<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.21 (Ruby 2.6.10) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-ietf-radext-review-radius-01" category="info" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.24.0 -->
  <front>
    <title abbrev="A Review of RADIUS Security and Privacy">A Review of RADIUS Security and Privacy</title>
    <seriesInfo name="Internet-Draft" value="draft-ietf-radext-review-radius-01"/>
    <author initials="A." surname="DeKok" fullname="Alan DeKok">
      <organization>InkBridge Networks</organization>
      <address>
        <email>alan.dekok@inkbridge.io</email>
      </address>
    </author>
    <date year="2026" month="July" day="03"/>
    <area>Internet</area>
    <workgroup>RADEXT Working Group</workgroup>
    <keyword>Internet-Draft</keyword>
    <abstract>
      <?line 153?>

<t>This document provides a comprehensive review of security issues
related to the RADIUS Protocol.  This review motivates the changes to
RADIUS security which are made in
<xref target="I-D.ietf-radext-deprecating-radius"/>.</t>
    </abstract>
    <note removeInRFC="true">
      <name>About This Document</name>
      <t>
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-ietf-radext-review-radius/"/>.
      </t>
      <t>
        Discussion of this document takes place on the
        RADEXT Working Group mailing list (<eref target="mailto:radext@ietf.org"/>),
        which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/radext/"/>.
        Subscribe at <eref target="https://www.ietf.org/mailman/listinfo/radext/"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/freeradius/review-radius.git"/>.</t>
    </note>
  </front>
  <middle>
    <?line 160?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>The RADIUS protocol <xref target="RFC2865"/> was first standardized in 1997, though its roots go back much earlier to 1993.  The protocol uses MD5 <xref target="RFC1321"/> to authenticate some packets, and to obfuscate certain attributes such as User-Password.  As originally designed, Access-Request packets were entirely unauthenticated, and could be trivially spoofed (<xref section="7.1" sectionFormat="comma" target="RFC2869"/> and <xref section="4.3.2" sectionFormat="comma" target="RFC3579"/>).  As much of the protocol data is sent in clear-text, packets can leak information about use names, devices, and locations.</t>
      <t>This document provides a comprehensive review of RADIUS security and privacy.  The discussion here motivates the changes to RADIUS security which are made in <xref target="I-D.ietf-radext-deprecating-radius"/>.  In order to simplify the protocol changes for implementers, this historical review is a separate document from the protocol changes.  While this document contains some operational recommendations, it does not change the RADIUS protocol.</t>
      <section anchor="history-of-radius-security">
        <name>History of RADIUS Security</name>
        <t>The insecurity of MD5 has been known for a long time.  It was first noted in relation to RADIUS in 1996 on the IETF RADIUS working group mailing list <xref target="MD5-1996"/>, which also discussed using an HMAC construct to increase security.  While it was common knowledge at the time, the earliest record of concerns about Access-Request packets spoofing was on the RADIUS working group mailing list <xref target="DATTACK"/> in 1998.  There was substantial further discussions about the lack of integrity checks on the list over the next few years.  The outcome of that process was the definition of Message-Authenticator as an optional HMAC-based attribute in <xref section="5.14" sectionFormat="comma" target="RFC2869"/>.</t>
        <t>Unfortunately, the use of Message-Authenticator was made optional.  This lack of integrity checks for Access-Request packets was deemed acceptable for some situations in <xref section="7.1" sectionFormat="comma" target="RFC2869"/>:</t>
        <ul empty="true">
          <li>
            <t>Access-Request packets with a User-Password establish the identity of
both the user and the NAS sending the Access-Request, because of the
way the shared secret between NAS and RADIUS server is used.</t>
          </li>
        </ul>
        <t>That conclusion now appears to be incorrect.  The text continues with an acknowledgment that:</t>
        <ul empty="true">
          <li>
            <t>Access-Request packets with CHAP-Password or EAP-Message do not have
a User-Password attribute, so the Message-Authenticator attribute
should be used in access-request packets that do not have a User-
Password, in order to establish the identity of the NAS sending the
request.</t>
          </li>
        </ul>
        <t>This text was non-normative due to the lowercase 'should'.  It appears that no implementation followed even this limited suggestion.</t>
        <t>The packet forgery issue was further discussed in 2004 in <xref section="4" sectionFormat="comma" target="RFC3579"/>, and again in 2007 in <xref section="2.2.2" sectionFormat="comma" target="RFC5080"/>.  That document suggested that implementations require the use of Message-Authenticator in order to prevent forgery:</t>
        <ul empty="true">
          <li>
            <t>However, Access-Request packets not containing a Message-
Authenticator attribute ...  may
be trivially forged.  To avoid this issue, server implementations may
be configured to require the presence of a Message-Authenticator
attribute in Access-Request packets.  Requests not containing a
Message-Authenticator attribute MAY then be silently discarded.</t>
          </li>
        </ul>
        <t>It appears that only one RADIUS server implemented even this limited suggestion.  At the time of publication of <xref target="RFC5080"/>, there was no consensus to require the use of Message-Authenticator in all Access-Request packets.  If this recommendation had instead been made mandatory, then the recent BlastRADIUS attack <xref target="BLAST"/> would largely have been prevented.</t>
        <t>The state of MD5 security was again discussed in <xref target="RFC6151"/>, which states in Section 2:</t>
        <ul empty="true">
          <li>
            <t>MD5 is no longer acceptable where collision resistance is required such as digital signatures.</t>
          </li>
        </ul>
        <t>That statement led to RADIUS security being reviewed in <xref section="3" sectionFormat="comma" target="RFC6421"/>.  The outcome of that review was the text in the remainder of <xref target="RFC6421"/>, which created crypto-agility requirements for RADIUS.  The main outcome of those requirements was not any change to RADIUS, but instead the definition of RADIUS/TLS in <xref target="RFC6614"/>, and RADIUS/DTLS in <xref target="RFC7360"/>.  Another outcome was the consensus that adding crypto-agility to RADIUS was likely not a good idea, and that standardizing RADIUS over TLS instead was a significantly better path forward.</t>
        <t>RadSec has now been standardized in <xref target="I-D.ietf-radext-radiusdtls-bis"/>.  That document standardizes TLS and DTLS transporst for RADIUS, which gives implementors and operators a way to secure the RADIUS protocol.</t>
        <t>As for RADIUS/UDP and RADIUS/TCP, they still depend on MD5 for all security.  The insecurity of MD5 was noted in <xref target="RFC6151"/>, which is over a decade old as of the time of publication of this document.  The recommendation to use Message-Authenticator in <xref target="RFC5080"/> is almost two decades old.  The knowledge that Access-Request packets lack integrity checks is almost three decades old.  Over that entire span of time, there has been no mandate to increase the security of Access-Request packets. This document explains why that mandate is now being made in <xref target="I-D.ietf-radext-deprecating-radius"/>.</t>
        <t>It is no longer acceptable for RADIUS to rely on MD5 for security.  It is no longer acceptable to send device or location information in clear text across the wider Internet.  This document therefore explains why insecure uses of RADIUS need to be deprecated. <xref target="I-D.ietf-radext-deprecating-radius"/> mandates the use of secure practices in RADIUS, including the use of (D)TLS via <xref target="I-D.ietf-radext-radiusdtls-bis"/>.</t>
      </section>
      <section anchor="radiusudp-over-the-internet-is-insecure">
        <name>RADIUS/UDP over the Internet is insecure</name>
        <t>Since the insecurity of MD5 has been well known for decades, RADIUS traffic over the Internet was historically secured with IPsec as described in <xref section="4.2" sectionFormat="comma" target="RFC3579"/>:</t>
        <ul empty="true">
          <li>
            <t>To address the security vulnerabilities of RADIUS/EAP,
implementations of this specification SHOULD support IPsec
(RFC2401) along with IKE (RFC2409) for key management.  IPsec ESP
(RFC2406) with non-null transform SHOULD be supported, and IPsec
ESP with a non-null encryption transform and authentication
support SHOULD be used to provide per-packet confidentiality,
authentication, integrity and replay protection.  IKE SHOULD be
used for key management.</t>
          </li>
        </ul>
        <t>The use of IPsec allowed RADIUS to be sent privately, and securely, across the Internet.  However, experience showed that TLS was simpler than IPSec in many ways simpler for implementations and deployments.  While IPsec required operating system support, TLS was an application-space library.  This difference, coupled with the wide-spread adoption of TLS for HTTPS, ensures that it was often easier for applications such as RADIUS to use TLS than IPsec.</t>
        <t>RADIUS/TLS <xref target="RFC6614"/> and RADIUS/DTLS <xref target="RFC7360"/> were then defined in order to meet the crypto-agility requirements of <xref target="RFC6421"/>.  RADIUS/TLS has been in wide-spread use for about a decade, including in eduroam <xref target="EDUROAM"/> <xref target="RFC7593"/>, and more recently in OpenRoaming <xref target="OPENROAMING"/> and <xref target="I-D.tomas-openroaming"/>.  RADIUS/DTLS has seen less use across the public Internet, but it still has multiple implementations.</t>
        <t>However, RADIUS/UDP is still widely used, even though it depends on MD5 and "ad hoc" constructions for security.  The recent BlastRADIUS attack shows just how inadequate this dependency is.  The details of the BlastRADIUS attack are discussed in more detail below, in <xref target="blastradius"/>.</t>
      </section>
      <section anchor="radiusudp-has-security-and-privacy-problems">
        <name>RADIUS/UDP Has Security and Privacy Problems</name>
        <t>Even if we ignore the BlastRADIUS attack, problems with MD5 mean that a hobbyist attacker who can view RADIUS/UDP traffic can brute-force check all possible RADIUS shared secrets of eight characters in not much more than an hour.  A more resourceful attacker (e.g. a nation-state) can check all much longer shared secrets with only modest expenditures.  See <xref target="cracking"/> below for a longer discussion of this topic.</t>
        <t>Determining the shared secret will also result in compromise of all passwords carried in the User-Password attribute.  Even using CHAP-Password offers minimal protection, as the cost of cracking the underlying password is similar to the cost of cracking the shared secret.  MS-CHAP (<xref target="RFC2433"/> and MS-CHAPv2 <xref target="RFC2759"/>) are significantly worse in security than PAP, as they can be completely broken with minimal resources.  Attacks on MS-CHAP are described below in <xref target="ms-chap"/>.</t>
        <t>The use of Message-Authenticator does not change the cost of attacking the shared secret.  The Message-Authenticator attribute is a later addition to RADIUS, and does does not replace the original MD5-based packet signatures.  While that attribute provides stronger protection for packets, it does not change the cost of attacking the shared secret.  Moving to a stronger packet signatures (e.g. <xref target="RFC6218"/>) would still not fully address the issues with RADIUS, as the protocol still has privacy issues unrelated to the the security of the Authenticator field.</t>
        <t>Most attributes in RADIUS are sent in clear-text, with only a few attributes such as User-Password and Tunnel-Password have their contents hidden.  The hidden attributes rely on "ad hoc" obfuscation methods using MD5, which have not been successfully attacked, but have not proven to be secure.  Peoples locations can (and has) been accurately determined, and people have been tracked using location data sent insecurely across the Internet (<xref target="privacy"/>).</t>
        <t>The implications for security and individual safety are large, and negative.</t>
        <t>These issues are only partly mitigated when the data carried within RADIUS use their own methods for increased security and privacy.  For example, some authentication methods such EAP-TLS, EAP-TTLS, etc. allow for User-Name privacy and for more secure transport of passwords via the use of TLS.  Some privacy can be gained through MAC address randomization, which can also limit device information identification to a particular manufacturer, instead of to a unique device.</t>
        <t>However, these methods are not always used, or are not always available.  Even if these methods were used ubiquitously, they do not protect all of the information which is publicly available over RADIUS/UDP or RADIUS/TCP transports.  And even when TLS-based EAP methods are used, implementations have historically often skipped certificate validation, leading to password compromise (<xref target="SPOOFING"/>).  In many cases, users were not even aware that the server certificate was incorrect or spoofed, which meant that there was no way for the user to detect that anything was wrong.  Their passwords were simply handed to a spoofed server, with little possibility for the user to take any action to stop it.</t>
      </section>
      <section anchor="simply-using-ipsec-or-tls-is-not-enough">
        <name>Simply using IPsec or TLS is not enough</name>
        <t>The use of a secure transport such as IPsec or TLS ensures complete privacy and security for all RADIUS traffic.  An observer of encrypted traffic is limited to knowing rough activity levels of a client or server.  That is, an observer can tell if there are a few users on a NAS, or many users on a NAS.  All other information is hidden from all observers.  Even with those limitations, it is not enough to say "use IPsec" and then move on to other issues.  There are many issues which can only be addressed via an informed approach.</t>
        <t>For example, it is possible for an attacker to record the session traffic, and later crack the TLS session key or IPsec parameters.  This attack could comprise all traffic sent over that connection, including EAP session keys.  When the cryptographic methods provide forward secrecy (<xref section="6.3" sectionFormat="comma" target="RFC7525"/>), then breaking one session provides no information about other sessions.</t>
        <t>The final attack possible in a AAA system is where one party in a AAA conversation is compromised or run by a malicious party.  This attack is made more likely by the extensive use of RADIUS proxy forwarding chains.  In that situation, every RADIUS proxy has full visibility into, and control over, the traffic it transports.  The solution here is to minimize the number of proxies involved, such as by using Dynamic Peer Discovery, as defined in <xref target="RFC7585"/>.</t>
        <t>There are many more security issues in addition to the need for a secure transport. The rest of this document discusses those issues in detail.</t>
      </section>
      <section anchor="overview-of-this-document">
        <name>Overview of this document</name>
        <t>This document begins with a summary of issues with RADIUS, including showing just how trivial it is to crack RADIUS/UDP security.  We then explain why mandating a secure transport is necessary, and describe what that requirement means in practice.  We give recommendations on how current systems can be migrated to using TLS.  We give suggestions for increasing the security of existing RADIUS transports, including a discussion of the authentication protocols carried within RADIUS.  We conclude with security and privacy considerations.</t>
        <t>As IPsec has been discussed previously in the context of RADIUS, we do not discuss it more here, except to say it is an acceptable solution for securing RADIUS traffic.  As the bulk of the current efforts are focused on TLS, this document likewise focuses on TLS.  We note that all of the issues raised here about the RADIUS protocol also apply to IPsec transport.  That is, when the application is not in charge of protocol security, the application is vulnerable to transport misconfigurations or attacks.</t>
        <section anchor="a-comment-on-specifications">
          <name>A Comment on Specifications</name>
          <t>While this document tries to be comprehensive, it is necessarily imperfect.  There may be issues which should have been included here, but which were missed due to oversight or accident.  Any reader should be aware that there are good practices which are perhaps not documented in a specification, and bad behaviors which are likewise not forbidden.  For example, documents such as <xref target="RFC5080"/> were written to both correct errors in earlier documents, and to address harmful behaviors which had been seen in practice.</t>
          <t>These harmful behaviors can have a large impact both on security and on interoperability, even if they are not expressly forbidden in a specification.</t>
          <t>There is a regrettable belief in some readers that a particular practice is "allowed" by a specification, simply because the practice is not forbidden.  This belief is wrong.  That is, a behavior which is not even mentioned in the specification cannot honestly be said to be "permitted" or "allowed" by that specification.    The most charitable description would be that these behaviors are undefined, or perhaps not forbidden.</t>
          <t>By their very nature, documents include a small number of permitted, required, and/or forbidden behaviors.  There are a much larger set of behaviors which are undefined.  That is, behaviors which are neither permitted nor forbidden.  Those behaviors are unconstrained by the specification, and therefore may be good or bad.</t>
          <t>Outside of published specifications, there is also a large set of common practices and behaviors which have grown organically over time, but which have not been formally written down.  These practices have been found to be valuable by implementers and administrators.  Deviations from these practices generally results in instabilities and incompatibilities between systems.  As such, implementers should exercise caution when creating new behaviors which have not previously been seen in the industry.  Such behaviors are likely to cause problems, where there would have been no problems if common practices had been followed instead.</t>
          <t>It is RECOMMENDED that implementations and administrators follow widely accepted practices which have been proven to work and to be secure, even if those practices are not written down in a public specification.  Implementers SHOULD NOT create features which depend on undefined behavior; such features are very likely to be wrong.</t>
        </section>
      </section>
    </section>
    <section anchor="terminology">
      <name>Terminology</name>
      <ul spacing="normal">
        <li>
          <t>RADIUS</t>
        </li>
      </ul>
      <ul empty="true">
        <li>
          <t>The Remote Authentication Dial-In User Service protocol, as defined in <xref target="RFC2865"/>, <xref target="RFC2866"/>, and <xref target="RFC5176"/> among others.</t>
        </li>
      </ul>
      <ul spacing="normal">
        <li>
          <t>RADIUS/UDP</t>
        </li>
      </ul>
      <ul empty="true">
        <li>
          <t>RADIUS over the User Datagram Protocol as define above.</t>
        </li>
      </ul>
      <ul spacing="normal">
        <li>
          <t>RADIUS/TCP</t>
        </li>
      </ul>
      <ul empty="true">
        <li>
          <t>RADIUS over the Transport Control Protocol <xref target="RFC6613"/></t>
        </li>
      </ul>
      <ul spacing="normal">
        <li>
          <t>RADIUS/TLS</t>
        </li>
      </ul>
      <ul empty="true">
        <li>
          <t>RADIUS over the Transport Layer Security protocol <xref target="RFC6614"/></t>
        </li>
      </ul>
      <ul spacing="normal">
        <li>
          <t>RADIUS/DTLS</t>
        </li>
      </ul>
      <ul empty="true">
        <li>
          <t>RADIUS over the Datagram Transport Layer Security protocol  <xref target="RFC7360"/></t>
        </li>
      </ul>
      <ul spacing="normal">
        <li>
          <t>TLS</t>
        </li>
      </ul>
      <ul empty="true">
        <li>
          <t>the Transport Layer Security protocol.  Generally when we refer to TLS in this document, we are referring to RADIUS/TLS and/or RADIUS/DTLS.</t>
        </li>
      </ul>
      <ul spacing="normal">
        <li>
          <t>NAS</t>
        </li>
      </ul>
      <ul empty="true">
        <li>
          <t>Network Access Server, which is a RADIUS client.</t>
        </li>
      </ul>
      <t>In order to continue the terminology of <xref target="RFC2865"/>, we describe the Request Authenticator, Response Authenticator, and Message-Authenticator as "signing" the packets.  This terminology is not consistent with modern cryptographic terms, but using other terminology is inconsistent with historic RADIUS practices.  The reader is assured that no modern cryptographic methods are used with RADIUS/UDP.</t>
    </section>
    <section anchor="security-issues-with-radius">
      <name>Security Issues with RADIUS</name>
      <t>There are a large number of issues with RADIUS.   The most serious is the BlastRADIUS vulnerability, which means that subject to some limitations, attackers can leverage MD5 known-prefix collisions to cause any user to be authenticated, and then be given any authorization.  Multi-factor Authentication (MFA) systems can be bypassed, and in many cases the RADIUS server will not even be aware that an unauthorized user is on the network.</t>
      <t>Another issue is that RADIUS sends most information (but not passwords) "in the clear", with obvious privacy implications.  Publicly available data includes information such as names, MAC addresses, locations, etc.</t>
      <t>As for authenticating the packets themselves, even if Message-Authenticator is used for integrity checks, an average hobbyist who observes RADIUS traffic can perform brute-force attacks to crack even seemingly complex shared secrets.</t>
      <t>There is no way to fix the RADIUS protocol to address all of these issues.  The short-term fix is in <xref target="I-D.ietf-radext-deprecating-radius"/>, which requires the use of Message-Authenticator to authenticate Access-Request packets, and responses to them.  The long-term solution is in <xref target="I-D.ietf-radext-radiusdtls-bis"/>, which wraps the protocol in a secure transport.</t>
      <t>With the benefit of experience, <xref target="I-D.ietf-radext-deprecating-radius"/> errs on the side of security, while still allowing for backwards compatibility.  It is not acceptable to permit insecure practices in the RADIUS protocol simply because a small number of implementations or organizations find it difficult to upgrade.  Insecure implementations or practices have a concrete cost not only to the insecure organizations, but also to other organizations via secondary effects.  When insecure organizations demand that others follow insecure practices continue due to perceived local costs, they are effectively offloading their costs onto everyone else.  This practice both decreases security, and increases costs.</t>
      <t>We address these issues in more detail below.</t>
      <section anchor="the-blastradius-vulnerability">
        <name>The BlastRADIUS Vulnerability</name>
        <t>The BlastRADIUS vulnerability was first described in <xref target="BLAST"/>.  This section gives a short summary of why RADIUS is vulnerable to this attack.   <xref target="blastradius"/>, below, gives a longer explanation as to how the attack works, and why the mitigations defined in <xref target="I-D.ietf-radext-deprecating-radius"/> protect from the attack. The reader is referred to <xref target="BLAST"/> for a comprehensive description of the attack.</t>
        <t>The discussion below assumes that there exist plain texts "A", "B", "S".  Following the practice of <xref target="RFC2865"/>, we use "+" to denote concatenation.  The vulnerability then relies on the following property of MD5:</t>
        <ul empty="true">
          <li>
            <t>If MD5(A) == MD5(B), then MD5(A + S) == MD5(B + S)</t>
          </li>
        </ul>
        <t>This construction menas that if an attacker is given text "A", and can find text "B" which has the same MD5 hash, then the attacker can perform a chosen prefix attack.  The attack works even if the attacker does not know text "S".  That is, given M5(A + S), then the attacker can trivially calculate MD5(B + S): it has the same value.</t>
        <t>In RADIUS, the Response Authenticator field <xref section="3" sectionFormat="comma" target="RFC2865"/> is calculated via precisely this vulnerable construct:</t>
        <ul empty="true">
          <li>
            <t>Response Authenticator = MD5(packet + secret)</t>
          </li>
        </ul>
        <t>The attacker can generally observe or predict an Access-Reject packet, as they are generally empty.  Each valid Access-Reject
is signed with a shared secret unknown to the attacker.  With sufficient work, the attacker can create an Access-Accept which has the same MD5 hash as the Access-Reject.  The attacker then replaces the Access-Reject with this Access-Accept, using the Response Authenticator from the Access-Reject.</t>
        <t>The client will then receive the packet, calculate MD5(Access-Accept + secret), and verify that the Response Authenticator is correct.  The client will then follow the attackers instructions: give the user access, along with some authorization.</t>
        <t>This chosen prefix attack is root cause behind the BlastRADIUS vulnerability.</t>
        <t>We note also that this attack does not expose the contents of the User-Password attribute.  Instead, the attack simply bypasses all server-side authentication, and fools the client into accepting a forged response.</t>
        <t>While this attack requires that an attacker be "on path" and be able to intercept and modify packets, the meaning of "on path" is often "the entire Internet".  As such, the existence of this attack alone is sufficient reason to deprecate all uses of RADIUS/UDP and RADIUS/TCP.</t>
      </section>
      <section anchor="failed-attempts-to-improve-radius-security">
        <name>Failed Attempts to Improve RADIUS Security</name>
        <t>Independent of any cryptographic vulnerability, there are a number of factors which contributed to the ongoing failure to improve RADIUS security.</t>
        <t>A major factor is the continued use of MD5 for security, instead of mandating the use of an HMAC via Message-Authenticator.  This change could have been made in <xref target="RFC2869"/> in the year 2000.  The stated reason there for not mandating Message-Authenticator was the issue of backwards compatibility.  Unfortunately, experience shows that issues which are not fixed just grow larger over time.  The issue of backwards compatibility is significantly worse now than it was in the year 2000.</t>
        <t>The issue of unauthenticated Access-Request packets was raised again in <xref section="2.2.2" sectionFormat="comma" target="RFC5080"/>, and again was widely ignored.  If vendors had implemented this recommendation in 2007, then the BlastRADIUS attack would have been impossible.</t>
      </section>
      <section anchor="failures-of-the-protocol-state-machine">
        <name>Failures of the Protocol State Machine</name>
        <t>Another contributing factor to the BlastRADIUS vulnerability is the principle of "be conservative in what you do, be liberal in what you accept from others", often known as Postel's law, after John Postel.  This principle means that a client will accept packets that are well-formed, but which contain invalid signaling.  Specifically, the Proxy-State attribute is intended for signalling between a proxy and a "next hop" server.  It offers no value for RADIUS clients.  A NAS which originates packets therefore does not send Proxy-State in an Access-Request, and should also not receive Proxy-State in any response packets.</t>
        <t>If a NAS does receive Proxy-State in a response, where the request did not contain Proxy-State, this is arguably a violation of the protocol state machine.  It would be useful if such a packet would either trigger a warning message, or instead be rejected entirely.</t>
        <t>That is, when a NAS sees Proxy-State in an Access-Accept, that is a failure of signaling in the RADIUS protocol.  It indicates either a serious failure of configuration, implementation, or as seen in this case, an active attack.  If the specifications had instructed clients to discard responses which contained unexpected Proxy-State attributes, then this attack would have been prevented.</t>
      </section>
      <section anchor="privacy">
        <name>Most information is sent in Clear Text</name>
        <t>Even ignoring security issues, the RADIUS protocol has fundamental problems with privacy.</t>
        <t>With the exception of a few attributes such as User-Password, all RADIUS traffic is sent "in the clear" when using UDP or TCP transports.  Even when TLS is used, all RADIUS traffic (including User-Password) is visible to proxies.  The resulting data exposure has a large number of privacy issues.  We refer to <xref target="RFC6973"/>, and specifically to <xref section="5" sectionFormat="comma" target="RFC6973"/> for detailed discussion, and to <xref section="6" sectionFormat="comma" target="RFC6973"/> for recommendations on threat mitigations.</t>
        <t>When RADIUS/UDP or RADIUS/TCP is used across the public Internet, common configurations allow the location of individuals to be tracked in real-time (usually 10 minute intervals), to within a small physical location.  The users devices can be identified, and also tracked. Even when the packets do not contain any <xref target="RFC5580"/> location information for the user, the packets usually contain the MAC address of the Wi-Fi access point.  The MAC address and physical location of the user device and often W-Fi access points are publicly available.  There are multiple services selling databases of Wi-Fi access point location.</t>
        <t>More discussion of location privacy is given in <xref target="RFC6280"/>, which defines an "Architecture for Location and Location Privacy in Internet Applications".  However, that work was published too late to have any practical impact on the design of location information attributes, as <xref target="RFC5580"/> had already been published.</t>
        <t>The effect of these design decisions is that any observer of non-TLS RADIUS traffic is able to obtain a substantial amount of personal identifiable information (PII) about users.  The observer can tell who is logging in to the network, what devices they are using, where they are logging in from, and their approximate location (usually city).  With location-based attributes as defined in <xref target="RFC5580"/>, a user's location may be determined to within 15 or so meters outdoors, and with "meter-level accuracy indoors" <xref target="WIFILOC"/>.  An observer can also use RADIUS accounting packets to determine how long a user is online, and to track a summary of their total traffic (upload and download totals).</t>
        <t>These issues are not theoretical.  Recently, <xref target="BRIGGS"/> noted for the Diameter <xref target="RFC6733"/> protocol that:</t>
        <ul empty="true">
          <li>
            <t>Overall, I think the above three examples are just the tip of the proverbial iceberg of SS7 and Diameter based location and monitoring exploits that have been used successfully against targeted people in the USA.</t>
          </li>
        </ul>
        <t><xref target="BRIGGS"/> continues with a statement that there have been:</t>
        <ul empty="true">
          <li>
            <t>... numerous other exploits based on SS7 and Diameter that go beyond location tracking. Some of these involve issues like (1) the monitoring of voice and text messages, (2) the delivery of spyware to targeted devices, and (3) the influencing of U.S. voters by overseas countries using text messages.</t>
          </li>
        </ul>
        <t>While these comments mention only Diameter, the same location tracking and monitoring is also possible with RADIUS.  There is every reason to believe that similar attacks on RADIUS have occurred, but are simply less publicized than similar attacks on Diameter.</t>
      </section>
      <section anchor="md5-has-been-broken">
        <name>MD5 has been broken</name>
        <t>Attacks on MD5 are summarized in part in <xref target="RFC6151"/>.  The BlastRADIUS work substantially improved the speed of finding MD5 collisions, and those improvements are publicly available at <xref target="HASHCLASH"/>.</t>
        <t>While there have not been many other new attacks in the decade since <xref target="RFC6151"/> was published, that does not mean that further attacks do not exist.  It is more likely instead that no one is looking for new attacks.</t>
      </section>
      <section anchor="cracking">
        <name>Cracking RADIUS shared secrets is not hard</name>
        <t>The cost of cracking a a shared secret can only go down over time as computation becomes cheaper.  The issue is made worse because of the way MD5 is used to authenticate RADIUS packets.  The attacker does not have to calculate the hash over the entire packet, as the hash prefix can be calculated once, and then cached.  The attacker can then begin the attack with that hash prefix, and brute-force only the shared secret portion.</t>
        <t>At the time of writing this document, an "off the shelf" commodity computer can calculate at least 100M MD5 hashes per second.  If we limit shared secrets to upper/lowercase letters, numbers, and a few "special" characters, we have 64 possible characters for shared secrets.  Which means that for 8-character secrets, there are 2^48 possible combinations.  The result is that using a consumer-grade machine, it can take about 32 days to brute-force the entire 8 octet / 64 character space for shared secrets.</t>
        <t>The problem is even worse when graphical processing units (GPUs) are used. A high-end GPU is capable of performing more than 64 billion hashes per second.  At that rate, the entire 8 character space described above can be searched in approximately 90 minutes.  This is an attack which is feasible today for a hobbyist.</t>
        <t>Increasing the size of the character set raises the cost of cracking, but not enough to be secure.  Increasing the character set to 93 characters means that the hobbyist using a GPU could search the entire 8 character space in about a day.</t>
        <t>Increasing the length of the shared secret has a larger impact on the cost of cracking.  For secrets ten characters long, the search space is approximately 2^60.  One GPU can search a 64-character space in about six months. A 93 character space (2^65 complexity) would take approximately 24 years.</t>
        <t>This brute-force attack is trivially parallelizable.  Nation-states have sufficient resources to deploy hundreds to thousands of systems dedicated to these attacks.  That reality means that a "time to crack" of 24 years means "24 CPU years", and does not mean "wall clock" time.  A thousand commodity CPUs are enough to reduce the crack time from 24 years to a little over a week.  This attack is feasible for any organisation with a modest amount of resources.</t>
        <t>Whether the above numbers are precise or only approximate is immaterial.  These attacks will only get better over time.  The cost to crack shared secrets will only go down over time.</t>
        <t>If the shared secret is long, then "cracking" the secret is expensive, and different trade-offs occur.  Rather than cracking the secret, it is cheaper to perform the BlastRADIUS attack at a cost of approximately 2^53 per packet, and less than $100 in purchased CPU time.  While cracking the shared secret would break all RADIUS packets using that secret, forging one packet is likely enough to give the attacker administrator access to a NAS, where the shared secret is likely to be visible in the administration interface.  The conclusion, then, is that increasing the security of the shared secret offers minimal protection when the Access-Request packets are unsigned.</t>
        <t>Even if the shared secrets were enough to secure all RADIUS packets, administrators do not always derive shared secrets from secure sources of random numbers.  The "time to crack" numbers given above are the absolute best case, assuming administrators follow best practices for creating secure shared secrets.  For shared secrets created manually by a person, the search space is orders of magnitude smaller than the best case outlined above.  Rather than brute-forcing all possible shared secrets, an attacker can create a local dictionary which contains common or expected values for the shared secret.  Where the shared secret used by an administrator is in the dictionary, the cost of the attack can drop by multiple orders of magnitude.</t>
        <t>Implementers and administrators should assume that a hobbyist attacker with modest resource can crack most shared secrets created by people in minutes, if not seconds.</t>
        <t>Despite the ease of attacking MD5, it is still a common practice for some "cloud" and other RADIUS providers to send RADIUS/UDP packets over the Internet.  It is also common practice for administrators to use "short" shared secrets, and to use shared secrets created by a person, or to use secrets that are derived from a limited character set.  Theses practice are simple to implement and to follow, but they are highly insecure, and do not provide adequate security.  Any system using these practices is vulnerable to all of the issues which are outlined in this document.</t>
        <t><xref target="I-D.ietf-radext-deprecating-radius"/> gives suggestions for how strong shared secrets can be created.</t>
      </section>
      <section anchor="tunnel-coa">
        <name>CoA-Request packets might leak Tunnel-Password contents</name>
        <t>There are a number of security problems with the use Tunnel-Password attribute in CoA-Request and Disconnect-Request packets.  A full explanation requires a review of the relevant specifications.</t>
        <t><xref target="RFC5176"/> Section 2.3 describes how to calculate the Request Authenticator field for these packets:</t>
        <artwork><![CDATA[
Request Authenticator

   In Request packets, the Authenticator value is a 16-octet MD5
   [RFC1321] checksum, called the Request Authenticator.  The
   Request Authenticator is calculated the same way as for an
   Accounting-Request, specified in [RFC2866].
]]></artwork>
        <t>Where <xref target="RFC2866"/> Section 3 says:</t>
        <artwork><![CDATA[
   The NAS and RADIUS accounting server share a secret.  The Request
   Authenticator field in Accounting-Request packets contains a one-
   way MD5 hash calculated over a stream of octets consisting of the
   Code + Identifier + Length + 16 zero octets + request attributes +
   shared secret (where + indicates concatenation).  The 16 octet MD5
   hash value is stored in the Authenticator field of the
   Accounting-Request packet.
]]></artwork>
        <t>Taken together, these definitions mean that for CoA-Request packets, all attribute obfuscation is calculated with the Reply Authenticator being all zeroes.  In contrast for Access-Request packets, the Request Authenticator is mandated to be 16 octets of random data.  This difference reduces the security of the obfuscation.</t>
        <t>For Tunnel-Password, <xref target="RFC5176"/> Section 3.6 allows it to appear in CoA-Request packets:</t>
        <artwork><![CDATA[
   ...
   Change-of-Authorization Messages
   
   Request   ACK      NAK   #   Attribute
   ...
   0+        0        0    69   Tunnel-Password (Note 5)
   ...
   (Note 5) When included within a CoA-Request, these attributes
   represent an authorization change request.  Where tunnel attributes
   are included within a successful CoA-Request, all existing tunnel
   attributes are removed and replaced by the new attribute(s).
]]></artwork>
        <t>However, <xref target="RFC2868"/> Section 3.5 says that Tunnel-Password is encrypted with the Request Authenticator:</t>
        <artwork><![CDATA[
   Call the shared secret S, the pseudo-random 128-bit Request
   Authenticator (from the corresponding Access-Request packet) R,
]]></artwork>
        <t>The assumption that the Request Authenticator is random data is true for Access-Request packets.  That assumption is not true for CoA-Request packets.</t>
        <t>That is, when the Tunnel-Password attribute is used in CoA-Request packets, the only source of randomness in the obfuscation is the salt, as defined in <xref target="RFC2868"/> Section 3.5;</t>
        <artwork><![CDATA[
 Salt
   The Salt field is two octets in length and is used to ensure the
   uniqueness of the encryption key used to encrypt each instance of
   the Tunnel-Password attribute occurring in a given Access-Accept
   packet.  The most significant bit (leftmost) of the Salt field
   MUST be set (1).  The contents of each Salt field in a given
   Access-Accept packet MUST be unique.
]]></artwork>
        <t>This chain of unfortunate definitions means that there is only 15 bits of entropy in the Tunnel-Password obfuscation (plus the RADIUS shared secret).  It is not currently known if this limitation makes it sufficiently easy for an attacker to determine the contents of the Tunnel-Password, as the obfuscated value still depends on the shared secret.  However, such limited entropy cannot be a good thing.</t>
        <t>Due to the above issues, the use obfuscated attributes in CoA-Request or Disconnect-Request packets needs to be avoided.</t>
      </section>
      <section anchor="secure-transports-can-still-leak-information">
        <name>Secure Transports Can Still Leak Information</name>
        <t>The above analysis as to security and privacy issues focuses on RADIUS/UDP and RADIUS/TCP.  These issues are partly mitigated through the use secure transports, but it is still possible for information to "leak".</t>
        <t>When TLS-based EAP methods such as TTLS or PEAP are used, they still transport passwords inside of the TLS tunnel.  It is possible for an authentication server to terminate the TLS tunnel, and then proxy the inner data over RADIUS/UDP.  The design of both TTLS and PEAP make this process fairly trivial.  The inner data for TTLS is in Diameter AVP format, which can be trivially transformed to RADIUS attributes.  The inner data for PEAP is commonly EAP-MSCHAPv2, which can also be trivially transformed to bare EAP, or to MS-CHAPv2.</t>
        <t>This forwarding of the inner tunnel data to another system removes all of the privacy and security benefits of the TLS tunnel.  The inner identity will leak, negating all privacy.  If attributes such as NAS-Identifier or Calling-Station-Id are copied from the incoming packet to the proxied packet, it allows observers to correlate user identity with location and devices.</t>
        <t>Where the inner authentications credentials are PAP, the User-Password attribute is secure, as discussed below in <xref target="pap-security"/>.  Forwarding inner CHAP data is insecure (<xref target="chap-password"/>), as is MS-CHAP (<xref target="ms-chap"/>).</t>
        <t>Similar issues apply for proxies even when RADIUS/TLS and IPsec are used.  A proxy which receives packets over IPsec will terminate the IPSec tunnel, but it then might forward the packets over an insecure transport protocol.  While this process could arguably be seen as a misconfiguration issue, it is never the less possible due to the design of the RADIUS protocol.  As RADIUS security is "hop by hop", there is no way for one "hop" to know anything about, or to control, the security of another "hop".</t>
        <t>The use of channel binding <xref target="RFC6677"/> does not prevent these attack, as they made by parties within the trusted RADIUS system.  Instead, channel binding protects from an unrelated attack by an untrusted third party.</t>
        <t>One solution to the above issues would be to create a new protocol which is secure by design, but that solution is not practical.</t>
      </section>
      <section anchor="all-short-shared-secrets-have-been-compromised">
        <name>All short Shared Secrets have been compromised</name>
        <t>As a result of the above analysis, administrators can assume that any shared secret of 8 characters or less has been compromised as soon as it is used in RADIUS/UDP or RADIUS/TCP.  Administrators can assume that any shared secret of 10 characters or less has been compromised by an attacker with significant resources.  Administrators can also assume that all private information (such as User-Password or Tunnel-Password) which depend on such shared secrets have also been compromised.</t>
        <t>As the analysis in [](#user-password} below shows, a strong shared secret protects the contents of User-Password, no matter how weak the end-users password is.  As such it is acceptable (for a short time) for RADIUS/UDP to continue to carry User-Password and Tunnel-Password, but only when a strong shared secret is used.</t>
        <t>Using a strong shared secret is only a partial protection from known attacks.  RADIUS can carry end-user credentials such as CHAP-Password and MS-CHAP which are not protected with the shared secret.  Many of those credentials have been compromised, too.</t>
      </section>
      <section anchor="many-end-user-passwords-have-been-compromised">
        <name>Many End-User Passwords Have Been Compromised</name>
        <t>The analyis in <xref target="ms-chap"/> below shows how the construction of MS-CHAP can allow attackers to determine the underyling password in milliseconds.  <xref target="chap-password"/> also shows how a different attack on CHAP-Password can recover the underlying password in milliseconds.  This section explains the effects of those attacks.</t>
        <t>As the security of CHAP-Password and MS-CHAP depends only on the strength of the end-users password, those methods can be safe only if the user chooses a strong password.  That is, a password which is 10 characters or more, and which is derived from a cryptograpically strong pseudo-random number generator. This requirement is unlikely to be met by a large percentage of end users.  As such, the use of CHAP-Password and MS-CHAP needs to be deprecated.</t>
        <t>To be perfectly clear: if a CHAP-Password, or MS-CHAP data has been sent over the Internet via RADIUS/UDP or RADIUS/TCP in the last decade, you should assume that the underlying passwords have been compromised.</t>
      </section>
    </section>
    <section anchor="blastradius">
      <name>The BlastRADIUS Attack</name>
      <t>This section gives more details on the BlastRADIUS attack, so that the reader can be informed as to why <xref target="I-D.ietf-radext-deprecating-radius"/> makes its recommendations.  In the interest of simplicity for implementers, {I-D.ietf-radext-deprecating-radius}} omits all explanation of the attack.  That document also gives minimal explanation for each of the protocol changes.  This document contains the full details instead.</t>
      <t>The attack depends on a few related factors.  If any one of these factors are not present, the attack is not possible.  These factors are outlined below:</t>
      <ul spacing="normal">
        <li>
          <t>The Access-Request packets are not authenticated, and can therefore be modified without detection.</t>
        </li>
        <li>
          <t>The use of MD5 within RADIUS is subject to known prefix attacks.</t>
        </li>
        <li>
          <t>The improvements to MD5 collisions in <xref target="HASHCLASH"/> make the attack feasible.</t>
        </li>
        <li>
          <t>The structure and behavior of Proxy-State makes it the perfect vector for an attacker to inject the "MD5 garbage" (<xref target="BLAST"/>) which is needed to force the MD5 collision.</t>
        </li>
      </ul>
      <t>The attack works by having An "on path" attacker who modifies an Access-Request packet, and injects one or more Proxy-State attributes with special contents. The Proxy-State attribute itself will not trigger any overflow or “out of bounds” issue with the RADIUS client or server.  Instead, the contents of the attributes allows the attacker to create an MD5 known-prefix collision when the server calculates the Response Authenticator.  In effect, the attacker uses the RADIUS server, and its knowledge of the shared secret, to unknowingly authenticate packets which it has not created.</t>
      <t>The behavior of the Proxy-State attribute is extremely useful to this attack.  The attribute is defined in <xref section="5.33" sectionFormat="comma" target="RFC2865"/> as an opaque token which is sent by a RADIUS proxy, and is echoed back by RADIUS servers.  That is, the contents of the attribute are never examined or interpreted by the RADIUS server.  Even better, testing shows that all known RADIUS clients will simply ignore any unexpected Proxy-State attributes which they receive.  Finally, implementations generally add Proxy-State to the end of response packets, which simplifies the attack.</t>
      <t>This attribute is therefore ideally suited to an attackers purpose of injecting arbitrary data into packets, without that data affecting client or server behavior.   The reasons for this behavior are outlined below in <xref target="proxy-state"/>.  While those reasons were transient and decades in the past, the impact of those decisions has continued to impact RADIUS until the present.</t>
      <t>While it is possible to use other attributes to achieve the same effect, the use of Proxy-State is simple, and is sufficient to trigger the issue.  For example, it is theoretically possible to use the User-Name attribute for this attack, so long as it is echoed back in an Access-Accept, or even as part of the the contents of a Reply-Message in an Access-Accept.  There is no much benefit in further researching that attack, as the mitigations for attacks using Proxy-State will also protect clients and servers from a similar attacks which use other attributes.</t>
      <t>The injected data and resulting MD5 collision allows the attacker to modify the packet contents almost at will, and the client will still accept the modified packet as being authentic.  The attack allows nearly arbitrary attributes to be added to the response.  Those attributes are simply part of the MD5 collision calculation, and do not substantially impact the cost of that calculation.</t>
      <t>We reiterate that since the RADIUS server can be convinced to authenticate packets using a prefix chosen by the attacker, there is no need for the attacker to know the shared secret.  This attack succeeds no matter how secure the shared secret is, the only mitigation against the attack for RADIUS systems to use TLS, or to require that packets contain a is valid Message-Authenticator.</t>
      <section anchor="detailed-description-of-the-attack">
        <name>Detailed Description of the Attack</name>
        <t>The specific details of the attack are outlined below, as steps which are numbered the same as in the original paper (<xref target="BLAST"/>).</t>
        <ol spacing="normal" type="1"><li>
            <t>The attacker requests network access from the RADIUS client (NAS).  This action triggers the NAS to send an Access-Request packet to the RADIUS server.</t>
          </li>
          <li>
            <t>The Access-Request is observed to obtain its contents, including the Request Authenticator field.  The attacker prevents this packet from reaching the server until the MD5 collision data has been calculated.  The NAS will retransmit the packet one or more times after a delay, giving the attacker time to calculate the chosen prefix.</t>
          </li>
          <li>
            <t>An external resource is used to calculate an MD5 collision using the Request Authenticator, along with the expected contents of an Access-Reject.  As Access-Reject packets are typically empty or can be observed, the expected packet contents are known in their entirety.</t>
          </li>
          <li>
            <t>Once an MD5 collision is found, the resulting "MD5 garbage" data is placed into one or more Proxy-State attributes in the previously seen Access-Request.  The attacker then sends this modified Access-Request to the RADIUS server.</t>
          </li>
          <li>
            <t>The RADIUS server responds with an Access-Reject, and includes the Proxy-State attributes from the modified Access-Request packets.  The packet contains the malicious Proxy-State(s), along with a Response Authenticator which depends on both those malicious attributes, and the shared secret.</t>
          </li>
          <li>
            <t>The attacker discards the original Access-Reject, and uses the chosen prefix data in the Proxy-State(s) to create a different (i.e. modified) response, such as an Access-Accept.  Other authorization attributes such as VLAN assignment can also be added, modified, or deleted.  This modified packet is sent to the NAS.</t>
          </li>
          <li>
            <t>The NAS receives the modified Access-Accept, verifies that the Response Authenticator is correct, and gives the user access, along with the attackers desired authorization.</t>
          </li>
        </ol>
        <t>The result of this attack is a near-total compromise of the RADIUS protocol.  The attacker can cause any user to be authenticated.  The attacker can give almost any authorization to any user.</t>
        <t>While the above description leverages Access-Reject responses, we reiterate that the root cause of the vulnerability is the unauthenticated Access-Request packets.  The attack will therefore succeed even if the server responds with Access-Accept, Access-Challenge, or Protocol-Error <xref target="RFC7930"/>.  The ability for the attacker to avoid Access-Challenge allows MFA to be bypassed, as the attacker simply replaces the Access-Challenge with an Access-Accept.</t>
        <t>In addition to forging an Access-Accept for a user who has no credentials, the attacker can control the traffic of known and authenticated users.  Many modern Broadband Network Gateways (BNG)s, Wireless LAN Controllers (WLCs), and Broadband Remote Access Servers (BRAS) support configuring a dynamic HTTP redirect using Vendor Specific Attributes (VSA)s.  These VSAs are not protected in any way, and could be injected into an Access-Accept in order to redirect a users traffic.  The attacker could then set up a malicious website to launch Zero-Day/Zero-Click attacks, driving subscribers to the website using an HTTP redirect.  This issue is compounded by the fact that many devices perform automatic HotSpot 1.0 style walled garden discovery.  The act of simply connecting to their home WiFi connect could be enough to compromise a subscriber's equipment.</t>
        <t><xref target="I-D.ietf-radext-deprecating-radius"/> defines mitigations which will protect clients and servers from this attack when using RADIUS/UDP or RADIUS/TCP.  However, we reiterate here, and in the rest of this document, that the only long-term solution is to deprecate insecure transports entirely.  In the long term, implementers need to remove all uses of RADIUS/UDP and RADIUS/TCP from their products.  Administrators need to stop using RADIUS/UDP and RADIUS/TCP.</t>
      </section>
      <section anchor="configuration-flags">
        <name>Mitigating the Attack</name>
        <t>While <xref target="I-D.ietf-radext-deprecating-radius"/> defines the mitigations that are mandated for clients and servers, we give a summary description of those mandates here for clarity.  These descriptions are not normative, and readers are instructed to refer to <xref target="I-D.ietf-radext-deprecating-radius"/> for the full list of normative changes to RADIUS.</t>
        <t>Clients</t>
        <ul empty="true">
          <li>
            <t>Clients are required to include Message-Authenticator as the first attribute in all Access-Request packets.</t>
            <t>Clients are required to have a new boolean configuration flag for each server, called "require Message-Authenticator".</t>
            <ul empty="true">
              <li>
                <t>When this flag is set to "false", client behavior remains unchanged from legacy RADIUS.</t>
                <t>When this flag is set to "true", clients discard all responses to Access-Request packets which do not contain a Message-Authenticator attribute.</t>
              </li>
            </ul>
            <t>Clients still need to validate the contents of Message-Authenticator when it is present.  Clients also need to accept valid and authenticated responses, no matter where the Message-Authenticator is located in the response.</t>
          </li>
        </ul>
        <t>Servers</t>
        <ul empty="true">
          <li>
            <t>Servers are required to include Message-Authenticor as the first attribute in all responses to Access-Request packets.</t>
            <t>Servers are required to have a new boolean configuration flag for each client, called "require Message-Authenticator".</t>
            <ul empty="true">
              <li>
                <t>When this flag is set to "false", their behavior remains unchanged from legacy RADIUS, except that the "limit Proxy-State" flag below is also checked.</t>
                <t>When this flag is set to "true", clients discard all Access-Request packets which do not contain a Message-Authenticator attribute.</t>
              </li>
            </ul>
            <t>Servers still need to validate the contents of Message-Authenticator when it is present.  Servers also need to accept valid and authenticated Access-Requests, no matter where the Message-Authenticator is located in the request.</t>
          </li>
        </ul>
        <ul empty="true">
          <li>
            <t>Servers are required to have a new boolean configuration flag for each client, called "limit Proxy-State".</t>
            <ul empty="true">
              <li>
                <t>When this flag is set to "false", server behavior remains unchanged from legacy RADIUS.</t>
                <t>When this flag is set to "true", servers discard all Access-Request packets that contain a Proxy-State attribute.</t>
              </li>
            </ul>
          </li>
        </ul>
      </section>
      <section anchor="why-the-mitigiations-work">
        <name>Why the Mitigiations Work</name>
        <t>This section explains the rationale for the mitigations defined by <xref target="I-D.ietf-radext-deprecating-radius"/>.</t>
        <t>Adding Message-Authenticator as the first attribute in packets means that the first attribute contains data which is impossible for the attacker to predict.  That is, for the purposes of MD5 known prefix attacks, the unknown suffix begins with the Message-Authenticator, and continues for the remainder of the packet.  The attacker is therefore unable to leverage the attack using a known prefix, and the vulnerability is prevented.</t>
        <t>When this change is made on clients, it is necessary to prevent the attack, but it is not sufficient.  When a server does not require that Access-Request packets contain Message-Authenticator, an attacker can simply remove it from the Access-Request.  The attack can then proceed, as the server will receive, process, and respond to, an unauthenticated Access-Request packet.</t>
        <t>In contrast, when both clients and servers requires that packets contain a valid Message-Authenticator, the BlastRADIUS attack is impossible.  Therefore the "require Message-Authenticator" flag is needed on both clients and servers in order to secure the RADIUS protocol.  In order to enable compatibility with legacy systems, this protocol change must be enabled by a configuration flag.</t>
        <section anchor="protecting-clients">
          <name>Protecting Clients</name>
          <t>A client is fully protected from the attack if it requires that all responses to Access-Request contain a Message-Authenticator, and it validates the contents of Message-Authenticator.  The client is also protected when the server sends Message-Authenticator as the first attribute in all responses to Access-Request packets.</t>
          <t>That server behavior secures one client to server connection, even if the server does not require Message-Authenticator in Access-Request packets, and even if the client does not examine or validate the contents of the Message-Authenticator.  As noted above, this location of the Message-Authenticator ensures that the unknown suffix is the entire packet, and the attack is impossible.</t>
          <t>In contrast, when the Message-Authenticator is the last attribute in a packet (as was historically common in many implementations), the attacker can treat the Message-Authenticator itself as an unknown suffix, as it does with the shared secret.  The attacker can then proceed with the attack, with no additional effort.</t>
          <t>The analysis is similar if the Message-Authenticator is in the middle of the packet, with attributes existing both before an after the Message-Authenticator.  Attributes before the Message-Authenticator can be modified, discarded, or added, while attributes after the Message-Authenticator need to remain in the packet.  We direct the reader to <xref target="BLAST"/> Section 7.2 for a more complete description of these issues.</t>
          <t>In short, the only solution which mitigates the attack is that servers need to place Message-Authenticator as the first attribute in all responses to Access-Request packets.</t>
        </section>
        <section anchor="protecting-servers-and-proxies">
          <name>Protecting Servers and Proxies</name>
          <t>Ugrading all client equipment can be  difficult, if only because there are many more clients than servers.  Some client products may no longer be supported, or the relevant vendor may have gone out of business.  Even if upgraded software images are available, the upgrade process may impact production networks, which has a cost.  As a result, any mitigations must work even when clients have not been updated.</t>
          <t>A server is vulnerable to the attack when it proxies packets, even if it adds Message-Authenticator is added as the first attribute in responses to all Access-Request packets.  Due to the limitations of RADIUS, a proxy has no way of knowing whether or not a "next hop" RADIUS server has been upgraded.  It therefore has to protect itself from attacks when it is the only upgraded party in a RADIUS proxy chain.</t>
          <t>In this scenario, a legacy client sends Access-Request packets to an upgraded proxy, which in turn forwards the packets to a legacy next hhop server.  Responses from the next hop server are sent back to the proxy, and then to the client.</t>
          <t>Upgrading the proxy will protect only the responses from the proxy to the client.  The attacker can still modify packets from the client to the proxy, or it can modify all request and response packets that are sent between the proxy and next hop server.  The result is that the upgraded server is still vulnerable to the attack.</t>
          <t>The "limit Proxy-State" flag allows servers to detect and prevent attacks when Access-Request packets do not contain Message-Authenticator.  This configuration is only necessary when the server is a proxy.  When the server enables the "limit Proxy-State" flag, legacy clients to be used without substantially compromising security.</t>
          <t>The proxy is likely to still be vulnerable to attacks on the link between itself and the next hop server.  However, the proxy can use the client "require Message-Authenticator" flag defined above to protect itself.  Even when the proxy cannot set that flag, the link between the proxy and the next hop server is much more likely to be protected via TLS or IPSec than the link between the client and proxy.</t>
          <t>In addition, it is generally easier to upgrade servers than clients.  The focus of the mitigations, therefore, has been on securing the link between clients and servers, not between proxy servers.</t>
        </section>
        <section anchor="other-attributes">
          <name>Other Attributes</name>
          <t>While it is theoretically possible to perform the BlastRADIUS attack via attributes other than Proxy-State, no such exploits are known at this time.  Any such exploit would require that the server receive fields under the attackers control (e.g. User-Name), and echo those fields back in a response.  Such attacks are therefore only possible when the server is configured to echo back attacker-controlled data, which is not their default behavior.</t>
          <t>As a result, the configuration flags described above in <xref target="configuration-flags"/> allow the maximum amount of security while adding the minimum disruption to operational networks.  For the remaining attack vectors, is is RECOMMENDED that servers which echo back user-supplied data in responses do so only when their "require Message-Authenticator" flag is set to "true".  If such user-supplied data is echoed back in responses when the "require Message-Authenticator" flag is set "false", then the BlastRADIUS attack is theoretically still possible, even though no exploit is currently available.</t>
          <t>The server configuration flags will protect it even if clients have not been upgraded or been configured to be secure.  The server configuration flags will not protect clients (NASes or proxies) from servers which have not been upgraded or been configured to be secure.</t>
        </section>
        <section anchor="requirements-for-full-mitigation">
          <name>Requirements for Full Mitigation</name>
          <t>The attack will only be mitigated in either of the following two circumstances:</t>
          <ol spacing="normal" type="1"><li>
              <t>The client implements the "require Message-Authenticator" flag, and has set that flag to "true",</t>
            </li>
            <li>
              <t>The server places Message-Authenticator as the first attribute in all responses to Access-Request packets.</t>
            </li>
          </ol>
          <t>Since RADIUS has no feature negotiation, the server has no way of knowing whether or not the client has been configured securely.  The only remaining choice then for server behavior then, is the second item.  <xref target="I-D.ietf-radext-deprecating-radius"/> therefore mandates that all RADIUS servers send Message-Authenticator as the first attribute in all responses to Access-Request packets.  This change is the simplest possible fix to the RADIUS protocol which will protect systems from the attack.</t>
        </section>
      </section>
      <section anchor="limitations-of-the-mitigations">
        <name>Limitations of the Mitigations</name>
        <t>The above mitigations have some limitations.  The design of the mitigations had to allow for backwards compatibility with legacy RADIUS systems, while still allowing for (but not requiring) whole-sale network upgrades.  There is a trade-off to be made between perfectly secure networks which are unusable, and networks which are usable but somewhat insecure.  The mitigations defined in <xref target="I-D.ietf-radext-deprecating-radius"/> create as much security as possible, while still not breaking existing networks.</t>
        <t>The result is that there are situations where a network is functional, but insecure.  In addition, there are situations where existing client implementations are not compatible with the mitigations.  This section outlines those limitations.</t>
        <section anchor="vulnerable-systems">
          <name>Vulnerable Systems</name>
          <t>A RADIUS server is vulnerable to the attack if it does not require that all received Access-Request packets contain a Message-Authenticator attribute.  This vulnerability exists for many common uses of Access-Request, including packets containing PAP, CHAP, MS-CHAP, or packets containing “Service-Type = Authorize-Only”.   The vulnerability is also transitive.  If any one RADIUS server in a proxy chain is vulnerable, then the entire chain is vulnerable.  The attack can proceed on the vulnerable systems, and the attacker can gain unauthenticated and/or unauthorized access to any systems which depend on that proxy chain.</t>
          <t>Similarly, simply having the Message-Authenticator attribute present in Access-Request packets is not sufficient.  In order to be protected, a server must require that the attribute is present, and must also discard packets which are missing it.  Similarly, the client must also require that the attribute is present, and discard packets which are missing oit.</t>
          <t>Similarly, clients are vulnerable when they do not require that all responses to Access-Request packets contain Message-Authenticator.  Note that clients which validate Message-Authenticator are not vulnerable even if Message-Authenticator is the last attribute in a response.  The HMAC construct of Message-Authenticator makes the attack impossible in that situation.</t>
          <t>The requirement on servers to place Message-Authenticator as the first attribute in all responses to Access-Request is there only to protect legacy clients which do not validate Message-Authenticator.  There is no need for a client to discard responses where the Message-Authenticator is valid, but is also not the first attribute.  Such behavior is incorrect, and will cause interoperability problems.</t>
        </section>
        <section anchor="unaffected-systems">
          <name>Unaffected Systems</name>
          <t>There are a number of systems which are not vulnerable to this attack.  The most important ones are systems which only perform EAP authentication, such as with 802.1X / WPA Enterprise.  The EAP over RADIUS protocol is defined in <xref section="3.3" sectionFormat="comma" target="RFC3579"/> which states explicitly:</t>
          <ul empty="true">
            <li>
              <t>If any packet type contains an EAP-Message attribute it MUST also contain a Message-Authenticator.</t>
            </li>
          </ul>
          <t>This requirement reiterates that of <xref section="5.13" sectionFormat="comma" target="RFC2869"/>, which defines EAP-Message and Message-Authenticator, but which does not get into details about EAP.</t>
          <t>This requirement is enforced by all known RADIUS servers.  As a result, when roaming federations such as eduroam <xref target="EDUROAM"/> use RADIUS/UDP to transport EAP, the attack is not possible.</t>
          <t>Other roaming groups such as OpenRoaming <xref target="OPENROAMING"/> require the use of TLS, and are not vulnerable.  Other roaming providers generally use VPNs to connect disparate systems, and are also not vulnerable.</t>
          <t>802.1X / WPA enterprise systems have an additional layer of protection, due to the use of the master session keys (MSK) which are derived from the EAP authentication method.  These keys are normally carried in an Access-Accept, in the MS-MPPE-Recv-Key and MS-MPPE-Send-Key attributes, and are used to secure the link between the NAS and the supplicant.  The contents of the attributes are obfuscated via the same method used for Tunnel-Password, and are not visible to an "on-path" attacker.</t>
          <t>While an attacker could perhaps force an Access-Accept in some situations where EAP is used, or strip the Message-Authenticator from packets, it is not currently possible for an attacker to see, modify, or create the correct MSK for the EAP session.  As a result, when 802.1X / WPA enterprise is used, even a successful attack on the Access-Accept packet would likely not result in the attacker obtaining network access.</t>
        </section>
      </section>
      <section anchor="implementations-with-incorrect-mitigations">
        <name>Implementations with Incorrect Mitigations</name>
        <t>This section summarizes the various implementation issues, and the recommended fixes to them.  While this section does not contain normative text, it refers to normative requirements in <xref target="I-D.ietf-radext-deprecating-radius"/>.  This summary is necessary because multiple implementations failed to follow the normative requirements of that document. Instead, those systems either implemented behavior which was forbidden by the normative text, or else failed to implement behavior which was mandated by the normative text.</t>
        <t>It is therefore necessary to reiterate to the reader that the normative text in <xref target="I-D.ietf-radext-deprecating-radius"/> is, in fact, normative, and that the mandates of the normative text need to be respected.  The reader should understand that any non-normative text in this specification does not over-ride the clear mandates of the normative text in <xref target="I-D.ietf-radext-deprecating-radius"/>.</t>
        <t>The following list outlines the problems seen, in no particular order.</t>
        <ul spacing="normal">
          <li>
            <t>Some implementations discard packets which contain
Message-Authenticator.</t>
          </li>
          <li>
            <t>Some implementations discard responses where the
Message-Authenticator is not first, in violation of <xref section="5" sectionFormat="comma" target="RFC2865"/>.  It should be reiterated that the requirement in
<xref target="I-D.ietf-radext-deprecating-radius"/> "Server Responses" to place
Message-Authenticator first is a requirement on the server, and is
not a requirement on the client.</t>
          </li>
        </ul>
        <section anchor="discarding-packets-with-message-authenticator-is-wrong">
          <name>Discarding Packets with Message-Authenticator is Wrong</name>
          <t>Nearly all clients which do not validate Message-Authenticator are known to accept responses which contain it, due to the provisions of <xref section="5" sectionFormat="comma" target="RFC2866"/>:</t>
          <ul empty="true">
            <li>
              <t>A RADIUS client MAY ignore Attributes with an unknown Type.</t>
            </li>
          </ul>
          <t>These RADIUS clients are compatible with the protocol change outlined in this document.   We note also that Message-Authenticator has been defined for almost twenty-five (25) years, since <xref target="RFC2869"/>, so there are few reasons for equipment to not support it.</t>
          <t>Since the publication of the original BlastRADIUS notification, it has become known that some implementations do not behave as expected.  That is, instead of ignoring an unexpected Message-Authenticator attribute, they discard all responses with contain Message-Authenticator.  That behavior is entirely unreasonable, and is not required by any standard.</t>
          <t>The unfortunate reality is that the only way that RADIUS servers could be compatible with such systems is for them to never send Message-Authenticator in responses.  However, doing so would open up significantly more systems to the BlastRADIUS attack.  As such, there is no attempt made to be compatible with implementations that fail to implement RADIUS correctly.</t>
          <t>The only way to secure those systems is to upgrade them.  Failing that, the administrators of those systems will need to accept the fact that their systems are vulnerable.</t>
          <t>The solution adopted by <xref target="I-D.ietf-radext-deprecating-radius"/> is to declare that clients or servers which discard packets containing Message-Authenticator are not compliant with the RADIUS specifications.  It is not acceptable to decrease the security of the RADIUS protocol in order to be compatible with insecure and non-compliant implementations.  That specification attempts to prevent such issues from happening in the future, by mandating behavior for unknown attributes in <xref target="I-D.ietf-radext-deprecating-radius"/> "Unknown Attributes".  There is no reason for an implementation to discard response a packet simply because it does not recognize an attribute in the packet.</t>
        </section>
        <section anchor="checking-the-location-of-message-authenticator-is-wrong">
          <name>Checking the location of Message-Authenticator is Wrong</name>
          <t>Nothing in any previous RADIUS specification requires attributes to be placed in any particular location in a packet.  Nothing in any previous RADIUS specification requires implementations to discard packets which contain unrecognized attributes.</t>
          <t>Further, the construction of Message-Authenticator allows for a RADIUS implementation to authenticate packets (other than Access-Request), even if the Message-Authenticator is not validated.</t>
          <t>This issue is addressed in <xref section="TBD" sectionFormat="comma" target="I-D.ietf-radext-deprecating-radius"/>, which clarifies and extends the requirements on attribute ordering and location.  <xref section="TBD" sectionFormat="comma" target="I-D.ietf-radext-deprecating-radius"/> also clarifies and extends the requirements on receiving unknown attributes.</t>
        </section>
      </section>
      <section anchor="less-effective-mitigations">
        <name>Less Effective Mitigations</name>
        <t>There was substantial discussion around the design and effectiveness of the mitigations defined in <xref target="I-D.ietf-radext-deprecating-radius"/>.  This section outlines some obvious mitigations which were considered and rejected.  As protocol design is subject to a complex series of trade-offs, it is useful to explain what those alternative mitigations are, and why they were rejected.</t>
        <t>An alternative configuration flag with a similar effect to the “limit Proxy-State” flag could be one called “this client is a NAS, and will never send Proxy-State”.  The intention for such a flag would be to clearly separate RADIUS proxies (which always send Proxy-State), from NASes (which will never send Proxy-State).  When the flag is set for a client, the server could then discard Access-Request packets which contain Proxy-State.  Alternatively, the server could also discard Proxy-State from all responses sent to that client.</t>
        <t>Such a flag, however, depends on network topology, and fails to correct the underlying lack of packet authenticity and integrity.  The flag may also work for one NAS, but it is likely to be incorrect if the NAS is replaced by a proxy.  Where there are multiple different pieces of NAS equipment behind a NAT gateway, the flag is also likely to be correct for some packets, and incorrect for others.</t>
        <t>Using configuration flags which control the desired outcome is preferable to using flags which depend on network topology that is outside of the control of clients and servers.</t>
      </section>
      <section anchor="non-mitigations">
        <name>Non-Mitigations</name>
        <t>It may be tempting to come up with other "ad hoc" solutions to this vulnerability which are simpler than the ones outlined in <xref target="I-D.ietf-radext-deprecating-radius"/>.  Such solutions are likely to either break existing RADIUS deployments, or else they will not protect systems from the attack.  The mitigations described in <xref target="I-D.ietf-radext-deprecating-radius"/> not only prevent the attack, they do so without negatively affecting normal RADIUS operation.  There is therefore no reason to use any other methods.</t>
        <t>Other attempted mitigation factors are discussed in the BlastRADIUS document (<xref target="BLAST"/>).  For example, <xref target="BLAST"/> Section 7.4 explains why decreasing timeouts simply increases the cost of the attack without preventing it.  Decreasing timeouts also can negatively affect normal RADIUS traffic.</t>
        <t><xref target="BLAST"/> Section 7.7 explains why clients validating Proxy-State, or looking for unexpected Proxy-State does not protect them from the attack.  The attacker can just change the form of the attack, and bypass those checks.</t>
        <t>There is therefore no reason to implement “ad hoc” solutions when a solution exists which has passed reviews by both the BlastRADIUS cryptographers, and by the relevant RADIUS experts.  There is every reason to believe that cryptographic operations designed by experts and subject to rigorous peer review are better than random guesses made by programmers who lack the relevant cryptographic and RADIUS experience.</t>
        <section anchor="switch-to-other-protocols-is-not-appropriate">
          <name>Switch to Other Protocols is Not Appropriate</name>
          <t>Switching away from RADIUS to another protocol will not protect from the attack, as there is no other protocol which can replace RADIUS.  No other protocol is supported by medium to low-end networking devices for end-user authentication, authorization, and accounting.  Outside of situations where Diameter is used, the choice for nearly every use-case which controls network access is limited to one protocol: RADIUS.</t>
          <t>Despite this reality, some "security" sites have recommended "securing" the network by switching to "alternative" protocols.  Such recommendations are incorrect and inappropriate.</t>
          <t>Diameter <xref target="RFC6733"/> is the closest protocol in functionality to RADIUS, but the Diameter use-case is applicable to large-scale telecommunications and internet service providers (ISPs).  Support for Diameter is rarely present in equipment which is available to consumers or enterprises.  As such, replacing RADIUS with Diameter is not an option.</t>
          <t>Other proposals for protocols to replace RADIUS are even less effective.  TACACS+ <xref target="RFC8907"/> has some overlap with RADIUS for administrator login to network devices, but it cannot be used outside of that limited scope.  TACACS+ does not support 802.1X, end-user authentication, or end-user accounting.  It is therefore impossible for an ISP or enterprise to replace RADIUS with TACACS+.</t>
          <t>Kerberos <xref target="RFC4120"/> is also not a option.  It is most generally used to authenticate applications, when the underlying system already has network access.  Kerberos also does not support 802.1X, and does not support accounting.</t>
          <t>The situation is much the same with any proposal to replace RADIUS with IPsec.  While IPsec does authenticates devices prior to bringing up the VPN, those devices must already have network access.  IPsec also requires that the end-user traffic be transported over the IPsec connection, where RADIUS does not transport any end-user traffic.</t>
          <t>In conclusion, recommendations to use alternate protocols are, at best, misguided.  We do not recommend following any "security" advice which is based on a fundamental misunderstanding of networking protocols.</t>
        </section>
        <section anchor="intrusion-detection-rules">
          <name>Intrusion Detection Rules</name>
          <t>Intrusion detection systems can be updated to detect and/or warn about the BlastRADIUS attack with the following rules.  In the interests of brevity and generality, the rules are written as plain text.</t>
          <ol spacing="normal" type="1"><li>
              <t>Access-Request does not contain a Message-Authenticator attribute.  </t>
              <t>
Action: Warn the administrator that the system is vulnerable, and should be upgraded.</t>
            </li>
            <li>
              <t>Access-Accept, Access-Reject, or Access-Challenge does not contain a Message-Authenticator attribute.  </t>
              <t>
Action: Warn the administrator that the system is vulnerable, and should be upgraded.</t>
            </li>
            <li>
              <t>Access-Accept, Access-Reject, or Access-Challenge contains a Message-Authenticator attribute, but it is not the first attribute in the packet.  </t>
              <t>
Action: Warn the administrator that the system may be vulnerable, and should be upgraded.</t>
            </li>
            <li>
              <t>Access-Request packet received by a RADIUS server contains Proxy-State, when the RADIUS client is a NAS.  </t>
              <t>
Action: Alert that an attack is likely taking place.  </t>
              <t>
Note that the check should be for packets received by the RADIUS server, and not for packets sent by the NAS.  The attack involves packets being modified after they are sent by the NAS, and before they are received by the RADIUS server.</t>
            </li>
            <li>
              <t>Access-Accept, Access-Reject, or Access-Challenge sent by a RADIUS server contain Proxy-State, when the RADIUS client is a NAS.  </t>
              <t>
Action: Alert that an attack is likely taking place.  </t>
              <t>
Note that the check should be for packets sent by the RADIUS server, and not for packets received by the NAS.  The attacker can modify packets to "hide" Proxy-State in another attribute, such as Vendor-Specific.</t>
            </li>
            <li>
              <t>Any RADIUS traffic is sent over UDP or TCP transport, without IPsec or TLS.  </t>
              <t>
Action: Warn that the system uses deprecated transport protocols, and should be upgraded.</t>
            </li>
            <li>
              <t>Any RADIUS traffic is sent external to the organization over UDP or TCP transport, without IPsec or TLS.  </t>
              <t>
Action: Warn that this is an insecure configuration, and can expose users private data, identities, passwords, locations, etc. to unknown attackers.</t>
            </li>
          </ol>
          <t>These rules should assist administrators with ongoing security and monitoring.</t>
        </section>
      </section>
      <section anchor="summary">
        <name>Summary</name>
        <t>The RADIUS protocol as defined in <xref target="RFC2865"/> is vulnerable to an attack due to Access-Request packets being entirely unauthenticated.  This issue has been known and ignored for decades.  It was first raised as a vulnerability in 1998 <xref target="DATTACK"/>, and a fix was rejected in <xref target="RFC2869"/>.  A practicl fix was suggested in 2007 in <xref section="2.2.2" sectionFormat="comma" target="RFC5080"/>, but it took until <xref target="I-D.ietf-radext-deprecating-radius"/> before a fix was mandated,  That mandate only occurred because an exploit was demonstrated in 2024, in <xref target="BLAST"/>.</t>
      </section>
    </section>
    <section anchor="other-radius-problems">
      <name>Other RADIUS Problems</name>
      <t>Independent of the above security and privacy issues, there are a large number of other problems with the RADIUS protocol, and with the historic practices around the use of RADIUS.  This section discusses those problems.</t>
      <section anchor="authentication-methods">
        <name>Authentication Methods</name>
        <t>There are a number of problems with authentication methods that are transported in RADIUS attributes.  Even independent of security issues with a particular authentication method, the choice of authentication method can in fact decrease security, as noted below in <xref target="password-security"/>.</t>
        <section anchor="ms-chap">
          <name>Attacks on MS-CHAP</name>
          <t>MS-CHAP (v1 in <xref target="RFC2433"/> and v2 in <xref target="RFC2759"/>) have major design flaws, and are not suitable for use outside of a secure tunnel such as PEAP, TEAP, or TTLS.  As MS-CHAPv1 is less commonly used, the discussion in this section will focus on MS-CHAPv2, but the same analysis applies to MS-CHAPv1.</t>
          <t>MS-CHAP has been broken since 2004, as seen in <xref target="ASLEAP"/>.  While the attack there mentions LEAP, the same attack applies to MS-CHAP.  This information was apparently insufficiently clear in the <xref target="ASLEAP"/> attack, as and no previous sp=ecification has deprecated MS-CHAP.  As a result, most implementations still support it.</t>
          <t>The attack relies on a vulnerability in the protocol design in <xref section="8.4" sectionFormat="comma" target="RFC2759"/>.  In that section, the response to the MS-CHAP challenge is calculated via three DES operations, which are based on the 16-octet NT-Hash form of the password.  However, the DES operation requires 7 octet keys, so the 16-octet NT-Hash cannot be divided evenly into the 21 octets of keys required for the DES operation.</t>
          <t>The solution in <xref target="RFC2759"/> Section 8.4 was to use the first 7 octets of the NT-Hash for the first DES key, the next 7 octets for the second DES key, leaving only 2 octets for the final DES key.  The final DES key is padded with zeros.  This construction means that an attacker who can observe the MS-CHAP2 exchange only needs to perform 2^16 DES operations in order to determine the final 2 octets of the original NT-Hash.</t>
          <t>If the attacker has a database which correlates known passwords to NT-Hashes, then those two octets can be used to returns a small subset (1/65536) of candidate hashes.  Those hashes are then checked via brute-force operations to see if they match the original MS-CHAPv2 data.  Limiting the number of candidate hashes allows the attacker to use greatly increase the size of precalculated hashes, with minimal additional cost.</t>
          <t>This process lowers the complexity of cracking MS-CHAP by nearly five orders of magnitude as compared to a brute-force attack.  The attack has been demonstrated using databases which contain hundreds of millions of passwords.  On a consumer-grade machine, the time required for such an attack to succeed is on the order of tens of milliseconds.</t>
          <t>While this attack requires a database of known passwords, such databases are easy to find online, or to create locally from generator functions.  Passwords created manually by people are notoriously predictable, and are highly likely to be found in a database of known passwords.  In the extreme case of strong passwords, they will not be found in the database, and the attacker is still required to perform a brute-force dictionary search.</t>
          <t>The result is that MS-CHAP has significantly lower security than PAP.  When the MS-CHAP data is not protected by TLS, it is visible to everyone who can observe the RADIUS traffic.  Attackers who can see the MS-CHAP data can therefore obtain the underlying NT-Hash with essentially zero effort as compared to cracking the RADIUS shared secret.  This attack means that from a cryptographic perspective, using MS-CHAP is essentially the same as sending passwords in clear-text.</t>
        </section>
        <section anchor="chap-password">
          <name>CHAP-Password</name>
          <t>This section describes a viable attack on CHAP, which does not appear to have been published before.</t>
          <t>The contents of CHAP-Password are calculated using MD5 to hash an identifier, a password, and a challenge.  From <xref target="RFC1994"/>:</t>
          <ul empty="true">
            <li>
              <t>The Response Value is the one-way hash calculated over a stream of
octets consisting of the Identifier, followed by (concatenated
with) the "secret", followed by (concatenated with) the Challenge
Value.</t>
            </li>
          </ul>
          <t>That is, the CHAP-Password contents are MD5(ID + password + challenge).  While this construction is different from the one used to sign the Authenticator fields, attacks on CHAP-Password have substantially the same cost as for cracking the RADIUS shared secret (<xref target="cracking"/>).</t>
          <t>That is, checking all 8 character passwords from a 93 character set is possible for a hobbyist in about day.</t>
          <t>The attack is made easier by the human practice of creating insecure passwords.  An attacker can create dictionaries of hashes of potential passwords.  For CHAP-Password, this also means a 256 times increase in dictionary size, due to the need to calculate the prefix of MD5(ID + password).  However, that calculation can be done once, and the results then stored on disk.  The only ongoing cost is the need for more disk space.</t>
          <t>Once the attacker sees a CHAP-Password, the ID field is used to select one of 256 dictionaries, and then every password hash in that dictionary extended with the challenge, and checked against the contents of CHAP-Password.  As these pre-calculated dictionaries generally contain hundreds of millions or low billions of passwords, that number bounds the total number of hashes which need to be checked.</t>
          <t>As noted above in <xref target="cracking"/>, a high-end retail GPU is capable of performing more than 64 billion hashes per second.  Which means that most CHAP-Password attributes can be turned into the equivalent clear-text passwords in sub-second time.  The main gating factor in this attack is the time taken to stream billions of candidate hashes from disk to the GPU.</t>
          <t>This attack means that from a cryptographic perspective, using CHAP-Password is essentially the same as sending passwords in clear-text.</t>
        </section>
        <section anchor="user-password">
          <name>User-Password</name>
          <t>While the obfuscation method used for the User-Password attribute has not been shown to be insecure, it has not been proven to be secure.  The obfuscation method depends on calculating MD5(secret + Request Authenticator), which has a few helpful properties for an attacker.  The cost of brute-forcing short secrets is not large, <xref target="cracking"/> discusses that cost in detail.  Even for longer secrets which are humanly generated, the MD5 state for hashing the secret can be pre-calculated and stored on disk.  This process is relatively inexpensive, even for billions of possible shared secrets.  The Request Authenticator can then be added to each pre-calculated state via brute-force, and compared to the obfuscated User-Password data.</t>
          <t>The MD5 digest is 16 octets long, and many passwords are shorter than that.  This difference means that the final octets of the digest are placed into the User-Password attribute without modification.  The result is that a brute-force attack does not need to decode the User-Password and see if the decoded password "looks reasonable".  Instead, the attacker simply needs to compare the final octets of the calculated digest with the final octets of the User-Password attribute.  The result is a signal which indicates with high probability that the guessed secret is correct.</t>
          <t>The only protection from this particular attack is to ensure that the secret is long, and is derived from a cryptographically strong pseudo-random number generator.  To put it more clearly, if the RADIUS packet is secure due to the use of a strong shared secret, then the User-Password attribute is also secure.</t>
        </section>
        <section anchor="eap">
          <name>EAP</name>
          <t>There are too many EAP methods for them to be discussed here in any detail.  Instead, we can make a few simple observations:</t>
          <ul spacing="normal">
            <li>
              <t>EAP-MD5 is essentially the same as CHAP-Password, and shares the same security analysis.  EAP-MD5 is not suitable for use outside of a secure tunnel such as PEAP, TEAP, or TTLS.</t>
            </li>
            <li>
              <t>EAP-MSCHAPv2 (any variant) is essentially the same as MS-CHAP, and shares the same security analysis.  EAP-MSCHAPv2  is not suitable for use outside of a secure tunnel such as PEAP, TEAP, or TTLS.</t>
            </li>
            <li>
              <t>TLS-based EAP methods (e.g. TTLS, PEAP, etc.) benefit from the security of TLS, and are therefore secure.</t>
            </li>
            <li>
              <t>Other EAP methods are not discussed here.</t>
            </li>
          </ul>
        </section>
        <section anchor="summary-1">
          <name>Summary</name>
          <t>There are no known security issues with User-Password, or with many EAP methods. In contrast, MS-CHAP and CHAP-Password are insecure, and can only be used safely within a TLS tunnel.</t>
          <t>While the "on the wire" encoding of User-Password is secure, the passwords still have to be stored somewhere, typically in a database.  The next section explains how the interaction between authentication methods and password storage methods can increase, or decrease, security of the system as a whole.</t>
        </section>
      </section>
      <section anchor="password-security">
        <name>Password Visibility and Storage</name>
        <t>An attacker can ignore the wire protocol entirely, and bypass all of the issues described earlier in this document.  One such attack is to focus on the database that holds user credentials such as account names and passwords.  At the time of this writing, databases such as <xref target="PWNED"/> claim to have records of over twelve billion user accounts which have been compromised.  User databases are therefore highly sought-after targets.</t>
        <t>The attack discussed in this section is dependent on vulnerabilities with the credential database, and does not assume an attacker can see or modify RADIUS traffic.  As a result, issues raised here apply equally well when TTLS, PEAP, or RADIUS/TLS are used.  The success of the attack depends only on how the credentials are stored in the database.  Since the choice of authentication method affects the way credentials are stored in the database, the security of that dependency needs to be discussed and explained.</t>
        <t>Some organizations may desire to increase the security of their network by avoiding PAP, and using CHAP or MS-CHAP, instead.  These attempts are misguided.  If simple password-based methods must be used, in almost all situations, the security of the network as a whole is increased by using PAP in preference to CHAP or MS-CHAP.  The reason is found through a straightforward risk analysis, which we explain in more detail below.</t>
        <section anchor="pap-security">
          <name>PAP Security Analysis</name>
          <t>When PAP is used, the User-Password is obfuscated "on the wire", but the RADIUS server sees a clear-text password from the user.  The server then compares that password to credentials which have been stored in a user database, and either accepts or rejects the user.</t>
          <t>In many cases, the credentials stored in the database can be salted and/or hashed in a form which is commonly referred to as being in "crypt"ed form.  The RADIUS server can take the users clear-text password, performs the same "crypt" transformation, and then compares the two "crypt"ed passwords.</t>
          <t>Any compromise of the RADIUS server can result in the compromise of clear-text passwords for users.  However, in most cases, the clear-text password is available only in the memory of the RADIUS server application (i.e. not "on the wire"), and then only for a short period of time.  An attacker who desires to obtain passwords for all users would have to wait for all users to log in, which can take a substantial amount of time.  During that time, an administrator may discover the breach, and resolve the issue.</t>
          <t>When PAP is used, the credentials in the database are stored securely "at rest", presuming that the administrator only stores "crypt"ed credentials.  Any compromise of the database results in the disclosure of minimal information to the attacker.  That is, an attacker cannot easily obtain the clear-text passwords from the compromised database.</t>
          <t>The result is that the user passwords are visible in clear-text only for a short time, and then only on the RADIUS server.  The security of this system is not as good as seen with EAP-pwd <xref target="RFC5931"/> for example, but it is not terrible.</t>
          <t>Storing passwords securely "at rest" is significantly more secure than storing clear-text passwords in a database, even when PAP authentication is used in RADIUS.</t>
        </section>
        <section anchor="chap-and-ms-chap-password-storage">
          <name>CHAP and MS-CHAP Password Storage</name>
          <t>In contrast with PAP, when CHAP or MS-CHAP is used, those methods do not expose a clear-text password to the RADIUS server, but instead a hashed transformation of it.  The design goal of those methods was to make the hash output secure even if an attacker can observe it.  However, as noted above, those methods have been shown to be insecure.</t>
          <t>For the purposes of this section, we will ignore the previous attacks, and instead focus on the implications of using these hashing methods.</t>
          <t>The hash transformations for CHAP and MS-CHAP depend on a random challenge.  The intent was to increase security, but their construction makes strong requirements on the form in which user credentials are stored.</t>
          <t>The process for performing CHAP and MS-CHAP is inverted from the process for PAP.  Using similar terminology as above for illustrative purposes, the "hash"ed passwords are carried in the CHAP method, and are sent to the server.  The server must obtain the clear-text (or NT hashed) password from the database, and then perform the "hash" operation on the password from the database. The two "hash"ed passwords are then compared as was done with PAP.  This inverted process decreases system security substantially.</t>
          <t>Critically, when CHAP or MS-CHAP are used, all credentials must be stored as clear-text (or clear-text equivalent) in the database, all of the time.  Even if the database contents are encrypted, the decryption keys are necessarily accessible to the application which reads that database.  Any compromise of the application means that the entire database can be immediately read and exfiltrated as a whole.  The attacker then has complete access to all user identities, and all associated clear-text passwords.</t>
          <t>It should go without saying that having an attacker obtain all clear-text passwords is more of an issue than having the same attacker obtain passwords in a "crypt"ed form.  Similarly, it is more secure for a RADIUS server to have limited clear-text passwords (i.e. some of the time), rather than having unlimited access to all of the clear-text passwords, all of the time.</t>
        </section>
        <section anchor="on-the-wire-user-password-versus-chap-password">
          <name>On-the-wire User-Password versus CHAP-Password</name>
          <t>There is one more security myth which should be put to rest about PAP versus CHAP.  There is a common belief that CHAP is more secure, because passwords are sent "in the clear" via the User-Password attribute.  This belief is false.</t>
          <t>The User-Password attribute is obfuscated when it is sent in an Access-Request packet, using keyed MD5 and the shared secret, as defined in <xref section="5.2" sectionFormat="comma" target="RFC2865"/>.  At the time of this writing, no attack better than brute force has been found which allows an attacker to reverse this obfuscation.</t>
          <t>There have been claims that it is preferable to use CHAP-Password as it does not "send the password in clear-text".  This preference is based on a misunderstanding of how CHAP-Password and User-Password attributes are calculated.</t>
          <t>The CHAP-Password attribute depends on the hash of a visible Request Authenticator (or CHAP-Challenge) and the users password.  The obfuscated User-Password depends on the same Request Authenticator, and on the RADIUS shared secret.  For an attacker, the difference between the two calculations is minimal.  Presuming that the user password has similar complexity to the shared secret, they can both be attacked with similar amounts of effort.   As a result, any security analysis which makes the claim that "User-Password insecure because it uses MD5" ignores the fact that the CHAP-Password attribute is constructed through substantially the same method.</t>
          <t>The difference in security between the two methods is due instead to the practice of people creating their own insecure password, versus a RADIUS administrator creating a strong shared secret.  The CHAP-Password contents depends only on the strength of the users chosen password.  The User-Password contents instead depends on both the RADIUS shared secret, and on the users password.  As such, even though their constructs are roughly similar, in practice User-Password is significantly more secure than CHAP-Password.</t>
          <t>An attacker who can crack one users password can gain network access as that user, or even administrator access to network devices.  In contrast, an attacker who can crack the shared secret can gain network access as any user, and perform any authorization.  The result is that it is more valuable to crack shared secrets, even if the underlying attacks are similar.</t>
        </section>
        <section anchor="pap-vs-chap">
          <name>PAP vs CHAP Conclusions</name>
          <t>A careful security analysis shows that for all of PAP, CHAP, and MS-CHAP, the RADIUS server must at some point have access to the clear-text version of the password.  As a result, there is minimal difference in risk exposure between the different authentication methods if a RADIUS server is compromised.</t>
          <t>However, when PAP is used, the user credentials can be stored securely "at rest" in a database, while this secure storage is impossible with CHAP and MS-CHAP.  There is therefore a substantial difference in risk exposure between the different authentication methods, with PAP offering substantially higher security due to its ability to secure passwords at rest via the "crypt" construct mentioned above.</t>
          <t>In contrast, CHAP or MS-CHAP are highly insecure, as any database compromise results in the immediate exposure of the clear-text passwords for all users.  The security of those methods are best described as near zero, independent of any database compromise.  The construction of MS-CHAP makes it easier to crack than CHAP-Password, which makes MS-CHAP the worst of all possible choices.</t>
          <t>This security difference is shown not just in the <xref target="PWNED"/> database, but also in attacks on RADIUS systems <xref target="EXPLOIT"/>, where attackers identified a vulnerable RADIUS system, and then:</t>
          <ul empty="true">
            <li>
              <t>utilized SQL commands to dump the credentials [T1555], which contained both clear-text and hashed passwords for user and administrative accounts.</t>
            </li>
          </ul>
          <t>The attack proceeded to leverage those passwords to gain more permissions:</t>
          <ul empty="true">
            <li>
              <t>Having gained credentials from the RADIUS server, PRC state-sponsored cyber actors used those credentials with custom automated scripts to authenticate to a router via Secure Shell (SSH), execute router commands, and save the output.</t>
            </li>
          </ul>
          <t>This attack is only possible when systems store clear-text passwords.</t>
          <t>The result is that when the system as a whole is taken into account, the risk of password compromise is substantially less with PAP than with CHAP or MS-CHAP.  Administrators should therefore prefer PAP over CHAP or MS-CHAP.  Administrators should also store passwords "at rest" in a secure form (salted, hashed), as with the "crypt" format discussed above.</t>
          <t>That being said, other authentication methods such as EAP-TLS <xref target="RFC9190"/> and EAP-pwd <xref target="RFC5931"/> do not expose clear-text passwords to the RADIUS server or to any intermediate proxy.  Those methods therefore lower the risk of password exposure even more than using PAP.</t>
          <t>The conclusion is that administrators should avoid password-based authentication methods where at all possible.  If passwords ahve to be used, wrap them in TLS (e.g. TTLS or PEAP).  Where TLS cannot be used, prefer User-Password to CHAP-Password or MS-CHAP.</t>
        </section>
        <section anchor="the-weakest-link">
          <name>The Weakest Link</name>
          <t>RADIUS security is done on a “hop by hop” basis, which means that an attacker can take advantage of the weakest link in a proxy chain in order to attack other systems which have fully implemented the above mitigations.  If the packets are passed through one or more proxies, then any one vulnerable proxy will still allow the attack to take place.</t>
          <t>If proxies are used, then the weakest link in the proxy chain limits the security of the entire chain. That is, it does not matter if one hop implements RadSec, if another hop implements RADIUS/UDP without sending or requiring Message-Authenticator.</t>
          <t>Even worse, proxies have full control over packet contents.  A malicious proxy can change a reject into an accept, and can add or delete any authorization attributes it desires.  While proxies are generally part of a trusted network, there is every benefit in limiting the number of participants in the RADIUS conversation.</t>
          <t>Proxy chains SHOULD therefore be avoided where possible, and <xref target="RFC7585"/> dynamic discovery should be used where possible.  RADIUS clients and servers SHOULD also be configured with static IP addresses, and with static routes.  This static configuration also protects the systems from DHCP related attacks where an attacker spoofs DHCP to cause clients or servers to route packets through the a system of the attackers choice.</t>
        </section>
      </section>
      <section anchor="proxy-state">
        <name>Note on Proxy-State</name>
        <t>As the BlastRADIUS paper points out in Appendix A:</t>
        <ul empty="true">
          <li>
            <t>The presence of this attribute makes the protocol vulnerability much simpler to exploit than it would have been otherwise.</t>
          </li>
        </ul>
        <t>To see why Proxy-State has this particular design, we go back to the original discussion in May 1995 <xref target="MAY-1995"/></t>
        <ul empty="true">
          <li>
            <t>The RADIUS proxy may place any state information (subject to the length
limitations of a RADIUS attribute) that it will need to transform a
reply from its server into a reply to its client.  This is typically
the original authenticator, identifier, IP address and UDP port number
of the proxy's RADIUS client.</t>
          </li>
        </ul>
        <t>There appear to be few, if any, RADIUS servers which implemented this suggestion.  In part because later discussions note:</t>
        <ul empty="true">
          <li>
            <t>This works only if the NAS is
prepared to accept replies from a proxy server for a request issued to
a different server.</t>
          </li>
        </ul>
        <t>This stateless proxy design has a number of additional issues, most notably violating the <xref target="RFC3539"/> "end-to-end" principle.  It therefore negatively impacts the stability of a RADIUS proxy system.</t>
        <t>This definition for Proxy-State later changed in <xref section="5.33" sectionFormat="comma" target="RFC2865"/> to</t>
        <ul empty="true">
          <li>
            <t>Usage of the Proxy-State Attribute is implementation dependent.  A
description of its function is outside the scope of this
specification.</t>
          </li>
        </ul>
        <t>In practice, the utility of Proxy-State is limited to detecting proxy loops.  Proxies can count the number of Proxy-State attributes in received packets, and if the total is more than some number, then a proxy loop is likely.  We offer no advice on what to do if a proxy loop is detected, as RADIUS has no ability to signal protocol-layer errors.</t>
        <t>It is likely that a "hop count" attribute would likely have been simpler to implement.  But even in 1996, it was likely difficult to change the behavior of proxies due to multiple implementations.</t>
      </section>
    </section>
    <section anchor="other-protocol-failures">
      <name>Other Protocol Failures</name>
      <t>There are many other issues with RADIUS which are not directly related to security or privacy, but still have negative affects on security, privacy, and on operation of the protocol.  At of the time of writing, those issues are being collated in <xref target="ISSUES"/>.</t>
      <t>Although the focus of this document is a review of RADIUS security, it is still important to discuss problems with the protocol in general.  For example, there is implicitly a RADIUS state machine which correlates multiple types of packets, but that state machine is not defined anywhere.  There are common practices which are secure but which are operationally expensive.  RADIUS accounting is known to be inaccurate and is often inconsistent, as seen in <xref target="WBA-ACCT"/></t>
      <t>Some of the issues noted in the above Wiki could potentially have security impact.  For example, if a RADIUS server is not implemented correctly, an attacker can perform a resource exhaustion attack on it, and effectively take it offline.  Proxies are subject to Denial of Service attacks even from trusted clients, because those clients originate packets at the request of untrusted and unknown users.  Rate limiting for RADIUS requests is a poorly tested or documented process, and largely relies on mutual trust of administrators.</t>
      <section anchor="accounting-is-imperfect">
        <name>Accounting Is Imperfect</name>
        <t>The use of RADIUS/UDP for accounting means that accounting is inherently unreliable.  Unreliable accounting means that different entities in the network can have different views of accounting traffic.  These differences can have multiple impacts, including incorrect views of who is on the network, to disagreements about financial obligations.  These issues are discussed in substantial detail in <xref target="RFC2975"/>, and we do not repeat those discussions here.  We do, however, summarize a few key issues.  Sites which use accounting SHOULD be aware of the issues raised in <xref target="RFC2975"/>, and the limitations of the suggested solutions.</t>
        <t>Using a reliable transport such as RADIUS/TLS makes it more likely that accounting packets are delivered, and that acknowledgments to those packets are received.  Reducing the number of proxies means that there are fewer disparate systems which need to have their accounting data reconciled.  Using non-volatile storage for accounting packets means that a system can reboot with minimal loss of accounting data.  Using interim accounting updates means that transient network issues or data losses can be corrected by later updates.</t>
        <t>As RADIUS does not provide for end-to-end signaling or transport, using RADIUS/TLS provides for reliable transport only when the client originating the accounting traffic is connected directly to the server which records it.  If there are instead one or more proxies involved, the proxies increase overall unreliability.</t>
        <t>Systems which perform accounting are also subject to significant operational loads.  Wheres authentication and authorization may use multiple packets, those packets are sent at session start, and then never again.  In contrast, accounting packets can be sent for the lifetime of a session, which may be hours or even days.  There is a large cost to receiving, processing, and storing volumes of accounting data.</t>
        <t>However, even with all of the above concerns addressed, accounting is still imperfect.  The obvious way to increase the accuracy of accounting data is to increase the rate at which interim updates are sent, but doing so also increases the load on the servers which process the accounting data.  At some point, the trade-off of cost versus benefit becomes negative.</t>
        <t>There is no perfect solution here.  Instead, there are simply a number of imperfect trade-offs.</t>
        <section anchor="incorrect-accounting-data">
          <name>Incorrect Accounting Data</name>
          <t>Even if all accounting packets were delivered and stored without error, there is no guarantee that the contents of those packets are in any way reasonable.  The Wireless Broadband Alliance RADIUS Accounting Assurance <xref target="WBA"/> group has been investigating these issues.  While the results are not yet public, a presentation on the topic was made at IETF 118 in the RADEXT working group <xref target="WBA-ACCT"/>.</t>
          <t>The data presented indicated that the WBA saw just about every possible counter attribute in RADIUS accounting packets as containing data which was blatantly wrong or contradictory.  One example is extremely short sessions which have impossibly large amounts of data being downloaded.  Other accounting packets allege that large amounts of data were downloaded via octet counters, while at the same time claiming negligible packet counters, leading to absurdly large packet sizes.</t>
          <t>The only conclusion from this analysis is that some RADIUS clients act as if it is better to produce incorrect accounting data rather than to produce no data at all.  This failure to follow reasonable practices is expensive for network operators.  In effect, vendors have offset their costs to produce quality data onto their customers, who have to take difficult and uncertain steps in order to sanitize or verify the confusing data which vendors provide in accounting packets.</t>
          <t>It should go without saying that accounting systems need to produce correct data.</t>
        </section>
      </section>
    </section>
    <section anchor="privacy-considerations">
      <name>Privacy Considerations</name>
      <t>The primary focus of this document is documenting historic privacy and security considerations for RADIUS.</t>
      <t>The use of insecure transport protocols for RADIUS means that personally identifying information is sent "in the clear".  As noted earlier in this document, such information can include MAC addresses, user identifiers, and user locations.</t>
      <t>In addition, this document suggests ways to increase privacy by minimizing the use and exchange of PII.</t>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <t>The primary focus of this document is documenting historic privacy and security considerations for RADIUS.</t>
      <t>The BlastRADIUS vulnerability is the result of RADIUS security being a low priority for decades.  Even the recommendation of <xref section="2.2.2" sectionFormat="comma" target="RFC5080"/> that all clients add Message-Authenticator to all Access-Request packets was ignored by nearly all implementers.  If that recommendation had been followed, then the BlastRADIUS vulnerability notification would have been little more than "please remember to set the require Message-Authenticator flag on all RADIUS servers."</t>
      <t>Similarly, the MS-CHAP, was not officially deprecated, even though it has been proven to be insecure for decades.  This continued use of MS-CHAP has likely resulted in the leaking of many the clear-text passwords for many users.</t>
    </section>
    <section anchor="acknowledgements">
      <name>Acknowledgements</name>
      <t>Thanks to the many reviewers and commenters for raising topics to discuss, and for providing insight into the issues related to increasing the security of RADIUS.  In no particular order, thanks to Margaret Cullen, Alexander Clouter, and Josh Howlett.</t>
      <t>Many thanks to Nadia Heninger and the rest of the BlastRADIUS team, along with Heikki Vatiainen, for extensive discussions and feedback about that issue.</t>
      <t>The author is deeply indebted to the late Bernard Aboba for decades of advice and guidance.</t>
    </section>
    <section anchor="changelog">
      <name>Changelog</name>
      <ul spacing="normal">
        <li>
          <t>00 - copy from draft-ietf-radext-deprecating-radius, and edit to contain only historical review contents.</t>
        </li>
        <li>
          <t>01 - word smithing and updated analysis of CHAP-Password.</t>
        </li>
      </ul>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="BCP14">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
        <reference anchor="RFC2865">
          <front>
            <title>Remote Authentication Dial In User Service (RADIUS)</title>
            <author fullname="C. Rigney" initials="C." surname="Rigney"/>
            <author fullname="S. Willens" initials="S." surname="Willens"/>
            <author fullname="A. Rubens" initials="A." surname="Rubens"/>
            <author fullname="W. Simpson" initials="W." surname="Simpson"/>
            <date month="June" year="2000"/>
            <abstract>
              <t>This document describes a protocol for carrying authentication, authorization, and configuration information between a Network Access Server which desires to authenticate its links and a shared Authentication Server. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="2865"/>
          <seriesInfo name="DOI" value="10.17487/RFC2865"/>
        </reference>
        <reference anchor="RFC6421">
          <front>
            <title>Crypto-Agility Requirements for Remote Authentication Dial-In User Service (RADIUS)</title>
            <author fullname="D. Nelson" initials="D." role="editor" surname="Nelson"/>
            <date month="November" year="2011"/>
            <abstract>
              <t>This memo describes the requirements for a crypto-agility solution for Remote Authentication Dial-In User Service (RADIUS). This document is not an Internet Standards Track specification; it is published for informational purposes.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6421"/>
          <seriesInfo name="DOI" value="10.17487/RFC6421"/>
        </reference>
        <reference anchor="I-D.ietf-radext-radiusdtls-bis">
          <front>
            <title>RadSec: RADIUS over Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)</title>
            <author fullname="Jan-Frederik Rieckers" initials="J." surname="Rieckers">
              <organization>Deutsches Forschungsnetz | German National Research and Education Network</organization>
            </author>
            <author fullname="Margaret Cullen" initials="M." surname="Cullen">
              <organization>Painless Security</organization>
            </author>
            <author fullname="Stefan Winter" initials="S." surname="Winter">
              <organization>Fondation Restena | Restena Foundation</organization>
            </author>
            <date day="5" month="May" year="2026"/>
            <abstract>
              <t>   This document defines transport profiles for running RADIUS over
   Transport Layer Security (TLS) and Datagram Transport Layer Security
   (DTLS), allowing the secure and reliable transport of RADIUS
   messages.  RADIUS/TLS and RADIUS/DTLS are collectively referred to as
   RadSec.

   This document obsoletes RFC6614 and RFC7360, which specified
   experimental versions of RADIUS over TLS and DTLS.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-radext-radiusdtls-bis-16"/>
        </reference>
        <reference anchor="I-D.ietf-radext-deprecating-radius">
          <front>
            <title>Deprecating Insecure Practices in RADIUS</title>
            <author fullname="Alan DeKok" initials="A." surname="DeKok">
              <organization>InkBridge Networks</organization>
            </author>
            <date day="15" month="March" year="2026"/>
            <abstract>
              <t>   RADIUS crypto-agility was first mandated as future work by RFC 6421.
   The outcome of that work was the publication of RADIUS over TLS (RFC
   6614) and RADIUS over DTLS (RFC 7360) as experimental documents.
   Those transport protocols have been in wide-spread use for many years
   in a wide range of networks, and have recently been standardized in
   [I-D.ietf-radext-radiusdtls-bis].  TLS has proven to be a useful
   replacment for UDP (RFC 2865) and TCP (RFC 6613) transports.  With
   that knowledge, the continued use of insecure transports for RADIUS
   has serious and negative implications for privacy and security.

   The publication of the "BlastRADIUS" exploit has also shown that
   RADIUS security needs to be updated.  It is no longer acceptable for
   RADIUS to rely on MD5 for security.  It is no longer acceptable to
   send device or location information in clear text across the wider
   Internet.  This document therefore deprecates many insecure practices
   in RADIUS, and mandates support for secure TLS-based transport
   layers.  Related security issues with RADIUS are discussed, and
   recommendations are made for practices which increase both security
   and privacy.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-radext-deprecating-radius-09"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="RFC1321">
          <front>
            <title>The MD5 Message-Digest Algorithm</title>
            <author fullname="R. Rivest" initials="R." surname="Rivest"/>
            <date month="April" year="1992"/>
            <abstract>
              <t>This document describes the MD5 message-digest algorithm. The algorithm takes as input a message of arbitrary length and produces as output a 128-bit "fingerprint" or "message digest" of the input. This memo provides information for the Internet community. It does not specify an Internet standard.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="1321"/>
          <seriesInfo name="DOI" value="10.17487/RFC1321"/>
        </reference>
        <reference anchor="RFC2433">
          <front>
            <title>Microsoft PPP CHAP Extensions</title>
            <author fullname="G. Zorn" initials="G." surname="Zorn"/>
            <author fullname="S. Cobb" initials="S." surname="Cobb"/>
            <date month="October" year="1998"/>
            <abstract>
              <t>The Point-to-Point Protocol (PPP) provides a standard method for transporting multi-protocol datagrams over point-to-point links. PPP defines an extensible Link Control Protocol and a family of Network Control Protocols (NCPs) for establishing and configuring different network-layer protocols. This memo provides information for the Internet community.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="2433"/>
          <seriesInfo name="DOI" value="10.17487/RFC2433"/>
        </reference>
        <reference anchor="RFC2759">
          <front>
            <title>Microsoft PPP CHAP Extensions, Version 2</title>
            <author fullname="G. Zorn" initials="G." surname="Zorn"/>
            <date month="January" year="2000"/>
            <abstract>
              <t>This document describes version two of Microsoft's PPP CHAP dialect (MS-CHAP-V2). MS-CHAP-V2 is similar to, but incompatible with, MS-CHAP version one (MS-CHAP-V1). This memo provides information for the Internet community.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="2759"/>
          <seriesInfo name="DOI" value="10.17487/RFC2759"/>
        </reference>
        <reference anchor="RFC2866">
          <front>
            <title>RADIUS Accounting</title>
            <author fullname="C. Rigney" initials="C." surname="Rigney"/>
            <date month="June" year="2000"/>
            <abstract>
              <t>This document describes a protocol for carrying accounting information between a Network Access Server and a shared Accounting Server. This memo provides information for the Internet community.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="2866"/>
          <seriesInfo name="DOI" value="10.17487/RFC2866"/>
        </reference>
        <reference anchor="RFC2868">
          <front>
            <title>RADIUS Attributes for Tunnel Protocol Support</title>
            <author fullname="G. Zorn" initials="G." surname="Zorn"/>
            <author fullname="D. Leifer" initials="D." surname="Leifer"/>
            <author fullname="A. Rubens" initials="A." surname="Rubens"/>
            <author fullname="J. Shriver" initials="J." surname="Shriver"/>
            <author fullname="M. Holdrege" initials="M." surname="Holdrege"/>
            <author fullname="I. Goyret" initials="I." surname="Goyret"/>
            <date month="June" year="2000"/>
            <abstract>
              <t>This document defines a set of RADIUS (Remote Authentication Dial In User Service) attributes designed to support the provision of compulsory tunneling in dial-up networks. This memo provides information for the Internet community.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="2868"/>
          <seriesInfo name="DOI" value="10.17487/RFC2868"/>
        </reference>
        <reference anchor="RFC3579">
          <front>
            <title>RADIUS (Remote Authentication Dial In User Service) Support For Extensible Authentication Protocol (EAP)</title>
            <author fullname="B. Aboba" initials="B." surname="Aboba"/>
            <author fullname="P. Calhoun" initials="P." surname="Calhoun"/>
            <date month="September" year="2003"/>
            <abstract>
              <t>This document defines Remote Authentication Dial In User Service (RADIUS) support for the Extensible Authentication Protocol (EAP), an authentication framework which supports multiple authentication mechanisms. In the proposed scheme, the Network Access Server (NAS) forwards EAP packets to and from the RADIUS server, encapsulated within EAP-Message attributes. This has the advantage of allowing the NAS to support any EAP authentication method, without the need for method- specific code, which resides on the RADIUS server. While EAP was originally developed for use with PPP, it is now also in use with IEEE 802. This memo provides information for the Internet community.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="3579"/>
          <seriesInfo name="DOI" value="10.17487/RFC3579"/>
        </reference>
        <reference anchor="RFC5176">
          <front>
            <title>Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS)</title>
            <author fullname="M. Chiba" initials="M." surname="Chiba"/>
            <author fullname="G. Dommety" initials="G." surname="Dommety"/>
            <author fullname="M. Eklund" initials="M." surname="Eklund"/>
            <author fullname="D. Mitton" initials="D." surname="Mitton"/>
            <author fullname="B. Aboba" initials="B." surname="Aboba"/>
            <date month="January" year="2008"/>
            <abstract>
              <t>This document describes a currently deployed extension to the Remote Authentication Dial In User Service (RADIUS) protocol, allowing dynamic changes to a user session, as implemented by network access server products. This includes support for disconnecting users and changing authorizations applicable to a user session. This memo provides information for the Internet community.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5176"/>
          <seriesInfo name="DOI" value="10.17487/RFC5176"/>
        </reference>
        <reference anchor="RFC5580">
          <front>
            <title>Carrying Location Objects in RADIUS and Diameter</title>
            <author fullname="H. Tschofenig" initials="H." role="editor" surname="Tschofenig"/>
            <author fullname="F. Adrangi" initials="F." surname="Adrangi"/>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <author fullname="A. Lior" initials="A." surname="Lior"/>
            <author fullname="B. Aboba" initials="B." surname="Aboba"/>
            <date month="August" year="2009"/>
            <abstract>
              <t>This document describes procedures for conveying access-network ownership and location information based on civic and geospatial location formats in Remote Authentication Dial-In User Service (RADIUS) and Diameter.</t>
              <t>The distribution of location information is a privacy-sensitive task. Dealing with mechanisms to preserve the user's privacy is important and is addressed in this document. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5580"/>
          <seriesInfo name="DOI" value="10.17487/RFC5580"/>
        </reference>
        <reference anchor="RFC6151">
          <front>
            <title>Updated Security Considerations for the MD5 Message-Digest and the HMAC-MD5 Algorithms</title>
            <author fullname="S. Turner" initials="S." surname="Turner"/>
            <author fullname="L. Chen" initials="L." surname="Chen"/>
            <date month="March" year="2011"/>
            <abstract>
              <t>This document updates the security considerations for the MD5 message digest algorithm. It also updates the security considerations for HMAC-MD5. This document is not an Internet Standards Track specification; it is published for informational purposes.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6151"/>
          <seriesInfo name="DOI" value="10.17487/RFC6151"/>
        </reference>
        <reference anchor="RFC6218">
          <front>
            <title>Cisco Vendor-Specific RADIUS Attributes for the Delivery of Keying Material</title>
            <author fullname="G. Zorn" initials="G." surname="Zorn"/>
            <author fullname="T. Zhang" initials="T." surname="Zhang"/>
            <author fullname="J. Walker" initials="J." surname="Walker"/>
            <author fullname="J. Salowey" initials="J." surname="Salowey"/>
            <date month="April" year="2011"/>
            <abstract>
              <t>This document defines a set of vendor-specific RADIUS Attributes designed to allow both the secure transmission of cryptographic keying material and strong authentication of any RADIUS message. These attributes have been allocated from the Cisco vendor-specific space and have been implemented by multiple vendors. This document is not an Internet Standards Track specification; it is published for informational purposes.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6218"/>
          <seriesInfo name="DOI" value="10.17487/RFC6218"/>
        </reference>
        <reference anchor="RFC6613">
          <front>
            <title>RADIUS over TCP</title>
            <author fullname="A. DeKok" initials="A." surname="DeKok"/>
            <date month="May" year="2012"/>
            <abstract>
              <t>The Remote Authentication Dial-In User Server (RADIUS) protocol has, until now, required the User Datagram Protocol (UDP) as the underlying transport layer. This document defines RADIUS over the Transmission Control Protocol (RADIUS/TCP), in order to address handling issues related to RADIUS over Transport Layer Security (RADIUS/TLS). It permits TCP to be used as a transport protocol for RADIUS only when a transport layer such as TLS or IPsec provides confidentiality and security. This document defines an Experimental Protocol for the Internet community.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6613"/>
          <seriesInfo name="DOI" value="10.17487/RFC6613"/>
        </reference>
        <reference anchor="RFC6614">
          <front>
            <title>Transport Layer Security (TLS) Encryption for RADIUS</title>
            <author fullname="S. Winter" initials="S." surname="Winter"/>
            <author fullname="M. McCauley" initials="M." surname="McCauley"/>
            <author fullname="S. Venaas" initials="S." surname="Venaas"/>
            <author fullname="K. Wierenga" initials="K." surname="Wierenga"/>
            <date month="May" year="2012"/>
            <abstract>
              <t>This document specifies a transport profile for RADIUS using Transport Layer Security (TLS) over TCP as the transport protocol. This enables dynamic trust relationships between RADIUS servers. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6614"/>
          <seriesInfo name="DOI" value="10.17487/RFC6614"/>
        </reference>
        <reference anchor="RFC6973">
          <front>
            <title>Privacy Considerations for Internet Protocols</title>
            <author fullname="A. Cooper" initials="A." surname="Cooper"/>
            <author fullname="H. Tschofenig" initials="H." surname="Tschofenig"/>
            <author fullname="B. Aboba" initials="B." surname="Aboba"/>
            <author fullname="J. Peterson" initials="J." surname="Peterson"/>
            <author fullname="J. Morris" initials="J." surname="Morris"/>
            <author fullname="M. Hansen" initials="M." surname="Hansen"/>
            <author fullname="R. Smith" initials="R." surname="Smith"/>
            <date month="July" year="2013"/>
            <abstract>
              <t>This document offers guidance for developing privacy considerations for inclusion in protocol specifications. It aims to make designers, implementers, and users of Internet protocols aware of privacy-related design choices. It suggests that whether any individual RFC warrants a specific privacy considerations section will depend on the document's content.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6973"/>
          <seriesInfo name="DOI" value="10.17487/RFC6973"/>
        </reference>
        <reference anchor="RFC7360">
          <front>
            <title>Datagram Transport Layer Security (DTLS) as a Transport Layer for RADIUS</title>
            <author fullname="A. DeKok" initials="A." surname="DeKok"/>
            <date month="September" year="2014"/>
            <abstract>
              <t>The RADIUS protocol defined in RFC 2865 has limited support for authentication and encryption of RADIUS packets. The protocol transports data in the clear, although some parts of the packets can have obfuscated content. Packets may be replayed verbatim by an attacker, and client-server authentication is based on fixed shared secrets. This document specifies how the Datagram Transport Layer Security (DTLS) protocol may be used as a fix for these problems. It also describes how implementations of this proposal can coexist with current RADIUS systems.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7360"/>
          <seriesInfo name="DOI" value="10.17487/RFC7360"/>
        </reference>
        <reference anchor="I-D.tomas-openroaming">
          <front>
            <title>WBA OpenRoaming Wireless Federation</title>
            <author fullname="Bruno Tomas" initials="B." surname="Tomas">
              <organization>Wireless Broadband Alliance, Inc.</organization>
            </author>
            <author fullname="Mark Grayson" initials="M." surname="Grayson">
              <organization>Cisco Systems</organization>
            </author>
            <author fullname="Necati Canpolat" initials="N." surname="Canpolat">
              <organization>Intel Corporation</organization>
            </author>
            <author fullname="Elizabeth A Cockrell" initials="B." surname="Cockrell">
              <organization>Independent</organization>
            </author>
            <author fullname="Sri Gundavelli" initials="S." surname="Gundavelli">
              <organization>Cisco Systems</organization>
            </author>
            <author fullname="Seb Adamski" initials="S." surname="Adamski">
              <organization>IronWiFi</organization>
            </author>
            <date day="12" month="June" year="2026"/>
            <abstract>
              <t>   This document describes the Wireless Broadband Alliance's OpenRoaming
   system.  The OpenRoaming architecture enables a seamless onboarding
   experience for devices connecting to access networks that are part of
   the federation of access networks and identity providers.  The
   primary objective of this document is to describe the protocols that
   form the foundation for this architecture, enabling providers to
   correctly configure their equipment to support interoperable
   OpenRoaming signalling exchanges.  In addition, the topic of
   OpenRoaming has been raised in different IETF working groups, and
   therefore a secondary objective is to assist those discussions by
   describing the federation organization and framework.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-tomas-openroaming-08"/>
        </reference>
        <reference anchor="BLAST" target="https://www.blastradius.fail/pdf/radius.pdf">
          <front>
            <title>RADIUS/UDP Considered Harmful</title>
            <author initials="" surname="Goldberg, S , et al" fullname="Golberg, Sharon, et. al">
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="DATTACK" target="https://www.ietf.org/ietf-ftp/ietf-mail-archive/radius/1998-11.mail">
          <front>
            <title>CHAP and Shared Secret</title>
            <author initials="A." surname="DeKok" fullname="Alan DeKok">
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="MD5-1996" target="https://www.ietf.org/ietf-ftp/ietf-mail-archive/radius/1998-02">
          <front>
            <title>MD5 Key recovery attack</title>
            <author initials="I. R. W." surname="group" fullname="IETF RADIUS Working group">
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="MAY-1995" target="http://ftp.cerias.purdue.edu/pub/doc/network/radius/archive/ietf-radius.9506">
          <front>
            <title>Proxy-State radius extension to support stateless proxies</title>
            <author initials="M." surname="O'Dell" fullname="Mike O'Dell">
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="EDUROAM" target="https://eduroam.org">
          <front>
            <title>eduroam</title>
            <author initials="" surname="eduroam" fullname="eduroam">
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="EXPLOIT" target="https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-158a">
          <front>
            <title>People’s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices</title>
            <author initials="A. C. D." surname="Agency" fullname="America's Cyber Defense Agency">
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="BRIGGS" target="https://www.fcc.gov/ecfs/document/10427582404839/1">
          <front>
            <title>Comments on the FCC’s Public Notice DA 24-308 on SS7 and Diameter Vulnerabilities</title>
            <author initials="K." surname="Briggs" fullname="Kevin Briggs">
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="HASHCLASH" target="https://github.com/cr-marcstevens/hashclash">
          <front>
            <title>Project HashClash - MD5 &amp; SHA-1 cryptanalytic toolbox</title>
            <author initials="M." surname="Stevens" fullname="Marc Stevens">
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="OPENROAMING" target="https://wballiance.com/openroaming/">
          <front>
            <title>OpenRoaming: One global Wi-Fi network</title>
            <author initials="W. B." surname="Alliance" fullname="Wireless Broadband Alliance">
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="WIFILOC" target="https://www.wi-fi.org/discover-wi-fi/wi-fi-location">
          <front>
            <title>Accurate indoor location with Wi-Fi connectivity</title>
            <author initials="W.-F." surname="Alliance" fullname="Wi-Fi Alliance">
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="SPOOFING" target="https://networkradius.com/articles/2021/08/04/wifi-spoofing.html">
          <front>
            <title>Wi-Fi Spoofing for Fun and Profit</title>
            <author initials="A." surname="Cudbard-Bell" fullname="Arran Cudbard-Bell">
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="ASLEAP" target="https://github.com/joswr1ght/asleap">
          <front>
            <title>asleap - recovers weak LEAP and PPTP passwords</title>
            <author initials="J." surname="Wright" fullname="Joshua Wright">
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="WBA" target="https://wballiance.com/radius-accounting-assurance/">
          <front>
            <title>RADIUS Accounting Assurance</title>
            <author initials="W. B." surname="Alliance" fullname="Wireless Broadband Alliance">
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="WBA-ACCT" target="https://youtu.be/wwmYSItcQt0?t=3953">
          <front>
            <title>RADIUS Accounting Assurance at IETF 118</title>
            <author initials="W. B." surname="Alliance" fullname="Wireless Broadband Alliance">
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="PWNED" target="https://haveibeenpwned.com/">
          <front>
            <title>Have I been Pwned</title>
            <author initials="T." surname="Hunt" fullname="Troy Hunt">
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="ISSUES" target="https://github.com/radext-wg/issues-and-fixes-2/wiki">
          <front>
            <title>Issues and Fixes 2</title>
            <author initials="" surname="RADEXT" fullname="IETF RADEXT Working Group">
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="RFC5080">
          <front>
            <title>Common Remote Authentication Dial In User Service (RADIUS) Implementation Issues and Suggested Fixes</title>
            <author fullname="D. Nelson" initials="D." surname="Nelson"/>
            <author fullname="A. DeKok" initials="A." surname="DeKok"/>
            <date month="December" year="2007"/>
            <abstract>
              <t>This document describes common issues seen in Remote Authentication Dial In User Service (RADIUS) implementations and suggests some fixes. Where applicable, ambiguities and errors in previous RADIUS specifications are clarified. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5080"/>
          <seriesInfo name="DOI" value="10.17487/RFC5080"/>
        </reference>
        <reference anchor="RFC7593">
          <front>
            <title>The eduroam Architecture for Network Roaming</title>
            <author fullname="K. Wierenga" initials="K." surname="Wierenga"/>
            <author fullname="S. Winter" initials="S." surname="Winter"/>
            <author fullname="T. Wolniewicz" initials="T." surname="Wolniewicz"/>
            <date month="September" year="2015"/>
            <abstract>
              <t>This document describes the architecture of the eduroam service for federated (wireless) network access in academia. The combination of IEEE 802.1X, the Extensible Authentication Protocol (EAP), and RADIUS that is used in eduroam provides a secure, scalable, and deployable service for roaming network access. The successful deployment of eduroam over the last decade in the educational sector may serve as an example for other sectors, hence this document. In particular, the initial architectural choices and selection of standards are described, along with the changes that were prompted by operational experience.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7593"/>
          <seriesInfo name="DOI" value="10.17487/RFC7593"/>
        </reference>
        <reference anchor="RFC7525">
          <front>
            <title>Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)</title>
            <author fullname="Y. Sheffer" initials="Y." surname="Sheffer"/>
            <author fullname="R. Holz" initials="R." surname="Holz"/>
            <author fullname="P. Saint-Andre" initials="P." surname="Saint-Andre"/>
            <date month="May" year="2015"/>
            <abstract>
              <t>Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) are widely used to protect data exchanged over application protocols such as HTTP, SMTP, IMAP, POP, SIP, and XMPP. Over the last few years, several serious attacks on TLS have emerged, including attacks on its most commonly used cipher suites and their modes of operation. This document provides recommendations for improving the security of deployed services that use TLS and DTLS. The recommendations are applicable to the majority of use cases.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7525"/>
          <seriesInfo name="DOI" value="10.17487/RFC7525"/>
        </reference>
        <reference anchor="RFC7585">
          <front>
            <title>Dynamic Peer Discovery for RADIUS/TLS and RADIUS/DTLS Based on the Network Access Identifier (NAI)</title>
            <author fullname="S. Winter" initials="S." surname="Winter"/>
            <author fullname="M. McCauley" initials="M." surname="McCauley"/>
            <date month="October" year="2015"/>
            <abstract>
              <t>This document specifies a means to find authoritative RADIUS servers for a given realm. It is used in conjunction with either RADIUS over Transport Layer Security (RADIUS/TLS) or RADIUS over Datagram Transport Layer Security (RADIUS/DTLS).</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7585"/>
          <seriesInfo name="DOI" value="10.17487/RFC7585"/>
        </reference>
        <reference anchor="RFC2869">
          <front>
            <title>RADIUS Extensions</title>
            <author fullname="C. Rigney" initials="C." surname="Rigney"/>
            <author fullname="W. Willats" initials="W." surname="Willats"/>
            <author fullname="P. Calhoun" initials="P." surname="Calhoun"/>
            <date month="June" year="2000"/>
            <abstract>
              <t>This document describes additional attributes for carrying authentication, authorization and accounting information between a Network Access Server (NAS) and a shared Accounting Server using the Remote Authentication Dial In User Service (RADIUS) protocol described in RFC 2865 and RFC 2866. This memo provides information for the Internet community.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="2869"/>
          <seriesInfo name="DOI" value="10.17487/RFC2869"/>
        </reference>
        <reference anchor="RFC6280">
          <front>
            <title>An Architecture for Location and Location Privacy in Internet Applications</title>
            <author fullname="R. Barnes" initials="R." surname="Barnes"/>
            <author fullname="M. Lepinski" initials="M." surname="Lepinski"/>
            <author fullname="A. Cooper" initials="A." surname="Cooper"/>
            <author fullname="J. Morris" initials="J." surname="Morris"/>
            <author fullname="H. Tschofenig" initials="H." surname="Tschofenig"/>
            <author fullname="H. Schulzrinne" initials="H." surname="Schulzrinne"/>
            <date month="July" year="2011"/>
            <abstract>
              <t>Location-based services (such as navigation applications, emergency services, and management of equipment in the field) need geographic location information about Internet hosts, their users, and other related entities. These applications need to securely gather and transfer location information for location services, and at the same time protect the privacy of the individuals involved. This document describes an architecture for privacy-preserving location-based services in the Internet, focusing on authorization, security, and privacy requirements for the data formats and protocols used by these services. This memo documents an Internet Best Current Practice.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="160"/>
          <seriesInfo name="RFC" value="6280"/>
          <seriesInfo name="DOI" value="10.17487/RFC6280"/>
        </reference>
        <reference anchor="RFC6733">
          <front>
            <title>Diameter Base Protocol</title>
            <author fullname="V. Fajardo" initials="V." role="editor" surname="Fajardo"/>
            <author fullname="J. Arkko" initials="J." surname="Arkko"/>
            <author fullname="J. Loughney" initials="J." surname="Loughney"/>
            <author fullname="G. Zorn" initials="G." role="editor" surname="Zorn"/>
            <date month="October" year="2012"/>
            <abstract>
              <t>The Diameter base protocol is intended to provide an Authentication, Authorization, and Accounting (AAA) framework for applications such as network access or IP mobility in both local and roaming situations. This document specifies the message format, transport, error reporting, accounting, and security services used by all Diameter applications. The Diameter base protocol as defined in this document obsoletes RFC 3588 and RFC 5719, and it must be supported by all new Diameter implementations. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6733"/>
          <seriesInfo name="DOI" value="10.17487/RFC6733"/>
        </reference>
        <reference anchor="RFC6677">
          <front>
            <title>Channel-Binding Support for Extensible Authentication Protocol (EAP) Methods</title>
            <author fullname="S. Hartman" initials="S." role="editor" surname="Hartman"/>
            <author fullname="T. Clancy" initials="T." surname="Clancy"/>
            <author fullname="K. Hoeper" initials="K." surname="Hoeper"/>
            <date month="July" year="2012"/>
            <abstract>
              <t>This document defines how to implement channel bindings for Extensible Authentication Protocol (EAP) methods to address the "lying Network Access Service (NAS)" problem as well as the "lying provider" problem. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6677"/>
          <seriesInfo name="DOI" value="10.17487/RFC6677"/>
        </reference>
        <reference anchor="RFC7930">
          <front>
            <title>Larger Packets for RADIUS over TCP</title>
            <author fullname="S. Hartman" initials="S." surname="Hartman"/>
            <date month="August" year="2016"/>
            <abstract>
              <t>The RADIUS-over-TLS experiment described in RFC 6614 has opened RADIUS to new use cases where the 4096-octet maximum size limit of a RADIUS packet proves problematic. This specification extends the RADIUS-over-TCP experiment (RFC 6613) to permit larger RADIUS packets. This specification compliments other ongoing work to permit fragmentation of RADIUS authorization information. This document registers a new RADIUS code, an action that required IESG approval.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7930"/>
          <seriesInfo name="DOI" value="10.17487/RFC7930"/>
        </reference>
        <reference anchor="RFC8907">
          <front>
            <title>The Terminal Access Controller Access-Control System Plus (TACACS+) Protocol</title>
            <author fullname="T. Dahm" initials="T." surname="Dahm"/>
            <author fullname="A. Ota" initials="A." surname="Ota"/>
            <author fullname="D.C. Medway Gash" initials="D.C." surname="Medway Gash"/>
            <author fullname="D. Carrel" initials="D." surname="Carrel"/>
            <author fullname="L. Grant" initials="L." surname="Grant"/>
            <date month="September" year="2020"/>
            <abstract>
              <t>This document describes the Terminal Access Controller Access-Control System Plus (TACACS+) protocol, which is widely deployed today to provide Device Administration for routers, network access servers, and other networked computing devices via one or more centralized servers.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8907"/>
          <seriesInfo name="DOI" value="10.17487/RFC8907"/>
        </reference>
        <reference anchor="RFC4120">
          <front>
            <title>The Kerberos Network Authentication Service (V5)</title>
            <author fullname="C. Neuman" initials="C." surname="Neuman"/>
            <author fullname="T. Yu" initials="T." surname="Yu"/>
            <author fullname="S. Hartman" initials="S." surname="Hartman"/>
            <author fullname="K. Raeburn" initials="K." surname="Raeburn"/>
            <date month="July" year="2005"/>
            <abstract>
              <t>This document provides an overview and specification of Version 5 of the Kerberos protocol, and it obsoletes RFC 1510 to clarify aspects of the protocol and its intended use that require more detailed or clearer explanation than was provided in RFC 1510. This document is intended to provide a detailed description of the protocol, suitable for implementation, together with descriptions of the appropriate use of protocol messages and fields within those messages. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="4120"/>
          <seriesInfo name="DOI" value="10.17487/RFC4120"/>
        </reference>
        <reference anchor="RFC1994">
          <front>
            <title>PPP Challenge Handshake Authentication Protocol (CHAP)</title>
            <author fullname="W. Simpson" initials="W." surname="Simpson"/>
            <date month="August" year="1996"/>
            <abstract>
              <t>This document defines a method for Authentication using PPP, which uses a random Challenge, with a cryptographically hashed Response which depends upon the Challenge and a secret key. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="1994"/>
          <seriesInfo name="DOI" value="10.17487/RFC1994"/>
        </reference>
        <reference anchor="RFC5931">
          <front>
            <title>Extensible Authentication Protocol (EAP) Authentication Using Only a Password</title>
            <author fullname="D. Harkins" initials="D." surname="Harkins"/>
            <author fullname="G. Zorn" initials="G." surname="Zorn"/>
            <date month="August" year="2010"/>
            <abstract>
              <t>This memo describes an Extensible Authentication Protocol (EAP) method, EAP-pwd, which uses a shared password for authentication. The password may be a low-entropy one and may be drawn from some set of possible passwords, like a dictionary, which is available to an attacker. The underlying key exchange is resistant to active attack, passive attack, and dictionary attack. This document is not an Internet Standards Track specification; it is published for informational purposes.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5931"/>
          <seriesInfo name="DOI" value="10.17487/RFC5931"/>
        </reference>
        <reference anchor="RFC9190">
          <front>
            <title>EAP-TLS 1.3: Using the Extensible Authentication Protocol with TLS 1.3</title>
            <author fullname="J. Preuß Mattsson" initials="J." surname="Preuß Mattsson"/>
            <author fullname="M. Sethi" initials="M." surname="Sethi"/>
            <date month="February" year="2022"/>
            <abstract>
              <t>The Extensible Authentication Protocol (EAP), defined in RFC 3748, provides a standard mechanism for support of multiple authentication methods. This document specifies the use of EAP-TLS with TLS 1.3 while remaining backwards compatible with existing implementations of EAP-TLS. TLS 1.3 provides significantly improved security and privacy, and reduced latency when compared to earlier versions of TLS. EAP-TLS with TLS 1.3 (EAP-TLS 1.3) further improves security and privacy by always providing forward secrecy, never disclosing the peer identity, and by mandating use of revocation checking when compared to EAP-TLS with earlier versions of TLS. This document also provides guidance on authentication, authorization, and resumption for EAP-TLS in general (regardless of the underlying TLS version used). This document updates RFC 5216.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9190"/>
          <seriesInfo name="DOI" value="10.17487/RFC9190"/>
        </reference>
        <reference anchor="RFC3539">
          <front>
            <title>Authentication, Authorization and Accounting (AAA) Transport Profile</title>
            <author fullname="B. Aboba" initials="B." surname="Aboba"/>
            <author fullname="J. Wood" initials="J." surname="Wood"/>
            <date month="June" year="2003"/>
            <abstract>
              <t>This document discusses transport issues that arise within protocols for Authentication, Authorization and Accounting (AAA). It also provides recommendations on the use of transport by AAA protocols. This includes usage of standards-track RFCs as well as experimental proposals. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="3539"/>
          <seriesInfo name="DOI" value="10.17487/RFC3539"/>
        </reference>
        <reference anchor="RFC2975">
          <front>
            <title>Introduction to Accounting Management</title>
            <author fullname="B. Aboba" initials="B." surname="Aboba"/>
            <author fullname="J. Arkko" initials="J." surname="Arkko"/>
            <author fullname="D. Harrington" initials="D." surname="Harrington"/>
            <date month="October" year="2000"/>
            <abstract>
              <t>This document describes and discusses the issues involved in the design of the modern accounting systems. The field of Accounting Management is concerned with the collection the collection of resource consumption data for the purposes of capacity and trend analysis, cost allocation, auditing, and billing. This memo provides information for the Internet community.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="2975"/>
          <seriesInfo name="DOI" value="10.17487/RFC2975"/>
        </reference>
      </references>
    </references>
  </back>
  <!-- ##markdown-source:
H4sIALXLR2oAA8y9/XLc2JEn+j+fAkFvXJPuKkqkvrUxM1stqlvcbkncJtvt
ubMzN1BVKBasKqAGQJEqd/SGX2MjZl/OT3Lz++Q5QFFsjx2x3h2bIoGD85En
P3+ZOR6PD7qyWxWvs0n2Q3FbFndZvch+mJxf/HiVXRWzbVN2uyyv5tllU97m
s91BPp02xe3Dn5/XsypfwwfmTb7oxmXRLcZNPi8+d+OGBsB/ldt2/Pj04KDt
4NX/L1/VFbzQNdvioNw09FPbnT1+/Orx2UHeFPnr7KLqiqYquoO7m9f4+bd/
uM5+qptPZXWTfdvU283Bp7vw1Pgcv30wy7vXWVkt6oN2O12XbVvW1fVuA5+6
eHv9zcHBpnydwX9+k83yKtu2RZY3Tb7LjspFlq9W2a5oj7O6yZZ5u8yWRVMc
ZFlXz17jH+DHtm66pli0r2mIebHIt6uuhSf077s1/xn/eZBvu2XdvD44GMOM
4JeTk+y8+K7+BA/ydk1WMAn9Vd3c4Go+fd2U85si+1B0d7BYHLVY5+XqNcwv
r07mxaf6038rq09TeuykrA8OqrpZ5115W7yGh79+c3n6FPbrmzcvT188hV/A
T2cvnz97zT8+f3p2ij9ejM9PonOiA5p3q3Y8LduhJ+bFpilge2H75WlYGe60
+zh84PQJfwA/+/TJE/3xxbNXr20yz8OPL+XHJ89e6APPTl/oA8+evXysEz99
puM+PzvV154/P30SfnyqP756ob998eT5Y11NV6/zdlxviqqp8zWsg/br+8nV
Nf4A/5Frcsi0/ujH88vsTV215RwIYZ69y5v1Yrs65Gf1cDP+Dx3wt/VqPi2a
m1F2dTLKiu4Ezkwf4BOHJ+SBZd7UVfwQb6UNef2Ha6CzZddt2tePHt3d3Z1M
V3nb8d6fLIAmHm3mi0fyb/gRXjyfXF9P3nyXrOfNu8klXVj8KqwELnFTdMML
GaDMh0wNKeUESPgRkcyi2/APSLnjvJktgUBkpo9OX716OT49PcG/wYDvz5+N
4VfPkznDr7Pvil0GNFffFg0wnK7LZ5/umzTecOVTyihuiFH8fdYAnAqmP/ln
nP6zZPqXTf15N77q8q7I+J0MLlFRIT9CftFuNxtgJlmLT6yKts028EZZtPct
8H35qcg+/va8WH2JYmBFMP+TWdGUOdDGtplvi5Nivn202U4fAbt+VDF70fXo
8vTCI0W9evb4OYz89vzHHz5O3ifrg7HwEt03W3nkAZsvT+Le4wf/cPn9x4v0
Tl4W9WZV/OXP/7sFoQSrWJUzFEtvlmWVZ7TP46sNXNYaCfzNDm5ZNpl1ddNm
bz9vVnXZKUcFqVXf4pVu6Uqcg4Ca3b/tkzVs4yz/bSvjnhcLOMgim9wUFUi/
hxHXrGzzk5v6Fnb+rh0Xt0XVtY9mOF4rInWcz29LmD8QwaM8Pzsbnz57mSOH
+uHi22+v0itdr9c4RIbktCyyb968ob255J35UHewKmAH2dnT8ZPHL/Gxq6sX
vOISVgVCM/v9dlUVTT4tV2X3Bcr7DnapykA03dy0+xfs17uYzWi5xWzRIsVt
cbqPTh8/BVHw8uzp46cvn7x6dAqvv5tcvXsDTPhd/wb9sZh1wHbb5ZsVyuMx
8ors/8mu3k3Gp9ms2W1AlchXO1gqXCngrPXne28PEDlQCm79A9ZwU3bL7fRk
Vq8fzRrgAc2s5VcfoW4wwwnBex8v337A23Hx4dtk+h9BzPwgYib7WBXZzaqe
5qvsp3L8TZnJ9btvuj+VDTOGr+FuzKd4cpPVqsyrWfEQkoNv8cO0BCf0HsEL
P118c/H9xzfJlCczIERkWGU1r0EJWtUo7oFy7mAvZOKzuqrgVMpbINj7Zn/I
j+uMDx9GNHfleFESC56XLfH9Mf3qEf33WCcE719dfvz4TX/X+avACOoFcn/4
XvbNthJlFX53r9A7nIAuWGVvtrDbzXz8NbDZB8xbjlKYJm523gBFwtE9Ont8
dvro8ctHj5/CAmD+rczrZNmtkYNPrr5/O7lMlpC3qyLfALGL5GuzuyL/lOGT
vI7L68tsk7ctfHV+76X973W73ObZT3Brl92vovg/1u1dcwpvPeLZIMl8PRnU
koDLzupthWphNmlbIKBw3PsoYy9hP4RMYsIWwyK3SYxzncQjnvV48ubNsII3
OHXQM1iROD19+Xdcxq7edtuTaQFkv/7nq4tu9j+6x//U/cOTV8+ewPOXP314
e57M+V1+W2QX2bQoquzyrirm987uuql32TtY3APmsoSRSxx3g8PStqLGfHX1
49tU7FzANhUsOL8pP8NPZ/eow2yzDetofWNu7zSHCFRskjvQ1WhGY5gRcAiY
0fgM7tqn8uAAePWWjBJSAd1s2JriEf6b6nz4HA3/Ols0RSFqUWS9nsADYMuN
x1k+RTV8Bv+6XpZtptINVTjULGB/gE+uwVxaosIHx9aYGa3CPuN5HwANAced
o0qIYlwIE3gVWJ316gS2AL8g769Bqt/C4y09O1vm1Q3+XB/Iazb43bKcLcG0
LWCxc+TnBz///GV77pdfTnh963I+XxUHB79B67qp59sZcV1Yrc1wIzPMfv5Z
DMxffsnu8jZblE1Lam01ByZa/gnWBpoDaMgvRjDrenuzzEpQW5q6hv++qbMp
KPXZegvTLfJmVYJaAlsBjz+htRfhQ2Cst6QA0BfRzIQvwrNIebD5oKCB5Grr
NbwCQxZdOyIyhSfq6WLb0p9BH+5ymA7YEk053eJOtvhpmPePLQibS2Gr8O0J
qFbAOEG7XK12YOq35Q1cjhHyDLj04x+Kf4fj6/RbwKNhs3EacKC7bFv5Wc15
JsBrVnO4vxl8+7akYUkgwA4d6S6+GqFxRkL3xQkuEF+kP6KBHP749OTJydkv
vxzzRGn7gLg6v1/zvMuByoAogDJhzSCR8mbcwdGPbNboBFmhdDE7HsbOp8Cb
yDeCVxa2cc4qMq9CZXB78ldQf0qnOOCGnUhy3Cj3t+S1IffLXpLvDdUj+eyB
JA+croKjnjPlteV6syoXu3gv9buoT+ADBS4YRDOSNGwB/B9YGnDWK11ribvQ
Fpuc9CnbokVTrwdHhln8tCxXBY9nz4O2hfTaMl2DEtfQ3tN3ZmQBzPkwRnCp
4DWYYlV3MqhnKPo9OLTf/CZ7R/PdDbj1+I7DF3Vb4RG8c6DzsuT5VNV3Fe1D
DqQAzLsr1wXuYeduP8yBrz1xN7F45UvMDJ6r3eJt9jtvsxObxn+tYLJwluom
+OWXkZ71qq2VXuBz2xafBoJ+937yBncOeDQwLvx0Wc2aIgeC1mXZdpc8bdzL
mhe3KtD7BkoAzg4XN6KfmDnBTHDjmznuC3wC+AkcDl+YPYxBdT76jiz6IesV
Tw6wAN6xl3xBgL5xoHY7RRbbARvJFtsGBm3c1dEp4bdWyF9htiUQ7A0d6WxZ
zD7ZXOhzqGfSvyq4JtkCCHgHC27lTsJQM6I/5DA5XXRcKk0EX5oXsMCSzhnJ
Bf6U3xTjSeCASC2oNAAFC/niGY2nOZ6b8WK+sz0++Ozk9ClJph+RR3XAWjtg
sXwqyKT2fhKnR7xAv6rSdO+WIFnv4+8w2LyAew8ThifA8pwC+eALdDXbstvy
TdyzCuLmrw8O/nHvB9DGymMxlMED8J0SbF9cLTBXWBxdShhnWndL3YSGRR38
48MEeWI1R0rCf8dfG8ElnuWya/BnGOYuZ17XsmuwJdcgPNbd4XXH4XBo47YN
UgrsIYwxJwmQE5earbbEs+ECZflmg8SDF2+Khwr3BS5NJ8SEAoj4WlmhJsnL
BqEz08tHjA/p7Iu7hW7NsFdwFGAijYUWgBkSK0TdFoZJN9aIbgTnR+vfQ7b6
HIzRLlWA4+LxnHOeXJNMji6J+75+HcbQCYzwdRM6e4956EhhFPmgSmDaUiTQ
qq7GFgzI5ttC1cpVDfrJDDngb3kVv2WWbUeFM67qINuYay/qFb4JdAjKNIum
Vbkukbm32xsQW/jUCcsMXjzeiBv01pJ6yyIhZk+8c2ePHz+1m5KoNsjhkeby
G1TV+OEX/PA/YUzg8cvH4emzkzNUhIi4aNdFcsr8ULPG38cLa2kHQVX7MhPx
xwTKwy1JcV4j0ec72B+4Env1QhLHLMVJPNlnkLaHSS07OTlBK2WHl9xri/Rd
1E2vQeu9rcs5Hwlt9cjuZrJSGwdmsShvtg0bG34DYF1AXzPahXx4H/AKeT49
vFqYmvymv3AY4QtXDF3pOJ8KZ9uCdK461LyBbMCQIG6TUmxdwQN1VaTsyTS0
L1AuKM9BzuPq2a+cqygLBIc02Zn0hZuC+gWot9s23cwvURNGGffu3sWC5xpr
d8BE8NIANedz1sJIrK3RxEI9bsS7hl+HF5FCv8ZAkWwKx01gLRTpQiuN2Ngq
B2KC7SMGRYMKeQtfLzg0oQpg0LNRktPNjC40XWSM0QX9jN4neWiXla4MDlfS
JqICibIrCNQ72mNQVIEb4htAmSUqOkCcpd3auRltczDQOlAn0DjLO6DtVmUS
fZw4wYoJPrUXpgWSJavrfglPz04Dd3kinKWvA4meryoQseBSzwBUuQp5BpGQ
DBr2BXVRJERyYNfj/Ab97ztdHHv1UbHgGcv3cch4EnVbxO8wZcIVqXZmAei6
QfBvO6OhvtImEc/r76/CTjw/NVYsfz73f8fIKm3PBD6KDF5np3virgjuWD4n
CZasOpwMvrYqPyFN0iqym7qeozDMxZCXYxW/Ao4lb5L2ylPj9RGNElGUC7h5
xEdAo8GYxyYHxQF29w4GAVr5IZ/DWZN5g6oL3YPUd9G3I+Ng+ZD0CUO0NDOK
u+APXZNXYBKglRTOWCnjBsR2G9hXLSEqtvvoX6yu1UzG+yy8iacfimK7M7x+
c0n8YgeTLIEXgU1c4Dcqupdk2MFvnaE0bBAKse29/HBb6Vhy+MCMlHDgOWgB
Le5juJH1K99OeCEsHlnsXv7qeTaZ4at1DZvd3dUykxanImMHg4+oa48MJ3uh
Zyy4sZdNUSSjf2SLCgZlpxDYgTkvUU1K+J1Z1cALmZsXkblKernb+H1yI/bD
FJ83K3Ia3C13PAUdu1Qqx8vzK90kJH33se1AbiwOSSwbQTliumcMomqgRPY2
ZT7+5L1T6slilpvPmrpldnOHMV2DA6mtZ7tCOw7DFPH+CGUX7F4MDpGqYLEx
xYPl7UDV62GbpRveeo1AvrNBxzG603Alev1LNKDMZpMXjs6PkWOA8vcQFkSO
HXflzaTXHcGN19UeHFyVKFO7+509dwWwguDxEQof2VE3+WKBYfjep5A7BKcY
Ojrps3O22y4u4Z8kvot2BrqfYyKpl/NMjGbUeOfzppCzthnfxiFsJ8rAFhzB
i6k6rEym3RQzEg70oat3H3/8/txAGTRBePmIQEyPT4+znHxdPPvv3uofXh3T
vnwCZgonDuxI2BYv8O3VZRjj+TG/TSbaFraVBAGStX4clV7+vjqMdRowkLoH
7HXQ11GQEke0kchqCgwRffb/aIsKnyHzlewZcthmIF7GYr6RkUD2Z47iGXcw
HnDkGCF+ringMu1I+vCh4fJhh+xrB/S1gW1iJVNoXUhCzM3ASnBT2LdMXmD0
++BXmZzoX4EBuKtvVhnc9aIpybgBw/dOzUG8V+RGI/IgRl3BHFAVKFG7rlDP
3YW/R35foaSceNVmVe9I/TKXIi/FVFVx2gL1tDvQTtZ6HiObBHo/NhsVg2MQ
FDN0y02bvNkZGysXC+BfsI4RxhE2K71LyvngtQZVn3zO3i7cVPwAzvzd9fUl
MBnUxZpCtDFxfNaLDu45CJtSVulmEmIj4TzwuEiN4Q2DlaISFZRHpzn2FEen
NXK4hKwW0kOZA5ihvS4KtsvuU5Fj5RpNzzAN42BlFe0OTp9WSe5R1U08/4UX
BI0Eowv0CebLWsWLZ6+eqEq8RlHC5tYKxUjmAB/wuAOGWBRnEIPop36uc29x
7hRcJohqoHEBPimpi1rfiS6Hr663q67coGs7plc4J7sVTkwgK6R3cZswctUi
9xGrWaJ1oiO2KtNxNYewm8t6dhgc7UQxibi/vtckxRvZZn/cgioDP8Eewln8
+5aUIKJ5+ipCrGCWGh4qurxcmRo5MChGgCLLlA6K3wOaAAZDvrd/+dej3zg4
5XFPfr6DvRwCO2NsFtSVdXtw8BZ3qVwAMWdgatSij/fnNEL2SO/wncU9XBd5
JXYRLH463aEbnh+HO3C3rCk2Rzamm5RKXPzbtNl2xRg2fFawSkqK+wYopUR1
Su1d79alfSsQDYIGIioiCC8pKzK4KIi45lUgS6pgXtsG7Tul9Rb+PSsW21WY
6FFxcnOCckl4F1rdxzS9MCUaWPS9ZDq0HeTFWddzVGmRX1fzkk35DA6goJOa
wVwxVHLMJ+jiT1Hcw6R7V29K5EzniHNbsweq7+S+Q7qnKBJ8Da4N6ZYYuazX
JYsl2lGF2sCyGpAlc7Xz93iUYdpEGByPSnzUyMXhjsKM1vnKSc1RZkYzhmMW
ma6YFUL0Jqx2+E+dDV3ccl2u8kadvIOvRiuGqb2/GhMaWCLOT588EfYkf7g9
k+gF8Lpffjmm6xQb0vD1lgwHU8KIXi5B35JF7Jg+C9rMVYFiG6i1/lQIkkyX
rxTVkiMOKYpZjEyRbrJpiHzwcnPX7RgIeHMcKxHDNuFQVFS3iul4315dfzks
wIFehHA05OCIg50sKWgCNgtSmET1VoABYaA5GiZ6mHNohchw3rkPW7QdWBjf
g0BNdD8MBbEnMvywPXgPX8E/1ehQsS+lkxQ+wPL47PQlUg67GVm44KeBbwAd
eC2eITBME7ZhbRwfD4JNcAL61rZKoDOpsUzRr+jUFmWxQqfP+7rtPATEDDGm
9gG8ROBTOUVHv4QfoXO/3lZVsQq/I08rzKdsyDFOSsyynIOEE1rjf/jB1ZI2
aatQFjzkdQESet4KowESUt8LfQi3nN1ZW/IayPYz456z4mAPIjEVlSncqFzD
nBhy3QbIB93rI1wbHMgxD58LaJRAMsxt1X7Z0PvOw4ygqU8WqjfznpAqsu2q
2Q8p9tkR3n2hg2O9/ATY0Al6/YPmUII0gXuyRSdxvijwt03Bzm+eZFXcULiM
R2uNKvExOvFN3iDbW8PdviF6u1NnO81bhQKSSCCkbatHjcaznhSZEeLcme9D
wXwDDxWfc+ScIw4uxxaYjUaUhyFP0BpH/AP9VHSzEzal6INEmB9yxEXJDcLv
4V9IrKsnUfySxBKCyEPng3NJwPgolWs3mLB6jAiQddWQ0ogQDL3qMPIcJOqf
xH4UJziqGCh6KSyjTp/I0UNmqJnoxIE2BK3dotADI227AA0GJt+MzPOL9x4f
3Fblv28LGdarvh2dsW4hHjI5m1dk7rHyi/w9/n1+C8ojOqlUtpeLZCCyZ8jS
3U7hy2VXb1sBKew0FCz8mZQK4U9+veY3ZR0fr4B+lj0s3rnTOHduODsSpJUE
vYhM4cBEsCB82C+b15oatXRXI88NW4jtp3KzwZhF0ciZFNltvirncqjAK+ci
J0xDcaoUaBsK2GbQ2oVY2RiTBhGFEAbZRNwpmn9+lzci9Zi1U2zPTwANWIMX
4J4InE5pDHXszkYIsTv0oSP9G3iiq4l3zeRhmBjeZYbs3KHMYwZdNu5m0GTJ
P4AxNFDQ5iIkBdLH8xXRAdZrB8fIyjnbsukEuvxTQaGbfKb0DqewAenNpskV
f4pZJ/sYaol6sGgvKrx5kUKU92+3iqtoBPUMqL4WcQpjUxobiL1/RHIgl+R8
0MBg1xRuiJgrLvoKy0KHIsXeiFPkkkwAJHRbsGUHTHVVojggZo7DaoClJBBi
+BpykQ6dlHwhm4JIm2U00xTiGRFBQdeaSC7+PU4f7yNFsCL2o8KZQXt0aeWz
rbIB8cBgJI7W57B40aHQYQLRHeK50M4fKmAH7dPbIuMDl1mQADK4F0MaK1N8
Av8k8QS8Vxgt7C6y61z95QhV2sANzGdLIKFIrPAEzVakk62CVUc+fIK58c1j
40pOU2CgpPKSqUEPIRnpg+jogxGZxBACSelGrfqyxFBnOCwxCWQROftEiV5I
F6gtgqI5J+x9VE8NMjT3RVaURTKz3+imyTewWcb21N8p4T9WcoHKj9S7c/Ys
+J6fn4BldCyh9SmIbFKREWygHzUNHIEzPfwsn6U824qusiBtXzbAth9RAdlk
MlEPYdlKHBy/hiJvFx6BvUAKNBoNTJYQUM0WJotaKthX5awEKcQDJHtfCjKO
NAAJuk4ZByZZirfGREJ88fNOt44CuUsMojAv59isYuDIf9Ts4jeXBAWCQ74t
jQeWVVcrNhqB5is6dIb2Ge/oYvlGyIR6te0MIkz2PhuV5Z/YDqi26ykzI8mq
hE/d1qtblA3KAafKTM93Vb6GL10WmNsneUe7EQcozDmpNPLyGQVbkrsZVKmA
7adDczYh4yvFGd5nzSfiLWOrLMYBq0OrFW4TPsCOLRYRGHNUpHX0forUnhY3
FP/imEK7Xa9zRgMPWWThxqG/Dv/XPHYCTRJ2AktkfuAUFQ+4FYevhN8o+sZx
MgZG9UQVstACTZe8Ebe/egPg3bxTHIa5hEne06ZojI2/esMY9AgvjQwXVwCf
bChgTzevVW12Xd40alsykbDmq6MFDFGk1JsR7czQ4jNoUw6sEIjZb23e82L1
1H41idthk4Nnx1DMecFHOGRhkMMWQ6XmFp6oNmBe8+A/RUxQSbqser3IdP3c
Bc4wQv+nqLjyIhIE3Qi8JBiEwSCvCkEmlrzysV+70MF+i3ZMFQ22B6fb1Sfd
JD3AYoHgYFZtF0DnxA9J/x0ldwnZ3V3Z6mOtPMb7h5AGUQKdls63osmJy/LF
N3x1mg9DRg1GUQinwRvr7njQY8yMdCEXVRvQ/bBEG1VYmPhC5DhHQ69pJJQj
6eEWrZGhMfJPSb8RMdAS2/hNNskkm5iyhH1gtD04GEpL6DBHWbwFUaqHqT5y
b0ukm/WmaBYGACaOSWpLpM8IuDb4CvhuyH6zu4KfJMUbK3vA3wTiSmmS5Nau
CVJApiMpphgzyufkeFbwbmxXCBMnrFEIzYdkEpj7Mt/wqej6Bfwbx5CZQ00J
oQerKBGuE4YxoiNPWN1M1e8TqWX6geBVitAstPI7oIBOfDWIAFfzp2iamp35
mkdlo1kilFrkS65k0ZvpUvGFrcTOjJGqc6T/JnJMATmTVwXPG17iydVVzIMI
vwG6IAVFWQmQYBMr8DuzvEFK4FQZ9cq7NbDpJojJDdsUN03RMUeZFrAHC3JT
o7eCqUCRaN6PoEvEIQ4lAH3IOlRyvmLsKYKe3ZTh5fRkSeTqNLwdqXaMbWIw
/c34xXODj4ZgQ4xXgE0ncDk80TK4DVhrqYCVww264YBKYCEwerQq1tSiPaRE
S4QYolsU2U7JW8jSlqPJd5a7JvemLRwNkD+hEmWJLC1/bcKmHBx8vRO3GCmI
7D32dC+3Hjd/jRzYKXK6ppHF1omuH9WNIxGbU2Q+5RKDQvpE+ULSa+ia2iL8
QQ09WBUl6fc2K1hpkxx/PbBHHC1lX5ko3ANcJGCVhFUSe4IPAHuBTfy47VCC
G36uXaK/IeLbijAjkBoKJLmcsnbJdwoMj3hXjxvArb5p0IFZNzd5pQ4hsssI
xRaYcuxyJlsIn1VmNYdB+ERaj4AK3H5Rbysl39t8teU7vIuS7RjeMkdFH/ew
41PG+h3q/JXsuugbNwWKRZwMB/mIRaK7MICG2E+MggwGst9qCoyohqx+IF8e
xbMSyVJ8LpoZcnjgDuLPg5cJ64u6TFXcDW8wewZNy4rYL7sI56BuExLkCok4
piix3VD1JqakgeaRWJDi90pka1WHiHQ5QA0mBywBRPyrhgL84e2bj+/fv/1w
/vY8G0yw6J+VDKZAA9b+ir7U9YB0jUpQ3ZbcKIRNBS856ujMVYh48mPpIfiJ
lAFe+AMV6NKHj9cC1c4WhYS5eIYBMmv8wo7lv7LotjdwKsTrwkmh/ULCABOs
ryliUq/qm93Bwe9EmyTEG+qWxRr10UlsCJyDyTUGoxsd+9kVmnyzEDDrm62W
nj2yfzxXEAv9AuttYRB4jRA3clugYvg7Z8bhfDzWWqPf2Xne5WAprS1hPXwd
VWSKqvzOuaqHBro2VfWNOAEuo9xyLPH1yy9+nO+v7h/n+3xHOyOKxyYd7mk0
3Pme8WxtXx7YQ5twZBnxQbMC6vvWWBTxjDtUVxbshhPAfaR+k8GVN/JUI253
h34SqejWR8fwYUKz0jJIDCYmAiI/teogue4EO2HxyjtolmbusY8mEK/BsZTW
7kLwnu0kAS1HIdkR/LrFqk1F+nuCJOzLJD0kREJ1c8hKmKXPSDZcmFRpeUiY
RoKmCwMQalhNlXgJ8b2WZRqb/OzBS4Yrq3QwjZYES1DYkOGfyADBncUaIwpB
RMj30DTSGI13xuBdJK5hVHTRc9h415RK/aBF9R08J177gztNPsOy7UGZPNJ2
5yMsolS32ymVa0IrHzXuyCGunmWtOAAUhzmaCIQiePEYJOCi/BwSf9og0tRn
L6xzoLBCJzlj6JqpOIZC1Ugk5IgoBgTFjTFciBm+MTs9ev/N5Dh1AE13GOnR
D5Q+WuWtfglD3CnGgQRSbGNimclK50OxbyYGSb+W6kHohqmc+59PAF63DyH+
js7Iu5qPkFpJg9C41HF2qI4axC8cKnZhesvOYAVRuKA5Rvr7IUcuH8HqeBt9
VG1TqQ7hQr34TwMLcCDaslG8N0vcZCFfFna+WN3i6yrS9+R3cIxWfG5xQgZF
hnKhLIPUIZJO4jZt4lCis0bfBEKnPZpOvCPBoUmTAqUM8ZqrnYTJPidgNm+L
SpARBkCqHnITOWs8eJrMs6t+biCabowciMYp24fna+gNFVspykQY3tu0lMpw
sslIUN/MtVvxa69lwojI4/maR2/fpNMEBp3wXYN2Y4QBYrs/dZcfHPykAOgp
CNBF2bG7VQHfo4cma4AMteuodlVwtd2R/4thSGRIa10xLFyDsRCOwajl4JNc
uiS9hY3FkHISpYIMEUnicegbxb3shkZMtT+pSVQi++oIP44OD+LP280N7geF
bmQqAwMlZlpOvuUGo8OEHMPlUQBSIhu2qmgCLE/JBLX4ZjxDDFnCmzXmy+3Q
jQtCxGJ5w4OCYrG2jEBWWNW4GNhb01jEWQinMCtAUnApmxWtph0F7xNPAR4g
8MNiVeeamEPArZZqLmLSPqr1GKErVm2hyoc5hMj9NS8Y69M6ehJjU35P4yEp
Fx4ZF0V4evhlDvZcJ/LZF3OUMi57xbcr1ZKk4EiOsC6nlWAoJybmzJB8wAiD
OFrYpeeDDgFHVDJSxPVI0dg6uMB5KT5USSiVGAyFmpbKl8kYFD7EGW6FgrOE
OJzx8yAGoMAcq86jk47VN1a3OSgUsqk5mBcXPPKeMw3m8JB8MC7Ww7BW1AzX
mprBNjvFjTIOlWHABbTeCUjzw6/xv64OyXWs7ChyRQ4o4sg8Dr86ZJwLhTjw
LgOTr1RBwlnFJEJKVYPuS2OOC/vghjy4ljFGKVoX9OMR6FL/8A/009caPadf
Z19lV+FP9C8JS/oMAnR85pqisohACfAkK3gUfqLNoMgxPENcjn/99aG5ESRV
DJFvktW2dJnyNq7XAuAg0ZVAufAocY16rxPy807rMJTBbFGplQnRUZkvkVfw
Xvdj33xCzQfgUOin7gq3b6+Ro0frQ5dZwZaaBuXY5hoyrhgHG4gkSncnTIF+
kwEleGPKlpwXy/iS28kRAez5Gp+4QIa/Em3pmC9CtOjgqROFjaVQMS9npEab
QkJ2Bg8YIOcUxbERivWGRPHbHEiBgGrx6wcEn8eKbhYFj1IDthWnPYpw03mi
XKLA6hbFKWGUkBxG/RMUz1GY9oRUgfuIU7HP0UQj2mPPRKUY8oHHFZIEy4u+
OxKb9j6qUO4Xf58PSgBZZOjIFEiIOj1+lNBqvG47eL61IDu5yJqg+/bMibiD
rx7Um4fIfb//lOZqKUmvOWLfKdSOa/aMfEangWyDyaisaYAbkCio0atAStm0
WJZSe2mvvGUBT4yXVSFedsDjGOMA4Ve3is8XjLhIkP3pJhfsnPVUaKoj27Gt
JPWjtTomHTfN6mRMMKILurDNiM8RHZZBClyBxtT/kyg8LF92Fgebv0a7GJpC
P3PeLQ8l4pCpskBhQaIUTq6bI3mYzUEyvsgpjwe2I4xSagrjIT4iqfaKFz/0
Pnv6+2dy3MwKQ8ho0hh2o6CUmnCxUUNj4I4lgNMuxoniA+UVWD/7BvQ12KpJ
1yEvIj3mYk0e7X7NvYtKc904IwNdDZFTKHG+dM7DE4wBdm8YQBCdqUQhliEB
BF+T9QJTI1uKCj75KRlcB8z2bJ3/EdkCO01Kq+lByvTcbMkkxz+CYgd4j7M+
tUIfipZBS1SVT8lVmSXBi1C34J+kyhrXyMNPYNU6LBf1WA3ojqSYHiVtG86W
8t1scvvLx3WK/qCA4V6DL6lMlyQdqzrj4Q4aocCStXMGVGGkTUOUFmPT+htf
mEMm4izN0iI1BLOzJN23t02SQqHDJ3VL7yuGJ2gYK9J1T3EuX86LINUcAeKc
yTmXPQK1aI7ES6WOXP2moXJIUhLMKU8DeaBpzAsGFbxluJ8UoRH2akEH7tnw
HhQHMCOCW87uE9+gmbhM7uX7ems2DVh8lJSLzGsqpXGaW67TRlg4IJBdvQVB
gGYRZn+jIhP9ifkwi2k2ekEDZubHugrs7CWYk8Xqt1iyBAyrfIEY3f9eLyv5
Q7BSdT7OgZtHwlW+FpW0Q6LFkhBjRhf7+K9U+kKYJSlblBqG5SwxbKnBtpWW
bfTNMaJUOpQCBKUnlkJjUE1MjcXmAiYlesoOqVrlst4cBpj4RadJllXNarEv
TsIrpFguldXjyUsaHiZcOZekROBNNFNxEj/zsoq0UimwSJB5DgmTrOecP1aW
em/vTJRaFAOkwYKh6fzpfe/amy7Uq4UBwcCc+wJs/mWBw6Hsa24wzo5Il9uy
XuXeXHX5d/jBNd8GqfPqyiAiFgisIHYJa14gPyAIiQ57RlAhIOBbJMDXzG4J
JxKqmsHcUd/Ekm1SRVlLeRlYLpdSiLAre89B1V1huaiziLRDr55S5R6Hm/ju
qjmxv1aXkFtcxI0VgerSRBpOImpdIJ/MqrZgJzW5l4JxebHoA0FaK/qGiixm
3jDpkj7CJfGcFza6hCicK5RB9N7gXWuNdwYdKGWYvhwc8Mv3aezBlZZ+QwV5
rvE2/qz5eb9ofjxyeUIPx+jo0aDHk1HiwOhpK1dJ4rwmyTnXL2NLhXIflpw5
GshisdXE0ROmOzadJO+ql3D11idbaYRi8BtHAe8bTeiYfGclJwNwXRbErFv8
EGEr+BKFZMhC2ErxqH6AL86SZVCrRZM5AP7qhRWxaB1rjh5w5XfFx8UeSMRc
mvPKcIUDrz2X1wZw11guC4tSBZ8d2RFF5VXqOMNN4z73VcIQFEsCds3NPLR0
U6r8q1mhCmPV1FQqWp2vxlSg7GjbbmlrTh9jfgHXvuxQcK/Qf4nAFIZgq2d+
s9y1VAZcPyZnyDlHUkddY4ya4KhRRjYNeR4njqx8qExw1srXUYIwhuMZIUQH
K2b5TLNRNJouT4fDv/nMTREG3FSFDedsAyaEJce7Zwlini5fRyDLW3I8CQdK
astP6bAc9e7nP8a5UFrgpGXoC15c1hLwfkxzMc/6kw6HgingTZFA7m3O4QqJ
u8602+dnXAlUYUDoaCYo++EE+2ehE3krFsb3Ohou1/6hNURgREtqnriKO4e+
dhGJMIJqoNIckH5dXVP6FbnGKTRT7dT9izoj42/FZ8uNC6L1RblKTiIQ3DjQ
EsqffIXub0Gl2QzEauBASQhdyqfm6C2ku1eaD2AXJQhiESvklX0WrN6Aesrk
HdU5z9fYrEWwoC2VEdcrlHMalQuMX15cHIdOBqGUeS9zEAPEmJ9Y39yoYqCp
Oh379kgD17trvkYSCk73ksTyMAwq6oZPKBvOxftcrvHk7CyMw8xAMh6re1H/
nFZIb4fAXXxciCfGhf42pOsreDSk5TuOdfqMsiux1hKB3mCjsOeTxlVwFof0
pzHlZUqaP5EuPXcIH5cuUlIENN5bYmZo8atVFlrtmI5dh6lRjIc8crlDSMCt
LkzIEGeM05V4Y7saNQUTstsNhuyk8sZdRf+gR9rjoRx/ZKcwDvADuj5UwpiL
OmEAmXuvwW3gWpfKSq2FmvCFF1RGJQT3tXo5ZmTB8Y6yC1S1Kk6VJGBcxkUj
BfrPUyE3AD4B/M0p4jDGlLKsZgX2jsS/9Fq5MaGsPNMBYVh2rHoV3AFPrmNQ
8UimxvUh0EjHWaBaQehMruGgJW+uJrCHblvSQu6u7q6LZdkXaVOwvDUoLEWD
GjUb1zZBXsdQszoaDvvFFLvatSFhsiBD88pK49IRc8KfHjXCL7Oj02N2JYat
gedvaxVLFLER8wRuwtHZsfDQVUkYTjQhNjvG9tRhj6L+KEdPjiUevgDjE8xs
/siPJ1cn8CW6a1MGUbcFdZ7YVpxOIw56P4WTLDhYcU0zbfon6QEcgNctGoWQ
Qm93UopQXLjloMaIsGsFsnAiZ3CFUj7DrUCbtP6Q4mVqK39BB17PKDlL/AR5
SJfndpck5QkSRR6qgcF0YWKA+MqUXE7o4MCXDcLKZPgR4g9avBczPYxVcola
EQXea0NS1skaTlvCqzdX06wgjyZGGqXaigOrKZun1Ex+j89pWJ3B7iI//2x9
Dymf1I5Zr4uB6Ql5xtekYuuGVlyqfKfqui2V83SLjHUGUSbMlxGqj2l1fh1W
FEzylBuUxacJhxrSDGIUx/mqrj8pMsZNk4/ujVLhcFEyAcss0ab92Wp9/SKR
p7SqVd4L1lkuPLAHgnqb+zTj3i6brTQ0mKI1ghr4ssg3UlZA3Z+aE82e07hP
BqG5pG65Vs+MwFJqxzoo6lBcmEsA1S5ShoNT8M9wxxLEiOOb/IyiJKW6VgjT
1oR3MizkLJ8ti3k6C1J5GCp5U/qgswYNSTbYZyShzeHiGO6zTMuooSHMWnVS
TR/h9+z8j9DLqC/XC/F5LIvV4pBttzlh+ei0NIhq25RjHXe4r2CJPX5vEVN0
2FFCD8KH2JFyJ8jTlMYI9gQPPwqtMFZUERwuL1vPcovZh3BIlnG+OnSF8ghK
QSf4/GlgnK6QHjktY0wgFe+KgbL41MuxvaaP+qjO2b89fem+UK+nZWVYzeAT
MAVbWh+RWxkF65jwXeq1o6RMOnwqMUI68ZMzsJZ2bPy6E3b09xL4dwen+whX
62ZL1UkHVipdQNhfI6KjkstEZqzEstipgxoHznlbodQ/+vbyx/bYIM8n2SRb
ljfLMXpc4U+MSdhwJZyFgjXIlWjlCmGS0xL4MXVL6FPGRNPFxQPqlpmuLSCi
WFGT2wbSusFbRe7GoMrDjXilzgGDoEt+s1wuBdYvMEOcDZy5VKAJtR8JvBEn
kWMxA81ydtTScehluFwgy9q48ogv6ZV8Ix4Xnn31xBO0o1riQQqqVXrDs+Hw
HO/O/RtbVqHuar7rL3hVVDed9bGLeYxzdjWJhZtugSTV2sUvKr8ktDFEUeIp
y9za5FDP/u05BhGxcS+tEjUUfiEHWhvvXVsL/Bn0rG7ZIhX77ZQnj2DkZwoh
RqNPHK98OeM5PJU2XIJG6GOUiQMYVghLraxWoKH9SZwmH1xVToFxRgFuKb8o
Me5VvcuW22oO2y64XlDQc6r7ujB8/LyYS2yQzeTW4NIKc0L3GXLyKLR0SDJB
AdWHOKKuTh48hH+/gZ2m3x26yommrxzeoYttBrotDCDB0YnN0skQGIZVr3AH
YE1b4W9SswbnQ7E0mweVb5JKTdK74K4oPvVLp9hF5ro5O0GnSlEWMYSkoGlw
WoRql+Tt5OCImYMig1hjZMAVoXmp5qDzHCB3WeNPTSkNzdwRcOiOVSFu4tUN
BJPpwhi2vVeR1UZIlSkOTfXvZuluFZyS3sNDuWX6DJV25SIBdLZS0ZrKu8yL
MWgELZsMaILnsj2EpPLlKWk4LTMgapygegnBtycazPFNrXiZ3PRnT0hYmMaF
5iUjceHz/wU0DjIk4OyWZJ0ilcp2sta+v+CqxsqwfJCPCAQHLL+GxpSsDCE2
WmlI4mmlNUYJBG2gJlPvomxLdXwSTVP5qxAk7J+eT03UOIRqiGHUUrP3F/ks
0JK2fuPjH5lOck9JlP4k9tbFDR7wPVAETqtmKN9JKMnc+4R1aLV6XIwT7x/K
KM1bFZNIagHO4ebd9gYnTiJDKlfFO0+lD/Vyy56lvFCvvqQvETvI5azyKSVS
oD2CyfkcQUSwMAngwfxaejLA35FHWRayzjBVUr/p6XPWpQjrLJJ0oZII7Hkd
FqCUI9gy7ucG9DrM46ewiN5kfMnWgR7HFTklOVE0vvRB1NFCfWHreJ6jCGHm
kZcC70f0KBASegyjKKk1/aQCHBIsJcBAa26+tBjuT3vuEJmEuD9VcgvLYKfb
NEaR1uKsMJz8vKk3OJIFOQY2Ffnw/WnxBkAgWLnK4IEy45oM2QZtQPYQJ8Qp
gcNkAXMMrkFRf0d48xgqgWp3SwW4200pZi61tIkKDlPNWmblkmCT5qKHDpuH
IPi3c8YNsjckxI6xDBsLcAJpuDCisoleixLzbZAbbOiryZZK84NDSoE4HKDC
uT6yf8fC/WHw0LYtgp6qCBtmMHMpO2iFEyNVXQW/Szgx/5ri+phAdGLMHNg8
sGgFGlmr0ANHlS4rCUxAUa3J70p5YV0dqVVnsOIoAb+XC9KvphRwcMYI0kRn
cjU/KIODU0jSqlwYU+Ca1b0zEQ8KH404qepJT7qsqagQdchOqzkbPPfn33T8
p1md/xJn34awfOvSvh2gQWKjvcGjXot+YuwSb6Ui4kAHwQkX2fNJNAbIzV0n
bkYLrYpbLJEaI09o20NdgADme2K2ccs5OakjazDHW9INhKcGpNPrg4P/Bf85
GHzp4CCjwoK97ENSBaLhGeRFUJ/T52N2WgBjwQH+RRrF/6ukiG7XBFJfiVd3
8Mt8tfDt4dXE+RHmcUcHYS6ZrhW+PbGAV8CGyT4zqf+L1GL41xPehwOWLq5G
Q8jLwMJptmGSsJ205nUBNgnDEc1z5mSoZy9zoRkOnBK39kwmHtrFq+jMUT0d
4yDqGCXHofdIsgEF16/I10hwdDCtpuJLVKTjnX4DIij7KrtQQEQD//ievQFf
waFmfyqaWgf4ykBuLiz6FY4Sy+QjVni/cnCuKOnpWDYEho9ohhZiNIWp/aEI
09COhVXs3Tg94Ov8E5UzuSHjT2tRh0aMrffLwwcGOBLjigJ78PXgY8o0/vJD
gTGXeOrcAQ6Hwq0tpIonQVxz6Uy4L/13/z0nBzr1PdM6Lbq3XhdGkIaa1KGr
kRjoSXcv4VNukVLINuGXo2yIYT05ec7wH6pH2NXSOzZlqQk7goM8OTkhqiT8
ORimBAy33BCFi7f4jOcTQAFvvsvoPx8m+MNvMuprIQ2kw8CPv8rkP4+jH56/
wqudiIKjD5g28uzYva+/0hxZKZRnWCS3OiWycFdwgKbglr+cnhEtTkD32mHa
dF6aVTIMspf+10M8OZ5ITmJJ7j6PR4M4cAPVNFlT1M16i81CpazKg/uOMJzP
98oQM8o7X0ZU8Iy4J1+rdHfRL2Hlqt2VGaBvRyBvck4/SliOZN1t2mI7r8dC
76dnL8dToL+9jPfIEq8o1QkhnRRiHLyAx9kPI+UmaDmggi9d4EIq1Z7L6S4g
+w0FG723GzG589wnJE5nLw7coh5mF2d0j3bTWi/1QWZHtx+dUWKbGBup0Lkh
XDnhgSySV92+SkgJcfxXPdYreEdlK/6sErGl3qHCx8pK3dSUxx2igVxCXUUB
tx+oHIbO9evD8tjhNfo12EYYI6ik1XG9wEHu3zqOrgvWKBfnQQSCxjFEAPkS
LyFNJEO6PFoViw7/cqxTDYvHEd7/eHXNIYQO8RPB72PJaTR3v2M2H5GKLg1Q
PFo6KO+T3ONMc+6o1TEmo1hWTU9IRqnSjBXaIaZpWsqcsJLUxorWptvoSeZo
s9rGRV38pT6O6jlItVn4FqdclJJGFordgAj8VJDACZ52dNzl7W6ozHoAQHXL
fspfT8xJMFinrx6LqJVvqGWReC+MTRIqWu1K3SkpKYkpeVxukFogoAm/LSwN
lnxTHr9NIfIwm7ipjr/SdXOP3UJlsRWJS53t1Si7YoeVVdFqgfdW2RUt93s0
yy4C6E9YIvvPqny1a6nmkjn70kLIYoi6MsD7U/rU0e6AY72+MNr7RPclrVjS
Wrc+83dEFfg9fhHmfIhm56FCo4cbeSi+HRu/4BZfvpW+WYxB70Kb51AQOLSw
KCstd0LEhm0dieCM5HsNAuLKSWJnIHEQEasZGEZymARO3CEHAPylYTGU9DU5
0SZ/ilmlKhrX2kCbVof3iy+dhJExKaNB9zXHwRTTET6Ck78WbH4ZUEXZ5PeX
XKmy801pCAuuETVrrVr4HvKByoc/RvMs1cEIw2BvnvdX3F6t1wDnvg9O8Syx
k604jKxJm4YEXT1+aymDcxF9jaaEmq8ksYnThpUsX3louOOH1NVpB0kkLJxR
uFhWBCkNyXYkbZXUd2vNjS4WQ+kZYMqOnfGHqgUnflHeCoYwL+ZE1rN6U6pr
jBcLexwwpcqnOIFibhGdslNDwFp4cC27hnuICeQ0LMNhcKXwPCH8TtRIDxsd
Xwny9kn7XOYS1BYPH9+Tvs2JJ+J9a13l9ajf3SbfjPVUjtlfr8fO06CGearZ
WREc6peFjfLGeumPj+kz8JA1AvT99BAheyVAPGV1VMqcGspJK4XQXSiuOahN
fA3FkU3k1mspKspka2OnLL/ECf0RF+F2vMpHhHMSK2GvnHbxoAP3I+aubpBj
eyHHy+WsKw9hFINlxJG+U1BKZd6roM47E0qdq2uZYY3KMudBbAZ+5rQMN59J
m+ZfUzHqJYcCML/RlfN1/YswRHhI6Y/SVSd0LiIwgnINaa6hUZtgXCtboEHi
XopoByIHmQrgUYDOz1+8APXZ4vKSIxYBAUJJDoLTTbmDWikQYVHIwIZoUWbq
uokv+VIG6fclJCiRNiqqp/3/JHzC8RdE0/LQ8K1mLt1PDg4QyGE1yQbUGVfh
ug4hJLQ4DdVtQB6hrelOTla96hjFdWXPeIMkLYPVGWw1xDWUrlg5uxKHdMBk
u4YuVDsvV7CXBosi/aYXrCSx4sM+6KpPYq0em0OlvlZcFL7tzYByGGsuxMTk
rubavlQtJOe/Ykanjx88JYmzRTEsb9REXUUHpkLlsP18VEB1SQrJcGfHvvfp
uFcWmN5MQg6cqcMCP14R10iks1WtVdg+iiVj3b+ISKCSAiNrx5mCMfWepPZE
kgKJ5UdzgoegJ/8OVWk2U+djTlZzjWZDGQ1t3hHK2h1JMxsiagxsH7t8a+5Z
7IvG1tS8ZPflbpl8p0h7ktzfweUKRcIW/iiYtH2PSfdO4kUxxIA4iqTQG5RJ
E8YJhYoz1p2JJLySSNzl17XTTco9yFe9r6nXcJUARVrT2n9skEdgFmItAHl8
8y1Mk0ozX5qa/w7f+xrfe+N5y7USXKA3VQM8pVn1tahMF1b+kBXypaIqZlaA
p2fZUgfj3SruYIySHCH0Ei3mEnGxusI3Jkwkd7gh4fswm3j7cUKYdqpyebB7
cu/bUb076VHEt0hqEoZDCdj2Sd9hvZ8UgnnOTV3pza6JUI/9+zeSj6rJp3DU
fCGusdKlWM6Wdd1ypT6+BjpK3HjCtsFEWo//IrJWa+zJM0lgOlSokfxh/WTk
/pQQKFfmovDaNVf0CG2b8A5XEQZpjeC1nWU3U8XGqsu5HQ7yWE3pi6r7iOay
/wC8l8Fq+lA2I/1K2tRgMh4mf7+mAnTxcKRR2Xmium0iyvescy1rscrN/rRm
JgKEq0kix4hKfQzAN/YQ8h6uwKXlEygc58pkP/sqjL+IHRkXenQlJ82bNNTW
PpSysjqJmttsHQhpw7FO4wND+eo/S6u+WKc5ycGWPmktVzLW/pS+M8Moe9gX
Ycu6VsITIWoe122U62MdkIgtyWYJaM2/jFMht2haToPDK8ZvbDyLrOLTFMHX
7Q+dF64DVMh5+jhfQXVhqQElljZKksrlxGmFqCCOKAoUFQ5TxVWL5ajny79r
iA2SE6+p5P39ED0C0PUrd0tKipRawZuPhb+0txniqbkvK0f+fqe59Fp4Ku65
TOW7rAg5C/SocltrY0RJWuhXidK5OFrg8rPU6WSbpAhgG5AlIwEKXScVnKev
v2G+YaIJZjfZbUG1hAacw2XFi0HMIM7wJm+mwAQPsWGllB89DuwZuVshWB/N
5YjWFZMQl7FE+zKnDu+TyhdnM+16WeuZtP1qNxFklmfbMsVJc+nh4iOis3OG
jSmpXG51T2mgri1Wi1Bn3YrKVJxKuUD1Az76lz//B/XeRM8hcMv2L3/+P5Ld
FWJ7vhJQ1GE2KqOXuuJ9mJJdSYEcpDOCVXzcX9Y+xMQsVVoC9hKBGCyDyJyP
1ZCk1OR2sCC9HAjMHqexKuY35uWN1E0qYcGlLrmyeZTTZtW+mMI4CYOiIAab
ul4WEbF3+08QAeAdSnxqYkyFg3o1gq+XyStDjUxcaZITSrvOiTLrTf7vZGF8
KipvqleiSvhmpCON3hWgMCEbE/9BtImt15nuJQnpCHVbcCs3mrEUqG82TdGF
CHb0Aa0dwzB9+EbBsXFXMw6FEjOyuIAV3wRJp+U6atwn4Ut1f2RnyD0j/jh0
J2JbWkx4T8uAh4Kq+TweUlwoZPAuelWs1MnN0pmYhxOmonNEJx2kQDkvWJ3c
asNoxxYxp7WhEplUxQU5Dpl9zbQEjQbMNGlbgBkBNhURJZwCi3/PucQ3NrFN
2IBRs7bF4NRnhQRjEo6Se18QmreW9omybo6duxFnrcMRGJ2ck6WCNFkBtKg2
aHhy2TXdSc2PUGBjmYfy5nOBfeKjQiwIRlqJ/kGC3vKMk/7PAkVlZ6AjFqr+
uZSEbwG6eTYkojgqxtUKCtXumMs4oioOzLk7RYKeJD0QpZdsqMiAiU3JRM2f
/gFnFOjIDskpqFxUQt1X/sIP1g3Dqdyy55dSx+Wup/c/Z1jVWLBAQ2P5NHr0
tnDzLm5UgOVBJPEaTwZx9JYIEntRo9Lmi9C6U4C3fuu5bh9l9UtBc+UWHNTh
uIdYb2m6Pd/XISrQGpGVlGfjG8RNIKQwVaRm7JOPUtM1uOvDhuYrgibkXHvQ
goZRQUIBiDOMgDZGVUUZjQwxYgYqxOK63TKtCttj7hzHiOmd26lbelsodasd
/RK8kvBgTyvxbqiEt3pZgq/uVRvIRdULmQHY+jy8zUWEmwK4YpNrl1rO+++J
FgM419UtPtFPWI8zkHJLLeeCxyKu9Pji8IP1sE5PmKueD/i0fP4cwcPQDo89
kBqv6YGqSg8DCpchVCpxWnko9KjpisIwqA1wLY3tyfPA25cAWzMKn3EFy+HS
tORoO9dSaOf9Ov9sZPOVUVh1MKWjfI++AKFLDxPfRGViyYPiscahkKtUrlzB
QjCDzdkFMNPTkzj/XzB9rVY20hwxi6bGqvHRh8nVsR3eTMqJEPfmy40AZE25
2Gca6DWKFZ+Dg7OTIYuxtADt3FWBKuWAiirumc0K817EeVr+QGJVrQT+eHq0
9qbIlf+aYh5kZ3ydY6dPwNueBFA2sSsgXZTuazX2+HPeNkJneSs1WnOsMZPv
qD+ATiTcLE0Xi7D2UWly2NEnJ2jCgY5dNEgQls7jMGqunEKVLMtXhx/s0+bK
pZPep2pmJBSrXu36STtYtp95Z7dT1yGV68edEb6lVDCKP9aTGzCIALHoPpSN
ZJ9TyO/pSfaxmg0slnATYB6OlMOLGIuNbI2mCwaVdMoH2LaqvoWWnhRJjil9
sKo/9/gi6jTZllyQPbfpGd+mWAQIlFQrMyVnY41ouL/XXsPNsYd9k4qLnrgz
MofWOkcXHZZ7ct84whKKjqzyfU0AfHSNXF6EChKvuI0cVbIT/SGWQwcHzxOO
KIVU25iXDuyTmdlxQwAxNtLdg5VFUeQQsjgqT0CT0I08djV8NZI0oEV+ZIUs
gmkPgGh+//3kA7qMwRxkl6IDGJFKM7IPkywEjlMo4/IkF5KOW9XZmbHBBr44
MS5naI4h0lBtmto8lK6xzZcbPfCG39jQ+5o2eBbZUiAej7rfxaGI4udRHn9O
yuCY68cF7/l+oEZEPBwa/FKHwqG3KHdbdd60WyEbvDxgVP9LIv++t5A2UkyZ
rBUGHnEz0UhlJJ4X+lfIYgfrlj+sHHzSHkdac4g1L+pe1C9nkEEllCP/fLPE
dK1KqkVrjfbxW2x2L5iUF6+ePLaiXrqAIfWUgKW9gdUueP/NRM7P9X5MrBhR
9ofar4TxEnYr15h688A1LPWMNc+/1yGGA+pET+h9ZaebDwQPdZuRzrlkqkoh
RDhYCWpX85gmLXxGEWPpQvp1U+fzKT6rDWK/hWcp5f3o6w/fHsNnf8Ky3Kgx
IqeRZr0rvH1HP33/ppXOLmEc7V7s+8ziYD+AXgl0sSFYliKr2AqZ76p8DXN/
d319iSlBJXIEUU5+Tx0CrJp8yKyBMX9/NTluLVQB/2oHQu5SL/cuF//fTBE/
Ztpyv5P0QErX/tbmlEtNX9nt3jXnmi4s1mEFG8SRmay6K6ZtyU60Vb6tgH//
v0VTj8/z3SP64Q08+ElN81E2b1grRJOR0i8b7btoI4kZV8U7F+oRSYEzZHKo
+QSP5ILNzrzjOnNa5tQaYm27GvEwcCR1d7WB/Tw9eQwmyg5LBnImJShMc+yx
jSg5rBaoWzEL8TmqMFyJy41nXqLZt8bawt+U+tdwIqFMg2PLuduA37YZ2nGb
X5cmrBV7vU9Fuk4SGvtLbpOoXHqoDH4PFsow9xEfRu5onWVFBw0CKlRKM35N
xu9wc82oP00f99iGcvoWPyUhigMlnezJsCciXxPG7CHNbkw9LAkgOt9y98YE
eKUjt1296W/aUPuc93JEYpVY7DpCYo4Xq/wGY9gsJH8lFaTeNcvAtyxGqp3R
JwY6TRbiVo221/KPtVMaqM2s8cxslUsO/bXWTNbXAsuqGIOmlXI4st5Kup01
BKCDssLuD1q5SkUKMK9Kpjn7mganA9IdjuINLx/rtr7RnWgK9aKw05mNiP3t
uumT1G0yymtH+tqjURz84z3fk3akiM2c1vWqyJOi7xlSRQjBa0hMEr8P1QE0
ON1D+vQ/cmYl3UYajJRh0oUPFyCBi8ORekksHACXhuwdZOe4jYKTWRU3CKvX
/fzHL4yOuXU2eGudHnLyKLieu/sa87CplBSJ33cy1kIs2m52tOqNJWeY+Ryc
sb+naRJlpHJ0QWIOWThI6ociA4snl51tfRXFqbDBURhqGO1tD02w/cIzVu1U
JgoIUrLqIg+m5C/S8QMOh3d536d/JVEzgfzNiZr5+K+i6ZG04AjC6pALcDqD
+JA/KEEyrbmCJRkwivyfuBN/h2ugB/S3vwZ29L/iGsQL/E9fBnY+3XcF/pN0
2D/6B9NeEoD92zJUVeMeQDwcdzGiGfSKwRaikvKTtB8mZaUUNeInsJ0SVF0E
J+V9zFeFieOh7sXThwLmEIU6n+9vY7efb1mRm7jKZ/qkefLI22XIitBPbdDY
lr6tHkOhj0kEv1UU1xBSS+LL0oWVQsifuW6xq5wzuGC17bQuvX6VyWleGE4l
So22qUdQhG2l9YvU0+LjNxo68/MPvseeQ8X3Uwr0KvUWSik+jQFD5nMhvwip
FFVM3lXNt7E4ccgp5bCiRttPpId6rjfLsnaiENieW6AXYO8exw4I84yQ5VB2
A91k+47vUJGa0rCcx0VmLJEUcjSONFdLlWJyHsGmjDjt5wGeKnbCaJUTKVBA
zuQhiy/uY9qPFN4TJmTqHShDGd0bBQgsauHjX5DixtsE6VffM3nvs3Ch1YF+
Z+7BopKuzr6zJCdDMtOVqKq0kEtArdka21eQ8Y7DSMGzvvAg++435MsTj4DZ
GBNrPNtm3I8ieG+S5uzoSyy75JC+pIl9QRVQ2JxJ+34Wzf6GpYWbuwdhIJY1
Af1xoOevMZcepGZyBY5UnDIVMDxTZkq0wXABcc8gRmHAU9vjHHs0jj1BYLmy
fmCZget7TLi5jOt5Datae1k+xxm5Qws5yYVA0y5Uw7Pmyh1OACZSR3zhRVKW
X9j84MUe4jP3Kmrklcl7J66xmKOce67CorB/x0yadlHNwlI6RCTQveMBL3FH
fdfumQijbDkKFe/CSCBUdGB7c5d6kQ7P3NOwDQPzUKFVtziC6BdY8+PEZSdR
OlxreKXyvqMM5TbX5Xy+KmJRLx90oTMrR0R8dMqcGEXbohOI2l56C4NMAwMf
npXEtEPwTZRQicNJbO6OXFgeXXT/JLy3TlrwRlrNT1hztFH8uGRnkKtIICIG
o31xciZBB4prc2nyrui7tEIBDKZwSvqLivSIW5KVRK2M0SYXpQvsKXgGKaLy
d+SJicgx80d6upYFiJ8fsW2C1iwQDmVeZj1GiuaWsy0WGAJipIVrs5AuNKnj
yEpThL6d1OTGkMXUrEi+oX5TathVMWSRWLdGSYRS+CClZiM3TKZXyGa7IWyC
gN9RNYV9UIQxzHO7oZ4QcFnrRUcdjMo1RQ6pRqB2phG1m5+15Hj8hgDUZKp4
yIIiMqwvl+hH9BrzY01cHlHUxds4pChQiCmUEtBtinvfbDdzQZpPVBb1Sos6
4lKzWysVmPhR0YOFIOZ7ZS9KbsL+7Se4iNjucWBmmSubE6oDOV/6yJoZS4QP
s/olZoc0eCcl4mvuVh51O46BHoZG0jPm+i3BjFlyEpaGN4TNMxDU4J/msLDr
bCRDOfQskDyKnis1MSsgedvOQPVrStTIVWMUCmeNZ5/BTTG38DVG6IuhCUNv
m0qLPbSOx2nBfv4Qbw6WTDBw/Q92VqY76hbq1hGCk9y4SD6uesjOVa6RX/NS
MNN4o3zCno7jR9Ynp+nPQMrgREMOCE72PglkVtcbCsWZ/ubmSwKcXpbXmDmG
urEpSD8EPHgLpMd2mCW+lOzYcP8ZxzTm7p7yIvbdVhHye72FEpd39Vo4F0xq
OLEhHNHvHvpK/ID7VXgKkMaFPvgsgw2eqvKEIqHdUnPb/ZENofZep+govimK
QSbIniYuxFBhi4j6psqh/c7nXVzSnw9hWqQFmUPjNGZR1SejANUDRcXtk4Br
UarfRLpTaL6Q54PMWfV3SVPElEudZGkjXP0a1xkXtzPvZG8hMSkPMQD0uyB+
ync44xMI5hum8Ep9LalJo8Xsex+TlTOFIlFEsA916YSsGkwjZLVMZa6RO7W+
sHb1eLhUqExVWidPR4HVj4IwoPpcMwZW9OY6GNRkqcsP8K6pusLqE+PQguYb
J5N0ezM2vtCaA7fXqb2cfkDLj7rWg4QkpJu1igzgT+JAOAXpCYMFRtyjUtol
8nq5Wyr+JQYNt5xkHdlOrcFrjoqTm5OQeSKIF8wpyTjgK2NYeolPH7ginJ5c
O+nvIAKamExoxdjnMcqWpGgkfpC+oVMczxSNw/kZo+Cnlf6mJQL+FjlybUtx
iurLWI5b4q5pew2xJMtpIBJ/7Nptr/PP5Xq7dg1wrEqCmDpzk6GUQg3PgmHU
bDeKkKo3hfrKTdmUbKHg0CV1XQiJEmlbakEC//+Ht28+vn//9sP52/PY5OCt
CZtIVVZQ016Vmt4SaXogP9ralSLh3Xyosy4KRHBeNhHn0Fd7+UlhEkYUv+a7
Pq63L4u/f3fj0oSiPKMkuiFrXW8VkqWVwwytuiX1wfxKPXKKVCUYR3XzfRaA
qBVUtbqokqvge5s95LsOEWYfxESHgopeiN1wrO1cPL38tdNi3vlDqHfBIYlv
EILx3ph4nJptPZimhasvCfRQlGwTsAzgng50ie7qbFY2s+2aK8hiNWtJ/1Cv
pLqH2gdTEXM3FCiRnHVhNcvjkG0XWOTfz4q/onQnazJLdtOiyCnxvipu6q6U
RCvHPh9kXjnh7YpO2ZHyYa4U20ZnE/gP3NmSs7C48kPqeu1CY6RCeqMA4VO9
swcCd4KoMEiRObzjpGVOx/l7nYBqyRa0ohURbbWdKxdafk5SFZIiahEP0Fyt
xMPPOLDvY9u502gr/8qXfPUeBm51hy4WZ3v3qosmehR1vGezHmQYHiSyYTY7
98dE4oQz9eNJtqLeTxzsSDsz8tWDX2PxhnpVjFsMBmtSlnCW1qeP5qFHmlbI
odJ6qqxZ4RoJ9ai0dFlk22rbsoeHrbr+A/Rniibixt1xD6+IuQ7FqSkz/0E0
rOkQonGHkrytkzV+94jZYuc0bmEurlrTBCJwv7NEG+2F020N4llwOxbZYoou
VdyPSUtLhpVGCvs949mMUg6bx2g+JZ2VK0LhdjItPSUZga1olJ5+WZT8Pthx
V0x06B2LXUL3OcnYDTYcDM5DvHUf2v9X4GlkZXEknLaNZSA5SSWMoUDT+KM+
3S/5PmU/Y3FVrMU00qJM5AYZePIvf/4PdPkCmx5f7zZF9g+Z9nQoxh+Bm//l
z/9HM/57gXuK5nGufsf1ElxtnWTfK/PqcRnz6CCcHibRpIGH+hFyjZ+Iqe4O
1phOHI3SNBMcOw2Mw5OP6kZ+XXObdNcr0Bo7GYjKihpyGDxy/EmpWKwcIQAA
KSazP2oRxI62oNgbNRyENPh4tbfSRwHnQO7lnrUXVZuwwke4cfQ8HbKig2Ic
GfnzS+5XXBKQKyzb6Q1hmF/x7S9/EVTteKfNdm8iWlADYaf+roGL/WUA6Zec
ZNR5hBFSWomEZmxB2z2nLrzQzVfV/l8dE40y8ovs3fvJm1CbcD8kj2sveT4Y
AEylULfxeBMuoUqd1Ttv/37hKgUfiQc5OMMSH2GEb7x/65MqFJa7nzsnshJh
ZG1+CVtInxXhqZjGehBBpr4P04cpTBul+5E+yDE0qppDpr9wYO2YJuLvx4qr
t2DxXBV/18M91yJGNkCCg/WHKCsPaaNBlyvyeCn0EI3GHhtxbFHR/agOeMjn
JJH/8vHZyekfskfZT5eT7C2XBSqNgvF1Vwg/6MoDBZCePHvxauTal2D9Iym1
w02e0TrHcnir3WuEeYqk0mR8FH2hiVfFhemlhImvtsUNOqQ14r3iXov5+Kti
iS6ilMFZcKre2cvnr3z5plOY/sgEDWdlRFPaZ8ow3ek1EE0GWx5TBpeWW+CO
3DDg0CTR2VJRpTRGKqWVlkKoNnKSEZtt6pyqzi+KubioQhpuMd/in2HFb89/
/OHj5D2cENJ1XBE31CV/qwXi99TfOzhgv6t+86apt5vwuY8gnn+QP/3888fL
tx/wmxcfvoXPBglgpXqoEAbBjHvXwTKN9UuhsWZwWOMwv7/8IOXzOWsL2Ad2
Hu8SfYSuo7IF95mDg+g6FHYd7IoxBrnyuJBVvuNLHer2jnyJdZfJugaZQSCr
tpVuO2129P7qu2PHCKJSpp3cwaS7BRdctUwdGod3rVlzICZvmlLzCtP8VYFj
gFr6/vLyLXD42e34u2Kn9Ujpl1dY7ZV+meSuawn9BL3XCzdoC0CywsmViBWw
B1r0REqI1HB0PWTKnIfA4iK8bP78YqjVWkQ9pXn5c6ofOI7rB1rBqQgvSu54
YJ7LfNNKscKhpEuy33tml/TW4AYn6GyBVW3uEVV0xAYECEDZ4LvsdTlxMOa2
KCRtniOsYsSyq5wEGJzmdwYyxskJ4Q0yjn2Ubwvi2lO+h1puVY7xA4PdlDi+
IdErVv3YKK5io4DrqTgjWjR/9rRcJPYrSa6LypYZe12cxcopcGBJsN5zixCA
bZvYw5l2DVJ6tequSGfl50JTWtdxgwb9iHF5lUchba0rPnOPD0qHo3HCHxvv
eH2ws8KMcsnui3DYivaxHs2p5b/g6kCddt3lyOPwlLTQk/W89WUoa8cUxfUb
EjZdmVFxqnH/0Wk5n4cSTuk2IeBxReVcdY6hVfDAeJYKOTgchjeD1kr+yQiu
7ioPaDUthqGpYRQP9yucSSVVAqLs5VGaL2mjm69UOGDyNYWeTRmoQTql4Rto
nlKHmUKC6FiXsVGjqoDX9WfPJOu76QbCRRVv3GDDJTYasRXlF2b4cHpleyUE
BDi5M7iSitB4GMvR0OZVNVfDx5pADVvVVM+WoGkpTQ8bqnIZD7K9yuEXhhsw
OfYNpoybrAtaANDqygC+oT7oQRZUTLrKF52e5NRlYTtCifRCXM0DqfCQYYQB
aXRotuHeVbBxVLJoiMzLELPQ2okwCGO/Bp40OBIaRee8neQT0wNC9r13I3/C
Uu0HBx+kGJ7hHX+VbelC8CGTzZ+oIxHgz5HCRsplq259a3o88kdHFswkKUv2
fvLPWvHUgXC16IailtHJx5eiTeqatdJIqu+UTfMZ9vclzwhei4BzcQ4iIQ1v
kUWT1JIjJYNrv4AiV3W78QLv+9HZs+NsB8fRjqSoXzCZ0Eiir6iVyxW/Q2HS
AFLttLggV9cQ35HWCNxspyvlS9pbV6se+cgwDGEMbKSVf6cosO28udnN0M2u
JUrKWnxr1bt8KpgUNacirniWUrzCla/9gvdQetsN50fTiX4Z7pV3kUuikDoJ
1FkI9zaES8rIVS4taDBQjuy70ULIvl8ljBAK6fgiDhiGpN8kYTsrfZFSJveS
ESWgtHy2NR11oekk+zMybFs8bmteE3isFtWx3lBI27fRWQl82RVS7AbxA0kX
BvM0YZLqetNxpIqlbLq0lHQ4xJyXq1gt0evLiuhKsW5hO52R5DUmLo6hwCpR
Lb+B4bXUqtjdcakKK95gDh+fB+zqj4bKKR0BQvT52C+reAiFxufzetP9mvxO
q/GBpSMS36vFmo1tJ1LaRUDud8wS6L/MqdhqXCg90mbaqBuqawPEM8R7U2iU
O2rh3XNtxW78HmVoHRMKVoKqFeaXEI3e5FjpEuJrfc4k9y+Snp9oFC6xH3gl
HXTpRLcd9eGb7kQxo9QQZRELCptYnyBX7++h2sKP8naQW4eJe5YZjxqiiQU1
4KkNKUISf1HbJI7wzWq4139SKzz4o0kmaGok6hFvMCffEIMufeqLikTNfeek
xpJWPxwkopC01yu9a7UWxWtp2qnNxaVFcTjir/hsj+/si/yoDEGJIHvoe9xi
M3qu4mzgubhD0vCVY1wzO+G1dUXvpAeL9R45cGQcOjiO8/buVaBVqZurW9TK
Q+XzOexP+/CwflDXrr8+D75cqnIjLSPmVJO0Euh+bPt6ciR2wHrA3I77gQiZ
ZBriuH7wJDjijd/u329BoWB89C1Xjb/tI1Cagoxlh9PWRp7EjBosuUVfFuwJ
TUhH813C/1MIi71IAtLT6ilfjYHaV0XDtIvOXg4Rw5b8UZW2icv0lfmXUaeV
XFLGPqMwKsWYVbyK+dxCzwephpDdseykotorKltLm+snmIcmVDvW+GiyNruD
g0kVvTxQq0KKi2oCIe+76jN/+fN/9ID52DSE3jSdjHJmucIFvMB5+yHZF92w
LozllLJ4UOuZi25Z7RLEfnyZqW9BuWLTrC3Et+4yb3CPj8SZvaIKfenXgB2Q
iGNk45EDXQ3P7thnL3gEqQ8VRqg6V+BOeee9xViUlbqPIm2Fo9NoejR+FJX3
lTg4eSnS+kO1UtOQ0PgJ+zvCQuOi/4ZisuoK7epNvapvJPFnQQGkrjYvLwUZ
Qv+tFflkF1Z7Xvms9hjHQ74Jlb54TzGPjlZEH9QOrkQ9oYhDlIRgYVJl7Ojx
p0CWSErKsXf5JworZwiBOihDAdpNif45nDmOFOxG0HJK9OvDr6+zGy78OIqo
gSYeTU6nRmSMLCbK9g5Tp4XirFpr0ziIzzU60UqWWtQVGBmZngyeWIToLVfg
8K8HuEp6rkwXmNGz7Xzbc/1gvRjKimD2/wE00IjnX3R0mHhVUc+UsoY0STCj
iONIZ10wcpf17NAMgNaizjHOKMSmGE4pUp7txqKNnBEPFgdE/OHLeZTjIg5l
QtgFMJuwGRhwVe9IQgafMTPgFEa9D745hBnURIKHK83kOaVg+0Dpk07gLnil
JFeK+44jO3FdXjhkp2uzvAKvfDsPtqnhHTcPIKgX7ZX0YLSYrJgZsCDXmMA3
SgvtvMs+/t6av/my/Uk3lKFs7aehnhCKRbG7iAbLdYHkbZ2BKjbJtI5F27lg
ICPNeddkcw3hdD4wJitVedXf4mR/tSQqluXsz/5FPHu9c6KUJj1NiPZWdf1J
QbR7Ghy5htRMlOQhGabICCP3RwRtib+PuB3iOaI9Ym7GNYFFW6HKZQJAvZd6
gg8D1AbmBKhchBuprW3VOyDgyJBQzZWIM7Rrijtq1ybFz2NSCr04l5TKxVMW
ZVcSxuVR3L+mi+DFKBN3btrTYiU9f1CShqGxqPDGAA+sC7IMkkGZcwbNsClv
6gaVzk1BiVa4CLoX3PKKWZw0Cr3ZouXRhqbhDX50vWbnRs0SN1pQPLNQRJRn
A2Q1K8SsvQI6n1E5Wb63WkeafERgQ2aTDXxu05RAS6Ay0NNkilCndaQiJW2M
czMvCIj2lCEmZKdFjczIT99nuUdNaxlWJrXN0LxNHybNW2oCkJ+iAD5JvkAw
KsdFgHbj9LWYL7mItX1xClSKio9LdH82w5wtGAIxIUFc9mLx52W+xja/IX5N
fIbTIRZUo4KUWCYweGI8QwdRJOl77UhIB1pr7y/UkHT1r0NZ0nNQ+6iCMsN6
yNk6Yi3kUH1PhzjhQuAkPtx8qImRhxx0k+/DdrZ29Jjk4gyLQ5tEq3I1aU8q
5VlV6WEVKA90hZPW7WLX/vMX1L5OoI6zFdZE6yIXWUCpo4pgZVm137w7ANtb
1NQYCKKVy7CF7hg0aPwnXB2c9LZSf54pq9SstmWItEP+HF1cXbbHtGSOKOCp
+mNvcvKZOzBvUCotB9GywwQ2hG1tuc1wwEBE7Xz5Jjh9hFQq/13yP2LXP4Fr
ftR7sqlbbJa9qMOtaTkW7S8XnRZ5TKiguRnjyBYnbyZvrr6SQ3r56vELOCTK
giIzGkh5lYuOJ2ORkeS9yHAZb8qKPfRMW3IVTdGXBGbN9I50UmC6egHaGTBc
NyeTcxrgYUDJaP/1jq6+v9dp4D6p5wd7C0cfH9HANtI2yOzgFL4rmmnR1K1s
3tPTs8dM4QYEy/XIdAYUCYsAZv1mVULRku1sqZDOHmMlFD6DkXspqRFjXLLM
JsdW5b6t5B5dyR/d1olDX3mhpZB3iqCSWOTOqHHfvl1cAiMyuAv9i7/sF9+G
muxNyS2spsi7yF3FwKffX35QtIg+K2B03Y3bor8d/D0PWHexKqMZ7SYwdTXF
kWCt0TWN4uuHsWgwHVc2MgAecWfS4a1i1my1bWmUlLuqLi4suXCXm51EeJkQ
F7Au25ttyVVQsAZSbT5wGs5hJHAiTljkc+J9xrSmectJFzny4XlO7tkVjh/w
IATQX3iZG8QEqx4XIORoSdg1TJTgH7YrzJ4Pf7Imx2ZMSbEhqX8TF7/A/I27
vKkE3zoclgtxnLDgBr970mujTe6AKWpn4ryQ20gilTQufI845h1sVSfdEcmH
Jyig05PU+9PDaz2g/O5BBiKA9uF19hMusBeeCwQqFz7JryH906AeVg+H8lSH
G4xolx8Yu9fJ4/+yNTz5a9YQ0N5fDqnHlUS74RyGKGb06xcrbpMHLfhpj6rE
3WYpar6zb0j95gVHZqTJjBhMou7beCmTFRgzCvVyuGz1nXBGIvFzfjFkxbD+
W2CfQ1vRwqWk+Zn7IKuD/RDGyb2iLYzF/Rfnh5XVbb26DaWupAWm9WOyInI7
V+jHxhJD0QrY7aQc9D1z5G5jv54Oe42Y4+P6v/O0/HY94KTSjUtPS3wOSVUn
tDSWILAO4z66lVma7oZary8q/jbWXjjc2gzrnsQuGPbiV4w9zKQ/CTbtMGkc
uiOzIMe/f381eLPje0z5mtZ4ZO7ku0nAe272i3tna00MJUhTNzd5pe2x/mZL
4SohGGZXsEHklZY60jlV70bVivv9gBJ2Sx4nqrJSUk+mrkTNfiMIefhRw5dY
ea4DDa+rfWSRi8oYOo2lq2wT9m9DjhtjUtihXN3UvuQT5y7WVdkRfoo91VcM
WGYdNQVd5MMN1VlDT8pD2U0SzN6e4A6zGwed6jc/swCzQeFCWyoG8jEoTvpf
s2FAWGYSPk1etlySL09Tc6vs9NWrl7CQ88k12CDfYQCa/BdUgACH0EChX+8r
co1PYFuwqelsZQ+325sbWBs/ffb48Qt769njl49DjPnsBP4ffkvkZVfXn6Rf
6AOd2lpp1D6tMOuRoFnk3+z5rmeUqzA3cAfTJJc2ojNdE/Agt6mfPR3x3MX9
irQhri+hiUtBA6MWyjGTogrOYaqnENEZkf1sZyj+EGTK2cPg8u7MZcV44xRQ
pOSoIVP5q9a21XMhjdMC55LfY56xKNCtXnb1z0YZg77RID78nn342c+/iU3l
sTj3f9mXThgvaDBZyJXU88ZSaUllDlegpTnj7bdNF6CSBK8dEmbww5HjDTux
Dj1EzExA8wGtpV8kNyXXUI6b2QtbG+uDx2LZTEIFOUm+hz1dt+PZMt/AJurv
jm5Pw+17Sh4vPPfbs/DbF8/gTh6zmbrO/0i8gHAGi1V+18YZR+22ZMQZRQPa
wrtOcsMBUs6SSctLyrG7fivlAa5RLJCzSeaIM2zZEcTVCMQPwbvqkByG8BfC
I9evlGWzXbg9C/45btesZYzJjcFYJ/vySdgp44/Tpv6EjeMItwuM6Cn3habS
fLhnk6vvYS3Exlx3SGbXfDHXjDBos+8tvZCnIp2nexMxTo0Y1jVTDfIWeDKX
NCkQk5aIj9lvlMAgBkGYk3d6s44UUFnt5h88HmuZRxpEmEmUN6X5uBFiiwuE
RChnpxQ3Ba2OTPeeyOg80lvxLI4SA59/efKU0wcU7qweDo5CCAJPdBQ9xJlp
vAgSsfbQkmPXFEV2/taFIK16LkVF1OOAA54+H9cgurrsw/X4Xd4uo9CUXsq0
FmM0dnDrvMh4KMxhVCh5/wPBJzkv0f3LFdvp5GWRZ6c8EHkMKCHSINGaARfN
IAW/xjfebzQRm/h4guH5wn2OFOqwFe4p/CRMZiTO/M/uPX1Qii7Zk0C7hPei
q36WPr0gQLw8rAAO/ztCInCpYGLQf0K3oishGlCArreKzyzEgBZyY+lz7Sno
DPspSQIC1x4t5q0vo3j2b6fPEyKK4LToKGqomH5Yy1mykYb6lx1F/5sPekrZ
rJzU3KmP2YAisiKvpHQ9UaUXvyyDiX5QiTTG2mTydfVqtVq5HGv74mdazKgl
/BxWuz999PzZsyfPjwmTgV420oWWNDTtMg7L/9RCipW2k6KLNm1AxI45s9Tt
EudzCpQGMb6duG1tO4yF08LhW1R+SgGxQRdIZ6WgzmgHhZxvMGXUBeOZIBGO
S0pF4ZjEUnaPiIqKIsKcXBY0FdcW0KYW54bvcr1Qrdz+WWDXM9CjyPRV1jTd
aTyOMk6IYIgi1vkNWBHY+CyXSldSxi7eyYEouk9vcUoo43KUdlII2BKUugaJ
Gj8NfFyTgIyWMOpYce8QihSNGcG/zjE0JzXKEZYQcx+W9ma3dLX1Hi6tzC1f
ErwERRW+z9yhPQnNlq0ohMMqh7tgnXWdyUdfDyum8FLeUtBuURIiaUVzZw++
pBGjnYhBD4oYs9eVUsQk7IcbcWkXjN+Zo22wpbcwSF7UiO8S5ahupOO8NF8K
7jV8YFneLLGLqIdwLUjBJs/mPasLLmNgroibzWbyIBx4TaWZbB+6CCPkP0G6
lHxkoGKR1Yv23cisDW1EiLg2vBANwiPzZrYcrgXm9ao4s4XuTNC1udgsqR4G
gtSXtTBn3EoYtp4qKbC31GXBU6QbY9ZDHD7Bx2SiQivCgep+F0X/89JJQ4vF
UhZ3GgBT0UisA5EUWi4aZZO01Uivt3EI79/qtfQId8EJM8ZfJhAMOC1Ko6VM
XOYBug5EmbhJBYWUsaulJyIkFtIuxxJdoMwEGMWKEGAfWLAyxvrKL0lGugLN
yGdQkrkQ0ui5TFhSOwRTQXK6mmSFEEujbDlgyOohFSrzdRXiWVFiYeDmsgPn
z3jYlrgTe4wWJfkQbc3qtzDtEXFguMUcRz199eqppEOSX0d1z9/nq62VYQSq
G99RNwjS5Wwa5DDL8aoWOSqQMIiKY8R8M+xP9IILNzuOGzGxH2FoDkbDyNsc
BkAqO6Y3DplSDu953j1t/mAYgyav3YpK6fgWb6htNe4sbOTRxXn2lW0a/Gj7
dRxXDYh0MMzcNACsgXPwklqNDTQC8Jdpqi5Wcx75Wunx/LjMZFSd3Sib0Hac
kf/li5YdUUVleez42G/LTHNyUEV6iUtGBwl6WOzCyG189cT9FTWpsk2KW2TL
ejrdoYex1PDhPN/F1lMpGCypTS6+7OV2TaXo2DfD+kXBeD3zn3qBMUkaxInE
M9YteQKiPqH0rztmD9EwCIaM9lxaO1HYmvlRnp09e076QBt0rLKKpARoW1H2
sabz2TURs5BaEHJbwpjWjmNLC3Fx8ipSmOi1c2rBAka7r3KBIqllFRUdXGzg
zctWFSl28Ylvl4hG7rOV6qI8THwDDGgOYnzUhF7bYpAbuBO9rYIrfc50rBgt
1oJX3KeCDhK3z5+La33BwK1NoPd2acXS3P5yco1v8WQXU9zoopznWJOwlcDL
Pj7KHoCOnONwJGPHyyLyCaCR+zVLhOPcZdMhTVPOUhT7KaoqvPldjbH+oPAL
nbLUcIUjrIntQdyBzIqk65VGbo8aGGH0GipQlX17+SN7CTYkonBirO9wCI+z
Pavs+VOdvE5jw9oLKK3M9rCBQZDN5DFJJFNItBNaRcuLXJNyI1Dpus1XyCKD
7I1lMjC6sRjSUmkf6ZeaT0mndoY+m5ssKjDOGnuXf+KOKiKO/Kn0jCpia0T4
MknYMDV//nqVJN6Z/7RiQt0AnGJCdd2dYhI8dFpxyXlkrcoS/j0eKQTduYC1
FB5vl1JugbJDmPFair49hQC+Qh+LavgOTMIlwxhTY8XlSKTTV5nGfSIBeRy3
fsKqBMtitcE0rw2V8MPAWFpVyapTMRg96PUU28KOYiITrf4nxRdG8XWKfP7U
r5dlGpd+U+f6gu4+NdPSMYO3jSQaHLnYXeruRX2t5RwjLt+wVMEtmyEXKOFM
FOrs83dnqBNQdaXI+ZKA7KB/3WqFfSo47ZmUSu5IU9Aq1oMHEnruTQtpZYU2
CTZqTqbLK0x8Jdo6N1gInmzhNzGFkouEVQfctHl5IzUsT5+rhombL0VWOaFX
bxKBEfCwQ6JLbuaGamuzot+bGN0gsS9LvosjWvqwTH3fjdJAMcMkLNV0wIYc
8oAEq0EFwRy4otT1ST5JmUTqcpLn5kGgHmJuQ5uFehPUISIUgPISnlM6zB0o
x7R3WyKpSTsUEGEDj+/Zqt6u5KQs5wpbL4FFMkqRRkcJR4EydbjbyTG83/Rd
0tEJKe2rOYTifqqnk6M1xL6CQKmlb6cDJtjIgeqogqYr9ZeIB2l3wT6MttjO
67FkI4jkN58M7kMNFiEFfKWvX8H1eMu4wgEjlNgYxfn1ixTm+snoYrvi0PvI
VvVeYegsf95OLn3EsqtrvmtYik6jkr5myNRnJXFWAifPG+s0+rsrGK8CMlvY
O+emiVODvaqvscYTFe0EHnCPNE1UU4aG5I3kJtFTLuLMETPk42Hkv2X4zyZ9
Jf7eI9wCLF0HltzxfeuwQuO/agX6mb/HOuB/xxw68mfOvYquyU3FbyIU5RjO
vwIrxxnCvlRHVB40uJyM4H4nKAL/IY3MxlSlmTcOj9Koo1L8i4Ox7oj2aZ3s
DE9IGsvkuQ676mbCqfd9MkFPUkiPNlch/avNFyiR8TvkCcVeX7z1J159OxQf
8l3ZFIfAfYCVi+ckvq929UdRqE7dm+QzEMWM9QVut1DQC7uNcKXIJytcmGJb
6uOyLLqlFBgkOG/Of9QioXtQCoTo0PniLLDYrv6RUQJsR9MBKFRg1Kvqoqh7
FAvUyoIRF7YVv0fHKAsC/OSVfOnnPqjgF87k9x4DKfKlWx6Ctoo2ijLz0Dki
sxJyCtmmyKjLItglro7Xx6qQ++VFi4X0vc+aJQ2sck6GNNUCnTOLCOV4JU8g
q/J1Ee8zOUW6YAnRZOFzCKkuUV6F4IEO9vPPlz99eIsFLWZw1GvzTiKYvWEr
l3H4d8UKnZZiJPpcj6h7kXS1kfaBBM9C0k3CFuHaS8Sgxc5P3VigpKiMd23s
MkrSXJ0nlgSw4VuqKBxf+lbSYTOTIEFw0bYYDIoryYrHnJwkBKrsu9g9lkAo
QyBlzJE2qFWBMk23DjZyxehTzzhrhU09QtagxXm14xSXak0Sa4NNRd4du6Se
ZkgHZhaQhEeox4D6eL6E6uEcXBZC6P992CdGPd7PTh05rJnTNCONgWupEOsh
twdVd/QATW4XzKn7lANb7S8LVTY++S6/rcu5tfXADwWDHc/AJK9Uj7PSzFbt
SfomWP4H9lpjjcUYDgtK5XWUJiNyYMQV+sl7QtFoy3Yc2iuXUGPcTwrb03LJ
Dc7zv8T4RyWlC8iqgW1JFhXqjrZ8axYCfWuo7RqpjDlcx04a4WYNukVUy1A7
/K6w4iplJX5DdjURpEvbYMOXr3QxEwUnIVPeeH5MobBLX225r5tiZDWYh5GE
DCCoGPAtnsoBJ1NQSZCDxQ3dSDcWk0dMM3uN46lG8ynDC/SfM2uM+YuUQeBa
ZuQtZNBoG2ZCyUncrAa55Kh3k4evmHoKWkxass4r5NuS6VBs0xKODHtGhKIh
eMXYwguHZLwcsstorY6AGE6PpjTq6zr5dminR+podKqrDM7ARQOBOV+w230G
dYTpBBmHYty1qLUqG/1ZxjWq4zcGPZCiKTdRIUMic0zhdwczQFlRDmrNmCZ6
eF3ALUmr1Glz6JB1mB2VJ8CVUQxFRH7s9oeG5SgLu7EwCb2mGpfWmDRGADGT
JB4rQd14tciF+Ay5MpCqjnd52SUPUAI4EsnI5ZN3bLj5slShG6fM6Vw7xKIV
Db8aceF9n8JD/BwEgOX8YckQzNKVptKYgBIUr5N9nMNfmPSmODmlrfayw5yK
yWJoEbOLt+swz2WaZUR7TwO0jizdF0+4LWyfMG0KGqnRqcGCVzV5GCiYwFgc
D4/sfFetwkqKlu0o1VGQbDCahqpACN4PE7m1+A5qWlAL9rU8Y74We9cUlBD5
rPtEqmfuibiu+rfB2LEXgqjoWQ4b62jZTV3PDa5K6h0awJu7ucSyn716cgoa
7cJXOUkSz4D5SeuLK85t8EZUjzzI4BooXKolQXMWAdypbTiykTuZUFi76ct+
TwiNoRmi26ETtLUD/WwSUmwezW8le5W35ZJhCEWV6gL+2iDSTZUVSWWVdJRh
EdrV/aOzDndUcjdXCRQzeirFq60jBBZ7U+erUA9VpyFIzbVKGQoK1tsOnWOy
6VqKMNXVFQxDHzIenkeRs3TVTpAPhD6wBKOETzbbBjemDaRpGckFI5KcRWmY
ZInta80q3qPI/kMF0solwNis1HF4UsMDoTDQte5IvL3M0HtkEspV5VoHxUNA
rpdaLk533bTpANsXNatsEuQp9bsST2Na8ZC8wKh8UBm+UtoR7zEdQm95MnQo
4y3EKXtrIiUYDrYrnEbnX2akFRcC06p8DFnlQl15KzFUfBjObUtcHiGLesQs
UA5xnyP1QxA41palE0SJZUmoayvUiitS/hZayA3z6iOY1IdruUTHA8prD+NW
RR3QedYOpV1rTu2+gbjFLmlcwyv26hnxXsoKIhSaMJoA75eD0fNQ344xcmPw
EawFSOAN+inIN7WHa6ldPOJy8o6U1MoSCZ+36X66f4Y49PEAaDA4eUR9eeuK
nga928OGwOBCfcCyOQr6Z6mdgXLXswIFNJdHUDgfCXinBvJdwaoKInydxT6s
X/i3k2AW+7F65kK5xqI+YFCRJZCryb0oV4Kude62JLuUCGEpKL9VgZUzQmtH
0RWjnEW6D9iotm3rWUmjD8lI7vMhKYo3odham+9MKZPOj57lywXi7gJDkrdl
UV2TpOAkQZLXroukS1sJIybCu2cXuW6JZWefEeEUFd5V81I8a1p3ZXC6bANw
FZhAhGACwLFYWV6Z+rbSoeIT0ODcwPh98mbd4mM1ht+MyQcaW99YoHCbRFZc
UTJkAGHheKfXO2AH0i7O0nJRbhMYH/0eBAlDxceN7UuF5dqvlWqEidNI2b7b
5ZElKyYxX2S8h56rHlr7qftCkFiPg7+IvhHsai9S6Z5YmfNMEMMqO8swjlp2
xTmtChMB7oBJSefPQoetOFy3J5vW97c741TT+7y+XCkfXYa+JhoFnaU1lkHs
2SWkdV8p3yDpVoVV/JpWMJAO6WGl6pwbGD3Kwox4Y9LSmikYE6bhq4ofUg3Z
SHJFpsZhwD+Y3yuuqjJUSQX9pMlnqxR3kDQyC4FuIYk90CePcwl664Igwszw
hzEVRwpBNPDqsZGE5IQH4Nr1vYCJeALE2ga/yYw5McMSYPY3MaxGcxUNOeH7
xKHu4PCKzHnZpMUUg751HdmTAqBnRc3lmKj+1Iti71iUYaHCqTFvAQfqOOyI
IIWawenYVCVy1lOHjTSeKuQfmrlKZAQnfpj4JhWW6mriU9UCuNOHYgtIp1bf
yWEv+XhYcRFcs3vgv9I9kCnSHUvp4p7pEanJg0GTbWHWiHXMCdhbyfswCC7r
/2ge9cC4I2XlJvNi14mNMQxLEJreg8tOwxy0/A5WetMtVZSJFxKNuiq9KvGJ
2bC6cndhrOzl0HWI7kvvTlpVOTJLUXO5WaYWE7MSOlH0JDGRjthtL9vej/Le
73SIMa1xfFPTPQjPplB0N+vQvzspjpgLy8bHubgbNQyMTjRoHEn1Oc7jCVHz
oYxEnlHvXt83IbyoPB+Kd2rKDvw2qi05DLBy+hmo/VsrEkjTiJFvcYsDl/ui
+HypnoxH50Idt6zFZG+supgGO24tWX2CViPVp+9zHHQ7KMRUfK5A2a71vDN+
RwNuZC7FJt2SNjXY89Lg1I4p0QjxvpahQ1NMyYE/dqqTqXMy5jIUICJfEfPA
wGpCMsQeeAB6btLG9m0UOD44MO/N3aCzt+dO0FjIPidv6oa7i1pAbsUZkXNe
tatVSEIl9UEMF3bOkwYNf5vdGpmRDQe24BYWsUzAMLpPNxNEWIlMR2Fy1sLI
qcu8M6Yea4Am9DqXLH/1nJ1ETsbRoIEuIX2HiOH762xns2ATj7jZpWGf7rFm
4vjEoPfYe/m4KDDWjTPUBpVwBE0BE9hGaZ2MPXM2cHHSiEV2gNWGstPcFmM0
fYY9ijQNHYACP3XD0GVcndEhR+nbk5CJJoftyKwVFyaqz1R42qonKM4j0D96
9QjsV1bG3+rQnFrKBP7889s/XH7/8eKae68QoMFyCi3VbO7qIKyKeIzgpaL0
sm0HBIldbq7+x/dk6uUVgwDm2/WmF8b5n/9yffrs2bP/+a8WdeJEDIx+o7x2
hIFfEcdzP6THfoggxEpmj6QhnmQR1IQcV4Ugm1fIgvIbbfwVJaOTsCK5skHf
IhXwaGmN79hEv+GJ+vWY6y3xn1/+8IYR02NKvCMWNttNKWxMBZo4sYaLg/tQ
NDWig5NG6OkW/pux10Dg0psqqnJKCdeggqAViJf+ijnC1RJBKUdXV++wyc9n
+GVX6GN6QoJGzCUQx974JFWiFDUtsE7KSRJKIsa8z/kzILetRFsPA0aPUJoH
4bDlHKVqBrJZl4Dj2U3ZJnyTCrIYc6UrGrh9BJ2YxOWyxLcROD+boMyjUZo9
dARG29LOBNpKRFbwKq2zIw71j9Q7TOzVIE7KwDko4DE1wr2lJSFJkLxE9CP5
lfZIaUWJYXgNcUkcXnt1+uqxlNgZjLvFQaRBzj0UQ5K8dWS7hDNUUaCtR64j
bh52njOtB4/epAhpdSHdyUAzId9W9LaAyh8+LcQPpUifPZunvDJi4owYchJ4
aVBN1mzumpyYIMVNcM8DyBY3CNFix9aHBX8Zl3keKSHGpoSggcIvHGWyGovb
8FOBkqjLvi+rTwcHdjgGodXsQyDJv/z5P5b1BgFI8D/YcAC2IoCE9pQkCYCB
OVbXR64q4v1Ovkzt57n/Gp46RqoYaGSlRzTJmsjW+icGPA4o2Kh8uBbW5CKn
YI9rFMLnwLovl5nL5QY6u5tWK8mR0hRJIPTUr6PyNUZlwhQEZBRubn25Q7kI
Wr3WibxYWKulENjolOmlWyIhLtsUcv4KuCaBjYnXn547cR1RnWttnZMnENRw
XAYepW1Zm/2Qz0EwjDi8yjudPsFYRayRaI56SWUjdBOGAvd2hISlU0wFtZxi
ZHtgxxf65dwWWvnSDHeqqwemSDmj2KrsCFqVXNAmF2yVSIZKUFcBl53P54w4
5uBFakJGfRc7xc9Y6rc/sJAcivkj7OfDcstIdGLCOhOK81wVGq8H2K/7wrko
5Savgl5s7Ukxttaqv/UyUEObXb37+OP3544tolsMuRW7ppGChQXxVjDHfvHs
JdZmnO+qfF3ODIKz8yU1294IsBtpv+P/v7ir6W0jOaJ3/wpCOSQBxMU6Cyeb
Iy07sAI4MFbeeHMcaYbUQCOOMENa5i7039P16tVHU9Qit9xskezp6Y/q6qpX
74WckfUEB9t1MF56dE4Itm4Wl59cCnBONH38FL6H0x3xj7WiE9pnNc+c3AS6
WO8+XHzSYriude+WJjmZpOJsjetZv41i7f3cLU5on0rkW/oUlKq0Edjf5qFU
AF2GpHpKhCgn7FjR0EqQAP+D5/eECl9pIHNtPzRSiotLPSSaZE2sRFW07b8t
Vk7YoOoINxH+j6hiRDId315TloFb3jWhRmd+xFkpDJABDUNgHybhsdcEiRIe
ic5OfrFbRJHq0iqFfAArsSlLw0zibSJHqonwPjYHod98Uxbrx9V/lvLPpydn
qAixugPwY0p+T9Fk0NsG8uRPSTFGHjggfFhawiYM4EXzjEXxzx5DqkR6HXqx
aEorwrxPip0enL4a0Niqu40PeRunaJyTlkY5RmmmGoqmjtZnUo/YO5q6KFYY
JHVqRIR8Yx3HxR/nerN6oib4SK4h9017fzg/1o0merQ6UnvnMqXQwlaNoAXC
Zd9NaToVf8PVKjH2Yhx5Wahk58rnZSUHO5QJviuZIAvsdM45ypprnZjjQIZX
floaalJgxZml3aB08P21KYKRtMY4THGixTJSUiBBy6uUI/9QblDj4MFxWtQf
3vwgvHNnIj+wG6UUX3Rd+u2NqOQp8WzY6CRzVYa3cUO2s52ZlyTfGpbGXgTZ
wd6VHvMO1BnQU/Hl9CHIMstoleH6eU4OWW5plfMTRzKyHjGRc7k0orGVh4B7
zU41lYXx8JYiPGLmqvy0UtLVQJMFxhnw2/mgVDTWlZgPdQ5UJuGb8DCNDyC5
4sENVwEA1frYzS3W0stOuV1rDzKJDhIHCy8rElCCsNqweYupL0EbruIRCOgh
RavaEKOJlop8iIZJ6x/rCwID4ztbC/OrUJ9W0JrBXw7NoTymm6ZxItSiD/py
rUI+Ex8PQ3OW65hh+/nNBJSL08JXRHmht+V80gg6iJP/CqdToEJsQDaknAZ4
v6SJ5grYY/jEjGG6wuSxKncQDpvWFpTXi6cx51rA+9DWy0WAJpLitfpaX6jy
7+44WNAUy24yimINnaVaO9vHXigzRgruPH7FDFLCZa2rY1kT+QmeIf/2NL7G
fvgOGsxUPpdhMFrm3367vLr6+f0V6JhXQ+ShDG5I38BlAXuN9kM0zbmPU9eJ
Z8CbSkR8ktAJ1qZa9hMUzFlcih7yseKg+8SKe+xlxCMbgC1IIr7nnJC+HMrB
SVYf25aKUpQ0SNUEIb8GpCjLAW6gB/CR4FfESfBCJ61MZnj3u/RHn0K4/06z
EI5xiPnI87UY1WCljZBtw85o+fi43mHHkCsLMrgVGe+Xt6vl6uLiszg/Vwkb
xLWgyFZeFfSm+6W/66lv66RHtn/jQo8j53hyTmdmZASzB8DKeq2QrG/4Qagn
wP294Eu6b7fFK7DrFUnSel7KXBhLlRSQRC9WUbgMk93GVIQT967b9oocvqKg
mPn4SnSBKCvvYnTnAy/EKKp7+fC4km/PLL35FALI3VpjqBkj0b7lHX7CeWvX
ubXX8lkLqgJQZmIUZsydEsDLHZTbMMCSOiJgI1ErRJLh+/1uL2IF0555gSo6
RRLyWHKX8+LyXuahjJZGuCpyc9zb12NW66pCNtXa7be3HemZRaN+ANedgGv9
Py80E86XgQFtjVp+90bBbDkBphqU8obRZlRafgYiOvIdczSRjwlxpCSdczPs
W61rMsk8b15y0b3DZOK2DsvWbKaOgQ5FqwmbRfHgZMFdDymEpP1JJrmqUq1S
gVojh+0sbuJf/v63N6Yl8JgkpIpLboLl2XmmwYLYVNKYnlH6Ljyvyp2gvMHS
GyAUd27IQOkfI8oruoQIHpvp2J6wdvVkX3F5qu9M8OVc18CFR12IuVn4QgkF
D4ssp6JXz5zBlap8k+h5jta1pdmvIidvXcNXZWsOXbvR+cN9TxM38UPz6GTr
du3+5kQQhlanhtPysCgjrXcbyqbXUUi7Id4yU9JX2wxkm1JcXZbTwPJolQ/e
Lr/iNjFEGvpoi9or5K1qkQctd7sex13N7DuM8/F2Iu2wPheR9v4+f66CYPW7
y7xBH8e2LpfKqKWOeEwQf3G3aYGq3kPYqJKYHQu3UQvSRUT13kQfljHFpMGi
0fu0cvh7TfadWGy4Zno2iUo/ZvZt8p8bHMKxtvoq7htWmH6Ha2u5PKpONLDM
xWI4oxOx5AWVlYhniL+y/kIicUhv09LCuZeKpWq9+XEb/YesBPJKcWAmJFH2
XsrMNe1sCYX5OJeBpGkVHpVIi1gTt7fufj3fZ8DBgtVeQzrFGk67VLOw7VAD
uUGY+gg39HzZG7wDFJssyBn6dWeOcmPPibw6CDiKE0whUPEM2uZQCRObtgjY
vYBvFdsAh5tncm9MP1biVSZtf9+d3FYJtKJFXtDWCMy1emey+zuwkjMC2p4f
HbrucesZ7qhPLSiSEvzjsnd1Km8OJ3pFxonq6+p/un4qrYBtfZs89alb1QQa
DSyQBb9l+Tgqr4oXWfnH0d6i9VllsBLptoWBe1k8P5TnynQQVWgx82sRWBST
wdtWVsfeKpEzxOJNCoCHZua64qYk0VWO9fhYRz9CX9Hch+RivSvvwTxGrziN
E0v2scvHVCZws6wJbuTpRlTeY7Mvx0qZkCwglngsn28zkivJqgiWLy6ZL0Jj
ItPwdiozdS09WA3FmGxDJzS91KpY9Qmf4dLx9LTYTOP+IfDhUtwzaxLNC9Tc
4QgeG4P12L360O2U6vgGjMQq5FuVJu3Gh2JwVaeoxcq8fP/5H4vXr39MOZD3
v3xemAimdizfjQwIKyuej4AXo+xhbYxm+clibh4VH6MOHklIHWkjA5Jl0aIa
86QzMhsqxbccyRJk3MoBqPDNR0Bfx4lmTohGx+lAhhjev5ApUgb04eBchfQC
U5rT4WkH2q8EdkYHNDjQlmuKbFF4GhosOdX/Yeg2XG6nW9OF7I0BO6LKHhyq
2eB0xpQmAGVYZqCn4eJ0m+I7Y3w9p2e/HcoGpSR2c13WYOvvxa8Kva7BRHCc
p5R98Lg5oNKy+LAxx7mqGxQR92tGN6woAtmk4g1WEtvHnlsqw0k/KLsWH2uy
36L7a41GKdsPksGxPVOoATPOAAIVzdXH0mN6nAiq1XuyYK1FmI/5UjFTXRRn
zuryWr+EcgYIMencSMpC+SLwQpw1c1WZnY4QnV51y0mFgqhiRB9qFZC5kdDz
r/Bryv4Rbhwaq3WoM3DRWqfN1eu3Jxbi/1IDln5lfrd53PbWNnk8kf+w+ERl
sQsJsLSm1WElp72wh/1OgMz+LY9MCmLapCY+GVC5qdpPgYDvqku44+dPCBrm
6EFywIVjlsEmJoIO6r1HisvqjurKJ0X0aoToJY4qKkvkxkjQNYhgx8fVRU7V
pgI/yUbNRqPTTaFJqNF7S5+cH40pL4vwY2rPxEa1XBtwgel/Ne9cNenaJFyz
Xny6vMT0OtHM/3t+c9r2SBRqTufiiUgrzXUDGmmIcMsfa8nC9195gal1q6U1
wq9OSQhy16A+kvavbV/Q6WUB4Qs6jHKYmZhi6Lw06qcyMDg5sKbZHffztmmt
yExZ/BPY5eWRK0s35LyOE9HlG7uhS7mXs9IRZdq47+DZIYAf4TyBxZx+9/XQ
bABtKu9T5z+/OytXrqj2lKYciv9IRuQRqmXYnyE3VleDkD/5OXeym4N6uk3o
qaxLyWjSdmTBEYZIdFFFBLiMwB1L3ZD7cGNwCj59b5UVmk9ZefhE418ADG7v
HLCHr2u+QDx9cvly6vX63fRKXiAO3ZxSBWonUNmPM4C0/kI4FWy6FoGK9Att
QyJIdqiTKzVebuH/B9IARxSI19n3j8WXaKTG5GIv9XXnouj7rZHyjsXFAJyr
du+f43wrrBFD8QlENk/Hz1r5V3FSmsWHTtw8Ioq5qz1rkxdyuXUI9lmoYvUi
+KHr7+76xb/LYhZg8PacFCU7Hv454ofBKgcbYBKmwt7snABH7I3ezDUpCJCB
INivd8GrDNmBtyJ0OxW//3q8bvIi00CyBs9Fkn3ft+L7YyFcwMoO40YIOb//
frEs8/xAiEM7Nevd8vcVSBnab3vN9JE8H56b2dhmsMyTY7vwsNflYcoaeQ+6
zI0eMJSpdxfvGaX/q1fL5RKwklf/BSPB92mQpgEA

-->

</rfc>
