<?xml version="1.0" encoding="UTF-8"?><?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?> <!-- generated by https://github.com/cabo/kramdown-rfc2629 version 1.3.35 --><!DOCTYPE rfc SYSTEM"rfc2629.dtd" [ <!ENTITY RFC2119 SYSTEM "https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"> <!ENTITY RFC8174 SYSTEM "https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"> <!ENTITY RFC5912 SYSTEM "https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.5912.xml"> <!ENTITY RFC5652 SYSTEM "https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.5652.xml"> <!ENTITY RFC7696 SYSTEM "https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.7696.xml"> <!ENTITY RFC5084 SYSTEM "https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.5084.xml"> <!ENTITY RFC4086 SYSTEM "https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.4086.xml"> ]> <?rfc toc="yes"?> <?rfc sortrefs="yes"?> <?rfc symrefs="yes"?>"rfc2629-xhtml.ent"> <rfc xmlns:xi="http://www.w3.org/2001/XInclude" number="9044" updates="" obsoletes="" category="std" consensus="true" submissionType="IETF" ipr="trust200902" sortRefs="true" symRefs="true" tocInclude="true" docName="draft-ietf-lamps-cms-aes-gmac-alg-05"category="std" consensus="true">xml:lang="en" version="3"> <front> <title abbrev="Using AES-GMAC with the CMS">Using the AES-GMAC Algorithm with the Cryptographic Message Syntax (CMS)</title> <seriesInfo name="RFC" value="9044"/> <author initials="R." surname="Housley" fullname="Russ Housley"> <organization abbrev="Vigil Security">Vigil Security, LLC</organization> <address> <postal> <street>516 Dranesville Road</street><city>Herndon, VA</city><city>Herndon</city> <region>VA</region> <code>20170</code><country>US</country><country>United States of America</country> </postal> <email>housley@vigilsec.com</email> </address> </author> <date year="2021"month="April" day="02"/>month="June"/> <area>Security</area><keyword>Internet-Draft</keyword><keyword>Authentication</keyword> <keyword>Message Authentication Code</keyword> <abstract> <t>This document specifies the conventions for using the AES-GMAC Message Authentication Codealgorithmsalgorithm with the Cryptographic Message Syntax (CMS) as specified in RFC 5652.</t> </abstract> </front> <middle> <section anchor="intro" title="Introduction"> <t>This document specifies the conventions for using the AES-GMAC <xreftarget="AES"/><xreftarget="AES"/> <xref target="GCM"/> Message Authentication Code (MAC) algorithm with the Cryptographic Message Syntax (CMS) <xref target="RFC5652"/>.</t> </section> <section anchor="terms" title="Terminology"><t>The<t> The key words“MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “NOT RECOMMENDED”, “MAY”,"<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>", "<bcp14>MAY</bcp14>", and“OPTIONAL”"<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as described inBCP 14BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they appear in all capitals, as shownhere.</t>here. </t> </section> <section anchor="message-authentication-code-algorithms" title="Message Authentication Code Algorithms"> <t>This section specifies the conventions employed by CMS <xref target="RFC5652"/> implementations that support the AES-GMAC <xreftarget="AES"/><xreftarget="AES"/> <xref target="GCM"/> Message Authentication Code (MAC) algorithm.</t> <t>MAC algorithm identifiers are located in the AuthenticatedData macAlgorithm field.</t> <t>MAC values are located in the AuthenticatedData mac field.</t> <section anchor="aes-gmac" title="AES-GMAC"> <t>The AES-GMAC <xreftarget="AES"/><xreftarget="AES"/> <xref target="GCM"/> Message Authentication Code (MAC) algorithm uses one of the following algorithm identifiers in the AuthenticatedData macAlgorithm field; the choice depends on the size of the AES key, which is either 128 bits, 192 bits, or 256 bits:</t><figure><artwork><![CDATA[<sourcecode type="asn.1"><![CDATA[ aes OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistAlgorithm(4) 1 } id-aes128-GMAC OBJECT IDENTIFIER ::= { aes 9 } id-aes192-GMAC OBJECT IDENTIFIER ::= { aes 29 } id-aes256-GMAC OBJECT IDENTIFIER ::= { aes 49 }]]></artwork></figure>]]></sourcecode> <t>For all three of these algorithm identifier values, the AlgorithmIdentifier parameters fieldMUST<bcp14>MUST</bcp14> be present, and the parametersMUST<bcp14>MUST</bcp14> contain GMACParameters:</t><figure><artwork><![CDATA[<sourcecode type="asn.1"><![CDATA[ GMACParameters ::= SEQUENCE { nonce OCTET STRING, -- recommended size is 12 octets length MACLength DEFAULT 12 } MACLength ::= INTEGER (12 | 13 | 14 | 15 | 16)]]></artwork></figure>]]></sourcecode> <t>The GMACParameters nonce field is the GMAC initialization vector. The nonce may have any number of bits between 8 and (2^64)-1, but itMUST<bcp14>MUST</bcp14> be a multiple of 8 bits. Within the scope of any content-authentication key, the nonce valueMUST<bcp14>MUST</bcp14> be unique. A nonce value of 12 octets can be processed more efficiently, so that length for the nonce value isRECOMMENDED.</t><bcp14>RECOMMENDED</bcp14>.</t> <t>The GMACParameters length field tells the size of the message authentication code. ItMUST<bcp14>MUST</bcp14> match the size in octets of the value in the AuthenticatedData mac field. A length of 12 octets isRECOMMENDED.</t><bcp14>RECOMMENDED</bcp14>.</t> </section> </section> <section anchor="implementation-considerations" title="Implementation Considerations"> <t>An implementation of the Advanced Encryption Standard (AES) Galois/Counter Mode (GCM) authenticated encryption algorithm is specified in <xref target="GCM"/>. An implementation of AES-GCM can be used to compute the GMAC message authentication code by providing the content-authentication key as the AES key, the nonce as the initialization vector, a zero-length plaintext content, and the content to be authenticated as the additional authenticated data (AAD). The result of the AES-GCM invocation is the AES-GMAC authentication code, which is called theauthentication tag"authentication tag" in some implementations. In AES-GCM, the encryption step is skipped when no input plaintext isprovided, andprovided; therefore, no ciphertext is produced.</t> <t>The DEFAULT andRECOMMENDED<bcp14>RECOMMENDED</bcp14> values in GMACParameters were selected to align with the parameters defined for AES-GCM inSection 3.2 of<xreftarget="RFC5084"/>.</t>target="RFC5084" sectionFormat="of" section="3.2"/>.</t> </section> <section anchor="asn1-module" title="ASN.1 Module"> <t>The following ASN.1 module uses the definition for MAC-ALGORITHM from <xref target="RFC5912"/>.</t><figure><artwork><![CDATA[<sourcecode type="asn.1"> <![CDATA[ CryptographicMessageSyntaxGMACAlgorithms { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) modules(0)id-mod-aes-gmac-alg-2020(TBD)id-mod-aes-gmac-alg-2020(72) } DEFINITIONS IMPLICIT TAGS ::= BEGIN -- EXPORTS All IMPORTS AlgorithmIdentifier{}, MAC-ALGORITHM FROM AlgorithmInformation-2009 -- from [RFC5912] { iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-algorithmInformation-02(58)} ; -- Object Identifiers aes OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistAlgorithm(4) 1 } id-aes128-GMAC OBJECT IDENTIFIER ::= { aes 9 } id-aes192-GMAC OBJECT IDENTIFIER ::= { aes 29 } id-aes256-GMAC OBJECT IDENTIFIER ::= { aes 49 } -- GMAC Parameters GMACParameters ::= SEQUENCE { nonce OCTET STRING, -- recommended size is 12 octets length MACLength DEFAULT 12 } MACLength ::= INTEGER (12 | 13 | 14 | 15 | 16) -- Algorithm Identifiers maca-aes128-GMAC MAC-ALGORITHM ::= { IDENTIFIER id-aes128-GMAC PARAMS TYPE GMACParameters ARE required IS-KEYED-MAC TRUE } maca-aes192-GMAC MAC-ALGORITHM ::= { IDENTIFIER id-aes192-GMAC PARAMS TYPE GMACParameters ARE required IS-KEYED-MAC TRUE } maca-aes256-GMAC MAC-ALGORITHM ::= { IDENTIFIER id-aes256-GMAC PARAMS TYPE GMACParameters ARE required IS-KEYED-MAC TRUE } END -- of CryptographicMessageSyntaxGMACAlgorithms]]></artwork></figure>]]></sourcecode> </section> <section anchor="iana-considerations" title="IANA Considerations"><t>IANA is asked to register<t> IANA has registered the objectidentifiers for one moduleidentifier shown in <xref target="IANA1"/> in the“SMI"SMI Security for S/MIME Module Identifier(1.2.840.113549.1.9.16.0)” registry for id-mod-aes-gmac-alg-2020.</t>(1.2.840.113549.1.9.16.0)" registry.</t> <table anchor="IANA1"> <thead> <tr> <th>Decimal</th> <th>Description</th> <th>References</th> </tr> </thead> <tbody> <tr> <td>72</td> <td>id-mod-aes-gmac-alg-2020</td> <td>RFC 9044</td> </tr> </tbody> </table> </section> <section anchor="security-considerations" title="Security Considerations"> <t>The CMS provides a method for authenticating data. This document identifies the conventions for using the AES-GMAC algorithm with the CMS.</t> <t>The key management technique employed to distribute message-authentication keys must itself provideauthentication, otherwiseauthentication; otherwise, the content is delivered with integrity from an unknown source.</t> <t>When more than two parties share the same message-authentication key, data origin authentication is not provided. Any party that knows the message-authentication key can compute a validMAC, thereforeMAC; therefore, the content could originate from any one of the parties.</t> <t>Within the scope of any content-authentication key, the AES-GMAC nonce valueMUST<bcp14>MUST</bcp14> be unique. Use of a nonce value more than once allows an attacker to generate valid AES-GMAC authentication codes for arbitrary messages, resulting in the loss of authentication as described in Appendix A of <xref target="GCM"/>.</t> <t>Within the scope of any content-authentication key, the authentication tag length (MACLength)MUST<bcp14>MUST</bcp14> be fixed.</t> <t>If AES-GMAC is used as a building block in another algorithm (e.g., as apseudo-randompseudorandom function), AES-GMACMUST<bcp14>MUST</bcp14> be used only one time by that algorithm. For instance, AES-GMACMUST NOT<bcp14>MUST NOT</bcp14> be used as thepseudo-randompseudorandom function for PBKDF2.</t> <t>WhenIVinitialization vector (IV) lengths other than 96 bits are used, the GHASH function is used to process the provided IV, which introduces a potentialoffor IV collisions. However, IV collisions are not a concern with CMS AuthenticatedData because a fresh content-authentication key is usually generated for each message.</t> <t>The probability of a successful forgery is close to2^(−t),2^(-t), where t is the number of bits in the authentication tag length (MACLength*8). This nearly ideal authentication protection is achieved for CMS AuthenticatedData when a fresh content-authentication key is generated for each message. However, the strength of GMAC degrades slightly as a function of the length of the message being authenticated <xreftarget="F2005"/><xreftarget="F2005"/> <xref target="MV2005"/>. ImplementationsSHOULD<bcp14>SHOULD</bcp14> use 16-octet authentication tags for messages over 2^64 octets.</t> <t>Implementations must randomly generate message-authentication keys. The use of inadequatepseudo-randompseudorandom number generators (PRNGs) to generate keys can result in little or no security. An attacker may find it much easier to reproduce the PRNG environment that produced the keys, searching the resulting small set of possibilities, rather thanbrute forcebrute-force searching the whole key space. The generation of quality random numbers is difficult. <xref target="RFC4086"/> offers important guidance in this area.</t> <t>Implementers should be aware that cryptographic algorithms become weaker with time. As new cryptanalysis techniques are developed and computing performance improves, the work factor to break a particular cryptographic algorithm will reduce. Therefore, cryptographic algorithm implementations should bemodularmodular, allowing new algorithms to be readily inserted. That is, implementers should be prepared to regularly update the set of algorithms in their implementations. More information is available in BCP 201 <xref target="RFC7696"/>.</t> </section><section anchor="acknowledgements" title="Acknowledgements"> <t>Many thanks to Hans Aschauer, Hendrik Brockhaus, Quynh Dang, Roman Danyliw, Tim Hollebeek, Ben Kaduk, Mike Ounsworth, and Magnus Westerlund for their careful review and thoughtful improvements.</t> </section></middle> <back><references title='Normative References'> &RFC2119; &RFC8174; &RFC5912; &RFC5652;<references> <name>References</name> <references> <name>Normative References</name> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5652.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5912.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"/> <referenceanchor="AES" >anchor="AES"> <front> <title>Advanced Encryption Standard (AES)</title> <author > <organization>National Institute of Standards andTechnology (NIST)</organization>Technology</organization> </author> <date year="2001" month="November"/> </front> <seriesInfo name="FIPSPublication"PUB" value="197"/> <seriesInfo name="DOI" value="10.6028/NIST.FIPS.197"/> </reference> <reference anchor="GCM" > <front> <title>Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC</title> <author initials="M." surname="Dworkin" fullname="M. Dworkin"><organization>National Institute of Standards and Technology (NIST)</organization></author> <date year="2007" month="November"/> </front> <seriesInfo name="NIST Special Publication" value="800-38D"/> <seriesInfo name="DOI" value="10.6028/NIST.SP.800-38D"/> </reference> </references><references title='Informative References'> &RFC7696; &RFC5084; &RFC4086;<references> <name>Informative References</name> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4086.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5084.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7696.xml"/> <reference anchor="F2005">target="https://csrc.nist.gov/csrc/media/projects/block-cipher-techniques/documents/bcm/comments/cwc-gcm/ferguson2.pdf"> <front> <title>Authentication weaknesses in GCM</title> <author initials="N." surname="Ferguson" fullname="Niels Ferguson"> <organization></organization> </author> <date year="2005"month="May" day="20"/>month="May"/> </front><format type="PDF" target="https://csrc.nist.gov/csrc/media/projects/block-cipher-techniques/documents/bcm/comments/cwc-gcm/ferguson2.pdf"/> <annotation>Comments to the NIST Modes of Operation process.</annotation></reference></reference> <reference anchor="MV2005">target="https://csrc.nist.gov/CSRC/media/Projects/Block-Cipher-Techniques/documents/BCM/Comments/CWC-GCM/gcm-update.pdf"> <front> <title>GCM Update</title> <author initials="D." surname="McGrew" fullname="David McGrew"> <organization></organization> </author> <author initials="J." surname="Viega" fullname="John Viega"> <organization></organization> </author> <date year="2005"month="May" day="31"/>month="May"/> </front><format type="PDF" target="https://csrc.nist.gov/CSRC/media/Projects/Block-Cipher-Techniques/documents/BCM/Comments/CWC-GCM/gcm-update.pdf"/> <annotation>Comments to the NIST Modes of Operation process.</annotation></reference></reference> </references> </references> <section anchor="acknowledgements" numbered="false" title="Acknowledgements"> <t>Many thanks to <contact fullname="Hans Aschauer"/>, <contact fullname="Hendrik Brockhaus"/>, <contact fullname="Quynh Dang"/>, <contact fullname="Roman Danyliw"/>, <contact fullname="Tim Hollebeek"/>, <contact fullname="Ben Kaduk"/>, <contact fullname="Mike Ounsworth"/>, and <contact fullname="Magnus Westerlund"/> for their careful review and thoughtful improvements.</t> </section> </back><!-- ##markdown-source: H4sIAOkYZ2AAA61abXPiSJL+Xr+iwo64gA2EgbbdNhMXsRhjmxljewHP3MTG 7kYhFVCDkFiVZDfj83y+z/cT75fck1UlgTDd7Z6ZjmgjpHrJfDIr88kUnuex VKWhbPNHraIZT+eSd3oj73rQ6fJOOIsTlc6X/Bl/zbNusl6l8SwRq7ny+UBq LWaSj9ZRKj7xSncwqjIxmSTyKV+wWGyzxGDEgtiPxBK7BomYpp6S6dQLxXKl PX+pPSG1N1sK3xPhzGucsECkGNpqtJpe49hrtJiPGxBt3eY6DRhTq6TN0yTT aavROMdzkUjR5iPpZxB/zRZy/RwnQZv3o1QmkUy9S9qW+XGkZaQzbWZLxnQq ouBfIowj7BfFbKXa/O9p7Ne4jpM0kVONq/WSLv7BmMjSeZy0GfcYxz8VYZ1h nd/EmQ7l2tyzSg4zrUu342TW5j+qmQoLIWv89rZrHub4lZ+bRxoyyLTNT5qn HCpEUj+pMJR8GIvADPAxss1voGQQRzX+Y8fejQODX/Njw33PopTQexyZ73Ip VNjmcyvhX59oYy39uh8vGYviZClS9SShKB9edVvN5rm7PGt+PHaXJ+fNVn55 emIuYfm2Wd45WCd4EpEvA96LfPIiFUd8RICLJOAVjK5a9XNUeYHUnaDBIoT9 NBbLUsnjaTFXc3zysfTnURzGszWv3PVHY7tY7jmNptdsWghloiQ8cxrnWxxc 9R9G/CGbhMo3Gx20efP8I55edwclDQ6GEpAsJbY10k/jhF+Esb/gXbWay4QP ALQm2e5XMjFj2vwa7qT0UZcwd0N4BStXjdh0NA726G0d52BQ55dw3YWKDv5k QD5+ARAazkcr6StsUQbmrNHwPpxdMhpf9ouPp+enuQc0znK/OG6cmbtX2PKk 7A7QV0apW5o/S7GAP2vgpyJCfg8o5oTd1fmVTGaZjqMSVndKhrr8qFD2BFHE a1nnt3LnSz5cXsHx03Sl20dHvk78eqR0Wp/FT+bb0VIGShytkvgX6af6aELW 9nxjbS8lhNW/M6mPEM8y+AWN8JdH1knwxX/2vRluTJ1UrfoqmFrFIrhG143j aWwio8H9rQ9xbO8DmjpmDn58AySw4o8r0nUPZJ77dOBd1vnAv07kc3Hbgncp nlRQfrQz8/s6ApKciZ2J38fzyD7geyD/0Pw2yLujYddB/pBDbg6YZw+YN94H +UV3cJRDedT9qesBkSPA7mUGlT+IOfM8DzEZoVf4KWPjudI835trOiRTnB+z FvLJE7k00oqJDdnblOoyJtvx/i5FBZGnW/2+fMtMvuVCF2IEdHZw6jjFYCf6 UgVBiNx2iOSXxEHmmw1fDhV9ff2jCrGXF1y+vr68APTX10LCffpVML660bJQ kn2dVPCXF5dZXl+h1+FYJkvlotvLIeLqUhtVJEeu55TsNYLn42h8ULOf/O7e XA97f3vsD3uXdD266dzeFhd2BMOX+8db95yuNjO794NB7+7STsZdvnNr0PkZ H4i97OD+Ydy/v+vcHpBB0hLC4CbkexOJRxB8lcgUdoMR4YJ+oibGiOyi+/Af 0USvvmseW90p7QJfc015F9fPQNjsx+MoXLuvwHPNxWolRULriDDkvlipVITg LuQq8/g54jhLknD8krkK9qedk4ASmKef9xG5XIXxGhpM1kTztq3GFJ5JQkDY selcwN2y1QrMqnxG9rvU3iOz41JQiRbYuJgKaAZkTbQBHrFEpPaYmC03S8rg UqSCgXVuWC/mhYFb80mEiDrvWoRjkWLu4WFxVIx/fkXL9xwcllGWBEeliEUS TOMwjJ/paO7X/Bu0/c7adB4rX8IjV+A6tJW5q9WvxZaQnY5aDV6n/DmDd0gs An7TbJ3xiUrhbM3zlrtC5GidnJovbcZ+++03Cscg+fz+4vted8z7l727cf+q 3xvydvs/+Qv/JcbZ8JSOPZAbL620qjlnrTRPqwhDlbPjRrVIRZYWiUj9akCr NKsc2aTSbODCB3OvfKhyyjGFrpXjKm9yRAzKbgHVGxDbmuVzIpG455hCm21N O299fVrrvLQVoPj6nGOaQ0ixK6BHpzidg/s7+LXca2nnpCYIsELZ/ub5SiTI 2in5hLE2N6ERoQhRCJVQaqMJ2XczkpkxOOWpIGIGwR+KZxtrlu8bRUYItb27 bo+/5DwtBv3PDXbfHfdAMsfD/t11jSNPJTm3xskyngafarZ47Kcy1W6FUEYz 5Az7Dzve2u+XvavO4+2YhlugN49IkP7duHcNdCt4/t+8+YH+HNOfE/pzWrU4 0+Hc0cIKbJFSNtoZw6lIpaDGzt3YE+JinNQ5rWCnLMWaz8UTrBSteZQtJ8Ae lqMDALTTZykjfmawrrT+eXpc9Zo1NslSrtLCIogiWZgqxEyaac9UnfOfYFF3 nLUfr8xDbEKlbAoDeqIcPswRTQu5jH8UW2SGSWHRDtt+jBUL3JE7Iusfhg3B NMsYEVBOp8pX2Cdc15iObSx3xiGesLsjwNvKlfW9YOfTDdqpDEP9JugsXSbY UZLKW2jRd+CBavrzzVyg5XRxqxiR2DuCN4DJpSphojQra3PYL+U2BO1I41Ra Jons2Yl4OfsVUfTrJfEXysdt0bncrLAVGraoIWnskg1ptk8kk5tQTTijZ2Rv UBWcyxWVmLn/M2cHvscOlPnhLKgmcqb4ec9kQpdzycZt3JPyQeP2oCFI8V9l EnvWNmwVCmJSn9J8q00Uczcc3yoD5rYQQaBsMc3KzwNyhkqnc1kFXOSvCJE4 kVsJ0GCloqfYqWRDBCsy/B54XL6koT6CurRi7gxMxYyom46XcsdIFAH6Ub63 BWzL8DqVK2PzhQIBDAwjpDaWimA/vsEJQ6yNZFBglUgcXMgXwd6m1toaiaJB Bu7U5rGWpm2dgpwfvUkRKOwRMLQMYTs4ISwBe86iTYWzlZMCOVUR5KYQssGX WmBGvQ/1FqFvSWXj7NiWAp3RXb1J5yKjKmdcokP22dI844Y10Y5mG1V0cCCu 17m9vh/2xzcDNk3ipdvivGmrDUoPpRLFcTVboJC6W1SZMtMLcIuJhSwlhX5v Egdr4jCOt/BEi0CrSrP54eT4vMpdclstfE2T6NM7r+CBXqqlNIzHqqArBekB lcC9cqe01Wg1KuOLyyplQdipf9enKmTE+4OH2363P+bjzvWIUiK76F3376g+ 5L3/ergfjkdg+yFjGEhfqHn3lj28vNZ2sOL8ang/2BqbN4XiyKNOLKV1g+ff HZz/cNIXABXcJfBKDA6ELYiDCjRXrmWL0QXf064nWjkhiP055umlpm+rhfpU +Vh18FS2OGIO2D5ZG63KyVn1lX9nELmfUOOBbxRHBP/zyOrvJKq/h6V+M0X9 Vn5KaJmRm+PO2FeZ4B+kge/igN9IAEmRTSFUsjwOlyhBXzoCDhGSawumsrHo 4UNn2EE9PP75obcbHzvDHpT+d6YSaXr4/ZH3Q+/n3qVHm42Hjz3Sp5AiN+Ye KfYL4Sb8mUIUDvJeIfIJf4YQyDbkJsgD7w7Jht4f9jt3nTfMzNyEhwm9sFwn kTOcP6LrNgpsl9GULKjqdvlkq+5CtqbEcjAa9IsXNmb46GjQH/RcdtpyLLhi vVVHXKjbJFBv1vH/tN6oHjArQmIX+Fycp14wZ4fFZruKje2LtjzPa6onZDqP bXLdJhxIk0R1DMnZ6lOxQr139zbfdvZIhPqmL7cUEWxkumBF73zTMwL6ASmu JkQ2HcfcoY30Kk+jMtJUK4FUTHMFdzhUjcfEaZ6VliUiSArKUD1JcjEjJeWX mbUXZSow3yxaRNQj03GW+NQl+4lolKl7UOeAnj3HRFpSQkbPTTuPag148WeE tuSWQGbAZwZGs/NcUamZFpzM0PO12WNtSysSyJLLz+9gWHtO1QXxMerod7q1 DbvbhgIVY4ZCywoEwpurv95uLDk1CYP9decX2H2t7Bxb5SB7U4A+artgqWjc IG5LAiJ19GqLizQV/gKHKI3ZTEbk9NLp+yXubf1WJKikE4Hj5aDUNcfs4c95 VRjG2pSLO6vsNGl5Z0X9MfUJdaLhpba4+v1gva0DmMt2lSKhVYvyfao+GVbe n27UhieZqk3QgZ9kKjRlmHlrRQKLyByLrZNakfVZnRrDTPCVllkQewmoPVxh mkWGdldrW28vcsPRHqbpTM6SgqVS3Ueuyja9WLBDCmARvVT35e4q1D/PV3Kl WGl/lu9vrPZw8cPlVSs/i/0fHQvQ9phbLzm3HUbToqVlLabXN53RTaFMARBc x/U07Nbu6GHpokRzr0tM7FzFZDh6HQpTYnsfJYbSpiJjN/GzRECple8bMehU CzK7Dw5royIF5bdNh4n0BeSCEaZwxvkXPMVqkOE0rHnu/DaoSwGpnVO7oAu1 JmKiQgpv5nzpzCedp1lIU2YyMev58HfzUqL1z8r//c//plXCgMq2NK9pd3pY zrn31K1v/PUvZ9U8tURSJOGaEgtw3JkLSVNZmAiaKGBq9dqPmKltBXsPXF+A ifPCeqQm/b4i7/cYVw2QGwSFDo2idZ4Cc3OyCndycXLTJdpuU02kacmXugov L+ZNOPX97atc043p77wbcW+e4BGgp57hvrtNL4BtA1oexngMNTi1Ex1ZptCw s65JnPZ8bbnPF9KWdr0P8k1oh0wRgKDRnHKwcP7hVoxBlioPw7trXSWvKvYx yRtpirlWCtwIrplSizOhxkNe19n+VBHmqZuKij2g9ugyg/Wk0MqG/0S69oQB nrbkMnpSSRxZlkHJM29gmCEkQg0biQQu5gjMJvzrJXXatTRdnhWSgDKHR5kk ITahZpJQkgX6vtxZ63keh2YXplfClw4+h4DzGABoTmQJO224iaLGKoTBPNOD oJ9PvL4C+qkZsaSXZQKKzTIVUFQtXi/SL562DU7D9dykeOp8PVuaAjT80rvW rVfOEyq8pPkdhkwsN6LATrago/tsZ4LBhWtNUaF4E28iXYBDFMbUdKLGkKUh hOhKJqbONrIuKcy69xP0knbBp4I6eqY/BwUWFGmJcgACkZRFZdvsEkYCgcty fPPe1Wd0222isQ0whsqLxJILsiEpugWKbRxCtEDhwCCXUV8sMLsKCo61zWvN MuIreCZwyWsK2gQL2B8kWGJgnWyzl+MeKtnT8xsQFVKbjoWJkU9ChWISGh+4 6D7Q77us09AvcVxvzCfmGMrAsm7UBQPiIeTDC6McuxEICx3tz0WGIMhuwGcS teAXyI0L3IOCf8vWEcprEc1qbBjDknS9DtVzjY3VEvEzDOVEykWNXSAi/yCC DJcDtZD8Pos0rJzO7UvxgZhFmeY/Saqvwgx33KsCqOwDK0pKiXxSZAHTk4wz hFy66xzHqOB+1TBBaGD/Dz5Asp6+KAAA --></rfc>