFNsHn81XXPWTY01VG1 xw5lliuSyLD2pib3tNg+cFrTuR2zBpR3CO7oz/MABRGJARUDBSA8nQqFBpR3CO7o z/MBARBaB/95TZ+0dUKDdz3AOikEoFEruTSGw62zsZjrpGdlxlB2YIweY2BsP/nH QI9NxYCVHzktXpTcEO/RhBJXpTiXqL3KF2uxsypTYNNolvR4LZvNoaU12w2YaC79 IYDdMWNLdBduzO9FrmIyOX9aSxPMyVMcbC9memzkf70WjCUZneqxOzjJwWpcFmkb G5dssVDHPX6Yzrlm4PkiLIwjVLDm4ndUVEiBBcZsOJN4JTOmgmsyeoF2DY02IqNU s0AUJEoT8HlnETA/WR6xWLSWADFWjuLf4wahG5nAOMLrHB12vEcXntUu7kun/OJF 3sPeBC/0j10/uEZvy/mEiVDappMZ5L8KtCVMdWNreSBHcmVlbiA8c2hhbXJvY2tA Y3lwaGVycHVua3MudG8+iQEVAwUQOUPcZwaUdwju6M/zAQEA8Af+IU5ePXMJ8lj0 P/dRganw+XNkYFD7u4E4kWg8R0PxMXiUVz+ReRCnOGuki3iv4+zKD4SkWYa8rQFZ maN2zK4uxdytovU3qvaMoK8W9q9TtsOLhJde0LthFbaEic6VQj6RMwHNe1bW5U91 HPVMrvTSsrr5Ig5qVrctFeMrBoMkUhcRbRcCKU/t4D/wZZX8W56fatgN7cCfwxbR JoZaGADl/BXwE4h2g+nZdkXrgVT4JMBBX1lAFXzLuZQYvFSxrrE/HULmZLcMg/GS WHhMPxHo+8+JkB67CV0FYroN40yraO1lLxLhKdFK16BpDxCmts6iynNDSQsRsM2m +KIollfiv4kARgQQEQIABgUCOUPclwAKCRD11D08N1rZJEvkAKC4ENgjsZmCYzQ0 XFA+BlNWYo6elACg7AiF6IrrLxNfhMSM5x1cvTCH4ZOJAEUEEBECAAYFAjlD3PYA CgkQhQfEvNDUrseLPQCePSrdL0cZAMk0n1p9uhptVgVcSJQAmOGVb5Z7+pT6XJZL PFRDiCva/22JARUDBRA5jjwjDXoNi1DA/qcBAVdUB/4zAjE51NIOqFeWuDM2CcST +f7zyhr6k/+MIVqlbEBCGMRbPAA35JPp+iz9zLkqHk2CjSVtmkImBg0SUgIJTslJ B0R7TZiTCmBtQArOBZR5cJwkxeAKvVbuhhbDIEZjYpqhOUe9PuirfBYR59l7u9Xb V8ZhuhEijTBOIMbiuKGeMvrGs5kAvrBR8mEyUifdrJW+Kfki5UM18b3YzjI+rasY Yrg6IJCXeGI7pHhRsdYH+Mq1/QGSOmR4v9Ndh/foTGb1p0LvjiThl2F6oWCUXEji BAWaO5Q0Uz9Mf125CUYDUt3Rjc6b9WRjVmH/+GHcdiE8MpLDkIIVQ62bV613ebkC iEYEEBECAAYFAjxwq24ACgkQiOayAT9atWnUfwCfYL5wVLdoogrNkeKNUkNDuPQM vFQAoOYTT+HhXjkbeN5EHAFlJtlyitZRiQEVAwUQPHLnrXxdxabQEF4dAQHIlAf6 A0H2C56EhIcDBXp71jpIuyUaj5cRMENT1slaBkMaBlFBTpra8HgB1m30Z0LMFFv4 6fP6G5I9cZ7AdnnjRCvKeYdNWh42yzGa0SMvRyRNtZC1HljIA9KMnqXdVpA+48jn 
1auSJy+DbfAUogEs8MyWbe/aJpJj21/aQH27vIgEXLLJ8MfB93kHL1mTFm48AC84 AtlHwdaY2ckwVomGv/vShnYq/jHAZWE4hJgNq21dFBzUx6aa5bg9C5u1ToZzNOaj Gk5DKRq/QJp0JVxqGtYXS6snexCOf2HnGaBlgtROnVIk6mlgyvK9BPnyZnSIJk/b yryYUwPPUaK7sVVoC+x/ApkBogQ1kIgYEQQAycC5ULZCLbCsrmpr6qMcjwDb4pAt Z7exJNlsYjVjaa+p0UuzraqHQ7u6PnYaui7yVpy/6KS4paY7EjD5gbgCK2z1fCT0 vldhPgW1X5Tt1ZR/0KNyxEZM7VXEiKid0KC7DwnmGC43OWRVxzmpftjDMEjup8HN /PstqJ9bdE1osmkAoP8gND8bGrvM/kqa2tkUUpzkfVYrA/4wxqs7lYjWO3Jj7eCn o1dJ9TRTG2k1L+4tuqzDji6qEZ7neTNGXDwJvEUwYR73RWix5ugG6cwoEA3g/fal jIwcGIVHK3pYesPfZ1Ur4Y6UkE/pvBIi89NK0d1B/JEakPYqRCOxBFtRQDtaXopb LOSXtpFKukzKwUmKRmwP9q8LqwQAx+kSRoxzOSsDApCErWFUTmE4S8iXEJAKRhl5 BTFCLMupWHT6d9TuyeLkjG1M9JgUG/f4K3MAKvem28otSVMO1iUZ98WhhneMb0ws VRIlHbt8TMaS/iX+pZEFvk9w0HgegKLy0iajkL/qnJFf6l+nlq0j/XWPCwRW42Qq sFo2e3+JAEYEIBECAAYFAjWQjJsACgkQJAedkxEyGeFTkgCgmFAMGCaVPPTUb724 IZxMglsN8IoAoJPRPQtez860lfVsB3Nah+QUIqzztCFMdWNreSBHcmVlbiA8c2hh bXJvY2tAbmV0Y29tLmNvbT6JAFAEEBECABAFAjWQiBgFCQD7zoADCwIBAAoJECQH nZMRMhnhWgUAoM2cu0r8bqcysyuQd9hJmQSjTRZ+AKD9OrwB9+jgXhgh+0FmZNoT 19Y1QYkARgQQEQIABgUCNZCJ0gAKCRCJcZ+ntmOw/UvxAJ9qQSL2CzzHoidfKb/O RKIZ8EdLOwCgmXCzPOtbkYrD+AcYDtUxvL/jj725Ag0ENZCJHBAIANN6/iJKt2pD lkTVWlS6x1dPCxP0GFA1omhtEiw8percEiXu2uosVYtB63HD/XYw42x4kGxZ55tt qD/3ha9xTMqbfSnX/LIPLejyCj/HAGBjjcfXpHXDbqKRpvw2oNHyx0aaz+LsA7MX 1196P5b0/cLqnl8ELpUqD05To3FoZj9Xw2w+aM+7XlnCo4FCPxpZBzWjbmbSJHfH F7AZ9fem+sXcnQgncwNsM6oOGVZE+weCefyCRogkg+b6pOqMlB9v1+tPJ9MmE5Am 7+hWQUdCTDiF/z6izEvVRqmjQc61oNOcUIE6+KGljx/n/lXKZFo5q6YxC/sPnuD3 z7TrJf15shMAAgIIANHHEYB3by11Ir6xs92PzF/2PrTCAIGuSGvRWkQ4GG9fH5IP rQVpb+WaJaVDqDHegsCbDoQ8hPYR9/s8FUiQEE5Ov7R0c6Ijb6wi3dPqdLwS2l0K dry91bndMk5RvF6/y5QJAUgO87YWMtaVKUpiyQiYy0QR+KP0Q/2jWlV9zcsS+HCB B0PiC9LjlBoCfHGN5kF1PU2i/Y1U+dWnl2N4GjYB+PBEBtR2WJ93uNHntkIXz70Q xh7yfGqEVDJcPpZRcPe0MZlzbmsPHvALltSAS+uWFHYdC2/lx2oI9xUeroCpYWDC Zx/01cKU+1xory8/1EUNYMdnYzDxXzrz52oiiauJAEwEGBECAAwFAjWQiRwFCQD7 zoAACgkQJAedkxEyGeEUXACeMphR03h4JPFwUFM0s9MDMQURiOkAoLU/WWKzNJHs 
ehW/XnZ5Z69Dm7MtmQINBDx8uBMBEADL5p8s35Ha9htctTVRHAzOWSopc7TGW24K H7Mtefww8DA0DIGLJFZ1Jpyz56zhBPNNUcEGu6InzUrM50o6V8t/mTGHXrv8Y9/l SVAUgRPsyYJW6+QIAW5iUV5ZASR7Q7n+3mUdzHmUmo/DBqZcWGkiOPrDwtedCMop RK95WCxMdEgKSiGu0NL/PYw7+CeI7YR8uZpRNcK2PSDyE0vN6JdNIFZxAjB9GlcB /+IITXU3S84gLO0ja9zNrOIpVH77eeuWE/IK6nNx89PH9yW+0NambK3e+grNDOoM ThHPb6hIWp7S4fvbdHziY+hRivQFzk2GfPzBhwhYJQjxa7/UaNWM9IiDjpIlay5V 05uneTBVYHzDG+0sAoi4oUxaJMq8sf30OAlVP4NL1VomT8SEI/XIjIEQtxg45AX4 1yAwTdJkckmv9/kTca+i8ckReAdvrCGXFLGihSk+vEoqu2UMffGhd+wwA8ne2sTo uw3sP7GkMvNXIAZOhhZUXcvtdcgZakjviqa0XPxdNMIf1WgKoqPHEd+uz+fbqXvS gcsxHdKs5916UCeYxoQNzHiAaQT26KkhONa3AxVH9C3QXX1i/IcCSVxQh9ZJ5EhK KlaS/6pcuGbha1fnETNDAmp92X9bHaxU356usrRBGbPN5pVzrPZUz0m5nQsNJ/j0 eXZAyfEgqQARAQABtCVMdWNreSBHcmVlbiA8c2hhbXJvY2tAY3lwaGVycHVua3Mu dG8+iQIuBBABAgAYBQI8fLgTCAsJCAcDAgEKAhkBBRsDAAAAAAoJEARVjUj9NCi0 DaYQALvDYVnecz7ncb6dtj3Kd0T6xwjTLtDGBth6UZRAm69TJxzDiSjwcDfmdp4J vlq0QN8M/goaaymMEknx67Coxi7kBUZj7AnAT90Ci+i8cFUOWDG5whhAQCrb9Cyx 9WoVDi3Uk72Uch8SBC0iivMWdSwVK92hYjNhz07syNbul04ejTdvfvDSJD9HTo51 s/ggCFvz9gSPeueI+SkevA7xcGaUg92m5BD7QVkza4c2Ep0tBjb3G5D7GzPTjTP1 aOVwJHyxlfU8p4YViunauyve4RpOOzsIzgZOXQabe4ojfMVypSvvEXSbF5WcGtb0 KQnL+nw1Dyqz4mHvMYZ1d8E6sJhN+KvrhSzb9dFgNLREJmG0xI9q/cqHEx+Wd0bx u7MTWQRJcY49JLmXv1XVO5N8EeSIIOA+/ZDlSvISiujnQtRmn5EGFGA5cfWepFSX eW0MwQtsYqGeKg2j96pbQkGTlWAfOf/OggUntXrywp5Nbg+8PqQQSCaNBIyEutlf RCUD6SLTRwEJeuV2ZWD2JH+ZD+whjyjERJ4bIZ6Lix9WHbsfocuIBnTV5WjnqweD OI/yAzd4KBgR+YCrliZSlwcYmhxJwN1Y1bZg/p9laghsysPUydfxdc2k19svPERO mkYBEQkJFU8V8KZXlf2j9TiLxwOEFaT6/Kt1CkUJRkoR8TYTiQBGBBARAgAGBQI8 fLg+AAoJEPXUPTw3WtkkVOAAn2lqzbWUwm3ugkV9YYOeElXmi2xbAJ4sfR/DbwI1 eMXTgO9GS2hSJrfesYkBFQMFEDx8uGMGlHcI7ujP8wEBfEYH/0y4di8Q5uTgqTTJ CSy49JRlYeZxGX94qgjkZgGpl7N+OFCjBUjJftrKn+yR52pgJA32XBhYLloOpHHU KoZLyLTHWZqih/pkLz13v8RocuMgqvgbR4mV8PwItk6nafjRf1AN/TGlEw8vSBrm ynXHjYndefFPWyNkRoxKhYl5i8/hNOnJfvBZiTPRR3xgCfi6CElpk9E7JJgzxKmw Fi1uY2LhHwjoEmd1V8QpsoOreZtVUxriwIX2tqITe/vJIczbQJB5ntr7Je6ViL0F 
Bo58WDPn5Sh8rH4nbaK1W+6j6aW+p1/BatbrMiADYYgkz9AdASCZ0zcdZYtC7rIP jdcS2WCIRgQQEQIABgUCPJVzzgAKCRAeZBx+BnV9LZxDAKDwaIEOfPRGrh+KBLjy Ra0nFU1bNwCgi+5fN0x7JT53aDjbrGyagbUafBWJARUDBRA8lXY5DXoNi1DA/qcB AcMEB/wI3oz97xwI67pFtJjhbjZW1rcPJ5S23lrMSizAekNmfazBz33/Q7uHfCUE 0mK9GWsrNXF5jhqsULsHJ3HdtLpBeASSVkw9tUI8TQCFPRAdERAaU8B4bGtT2SWT piEKvwWw/NI9BqJj5KTo41vxLb2S1athFrxz2S16UvxXLUSAUUZGUUg4W+Yt3TSW jwSNgmk3f43XdCHDpfA3v7sSMnPCfSx3eun/RTj63+VWHG9v73SK6TWg4Nx7AcDL LM54oCnrbSbm6GQCrScu5l3QxYUnDlKVjn8PAklhGcluQo5ZGUl5QVxL+KM1AA5o PKO5D5r75uPiB1nOXYlmYLM2/2LruQINBDx8uBwBEADPkrCPsnoMH7NK4oCcalMR x8NQpaLnjwDR8ktX3fHWYjHc2gWrvVl34R1JntnSMGeY2wMBdsuDXG+CtjFJ8bb0 w5PlUq5s1UWXYnVgry5/CPI2Zl94LuYpvAxd+Rm0nzSRJCkpBq2W5WNX0xWzJmmB b/Z1NpfuKDxso/DFJFvoO7zWPEPjCK6vDH7QyutadxuHR5xFMXyVk7O2u5LOjTh3 DUEhZaW1/8Hh4hwDZ4t+tyweLp/J2XAdgnREBqBNlJa2W1RYH7VSaNwpDOtljpWu RSxPONCNoWzIDnNYJ8guVkhlMWrVuoElitAL0Zd93CyP1boEd+DHdvnoRj/15niz UEdb68HvelSJX4xpCYoNxGobSbCMqttf/XGIyq9sza4ImDN+GXpe2f4dQYko/Z1M 8EfdRNk+4pWsk1Ul3E+uyJ16DdmXSjv23j5QdIh+QzT8HtUHESLSbKt2i7puBvZX ZU5Skj7iJVNPswmjw6ib1bEyXDhTmnPX+4fXLyN8Z/sXTvVbkYh1i3E3NBtCDLqS wa3aNTPJzcQ0aP1EebN2fleXeNMtI4fWD9ReHEDH3ezqSeFq9/aoEq+ZzqMANkCF YwV/33osb9tjZEYqUc1k6srpWutmhIdXMO/7b9RRo2c+6GjAWuQU5UmNAAj0bmTU pe+tOdEDwVX6NyglUCrrfQARAQABiQIiBBgBAgAMBQI8fLgcBRsMAAAAAAoJEARV jUj9NCi0YekP/3CIdTG+ieA3c5jAh+6fXEBD07DUcflwUhQlHPYHlVMsYxtz33jB eHoo3njt0b9fMvnkQWshLDGTzP1LPJzBbXuwyrgIqVqqy8ZKV0LiRmb2o+8c3fKK M7SF1Z8GBK5DzcYH6TgQPEBIwZ+hS2I2qqPkOSKkS6EvKv15hy5dj0dG2e2nHKLO 4Q+ScQgJpXWK5RSmoksTxwFFSjE8yKXyr3uc966hQ57cYuBFMB4wZQBqppIn8K8+ 1BDpbKXwUTtHL2bMAqAfWPifoJaz5UzLZcNfV+olE2vJJ3h5W0KAjvlxtPbRCMV5 ZQBrNdzBp3iHLC5+YA4Iia7doVjbvAFk0iEVhOHe6dSJW5S7kppzU1iKj58s49Rh g2ky5dM2RbIm4XwuKmqdIaG7bXqUKUbpy0rmInnzCT65WdVRnlQWjCNbutag85pW SuPSE4AoPxyCZGSerZPfx1N93oESnK/auTvbxsBDTA0CbRnfxb5dyHCt/tT94PEb yt/+RpC8iybs7WPuaC7gBMgVha8z3pg6lUA8c0YzL1tB6CWYUxb7v1MR14kQH4LT iqttvmdtMQbnwh17KmhvJkUr9ozvYb0uLiBJcHSZIuKwT9L10JL1tPFbHRRsMLOz 
YSkGuUX+w+pgpUKDSZ8Tr8Fp8Qz5l59jE0E+LWZRPT+PRnobEsxRY09y =GmB8 -----END PGP PUBLIC KEY BLOCK-----
I discussed this in detail with Lucky before he posted it. I'll give a summary of how this affects the readers of NANOG here -- feel free to forward if you like.
Prior to Bernstein's discovery that the row-reduction step in factorization could be made massively parallelizable, we believed that 1024 bit keys would remain unfactorable essentially forever. Now, 1024 bit RSA keys look to be factorable either presently, or in the very near future once Moore's law is taken into account. However, at a price tag of $2 billion for a specialized machine, we have a few years before anyone outside of the intelligence community attempts this.
What is most concerning to me is a few discoveries that were made while looking into the problem of widespread use of 1024 bit keys:
First: Verisign appears to have no minimum requirements for the key sizes it will sign. I have discussed at length Verisign's active contributions to the hindrance of security on the Internet in the past (see the archives of my presentation at DEFCON 9), but I somehow missed this gem. A few months ago, in fact, Verisign issued a 384 bit certificate. (You could factor this on your desktop machine in days.) 512 bit keys are also fairly commonly signed by Verisign. (Ugh.)
Question for people who know: Does Verisign allow you to submit CSRs for 2048 to 4096 bit certificates?
Second: As far as I can tell, OpenSSH (and I assume the commercial versions of SSH as well) offer no mechanism for enforcing the size of users' keys when public key authentication is turned on. This means that users could be placing (factorable) 512 bit keys in their ~/.ssh/authorized_keys files, which is in effect worse than using weak passwords (as an attacker would leave no false login attempts for you to detect in your logs). I've mailed Theo de Raadt asking if OpenSSH has an undocumented mechanism for specifying minimum permitted key size that I don't know about. If there is one, I'll certainly post a follow-up.
Lucky also mentions S/MIME, which has so many flaws I'm not going to address it; PGP, which places the risks squarely on the key-holder and doesn't prevent the use of 2048 bit keys (which should be safe even taking Bernstein's findings into account), so I'm not too concerned with that; and IPsec, which sadly isn't in widespread use.
So, my main concerns are TLS, (which is damaged due to poor engineering on the part of Netscape and Microsoft, and uncouth policy issues on the part of Verisign) and SSH, which may suffer from an easily correctable engineering flaw.
Note that the biggest concerns don't have to do specifically with 1024 bit keys, but rather, small key sizes in general.
--Len.
On Mon, 25 Mar 2002, Todd Suiter wrote:
(forwarded w/o permissions, though this hit bugtraq earlier...t)
---------- Forwarded message ----------
Date: Sat, 23 Mar 2002 17:38:02 -0800
From: Lucky Green <shamrock@cypherpunks.to>
To: cypherpunks@lne.com
Subject: 1024-bit RSA keys in danger of compromise
As those of you who have discussed RSA keys size requirements with me over the years will attest to, I always held that 1024-bit RSA keys could not be factored by anyone, including the NSA, unless the opponent had devised novel improvements to the theory of factoring large composites unknown in the open literature. I considered this to be possible, but highly unlikely. In short, I believed that users' desires for keys larger than 1024-bits were mostly driven by a vague feeling that "larger must be better" in some cases, and by downright paranoia in other cases. I was mistaken.
Based upon requests voiced by a number of attendees to this year's Financial Cryptography conference <http:/www.fc02.ai>, I assembled and moderated a panel titled "RSA Factoring: Do We Need Larger Keys?". The panel explored the implications of Bernstein's widely discussed "Circuits for Integer Factorization: a Proposal". http://cr.yp.to/papers.html#nfscircuit
Although the full implications of the proposal were not necessarily immediately apparent in the first few days following Bernstein's publication, the incremental improvements to parts of NFS outlined in the proposal turn out to carry significant practical security implications impacting the overwhelming majority of deployed systems utilizing RSA or DH as the public key algorithms.
Coincidentally, the day before the panel, Nicko van Someren announced at the FC02 rump session that his team had built software which can factor 512-bit RSA keys in 6 weeks using only hardware they already had in the office.
A very interesting result, indeed. (While 512-bit keys had been broken before, the feasibility of factoring 512-bit keys on just the computers sitting around an office was news at least to me).
The panel, consisting of Ian Goldberg and Nicko van Someren, put forth the following rough first estimates:
While the interconnections required by Bernstein's proposed architecture add a non-trivial level of complexity, as Bruce Schneier correctly pointed out in his latest CRYPTOGRAM newsletter, a 1024-bit RSA factoring device can likely be built using only commercially available technology for a price range of several hundred million dollars to about 1 billion dollars. Costs may well drop lower if one has the use of a chip fab. It is a matter of public record that the NSA as well as the Chinese, Russian, French, and many other intelligence agencies all operate their own fabs.
Some may consider a price tag potentially reaching $1B prohibitive. One should keep in mind that the NRO regularly launches SIGINT satellites costing close to $2B each. Would the NSA have built a device at less than half the cost of one of their satellites to be able to decipher the interception data obtained via many such satellites? The NSA would have to be derelict of duty to not have done so.
Bernstein's machine, once built, will have power requirements in the MW to operate, but in return will be able to break a 1024-bit RSA or DH key in seconds to minutes. Even under the most optimistic estimates for present-day PKI adoption, the inescapable conclusion is that the NSA, its major foreign intelligence counterparts, and any foreign commercial competitors provided with commercial intelligence by their national intelligence services have the ability to break on demand any and all 1024-bit public keys.
The security implications of a practical breakability of 1024-bit RSA and DH keys are staggering, since of the following systems as currently deployed tend to utilize keys larger than 1024-bits:
- HTTPS
- SSH
- IPSec
- S/MIME
- PGP
An opponent capable of breaking all of the above will have access to virtually any corporate or private communications and services that are connected to the Internet.
The most sensible recommendation in response to these findings at this time is to upgrade your security infrastructure to utilize 2048-bit user keys at the next convenient opportunity. Certificate Authorities may wish to investigate larger keys as appropriate. Some CA's, such as those used to protect digital satellite content in Europe, have already moved to 4096-bit root keys.
Undoubtedly, many vendors and their captive security consultants will rush to publish countless "reasons" why nobody is able to build such a device, would ever want to build such a device, could never obtain a sufficient number of chips for such a device, or simply should use that vendor's "unbreakable virtual onetime pad" technology instead.
While the latter doesn't warrant comment, one question to ask spokespersons pitching the former is "what key size is the majority of your customers using with your security product"? Having worked in this industry for over a decade, I can state without qualification that anybody other than perhaps some of the HSM vendors would be misinformed if they claimed that the majority - or even a sizable minority - of their customers have deployed key sizes larger than 1024-bits through their organization. Which is not surprising, since many vendor offerings fail to support larger keys.
In light of the above, I reluctantly revoked all my personal 1024-bit PGP keys and the large web-of-trust that these keys have acquired over time. The keys should be considered compromised. The revoked keys and my new keys are attached below.
--Lucky Green
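Len Sassaman's second point above, that nothing enforces the size of the keys users place in ~/.ssh/authorized_keys, can be checked after the fact by decoding each key blob and measuring the RSA modulus or DSA prime. The audit below is an added example, not code from this thread or from OpenSSH; the 2048-bit floor, the function names and the sample entries (numbers of the right size, not real keys) are assumptions.

```python
import base64
import struct

MIN_BITS = 2048  # assumed policy floor; the thread recommends 2048-bit keys

def read_field(blob, offset):
    """Read one SSH wire-format field: uint32 length, then that many bytes."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated field")
    return blob[offset + 4:end], end

def key_bits(blob):
    """Return (key type named inside the blob, size in bits) for RSA and DSA keys."""
    name, off = read_field(blob, 0)
    key_type = name.decode("ascii", "replace")
    if key_type == "ssh-rsa":
        _exponent, off = read_field(blob, off)
        number, _ = read_field(blob, off)   # modulus n
    elif key_type == "ssh-dss":
        number, _ = read_field(blob, off)   # prime p
    else:
        return key_type, None               # other algorithms: no size verdict here
    return key_type, int.from_bytes(number, "big").bit_length()

def split_fields(line):
    """Split on whitespace, except inside double-quoted option values."""
    fields, cur, quoted, escaped = [], "", False, False
    for ch in line:
        if ch.isspace() and not quoted:
            if cur:
                fields.append(cur)
            cur, escaped = "", False
            continue
        if ch == '"' and not escaped:
            quoted = not quoted
        escaped = ch == "\\" and not escaped
        cur += ch
    if cur:
        fields.append(cur)
    return fields

def audit(text, min_bits=MIN_BITS):
    """Return (line_no, key_type, bits, verdict) for each key line in the text."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = split_fields(line)
        # The key type is field 0, or field 1 when an options field comes first.
        idx = next((i for i, f in enumerate(fields[:2])
                    if f.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        declared = fields[idx] if idx is not None else None
        try:
            if idx is None or idx + 1 >= len(fields):
                raise ValueError("no key blob on this line")
            blob = base64.b64decode(fields[idx + 1], validate=True)
            key_type, bits = key_bits(blob)
        except ValueError:                  # binascii.Error is a ValueError
            findings.append((line_no, declared, None, "unparseable"))
            continue
        if bits is None:
            verdict = "not-checked"
        else:
            verdict = "ok" if bits >= min_bits else "weak"
        findings.append((line_no, key_type, bits, verdict))
    return findings

def mpint(n):
    """Encode a positive integer as an SSH mpint (sample construction only)."""
    raw = n.to_bytes(n.bit_length() // 8 + 1, "big")
    return struct.pack(">I", len(raw)) + raw

def sample_line(key_type, bits, options="", comment=""):
    """Build a constructed key line: a number of the right size, not a real key."""
    big = (1 << (bits - 1)) | 1
    blob = struct.pack(">I", len(key_type)) + key_type.encode()
    if key_type == "ssh-rsa":
        blob += mpint(65537) + mpint(big)
    else:                                   # ssh-dss: p, then dummy q, g, y
        blob += mpint(big) + mpint(5) + mpint(2) + mpint(3)
    b64 = base64.b64encode(blob).decode()
    return " ".join(x for x in (options, key_type, b64, comment) if x)

# Constructed authorized_keys content for the demonstration.
SAMPLE = "\n".join([
    "# constructed sample, not real keys",
    sample_line("ssh-rsa", 512, comment="alice@old-laptop"),
    sample_line("ssh-rsa", 2048, 'from="10.0.0.0/8",command="/opt/backup run"', "backup"),
    sample_line("ssh-dss", 1024, comment="bob"),
    "ssh-rsa not*base64 broken-entry",
])

if __name__ == "__main__":
    for line_no, key_type, bits, verdict in audit(SAMPLE):
        print(f"line {line_no}: {key_type} {bits} bits -> {verdict}")
```

Run against each account's real file, the "weak" and "unparseable" rows are the ones to follow up with the key owner.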
Len Sassaman <rabbi@quickie.net> writes:
Prior to Bernstein's discovery that the row-reduction step in factorization could be made massively parallelizable, we believed that 1024 bit keys would remain unfactorable essentially forever. Now, 1024 bit RSA keys look to be factorable either presently, or in the very near future once Moore's law is taken into account. However, at a price tag of $2 billion for a specialized machine, we have a few years before anyone outside of the intelligence community attempts this.
What is most concerning to me is a few discoveries that were made while looking into the problem of widespread use of 1024 bit keys:
Out of curiosity, was there any indication that Bernstein's improvements might apply to the discrete log problem, DSA in general, and the 1024-bit limit on key size built into NIST's DSS standard?
Revoking an RSA key and re-issuing a longer one might be a pain, but there's no option for that in the current GPG implementation.
Cheers.
-travis
On Mon, 25 Mar 2002, Travis Pugh wrote:
Out of curiosity, was there any indication that Bernstein's improvements might apply to the discrete log problem, DSA in general,
Bernstein's paper was geared toward RSA, but I believe he makes the claim that discrete log based algorithms are susceptible as well. I'm not a cryptographer, so my word shouldn't be taken as fact on this, but if there is a row-reduction step in solving DL, it would apply.
and the 1024-bit limit on key size built into NIST's DSS standard?
I'm not sure about the relative bit strength when the row reduction is taken into account, but I suspect that if the above assumptions are true, 1024 bit would be too small. NIST's limit was specified for purely technical reasons -- until recently, we did not have hash functions that were of sufficiently long bit-sizes to provide equivalent security for DSA keys larger than 1024 bits, so DSS was limited to that size. (SHA-1, the hash function specified in the DSS, was 160 bits. So was RIPEMD-160). One could now do a larger DSA with a larger hash such as SHA-512, though an updated DSS standard has not been specified yet.
Revoking an RSA key and re-issuing a longer one might be a pain, but there's no option for that in the current GPG implementation.
A few details on GnuPG, since I have intimate knowledge of that software and OpenPGP in general:
While the current version (1.0.6) of GnuPG cannot generate RSA keys, it *can* use them. If you have a version of PGP 7.x, you can generate RSA v4 keys up to 4096 bits, and then use them with GnuPG.
GnuPG 1.0.7 is slated to allow for the generation of RSA v4 keys. I think it's safe for everyone to wait until that comes out, since the threat of 1024 bit keys being broken is not an immediate one for most threat models.
Also, the major attacks to protect against with OpenPGP are ones that are undetectable by the intended users. For instance, if a flaw were found that allowed an attacker to decrypt PGP messages simply by "doing things" to them after they were intercepted over the wire, it would be huge.
In PGP, you have a 1024 bit DSA key as the master signing key. Breaking this would allow an attacker to forge signatures of yours (bad, but detectable, and only a real concern if you are using signatures in a critical environment, such as part of an authentication scheme) or bind new subkeys to your key. It is the subkeys that are used for encryption, and these are ElGamal keys, which are also based on the discrete log problem, but are up to 4096 bits in size, so Bernstein's attack shouldn't be an issue if we're assuming they're roughly equivalent in strength to RSA, taking this into account.
The way an attacker would exploit this weakness in order to read encrypted mail would be to modify your key to attach a bogus encryption subkey to it, and hope that people you communicate with encrypt to the bogus subkey instead of the real key. This won't go unnoticed for long, and doesn't get him past encrypted information, either.
So, I'm not too concerned about GnuPG presently, though I am going to bring up the issue of stronger DSA keys with the IETF working group.
Remember, the main change in opinion after Bernstein's paper is that 1024 bit keys are no longer "safe forever".
Far more frightening is that 512 bit keys are still in use, and can be broken in weeks by anyone with a few grand to throw at it (even without Bernstein's improvements).
--Len.
On Mon, Mar 25, 2002 at 03:32:08PM -0800, Len Sassaman wrote:
What is most concerning to me is a few discoveries that were made while looking into the problem of widespread use of 1024 bit keys:
Personally I'm not too concerned (yet). You're probably worse off due to implementation flaws. But on a list of things which "should be fixed" for the future: Any RSA implementation using RSARef (which until the patent expired was the only legal way to write RSA implementations in the US) is limited to < 1024 bits. I can think of a few vendors using embedded SSH who still suffer from this problem (Vendor F comes to mind, but their SSH implementation also doesn't work with OpenSSH w/freebsd localisations, so something else is afoot there as well). -- Richard A Steenbergen <ras@e-gerbil.net> http://www.e-gerbil.net/ras PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6)
Since you are mentioning Verisign here, and CA authorities in general, has anyone considered that factoring the CA authority's key is far simpler than breaking the underlying key [no matter how large?]. Based on the implementation, the CA's key cannot be changed often or easily. Key revocations are not automatic or even respected, and the CA's key, once compromised, can sign any other key you'd like for a beautiful man-in-the-middle attack. The man-in-the-middle is the only attack these keys are designed to thwart, because if you can't access the physical bits, you don't have anything to decipher anyway. The beautiful thing about compromising the CA's key is that it's not easily traceable.

Regards,
Deepak Jain
AiNET

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu]On Behalf Of Len Sassaman
Sent: Monday, March 25, 2002 6:32 PM
To: nanog@merit.edu
Subject: Re: 1024-bit RSA keys in danger of compromise (fwd)

I discussed this in detail with Lucky before he posted it. I'll give a summary of how this affects the readers of NANOG here -- feel free to forward if you like. Prior to Bernstein's discovery that the row-reduction step in factorization could be made massively parallelizable, we believed that 1024 bit keys would remain unfactorable essentially forever. Now, 1024 bit RSA keys look to be factorable either presently, or in the very near future once Moore's law is taken into account. However, at a price tag of $2 billion for a specialized machine, we have a few years before anyone outside of the intelligence community attempts this.

What is most concerning to me is a few discoveries that were made while looking into the problem of widespread use of 1024 bit keys:

First: Verisign appears to have no minimum requirements for the key sizes it will sign.
I have discussed at length Verisign's active contributions to the hindrance of security on the Internet in the past (see the archives of my presentation at DEFCON 9), but I somehow missed this gem. A few months ago, in fact, Verisign issued a 384 bit certificate. (You could factor this on your desk top machine in days.) 512 bit keys are also fairly commonly signed by Verisign. (Ugh.) Question for people who know: Does Verisign allow you to submit CSRs for 2048 to 4096 bit certificates?

Second: As far as I can tell, OpenSSH (and I assume the commercial versions of SSH as well) offer no mechanism for enforcing the size of users' keys when public key authentication is turned on. This means that users could be placing (factorable) 512 bit keys in their ~/.ssh/authorized_keys files, which is in effect worse than using weak passwords (as an attacker would leave no false login attempts for you to detect in your logs). I've mailed Theo de Raadt asking if OpenSSH has an undocumented mechanism for specifying minimum permitted key size that I don't know about. If there is one, I'll certainly post a follow-up.

Lucky also mentions S/MIME, which has so many flaws I'm not going to address it; PGP, which places the risks squarely on the key-holder and doesn't prevent the use of 2048 bit keys (which should be safe even taking Bernstein's findings into account), so I'm not too concerned with that; and IPsec, which sadly isn't in widespread use.

So, my main concerns are TLS, (which is damaged due to poor engineering on the part of Netscape and Microsoft, and uncouth policy issues on the part of Verisign) and SSH, which may suffer from an easily correctable engineering flaw. Note that the biggest concerns don't have to do specifically with 1024 bit keys, but rather, small key sizes in general.

--Len.

On Mon, 25 Mar 2002, Todd Suiter wrote:
(forwarded w/o permissions, though this hit bugtraq earlier...t)
---------- Forwarded message ---------- Date: Sat, 23 Mar 2002 17:38:02 -0800 From: Lucky Green <shamrock@cypherpunks.to> To: cypherpunks@lne.com Subject: 1024-bit RSA keys in danger of compromise
As those of you who have discussed RSA keys size requirements with me over the years will attest to, I always held that 1024-bit RSA keys could not be factored by anyone, including the NSA, unless the opponent had devised novel improvements to the theory of factoring large composites unknown in the open literature. I considered this to be possible, but highly unlikely. In short, I believed that users' desires for keys larger than 1024-bits were mostly driven by a vague feeling that "larger must be better" in some cases, and by downright paranoia in other cases. I was mistaken.
Based upon requests voiced by a number of attendees to this year's Financial Cryptography conference <http:/www.fc02.ai>, I assembled and moderated a panel titled "RSA Factoring: Do We Need Larger Keys?". The panel explored the implications of Bernstein's widely discussed "Circuits for Integer Factorization: a Proposal". http://cr.yp.to/papers.html#nfscircuit
Although the full implications of the proposal were not necessarily immediately apparent in the first few days following Bernstein's publication, the incremental improvements to parts of NFS outlined in the proposal turn out to carry significant practical security implications impacting the overwhelming majority of deployed systems utilizing RSA or DH as the public key algorithms.
Coincidentally, the day before the panel, Nicko van Someren announced at the FC02 rump session that his team had built software which can factor 512-bit RSA keys in 6 weeks using only hardware they already had in the office.
A very interesting result, indeed. (While 512-bit keys had been broken before, the feasibility of factoring 512-bit keys on just the computers sitting around an office was news at least to me).
The panel, consisting of Ian Goldberg and Nicko van Someren, put forth the following rough first estimates:
While the interconnections required by Bernstein's proposed architecture add a non-trivial level of complexity, as Bruce Schneier correctly pointed out in his latest CRYPTOGRAM newsletter, a 1024-bit RSA factoring device can likely be built using only commercially available technology for a price range of several hundred million dollars to about 1 billion dollars. Costs may well drop lower if one has the use of a chip fab. It is a matter of public record that the NSA as well as the Chinese, Russian, French, and many other intelligence agencies all operate their own fabs.
Some may consider a price tag potentially reaching $1B prohibitive. One should keep in mind that the NRO regularly launches SIGINT satellites costing close to $2B each. Would the NSA have built a device at less than half the cost of one of their satellites to be able to decipher the interception data obtained via many such satellites? The NSA would have to be derelict of duty to not have done so.
Bernstein's machine, once built, will have power requirements in the MW to operate, but in return will be able to break a 1024-bit RSA or DH key in seconds to minutes. Even under the most optimistic estimates for present-day PKI adoption, the inescapable conclusion is that the NSA, its major foreign intelligence counterparts, and any foreign commercial competitors provided with commercial intelligence by their national intelligence services have the ability to break on demand any and all 1024-bit public keys.
The security implications of a practical breakability of 1024-bit RSA and DH keys are staggering, since of the following systems as currently deployed tend to utilize keys larger than 1024-bits:
- HTTPS
- SSH
- IPSec
- S/MIME
- PGP
An opponent capable of breaking all of the above will have access to virtually any corporate or private communications and services that are connected to the Internet.
The most sensible recommendation in response to these findings at this time is to upgrade your security infrastructure to utilize 2048-bit user keys at the next convenient opportunity. Certificate Authorities may wish to investigate larger keys as appropriate. Some CA's, such as those used to protect digital satellite content in Europe, have already moved to 4096-bit root keys.
Undoubtedly, many vendors and their captive security consultants will rush to publish countless "reasons" why nobody is able to build such a device, would ever want to build such a device, could never obtain a sufficient number of chips for such a device, or simply should use that vendor's "unbreakable virtual onetime pad" technology instead.
While the latter doesn't warrant comment, one question to ask spokespersons pitching the former is "what key size is the majority of your customers using with your security product"? Having worked in this industry for over a decade, I can state without qualification that anybody other than perhaps some of the HSM vendors would be misinformed if they claimed that the majority - or even a sizable minority - of their customers have deployed key sizes larger than 1024-bits through their organization. Which is not surprising, since many vendor offerings fail to support larger keys.
In light of the above, I reluctantly revoked all my personal 1024-bit PGP keys and the large web-of-trust that these keys have acquired over time. The keys should be considered compromised. The revoked keys and my new keys are attached below.
--Lucky Green
On Mon, 25 Mar 2002, Deepak Jain wrote:
Since you are mentioning Verisign here, and CA authorities in general, has anyone considered that factoring the CA authority's key is far simpler than breaking the underlying key [no matter how large?]. Based on the
Well, that's not really the case. Breaking a 384 bit key is trivial. Breaking a 1024 bit key is probably not possible without a multi-billion dollar budget. 2048 bit keys are still in no danger of being broken any time soon unless further advances are made in factoring. But I see the point you are making, which is that targeting the CA lets you attack all of the browsers that trust keys signed by that CA, rather than specifically targeting that one site. However, MITM attacks are active attacks, and run the risk of being detected by the victim. If you break the key a site is using for encryption, you can read the traffic without fear of detection. Other comments on this issue, which I covered in my DEFCON 9 presentation: it would probably be a lot easier to compromise a CA's root key by means of network or physical attack, rather than through cryptanalysis. It also doesn't have to be Verisign you target -- there are over a hundred trusted root certification authorities in IE, some of them issued to companies that have gone bankrupt, or sold their root as part of their assets. Remember, if you're attempting a MITM attack in TLS, you're really exploiting poor design of the trust-management features of the client, which is a whole can-o-worms in and of itself. --Len.
Since you are mentioning Verisign here, and CA authorities in general, has anyone considered that factoring the CA authority's key is far simpler
Exactly. Why think $2B is some insurmountable barrier when there are far cheaper ways of getting what you want. Most computer people think of security only in terms of computers. Bribing a few night security guards is far cheaper than even cryptanalysis and will give any sufficiently interested party access to the machines signing the keys. At present, if you have the sophistication to break an "interesting" key, you could have the sophistication to not be detected MITM. The difference between inserting/replacing a valid flow, and simply listening [unless the attacker is stupid] isn't that big a difference from a detection [of the attack] point of view. Again, I am assuming things about the attacker that makes them scary. If the attacker is a little kiddie using his home broadband connection, he is not necessarily going to be able to use that information for anything particularly harmful. Yes, but the trust architecture out there today are far more vulnerable [IMO] than the underlying key-encryption. Again, while key negotiation is interesting and important, RSA/DSA/etc are only used in that stage, and generally the underlying connection [for performance reasons] moves with a significantly less bulky encryption algorithm. Blowfish, IDEA and a few others come to mind. It is far more trivial to capture and compromise an instream algorithm than worrying about the key at the get go is [unless you are trying to permanently compromise a victim, at which point the CA is an easier target anyway]. This is especially the case when you allow for dedicated hardware. I have always been of the opinion that all of this internet-widely-available encryption is primarily to make customers feel safe and save credit card companies some liability. There wasn't enough thought put into it at all levels to make it more safe/secure than that. No one is going to spend millions of dollars to get at most the same millions of dollars of back in credit card fraud [good money after bad]. 
Anyone who is relying on these commercial architectures to secure gov't secrets or secrets worthy of an intelligence outfit's attention is a moron [for numerous reasons]. If all you are doing is trying to secure machines against script kiddies, starting huge public debates and initiatives and the like seems like overkill to me. [investment is greater than reward]. YMMV. Deepak Jain AiNET -----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu]On Behalf Of Len Sassaman Sent: Monday, March 25, 2002 8:14 PM To: Deepak Jain Cc: nanog@merit.edu Subject: RE: 1024-bit RSA keys in danger of compromise (fwd) On Mon, 25 Mar 2002, Deepak Jain wrote: than
breaking the underlying key [no matter how large?]. Based on the
Well, that's not really the case. Breaking a 384 bit key is trivial. Breaking a 1024 bit key is probably not possible without a multi-billion dollar budget. 2048 bit keys are still in no danger of being broken any time soon unless further advances are made in factoring. But I see the point you are making, which is that targeting the CA lets you attack all of the browsers that trust keys signed by that CA, rather than specifically targeting that one site. However, MITM attacks are active attacks, and run the risk of being detected by the victim. If you break the key a site is using for encryption, you can read the traffic without fear of detection. Other comments on this issue, which I covered in my DEFCON 9 presentation: it would probably be a lot easier to compromise a CA's root key by means of network or physical attack, rather than through cryptanalysis. It also doesn't have to be Verisign you target -- there are over a hundred trusted root certification authorities in IE, some of them issued to companies that have gone bankrupt, or sold their root as part of their assets. Remember, if you're attempting a MITM attack in TLS, you're really exploiting poor design of the trust-management features of the client, which is a whole can-o-worms in and of itself. --Len.
On Mon, 25 Mar 2002, Deepak Jain wrote:
Exactly. Why think $2B is some insurmountable barrier when there are far
$2B isn't an insurmountable barrier. It is well within most intelligence agencies' budgets, and that price will only get lower.
At present, if you have the sophistication to break an "interesting" key, you could have the sophistication to not be detected MITM. The difference between inserting/replacing a valid flow, and simply listening [unless the attacker is stupid] isn't that big a difference from a detection [of the attack] point of view.
Passive attacks are, by definition, undetectable. Active attacks are not; some are simply more detectable than others.
No one is going to spend millions of dollars to get at most the same millions of dollars of back in credit card fraud [good money after bad]. Anyone who is relying on these commercial architectures to secure gov't secrets or secrets worthy of an intelligence outfit's attention is a moron [for numerous reasons]. If all you are doing is trying to secure machines against script kiddies, starting huge public debates and initiatives and the like seems like overkill to me. [investment is greater than reward]. YMMV.
Remember that there is no international law preventing a country's intelligence agency from committing industrial espionage for its own companies (and in fact this is common practice). Also, remember that the US Military has considered, and may very well be using, IPsec in the field to coordinate military maneuvers. I think you're really missing the main point with that $2 billion figure. The "big surprise" is that we might be able to put a price-point on factoring 1024 bit keys -- previously, they were thought to be "secure forever". A machine that costs $2 billion today, according to Moore's law, will cost about $200,000 20 years from now. Not counting inflation. That will be well within many people's budgets.
On Mon, 25 Mar 2002 18:05:53 -0800 (PST) Len Sassaman <rabbi@quickie.net> wrote:
A machine that costs $2 billion today, according to Moore's law, will cost about $200,000 20 years from now. Not counting inflation. That will be well within many people's budgets.
Hmm. Something very interesting about that, is the fact that someone could basically just dump tons of data to a hard drive, and have it available when they could afford to decode it. Some information is definitely quite valuable even five years down the road.
On Mon, Mar 25, 2002 at 09:34:28PM -0500, Brad Barnett wrote:
On Mon, 25 Mar 2002 18:05:53 -0800 (PST) Len Sassaman <rabbi@quickie.net> wrote:
A machine that costs $2 billion today, according to Moore's law, will cost about $200,000 20 years from now. Not counting inflation. That will be well within many people's budgets.
Hmm. Something very interesting about that, is the fact that someone could basically just dump tons of data to a hard drive, and have it available when they could afford to decode it.
Some information is definitely quite valuable even five years down the road.
Yep. The Venona program in the 40's and 50's is a good example of this - many of the decrypted messages were actually intercepted years and years earlier. Storage gets cheaper and cheaper every day. David -- David Shaw | dshaw@jabberwocky.com | WWW http://www.jabberwocky.com/ +---------------------------------------------------------------------------+ "There are two major products that come out of Berkeley: LSD and UNIX. We don't believe this to be a coincidence." - Jeremy S. Anderson
[snip] $2B isn't an insurmountable barrier. It is well within most intelligence agencies' budgets, and that price will only get lower. --- Agreed. Imagine what intelligence agencies could gain by turning your most valuable employees for secrets.
At present, if you have the sophistication to break an "interesting" key, you could have the sophistication to not be detected MITM. The difference between inserting/replacing a valid flow, and simply listening [unless the attacker is stupid] isn't that big a difference from a detection [of the attack] point of view.
No one is going to spend millions of dollars to get at most the same millions of dollars of back in credit card fraud [good money after bad]. Anyone who is relying on these commercial architectures to secure gov't secrets or secrets worthy of an intelligence outfit's attention is a moron [for numerous reasons]. If all you are doing is trying to secure machines against script kiddies, starting huge public debates and initiatives and
Passive attacks are, by definition, undetectable. Active attacks are not; some are simply more detectable than others. --- I disagree about passive attacks, but I won't go into all of the reasons here. Passive attacks, by my definition, only imply that they do not interrupt the flow they are observing. [interrupt, at least at a macroscopic level]. For an example of passive monitoring that can be detected, look at the example of how one would sniff live fiber in the field [without splicing or introducing electronics]. Or for a more commonplace example, think of an induction coil next to an electrical wire. It's a passive attack, but is _definitely_ detectable. the
like seems like overkill to me. [investment is greater than reward]. YMMV.
Remember that there is no international law preventing a country's intelligence agency from committing industrial espionage for its own companies (and in fact this is common practice). --- Sure, no argument. Also, remember that the US Military has considered, and may very well be using, IPsec in the field to coordinate military maneuvers. I think you're really missing the main point with that $2 billion figure. The "big surprise" is that we might be able to put a price-point on factoring 1024 bit keys -- previously, they were thought to be "secure forever". ---- I guess this is an assumption we don't all share. You know what they say about assumptions. A machine that costs $2 billion today, according to Moore's law, will cost about $200,000 20 years from now. Not counting inflation. That will be well within many people's budgets. --- Also agreed. Anyone who thinks the shelf life of their keys is 20 years, or the information captured today is valuable for more than a couple of years, then they are making generous assumptions too. If it's a big surprise that any key of any arbitrary length can be cracked in finite time and in finite resources, I think people haven't been thinking about the information presented in the security books out there. Most of the estimates that say anything is "unbreakable" don't recognize that Moore's law is real, and accelerating... Deepak Jain AiNET
On Mon, 25 Mar 2002, Deepak Jain wrote:
If it's a big surprise that any key of any arbitrary length can be cracked in finite time and in finite resources, I think people haven't been thinking about the information presented in the security books out there. Most of the estimates that say anything is "unbreakable" don't recognize that Moore's law is real, and accelerating...
That is a fallacy. Moore's law is most certainly not accelerating -- in fact: 1965-1990 Moore's law stated that the number of transistors per square inch on integrated circuits (and therefore, the speed) doubles every 2 years. The pace has since slowed down a bit, but appears to be holding steady at doubling every 18 months (1995-present). http://www.physics.udel.edu/wwwusers/watson/scen103/intel.html However, this trend cannot continue forever. In 1997, Moore predicted we would reach the physical limits on transistor miniaturization somewhere around 2017. Whatever the actual date, we will need a break-through in computing to continue to obtain performance increases over time past this point. --Len.
If it's a big surprise that any key of any arbitrary length can be cracked in finite time and in finite resources, I think people haven't been thinking about the information presented in the security books out there. Most of
On Mon, 25 Mar 2002, Deepak Jain wrote: the
estimates that say anything is "unbreakable" don't recognize that Moore's law is real, and accelerating...
That is a fallacy. Moore's law is most certainly not accelerating -- in fact: 1965-1990 Moore's law stated that the number of transistors per square inch on integrated circuits (and therefore, the speed) doubles every 2 years. The pace has since slowed down a bit, but appears to be holding steady at doubling every 18 months (1995-present). http://www.physics.udel.edu/wwwusers/watson/scen103/intel.html However, this trend cannot continue forever. In 1997, Moore predicted we would reach the physical limits on transistor miniaturization somewhere around 2017. Whatever the actual date, we will need a break-through in computing to continue to obtain performance increases over time past this point. -------- If we are just limiting our analysis to computing power and their physical size limitations, there are plenty of such breakthroughs on the horizon: Like Molecular Transistors: http://www.lucent.com/minds/transistor/molecular/ This is WAY off topic for NANOG. I'm done with this publicly. Regards, Deepak Jain AiNET
On Mon, Mar 25, 2002 at 11:05:21PM -0500, Deepak Jain wrote:
That is a fallacy. Moore's law is most certainly not accelerating -- in fact:
1965-1990 Moore's law stated that the number of transistors per square inch on integrated circuits (and therefore, the speed) doubles every 2 years. The pace has since slowed down a bit, but appears to be holding steady at doubling every 18 months (1995-present).
Not to be too picky, but how is going from "doubling every 2 years" to "doubling every 18 months" slowing down? :) -- Richard A Steenbergen <ras@e-gerbil.net> http://www.e-gerbil.net/ras PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6)
On Mon, 25 Mar 2002, Richard A Steenbergen wrote:
On Mon, Mar 25, 2002 at 11:05:21PM -0500, Deepak Jain wrote:
That is a fallacy. Moore's law is most certainly not accelerating -- in fact:
1965-1990 Moore's law stated that the number of transistors per square inch on integrated circuits (and therefore, the speed) doubles every 2 years. The pace has since slowed down a bit, but appears to be holding steady at doubling every 18 months (1995-present).
Not to be too picky, but how is going from "doubling every 2 years" to "doubling every 18 months" slowing down? :)
Erm, yeah. Thanks for calling me on that -- I horribly condensed what I was trying to say. By the original definition (number of transistors per square inch doubles every year), it has slowed to every 2.5 years. See the graph I linked to. Data density is currently doubling every 18 months, and holding steady at that rate. (But this *is* off topic for NANOG...)
On Mon, 25 Mar 2002, Len Sassaman wrote:
I've mailed Theo de Raadt asking if OpenSSH has an undocumented mechanism for specifying minimum permitted key size that I don't know about. If there is one, I'll certainly post a follow-up.
the new CVS versions of OpenSSH (the current portable CVS version doesn't have the changes quite yet) allow you to specify a minimum key length as a #define at compile time. see ssh.h:

    #define SSH_RSA_MINIMUM_MODULUS_SIZE 768

- brett
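The gap Len describes in this thread, users placing short RSA keys in ~/.ssh/authorized_keys with nothing on the server to object, can be audited after the fact by reading the modulus out of each entry. The Python below is an added example, not code from the thread or from OpenSSH; the function names, the 2048-bit default floor (taken from the recommendation quoted in the thread) and the sample entries are assumptions made for illustration, and only `ssh-rsa` entries are measured.

```python
import base64
import struct

MIN_RSA_BITS = 2048  # assumed policy floor; the thread recommends 2048-bit user keys


def _read_string(buf, offset):
    """Read one SSH wire-format string: uint32 big-endian length, then the bytes."""
    if offset + 4 > len(buf):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(buf):
        raise ValueError("truncated field")
    return buf[start:end], end


def rsa_modulus_bits(blob_b64):
    """Return the modulus size in bits of a base64 ssh-rsa public key blob."""
    blob = base64.b64decode(blob_b64, validate=True)
    key_type, off = _read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key")
    _exponent, off = _read_string(blob, off)   # public exponent e
    modulus, off = _read_string(blob, off)     # modulus n (mpint, may carry a leading 0x00)
    return int.from_bytes(modulus, "big").bit_length()


def audit_authorized_keys(text, min_bits=MIN_RSA_BITS):
    """Return (line number, bits or None, status) for every key line in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        bits = None
        # Options such as command="..." may precede the key type, so search for it.
        for i, tok in enumerate(tokens[:-1]):
            if tok == "ssh-rsa":
                try:
                    bits = rsa_modulus_bits(tokens[i + 1])
                    break
                except ValueError:
                    continue  # damaged blob, or "ssh-rsa" appeared inside an option
        if bits is None:
            findings.append((lineno, None, "skipped"))  # not RSA, or unparsable
        elif bits < min_bits:
            findings.append((lineno, bits, "weak"))
        else:
            findings.append((lineno, bits, "ok"))
    return findings


def _mpint(value):
    """Encode a positive integer as an SSH mpint (leading zero bit kept clear)."""
    raw = value.to_bytes(value.bit_length() // 8 + 1, "big")
    return struct.pack(">I", len(raw)) + raw


def _make_blob(n, e=65537):
    """Build an ssh-rsa blob from integers (used only to construct sample input)."""
    return struct.pack(">I", 7) + b"ssh-rsa" + _mpint(e) + _mpint(n)


def sample_authorized_keys():
    """Constructed sample file. The moduli are not real RSA moduli; only their
    length matters for this check."""
    weak = base64.b64encode(_make_blob((1 << 511) | 1)).decode()
    strong = base64.b64encode(_make_blob((1 << 2047) | 1)).decode()
    return "\n".join([
        "# constructed sample, not real keys",
        f"ssh-rsa {weak} alice@constructed",
        f'command="/usr/bin/true",no-pty ssh-rsa {strong} backup@constructed',
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5 truncated@constructed",
        f"ssh-rsa {weak[:40]} damaged@constructed",
    ])


if __name__ == "__main__":
    for lineno, bits, status in audit_authorized_keys(sample_authorized_keys()):
        print(f"line {lineno}: {status} ({bits} bits)")
```

The size is computed from the modulus itself rather than trusted from any comment or declared field, so an entry labelled as a larger key than it really is still gets flagged.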
participants (8)
- Brad Barnett
- Brett Eldridge
- David Shaw
- Deepak Jain
- Len Sassaman
- Richard A Steenbergen
- Todd Suiter
- Travis Pugh