?????\?U??eĹ4?16?2Ҏ鑋C?eh??'??xt?UZ?B??bh{??iq>??fh?{?z`{j l?G.??5Lq??X?꫔M=?F?"?Mģ?:O????͚?zP?mKߏ=??C?n?{.F?6??2???l??:?aS???j?ZR˴??xP?<{?<J:?Ǣ???|t??r?{?۶c??,w?|kW?(??0??`?d)?G}Uٛ7L- ?[%??^R?;????uP?(ӫ[ϹL?4|着G/??JwO???#?2?? ?=??2-?|L??q7_:ȭB]????R?x??EF???b?="df<m:??B?w?vnF??t?#?L?g/(4????x????俎 o?yC?J?Q??bqL5͐$W<҉??Ǵ??@??J??????D ??G3???<̇-I?!?? ?s#??CS???j?n??sB?,񨤯tӖV??E??oe???N?v=7? ???/???ll?`??v_뮘.ɦ9^?l=::n?A??????GUց&????????-z{uɳ?Y?!*???????;???????guQ????B????W???[??'?? ?????o??ҏ????󏣡FwEwN??Ѹ|?L8?=???(>????*夀???8#??ĉ㑿?'\???~?g [}??n?I??T[?A??W??I?Zu??? ?џ+4ׇ??x>?? ?t? ????o?u?8_^k?ꬮ?Ҵ?Κ?K??M?+??!?6?? ???ŋ@?t.f¸ه?G?hL??rs.?k???ߔ???ymy?K?6ōw?Дb=z?O????oE?? K?G|F?xL?1b??/?]e3/>>???@@@AAABBBCCCDDDEEEFFFGGGHHHIIIJJJKKKLLLMMMNNNOOOPPPQQQRRRSSSTTTUUUVVVWWWXXXYYYZZZ[[[\\\]]]^^^___```aaabbbcccdddeeefffggghhhiiijjjkkklllmmmnnnooopppqqqrrrssstttuuuvvvwwwxxxyyyzzz{{{|||}}}~~~????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????cف"?IDATx?b`?`??E?`??E?`??E?`??E?`??E`?Ȅ?`T???D?@?"0`?I?4??`??j?b)@?"0??????QS#;4??`?cj"b ?F0 tT?\@D??(??D:`????Q??t??@? F?@b??h??|3 ??dbde?M??/?; &??(x"edgb??L???9?D? ?I?4???H?????????????&/BA7 # P?\?Bԏ21? ?F ) ?$?`baabc?eb&DD"E*I??xy????XY? ??G??D @? Pۤ?BT??3bM???̼̌??( ?Hh??$??傷:Yy???*?D*,F9??F???D @? ?ڤ̼?L?????d???,\??Xt??????(T?( ?Hh?R"??:`G?怉???????=?P ?ֻ?`?G?VP??? @L"?Q???lL???QT?$R?E`@jb???G)1? ?F?&???$R?E`0?H ?Hh??h"(@L"?Q??t?1? ?F tT?\@L"?QU#?Hh??@G???$R?E`0?Q5??@? ?ꂔj:e("b ?FP3?)r?h"?4????CP? ?"?g3?H??q *HE?2?T?h"?4????D?ƅ ????H?E!£???D @? h?HE???Ju/#l?ʢT???/?Q4J?????=?{$?? ?8I? ʠv?F)^@? ??HGg???$R?E`@?t4? ?I?4??`?$(@L"?Q?M??'2]2?H1@?"0?v"%?%???(???????(??=?RF)?Q?3???B???3?1? 
Y. Demchenko. TF-EMC2. November 4, 2004. Amsterdam - AIRG Update 2004

Policy Enforcement Framework for Web Services and Grid Operational Security
Advanced Internet Research Group Update
Yuri Demchenko, AIRG, University of Amsterdam

Outline
- Goals
- AIRG projects and Generic AAA Architecture development
- Implementation in CNL project: Access Control infrastructure
- Grid Operational Security and Grid Security Incident definition

Goals
- Update TF-EMC2 on AIRG research and developments
- Discuss possible approaches for early detection of security credentials compromise
Generic AAA Architecture by AIRG (UvA)
- Policy based Authorization decision
- Req {AuthNtoken, Attr/Roles, PolicyTypeId, ConditionExt}
- RBE (Req + Policy) => Decision {ResponseAAA, ActionExt}
- ActionExt = {ReqAAAExt, ASMcontrol}
- ResponseAAA = {AckAAA/RejectAAA, ReqAttr, ReqAuthN, BindAAA (Resource, Id/Attr)}

Generic AAA implementations
- Bandwidth-on-demand (BoD) for optical network: using the driving policy approach for multidomain optical path building
- Access control and privilege management for Collaborative environment: policy/role based access control to experimental equipment and resources
- Authorisation Web Service and Authorisation portType for Grid applications: policy binding to Web/Grid service definition
- Technology background: AAA Policy Rule Based Engine (RBE) and XACML based policy exchange format; XML Web Services; attempting to use WSRF and trying to avoid OGSI and ProxyCert

AIRG projects
- Gigaport NG - NL: further development of the Generic AAA architecture for policy/token based networking
- Collaboratory.nl: Security Architecture for Open Collaborative Environment and RBAC
- EGEE and other Grid related projects - EU: Grid operational security and WS/Grid security threats analysis; policy enforcement framework and Authorisation portType; WS-Security and OGSA Security

Distributed Security Architecture for Collaborative environment
- Based on the Job-centric security model
- Extended RBAC functionality including RBAC administration terminal (using GAAA Toolkits)
- XACML based policy exchange and integration
- Uses WS-Security Framework and OGSA/WSRF
- Policy binding to WSDL and AuthZ portType definition
- VO functionality - policy based user and resource management
- Proxy-Certificate (Grid approach) vs SAML security credentials management

Security built around Job description
- Job Description as a semantic object defining Job attributes and User attributes
- Requires document based or semantic oriented Security paradigm
- Trust domain based on Business Agreement (BA) or Trust Agreement (TA) via PKI

XACML implementation library for CNL
- Contains specific modules for AAA services: PEP, PDP, PAP and XACML messaging
- Implemented in Java
- Policy editor in XACML
- XACML provides a standard solution for RBAC with powerful policy combination functionality
- Version 0.1 is available for policy construction and translating to AAA-policy format
- Set of typical policy profiles in XACML (with corresponding profiles in AAA) are under development

Main components and dataflow in RBAC/PMI
(figure)

GAAA API flow diagram (implements RBAC)
(figure)

GAAAPI implementation - XACML Request message format (1)
(figure)

GAAAPI implementation - XACML Request message format (2)
Values visible in the slide's sample request (the surrounding XML markup did not survive extraction): WHO740@users.collaboratory.nl; Analyst; JobID-XPS1-212; 2SeDFGVHYTY83ZXxEdsweOP8Iok)yGHxVfHom90; http://resources.collaboratory.nl/Phillips_XPS1; ControlInstrument
GAAAPI implementation - XACML Response message format (1)
(figure)

GAAAPI implementation - XACML Response message format (2)
Values visible in the slide's sample response: Permit; Request successful

Binding policy to WSDL service description
- WS-PolicyAttachment defines two mechanisms that together allow binding policy to the WSDL components (portType, Operation, Message)
- wsp:PolicyRefs="URI | QName"

Binding policy to WSDL - Example
(WSDL listing, shown with <<< snip >>>; the example markup did not survive extraction)

Security related activities in EGEE - FYI
- EGEE - Enabling Grids for E-sciencE
- JRA3 - Security
- MWSG - Middleware Security Group
- JSPG - Joint with LCG and OSG Security Policy Group
- OSG Incident Handling Activity
- Recent Security related deliverables:
  - Grid User/Site Security Requirements - MJRA3.1 (https://edms.cern.ch/document/485295/1)
  - Global Security Architecture (GSA) rev. 1 - DJRA3.1 (https://edms.cern.ch/document/487004/1.1)
  - Grid Security Incident definition and exchange format - MJRA3.4; ongoing development, current version: https://edms.cern.ch/document/501422/1; as a part of the joint OSG/LCG/EGEE Operational Security activity

Grid Security Incident (GSInc) definition
- GSInc definition
  - Depends on the scope and range of the Security Policy, ULA, or SLA - TODO
  - Should be based on threats analysis and vulnerabilities model - MJRA3.4
  - Should be based on Grid processes/workflow analysis - TODO
- GSInc definition is a base for the GSInc description format
  - What information should be collected and how to exchange and handle it
  - Requirements for events logging and intrusion/compromise detection
- Common format is a basis for community wide statistics and coordinated response
- Incident statistics provide feedback for the Security Policy improvement
- Note. Grid Security model is based on delegation of security credentials to a service
Security credentials related GSInc and audit events
- Security credentials compromise (e.g., private key, proxy credentials, etc.)
  - patterns of credential usage
  - broken chain of PKC/keys/credentials
  - copy is discovered in an improper place
  - originated not from the default location
  - subsequent failed attempt(s) to request action(s)
  - PDP/PEP logging/audit
- Remaining problems and topics for discussion
  - How to define at an early stage that a private key has been compromised?
  - May require credentials storing (not caching) and adding a history/evidence chain to the credentials format
    - X.509 credentials are not capable of this
    - Does SAML have the required functionality?
- Note: Audit/log events together with related data can also be referred to as Evidence

Discussion: security credentials compromise detection
- How to define at an early stage that a private key or other security credentials have been compromised?
- Will it require credentials storing (not caching) and adding a history/evidence chain to the credentials format?
  - X.509 credentials are not capable of this
  - Does SAML have the required functionality?
u?A4 Paper (210x297 mm)r???ument based or semantic oriented Security paradigm Trust domain based on Business Agreement (BA) or Trust Agreement (TA) via PKI?<Q?NQ?N? ? ??X??$XACML implementation library for CNL???Contains specific modules for AAA services PEP, PDP, PAP and XACML messaging Implemented in Java Policy editor in XACML XACML provides standard solution for RBAC with powerful policy combination functionality Version 0.1 is available for policy construction and translating to AAA-policy format Set of typical policy profiles in XACML (with correspondent profiles in AAA) are under development?`+8?c+8?c??M??(Main components and dataflow in RBAC/PMI?))?,  ??N??'GAAA API flow diagram (implements RBAC)? ( ?? ??O??rGAAAPI implementation  XACML Request message format (1)?9 ?? ??P??rGAAAPI implementation  XACML Request message format (2)?9 ??} WHO740@users.collaboratory.nl Analyst JobID-XPS1-212 2SeDFGVHYTY83ZXxEdsweOP8Iok)yGHxVfHom90 http://resources.collaboratory.nl/Phillips_XPS1 ControlInstrument ??~Z'??'??'???'??'??'???'?? '??"'??'??'???'??'???'?? '??'???'??'???'??,'??'???'??'???'??A'??'???'??'??'???'?? '??"#'??'??'??"#'?? '??'??#'?? '??'??"#'??'??'??#'??'??'??"#'??'??'??#'??'??'??"#'??'??'??'#'??'??'??"#'??'??'??"#'??'??'?? '??'??"/#"'?? '??'??"#'??'??'??"#'??'??'??"#'??'??'??#'?? '??'??"#'??'??'??"'??'??'??"??&                                             8                                  ??Q??tGAAAPI implementation  XACML Response message format (1)?: ?? ??R??tGAAAPI implementation  XACML Response message format (2)?: ??w Permit Request succes7ful ?x'??'??'???'??'??'???'?? '??"'??'??'???'??'???'??,'??'???'??'???'??'??'???'??'??"#'??'??'??? '?? '??"#'??'??'??#'??'??'??"#'??'??'??"#'?? '??'???'??'??"#'?? '??'??#'?? '??'??"#'??'??'??"#'??'??'??"'??'??'??"?&                                        ??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????         
??Y??*Binding policy to WSDL service description???WS-PolicyAttachment defines two mechanisms that together allow to bind policy to the WSDL components (portType, Operation, Message) wsp:PolicyRefs="URI | QName" ?6?G?G?b? ??Z?? Binding policy to WSDL - Example??j ???? ??????? ??????? ??????? ??????? ???? <<< snip >>>> ???? ?ZkZ?%W)?(?@     -  ,+$??m 0?5??m 0?Ah??m 0?r???m 0?????m 0?? ??m 0?D??m 0?O|??m 0????? m 0?????^??)Security related activities in EGEE - FYI?) ???EGEE  Enabling Grids for E-sciencE JRA3  Security MWSG  Middleware Security Group JSPG  Joint with LCG and OSG Security Policy Group OSG Incident Handling Activity Recent Security related deliverables Grid User/Site Security Requirements  MJRA3.1 (https://edms.cern.ch/document/485295/1) Global Security Architecture (GSA) rev. 1 - DJRA3.1 (https://edms.cern.ch/document/487004/1.1) Grid Security Incident definition and exchange format  MJRA3.4 Ongoing development, current version - https://edms.cern.ch/document/501422/1 As a part of joint OSG/LCG/EGEE Operational Security activity??$ZeZ Z%Z?Z?Z$e % 0&@c`  '(@>??$ ?&(j  ??m 0??$??m 0?'D???m 0?S[??m 0?\??? m 0????[??)Grid Security Incident (GSInc) definition?) ??$GSInc definition Depends on the scope and range of the Security Policy, ULA, or SLA - TODO Should be based on threats analysis and vulnerabilities model  MJRA3.4 Should be based on Grid processes/workflow analysis - TODO GSInc definition is a base for GSInc description format What information should be collected and how to exchange and handle it Requirements to Events logging and Intrusion/compromise detection Common format is a basis for community wide statistics and coordinated response Incident statistics provides feedback for the Security Policy improvement Note. Grid Security model is based on delegation of security credentials to a service??Z?Z9ZGZCZ?ZWZJ?@9@G@A@@P @ K W? [ ?? 
??\??3Security credentials related GSInc and audit events?3 ???Security credentials compromise (e.g., private key, proxy credentials, etc.)? patterns of credential usage broken chain of PKC/keys/credentials copy is discovered in not a proper place originated not from the default location sequent fault attempt to request action(s) PDP/PEP logging/audit Remaining problems and topics for discussion How to define at the early stage that a private key has been compromised? May require credentials storing (not caching) and adding history/evidence chain to credentials format X.509 credentials are not capable of this Does SAML have required functionality Note: Audit/log events together with related data can be also referred to as an Evidence?NZ?ZZ.Z?ZPZZZLbb?bb b - f ???f??Pf??f??fTf?#x ??I??5Discussion: security credentials compromise detection?5 ??%How to define at the early stage that a private key or other security credentials have been compromised? Will it require credentials storing (not caching) and adding history/evidence chain to credentials format? X.509 credentials are not capable of this Does SAML have required functionality ?J?P?d??Pd???i ?/?8? ??P?????? ? ???@???Z?( ? ???~ ?? s ?*?x?^????x8????  ^ ? ?? ?? s ?*?`?^????Sm??? ^ ?*??? ? ?@?`??H ?? ? ?0???@??޽h?? ?? ??????̙33???????r??? ??Z?_?+????d?(`??`  ? ?T??@http://schemas.xmlsoap.org/wsdl/?^??Jhttp://schemas.xmlsoap.org/wsdl/soap/?T??@http://www.w3.org/2001/XMLSchema?t??`http://schemas.xmlsoap.org/ws/2003/03/addressing?l??Xhttp://schemas.xmlsoap.org/ws/2002/12/policy?l??Xhttp://schemas.xmlsoap.org/ws/2002/12/secext?j??Vhttp://schemas.xmlsoap.org/ws/2004/04/trust?B??.http://cnl.telin.nl/cnl?B? ?.http://cnl.telin.nl/cnl?`? ?Lhttps://edms.cern.ch/document/501422/1?d??Phttps://edms.cern.ch/document/487004/1.1?`??Lhttps://edms.cern.ch/document/485295/1??/? 0????DTimes New Roman???????d? 0?? & 0??DSymbolew Roman???????d? 0?? & 0? ?DMonotype Sorts???????d? 0?? & 0P0?DCourier Newts???????d? 0?? 
Y.Demchenko. TF-EMC2. November 4, 2004. Amsterdam. AIRG Update 2004

Policy Enforcement Framework for Web Services and Grid Operational Security
Advanced Internet Research Group Update
Yuri Demchenko, AIRG, University of Amsterdam

Outline
  - Goals
  - AIRG projects and Generic AAA Architecture development
  - Implementation in the CNL project: Access Control infrastructure
  - Grid Operational Security and Grid Security Incident definition

Goals
  - Update TF-EMC2 on AIRG research and developments
  - Discuss possible approaches for early detection of security credentials compromise

AIRG projects
  - Gigaport NG (NL): further development of the Generic AAA architecture for policy/token based networking
  - Collaboratory.nl (CNL): Security Architecture for Open Collaborative Environment and RBAC; considered as a use case for EGEE and OGSA
  - EGEE and other Grid related projects (EU): Grid operational security and WS/Grid security threats analysis; policy enforcement framework and Authorisation portType; WS-Security and OGSA Security

Generic AAA Architecture by AIRG (UvA)
  Policy based Authorization decision:
    Req {AuthNtoken, Attr/Roles, PolicyTypeId, ConditionExt}
    RBE (Req + Policy) => Decision {ResponseAAA, ActionExt}
    ActionExt = {ReqAAAExt, ASMcontrol}
    ResponseAAA = {AckAAA/RejectAAA, ReqAttr, ReqAuthN, BindAAA (Resource, Id/Attr)}

Generic AAA implementations
  - Bandwidth-on-demand (BoD) for optical networks: using the driving policy approach for multidomain optical path building
  - Access control and privilege management for the Collaborative environment: policy/role based access control to experimental equipment and resources
  - Authorisation Web Service and Authorisation portType for Grid applications: policy binding to the Web/Grid service definition
  - Technology background: AAA Policy Rule Based Engine (RBE) and XACML based policy exchange format; XML Web Services; attempting to use WSRF and trying to avoid OGSI and ProxyCert

Distributed Security Architecture for Collaborative environment
  - Based on the Job-centric security model
  - Extended RBAC functionality including an RBAC administration terminal (using GAAA Toolkits)
  - XACML based policy exchange and integration
  - Uses the WS-Security Framework and OGSA/WSRF
  - Policy binding to WSDL and AuthZ portType definition
  - VO functionality: policy based user and resource management
  - Proxy-Certificate (Grid approach) vs SAML security credentials management

Security built around Job description
  - Job Description as a semantic object defining Job attributes and User attributes
  - Requires a document based or semantic oriented security paradigm
  - Trust domain based on a Business Agreement (BA) or Trust Agreement (TA) via PKI

XACML implementation library for CNL
  - Contains specific modules for AAA services: PEP, PDP, PAP and XACML messaging
  - Implemented in Java
  - Policy editor in XACML
  - XACML provides a standard solution for RBAC with powerful policy combination functionality
  - Version 0.1 is available for policy construction and translation to the AAA-policy format
  - A set of typical policy profiles in XACML (with corresponding profiles in AAA) is under development

Main components and dataflow in RBAC/PMI
  [diagram]

GAAA API flow diagram (implements RBAC)
  [diagram]

GAAAPI implementation: XACML Request message format (1)
  [XACML Request listing]

GAAAPI implementation: XACML Request message format (2)
  Attribute values shown in the sample request: WHO740@users.collaboratory.nl, Analyst, JobID-XPS1-212, 2SeDFGVHYTY83ZXxEdsweOP8Iok)yGHxVfHom90, http://resources.collaboratory.nl/Phillips_XPS1, ControlInstrument

GAAAPI implementation: XACML Response message format (1)
  [XACML Response listing]

GAAAPI implementation: XACML Response message format (2)
  Decision: Permit; status message: Request successful

Binding policy to WSDL service description
  WS-PolicyAttachment defines two mechanisms that together allow policy to be bound to the WSDL components (portType, Operation, Message): wsp:PolicyRefs="URI | QName"

Binding policy to WSDL - Example
  [WSDL listing, elided in the source: <<< snip >>>>]
  Namespaces used in the example: http://schemas.xmlsoap.org/wsdl/, http://schemas.xmlsoap.org/wsdl/soap/, http://www.w3.org/2001/XMLSchema, http://schemas.xmlsoap.org/ws/2003/03/addressing, http://schemas.xmlsoap.org/ws/2002/12/policy, http://schemas.xmlsoap.org/ws/2002/12/secext, http://schemas.xmlsoap.org/ws/2004/04/trust, http://cnl.telin.nl/cnl
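The request and response slides above survive only as figures and a handful of attribute values. The Python below is an added example, not code from the GAAAPI or the CNL XACML library: it builds an XACML 1.0 context Request carrying those values (read here as subject-id, role, JobID, authentication token, resource and action; that mapping is an assumption), evaluates it with a small deny-overrides RBAC policy, which is the RBE (Req + Policy) => Decision step of the Generic AAA slide in concrete form, and emits the Response with Decision and Status. The policy rules, the urn:cnl:... attribute ids for JobID and token, and the role attribute id (borrowed from the later XACML RBAC profile) are assumptions; a request without a token or role yields Indeterminate with the missing-attribute status, the failure mode a PEP must treat as a refusal.

```python
import xml.etree.ElementTree as ET

CTX = "urn:oasis:names:tc:xacml:1.0:context"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
ROLE = "urn:oasis:names:tc:xacml:2.0:subject:role"   # from the XACML RBAC profile (assumed here)
JOB_ID = "urn:cnl:subject:job-id"                    # assumed id for the CNL JobID attribute
AUTHN_TOKEN = "urn:cnl:subject:authn-token"          # assumed id for the AuthN token attribute
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
XS_ANYURI = "http://www.w3.org/2001/XMLSchema#anyURI"
STATUS_OK = "urn:oasis:names:tc:xacml:1.0:status:ok"
STATUS_MISSING = "urn:oasis:names:tc:xacml:1.0:status:missing-attribute"
ET.register_namespace("xacml-context", CTX)

def _tag(name):
    return f"{{{CTX}}}{name}"

def _add_attr(parent, attr_id, value, dtype=XS_STRING):
    a = ET.SubElement(parent, _tag("Attribute"), AttributeId=attr_id, DataType=dtype)
    ET.SubElement(a, _tag("AttributeValue")).text = value

def build_request(subject_id, role, job_id, token, resource, action):
    """XACML Request carrying the attributes shown on the GAAAPI request slide (None = omitted)."""
    req = ET.Element(_tag("Request"))
    subj = ET.SubElement(req, _tag("Subject"))
    for attr_id, value in ((SUBJECT_ID, subject_id), (ROLE, role), (JOB_ID, job_id), (AUTHN_TOKEN, token)):
        if value is not None:
            _add_attr(subj, attr_id, value)
    _add_attr(ET.SubElement(req, _tag("Resource")), RESOURCE_ID, resource, XS_ANYURI)
    _add_attr(ET.SubElement(req, _tag("Action")), ACTION_ID, action)
    return ET.tostring(req, encoding="unicode")

def _values(root, section, attr_id):
    sec = root.find(_tag(section))
    if sec is None:
        return set()
    return {av.text
            for a in sec.findall(_tag("Attribute")) if a.get("AttributeId") == attr_id
            for av in a.findall(_tag("AttributeValue"))}

# Constructed RBAC policy for the instrument on the slide (not the CNL policy itself).
POLICY = [
    {"roles": {"Analyst"}, "resource": "http://resources.collaboratory.nl/Phillips_XPS1",
     "actions": {"ControlInstrument", "ViewData"}, "effect": "Permit"},
    {"roles": {"Guest"}, "resource": "http://resources.collaboratory.nl/Phillips_XPS1",
     "actions": {"ViewData"}, "effect": "Permit"},
    {"roles": {"Guest"}, "resource": "http://resources.collaboratory.nl/Phillips_XPS1",
     "actions": {"ControlInstrument"}, "effect": "Deny"},
]

def build_response(decision, status_code, message, resource_id):
    resp = ET.Element(_tag("Response"))
    result = ET.SubElement(resp, _tag("Result"), ResourceId=resource_id)
    ET.SubElement(result, _tag("Decision")).text = decision
    status = ET.SubElement(result, _tag("Status"))
    ET.SubElement(status, _tag("StatusCode"), Value=status_code)
    ET.SubElement(status, _tag("StatusMessage")).text = message
    return ET.tostring(resp, encoding="unicode")

def evaluate(request_xml, policy=POLICY):
    """Minimal PDP: deny-overrides over the applicable rules; a missing token or role -> Indeterminate."""
    root = ET.fromstring(request_xml)
    roles = _values(root, "Subject", ROLE)
    tokens = _values(root, "Subject", AUTHN_TOKEN)
    resource = next(iter(_values(root, "Resource", RESOURCE_ID)), "")
    actions = _values(root, "Action", ACTION_ID)
    if not tokens or not roles:
        return "Indeterminate", build_response("Indeterminate", STATUS_MISSING,
                                               "Missing authentication token or role", resource)
    effects = {r["effect"] for r in policy
               if roles & r["roles"] and resource == r["resource"] and actions & r["actions"]}
    decision = "Deny" if "Deny" in effects else "Permit" if "Permit" in effects else "NotApplicable"
    message = "Request successful" if decision == "Permit" else f"Decision: {decision}"
    return decision, build_response(decision, STATUS_OK, message, resource)

# The request on the slide, with the values in the order they appear there.
SLIDE_REQUEST = build_request("WHO740@users.collaboratory.nl", "Analyst", "JobID-XPS1-212",
                              "2SeDFGVHYTY83ZXxEdsweOP8Iok)yGHxVfHom90",
                              "http://resources.collaboratory.nl/Phillips_XPS1", "ControlInstrument")

if __name__ == "__main__":
    decision, response = evaluate(SLIDE_REQUEST)
    print(decision)
    print(response)
```

A PEP wired to this PDP should act only on Permit; NotApplicable and Indeterminate are both refusals, and the StatusCode tells the caller which attribute to supply on retry.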
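The deck's WSDL example is snipped, so the binding mechanism itself is not visible. As an added example (not the CNL service description), the Python below parses a constructed WSDL in which policies are attached with the wsp:PolicyRefs attribute at portType, operation and message level, computes the set of policy references that apply to each operation, resolves "#Id" references to the in-document wsp:Policy elements, and lists the operations that do not carry the authorization policy, the check to run before exposing an AuthZ portType. The WSDL content, the wsu:Id attribute namespace and the union merge of portType, operation and message references are assumptions; the external wsp:PolicyAttachment mechanism is not modelled.

```python
import xml.etree.ElementTree as ET

WSDL = "http://schemas.xmlsoap.org/wsdl/"
WSP = "http://schemas.xmlsoap.org/ws/2002/12/policy"
WSU = "http://schemas.xmlsoap.org/ws/2002/07/utility"  # assumed namespace for the wsu:Id attribute

# Constructed WSDL (not the CNL service description): wsp:PolicyRefs on a portType,
# on one operation and on one message; one portType deliberately carries no policy.
SAMPLE_WSDL = f"""<definitions name="InstrumentControl" targetNamespace="http://cnl.telin.nl/cnl"
    xmlns="{WSDL}" xmlns:wsp="{WSP}" xmlns:wsu="{WSU}" xmlns:tns="http://cnl.telin.nl/cnl">
  <wsp:Policy wsu:Id="AuthZPolicy"><tns:RequireAuthorisation/></wsp:Policy>
  <wsp:Policy wsu:Id="SignedRequest"><tns:RequireSignedRequest/></wsp:Policy>
  <message name="ControlRequest" wsp:PolicyRefs="#SignedRequest"/>
  <message name="ControlResponse"/>
  <message name="StatusRequest"/>
  <message name="StatusResponse"/>
  <portType name="InstrumentPortType" wsp:PolicyRefs="#AuthZPolicy">
    <operation name="ControlInstrument" wsp:PolicyRefs="http://cnl.telin.nl/policy/analyst-only">
      <input message="tns:ControlRequest"/>
      <output message="tns:ControlResponse"/>
    </operation>
    <operation name="GetStatus">
      <input message="tns:StatusRequest"/>
      <output message="tns:StatusResponse"/>
    </operation>
  </portType>
  <portType name="MaintenancePortType">
    <operation name="Reset"><input message="tns:StatusRequest"/></operation>
  </portType>
</definitions>"""

def _refs(elem):
    """wsp:PolicyRefs is a whitespace-separated list of URIs."""
    return tuple(elem.get(f"{{{WSP}}}PolicyRefs", "").split())

def _local(qname):
    return qname.split(":", 1)[-1]

def effective_policies(wsdl_xml):
    """Map 'PortType/operation' -> policy refs merged from the portType, the operation and its messages."""
    root = ET.fromstring(wsdl_xml)
    messages = {m.get("name"): _refs(m) for m in root.findall(f"{{{WSDL}}}message")}
    result = {}
    for pt in root.findall(f"{{{WSDL}}}portType"):
        for op in pt.findall(f"{{{WSDL}}}operation"):
            refs = set(_refs(pt)) | set(_refs(op))
            for part in op:  # input / output / fault elements name the messages in use
                refs |= set(messages.get(_local(part.get("message", "")), ()))
            result[f"{pt.get('name')}/{op.get('name')}"] = refs
    return result

def resolve(wsdl_xml, ref):
    """'#Id' references resolve to an in-document wsp:Policy; other URIs are external (None)."""
    root = ET.fromstring(wsdl_xml)
    if ref.startswith("#"):
        for pol in root.findall(f"{{{WSP}}}Policy"):
            if pol.get(f"{{{WSU}}}Id") == ref[1:]:
                return pol
        raise ValueError(f"dangling policy reference {ref}")
    return None

def unprotected_operations(wsdl_xml, required_ref="#AuthZPolicy"):
    """Operations whose effective policy lacks the authorization policy the PEP enforces."""
    return sorted(op for op, refs in effective_policies(wsdl_xml).items() if required_ref not in refs)

if __name__ == "__main__":
    for op, refs in effective_policies(SAMPLE_WSDL).items():
        print(op, sorted(refs))
    print("unprotected:", unprotected_operations(SAMPLE_WSDL))
```

A dangling "#Id" reference raises rather than silently yielding an empty policy, since a PEP that cannot load the referenced policy must fail closed.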
Security related activities in EGEE - FYI
  - EGEE: Enabling Grids for E-sciencE
  - JRA3: Security
  - MWSG: Middleware Security Group
  - JSPG: Joint (with LCG and OSG) Security Policy Group
  - OSG Incident Handling Activity
  - Recent security related deliverables:
    - Grid User/Site Security Requirements, MJRA3.1 (https://edms.cern.ch/document/485295/1)
    - Global Security Architecture (GSA) rev. 1, DJRA3.1 (https://edms.cern.ch/document/487004/1.1)
    - Grid Security Incident definition and exchange format, MJRA3.4: ongoing development, current version https://edms.cern.ch/document/501422/1; part of the joint OSG/LCG/EGEE Operational Security activity

Grid Security Incident (GSInc) definition
  - GSInc definition:
    - depends on the scope and range of the Security Policy, ULA, or SLA (TODO)
    - should be based on threats analysis and a vulnerabilities model (MJRA3.4)
    - should be based on Grid processes/workflow analysis (TODO)
  - The GSInc definition is the base for the GSInc description format:
    - what information should be collected, and how to exchange and handle it
    - requirements for event logging and intrusion/compromise detection
  - A common format is the basis for community wide statistics and coordinated response
  - Incident statistics provide feedback for Security Policy improvement
  - Note: the Grid security model is based on delegation of security credentials to a service

Security credentials related GSInc and audit events
  - Security credentials compromise (e.g., private key, proxy credentials, etc.):
    - patterns of credential usage
    - a broken chain of PKC/keys/credentials
    - a copy discovered in a place where it does not belong
    - use originating from other than the default location
    - subsequent failed attempts to request action(s)
    - PDP/PEP logging/audit
  - Remaining problems and topics for discussion:
    - How to determine at an early stage that a private key has been compromised?
    - May require storing credentials (not caching) and adding a history/evidence chain to the credentials format
    - X.509 credentials are not capable of this
    - Does SAML have the required functionality?
  - Note: audit/log events together with related data can also be referred to as Evidence

Discussion: security credentials compromise detection
  - How to determine at an early stage that a private key or other security credentials have been compromised?
  - Will it require storing credentials (not caching) and adding a history/evidence chain to the credentials format?
  - X.509 credentials are not capable of this
  - Does SAML have the required functionality?
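Several of the indicators on the audit-events slide can be checked mechanically against PDP/PEP audit records, which answers part of the discussion question without any change to the credential format. The Python below is an added example, not CNL or EGEE code: it parses constructed audit lines (a made-up key=value format) and raises GSInc candidates for use from other than the subject's default location, for the same credential being used from two hosts inside one window (a copy of a proxy credential in use elsewhere), and for a run of denied requests (subsequent failed attempts). Each candidate carries the audit lines that triggered it, the Evidence the slide's note refers to. The log format, the location registry, the window and the threshold are assumptions; the broken-chain indicator needs the credential chain itself and is not covered here.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed PDP/PEP audit records in a made-up key=value format (not CNL or EGEE log data).
# cred is a fingerprint of the credential presented, src the host the request came from.
AUDIT_LOG = """\
2004-11-04T09:00:05Z subject=WHO740@users.collaboratory.nl cred=f1a2 src=ws12.collaboratory.nl action=ControlInstrument decision=Permit
2004-11-04T09:00:40Z subject=WHO740@users.collaboratory.nl cred=f1a2 src=ws12.collaboratory.nl action=ViewData decision=Permit
2004-11-04T09:01:10Z subject=WHO740@users.collaboratory.nl cred=f1a2 src=node7.example.org action=ControlInstrument decision=Permit
2004-11-04T09:02:00Z subject=guest@users.collaboratory.nl cred=9c3d src=ws30.collaboratory.nl action=ControlInstrument decision=Deny
2004-11-04T09:02:05Z subject=guest@users.collaboratory.nl cred=9c3d src=ws30.collaboratory.nl action=ControlInstrument decision=Deny
2004-11-04T09:02:09Z subject=guest@users.collaboratory.nl cred=9c3d src=ws30.collaboratory.nl action=Reset decision=Deny
2004-11-04T09:30:00Z subject=guest@users.collaboratory.nl cred=9c3d src=ws30.collaboratory.nl action=ViewData decision=Permit
"""

# Assumed registry of each subject's default (registered) locations.
DEFAULT_LOCATIONS = {
    "WHO740@users.collaboratory.nl": {"ws12.collaboratory.nl"},
    "guest@users.collaboratory.nl": {"ws30.collaboratory.nl"},
}

def parse(log_text):
    """Turn audit lines into dicts; the raw line is kept so it can be attached as evidence."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        timestamp, *fields = line.split()
        rec = dict(field.split("=", 1) for field in fields)
        rec["time"] = datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ")
        rec["raw"] = line
        records.append(rec)
    return sorted(records, key=lambda r: r["time"])

def detect(records, window=timedelta(minutes=5), fault_threshold=3):
    """Return GSInc candidates, each with the audit lines that are its evidence."""
    alerts = []
    by_cred = defaultdict(list)
    for rec in records:
        by_cred[rec["cred"]].append(rec)
    for cred, recs in by_cred.items():
        subject = recs[0]["subject"]
        allowed = DEFAULT_LOCATIONS.get(subject, set())
        # Indicator: the request did not originate from the subject's default location.
        foreign = [r for r in recs if r["src"] not in allowed]
        if foreign:
            alerts.append({"type": "non-default-location", "cred": cred,
                           "evidence": [r["raw"] for r in foreign]})
        # Indicator: the same credential used from two hosts inside one window,
        # i.e. a copy of the credential is in use somewhere it should not be.
        for earlier, later in zip(recs, recs[1:]):
            if earlier["src"] != later["src"] and later["time"] - earlier["time"] <= window:
                alerts.append({"type": "concurrent-use", "cred": cred,
                               "evidence": [earlier["raw"], later["raw"]]})
                break
        # Indicator: a run of denied requests (subsequent failed attempts to request actions).
        run = []
        for r in recs:
            if r["decision"] != "Deny":
                run = []
                continue
            if run and r["time"] - run[0]["time"] > window:
                run = []
            run.append(r)
            if len(run) >= fault_threshold:
                alerts.append({"type": "repeated-denials", "cred": cred,
                               "evidence": [x["raw"] for x in run]})
                break
    return alerts

if __name__ == "__main__":
    for alert in detect(parse(AUDIT_LOG)):
        print(alert["type"], alert["cred"])
        for line in alert["evidence"]:
            print("   ", line)
```

Grouping by credential fingerprint rather than by subject is deliberate: a delegated proxy and the user's own credential are distinct objects, and it is the object that is copied or misused, so the evidence attached to a GSInc report should identify it.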
: ?2 ????*&3?2 Ig) '="#$%&()*+_??b?$???"{???S7?hJ?Z???$??b?$|8???'?'cA|)G???eZ??b?$9~+??????U|??s??&L ?b?$??R?\?k??[]%g????1?S ?~??????????1???????????@???????n???f@???8???????g??4fdfdd?      !"#$%&'()*+,-./0123???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????? 0h?????????p?pp?0 ? <?4BdBd???@ 0$??u?ʚ;2N??ʚ;<?4!d!d???= 0??<?4dddd???= 0???F?>?___PPT9? /? 0?z????-?HTF-EMC2. November 4, 2004. Amsterdam ? AIRG Update 2004O? ?=?PP???uPolicy Enforcement Framework for Web Services and Grid Operational Security Advanced Internet Research Group Update?.vK /(??CYuri Demchenko AIRG, University of Amsterdam? D&"?"&  ??J??Outline? ???Goals AIRG projects and Generic AAA Architecture development Implementation in CNL project Access Control infrastructure Grid Operational Security and Grid Security Incident definition ????? ??K??Goals? ???Update TF-EMC2 on AIRG research and developments Discuss possible approaches for early detection of the security credentials compromise????? ??`?? AIRG projects?  ???Gigaport NG - NL Further development of the Generic AAA architecture for policy/token based networking Collaboratory.nl (CNL) Security Architecture for Open Collaborative Environment and RBAC Considered as a use case for EGEE and OGSA EGEE and other Grid related projects - EU Grid operational security and WS/Grid security threats analysis Policy enforcement framework and Authorisation portType WS-Security and OGSA Security?|Wm*?Wm*? ?"  
_ D??L??&Generic AAA Architecture by AIRG (UvA)?''%??Policy based Authorization decision Req {AuthNtoken, Attr/Roles, PolicyTypeId, ConditionExt} RBE (Req + Policy) => => Decision {ResponseAAA, ActionExt} ActionExt = {ReqAAAExt, ASMcontrol} ResponseAAA = {AckAAA/RejectAAA, ReqAttr, ReqAuthN, BindAAA (Resource, Id/Attr)}?&$?$??P$           ??_??Generic AAA implementations?%??,Bandwidth-on-demand (BoD) for optical network Using driving policy approach for multidomain optical path building Access control and privilege management for Collaborative environment Policy/role based access control to experimental equipment and resources Authorisation Web Service and Authorisation portType for Grid applications Policy binding to Web/Grid service definition Technology background AAA Policy Rule Based Engine (RBE) and XACML based policy exchange format XML Web Services Attempting to use WSRF and trying to avoid OGSI and ProxyCert??/EFIL.[>/EFIL. [>?N    ? ??S???Distributed Security Architecture for Collaborative environment???Based on the Job-centric security model Extended RBAC functionality including RBAC administration terminal (using GAAA Toolkits) XACML based policy exchange and integration Uses WS-Security Framework and OGSA/WSRF Policy binding to WSDL and AuthZ portType definition VO functionality - policy based user and resource management Proxy-Certificate (Grid approach) vs SAML security credentials management?6?6??6??n&??U??&Security built around Job description ? ' ???Job Description as a semantic object defining Job attributes and User attributes Requires document based or semantic oriented Security paradigm Trust domain based on Business Agreement (BA) or Trust Agreement (TA) via PKI?<Q?NQ?N? ? 
??X??$XACML implementation library for CNL???Contains specific modules for AAA services PEP, PDP, PAP and XACML messaging Implemented in Java Policy editor in XACML XACML provides standard solution for RBAC with powerful policy combination functionality Version 0.1 is available for policy construction and translating to AAA-policy format Set of typical policy profiles in XACML (with correspondent profiles in AAA) are under development?`+8?c+8?c??M??(Main components and dataflow in RBAC/PMI?))?,  ??N??'GAAA API flow diagram (implements RBAC)? ( ?? ??O??rGAAAPI implementation  XACML Request message format (1)?9 ?? ??P??rGAAAPI implementation  XACML Request message format (2)?9 ??} WHO740@users.collaboratory.nl Analyst JobID-XPS1-212 2SeDFGVHYTY83ZXxEdsweOP8Iok)yGHxVfHom90 http://resources.collaboratory.nl/Phillips_XPS1 ControlInstrument ??~Z'??'??'???'??'??'???'?? '??"'??'??'???'??'???'?? '??'???'??'???'??,'??'???'??'???'??A'??'???'??'??'???'?? '??"#'??'??'??"#'?? '??'??#'?? '??'??"#'??'??'??#'??'??'??"#'??'??'??#'??'??'??"#'??'??'??'#'??'??'??"#'??'??'??"#'??'??'?? '??'??"/#"'?? '??'??"#'??'??'??"#'??'??'??"#'??'??'??#'?? '??'??"#'??'??'??"'??'??'??"??&                                             8                                  ??Q??tGAAAPI implementation  XACML Response message format (1)?: ?? ??R??tGAAAPI implementation  XACML Response message format (2)?: ??w Permit Request succes7ful ?x'??'??'???'??'??'???'?? '??"'??'??'???'??'???'??,'??'???'??'???'??'??'???'??'??"#'??'??'??? '?? '??"#'??'??'??#'??'??'??"#'??'??'??"#'?? '??'???'??'??"#'?? '??'??#'?? '??'??"#'??'??'??"#'??'??'??"'??'??'??"?&                                                 ??Y??*Binding policy to WSDL service description???WS-PolicyAttachment defines two mechanisms that together allow to bind policy to the WSDL components (portType, Operation, Message) wsp:PolicyRefs="URI | QName" ?6?G?G?b? ??Z?? Binding policy to WSDL - Example??j ???? ??????? ??????? ??????? ??????? ???? <<< snip >>>> ???? 
Security related activities in EGEE - FYI
- EGEE - Enabling Grids for E-sciencE
- JRA3 - Security
- MWSG - Middleware Security Group
- JSPG - Joint with LCG and OSG Security Policy Group
- OSG Incident Handling Activity
- Recent Security related deliverables:
  - Grid User/Site Security Requirements - MJRA3.1 (https://edms.cern.ch/document/485295/1)
  - Global Security Architecture (GSA) rev. 1 - DJRA3.1 (https://edms.cern.ch/document/487004/1.1)
  - Grid Security Incident definition and exchange format - MJRA3.4; ongoing development, current version - https://edms.cern.ch/document/501422/1
  - As a part of joint OSG/LCG/EGEE Operational Security activity

Grid Security Incident (GSInc) definition
- GSInc definition depends on the scope and range of the Security Policy, ULA, or SLA - TODO
- Should be based on threats analysis and vulnerabilities model - MJRA3.4
- Should be based on Grid processes/workflow analysis - TODO
- GSInc definition is a base for GSInc description format
  - What information should be collected and how to exchange and handle it
  - Requirements to Events logging and Intrusion/compromise detection
- Common format is a basis for community wide statistics and coordinated response
- Incident statistics provides feedback for the Security Policy improvement
- Note. Grid Security model is based on delegation of security credentials to a service

Security credentials related GSInc and audit events
- Security credentials compromise (e.g., private key, proxy credentials, etc.)
  - patterns of credential usage
  - broken chain of PKC/keys/credentials
  - copy is discovered in not a proper place
  - originated not from the default location
  - sequent fault attempt to request action(s)
- PDP/PEP logging/audit
- Remaining problems and topics for discussion:
  - How to define at the early stage that a private key has been compromised?
  - May require credentials storing (not caching) and adding history/evidence chain to credentials format
  - X.509 credentials are not capable of this
  - Does SAML have required functionality?
- Note: Audit/log events together with related data can be also referred to as an Evidence

Discussion: security credentials compromise detection
- How to define at the early stage that a private key or other security credentials have been compromised?
- Will it require credentials storing (not caching) and adding history/evidence chain to credentials format?
- X.509 credentials are not capable of this
- Does SAML have required functionality?