draft-ietf-suit-firmware-encryption.xml

<?xml version="1.0" encoding="UTF-8"?>
  <?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
  <!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.17 (Ruby 3.0.2) -->


<!DOCTYPE rfc  [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">

]>

<?rfc rfcedstyle="yes"?>
<?rfc tocindent="yes"?>
<?rfc strict="yes"?>
<?rfc comments="yes"?>
<?rfc inline="yes"?>
<?rfc text-list-symbols="-o*+"?>
<?rfc docmapping="yes"?>
<?rfc toc_levels="4"?>

<rfc ipr="trust200902" docName="draft-ietf-suit-firmware-encryption-20" category="std" consensus="true" tocInclude="true" sortRefs="true" symRefs="true">
  <front>
    <title abbrev="Encrypted Payloads in SUIT Manifests">Encrypted Payloads in SUIT Manifests</title>

    <author initials="H." surname="Tschofenig" fullname="Hannes Tschofenig">
      <organization></organization>
      <address>
        <email>hannes.tschofenig@gmx.net</email>
      </address>
    </author>
    <author initials="R." surname="Housley" fullname="Russ Housley">
      <organization abbrev="Vigil Security">Vigil Security, LLC</organization>
      <address>
        <email>housley@vigilsec.com</email>
      </address>
    </author>
    <author initials="B." surname="Moran" fullname="Brendan Moran">
      <organization>Arm Limited</organization>
      <address>
        <email>Brendan.Moran@arm.com</email>
      </address>
    </author>
    <author initials="D." surname="Brown" fullname="David Brown">
      <organization>Linaro</organization>
      <address>
        <email>david.brown@linaro.org</email>
      </address>
    </author>
    <author initials="K." surname="Takayama" fullname="Ken Takayama">
      <organization>SECOM CO., LTD.</organization>
      <address>
        <email>ken.takayama.ietf@gmail.com</email>
      </address>
    </author>

    <date year="2024" month="July" day="08"/>

    <area>Security</area>
    <workgroup>SUIT</workgroup>
    <keyword>Internet-Draft</keyword>

    <abstract>


<?line 93?>

<t>This document specifies techniques for encrypting software, firmware,
machine learning models, and personalization data by utilizing the IETF
SUIT manifest. Key agreement is provided by ephemeral-static (ES)
Diffie-Hellman (DH) and AES Key Wrap (AES-KW). ES-DH uses public key
cryptography while AES-KW uses a pre-shared key. Encryption of the
plaintext is accomplished with conventional symmetric key cryptography.</t>



    </abstract>



  </front>

  <middle>


<?line 102?>

<section anchor="introduction"><name>Introduction</name>

<t>Vulnerabilities with Internet of Things (IoT) devices have raised the
need for a reliable and secure firmware update mechanism that is also
suitable for constrained devices. To protect firmware images, the SUIT manifest
format was developed <xref target="I-D.ietf-suit-manifest"/>. It provides a bundle of
metadata, including where to find the payload, the devices to which it
applies and a security wrapper.</t>

<t><xref target="RFC9124"/> details the information that has to be provided by the SUIT
manifest format. In addition to offering protection against modification,
via a digital signature or a message authentication code,
confidentiality may also be afforded.</t>

<t>Encryption prevents third parties, including attackers, from gaining
access to the payload. Attackers typically need intimate knowledge
of a binary, such as a firmware image, to mount their attacks.
For example, return-oriented programming (ROP) <xref target="ROP"/> requires access
to the binary and encryption makes it much more difficult to write exploits.
Beside confidentiality of the binary, confidentiality of the sources
(e.g. in case of open source software) may be required as well to prevent
reverse engineering and/or reproduction of the binary firmware.</t>

<t>While the original motivating use case of this document was firmware
encryption, the use of SUIT manifests has been extended to other use cases
requiring integrity and confidentiality protection, such as:</t>

<t><list style="symbols">
  <t>software packages,</t>
  <t>personalization data,</t>
  <t>configuration data, and</t>
  <t>machine learning models.</t>
</list></t>

<t>Hence, we use the term payload to generically refer to all those objects.</t>

<t>The payload is encrypted using a symmetric content encryption
key, which can be established using a variety of mechanisms; this
document defines two content key distribution methods for use with
the IETF SUIT manifest, namely:</t>

<t><list style="symbols">
  <t>Ephemeral-Static (ES) Diffie-Hellman (DH), and</t>
  <t>AES Key Wrap (AES-KW).</t>
</list></t>

<t>The former method relies on asymmetric key cryptography while the
latter uses symmetric key cryptography.</t>

<t>Our design aims to reduce the number of content key distribution methods
for use with payload encryption and thereby increase interoperability
between different SUIT manifest parser implementations.</t>

<t>The goal of this specification is to protect payloads during end-to-end
transport, and at rest when stored on a device. Constrained devices often
make use of XIP, which is a method of executing code
directly from flash memory rather than copying it into RAM. Since many of
these devices today do not offer hardware-based, on-the-fly decryption of
code stored in flash memory, it may be necessary to decrypt and store
firmware images in on-chip flash before code can be executed. We do, however,
expect that hardware-based, on-the-fly decryption will become more common in
the future, which will improve confidentiality at rest.</t>

</section>
<section anchor="conventions-and-terminology"><name>Conventions and Terminology</name>

<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD",
"SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/>
when, and only when, they appear in all capitals, as shown here.</t>

<t>This document assumes familiarity with the IETF SUIT manifest <xref target="I-D.ietf-suit-manifest"/>,
the SUIT information model <xref target="RFC9124"/>, and the SUIT architecture <xref target="RFC9019"/>.</t>

<t>The following abbreviations are used in this document:</t>

<t><list style="symbols">
  <t>Key Wrap (KW), defined in <xref target="RFC3394"/> (for use with AES)</t>
  <t>Key-Encryption Key (KEK) <xref target="RFC3394"/></t>
  <t>Content-Encryption Key (CEK) <xref target="RFC5652"/></t>
  <t>Ephemeral-Static (ES) Diffie-Hellman (DH) <xref target="RFC9052"/></t>
  <t>Authenticated Encryption with Associated Data (AEAD)</t>
  <t>Execute in Place (XIP)</t>
</list></t>

<t>The terms sender and recipient have the following meaning:</t>

<t><list style="symbols">
  <t>Sender: Entity that sends an encrypted payload.</t>
  <t>Recipient: Entity that receives an encrypted payload.</t>
</list></t>

<t>Additionally, we introduce the term "distribution system" (or distributor)
to refer to an entity that knows the recipients of payloads. It is important
to note that the distribution system is far more than a file server. For
use of encryption, the distribution system either knows the public key
of the recipient (for ES-DH), or the KEK (for AES-KW).</t>

<t>The author, which is responsible for creating the payload, does not
know the recipients. The authors may, for example, be a developer building
a firmware image.</t>

<t>The author and the distribution system are logical roles. In some
deployments these roles are separated in different physical entities
and in others they are co-located.</t>

</section>
<section anchor="arch"><name>Architecture</name>

<t><xref target="RFC9019"/> describes the architecture for distributing payloads and
manifests from an author to devices. It does, however, not detail the
use of payload encryption. This document enhances the architecture to
support encryption and <xref target="arch-fig"/> shows it graphically.</t>

<t>To encrypt a payload it is necessary to know the recipient.
For AES-KW, the KEK needs to be known and, in case of ES-DH, the sender needs
to be in possession of the public key of the recipient. The public key and
parameters may be in the recipient's X.509 certificate <xref target="RFC5280"/>. For
authentication of the sender and for integrity protection the recipients
must be provisioned with a trust anchor when a manifest is protected using
a digital signature. When a MAC is used to protect the manifest then a
symmetric key must be shared by the recipient and the sender.</t>

<t>With encryption, the author cannot just create a manifest for the payload
and sign it, since it typically does not know the recipients. Hence, the
author has to collaborate with the distribution system. The varying degree
of collaboration is discussed below.</t>

<figure title="Architecture for the distribution of Encrypted Payloads." anchor="arch-fig"><artset><artwork  type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="384" width="472" viewBox="0 0 472 384" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px">
<path d="M 8,32 L 8,96" fill="none" stroke="black"/>
<path d="M 8,160 L 8,224" fill="none" stroke="black"/>
<path d="M 8,288 L 8,352" fill="none" stroke="black"/>
<path d="M 96,32 L 96,96" fill="none" stroke="black"/>
<path d="M 96,160 L 96,224" fill="none" stroke="black"/>
<path d="M 96,288 L 96,352" fill="none" stroke="black"/>
<path d="M 128,64 L 128,320" fill="none" stroke="black"/>
<path d="M 328,160 L 328,208" fill="none" stroke="black"/>
<path d="M 344,48 L 344,80" fill="none" stroke="black"/>
<path d="M 384,88 L 384,152" fill="none" stroke="black"/>
<path d="M 432,48 L 432,80" fill="none" stroke="black"/>
<path d="M 448,160 L 448,208" fill="none" stroke="black"/>
<path d="M 8,32 L 96,32" fill="none" stroke="black"/>
<path d="M 344,48 L 432,48" fill="none" stroke="black"/>
<path d="M 104,64 L 128,64" fill="none" stroke="black"/>
<path d="M 344,80 L 432,80" fill="none" stroke="black"/>
<path d="M 8,96 L 96,96" fill="none" stroke="black"/>
<path d="M 8,160 L 96,160" fill="none" stroke="black"/>
<path d="M 328,160 L 448,160" fill="none" stroke="black"/>
<path d="M 104,192 L 320,192" fill="none" stroke="black"/>
<path d="M 328,208 L 448,208" fill="none" stroke="black"/>
<path d="M 8,224 L 96,224" fill="none" stroke="black"/>
<path d="M 8,288 L 96,288" fill="none" stroke="black"/>
<path d="M 104,320 L 128,320" fill="none" stroke="black"/>
<path d="M 8,352 L 96,352" fill="none" stroke="black"/>
<polygon class="arrowhead" points="392,152 380,146.4 380,157.6 " fill="black" transform="rotate(90,384,152)"/>
<polygon class="arrowhead" points="112,320 100,314.4 100,325.6 " fill="black" transform="rotate(180,104,320)"/>
<polygon class="arrowhead" points="112,192 100,186.4 100,197.6 " fill="black" transform="rotate(180,104,192)"/>
<polygon class="arrowhead" points="112,64 100,58.4 100,69.6 " fill="black" transform="rotate(180,104,64)"/>
<g class="text">
<text x="52" y="52">Device</text>
<text x="48" y="68">1</text>
<text x="388" y="68">Author</text>
<text x="424" y="116">Payload</text>
<text x="464" y="116">+</text>
<text x="428" y="132">Manifest</text>
<text x="52" y="180">Device</text>
<text x="176" y="180">Payload</text>
<text x="216" y="180">+</text>
<text x="260" y="180">Manifest</text>
<text x="388" y="180">Distribution</text>
<text x="48" y="196">2</text>
<text x="388" y="196">System</text>
<text x="56" y="260">...</text>
<text x="52" y="308">Device</text>
<text x="48" y="324">n</text>
</g>
</svg>
</artwork><artwork  type="ascii-art"><![CDATA[
 +----------+
 |  Device  |                              +----------+
 |    1     |<--+                          |  Author  |
 |          |   |                          +----------+
 +----------+   |                               |
                |                               | Payload +
                |                               | Manifest
                |                               v
 +----------+   |                        +--------------+
 |  Device  |   |  Payload + Manifest    | Distribution |
 |    2     |<--+------------------------|    System    |
 |          |   |                        +--------------+
 +----------+   |
                |
      ...       |
                |
 +----------+   |
 |  Device  |   |
 |    n     |<--+
 |          |
 +----------+
]]></artwork></artset></figure>

<t>The author has several deployment options, namely:</t>

<t><list style="symbols">
  <t>The author, as the sender, obtains information about the recipients
and their keys from the distribution system. There are proprietary as well as
standardized device management solutions available providing this functionality,
as discussed in <xref target="RFC9019"/>. Then, it performs the necessary
steps to encrypt the payload. As a last step it creates one or more manifests.
The device(s) perform decryption and act as recipients.</t>
  <t>The author treats the distribution system as the initial recipient. The
author typically uses REST APIs or web user interfaces to interact with the
distribution system. Then, the distribution system decrypts and re-encrypts the
payload for consumption by the device (or the devices). Delegating the task of
re-encrypting the payload to the distribution system offers flexibility when the
number of devices that need to receive encrypted payloads changes dynamically
or when updates to KEKs or recipient public keys are necessary. As a downside,
the author needs to trust the distribution system with performing the
re-encryption of the payload.</t>
</list></t>

<t>If the author delegates encryption rights to the distributor two models are possible:</t>

<t><list style="numbers" type="1">
  <t>The distributor replaces the COSE_Encrypt in the manifest and then signs the
manifest again. However, the COSE_Encrypt structure is contained within a signed
container, which presents a problem: replacing the COSE_Encrypt with a new one
will cause the digest of the manifest to change, thereby changing the signature.
This means that the distributor must be able to sign the new manifest. If this
is the case, then the distributor gains the ability to construct and sign
manifests, which allows the distributor the authority to sign code, effectively
presenting the distributor with full control over the recipient. Because
distributors typically perform their re-encryption online in order to handle
a large number of devices in a timely fashion, it is not possible to air-gap
the distributor's signing operations. This impacts the recommendations in
Section 4.3.17 of <xref target="RFC9124"/>. This model nevertheless represent the current
state of firmware updates for IoT devices.</t>
  <t>The distributor uses a two-layer manifest system. More precisely, the distributor
constructs a new manifest that overrides the COSE_Encrypt using the dependency
system defined in <xref target="I-D.ietf-suit-trust-domains"/>. This incurs additional
overhead: one additional signature verification and one additional manifest,
as well as the additional machinery in the recipient needed for dependency
processing. This extra complexity offers extra security.</t>
</list></t>

<t>These two models also present different threat profiles for the distributor.
If the distributor only has encryption rights, then an attacker who breaches
the distributor can only mount a limited attack: they can encrypt a modified
binary, but the recipients will identify the attack as soon as they perform
the required image digest check and revert back to a correct image immediately.</t>

<t>It is RECOMMENDED that distributors implement the two-layer manifest
approach in order to distribute content encryption keys without requiring
re-signing of the manifest, despite the increase in complexity and greater
number of signature verifications that this imposes on the recipient.</t>

</section>
<section anchor="parameters"><name>Encryption Extensions</name>

<t>This specification introduces a new extension to the SUIT_Parameters structure.</t>

<t>The SUIT_Encryption_Info structure (called suit-parameter-encryption-info in
<xref target="parameter-fig"/>) contains the content key distribution information. The
content of the SUIT_Encryption_Info structure is explained in <xref target="AES-KW"/>
(for AES-KW) and in <xref target="ES-DH"/> (for ES-DH).</t>

<t>Once a CEK is available, the steps described in <xref target="content-enc"/> are applicable.
These steps apply to both content key distribution methods described in this
section.</t>

<t>The SUIT_Encryption_Info structure is either carried inside the
suit-directive-override-parameters or the suit-directive-set-parameters
parameters used in the "Directive Write" and "Directive Copy" directives.
An implementation claiming conformance with this specification
must implement support for these two parameters. Since a device will
typically only support one of the content key distribution methods,
the distribution system needs to know which of two specified methods
is supported. Mandating only a single content key distribution
method for a constrained device also reduces the code size.</t>

<figure title="CDDL of the SUIT_Parameters Extension." anchor="parameter-fig"><artwork><![CDATA[
SUIT_Parameters //= (suit-parameter-encryption-info
    => bstr .cbor SUIT_Encryption_Info)

suit-parameter-encryption-info = TBD19
]]></artwork></figure>

<t>RFC Editor's Note (TBD19): The value for the suit-parameter-encryption-info
parameter is set to 19, as the proposed value.</t>

</section>
<section anchor="extended-directives"><name>Extended Directives</name>

<t>This specification extends these directives:</t>

<t><list style="symbols">
  <t>Directive Write (suit-directive-write) to decrypt the content specified by
suit-parameter-content with suit-parameter-encryption-info.</t>
  <t>Directive Copy (suit-directive-copy) to decrypt the content of the component
specified by suit-parameter-source-component with suit-parameter-encryption-info.</t>
</list></t>

<t>Examples of the two directives are shown below. These example focus on the
essential aspects. A complete example for AES Key Wrap with the Fetch and Copy
Directives can be found in <xref target="example-AES-KW-copy"/>. An example illustrating
the Write Directive is shown in <xref target="example-AES-KW-write"/>.</t>

<t><xref target="encryption-info-consumed-with-write"/> illustrates the Directive Write.
The encrypted payload specified with parameter-content, namely
h'EA1...CED' in the example, is decrypted using the SUIT_Encryption_Info
structure referred to by parameter-encryption-info, i.e., h'D86...1F0'.
The resulting plaintext payload is stored into component #0.</t>

<figure title="Example showing the extended suit-directive-write." anchor="encryption-info-consumed-with-write"><artwork><![CDATA[
/ directive-override-parameters / 20, {
  / parameter-content / 18: h'EA1...CED',
  / parameter-encryption-info / TBD19: h'D86...1F0'
},
/ directive-write / 18, 15
]]></artwork></figure>

<t>RFC Editor's Note (TBD19): The value for the parameter-encryption-info
parameter is set to 19, as the proposed value.</t>

<t><xref target="encryption-info-consumed-with-copy"/> illustrates the Directive Copy.
In this example the encrypted payload is found at the URI indicated
by the parameter-uri, i.e. "http://example.com/encrypted.bin". The
encrypted payload will be downloaded and stored in component #1.
Then, the information in the SUIT_Encryption_Info structure referred
to by parameter-encryption-info, i.e. h'D86...1F0', will be used to
decrypt the content in component #1 and the resulting plaintext
payload will be stored into component #0.</t>

<figure title="Example showing the extended suit-directive-copy." anchor="encryption-info-consumed-with-copy"><artwork><![CDATA[
/ directive-set-component-index / 12, 1,
/ directive-override-parameters / 20, {
  / parameter-uri / 21: "http://example.com/encrypted.bin",
},
/ directive-fetch / 21, 15,
/ directive-set-component-index / 12, 0,
/ directive-override-parameters / 20, {
  / parameter-encryption-info / TBD19: h'D86...1F0',
  / parameter-source-component / 22: 1
},
/ directive-copy / 22, 15
]]></artwork></figure>

<t>RFC Editor's Note (TBD19): The value for the suit-parameter-encryption-info
parameter is set to 19, as the proposed value.</t>

<t>The payload to be encrypted may be detached and, in that case, it is
not covered by the digital signature or the MAC protecting the manifest.
(To be more precise, the suit-authentication-wrapper found in the envelope
contains a digest of the manifest in the SUIT Digest Container.)</t>

<t>The lack of authentication and integrity protection of the payload is
particularly a concern when a cipher without integrity protection is
used.</t>

<t>To provide authentication and integrity protection of the payload
in the detached payload case a SUIT Digest Container with the hash
of the encrypted and/or plaintext payload MUST be included in the
manifest. See suit-parameter-image-digest parameter in Section
8.4.8.6 of <xref target="I-D.ietf-suit-manifest"/>.</t>

<t>Once a CEK is available, the steps described in <xref target="content-enc"/> are applicable.
These steps apply to both content key distribution methods.</t>

</section>
<section anchor="content-key-distribution"><name>Content Key Distribution</name>

<t>The sub-sections below describe two content key distribution methods,
namely AES Key Wrap (AES-KW) and Ephemeral-Static Diffie-Hellman (ES-DH).
Many other methods are specified in the literature, and are even supported
by COSE. AES-KW and ES-DH cover the popular methods used in the market
today and they were selected due to their maturity, different
security properties, and because of their interoperability properties.</t>

<t>The two content key distribution methods require the CEKs to be
randomly generated. The guidelines for random number generation
in <xref target="RFC8937"/> MUST be followed.</t>

<t>When an encrypted payload is sent to multiple recipients, there
are different deployment options. To explain these options we use the
following notation:</t>

<figure><artwork><![CDATA[
   - KEK(R1, S) refers to a KEK shared between recipient R1 and
     the sender S.
   - CEK(R1, S) refers to a CEK shared between R1 and S.
   - CEK(*, S) or KEK(*, S) are used when a single CEK or a single
     KEK is shared with all authorized recipients by a given sender
     S in a certain context.
   - ENC(plaintext, k) refers to the encryption of plaintext with
     a key k.
]]></artwork></figure>

<section anchor="AES-KW"><name>Content Key Distribution with AES Key Wrap</name>

<section anchor="introduction-1"><name>Introduction</name>

<t>The AES Key Wrap (AES-KW) algorithm is described in <xref target="RFC3394"/>, and
can be used to encrypt a randomly generated content-encryption key (CEK)
with a pre-shared key-encryption key (KEK). The COSE conventions for using
AES-KW are specified in Section 8.5.2 of <xref target="RFC9052"/> and in Section 6.2.1 of
<xref target="RFC9053"/>. The encrypted CEK is carried in the COSE_recipient structure
alongside the information needed for AES-KW. The COSE_recipient structure,
which is a substructure of the COSE_Encrypt structure, contains the CEK
encrypted by the KEK.</t>

<t>To provide high security for AES Key Wrap, it is important that the
KEK is of high entropy, and that implementations protect the KEK
from disclosure. Compromise of the KEK may result in the disclosure
of all data protected with that KEK, including binaries, and configuration data.</t>

<t>The COSE_Encrypt structure conveys information for encrypting the payload,
which includes information like the algorithm and the IV, even though the
payload may not be embedded in the COSE_Encrypt.ciphertext if it is
conveyed as detached content.</t>

</section>
<section anchor="deployment-options"><name>Deployment Options</name>

<t>There are three deployment options for use with AES Key Wrap for payload
encryption:</t>

<t><list style="symbols">
  <t>If all recipients (typically of the same product family) share the same KEK,
a single COSE_recipient structure contains the encrypted CEK. The sender executes
the following steps:</t>
</list></t>

<figure><artwork><![CDATA[
     1. Fetch KEK(*, S)
     2. Generate CEK
     3. ENC(CEK, KEK)
     4. ENC(payload, CEK)
]]></artwork></figure>

<t>This deployment option is strongly discouraged. An attacker gaining access to
the KEK will be able to encrypt and send payloads to all recipients configured
to use this KEK.</t>

<t><list style="symbols">
  <t>If recipients have different KEKs, then multiple COSE_recipient structures
are included but only a single CEK is used. Each COSE_recipient structure
contains the CEK encrypted with the KEKs appropriate for a given recipient.
The benefit of this approach is that the payload is encrypted only once with
a CEK while there is no sharing of the KEK across recipients. Hence, authorized
recipients still use their individual KEK to decrypt the CEK and to subsequently
obtain the plaintext. The steps taken by the sender are:</t>
</list></t>

<figure><artwork><![CDATA[
    1.  Generate CEK
    2.  for i=1 to n
        {
    2a.    Fetch KEK(Ri, S)
    2b.    ENC(CEK, KEK(Ri, S))
        }
    3.  ENC(payload, CEK)
]]></artwork></figure>

<t><list style="symbols">
  <t>The third option is to use different CEKs encrypted with KEKs of
authorized recipients. This approach is appropriate when no benefits can
be gained from encrypting and transmitting payloads only once. Assume there
are n recipients with their unique KEKs - KEK(R1, S), ..., KEK(Rn, S) and
unique CEKs. The sender needs to execute the following steps:</t>
</list></t>

<figure><artwork><![CDATA[
    1.  for i=1 to n
        {
    1a.    Fetch KEK(Ri, S)
    1b.    Generate CEK(Ri, S)
    1c.    ENC(CEK(Ri, S), KEK(Ri, S))
    1d.    ENC(payload, CEK(Ri, S))
    2.  }
]]></artwork></figure>

</section>
<section anchor="cddl"><name>CDDL</name>

<t>The CDDL for the AES-KW binary is shown in <xref target="cddl-aeskw"/>.
empty_or_serialized_map and header_map are structures defined in <xref target="RFC9052"/>.</t>

<figure title="CDDL for AES-KW-based Content Key Distribution" anchor="cddl-aeskw"><artwork><![CDATA[
SUIT_Encryption_Info_AESKW = #6.96([
  protected   : outer_header_map_protected,
  unprotected : outer_header_map_unprotected,
  ciphertext  : bstr / nil,
  recipients  : [ + COSE_recipient_AESKW ]
])

outer_header_map_protected = empty_or_serialized_map
outer_header_map_unprotected = header_map

COSE_recipient_AESKW = [
  protected   : bstr .size 0 / bstr .cbor empty_map,
  unprotected : recipient_header_unpr_map_aeskw,
  ciphertext  : bstr        ; CEK encrypted with KEK
]

empty_map = {}

recipient_header_unpr_map_aeskw =
{
    1 => int,         ; algorithm identifier
  ? 4 => bstr,        ; identifier of the KEK pre-shared with the recipient
  * label => values   ; extension point
}
]]></artwork></figure>

<t>Note that the AES-KW algorithm, as defined in Section 2.2.3.1 of <xref target="RFC3394"/>,
does not have public parameters that vary on a per-invocation basis. Hence,
the protected header in the COSE_recipient structure is a byte string
of zero length.</t>

</section>
</section>
<section anchor="ES-DH"><name>Content Key Distribution with Ephemeral-Static Diffie-Hellman</name>

<section anchor="introduction-2"><name>Introduction</name>

<t>Ephemeral-Static Diffie-Hellman (ES-DH) is a scheme that provides public key
encryption given a recipient's public key. There are multiple variants
of this scheme; this document re-uses the variant specified in Section 8.5.5
of <xref target="RFC9052"/>.</t>

<t>The following two layer structure is used:</t>

<t><list style="symbols">
  <t>Layer 0: Has a content encrypted with the CEK. The content may be detached.</t>
  <t>Layer 1: Uses the AES Key Wrap algorithm to encrypt the randomly generated
CEK with the KEK derived with ES-DH, whereby the resulting symmetric
key is fed into the HKDF-based key derivation function.</t>
</list></t>

<t>As a result, the two layers combine ES-DH with AES-KW and HKDF,
and it is called ECDH-ES + AES-KW.
An example is given in <xref target="esdh-aesgcm-example"/>.</t>

<t>There exists another version of ES-DH algorithm, namely ECDH-ES + HKDF, which
does not use AES Key Wrap. It is not specified in this document.</t>

</section>
<section anchor="deployment-options-1"><name>Deployment Options</name>

<t>There are only two deployment options with this approach since we assume that
recipients are always configured with a device-unique public / private key pair.</t>

<t><list style="symbols">
  <t>A sender wants to transmit a payload to multiple recipients and all recipients
receive the same encrypted payload, i.e. the same CEK is used to encrypt the payload.
One COSE_recipient structure per recipient is used and it contains the
CEK encrypted with the KEK. To generate the KEK each COSE_recipient structure
contains a COSE_recipient_inner structure to carry the sender's ephemeral key
and an identifier for the recipients public key.</t>
</list></t>

<t>The steps taken by the sender are:</t>

<figure><artwork><![CDATA[
    1.  Generate CEK
    2.  for i=1 to n
        {
    2a.     Generate KEK(Ri, S) using ES-DH
    2b.     ENC(CEK, KEK(Ri, S))
        }
    3.  ENC(payload,CEK)
]]></artwork></figure>

<t><list style="symbols">
  <t>The alternative is to encrypt a payload with a different CEK for each
recipient. This results in n-manifests. This approach is useful when payloads contain
information unique to a device. The encryption operation then effectively becomes
ENC(payload_i, CEK(Ri, S)). Assume that KEK(R1, S),..., KEK(Rn, S) have been generated
for the different recipients using ES-DH. The following steps need to be made
by the sender:</t>
</list></t>

<figure><artwork><![CDATA[
    1.  for i=1 to n
        {
    1a.     Generate KEK(Ri, S) using ES-DH
    1b.     Generate CEK(Ri, S)
    1c.     ENC(CEK(Ri, S), KEK(Ri, S))
    1d.     ENC(payload, CEK(Ri, S))
        }
]]></artwork></figure>

</section>
<section anchor="cddl-1"><name>CDDL</name>

<t>The CDDL for the ECDH-ES+AES-KW binary is shown in <xref target="cddl-esdh"/>.
Only the minimum number of parameters is shown. empty_or_serialized_map
and header_map are structures defined in <xref target="RFC9052"/>.</t>

<figure title="CDDL for ES-DH-based Content Key Distribution" anchor="cddl-esdh"><artwork><![CDATA[
SUIT_Encryption_Info_ESDH = #6.96([
  protected   : outer_header_map_protected,
  unprotected : outer_header_map_unprotected,
  ciphertext  : bstr / nil,
  recipients  : [ + COSE_recipient_ESDH ]
])

outer_header_map_protected = empty_or_serialized_map
outer_header_map_unprotected = header_map

COSE_recipient_ESDH = [
  protected   : bstr .cbor recipient_header_map_esdh,
  unprotected : recipient_header_unpr_map_esdh,
  ciphertext  : bstr        ; CEK encrypted with KEK
]

recipient_header_map_esdh =
{
    1 => int,         ; algorithm identifier
  * label => values   ; extension point
}

recipient_header_unpr_map_esdh =
{
  ? 4 => bstr,        ; identifier of the recipient public key
   -1 => COSE_Key,    ; ephemeral public key for the sender
  * label => values   ; extension point
}
]]></artwork></figure>

<t>See <xref target="content-enc"/> for a description on how to encrypt the payload.</t>

</section>
<section anchor="context-information-structure"><name>Context Information Structure</name>

<t>The context information structure is used to ensure that the derived keying material
is "bound" to the context of the transaction. This specification re-uses the structure
defined in Section 5.2 of <xref target="RFC9053"/> and tailors it accordingly.</t>

<t>The following information elements are bound to the context:</t>

<t><list style="symbols">
  <t>the protocol employing the key-derivation method,</t>
  <t>information about the utilized AES Key Wrap algorithm, and the key length.</t>
  <t>the protected header field, which contains the content key encryption algorithm.</t>
</list></t>

<t>The sender and recipient identities are left empty.</t>

<t>The following fields in <xref target="cddl-context-info"/> require an explanation:</t>

<t><list style="symbols">
  <t>The COSE_KDF_Context.AlgorithmID field MUST contain the algorithm identifier
for AES Key Wrap algorithm utilized. This specification uses the following
values: A128KW (value -3), A192KW (value -4), or A256KW (value -5)</t>
  <t>The COSE_KDF_Context.SuppPubInfo.keyDataLength field MUST contain the key length
of the algorithm in the COSE_KDF_Context.AlgorithmID field expressed as the number
of bits. For A128KW the value is 128, for A192KW the value is 192, and for A256KW
the value 256.</t>
  <t>The COSE_KDF_Context.SuppPubInfo.other field captures the protocol in
which the ES-DH content key distribution algorithm is used and MUST be set to
the constant string "SUIT Payload Encryption".</t>
  <t>The COSE_KDF_Context.SuppPubInfo.protected field MUST contain the serialized
content of the recipient_header_map_esdh field, which contains (among other fields)
the identifier of the content key distribution method.</t>
</list></t>

<figure title="CDDL for COSE_KDF_Context Structure" anchor="cddl-context-info"><sourcecode type="CDDL"><![CDATA[
COSE_KDF_Context = [
    AlgorithmID : int,
    PartyUInfo : [ PartyInfoSender ],
    PartyVInfo : [ PartyInfoRecipient ],
    SuppPubInfo : [
        keyDataLength : uint,
        protected : bstr,
        other: 'SUIT Payload Encryption'
    ],
    ? SuppPrivInfo : bstr
]

PartyInfoSender = (
    identity : nil,
    nonce : nil,
    other : nil
)

PartyInfoRecipient = (
    identity : nil,
    nonce : nil,
    other : nil
)
]]></sourcecode></figure>

<t>The HKDF-based key derivation function MAY contain a salt value,
as described in Section 5.1 of <xref target="RFC9053"/>. This optional value is used to
influence the key generation process. This specification does not mandate the
use of a salt value. If the salt is public and carried in the message, then
the "salt" algorithm header parameter MUST be used. The purpose of the salt
is to provide extra randomness in the KDF context. If the salt is sent
in the 'salt' algorithm header parameter, then the receiver MUST be able to
process the salt and MUST pass it into the key derivation function.
For more information about the salt, see <xref target="RFC5869"/> and NIST
SP800-56 <xref target="SP800-56"/>.</t>

<t>Profiles of this specification MAY specify an extended version of the
context information structure or MAY utilize a different context information
structure.</t>

</section>
</section>
</section>
<section anchor="content-enc"><name>Content Encryption</name>

<t>This section summarizes the steps taken for content encryption, which
applies to both content key distribution methods.</t>

<t>For use with AEAD ciphers, such as AES-GCM and ChaCha20/Poly1305,
the COSE specification requires a consistent byte
stream for the authenticated data structure to be created. This structure
is shown in <xref target="cddl-enc-aeskw"/> and is defined in Section 5.3 of <xref target="RFC9052"/>.</t>

<figure title="CDDL for Enc_structure Data Structure" anchor="cddl-enc-aeskw"><artwork><![CDATA[
 Enc_structure = [
   context : "Encrypt",
   protected : empty_or_serialized_map,
   external_aad : bstr
 ]
]]></artwork></figure>

<t>This Enc_structure needs to be populated as follows:</t>

<t><list style="symbols">
  <t>The protected field in the Enc_structure from <xref target="cddl-enc-aeskw"/> refers
to the content of the protected field from the COSE_Encrypt structure.</t>
  <t>The value of the external_aad MUST be set to a zero-length byte string,
i.e., h'' in diagnostic notation and encoded as 0x40.</t>
</list></t>

<t>Some ciphers provide confidentiality without integrity protection, such
as AES-CTR and AES-CBC (see <xref target="RFC9459"/>). For these ciphers the
Enc_structure, shown in <xref target="cddl-enc-aeskw"/>, MUST NOT be used because
the Additional Authenticated Data (AAD) byte string is only consumable
by AEAD ciphers. Hence, the AAD structure is not supplied to the 
API of those ciphers and the protected header in the SUIT_Encryption_Info
structure MUST be a zero-length byte string.</t>

<section anchor="aes-gcm"><name>AES-GCM</name>

<section anchor="introduction-3"><name>Introduction</name>

<t>AES-GCM is an AEAD cipher and provides confidentiality and integrity protection.</t>

<t>Examples in this section use the following parameters:</t>

<t><list style="symbols">
  <t>Algorithm for payload encryption: AES-GCM-128
  <list style="symbols">
      <t>k: h'15F785B5C931414411B4B71373A9C0F7'</t>
      <t>IV: h'F14AAB9D81D51F7AD943FE87AF4F70CD'</t>
    </list></t>
  <t>Plaintext: "This is a real firmware image."
  <list style="symbols">
      <t>in hex: 546869732069732061207265616C206669726D7761726520696D6167652E</t>
    </list></t>
</list></t>

</section>
<section anchor="aes-kw-aes-gcm-example"><name>AES-KW + AES-GCM Example</name>

<t>This example uses the following parameters:</t>

<t><list style="symbols">
  <t>Algorithm id for key wrap: A128KW</t>
  <t>KEK COSE_Key (Secret Key):
  <list style="symbols">
      <t>kty: Symmetric</t>
      <t>k: 'aaaaaaaaaaaaaaaa'</t>
      <t>kid: 'kid-1'</t>
    </list></t>
</list></t>

<t>The COSE_Encrypt structure, in hex format, is (with a line break inserted):</t>

<figure><artwork><![CDATA[
D8608443A10101A10550F14AAB9D81D51F7AD943FE87AF4F70CDF6818340
A2012204456B69642D31581875603FFC9518D794713C8CA8A115A7FB3256
5A6D59534D62
]]></artwork></figure>

<t>The resulting COSE_Encrypt structure in a diagnostic format is shown in
<xref target="aeskw-aesgcm-example"/>.</t>

<figure title="COSE_Encrypt Example for AES Key Wrap" anchor="aeskw-aesgcm-example"><artwork><![CDATA[
96([
  / protected: / << {
    / alg / 1: 1 / AES-GCM-128 /
  } >>,
  / unprotected: / {
    / IV / 5: h'F14AAB9D81D51F7AD943FE87AF4F70CD'
  },
  / payload: / null / detached ciphertext /,
  / recipients: / [
    [
      / protected: / h'',
      / unprotected: / {
        / alg / 1: -3 / A128KW /,
        / kid / 4: 'kid-1'
      },
      / payload: /
        h'75603FFC9518D794713C8CA8A115A7FB32565A6D59534D62'
        / CEK encrypted with KEK /
    ]
  ]
])
]]></artwork></figure>

<t>The encrypted payload (with a line feed added) was:</t>

<figure><artwork><![CDATA[
2F59C3A34D9570FB99A5382E66466A3221A8AD85CE508BA306FB431A60EF
A5AAAA078355070205A4B196832DF17F
]]></artwork></figure>

</section>
<section anchor="ecdh-esaes-kw-aes-gcm-example"><name>ECDH-ES+AES-KW + AES-GCM Example</name>

<t>This example uses the following parameters:</t>

<t><list style="symbols">
  <t>Algorithm for content key distribution: ECDH-ES + A128KW</t>
  <t>KEK COSE_Key (Receiver's Private Key):
  <list style="symbols">
      <t>kty: EC2</t>
      <t>crv: P-256</t>
      <t>x: h'5886CD61DD875862E5AAA820E7A15274C968A9BC96048DDCACE32F50C3651BA3'</t>
      <t>y: h'9EED8125E932CD60C0EAD3650D0A485CF726D378D1B016ED4298B2961E258F1B'</t>
      <t>d: h'60FE6DD6D85D5740A5349B6F91267EEAC5BA81B8CB53EE249E4B4EB102C476B3'</t>
      <t>kid: 'kid-2'</t>
    </list></t>
  <t>KDF Context
  <list style="symbols">
      <t>Algorithm ID: 1 (A128GCM)</t>
      <t>SuppPubInfo
      <list style="symbols">
          <t>keyDataLength: 128</t>
          <t>protected: { / alg / 1: -29 / ECDH-ES+A128KW / }</t>
          <t>other: 'SUIT Payload Encryption'</t>
        </list></t>
    </list></t>
</list></t>

<t>The COSE_Encrypt structure, in hex format, is (with a line break inserted):</t>

<figure><artwork><![CDATA[
D8608443A10101A10550F14AAB9D81D51F7AD943FE87AF4F70CDF6818344
A101381CA120A40102200121582038876D8B4552E6BC9484A3F06E3646B3
0AEFF51B95583CFFA0B5776D5273494222582034577AB5DD17276BB6BF15
AA465310371557AFF61FAC5BA5A1EFF46698DD8B7B5818C36BF2E8843246
F0E148DBA607375204A040D8B19629B2B5
]]></artwork></figure>

<t>The resulting COSE_Encrypt structure in a diagnostic format is shown in
<xref target="esdh-aesgcm-example"/>.</t>

<figure title="COSE_Encrypt Example for ES-DH" anchor="esdh-aesgcm-example"><artwork><![CDATA[
96([
  / protected: / << {
    / alg / 1: 1 / AES-GCM-128 /
  } >>,
  / unprotected: / {
    / IV / 5: h'F14AAB9D81D51F7AD943FE87AF4F70CD'
  },
  / payload: / null / detached ciphertext /,
  / recipients: / [
    [
      / protected: / << {
        / alg / 1: -29 / ECDH-ES + A128KW /
      } >>,
      / unprotected: / {
        / ephemeral key / -1: {
          / kty / 1: 2 / EC2 /,
          / crv / -1: 1 / P-256 /,
          / x / -2: h'38876D8B4552E6BC9484A3F06E3646B3
                      0AEFF51B95583CFFA0B5776D52734942',
          / y / -3: h'34577AB5DD17276BB6BF15AA46531037
                      1557AFF61FAC5BA5A1EFF46698DD8B7B'
        }
      },
      / payload:
        / h'C36BF2E8843246F0E148DBA607375204A040D8B19629B2B5'
        / CEK encrypted with KEK /
    ]
  ]
])
]]></artwork></figure>

<t>The encrypted payload (with a line feed added) was:</t>

<figure><artwork><![CDATA[
2F59C3A34D9570FB99A5382E66466A3221A8AD85CE508BA306FB431A60EF
A5AAAA078355070205A4B196832DF17F
]]></artwork></figure>

</section>
</section>
<section anchor="aes-ctr"><name>AES-CTR</name>

<section anchor="introduction-4"><name>Introduction</name>

<t>AES-CTR is a non-AEAD cipher, provides confidentiality but no integrity protection.
Unlike AES-CBC, AES-CTR uses an IV per AES operation, as shown in <xref target="aes-ctr-fig"/>.
Hence, when an image is encrypted using AES-CTR-128 or AES-CTR-256, the IV MUST
start with zero (0) and MUST be incremented by one for each 16-byte plaintext block
within the entire slot.</t>

<t>Using the previous example with a slot size of 64 KiB, the sector size 4096 bytes and
the AES plaintext block size of 16 byte requires IVs from 0 to 255 in the first sector
and 16 * 256 IVs for the remaining sectors in the slot.</t>

<figure title="AES-CTR Operation" anchor="aes-ctr-fig"><artset><artwork  type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="320" width="248" viewBox="0 0 248 320" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px">
<path d="M 56,96 L 56,176" fill="none" stroke="black"/>
<path d="M 88,48 L 88,88" fill="none" stroke="black"/>
<path d="M 88,184 L 88,240" fill="none" stroke="black"/>
<path d="M 120,96 L 120,176" fill="none" stroke="black"/>
<path d="M 176,96 L 176,176" fill="none" stroke="black"/>
<path d="M 208,48 L 208,88" fill="none" stroke="black"/>
<path d="M 208,184 L 208,240" fill="none" stroke="black"/>
<path d="M 240,96 L 240,176" fill="none" stroke="black"/>
<path d="M 56,96 L 120,96" fill="none" stroke="black"/>
<path d="M 176,96 L 240,96" fill="none" stroke="black"/>
<path d="M 56,176 L 120,176" fill="none" stroke="black"/>
<path d="M 176,176 L 240,176" fill="none" stroke="black"/>
<path d="M 64,208 L 96,208" fill="none" stroke="black"/>
<path d="M 184,208 L 216,208" fill="none" stroke="black"/>
<g class="text">
<text x="88" y="36">IV1</text>
<text x="208" y="36">IV2</text>
<text x="40" y="148">k--</text>
<text x="80" y="148">E</text>
<text x="160" y="148">k--</text>
<text x="200" y="148">E</text>
<text x="52" y="212">P1</text>
<text x="172" y="212">P2</text>
<text x="92" y="260">C1</text>
<text x="212" y="260">C2</text>
<text x="32" y="292">Legend:</text>
<text x="32" y="308">See</text>
<text x="84" y="308">previous</text>
<text x="156" y="308">diagram.</text>
</g>
</svg>
</artwork><artwork  type="ascii-art"><![CDATA[
         IV1            IV2
          |              |
          |              |
          |              |
      +-------+      +-------+
      |       |      |       |
      |       |      |       |
   k--|  E    |   k--|  E    |
      |       |      |       |
      +-------+      +-------+
          |              |
     P1--(+)        P2--(+)
          |              |
          |              |
          C1             C2

Legend: 
  See previous diagram.
]]></artwork></artset></figure>

<t>Examples in this section use the following parameters:</t>

<t><list style="symbols">
  <t>Algorithm for payload encryption: AES-CTR-128
  <list style="symbols">
      <t>k: h'261DE6165070FB8951EC5D7B92A065FE'</t>
      <t>IV: h'DAE613B2E0DC55F4322BE38BDBA9DC68'</t>
    </list></t>
  <t>Plaintext: "This is a real firmware image."
  <list style="symbols">
      <t>in hex: 546869732069732061207265616C206669726D7761726520696D6167652E</t>
    </list></t>
</list></t>

</section>
<section anchor="aes-kw-aes-ctr-example"><name>AES-KW + AES-CTR Example</name>

<t>This example uses the following parameters:</t>

<t><list style="symbols">
  <t>Algorithm id for key wrap: A128KW</t>
  <t>KEK COSE_Key (Secret Key):
  <list style="symbols">
      <t>kty: Symmetric</t>
      <t>k: 'aaaaaaaaaaaaaaaa'</t>
      <t>kid: 'kid-1'</t>
    </list></t>
</list></t>

<t>The COSE_Encrypt structure, in hex format, is (with a line break inserted):</t>

<figure><artwork><![CDATA[
D8608440A20139FFFD0550DAE613B2E0DC55F4322BE38BDBA9DC68F68183
40A2012204456B69642D315818CE34035CE5C2E2666E46D4C131FC561DD1
90A6D26CFA1990
]]></artwork></figure>

<t>The resulting COSE_Encrypt structure in a diagnostic format is shown in
<xref target="aeskw-aesctr-example"/>.</t>

<figure title="COSE_Encrypt Example for AES Key Wrap" anchor="aeskw-aesctr-example"><artwork><![CDATA[
96([
  / protected: / h'',
  / unprotected: / {
    / alg / 1: -65534 / A128CTR /,
    / IV / 5: h'DAE613B2E0DC55F4322BE38BDBA9DC68'
  },
  / payload: / null / detached ciphertext /,
  / recipients: / [
    [
      / protected: / h'',
      / unprotected: / {
        / alg / 1: -3 / A128KW /,
        / kid / 4: 'kid-1'
      },
      / payload: /
        h'CE34035CE5C2E2666E46D4C131FC561DD190A6D26CFA1990'
        / CEK encrypted with KEK /
    ]
  ]
])
]]></artwork></figure>

<t>The encrypted payload (with a line feed added) was:</t>

<figure><artwork><![CDATA[
2BB8DB522AE978246CC775C3B0241BD4B0333FFDD2DB70C7EE7A4966E3B7
]]></artwork></figure>

</section>
<section anchor="ecdh-esaes-kw-aes-ctr-example"><name>ECDH-ES+AES-KW + AES-CTR Example</name>

<t>This example uses the following parameters:</t>

<t><list style="symbols">
  <t>Algorithm for content key distribution: ECDH-ES + A128KW</t>
  <t>KEK COSE_Key (Receiver's Private Key):
  <list style="symbols">
      <t>kty: EC2</t>
      <t>crv: P-256</t>
      <t>x: h'5886CD61DD875862E5AAA820E7A15274C968A9BC96048DDCACE32F50C3651BA3'</t>
      <t>y: h'9EED8125E932CD60C0EAD3650D0A485CF726D378D1B016ED4298B2961E258F1B'</t>
      <t>d: h'60FE6DD6D85D5740A5349B6F91267EEAC5BA81B8CB53EE249E4B4EB102C476B3'</t>
      <t>kid: 'kid-2'</t>
    </list></t>
  <t>KDF Context
  <list style="symbols">
      <t>Algorithm ID: -65534 (A128CTR)</t>
      <t>SuppPubInfo
      <list style="symbols">
          <t>keyDataLength: 128</t>
          <t>protected: { / alg / 1: -29 / ECDH-ES+A128KW / }</t>
          <t>other: 'SUIT Payload Encryption'</t>
        </list></t>
    </list></t>
</list></t>

<t>The COSE_Encrypt structure, in hex format, is (with a line break inserted):</t>

<figure><artwork><![CDATA[
D8608440A20139FFFD0550DAE613B2E0DC55F4322BE38BDBA9DC68F68183
44A101381CA120A40102200121582050364E4DF3F5E8749D98E4378C04FA
FE643B6ACEE7138382D83F768C7186FB8522582099E6C96BEF3952B12EF8
3921B1749475D767284AA42D74D8923C137B01EDF5A05818E8599DCEE494
4EECA9781D3ECDE3D9C34E1C9FCE8906617F
]]></artwork></figure>

<t>The resulting COSE_Encrypt structure in a diagnostic format is shown in
<xref target="esdh-aesctr-example"/>.</t>

<figure title="COSE_Encrypt Example for ES-DH" anchor="esdh-aesctr-example"><artwork><![CDATA[
96([
  / protected: / h'',
  / unprotected: / {
    / alg / 1: -65534 / A128CTR /,
    / IV / 5: h'DAE613B2E0DC55F4322BE38BDBA9DC68'
  },
  / payload: / null / detached ciphertext /,
  / recipients: / [
    [
      / protected: / << {
        / alg / 1: -29 / ECDH-ES + A128KW /
      } >>,
      / unprotected: / {
        / ephemeral key / -1: {
          / kty / 1: 2 / EC2 /,
          / crv / -1: 1 / P-256 /,
          / x / -2: h'50364E4DF3F5E8749D98E4378C04FAFE643B6ACEE7138382D83F768C7186FB85',
          / y / -3: h'99E6C96BEF3952B12EF83921B1749475D767284AA42D74D8923C137B01EDF5A0'
        }
      },
      / payload: / h'E8599DCEE4944EECA9781D3ECDE3D9C34E1C9FCE8906617F'
        / CEK encrypted with KEK /
    ]
  ]
])
]]></artwork></figure>

<t>The encrypted payload (with a line feed added) was:</t>

<figure><artwork><![CDATA[
2BB8DB522AE978246CC775C3B0241BD4B0333FFDD2DB70C7EE7A4966E3B7
]]></artwork></figure>

</section>
</section>
<section anchor="aes-cbc"><name>AES-CBC</name>

<section anchor="introduction-5"><name>Introduction</name>

<t>AES-CBC is a non-AEAD cipher, provides confidentiality but no integrity protection.
In AES-CBC, a single IV is used for encryption of firmware belonging to a single sector,
since individual AES blocks are chained together, as shown in <xref target="aes-cbc-fig"/>. The
numbering  of sectors in a slot MUST start with zero (0) and MUST increase by one with
every sector till the end of the slot is reached. The IV follows this numbering.</t>

<t>For example, let us assume the slot size of a specific flash controller on an IoT device
is 64 KiB, the sector size 4096 bytes (4 KiB) and AES-128-CBC uses an AES-block size of
128 bit (16 bytes). Hence, sector 0 needs 4096/16=256 AES-128-CBC operations using IV 0.
If the firmware image fills the entire slot, then that slot contains 16 sectors, i.e. IVs
ranging from 0 to 15.</t>

<figure title="AES-CBC Operation" anchor="aes-cbc-fig"><artset><artwork  type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="400" width="232" viewBox="0 0 232 400" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px">
<path d="M 40,112 L 40,192" fill="none" stroke="black"/>
<path d="M 72,48 L 72,104" fill="none" stroke="black"/>
<path d="M 72,200 L 72,256" fill="none" stroke="black"/>
<path d="M 104,112 L 104,192" fill="none" stroke="black"/>
<path d="M 120,64 L 120,224" fill="none" stroke="black"/>
<path d="M 160,112 L 160,192" fill="none" stroke="black"/>
<path d="M 192,48 L 192,104" fill="none" stroke="black"/>
<path d="M 192,200 L 192,256" fill="none" stroke="black"/>
<path d="M 224,112 L 224,192" fill="none" stroke="black"/>
<path d="M 48,64 L 80,64" fill="none" stroke="black"/>
<path d="M 120,64 L 200,64" fill="none" stroke="black"/>
<path d="M 40,112 L 104,112" fill="none" stroke="black"/>
<path d="M 160,112 L 224,112" fill="none" stroke="black"/>
<path d="M 40,192 L 104,192" fill="none" stroke="black"/>
<path d="M 160,192 L 224,192" fill="none" stroke="black"/>
<path d="M 72,224 L 120,224" fill="none" stroke="black"/>
<path d="M 24,384 L 40,384" fill="none" stroke="black"/>
<g class="text">
<text x="68" y="36">P1</text>
<text x="196" y="36">P2</text>
<text x="36" y="68">IV</text>
<text x="24" y="164">k--</text>
<text x="64" y="164">E</text>
<text x="144" y="164">k--</text>
<text x="184" y="164">E</text>
<text x="76" y="276">C1</text>
<text x="196" y="276">C2</text>
<text x="32" y="308">Legend:</text>
<text x="28" y="324">Pi</text>
<text x="48" y="324">=</text>
<text x="96" y="324">Plaintext</text>
<text x="164" y="324">blocks</text>
<text x="28" y="340">Ci</text>
<text x="48" y="340">=</text>
<text x="100" y="340">Ciphertext</text>
<text x="172" y="340">blocks</text>
<text x="24" y="356">E</text>
<text x="40" y="356">=</text>
<text x="92" y="356">Encryption</text>
<text x="172" y="356">function</text>
<text x="24" y="372">k</text>
<text x="40" y="372">=</text>
<text x="88" y="372">Symmetric</text>
<text x="144" y="372">key</text>
<text x="56" y="388">=</text>
<text x="80" y="388">XOR</text>
<text x="136" y="388">operation</text>
</g>
</svg>
</artwork><artwork  type="ascii-art"><![CDATA[
       P1              P2
        |              |
   IV--(+)    +-------(+)
        |     |        |
        |     |        |
    +-------+ |    +-------+
    |       | |    |       |
    |       | |    |       |
 k--|  E    | | k--|  E    |
    |       | |    |       |
    +-------+ |    +-------+
        |     |        |
        +-----+        |
        |              |
        |              |
        C1             C2

Legend: 
  Pi = Plaintext blocks
  Ci = Ciphertext blocks
  E = Encryption function
  k = Symmetric key
  (+) = XOR operation
]]></artwork></artset></figure>

<t>Examples in this section use the following parameters:</t>

<t><list style="symbols">
  <t>Algorithm for payload encryption: AES-CTR-128
  <list style="symbols">
      <t>k: h'627FCF0EA82C967D5ED8981EB325F303'</t>
      <t>IV: h'93702C81590F845D9EC866CCAC767BD1'</t>
    </list></t>
  <t>Plaintext: "This is a real firmware image."
  <list style="symbols">
      <t>in hex: 546869732069732061207265616C206669726D7761726520696D6167652E</t>
    </list></t>
</list></t>

</section>
<section anchor="aes-kw-aes-cbc-example"><name>AES-KW + AES-CBC Example</name>

<t>This example uses the following parameters:</t>

<t><list style="symbols">
  <t>Algorithm id for key wrap: A128KW</t>
  <t>KEK COSE_Key (Secret Key):
  <list style="symbols">
      <t>kty: Symmetric</t>
      <t>k: 'aaaaaaaaaaaaaaaa'</t>
      <t>kid: 'kid-1'</t>
    </list></t>
</list></t>

<t>The COSE_Encrypt structure, in hex format, is (with a line break inserted):</t>

<figure><artwork><![CDATA[
D8608440A20139FFFA055093702C81590F845D9EC866CCAC767BD1F68183
40A2012204456B69642D315818E198FF269626EC43299D33586FC7B2646B
13292261160422
]]></artwork></figure>

<t>The resulting COSE_Encrypt structure in a diagnostic format is shown in
<xref target="aeskw-aescbc-example"/>.</t>

<figure title="COSE_Encrypt Example for AES Key Wrap" anchor="aeskw-aescbc-example"><artwork><![CDATA[
96([
  / protected: / h'',
  / unprotected: / {
    / alg / 1: -65531 / A128CBC /,
    / IV / 5: h'93702C81590F845D9EC866CCAC767BD1'
  },
  / payload: / null / detached ciphertext /,
  / recipients: / [
    [
      / protected: / h'',
      / unprotected: / {
        / alg / 1: -3 / A128KW /,
        / kid / 4: 'kid-1'
      },
      / payload: /
        h'E198FF269626EC43299D33586FC7B2646B13292261160422'
        / CEK encrypted with KEK /
    ]
  ]
])
]]></artwork></figure>

<t>The encrypted payload (with a line feed added) was:</t>

<figure><artwork><![CDATA[
9C09156CF4ACE0401086D98586E0B09FA5B5CF78F2BCCBF6C914DDB42BF0
E21E
]]></artwork></figure>

</section>
<section anchor="ecdh-esaes-kw-aes-cbc-example"><name>ECDH-ES+AES-KW + AES-CBC Example</name>

<t>This example uses the following parameters:</t>

<t><list style="symbols">
  <t>Algorithm for content key distribution: ECDH-ES + A128KW</t>
  <t>KEK COSE_Key (Receiver's Private Key):
  <list style="symbols">
      <t>kty: EC2</t>
      <t>crv: P-256</t>
      <t>x: h'5886CD61DD875862E5AAA820E7A15274C968A9BC96048DDCACE32F50C3651BA3'</t>
      <t>y: h'9EED8125E932CD60C0EAD3650D0A485CF726D378D1B016ED4298B2961E258F1B'</t>
      <t>d: h'60FE6DD6D85D5740A5349B6F91267EEAC5BA81B8CB53EE249E4B4EB102C476B3'</t>
      <t>kid: 'kid-2'</t>
    </list></t>
  <t>KDF Context
  <list style="symbols">
      <t>Algorithm ID: -65531 (A128CBC)</t>
      <t>SuppPubInfo
      <list style="symbols">
          <t>keyDataLength: 128</t>
          <t>protected: { / alg / 1: -29 / ECDH-ES+A128KW / }</t>
          <t>other: 'SUIT Payload Encryption'</t>
        </list></t>
    </list></t>
</list></t>

<t>The COSE_Encrypt structure, in hex format, is (with a line break inserted):</t>

<figure><artwork><![CDATA[
D8608440A20139FFFA055093702C81590F845D9EC866CCAC767BD1F68183
44A101381CA120A401022001215820BC6A2DCD5025C8C0F7A5D120EB3E45
8CA722F8FB94BD56A24709CB15A869748922582010136574F673511540FE
2A8589A7EDA372CB7B1AF94A8E1B4B94F6BDBD98AA185818AC8CDFB54264
22298FCF235EB5F24D9E4C44C1689167473A
]]></artwork></figure>

<t>The resulting COSE_Encrypt structure in a diagnostic format is shown in
<xref target="esdh-aescbc-example"/>.</t>

<figure title="COSE_Encrypt Example for ES-DH" anchor="esdh-aescbc-example"><artwork><![CDATA[
96([
  / protected: / h'',
  / unprotected: / {
    / alg / 1: -65531 / A128CBC /,
    / IV / 5: h'93702C81590F845D9EC866CCAC767BD1'
  },
  / payload: / null / detached ciphertext /,
  / recipients: / [
    [
      / protected: / << {
        / alg / 1: -29 / ECDH-ES + A128KW /
      } >>,
      / unprotected: / {
        / ephemeral key / -1: {
          / kty / 1: 2 / EC2 /,
          / crv / -1: 1 / P-256 /,
          / x / -2: h'BC6A2DCD5025C8C0F7A5D120EB3E458CA722F8FB94BD56A24709CB15A8697489',
          / y / -3: h'10136574F673511540FE2A8589A7EDA372CB7B1AF94A8E1B4B94F6BDBD98AA18'
        }
      },
      / payload: / h'AC8CDFB5426422298FCF235EB5F24D9E4C44C1689167473A'
        / CEK encrypted with KEK /
    ]
  ]
])
]]></artwork></figure>

<t>The encrypted payload (with a line feed added) was:</t>

<figure><artwork><![CDATA[
9C09156CF4ACE0401086D98586E0B09FA5B5CF78F2BCCBF6C914DDB42BF0
E21E
]]></artwork></figure>

</section>
</section>
</section>
<section anchor="integrity-check-on-encrypted-and-decrypted-payloads"><name>Integrity Check on Encrypted and Decrypted Payloads</name>

<t>In addition to suit-condition-image-match (see Section 8.4.9.2 of 
<xref target="I-D.ietf-suit-manifest"/>),
AEAD algorithms used for content encryption provides another way
to validate the integrity of components.
This section provides a guideline to construct secure but not redundant
SUIT Manifest for encrypted payloads.</t>

<section anchor="validating-payload-integrity"><name>Validating Payload Integrity</name>

<t>This sub-section explains three ways to validate the integrity
of payloads.</t>

<section anchor="image-match-after-decryption"><name>Image Match after Decryption</name>

<t>The suit-condition-image-match on the plaintext payload is used after decryption.
An example command sequence is shown in <xref target="_figure-image-match-after-decryption"/>.</t>

<figure title="Check Image Match After Decryption" anchor="_figure-image-match-after-decryption"><artwork><![CDATA[
/ directive-set-component-index / 12, 1,
/ directive-override-parameters / 20, {
  / parameter-uri / 21: "http://example.com/encrypted.bin"
},
/ directive-fetch / 21, 15,

/ directive-set-component-index / 12, 0,
/ directive-override-parameters / 20, {
  / parameter-image-digest / 3: << {
    / algorithm-id: / -16 / SHA256 /,
    / digest-bytes: / h'3B1...92A' / digest of plaintext payload /
  } >>,
  / parameter-image-size / 14: 30 / size of plaintext payload /,
  / parameter-encryption-info / TBD19: h'369...50F',
  / parameter-source-component / 22: 1
},
/ directive-copy / 22, 15,
/ condition-image-match / 3, 15 / integrity check on decrypted payload /,
]]></artwork></figure>

<t>RFC Editor's Note (TBD19): The value for the suit-parameter-encryption-info
parameter is set to 19, as the proposed value.</t>

</section>
<section anchor="image-match-before-decryption"><name>Image Match before Decryption</name>

<t>The suit-condition-image-match can also be applied on encrypted payloads
before decryption takes place. An example command sequence is shown in
<xref target="_figure-image-match-before-decryption"/>.</t>

<t>This option mitigates battery exhaustion attacks discussed in <xref target="sec-cons"/>.</t>

<figure title="Check Image Match Before Decryption" anchor="_figure-image-match-before-decryption"><artwork><![CDATA[
/ directive-set-component-index / 12, 1,
/ directive-override-parameters / 20, {
  / parameter-image-digest / 3: << {
    / algorithm-id: / -16 / SHA256 /,
    / digest-bytes: / h'8B4...D34' / digest of encrypted payload /
  } >>,
  / parameter-image-size / 14: 30 / size of encrypted payload /,
  / parameter-uri / 21: "http://example.com/encrypted.bin"
},
/ directive-fetch / 21, 15,
/ condition-image-match / 3, 15 / integrity check on encrypted payload /,

/ directive-set-component-index / 12, 0,
/ directive-override-parameters / 20, {
  / parameter-encryption-info / TBD19: h'D86...1F0',
  / parameter-source-component / 22: 1
},
/ directive-copy / 22, 15,
]]></artwork></figure>

<t>RFC Editor's Note (TBD19): The value for the suit-parameter-encryption-info
parameter is set to 19, as the proposed value.</t>

</section>
<section anchor="checking-authentication-tag-while-decrypting"><name>Checking Authentication Tag while Decrypting</name>

<t>AEAD algorithms, such as AES-GCM and ChaCha20/Poly1305, verify the integrity of
the encrypted concent.</t>

</section>
</section>
<section anchor="payload-integrity-validation"><name>Payload Integrity Validation</name>

<t>This sub-section provides a guideline to decide
how to validate the integrity of the payloads with the SUIT manifest.
<xref target="payload-integrity-decision-tree"/> illustrates a decision tree
to decide how to establish payload integrity.</t>

<figure title="Decision Tree: Validating the Payload" anchor="payload-integrity-decision-tree"><artset><artwork  type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="400" width="408" viewBox="0 0 408 400" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px">
<path d="M 8,32 L 8,64" fill="none" stroke="black"/>
<path d="M 8,352 L 8,368" fill="none" stroke="black"/>
<path d="M 24,64 L 24,328" fill="none" stroke="black"/>
<path d="M 64,240 L 64,272" fill="none" stroke="black"/>
<path d="M 80,272 L 80,328" fill="none" stroke="black"/>
<path d="M 96,352 L 96,368" fill="none" stroke="black"/>
<path d="M 136,128 L 136,176" fill="none" stroke="black"/>
<path d="M 136,352 L 136,368" fill="none" stroke="black"/>
<path d="M 152,176 L 152,232" fill="none" stroke="black"/>
<path d="M 192,272 L 192,328" fill="none" stroke="black"/>
<path d="M 208,240 L 208,272" fill="none" stroke="black"/>
<path d="M 248,352 L 248,368" fill="none" stroke="black"/>
<path d="M 288,352 L 288,368" fill="none" stroke="black"/>
<path d="M 384,64 L 384,120" fill="none" stroke="black"/>
<path d="M 384,176 L 384,328" fill="none" stroke="black"/>
<path d="M 400,32 L 400,64" fill="none" stroke="black"/>
<path d="M 400,128 L 400,176" fill="none" stroke="black"/>
<path d="M 400,352 L 400,368" fill="none" stroke="black"/>
<path d="M 8,32 L 400,32" fill="none" stroke="black"/>
<path d="M 8,64 L 400,64" fill="none" stroke="black"/>
<path d="M 136,128 L 400,128" fill="none" stroke="black"/>
<path d="M 136,176 L 400,176" fill="none" stroke="black"/>
<path d="M 64,240 L 208,240" fill="none" stroke="black"/>
<path d="M 64,272 L 208,272" fill="none" stroke="black"/>
<path d="M 24,336 L 80,336" fill="none" stroke="black"/>
<path d="M 152,336 L 232,336" fill="none" stroke="black"/>
<path d="M 304,336 L 384,336" fill="none" stroke="black"/>
<path d="M 24,384 L 80,384" fill="none" stroke="black"/>
<path d="M 152,384 L 232,384" fill="none" stroke="black"/>
<path d="M 304,384 L 384,384" fill="none" stroke="black"/>
<path d="M 24,336 C 15.16936,336 8,343.16936 8,352" fill="none" stroke="black"/>
<path d="M 80,336 C 88.83064,336 96,343.16936 96,352" fill="none" stroke="black"/>
<path d="M 152,336 C 143.16936,336 136,343.16936 136,352" fill="none" stroke="black"/>
<path d="M 232,336 C 240.83064,336 248,343.16936 248,352" fill="none" stroke="black"/>
<path d="M 304,336 C 295.16936,336 288,343.16936 288,352" fill="none" stroke="black"/>
<path d="M 384,336 C 392.83064,336 400,343.16936 400,352" fill="none" stroke="black"/>
<path d="M 24,384 C 15.16936,384 8,376.83064 8,368" fill="none" stroke="black"/>
<path d="M 80,384 C 88.83064,384 96,376.83064 96,368" fill="none" stroke="black"/>
<path d="M 152,384 C 143.16936,384 136,376.83064 136,368" fill="none" stroke="black"/>
<path d="M 232,384 C 240.83064,384 248,376.83064 248,368" fill="none" stroke="black"/>
<path d="M 304,384 C 295.16936,384 288,376.83064 288,368" fill="none" stroke="black"/>
<path d="M 384,384 C 392.83064,384 400,376.83064 400,368" fill="none" stroke="black"/>
<polygon class="arrowhead" points="392,328 380,322.4 380,333.6 " fill="black" transform="rotate(90,384,328)"/>
<polygon class="arrowhead" points="392,120 380,114.4 380,125.6 " fill="black" transform="rotate(90,384,120)"/>
<polygon class="arrowhead" points="200,328 188,322.4 188,333.6 " fill="black" transform="rotate(90,192,328)"/>
<polygon class="arrowhead" points="160,232 148,226.4 148,237.6 " fill="black" transform="rotate(90,152,232)"/>
<polygon class="arrowhead" points="88,328 76,322.4 76,333.6 " fill="black" transform="rotate(90,80,328)"/>
<polygon class="arrowhead" points="32,328 20,322.4 20,333.6 " fill="black" transform="rotate(90,24,328)"/>
<g class="text">
<text x="136" y="52">Q1.</text>
<text x="184" y="52">Payload</text>
<text x="252" y="52">Delivery</text>
<text x="44" y="100">in</text>
<text x="88" y="100">Content</text>
<text x="348" y="100">others</text>
<text x="200" y="148">Q2.</text>
<text x="252" y="148">Mitigate</text>
<text x="320" y="148">Battery</text>
<text x="236" y="164">Exhaustion</text>
<text x="312" y="164">Attacks</text>
<text x="172" y="212">No</text>
<text x="360" y="212">Yes</text>
<text x="88" y="260">Q3.</text>
<text x="124" y="260">AEAD</text>
<text x="172" y="260">cipher</text>
<text x="104" y="308">Yes</text>
<text x="172" y="308">No</text>
<text x="48" y="356">NOT</text>
<text x="192" y="356">AFTER</text>
<text x="340" y="356">BEFORE</text>
<text x="52" y="372">Required</text>
<text x="188" y="372">Decryption</text>
<text x="340" y="372">Decryption</text>
</g>
</svg>
</artwork><artwork  type="ascii-art"><![CDATA[
+------------------------------------------------+
|              Q1. Payload Delivery              |
+-+--------------------------------------------+-+
  |                                            |
  | in Content                          others |
  |                                            v
  |             +--------------------------------+
  |             |      Q2. Mitigate Battery      |
  |             |       Exhaustion Attacks       |
  |             +-+----------------------------+-+
  |               |                            |
  |               | No                     Yes |
  |               v                            |
  |    +-----------------+                     |
  |    | Q3. AEAD cipher |                     |
  |    +-+-------------+-+                     |
  |      |             |                       |
  |      | Yes      No |                       |
  v      v             v                       v
 .+------+.      .-----+-----.      .----------+.
|   NOT    |    |    AFTER    |    |   BEFORE    |
| Required |    | Decryption  |    | Decryption  |
 '--------'      '-----------'      '-----------'
]]></artwork></artset></figure>

<t>There are three conditions:</t>

<t><list style="symbols">
  <t>Q1. How does the recipient get the encrypted payload?
If the encrypted payload is an integrated payload,
its integrity is already validated with the suit-authentication-wrapper.
Hence, an additional integrity check is not required.</t>
  <t>Q2. Does the sender want to mitigate battery exhaustion attacks?
If yes, the encrypted payload has to be validated before decryption.</t>
  <t>Q3. Is the payload encrypted with an AEAD cipher?
If yes, the additional integrity check is not required because the recipient validates
the integrity of the payload while decrypting it. If no, validating its integrity
may take place either before or after decryption. Validating the integrity
before decryption is RECOMMENDED.</t>
</list></t>

</section>
</section>
<section anchor="flash"><name>Firmware Updates on IoT Devices with Flash Memory</name>

<t>There are many flavors of embedded devices, the market is large and fragmented.
Hence, it is likely that some implementations and deployments implement their
firmware update procedure differently than described below. On a positive note,
the SUIT manifest allows different deployment scenarios to be supported easily
thanks to the "scripting" functionality offered by the commands.</t>

<t>This section is specific to firmware images on microcontrollers and does
not apply to generic software, configuration data, and machine learning models. 
The differences are the result of two aspects:</t>

<t><list style="symbols">
  <t>Use of flash memory: Flash memory on microcontrollers is a type of non-volatile
memory that erases data in larger units called blocks, pages, or sectors and
re-writes data at the byte level (often 4-bytes) or larger units. Flash memory
is furthermore segmented into different memory regions, which store the
bootloader, different versions of firmware images (in so-called slots), and
configuration data. <xref target="image-layout"/> shows an example layout of a microcontroller
flash area.</t>
  <t>Microcontroller Design: Code on microcontrollers typically cannot be executed
from an arbitrary place in flash memory without extra software
development and design efforts. Hence, developers often compile firmware such
that the bootloader can execute the code from a specific location in flash
memory. Often, the location where the to-be-booted firmware image is found is
called "primary slot".</t>
</list></t>

<t>When the encrypted firmware image has been transferred to the device, it will
typically be stored in a dedicated area called the "secondary slot".</t>

<t>At the next boot, the bootloader will recognize a new firmware image and will
start decrypting the downloaded image sector-by-sector and will swap it with
the image found in the primary slot. This approach of swapping the newly
downloaded image with the previously valid image requires two slots to allow
the update to be reversed in case the newly obtained firmware image fails to
boot. This adds robustness to the firmware update procedure.</t>

<t>The swap will only take place after the signature on the plaintext is verified.
Note that the plaintext firmware image is available in the primary slot only after
the swap has been completed, unless "dummy decrypt" is used to compute the hash
over the plaintext prior to executing the decrypt operation during a swap.
Dummy decryption here refers to the decryption of the firmware image found in
the secondary slot sector-by-sector and computing a rolling hash over the resulting
plaintext firmware image (also sector-by-sector) without performing the swap operation.
While there are performance optimizations possible, such as conveying hashes for
each sector in the manifest rather than a hash of the entire firmware image,
such optimizations are not described in this specification.</t>

<t>Without hardware-based, on-the-fly decryption the image in the primary
slot is available in cleartext. It may need to be re-encrypted before copying it
to the secondary slot. This may be necessary when the secondary slot has different
access permissions or when it is located in off-chip flash memory. Off-chip flash
memory tends to be more vulnerable to physical attacks.</t>

<figure title="Example Flash Area Layout" anchor="image-layout"><artset><artwork  type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="544" width="424" viewBox="0 0 424 544" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px">
<path d="M 8,32 L 8,528" fill="none" stroke="black"/>
<path d="M 416,32 L 416,528" fill="none" stroke="black"/>
<path d="M 8,32 L 416,32" fill="none" stroke="black"/>
<path d="M 8,64 L 416,64" fill="none" stroke="black"/>
<path d="M 8,256 L 416,256" fill="none" stroke="black"/>
<path d="M 8,448 L 416,448" fill="none" stroke="black"/>
<path d="M 8,496 L 416,496" fill="none" stroke="black"/>
<path d="M 8,528 L 416,528" fill="none" stroke="black"/>
<g class="text">
<text x="60" y="52">Bootloader</text>
<text x="48" y="84">Primary</text>
<text x="100" y="84">Slot</text>
<text x="360" y="100">(sector</text>
<text x="404" y="100">1)</text>
<text x="212" y="116">..................................................</text>
<text x="360" y="148">(sector</text>
<text x="404" y="148">2)</text>
<text x="212" y="164">..................................................</text>
<text x="360" y="196">(sector</text>
<text x="404" y="196">3)</text>
<text x="212" y="212">..................................................</text>
<text x="360" y="244">(sector</text>
<text x="404" y="244">4)</text>
<text x="56" y="276">Secondary</text>
<text x="116" y="276">Slot</text>
<text x="360" y="292">(sector</text>
<text x="404" y="292">1)</text>
<text x="212" y="308">..................................................</text>
<text x="360" y="340">(sector</text>
<text x="404" y="340">2)</text>
<text x="212" y="356">..................................................</text>
<text x="360" y="388">(sector</text>
<text x="404" y="388">3)</text>
<text x="212" y="404">..................................................</text>
<text x="360" y="436">(sector</text>
<text x="404" y="436">4)</text>
<text x="36" y="468">Swap</text>
<text x="76" y="468">Area</text>
<text x="72" y="516">Configuration</text>
<text x="148" y="516">Data</text>
</g>
</svg>
</artwork><artwork  type="ascii-art"><![CDATA[
+--------------------------------------------------+
| Bootloader                                       |
+--------------------------------------------------+
| Primary Slot                                     |
|                                        (sector 1)|
|..................................................|
|                                                  |
|                                        (sector 2)|
|..................................................|
|                                                  |
|                                        (sector 3)|
|..................................................|
|                                                  |
|                                        (sector 4)|
+--------------------------------------------------+
| Secondary Slot                                   |
|                                        (sector 1)|
|..................................................|
|                                                  |
|                                        (sector 2)|
|..................................................|
|                                                  |
|                                        (sector 3)|
|..................................................|
|                                                  |
|                                        (sector 4)|
+--------------------------------------------------+
| Swap Area                                        |
|                                                  |
+--------------------------------------------------+
| Configuration Data                               |
+--------------------------------------------------+
]]></artwork></artset></figure>

<t>The ability to restart an interrupted firmware update is often a requirement
for unattended devices and the same is true for low-end, constrained IoT devices.
To fulfill this requirement it is necessary to chunk
a firmware image into sectors and to encrypt each sector individually
using a cipher that does not increase the size of the resulting ciphertext
(i.e., by not adding an authentication tag after each encrypted block).</t>

<t>When an update gets aborted while the bootloader is decrypting the newly obtained
image and swapping the sectors, the bootloader can restart where it left off. This
technique offers robustness and better performance.</t>

<t>For this purpose, ciphers without integrity protection are used to encrypt the
firmware image. Integrity protection of the firmware image MUST be provided
and the suit-parameter-image-digest, defined in Section 8.4.8.6 of
<xref target="I-D.ietf-suit-manifest"/>, MUST be used.</t>

<t><xref target="RFC9459"/> registers AES Counter (AES-CTR) mode and AES Cipher Block Chaining
(AES-CBC) ciphers that do not offer integrity protection. These ciphers are useful
for use cases that require firmware encryption on IoT devices. For many other use
cases where software packages, configuration information or personalization data
need to be encrypted, the use of AEAD ciphers is RECOMMENDED.</t>

<t>The following sub-sections provide further information about the initialization vector
(IV) selection for use with AES-CBC and AES-CTR in the firmware encryption context. An
IV MUST NOT be re-used when the same key is used. For this application, the IVs are
not random but rather based on the slot/sector-combination in flash memory. The
text below assumes that the block-size of AES is (much) smaller than the sector size. The
typical sector-size of flash memory is in the order of KiB. Hence, multiple AES blocks
need to be decrypted until an entire sector is completed.</t>

</section>
<section anchor="complete-examples"><name>Complete Examples</name>

<t>The following manifests exemplify how to deliver encrypted payload and its
encryption info to devices.</t>

<t>HMAC-256 MAC are added in AES-KW examples using the following secret key:</t>

<figure><artwork><![CDATA[
  'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'
  (616161... in hex, and its length is 32)
]]></artwork></figure>

<t>ES-DH examples are signed using the following ECDSA secp256r1 key:</t>

<figure><artwork><![CDATA[
-----BEGIN PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgApZYjZCUGLM50VBC
CjYStX+09jGmnyJPrpDLTz/hiXOhRANCAASEloEarguqq9JhVxie7NomvqqL8Rtv
P+bitWWchdvArTsfKktsCYExwKNtrNHXi9OB3N+wnAUtszmR23M4tKiW
-----END PRIVATE KEY-----
]]></artwork></figure>

<t>The corresponding public key can be used to verify these examples:</t>

<figure><artwork><![CDATA[
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEhJaBGq4LqqvSYVcYnuzaJr6qi/Eb
bz/m4rVlnIXbwK07HypLbAmBMcCjbazR14vTgdzfsJwFLbM5kdtzOLSolg==
-----END PUBLIC KEY-----
]]></artwork></figure>

<t>Each example uses SHA-256 as the digest function.</t>

<section anchor="example-AES-KW-write"><name>AES Key Wrap Example with Write Directive</name>

<t>The following SUIT manifest requests a parser
to authenticate the manifest with COSE_Mac0 HMAC256, to write and 
decrypt the
encrypted payload into a component with the suit-directive-write
directive.</t>

<t>The SUIT manifest in diagnostic notation (with line breaks added for
readability) is shown here:</t>

<figure><artwork><![CDATA[
1   / SUIT_Envelope_Tagged / 107({
2     / authentication-wrapper / 2: << [
3       << [
4         / digest-algorithm-id: / -16 / SHA256 /,
5         / digest-bytes: / h'AAB6A7868C4E43D5983BDE019EF22779
6                             21F6F8EF1FCAF9403CA97255BED2CD30'
7       ] >>,
8       << / COSE_Mac0_Tagged / 17([
9         / protected: / << {
10          / algorithm-id / 1: 5 / HMAC256 /
11        } >>,
12        / unprotected: / {},
13        / payload: / null,
14        / tag: / h'93B4B774A5D0421ED6FB5EBF890A284C
15                   DAC7816CBC048BF47EE7FA7FF3BC02C3'
16      ]) >>
17    ] >>,
18    / manifest / 3: << {
19      / manifest-version / 1: 1,
20      / manifest-sequence-number / 2: 1,
21      / common / 3: << {
22        / components / 2: [
 *          /!!! component identifier for component index #0 !!!/
23          ['plaintext-firmware'],
 *          /!!! component identifier for component index #1 !!!/
24          ['encrypted-firmware']
25        ]
26      } >>,
27      / install / 17: << [
28        / fetch encrypted firmware /
 *        /!!! destination component index #1 = ['encrypted-firmware'] !!!/
29        / directive-set-component-index / 12, 1,
30        / directive-override-parameters / 20, {
31          / parameter-image-size / 14: 46,
 *          /!!! source uri of #1 !!!/
32          / parameter-uri / 21: "https://example.com/encrypted-firmware"
33        },
34        / directive-fetch / 21, 15,
35
36        / decrypt encrypted firmware /
 *        /!!! destination component index #0 = ['plaintext-firmware'] !!!/
37        / directive-set-component-index / 12, 0,
38        / directive-override-parameters / 20, {
39          / parameter-encryption-info / 19: << 96([
40            / protected: / << {
41              / alg / 1: 1 / AES-GCM-128 /
42            } >>,
43            / unprotected: / {
44              / IV / 5: h'F14AAB9D81D51F7AD943FE87AF4F70CD'
45            },
46            / payload: / null / detached ciphertext /,
47            / recipients: / [
48              [
49                / protected: / << {
50                } >>,
51                / unprotected: / {
52                  / alg / 1: -3 / A128KW /,
53                  / kid / 4: 'kid-1'
54                },
55                / payload: /
56                  h'75603FFC9518D794713C8CA8A115A7FB32565A6D59534D62'
57                  / CEK encrypted with KEK /
58              ]
59            ]
60          ]) >>,
 *          /!!! source component index #1 = ['encrypted-firmware'] !!!/
61          / parameter-source-component / 22: 1
62        },
 *        / consumes the SUIT_Encryption_Info above /
63        / directive-copy / 22, 15
64      ] >>
65    } >>
66  })
]]></artwork></figure>

<t>In hex format, the SUIT manifest is:</t>

<figure><artwork><![CDATA[
D86BA2025853825824822F5820536EC695E423342FF57FA89B3E3C12C0F9
257992F7D96F017281782D2DF1C50F582AD18443A10105A0F658203B7057
1169B0FEE5E6220BF86E5E973F7F32875495908EDAA91EC994BCA44B2903
589DA4010102010357A102818152706C61696E746578742D6669726D7761
726511587C8414A212582E2F59C3A34D9570FB99A5382E66466A3221A8AD
85CE508BA306FB431A60EFA5AAAA078355070205A4B196832DF17F135843
D8608443A10101A10550F14AAB9D81D51F7AD943FE87AF4F70CDF6818341
A0A2012204456B69642D31581875603FFC9518D794713C8CA8A115A7FB32
565A6D59534D62120F
]]></artwork></figure>

</section>
<section anchor="example-AES-KW-copy"><name>AES Key Wrap Example with Fetch + Copy Directives</name>

<t>The following SUIT manifest requests a parser to fetch the encrypted
payload and to store it. Then, the payload is decrypted and stored into
another component with the suit-directive-copy directive. This approach
works well on constrained devices with XIP flash memory.</t>

<t>The SUIT manifest in diagnostic notation (with line breaks added
for readability) is shown below. Line numbers and additional notes
(see /!!! text !!!/ ) have been inserted to provide further
information about the manifest processing.</t>

<figure><artwork><![CDATA[
/ SUIT_Envelope_Tagged / 107({
  / authentication-wrapper / 2: << [
    << [
      / digest-algorithm-id: / -16 / SHA256 /,
      / digest-bytes: / h'AAB6A7868C4E43D5983BDE019EF22779
                          21F6F8EF1FCAF9403CA97255BED2CD30'
    ] >>,
    << / COSE_Mac0_Tagged / 17([
      / protected: / << {
        / algorithm-id / 1: 5 / HMAC256 /
      } >>,
      / unprotected: / {},
      / payload: / null,
      / tag: / h'93B4B774A5D0421ED6FB5EBF890A284C
                 DAC7816CBC048BF47EE7FA7FF3BC02C3'
    ]) >>
  ] >>,
  / manifest / 3: << {
    / manifest-version / 1: 1,
    / manifest-sequence-number / 2: 1,
    / common / 3: << {
      / components / 2: [
        ['plaintext-firmware'],
        ['encrypted-firmware']
      ]
    } >>,
    / install / 17: << [
      / fetch encrypted firmware /
      / directive-set-component-index / 12, 1 / ['encrypted-firmware'] /,
      / directive-override-parameters / 20, {
        / parameter-image-size / 14: 46,
        / parameter-uri / 21: "https://example.com/encrypted-firmware"
      },
      / directive-fetch / 21, 15,

      / decrypt encrypted firmware /
      / directive-set-component-index / 12, 0 / ['plaintext-firmware'] /,
      / directive-override-parameters / 20, {
        / parameter-encryption-info / 19: << 96([
          / protected: / << {
            / alg / 1: 1 / AES-GCM-128 /
          } >>,
          / unprotected: / {
            / IV / 5: h'F14AAB9D81D51F7AD943FE87AF4F70CD'
          },
          / payload: / null / detached ciphertext /,
          / recipients: / [
            [
              / protected: / << {
              } >>,
              / unprotected: / {
                / alg / 1: -3 / A128KW /,
                / kid / 4: 'kid-1'
              },
              / payload: /
                h'75603FFC9518D794713C8CA8A115A7FB32565A6D59534D62'
                / CEK encrypted with KEK /
            ]
          ]
        ]) >>,
        / parameter-source-component / 22: 1 / ['encrypted-firmware'] /
      },
      / directive-copy / 22, 15 / consumes the SUIT_Encryption_Info above /
    ] >>
  } >>
})
]]></artwork></figure>

<t>The default storage area is defined by the component identifier (see Section 8.4.5.1 of <xref target="I-D.ietf-suit-manifest"/>). In this example, the component identifier for component #0 is ['plaintext-firmware'] and the file path "/plaintext-firmware" is the expected location.</t>

<t>While parsing the manifest, the behavior of SUIT manifest processor would be</t>

<t><list style="symbols">
  <t>[L1-L17] authenticates the manifest part on [L18-L65]</t>
  <t>[L22-L25] gets two component identifiers; ['plaintext-firmware'] for component #0, and ['encrypted-firmware'] for component # 1 respectively</t>
  <t>[L29] sets current component index # 1 (the lasting directives target ['encrypted-firmware'])</t>
  <t>[L32] sets source uri parameter "https://example.com/encrypted-firmware"</t>
  <t>[L34] fetches content from source uri into ['encrypted-firmware']</t>
  <t>[L37] sets current component index # 0 (the lasting directives target ['plaintext-firmware'])</t>
  <t>[L39-L60] sets SUIT encryption info parameter</t>
  <t>[L61] sets source component index parameter # 1</t>
  <t>[L63] decrypts component # 1 (source component index) and stores the result into component # 0 (current component index)</t>
</list></t>

<t>The following attributes and features from the SUIT manifest specification are used:</t>

<figure><artwork><![CDATA[
| Attribute Name                             | Abbreviation  | Manifest Reference |
|--------------------------------------------|---------------|--------------------|
| component identifier                       | CI            | Section 8.4.5.1    |
| (destination) component index              | dst-CI        | Section 8.4.10.1   |
| (destination) component slot OPTIONAL param| dst-CS        | Section 8.4.8.8    |
| (source) uri OPTIONAL parameter            | src-URI       | Section 8.4.8.10   |
| source component index OPTIONAL parameter  | src-CI        | Section 8.4.8.11   |
]]></artwork></figure>

<t>The resulting state of SUIT manifest processor is shown in the following table:</t>

<figure><artwork><![CDATA[
| Abbreviation  | Plaintext              | Ciphertext                               |
|---------------|------------------------|------------------------------------------|
| CI            | ['plaintext-firmware'] | ['encrypted-firmware']                   |
| dst-CI        | 0                      | 1                                        |
| dst-CS        | N/A                    | N/A                                      |
| src-URI       | N/A                    | "https://example.com/encrypted-firmware" |
| src-CI        | 1                      | N/A                                      |
]]></artwork></figure>

<t>In hex format, the SUIT manifest shown above is:</t>

<figure><artwork><![CDATA[
D86BA2025853825824822F5820AAB6A7868C4E43D5983BDE019EF2277921
F6F8EF1FCAF9403CA97255BED2CD30582AD18443A10105A0F6582093B4B7
74A5D0421ED6FB5EBF890A284CDAC7816CBC048BF47EE7FA7FF3BC02C303
58B7A40101020103582BA102828152706C61696E746578742D6669726D77
6172658152656E637279707465642D6669726D776172651158818C0C0114
A20E182E15782668747470733A2F2F6578616D706C652E636F6D2F656E63
7279707465642D6669726D77617265150F0C0014A2135843D8608443A101
01A10550F14AAB9D81D51F7AD943FE87AF4F70CDF6818341A0A201220445
6B69642D31581875603FFC9518D794713C8CA8A115A7FB32565A6D59534D
621601160F
]]></artwork></figure>

<t>The example above does not use storage slots. However, it is possible to specify this functionality for devices that support slots in flash memory. In the augmented example below we refer to the slots using [h'00'] and [h'01']. The component identifier [h'00'] would, in this example, specify the component slot #0.</t>

<figure><artwork><![CDATA[
1   / SUIT_Envelope_Tagged / 107({
2     / authentication-wrapper / 2: << [
3       << [
4         / digest-algorithm-id: / -16 / SHA256 /,
5         / digest-bytes: / h'AAB6A7868C4E43D5983BDE019EF22779
6                             21F6F8EF1FCAF9403CA97255BED2CD30'
7       ] >>,
8       << / COSE_Mac0_Tagged / 17([
9         / protected: / << {
10          / algorithm-id / 1: 5 / HMAC256 /
11        } >>,
12        / unprotected: / {},
13        / payload: / null,
14        / tag: / h'93B4B774A5D0421ED6FB5EBF890A284C
15                   DAC7816CBC048BF47EE7FA7FF3BC02C3'
16      ]) >>
17    ] >>,
18    / manifest / 3: << {
19      / manifest-version / 1: 1,
20      / manifest-sequence-number / 2: 1,
21      / common / 3: << {
22        / components / 2: [
 *          /!!! component identifier for component index #0 !!!/
23          [h'00'],
 *          /!!! component identifier for component index #1 !!!/
24          [h'01']
25        ]
26      } >>,
27      / install / 17: << [
28        / fetch encrypted firmware /
 *         /!!! destination component index #1 = [h'01'] !!!/
29        / directive-set-component-index / 12, 1,
30        / directive-override-parameters / 20, {
31          / parameter-image-size / 14: 46,
 *          /!!! source uri of #1 !!!/
32          / parameter-uri / 21: "https://example.com/encrypted-firmware"
33        },
34        / directive-fetch / 21, 15,
35
36        / decrypt encrypted firmware /
 *        /!!! destination component index #0 = [h'00'] !!!/
37        / directive-set-component-index / 12, 0,
38        / directive-override-parameters / 20, {
39          / parameter-encryption-info / 19: << 96([
40            / protected: / << {
41              / alg / 1: 1 / AES-GCM-128 /
42            } >>,
43            / unprotected: / {
44              / IV / 5: h'F14AAB9D81D51F7AD943FE87AF4F70CD'
45            },
46            / payload: / null / detached ciphertext /,
47            / recipients: / [
48              [
49                / protected: / << {
50                } >>,
51                / unprotected: / {
52                  / alg / 1: -3 / A128KW /,
53                  / kid / 4: 'kid-1'
54                },
55                / payload: /
56                  h'75603FFC9518D794713C8CA8A115A7FB32565A6D59534D62'
57                  / CEK encrypted with KEK /
58              ]
59            ]
60          ]) >>,
 *          /!!! source component index #1 = [h'01'] !!!/
61          / parameter-source-component / 22: 1
62        },
 *        /!!! consumes the SUIT_Encryption_Info above !!!/
63        / directive-copy / 22, 15
64      ] >>
65    } >>
66  })
]]></artwork></figure>

</section>
<section anchor="example-ES-DH-write"><name>ES-DH Example with Write + Copy Directives</name>

<t>The following SUIT manifest requests a parser to authenticate
the manifest with COSE_Sign1 ES256,
to write and decrypt the
encrypted payload into a component with the suit-directive-write
directive.</t>

<t>The SUIT manifest in diagnostic notation (with line breaks added for
readability) is shown here:</t>

<figure><artwork><![CDATA[
/ SUIT_Envelope_Tagged / 107({
  / authentication-wrapper / 2: << [
    << [
      / digest-algorithm-id: / -16 / SHA256 /,
      / digest-bytes: / h'CEF034223D7F2C39D676876995B4ED4E
                          8221AC5BF184B6606EE62C41C149C266'
    ] >>,
    << / COSE_Sign1_Tagged / 18([
      / protected: / << {
        / algorithm-id / 1: -7 / ES256 /
      } >>,
      / unprotected: / {},
      / payload: / null,
      / signature: /
        h'65E59AAB8A35BDE9547458316D1C769F
          FB2CEA304C9FB6151E5C8A88A002A292
          C5B8C63C81B5AC0AE31948B610834E12
          CBDBB2753EA221544B6733076A92EE20'
    ]) >>
  ] >>,
  / manifest / 3: << {
    / manifest-version / 1: 1,
    / manifest-sequence-number / 2: 1,
    / common / 3: << {
      / components / 2: [
        ['decrypted-firmware']
      ]
    } >>,
    / install / 17: << [
      / directive-set-component-index / 12, 0
        / ['plaintext-firmware'] /,
      / directive-override-parameters / 20, {
        / parameter-content / 18:
          h'344FA2D5AD2F43F6F363DA6FF2C337FE69E33E3D63714D
            23985BF02499EB0E8B231D45C378245DA3611C160CC511',
        / parameter-encryption-info / 19: << 96([
          / protected: / << {
            / alg / 1: 1 / AES-GCM-128 /
          } >>,
          / unprotected: / {
            / IV / 5: h'DAE613B2E0DC55F4322BE38BDBA9DC68'
          },
          / payload: / null / detached ciphertext /,
          / recipients: / [
            [
              / protected: / << {
                / alg / 1: -29 / ECDH-ES + A128KW /
              } >>,
              / unprotected: / {
                / ephemeral key / -1: {
                  / kty / 1: 2 / EC2 /,
                  / crv / -1: 1 / P-256 /,
                  / x / -2: h'FF6E266DABAF51B7207569E31CF72646
                              183E94CEE64FCDC8695AD9A505AEFDEA',
                  / y / -3: h'5FBC4A29844450B3AC22AB30C7F7004B
                              B59D8BD60D7997734A9FA0124B650895'
                },
                / kid / 4: 'kid-2'
              },
              / payload: /
                h'B0E21628283F3E409F8158D8FFCA567F340E379AC39E49C9'
                / CEK encrypted with KEK /
            ]
          ]
        ]) >>
      },
      / directive-write / 18, 15
        / consumes the SUIT_Encryption_Info above /
    ] >>
  } >>
})
]]></artwork></figure>

<t>In hex format, the SUIT manifest is this:</t>

<figure><artwork><![CDATA[
D86BA2025873825824822F5820CEF034223D7F2C39D676876995B4ED4E82
21AC5BF184B6606EE62C41C149C266584AD28443A10126A0F6584065E59A
AB8A35BDE9547458316D1C769FFB2CEA304C9FB6151E5C8A88A002A292C5
B8C63C81B5AC0AE31948B610834E12CBDBB2753EA221544B6733076A92EE
200358ECA4010102010357A1028181526465637279707465642D6669726D
776172651158CB860C0014A212582E344FA2D5AD2F43F6F363DA6FF2C337
FE69E33E3D63714D23985BF02499EB0E8B231D45C378245DA3611C160CC5
11135890D8608443A10101A10550DAE613B2E0DC55F4322BE38BDBA9DC68
F6818344A101381CA220A401022001215820FF6E266DABAF51B7207569E3
1CF72646183E94CEE64FCDC8695AD9A505AEFDEA2258205FBC4A29844450
B3AC22AB30C7F7004BB59D8BD60D7997734A9FA0124B65089504456B6964
2D325818B0E21628283F3E409F8158D8FFCA567F340E379AC39E49C9120F
]]></artwork></figure>

</section>
<section anchor="example-ES-DH-dependency"><name>ES-DH Example with Dependency</name>

<t>The following SUIT manifest requests a parser to resolve the dependency.</t>

<t>The dependent manifest is signed with another key:
~~~
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIIQa67e56m8CYL5zVaJFiLl30j0qxb8ray2DeUMqH+qYoAoGCCqGSM49
AwEHoUQDQgAEDpCKqPBm2x8ITgw2UsY5Ur2Z8qW9si+eATZ6rQOrpot32hvYrE8M
tJC6IQZIv3mrFk1JrTVR1x0xSydJ7kLSmg==
-----END EC PRIVATE KEY-----
~~~</t>

<t>The dependency manifest is embedded as an integrated-dependency
and referred to by the  "#dependency-manifest" URI.</t>

<t>The SUIT manifest in diagnostic notation (with line breaks added for
readability) is shown here:</t>

<figure><artwork><![CDATA[
/ SUIT_Envelope_Tagged / 107({
  / authentication-wrapper / 2: << [
    << [
      / digest-algorithm-id: / -16 / SHA256 /,
      / digest-bytes: / h'6A1D9F42E7B4047D2F54046019AE3ED4
                          3A8ACC467AC16576B17D6F8E633042D2'
    ] >>,
    << / COSE_Sign1_Tagged / 18([
      / protected: / << {
        / algorithm-id / 1: -7 / ES256 /
      } >>,
      / unprotected: / {},
      / payload: / null,
      / signature: /
        h'DF493BDBF167EFFB40593C5910D33B66
          429721467DF05800EA66A88B91729CD5
          1007981F151FC324745FF43E6F75AAF5
          197DD5EC4AA6BCEFCE43E4B1E35C948E'
    ]) >>
  ] >>,
  / manifest / 3: << {
    / manifest-version / 1: 1,
    / manifest-sequence-number / 2: 1,
    / common / 3: << {
      / dependencies / 1: {
        / component-index / 1: {
          / dependency-prefix / 1: [
             'dependency-manifest.suit'
          ]
        }
      },
      / components / 2: [
        ['decrypted-firmware']
      ]
    } >>,
    / manifest-component-id / 5: [
      'dependent-manifest.suit'
    ],
    / install / 17: << [
      / NOTE: set SUIT_Encryption_Info /
      / directive-set-component-index / 12, 0
        / ['decrypted-firmware'] /,
      / directive-override-parameters / 20, {
        / parameter-content / 18:
          h'344FA2D5AD2F43F6F363DA6FF2C337FE69E33E3D63714D
            23985BF02499EB0E8B231D45C378245DA3611C160CC511',
        / parameter-encryption-info / 19: << 96([
          / protected: / << {
            / alg / 1: 1 / AES-GCM-128 /
          } >>,
          / unprotected: / {
            / IV / 5: h'DAE613B2E0DC55F4322BE38BDBA9DC68'
          },
          / payload: / null / detached ciphertext /,
          / recipients: / [
            [
              / protected: / << {
                / alg / 1: -29 / ECDH-ES + A128KW /
              } >>,
              / unprotected: / {
                / ephemeral key / -1: {
                  / kty / 1: 2 / EC2 /,
                  / crv / -1: 1 / P-256 /,
                  / x / -2: h'FF6E266DABAF51B7207569E31CF72646
                              183E94CEE64FCDC8695AD9A505AEFDEA',
                  / y / -3: h'5FBC4A29844450B3AC22AB30C7F7004B
                              B59D8BD60D7997734A9FA0124B650895'
                },
                / kid / 4: 'kid-2'
              },
              / payload: /
                h'B0E21628283F3E409F8158D8FFCA567F340E379AC39E49C9'
                / CEK encrypted with KEK /
            ]
          ]
        ]) >>
      },

      / NOTE: call dependency-manifest /
      / directive-set-component-index / 12, 1
        / ['dependenty-manifest.suit'] /,
      / directive-override-parameters / 20, {
        / parameter-image-digest / 3: << [
          / algorithm-id / -16 / SHA256 /,
          / digest-bytes / h'1051324059C5193317CAC9A099BBC0B6
                             AFB56184C04277F566A3A4131F4A1C25'
        ] >>,
        / parameter-image-size / 14: 247,
        / parameter-uri / 21: "#dependency-manifest"
      },
      / directive-fetch / 21, 15,
      / condition-dependency-integrity / 7, 15,
      / directive-process-dependency / 11, 15
    ] >>
  } >>,
  "#dependency-manifest": <<
    / SUIT_Envelope_Tagged / 107({
      / authentication-wrapper / 2: << [
        << [
          / digest-algorithm-id: / -16 / SHA256 /,
          / digest-bytes: / h'1051324059C5193317CAC9A099BBC0B6
                              AFB56184C04277F566A3A4131F4A1C25'
        ] >>,
        << / COSE_Sign1_Tagged / 18([
          / protected: / << {
            / algorithm-id / 1: -7 / ES256 /
          } >>,
          / unprotected: / {},
          / payload: / null,
          / signature: /
            h'55990F3745DC4F200FF946643A6DE30D
              DCE57B080B7D68DE9896D8190B9A63E2
              D60E7C3D9693B67221AA6D07BBF0AB45
              314C236827A242C22B5E688DDC467269'
        ]) >>
      ] >>,
      / manifest / 3: << {
        / manifest-version / 1: 1,
        / manifest-sequence-number / 2: 1,
        / common / 3: << {
          / components / 2: [
            ['decrypted-firmware']
          ],
          / shared-sequence / 4: << [
            / directive-set-componnt-index / 12, 0
              / ['decrypted-firmware'] /,
            / directive-override-parameters / 20, {
              / parameter-image-digest / 3: << [
                / algorithm-id / -16 / SHA256 /,
                / digest-bytes / h'36921488FE6680712F734E11F58D87EE
                                   B66D4B21A8A1AD3441060814DA16D50F'
              ] >>,
              / parameter-image-size / 14: 30
            }
          ] >>
        } >>,
        / manifest-component-id / 5: [
          'dependency-manifest.suit'
        ],
        / validate / 7: << [
          / condition-image-match / 3, 15
        ] >>,
        / install / 17: << [
          / directive-set-component-index / 12, 0
            / ['decrypted-firmware'] /,
          / directive-write / 18, 15
            / consumes the SUIT_Encryption_Info set by dependent /,
          / condition-image-match / 3, 15
            / check the integrity of the decrypted payload /
        ] >>
      } >>
    })
  >>
})
]]></artwork></figure>

<t>In hex format, the SUIT manifest is this:</t>

<figure><artwork><![CDATA[
D86BA3025873825824822F58206A1D9F42E7B4047D2F54046019AE3ED43A
8ACC467AC16576B17D6F8E633042D2584AD28443A10126A0F65840DF493B
DBF167EFFB40593C5910D33B66429721467DF05800EA66A88B91729CD510
07981F151FC324745FF43E6F75AAF5197DD5EC4AA6BCEFCE43E4B1E35C94
8E03590170A501010201035837A201A101A101815818646570656E64656E
63792D6D616E69666573742E73756974028181526465637279707465642D
6669726D77617265058157646570656E64656E742D6D616E69666573742E
73756974115901138E0C0014A212582E344FA2D5AD2F43F6F363DA6FF2C3
37FE69E33E3D63714D23985BF02499EB0E8B231D45C378245DA3611C160C
C511135890D8608443A10101A10550DAE613B2E0DC55F4322BE38BDBA9DC
68F6818344A101381CA220A401022001215820FF6E266DABAF51B7207569
E31CF72646183E94CEE64FCDC8695AD9A505AEFDEA2258205FBC4A298444
50B3AC22AB30C7F7004BB59D8BD60D7997734A9FA0124B65089504456B69
642D325818B0E21628283F3E409F8158D8FFCA567F340E379AC39E49C90C
0114A3035824822F58201051324059C5193317CAC9A099BBC0B6AFB56184
C04277F566A3A4131F4A1C250E18F7157423646570656E64656E63792D6D
616E6966657374150F070F0B0F7423646570656E64656E63792D6D616E69
6665737458F7D86BA2025873825824822F58201051324059C5193317CAC9
A099BBC0B6AFB56184C04277F566A3A4131F4A1C25584AD28443A10126A0
F6584055990F3745DC4F200FF946643A6DE30DDCE57B080B7D68DE9896D8
190B9A63E2D60E7C3D9693B67221AA6D07BBF0AB45314C236827A242C22B
5E688DDC46726903587BA601010201035849A20281815264656372797074
65642D6669726D7761726504582F840C0014A2035824822F582036921488
FE6680712F734E11F58D87EEB66D4B21A8A1AD3441060814DA16D50F0E18
1E05815818646570656E64656E63792D6D616E69666573742E7375697407
4382030F1147860C00120F030F
]]></artwork></figure>

</section>
</section>
<section anchor="operational-considerations"><name>Operational Considerations</name>

<t>The algorithms described in this document assume that the party
performing payload encryption</t>

<t><list style="symbols">
  <t>shares a key-encryption key (KEK) with the recipient
(for use with the AES Key Wrap scheme), or</t>
  <t>is in possession of the public key of the recipient
(for use with ES-DH).</t>
</list></t>

<t>Both cases require some upfront communication interaction
to distribute these keys to the involved communication parties.
This interaction may be provided by a device management protocol,
as described in <xref target="RFC9019"/>, or may be executed earlier in
the lifecycle of the device, for example during manufacturing
or during commissioning. In addition to the keying material
key identifiers and algorithm information need to be provisioned.
This specification places no requirements on the structure of the
key identifier.</t>

<t>In some cases third party companies analyse binaries for known
security vulnerabilities. With encrypted payloads, this type of
analysis is prevented. Consequently, these third party companies
either need to be given access to the plaintext binary before
encryption or they need to become authorized recipients of the
encrypted payloads. In either case, it is necessary to explicitly
consider those third parties in the software supply chain when
such a binary analysis is desired.</t>

</section>
<section anchor="sec-cons"><name>Security Considerations</name>

<t>This entire document is about security.</t>

<t>It is good security practise to use different keys for different purpose.
For example, the KEK used with an AES-KW-based content key distribution
method for encryption should be different from the long-term symmetric key
used for authentication in a communication security protocol.</t>

<t>To further reduce the attack surface it may be beneficial use different
long-term keys for the encryption of different types of payloads. For
example, KEK_1 may be used with an AES-KW content key distribution method
to encrypt a firmware image while KEK_2 would be used to encrypt
configuration data.</t>

<t>A large part of this document is focused on the content key distribution and
two methods are utilized, namely AES Key Wrap (AES-KW) and Ephemeral-Static
Diffie-Hellman (ES-DH). In this table we summarize the main properties with
respect to their deployment:</t>

<figure><artset><artwork  type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="464" width="520" viewBox="0 0 520 464" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px">
<path d="M 8,32 L 8,448" fill="none" stroke="black"/>
<path d="M 136,32 L 136,448" fill="none" stroke="black"/>
<path d="M 144,32 L 144,448" fill="none" stroke="black"/>
<path d="M 248,32 L 248,448" fill="none" stroke="black"/>
<path d="M 376,32 L 376,448" fill="none" stroke="black"/>
<path d="M 512,32 L 512,448" fill="none" stroke="black"/>
<path d="M 8,32 L 512,32" fill="none" stroke="black"/>
<path d="M 8,128 L 512,128" fill="none" stroke="black"/>
<path d="M 8,272 L 512,272" fill="none" stroke="black"/>
<path d="M 8,368 L 512,368" fill="none" stroke="black"/>
<path d="M 8,448 L 512,448" fill="none" stroke="black"/>
<path d="M 128,32 C 136.83064,32 144,39.16936 144,48" fill="none" stroke="black"/>
<path d="M 152,32 C 143.16936,32 136,39.16936 136,48" fill="none" stroke="black"/>
<path d="M 128,128 C 136.83064,128 144,135.16936 144,144" fill="none" stroke="black"/>
<path d="M 128,128 C 136.83064,128 144,120.83064 144,112" fill="none" stroke="black"/>
<path d="M 152,128 C 143.16936,128 136,135.16936 136,144" fill="none" stroke="black"/>
<path d="M 152,128 C 143.16936,128 136,120.83064 136,112" fill="none" stroke="black"/>
<path d="M 128,272 C 136.83064,272 144,279.16936 144,288" fill="none" stroke="black"/>
<path d="M 128,272 C 136.83064,272 144,264.83064 144,256" fill="none" stroke="black"/>
<path d="M 152,272 C 143.16936,272 136,279.16936 136,288" fill="none" stroke="black"/>
<path d="M 152,272 C 143.16936,272 136,264.83064 136,256" fill="none" stroke="black"/>
<path d="M 128,368 C 136.83064,368 144,375.16936 144,384" fill="none" stroke="black"/>
<path d="M 128,368 C 136.83064,368 144,360.83064 144,352" fill="none" stroke="black"/>
<path d="M 152,368 C 143.16936,368 136,375.16936 136,384" fill="none" stroke="black"/>
<path d="M 152,368 C 143.16936,368 136,360.83064 136,352" fill="none" stroke="black"/>
<path d="M 128,448 C 136.83064,448 144,440.83064 144,432" fill="none" stroke="black"/>
<path d="M 152,448 C 143.16936,448 136,440.83064 136,432" fill="none" stroke="black"/>
<g class="text">
<text x="52" y="68">Number</text>
<text x="92" y="68">of</text>
<text x="180" y="68">Same</text>
<text x="216" y="68">key</text>
<text x="280" y="68">One</text>
<text x="312" y="68">key</text>
<text x="408" y="68">One</text>
<text x="440" y="68">Key</text>
<text x="64" y="84">Long-Term</text>
<text x="176" y="84">for</text>
<text x="208" y="84">all</text>
<text x="280" y="84">per</text>
<text x="324" y="84">device</text>
<text x="408" y="84">per</text>
<text x="452" y="84">device</text>
<text x="44" y="100">Keys</text>
<text x="192" y="100">devices</text>
<text x="52" y="164">Number</text>
<text x="92" y="164">of</text>
<text x="188" y="164">Single</text>
<text x="292" y="164">Single</text>
<text x="408" y="164">One</text>
<text x="440" y="164">CEK</text>
<text x="56" y="180">Content</text>
<text x="176" y="180">CEK</text>
<text x="208" y="180">per</text>
<text x="280" y="180">CEK</text>
<text x="312" y="180">per</text>
<text x="408" y="180">per</text>
<text x="456" y="180">payload</text>
<text x="68" y="196">Encryption</text>
<text x="192" y="196">payload</text>
<text x="296" y="196">payload</text>
<text x="436" y="196">encryption</text>
<text x="44" y="212">Keys</text>
<text x="92" y="212">(CEKs)</text>
<text x="188" y="212">shared</text>
<text x="292" y="212">shared</text>
<text x="440" y="212">transaction</text>
<text x="180" y="228">with</text>
<text x="216" y="228">all</text>
<text x="284" y="228">with</text>
<text x="320" y="228">all</text>
<text x="408" y="228">per</text>
<text x="452" y="228">device</text>
<text x="188" y="244">devies</text>
<text x="292" y="244">devies</text>
<text x="40" y="308">Use</text>
<text x="76" y="308">Case</text>
<text x="188" y="308">Legacy</text>
<text x="304" y="308">Efficient</text>
<text x="432" y="308">Point-to-</text>
<text x="184" y="324">Usage</text>
<text x="296" y="324">Payload</text>
<text x="416" y="324">Point</text>
<text x="472" y="324">Payload</text>
<text x="316" y="340">Distribution</text>
<text x="444" y="340">Distribution</text>
<text x="76" y="404">Recommended?</text>
<text x="176" y="404">No,</text>
<text x="208" y="404">bad</text>
<text x="280" y="404">Yes</text>
<text x="408" y="404">Yes</text>
<text x="196" y="420">practice</text>
</g>
</svg>
</artwork><artwork  type="ascii-art"><![CDATA[
+---------------++------------+---------------+----------------+
|               ||            |               |                |
|  Number of    ||  Same key  |  One key      |  One Key       |
|  Long-Term    ||  for all   |  per device   |  per device    |
|  Keys         ||  devices   |               |                |
|               ||            |               |                |
+---------------++------------+---------------+----------------+
|               ||            |               |                |
|  Number of    ||  Single    |  Single       |  One CEK       |
|  Content      ||  CEK per   |  CEK per      |  per payload   |
|  Encryption   ||  payload   |  payload      |  encryption    |
|  Keys (CEKs)  ||  shared    |  shared       |  transaction   |
|               ||  with all  |  with all     |  per device    |
|               ||  devies    |  devies       |                |
|               ||            |               |                |
+---------------++------------+---------------+----------------+
|               ||            |               |                |
|  Use Case     ||  Legacy    |  Efficient    |  Point-to-     |
|               ||  Usage     |  Payload      |  Point Payload |
|               ||            |  Distribution |  Distribution  |
|               ||            |               |                |
+---------------++------------+---------------+----------------+
|               ||            |               |                |
|  Recommended? ||  No, bad   |  Yes          |  Yes           |
|               ||  practice  |               |                |
|               ||            |               |                |
+---------------++------------+---------------+----------------+
]]></artwork></artset></figure>

<t>The use of firmware encryption with IoT devices introduces an battery
exhaustion attack. This attack utilizes the fact that flash memory
operations are energy-expensive. To perform this attacker, the adversary
needs to be able to swap detached payloads and force the device to process
a wrong payload. Swapping the payloads is only possible when there is no
communication security protocol in place between the device and the
distribution system or when the distribution system itself is compromised.
The security features provided by the manifest will detect this attack and
the device will not boot the incorrectly provided payload. However, at this
time the energy-expensive flash operations have already been performed.
Consequently, these operations may reduce the lifetime of devices and
battery powered IoT devices are particularly vulnerable to such an attack.
See <xref target="flash"/> for further discussion about IoT devices using flash memory.</t>

<t>Including the digest of the encrypted payload in the manifest allows the
device to detect a battery exhaustion attack before energy consuming decryption
and flash memory copy or swap operations took place.</t>

</section>
<section anchor="iana-considerations"><name>IANA Considerations</name>

<t>IANA is asked to add the following value to the SUIT Parameters
registry established by Section 11.5 of <xref target="I-D.ietf-suit-manifest"/>:</t>

<figure><artwork><![CDATA[
Label      Name                 Reference
-----------------------------------------
TBD19      Encryption Info      Section 4
]]></artwork></figure>

<t>RFC Editor's Note (TBD19): The value for the Encryption Info
parameter is set to 19, as the proposed value.</t>

</section>


  </middle>

  <back>


    <references title='Normative References' anchor="sec-normative-references">



<reference anchor="RFC2119">
  <front>
    <title>Key words for use in RFCs to Indicate Requirement Levels</title>
    <author fullname="S. Bradner" initials="S." surname="Bradner"/>
    <date month="March" year="1997"/>
    <abstract>
      <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
    </abstract>
  </front>
  <seriesInfo name="BCP" value="14"/>
  <seriesInfo name="RFC" value="2119"/>
  <seriesInfo name="DOI" value="10.17487/RFC2119"/>
</reference>

<reference anchor="RFC3394">
  <front>
    <title>Advanced Encryption Standard (AES) Key Wrap Algorithm</title>
    <author fullname="J. Schaad" initials="J." surname="Schaad"/>
    <author fullname="R. Housley" initials="R." surname="Housley"/>
    <date month="September" year="2002"/>
  </front>
  <seriesInfo name="RFC" value="3394"/>
  <seriesInfo name="DOI" value="10.17487/RFC3394"/>
</reference>

<reference anchor="RFC9052">
  <front>
    <title>CBOR Object Signing and Encryption (COSE): Structures and Process</title>
    <author fullname="J. Schaad" initials="J." surname="Schaad"/>
    <date month="August" year="2022"/>
    <abstract>
      <t>Concise Binary Object Representation (CBOR) is a data format designed for small code size and small message size. There is a need to be able to define basic security services for this data format. This document defines the CBOR Object Signing and Encryption (COSE) protocol. This specification describes how to create and process signatures, message authentication codes, and encryption using CBOR for serialization. This specification additionally describes how to represent cryptographic keys using CBOR.</t>
      <t>This document, along with RFC 9053, obsoletes RFC 8152.</t>
    </abstract>
  </front>
  <seriesInfo name="STD" value="96"/>
  <seriesInfo name="RFC" value="9052"/>
  <seriesInfo name="DOI" value="10.17487/RFC9052"/>
</reference>

<reference anchor="RFC9053">
  <front>
    <title>CBOR Object Signing and Encryption (COSE): Initial Algorithms</title>
    <author fullname="J. Schaad" initials="J." surname="Schaad"/>
    <date month="August" year="2022"/>
    <abstract>
      <t>Concise Binary Object Representation (CBOR) is a data format designed for small code size and small message size. There is a need to be able to define basic security services for this data format. This document defines a set of algorithms that can be used with the CBOR Object Signing and Encryption (COSE) protocol (RFC 9052).</t>
      <t>This document, along with RFC 9052, obsoletes RFC 8152.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="9053"/>
  <seriesInfo name="DOI" value="10.17487/RFC9053"/>
</reference>

<reference anchor="RFC8174">
  <front>
    <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
    <author fullname="B. Leiba" initials="B." surname="Leiba"/>
    <date month="May" year="2017"/>
    <abstract>
      <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
    </abstract>
  </front>
  <seriesInfo name="BCP" value="14"/>
  <seriesInfo name="RFC" value="8174"/>
  <seriesInfo name="DOI" value="10.17487/RFC8174"/>
</reference>


<reference anchor="I-D.ietf-suit-manifest">
   <front>
      <title>A Concise Binary Object Representation (CBOR)-based Serialization Format for the Software Updates for Internet of Things (SUIT) Manifest</title>
      <author fullname="Brendan Moran" initials="B." surname="Moran">
         <organization>Arm Limited</organization>
      </author>
      <author fullname="Hannes Tschofenig" initials="H." surname="Tschofenig">
         </author>
      <author fullname="Henk Birkholz" initials="H." surname="Birkholz">
         <organization>Fraunhofer SIT</organization>
      </author>
      <author fullname="Koen Zandberg" initials="K." surname="Zandberg">
         <organization>Inria</organization>
      </author>
      <author fullname="Øyvind Rønningstad" initials="O." surname="Rønningstad">
         <organization>Nordic Semiconductor</organization>
      </author>
      <date day="5" month="February" year="2024"/>
      <abstract>
	 <t>   This specification describes the format of a manifest.  A manifest is
   a bundle of metadata about code/data obtained by a recipient (chiefly
   the firmware for an IoT device), where to find the code/data, the
   devices to which it applies, and cryptographic information protecting
   the manifest.  Software updates and Trusted Invocation both tend to
   use sequences of common operations, so the manifest encodes those
   sequences of operations, rather than declaring the metadata.

	 </t>
      </abstract>
   </front>
   <seriesInfo name="Internet-Draft" value="draft-ietf-suit-manifest-25"/>
   
</reference>

<reference anchor="RFC9459">
  <front>
    <title>CBOR Object Signing and Encryption (COSE): AES-CTR and AES-CBC</title>
    <author fullname="R. Housley" initials="R." surname="Housley"/>
    <author fullname="H. Tschofenig" initials="H." surname="Tschofenig"/>
    <date month="September" year="2023"/>
    <abstract>
      <t>The Concise Binary Object Representation (CBOR) data format is designed for small code size and small message size. CBOR Object Signing and Encryption (COSE) is specified in RFC 9052 to provide basic security services using the CBOR data format. This document specifies the conventions for using AES-CTR and AES-CBC as content encryption algorithms with COSE.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="9459"/>
  <seriesInfo name="DOI" value="10.17487/RFC9459"/>
</reference>


<reference anchor="I-D.ietf-suit-trust-domains">
   <front>
      <title>SUIT Manifest Extensions for Multiple Trust Domains</title>
      <author fullname="Brendan Moran" initials="B." surname="Moran">
         <organization>Arm Limited</organization>
      </author>
      <author fullname="Ken Takayama" initials="K." surname="Takayama">
         <organization>SECOM CO., LTD.</organization>
      </author>
      <date day="6" month="July" year="2024"/>
      <abstract>
	 <t>   This specification describes extensions to the SUIT Manifest format
   (as defined in [I-D.ietf-suit-manifest]) for use in deployments with
   multiple trust domains.  A device has more than one trust domain when
   it enables delegation of different rights to mutually distrusting
   entities for use for different purposes or Components in the context
   of firmware or software update.

	 </t>
      </abstract>
   </front>
   <seriesInfo name="Internet-Draft" value="draft-ietf-suit-trust-domains-07"/>
   
</reference>




    </references>

    <references title='Informative References' anchor="sec-informative-references">



<reference anchor="RFC9019">
  <front>
    <title>A Firmware Update Architecture for Internet of Things</title>
    <author fullname="B. Moran" initials="B." surname="Moran"/>
    <author fullname="H. Tschofenig" initials="H." surname="Tschofenig"/>
    <author fullname="D. Brown" initials="D." surname="Brown"/>
    <author fullname="M. Meriac" initials="M." surname="Meriac"/>
    <date month="April" year="2021"/>
    <abstract>
      <t>Vulnerabilities in Internet of Things (IoT) devices have raised the need for a reliable and secure firmware update mechanism suitable for devices with resource constraints. Incorporating such an update mechanism is a fundamental requirement for fixing vulnerabilities, but it also enables other important capabilities such as updating configuration settings and adding new functionality.</t>
      <t>In addition to the definition of terminology and an architecture, this document provides the motivation for the standardization of a manifest format as a transport-agnostic means for describing and protecting firmware updates.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="9019"/>
  <seriesInfo name="DOI" value="10.17487/RFC9019"/>
</reference>

<reference anchor="RFC9124">
  <front>
    <title>A Manifest Information Model for Firmware Updates in Internet of Things (IoT) Devices</title>
    <author fullname="B. Moran" initials="B." surname="Moran"/>
    <author fullname="H. Tschofenig" initials="H." surname="Tschofenig"/>
    <author fullname="H. Birkholz" initials="H." surname="Birkholz"/>
    <date month="January" year="2022"/>
    <abstract>
      <t>Vulnerabilities with Internet of Things (IoT) devices have raised the need for a reliable and secure firmware update mechanism that is also suitable for constrained devices. Ensuring that devices function and remain secure over their service lifetime requires such an update mechanism to fix vulnerabilities, update configuration settings, and add new functionality.</t>
      <t>One component of such a firmware update is a concise and machine-processable metadata document, or manifest, that describes the firmware image(s) and offers appropriate protection. This document describes the information that must be present in the manifest.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="9124"/>
  <seriesInfo name="DOI" value="10.17487/RFC9124"/>
</reference>

<reference anchor="RFC8937">
  <front>
    <title>Randomness Improvements for Security Protocols</title>
    <author fullname="C. Cremers" initials="C." surname="Cremers"/>
    <author fullname="L. Garratt" initials="L." surname="Garratt"/>
    <author fullname="S. Smyshlyaev" initials="S." surname="Smyshlyaev"/>
    <author fullname="N. Sullivan" initials="N." surname="Sullivan"/>
    <author fullname="C. Wood" initials="C." surname="Wood"/>
    <date month="October" year="2020"/>
    <abstract>
      <t>Randomness is a crucial ingredient for Transport Layer Security (TLS) and related security protocols. Weak or predictable "cryptographically secure" pseudorandom number generators (CSPRNGs) can be abused or exploited for malicious purposes. An initial entropy source that seeds a CSPRNG might be weak or broken as well, which can also lead to critical and systemic security problems. This document describes a way for security protocol implementations to augment their CSPRNGs using long-term private keys. This improves randomness from broken or otherwise subverted CSPRNGs.</t>
      <t>This document is a product of the Crypto Forum Research Group (CFRG) in the IRTF.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="8937"/>
  <seriesInfo name="DOI" value="10.17487/RFC8937"/>
</reference>

<reference anchor="RFC5652">
  <front>
    <title>Cryptographic Message Syntax (CMS)</title>
    <author fullname="R. Housley" initials="R." surname="Housley"/>
    <date month="September" year="2009"/>
    <abstract>
      <t>This document describes the Cryptographic Message Syntax (CMS). This syntax is used to digitally sign, digest, authenticate, or encrypt arbitrary message content. [STANDARDS-TRACK]</t>
    </abstract>
  </front>
  <seriesInfo name="STD" value="70"/>
  <seriesInfo name="RFC" value="5652"/>
  <seriesInfo name="DOI" value="10.17487/RFC5652"/>
</reference>

<reference anchor="RFC5280">
  <front>
    <title>Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile</title>
    <author fullname="D. Cooper" initials="D." surname="Cooper"/>
    <author fullname="S. Santesson" initials="S." surname="Santesson"/>
    <author fullname="S. Farrell" initials="S." surname="Farrell"/>
    <author fullname="S. Boeyen" initials="S." surname="Boeyen"/>
    <author fullname="R. Housley" initials="R." surname="Housley"/>
    <author fullname="W. Polk" initials="W." surname="Polk"/>
    <date month="May" year="2008"/>
    <abstract>
      <t>This memo profiles the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) for use in the Internet. An overview of this approach and model is provided as an introduction. The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms. Standard certificate extensions are described and two Internet-specific extensions are defined. A set of required certificate extensions is specified. The X.509 v2 CRL format is described in detail along with standard and Internet-specific extensions. An algorithm for X.509 certification path validation is described. An ASN.1 module and examples are provided in the appendices. [STANDARDS-TRACK]</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="5280"/>
  <seriesInfo name="DOI" value="10.17487/RFC5280"/>
</reference>

<reference anchor="RFC5869">
  <front>
    <title>HMAC-based Extract-and-Expand Key Derivation Function (HKDF)</title>
    <author fullname="H. Krawczyk" initials="H." surname="Krawczyk"/>
    <author fullname="P. Eronen" initials="P." surname="Eronen"/>
    <date month="May" year="2010"/>
    <abstract>
      <t>This document specifies a simple Hashed Message Authentication Code (HMAC)-based key derivation function (HKDF), which can be used as a building block in various protocols and applications. The key derivation function (KDF) is intended to support a wide range of applications and requirements, and is conservative in its use of cryptographic hash functions. This document is not an Internet Standards Track specification; it is published for informational purposes.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="5869"/>
  <seriesInfo name="DOI" value="10.17487/RFC5869"/>
</reference>


<reference anchor="iana-suit" target="TBD">
  <front>
    <title>IANA SUIT Manifest Registry</title>
    <author >
      <organization>Internet Assigned Numbers Authority</organization>
    </author>
    <date year="2023"/>
  </front>
</reference>
<reference anchor="ROP" target="https://en.wikipedia.org/wiki/Return-oriented_programming">
  <front>
    <title>Return-Oriented Programming</title>
    <author >
      <organization>Wikipedia</organization>
    </author>
    <date year="2023" month="March"/>
  </front>
</reference>
<reference anchor="SP800-56" target="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf">
  <front>
    <title>Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography, NIST Special Publication 800-56A Revision 3</title>
    <author >
      <organization>NIST</organization>
    </author>
    <date year="2018" month="April"/>
  </front>
</reference>


    </references>


<?line 2260?>

<section anchor="full-cddl"><name>Full CDDL</name>

<t>The following CDDL must be appended to the SUIT Manifest CDDL. The SUIT CDDL is defined in
Appendix A of <xref target="I-D.ietf-suit-manifest"/></t>

<figure><sourcecode type="CDDL"><![CDATA[
SUIT_Encryption_Info = #6.96(COSE_Encrypt)

$$SUIT_Parameters //= (suit-parameter-encryption-info =>
    bstr .cbor SUIT_Encryption_Info)

suit-parameter-encryption-info = 19
]]></sourcecode></figure>

</section>
<section numbered="no" anchor="acknowledgements"><name>Acknowledgements</name>

<t>We would like to thank Henk Birkholz for his feedback on the CDDL description in this document.
Additionally, we would like to thank Michael Richardson, Øyvind Rønningstad, Dave Thaler, Laurence
Lundblade, Christian Amsüss, Ruud Derwig, and Carsten Bormann for their review feedback. Finally,
we would like to thank Dick Brooks for making us aware of the challenges encryption imposes on
binary analysis.</t>

<t>Reviews from the IESG include Deb Cooley and Roman Danyliw.</t>

</section>


  </back>

<!-- ##markdown-source:
H4sIAAAAAAAAA+2963bbRpoo+p9r8R0wzl7HUlukcCep2ZkZkABjta+x7KTT
fbyyIBKS0CYJBiAtK47nOc6jnB/n37zY+S5VhQIIXuQ4szPdYc/EIlGo63ev
79LpdNqtVbqaJWdGtJjkd8tVMjVexnezLJ4WRrowLt6cvzaexYv0KilWRbsV
X17myftDW0+zySKeQ+fTPL5addJkddUp1umqc5Xm89s4TzoJ95Nmi45ttluT
eJVcZ/ndmVGspu1Wu5Uu8zNjla+LlW2aA9OGGeRJfGZcJJN1nq7u2q3bLH93
nWfr5RkN3269S+7gt+mZcb5YJfkiWXVCHB17K1bxYvpjPMsWMKe7BGa4TM/a
LcPIrybJtFjdzeTvhrHKJvrf6WKaLFbqlyLLV3lyVZQ/3M2r31d5OinbT7L5
HN4vn6eLWbrQRks+rDqztFh1oKPLbAYNO9mfHuEj2MR5vFymi2t9Pj/OkvcJ
NnNxYfF6dZPluJQOPqdPuoCnj7vG62Jyk10li/RaPeJDeRwvFknR9DyZx+ns
zLihBt2VavAf1/MPXdhRHLI+0quu8ThbF7PkrjbMq3VRbDzK8msAk59jPPkz
47v0Op2pMz0xnj4dqZYS4qptNqbK/f/He2xVJJMubHh1ljTJYdd4luXxQv7I
MxzmyWIaL6qPqjMM8rnxNJ2nAPGygRhZvNyll/8jzudbhg670DS7rQ0dxu/T
afVBdeCn6SLOs9qYU3yre4lv/ceMGnThrYZBn8Dxx+/iu3geV8d9kiw2nlQH
vohGL54ZoxddOI7XYbc2g3fJorsS73cRrwE04IFc+yLL59DP+4Sw69V4ZFvW
QP7tOANX/j0wPVv725F/960etznvhN2SbswFbVGvuN6goRkRjM40gynBLhAd
WVzVpzQwyykNLFtNqT9wevJvzy+n59l9U/3d9/ndNF7ENOYZb1CJiHJLSzpk
BEWRXi+AZj5fzy+TvDACaq3AWVDi8+B5UCWlxqvkGmhDLtpNgUqeGbZpO+K9
OL9OgNa8HoY0vxcvd8zm+/RdukymaVwZ81WyWueLzos8BSqFVD3PrvN4Pgeq
o49p+l3T6W6OfLNaLYuz01OAilvZP4LkKX47FZ1novMfl9XOL172TbPj+Tsm
/fz84nVtvkxRpwStBhwuMKI073yfFgkA950RAa2/BIJ6g2TXuJjcJHOgdW8K
GNMI02KSJ6vEeJpdx7D9N3NjhFwIZ7W8AfqDwxkXy2SSxjPj5Rr6mfA4PNEA
hn+fFviDo+9OsMyBRNmm1d/cHdicxfvZcn1ZdBdwlN3r7P0p/oG/nIqhtJGK
U5xD9+JlVwyZO93l9ApBudPpAFEEaIgnRIhf36QFMok1rbTArq5SWOsqmdws
0p/W8Cduj+S0sP4iu1oh9z0xJB8+abfm8eQGOJIxS+J8ga3m2RQYzIkBLNNY
ArRmi3gmqAOuNzYu74z1KoXfsPXqJjHOo9fjdosgVyJqlw4jvs6ThKYHU4XT
B+oFMAbvJ0s8lzyedeC4VunEOIoujtutML2CJXQeJ7MZdGQchY+PaRpBdEH9
fQ/nZBzBt86T74+7BvwbPjbWBax0SVsI5AlQZaKdqXF7k84Sg1/hpjHMJOkU
N7D8Kb7QlUINLjC7whWBfDADEoLMGWceTwDolghU8MYtwA2w9cV7WFaKe4Mi
wDxBto+9GfroXXlu83Q6nSX47SsD6UKeTdcTfB1/+m49W8BeXMKWrvAAaQRF
PGBGcNKL68I4Os9eHxtTAMEJtLqJ3ydGHgPcT3nKiwT+whOPjTyZpYAFCW1e
gawzUUdurJcItcYcwAQOq5jD2zEvc1YAw0GiRu9iV7BOBLgUiZcYGDhLhmcJ
YLYqO03n8XUCQIPgUAGEdosJsHEbF9hFMsuAShgfPzYT+E+fusb5SsIKHtbl
egFbB9sAoJqsYoTAE2Byk9l6ivB3e5PA8KsMprKgjTCWLJjyXORuQQOAhMmN
kcKMQKqa4Ubj7sS8P0CLjVs4MwB4OrSPHwV3+PQJ+lgBiyuoP8VPAFZo325i
6vwyqcC33AZEL0HK+T1Y3cKIp9OUe8hgXVdJjgsRW4o/x9fIv1aIiYDSTBgA
U9+nMUx3CpLOCqEOWEq8wpOlIwcqV8AREBVFyBSEawLIDK/COV6lKMgCtcGl
zuM7Om6cd3wFU4N507o1VAAsQRjHdac5kII4R+jU9z5ereLJOyARQFDybG7g
tIm2A8LAdHB52oF0jUC2N1Z3S5jhbHZnENQCqgEAAVC+W2S3s2R6DeAMcA+H
j0IOEOZiDUcXIzhUIe4Ex5hna6AwMFKaiykVsJYx0r4PMeAttMqrnMjQOJFx
BHzzGAAS/oHDzpOf1mmeENLDGkBN4kXwTAhkSt0F9vEdNE3hqHCC8wzmNUUa
NlnPVgRzAFgJTGM5y9IVzmqYFHAORv08mOyo5W55XGTrfIKawFHSve6i4jWJ
C0QNA3BqIR4rKn9MpwwHLJY0xQ28BdKKExOH227hvzl0kiyuAcsZFGGRp7B7
ebJUdKo6Q3UKBDPfE4nFp7C/0AsA5zwDiSsmpgM0V01zVWFZSBFkR+1WuauM
uWt+pUJMCkK3ywQWC6QZpACkfYBD0D5XAxW4KFwxjo5E/JqwG0+uvq8lzikQ
I6mxozYRgHfyjkgb/trEDukBdXy9zrWfcUB8tIW/omDdbj2GVQN43vJycdlA
9ecSY3Bt1wnwBoEroGjCOuHHGA/xJsMduvw7LKDoskCgcA3JeaJU9TVJP7HG
qGC+KzyCctNJfz4RRHICzBcAJ5GylNbHexCcEgZJxUGKf6WTJb2fj3aaADlG
snubqbGQOU5Rmk0v14w8CaxhylIKLh/5HuCbECiqJ39C+svsThxPpOSHi1J+
MBrEB3UMzSKE3DYkzrC1PCNinzB5pMTbebuQLIj1zoDsMAQW+6SBF+scdgeJ
txGnc6KRgJrrCZ/+ghQE3Nx9u0Z8VW2bOneNNsXMD/ME+BHQ7DxBJER8yIFa
CHEDpKXLZHWLCIV0Cxqj0KxvPNL9AqaUIiHFs2UxVe3cdQboLlFbCKGC96QF
UxoWFZbSXjRdE2YC9nZWWSfB4wERY1Ess3zFUiew1RyHBt4OVG2VIe3CBQlu
3jVGm2IJzAH2C/ntO0U7/nL+UkI0ijfyeOFJ8gGYPpEnZJAAuEAfJytAMeJj
V7O4AGqeAD0HpIuJugCzR266vCOqssKNzIxXwbOucQGbm+B+3ZGQAq0LXe6Y
AhGeZsYiWzGvBxKWT8kGdgkHAmJKtujAO50rGH2aaIIocm1gFWL9QOz1aZ0Q
02H6vkiQUyFZhimJLljyw1cBUKpCGnYFYwJVWoouL5Mr5Fw0nER92iAQCozv
YTHZiXGT3SKnAGoH3AzPU0g/h6zlNgV6dYmaW8I8EnU4BJAFo/vVGuUYeVTU
GsANxKlNRilAo8ui9EiJ4SzMvQbimS6yWXZ9J+ET8QfNgoXx4Nmbi9cPTvhf
4/kL+vtV9O2b81dRiH9fPA6ePlV/yBYXj1+8eQrP2y3xZ/nq6MWzZ9HzkN+G
X43aT8+CHx4wRD948fL1+YvnwdMHuPs1YhmzAHspsHOJKioxa6ATE8B7Pv3h
6OX/tbgslv9quQZJp2haAYGF/kazyadP7RZiDI+YLWZ3Bn+FLYaNA9E2zrEj
ZB6TeIlCJGp5gLVwtgsDKUV3U6+Mi2KNGvRVPAeCEbOgjBSnmU7vEOxP+LCp
uS5GEz80NIH7RJIubhvnAKpIQlDW5WYmrlwj3rNZdkvsiWyGaSwgIidKMJVb
rhZFTORPGjsAVnAieBa1plHQXAX7e1ShswHpqfRuR5OVsaujJ9GTY/1VbDdi
Mr7RdqTaoqmJ2x7M1OQuyBeDUuaH+WtD8ZSLIpuk9ChE9R2YXxDSIiJGclzx
y1kMROwIKOax3FaURAA4UMrK6USARKZLFKBZ91xVtn6exCjdiK29oLfwumCF
AEO0AntCNNUEE6kZ4CuvZO/Vt2DQJH2fbH2x3QqENoUiEolSqdCvNYHqQYWF
FnfFKpk/MI7gZNWDLD8mYb8UsnDAciKomrAOqPYBmY7ia6S3ApAB5QJGFqNs
vSKyn/D7pI1uzgJfuQLEJLpITAZ1HBAsgOkCve0aoMe0W4Kh1WXkpv6SlPhV
OV3dNCKk+PIkCbrJjgIYkOX0FOCYf69LSWyh01gqkOIlYFqqzAUgZKykVUjp
4dMMjg82AkRMmFRtC7tG2XOBHO2ErVZSc0MFVdkNcuNync6mrGPWVMHaLBUN
adojfAmYBIrVRp7N0KhxjvrTHEWBBJS1u7nQfJGXUwt6p0hAGiJMSnWBCWS7
gvoieElRA8HRkc/iWRSCAhPj68wyQlPBwYIKcfsKad2n0v5AdE6xAT7OCjm8
0iGYrAhSyiKxt9SbSK5B4OLNIUFBmHMAbPGEShZPsgobPVi8FdC3KWPi4enM
IlkAAE+aJroiy9ISUaMuo378iC07oD/BWpEXkUJNIjPrPXyymXwPDXhSyyGM
q8g/myAmbAEMzCcKwtHwIE03+BJN5kRXqgkt+AVBBekdwmti1sYyK0DkLzT9
uEQ2o45rDOlaAzoiBCiQSxMGftFv5b2HhfGXrmcOjEmSr1i6FnwQbybQYEYk
omb4kSaDknwjrJTqsGZuqiIkQM0a+Lg0aOHipNUz5htZ6G2CQETieVyyfrbx
Yq9SX0Qs3bBXgUjJLz4LRvgOsWhNUcDpqD5X1BRgp6JVyRkKI64wuJVUTeI+
r56NFLiAOv0U2AAyL4L837FXImGJvqwrQRYF0DFukwKXgr5SkPQPgFiatCS9
a4BFQDeh8hNiifGFDXECzDS+zJDAlCJWA/liQAJFnHSRaYJGdiLtZQdC/YKX
J+sC9/cS6OctbcR//ud/GnFcvMcrmEcd9cEr518MIySqYOCfuz6bLxqGRU9+
+d/w0/YXoSVffsGf8kX1ZNeotRH1r7tf5M7VvXFlvJ2vSA8H49HnvPxM2b/v
++77eyxPa7flEOH/1TrKe0V6EOqgpU7D5kniMXa2fKjdBbNS434H2TDh+lob
dkz+1O126z9VWzX0Vd8POdlFuc7a/DcQA1AGOPKZ8ZVkVHwb+fWDoM6LNzAW
2ciGy0z3waeasIIUoEDmC4SyFECMjGhVUTF+/UkTmEh9KwkdSHCXK7w6qOhX
QBHWqw0ib0gimeZIUoWEsIvi5AmJMECml2gCJGu4MCjHwvUFuozzafqzMssg
FQXZjG8os9laKGbvQbSgOya+M2GJEQXh9WLCojy6g9AkdSImNTOh/+GkFmQI
AckQ18t7ocQBnlOyJOIqhYfqhQRahWYxIAS2w56Y/KPtj+5VSCpXUhQ5Q7xW
t0pHxbEcWbd2kAVrgpqzTvfrRwesFEYqtouo8r4pRdNHTYqgnRHdKLZD1sdX
0cVrI3h5XuDsb5NL/JXZfn4Vi4sw+oYzlEyGvI22nPoOTUOsuRDKofTpKmSX
UkqTF4nrOW+QYNcCQo4k2rA8etwFdJ0l16UesYqLd2QOM7RBakqGvGpqmiZZ
3QC2ZsmHlI2eLLmIWZYmV2WzQ3WN7qVIHST9c1P3LAy0fqM9bXoH6MmHgB1K
yYjvWWnHQd6kAykllFIMZM1CAa0AyikIpHhTREigiSpKamVJbNua2SbMsCm2
qrZ/msiq6dLnV/pgUz6IpNBF9jy9vlkVGxuOp3ibicsNJhQgHKNmSFTLYqFF
b54DnYulsjB6cRH9KCillICVBCYo1YKkLgFe5UO8dUQfNKG8bPQGI66ZQgOF
QbM6241xi9AaZrBvDt2R0iOl4C5BvSU1ED0GMljJ/ExMWkJfZRwhIi+SW6Qe
7RbZMSexvNgBORinKza9FHAzAUcnylhP3+UQpdgsLHNoaCkaTApIrYRYTKQV
OiYhlUnireaZcX4lLJAp7z3qOye8wfUe6SKaQUKgDsmpC95TQ0rCmqYpNy9G
w1CxCSMKukRnNEe6pTYSQNQJemohHonNl9ug90EbfbXG3c3Q1DMzsvdJXle2
hgntPdr21av6xbOk3MwCa5hBTpqkwOdTtgbBmZAHB/KL/DppIBsETKsUGbVx
FRc3pGUIDRWUAYkOZFpK8851vGSDqDY/UPVwP3DRdEfDVy2sZKfzJdBsZYHS
vKAKMqRfCG3O7Tpdq4cT00yqog82tS4QUaCbGd7R4yUv7TSDwjrP6VoY3XJI
Ca65jfBt3Xn2WtkPELvtTewWrjZAEzqz+A7v1iTES+byLCNpAk6sSNByV9sL
QkiGs0KglaYVAvTjoefkJLKBinxZyVxliaLRYnKHOqRgW5qdd4f/oNo10PDW
ADqxsjOCsgVj3yTx9IwEhfKJ5pUBLcqrMLbIV1qqm02AKSVGMX7ojejyOL/b
sAoQJxAOP/oigVIhJ4H1i9knH1Z5bJADEzBAurklfsi/S+cXaT1DYqWRcXQR
kfBR2rtWNyi7IFFES2WxKflmqHMLXqIDBV1KoKy7wU8E/UELlXASATqSGZcw
0OQGDWr1rvCeirpj7w9AS/bSFe+fsc1tUlqNUaUnfxqk9dLR4nJDMhbXT3Tl
dMWCCvdINyUZ3Qlz34KA8NSUjwXZIiWxh6njiyQeIc4Zl9gREgA4kByvHEX7
FLB5ijZ6Ye1iU7J2ncQgXyFl6kaWpaQNRCM/pzyL0VSrETLVR9LgBcACCRJY
1BmUGwV6VHQUZapyMLw4KZbpKhHyqrpo1mEOt+CaRGvA65J0NmOL4m7Cml7w
XXzdqIfmU+2uI0KHkIJe//hVaVX7pK60apfT8pJAEpdEvi9FG7x8+vFlaZ5T
coSyNFOLcgo/noPWpYkbR8hoACSItKgZ6aEPqKYR8f74sXxOhtBjKakIFr3N
G0BT9IRmIJuKY9ozRyIQ5OwoKSLbSfFiSb8DMIRB++NHsorKezG+OWDHBrSD
xcYoekKX7VLFE/ZTUsMq95kfP4qZ4oZAf8hjyDFvgq91JTXiN/EBiQuXGXtf
7vYoqQzEsk7B7PHQs8N94YuUSQxchnoizy0SPulE2WcAxJWO5EQdzZgrSGKt
ZZFokFBUrL/lTWViPAjlG8b36EH2gC+Ry19H2fLugaH6RS4cLGo+GsYEjnXO
Pg4MJXhCQuer44Ow+pY0RRrrBW0XfKGcr/R7kE4ZRDeBFir5ioiz7IXU6avd
oCwO76RG6zWtRik/ZFhlORN7hYlJ9+dp6R+DS+Th0Y3hWUzSEtIvnBiK/Yvr
2fbpkLcpeouwR+2mIywzR/bdkUiK7hrpz4m0s7JPtE5DTk+/No520wM2bH39
bwa6ehvdySWM3wSsdE+7h7R8jaEB1kCzYFXIjDRjjcLwaYVeaDNWZFUYrUCk
NCKQT0hYfY63m0c0xvGZsErP1qUpbN9K1SPEN8ANPFtroKxaaGrKEC2oV0ny
peOfwoZiC4lnF0F5i1cii/Ahq+GYOJcSV8l381j3qdHBtwS4y7uNc5CNCNl2
b0K3OhVE7I2ZoNvR1okotAJOuWDZXZtafXT2Ee2o1gdOsd2K+EK2kOMh0pVb
yrej5EfCNw0GU29xjQsAMVlLJt5ugXzKHj1w0EtyXzQCIS2s9HfyqteeuhMZ
JyvUMIEk4nZh2ICah3BfugKhUHAZ0V2HGRntJUr2wUINBIRrjci9IkkHB2CA
KE8llU4yTT0SnAh3FHhY3bsOG76SaQdnL9uWQwrSUYNF5n6bNicN6oTXXw3i
pKW43bp5GAVWt9sdReFDyVbUpTpeDSVV79BtsgKqgpIpkmtEznYxAK2tAAMD
dJPuiXHzMOz7MAdrbD4USwJdYj3jm2oVYaH5rCpnNzIzSBj9yiwp6qmxm++e
GrZ5YnxEKnq6uT/wm9U/M/TNOak3rRPRUyaiZ5XltFvoz6RPhl29sf8Tw/I0
knsAREhCLJCMgE0einJ0biJPn0OUvyg93gfwjG474B0xGJVF4aIlcXLVCP54
RUCYLYxfb16dA6xM2fEJtLq72gJBtWVYNB6IWCzRP8Yrnqr+u6AOPhDi8+ag
wnuRTLL4A+qY0rlyKvUcAagWg7kwmuu3MAIF94idEsPYx2AvilVA8kTNVNyo
oy/LJr+oTVjdlTdgJgJEdQ/uh58o7apWHYyk/oAIYgOCnHw2JsOZ4iPr7IAz
PdlE0yviHdgBounJoRM2P3/CB9GTDSq0waihd/vMsDZXhChGT+9Fd+itzyA7
+N7vQxR8Xb3+udQJhnClQSemyQ0j7AmjIFAOtneTZRYjluEHPM3Sj6Qxwgof
oMOK9JsR26Ss6qAuv6ZJzDWz5km59Kp7TkfEmpWCChM8dnNTdxEFx3s13Rto
9ASoKTUZyQuM7rEhN2iGBicMpap6B7E23+ALVL0Toh2iwK/JehbnpDfB1CZJ
vpDeP5N0iVqyNBk1doq9IE2SjlwiUu4zJ4VB3cK2K05XzpYct+LmPSmlx5u4
uFGekCXIiKCnTbGE3MXJLwvj3pSSXt55gCqcbAA42fU64vA04F4YwlDfbvW7
brff9dlUvzUc8ndmWyk976kZCudhRW1muCvWlx1hcilYJVAzPCgoCGgcS7LN
gTsEKxv+0nVXaWWdekbBGWTOkSYiUliUNC0gapbizTgHI9A1PjTCOLnSkEBC
Bt41dGVMMc2EApEn6hpqmS0RX9Rgum1nHufvEnIOxsgQwX3vjNuE/Etn7D03
XSfCDJmiQXcl8mMoEzzZs9YST5aJCM3E3i753ksgTZpvhPxobyg6elCclrBx
83UL3mgT1W23chg2m8NRUawaObcSA7heA5LPKA4MuQA3kxdnoi2BjPTrwAwM
AK0S4di5XJCN78X1QKNQyPdXmTFHCQY5WWnPF9eqlD9Gu8LYdLKhuGZhCxUm
A/FEC8/DqCvp8Q6cg1NmKNnHMIwO3vUfvQLh4uKYpbmC7f3ocirdFUXEVXmX
88piZ1DyP1opfx7jois6HTV3OtrslLuqvvknehGO4In6omIjBBkX1jDskOxd
/F3M6AnTHTES33PjdRXf46K3j3Z/colM4jolrKFViE4u+IIUnVhjkkGJyspp
Rs9HR4r0nhjv9HVqdFpwg5JIc8wgDRAT5L7risMAKrWdTKlgjpK0fPxKWL75
1a82wvQRpLcQo9l1xukk0g1CrKJBRCSiMFBIp9fycmoTiwyNiGv3Mxw8gv4F
5G9QTWaw0RaDUhgdkWppiQtk3CUZPSQtqxNFeanc73pdu7xTpsgTeSUg2/hd
u2uRo45s5AgnLQ1pBQsrjerq8vb//rHEB6UQAdrOssW1tLxXNCrtApSnXy6z
sa8TDI9SsYDAoEq1SwgD/OqG38hJ9S4GlqCriUJohH2uizc36fVNmV2gbs6S
vgEqXkT5dLRbAuFgWtRHgpC4vJNxUfGqHo1Z8Z1+gvMjbz70nJtlBflcjzKM
qJunijMQVqOczIqfPIryHQ7BBzynpB+lZ7cQpGAW0IOeDoAuVRUf2gyJVtxm
yz4zcN5VvRdrKUw0ObA8TxbMqu/N0ncMMiVySk33/LsT5uoosl4LDzjJTXBH
UCdAdQIY1XRahVI56y7LvZwh5EoqE7wAGbwnpFOBxV1JV8KS9bxgBiP2RThY
4u160sCgKnHSVUqET5R0XFIAYeg+52PUaPSRdk0j4gRA2DJEuD/H+t0dM8Ev
H+NxowOM5BXbEK2KLhXcZxQV3E3EmIrL/ZKxklha4aqGYXWF1VexMPHA7hrf
CILJmEm/Ol3iKCME0CdELelnl39WkUlMSAW74FCW+razVTIHIjQjsWgCejlI
9lOyICtfBZH5wlCJL3hNiGLSdCKdshTFp9QsC82fUAT2a+ckcUgYhFgIgQlJ
YkNnq7WnuLxSyEG3Q+FYoSSjradWsIiktBx0jahelQnaTZqcEaFfwQ66XSeZ
GhwoTYzcIslJYZmj84O4a2PhQb/qR6C5hFO+Slcq1rx0btC84RrTH9AqMnn5
iRCM81Hh+3zbu8gI3DUHBzy8eJJnRcWPV8ZvlMIPOkeoEyhWeNxCWiThe5oC
M1jHM+qvdoeD8yCqlBE/AvkaOkHrPftx85KkrCNwhx2a43eJcqSVMT55UkUa
wJkG3ACE4VCgry0cV6WfM9hyBQ1icrIv0e1VWuKbfUkPdeQSz4/Ljj7xn4CE
O9CtQ8vh3DIlqgkoL2GYFI0a7LA77ZWMn6lJoMLvSYcPHcZI4F1kEp7oygiz
IBAOozyBnFPjOHQ+mJ9gnq6qIXYKrtBnF01ruqqxqPoUMcQDQKwpNRcvQVcW
TjC4QezngkV0FBdFc9yFCu1UV+GCiBp7Sai179ytXedu8bnr4FR9PtHhQjxq
AA9rqtrpYFFthCD6SRPjQY4Pw6dKesDbamlWFIKrSEtTvaebTKezTpwU727J
jJLMl6u7H7P8xyLJMZsAQM2Pc2CeeMDoy5fk/BVlYEUUN6LCWfat3fDXDPo/
wqxgUl8bX/ndgX/0N/SFV+KTYZwZGZxY/mM56I/q8Qm0XS/K1g1ttcfYWhNE
oDU5DZwai3R2Qv7eCgTh2d+MRyzDqJ/FRN+23h63WtsnBSvZsnmbL+mT/1rb
11arceivjc3dYccHdKQwTFiL5gfBs4DeNrep7FiMiY9pRgQBW3ZKfP61iUMB
7LbetlpqTJjrx0+t1p6BjK9bHxnS0YcjxSvZchRNUWQHwzTJofG/G650+Dgp
G5dNdI6kqXuKj6opQV9/MmbxZTLD/shUXlBfpXPbMoM5tT5p9wQlmlT8QUq9
ipN7bNWl+TLgeSXQXeqTcr0nLBErVJI6ow06o0NaY0VVxuQYIoaSRBoRLaHd
tdBIGALJiWGWaHFdvM+EJRkmnCpWzaJYCSt8bBWhvkmIJS3x8m5F1ICUZJjk
z0meGbNkcb266R5kYthno/z4FfvTbTM6HGjjFDotZbvkvVEZ9PTwf804wEJW
XAkzLpvqAV9KdMTUTzEFj6l8PzQgZ38qo8ABQsn7e3Wj3tluVfCotzppfV3h
ZmidZN/WyvGgICpUnKf01MTcxgXfUeiOrTquKCVEtqldFXXL7qwz441cR0Xd
KtG4Fli2acNpt0jW1CReGCmHvRdTEjHmtyL0o3oRq4KeKTkX3X7Ly1ds+PhJ
OBa4STZb7FcozSKOjvNjFHTM2OmJct2h7UQFY36JkQ5swJaKpTRr4wAnIpfB
is025NAajcLHHdiQR9LwQt6Hyp2mEMDFzjLF9Aapy/Vk3hEtyjNG8/qHtKAQ
MjbPYzI6GTdJc9JIiLgQKEen+bEfoEYxUH7Uj0sm5sBnNYu/BrUHq+ck9ZH3
06aGXjpXKumT48NvE5FIh5CzojHQ3czsNr7T1T0ZTMSuhh0hBQr8PAXkxpPm
5EbLOM2FMhhI6fA2XogQLSG4ajkTms3kfN1R0T5plhT7piwAG8Z34YagGmgq
4ragS7zN2mU8wFvR8nfZmYBBXatk1GpWK8mYL5FQYV5yqM4a1+WkdLGoUB90
f4jzXNe/gH6qrLZMbWlLFzofl1Krtu8azVV3Z/9dKl75aimnC3cwQr6Kyvd5
Ol+DyhfPMLNtLB3rVk2JPST462ogmwJjxPVKNCznoQGQphCsRacM191UBAGW
rtYz1gHLOE4+di1ZOBAggXJ0zSLTzmmmbKJRMkSLTSxa+JpIdgYopO3Fj2lF
1dGURjalSkWwrgeSBEQ5LzWuUobcyB3SYEo7Qp50TTFUwa3orhBj/rsKmH2e
3ngYMAk9cq8iebAmuUeVFKB5iCop+MqjvSolsjTiYS+IFeCdbrpI5+u5FhSo
iaqyh+42JYopxRdWQaMLYJ7/AzRQmuf/EQVU7NA2/ZMUzg1lD0fA87+PAirb
f57+uXUKn6NpHqgd7tJytaEP1Vubwt7p2pdmTsfyBJPP8mQUE9VSJSkvMiJQ
n6/m0uTrWi6Rp4OUXPTzqfvWsM2ab31l9DCm0tou/wg6xBfgxrnGdC5KWYQJ
lLglr9xsbehAPFKxzvVMc0LJgM2j7HwYeZdi5Cq88+ASnc4eyKt1OYZ07EeR
MZ5o6b2qURW6dqfJTg3Kfe3K2BFXxphXjOIXV5RYP8e7w9ldg9qnLzrh604W
l2n+temL3ChS1c8m2QxpBkjo8toQb8c1HYm9Wk7wpeZsKVzjIJlu0f3KLJUI
oMomUE6hYm0AdJhNVXrlbaF9emY0OU4pFjZlYmRko7IBlNQuuVoxqWzYT5pD
oTEysXXkgVmmPicvG/SDWcTaJaK8t/0RdK4fBex2AznJ85B7Z98dsb7a9WtJ
F1h82aJSy21vBD4FeWpV7Rbj/5kRWHYf+PYR+512HBAaAmtgaz+5nOMwsD1f
+9U73rHCi/Vy+XJ9iUjahRPCBJpP6ai3rbcEBuVjqG2BZnPavY9wAHlCSW+E
AyyLFtTnJaaSNyinHS95pbxtYcPgJ06hKBZffTiwT1QyON4HNo9xC/ihe+Bm
sLrOk53ES5ZUKtiHEjXDO0lXwkVui49ZxYVGaXzSE4z9gXmmFIkXs+KGUP2A
3D1ljqtSDHpw6EpKXN1ypKXEsRFdu505NyP8UTzP8Iax3LzimJe1yTX3+OOp
ZG4s0NaXKCQbw9Bh64zEBPr5ZZyv7t5Q+AHKZfQVv3HmVuOt1uq7zVYqWats
qG0otlSydxVnzoy1mgB+dPmJpAj1hHbozHi45XAfUkMx9r/z6EDZxfDYFYpO
9UV9bRzRC4Jo3kFTIaYaxoIuiLUf+Izoh9ax1le59M/vri6W6IR4QzzZOFkl
JZRpxPabAo1nwQ8KqmOjAC2ckZ7zT1S81koGbtUYuCDKbO8CEU0RFhVyAkuA
nxYi+S5OpvT0NERyikbSrux3c4rUFe6WwpNVn7BIYJPwT6kyoZDTUdWvTBRF
YR8IxrMH+NYDjd4IBl26aEuiw34OuLvLdb7MSscp7IGT55S+XpxNg+2/C3QB
ETOAc1GujvV5F+TIKxo+xF8f7piXlqFH2OXKqQrfEpX9oxxGUdFlXBQqb708
mmaT8VgmPmuWi7DfE5i8TELa9wdCsuNqXbKsFzyWfwpt9aVMGNJcLwAhlH+5
YxlERKBoNuGVynCwVSiGyWNHQoyoGJEaXtTCG2ue7VpqiY9f6SJ/GW0s0KRY
z+cxeiFIobg034nUZ7UsG8pmLQsR3cv5flx1AwtCoVgWZZkcNGF8M3rGIbI3
MfyfbZ6+zGZ3lmN64kKM3EHror2sfUNcFiaAk8E7MNqmJJ4rRSyupBwnD8GK
dRSAklPpKTmuVBWaTCqLibypZ1Nv422h13WMhssiNlXBef1YTgG4HxmA5JGf
GQ/EgT6gUKsK69liW+CGCIY50Lof41iyKfj97YZmKVewqV5WJkYp2DcoOKy3
2kzPTszRBKImAAu+hSaV1+UXQVCq/ZFXS8Nms5e1qnJUE2/qXasckc0J1jSJ
ixmDDLLRt7Aq0wGo4Z1qh0Vm/b4Vdl9GET/kdNvx9SIr8A5Uet7LakzZlPfG
/OByJOIFVpoQWKFIdL2UxK6QJUYl4oyIS6PXr2Qdus5oODKOFPXDQpSfPh2z
OL6iqAE5LtGqyimc7IL7E0PWpVD+4ZcyhRndQJZZoar5/kVS/yA81reP/IfR
Pslhf8ghyMyrEww9GbEBHVRNC3RftiYKpZTtdit4ec7HmmlLlZrwtkv2fYHl
io9tAwZ52S4I27bbckn3UioXoC2VixnKK/GNoiJbAs+qiQ/kjaEk+zKxX6lg
l0ZfgZ5K9tY9dDVGcCYX1AGtDalNx3iHcaGWN+71vaE3GjiWa7muZQ3dYc9y
ek4wGJnj3kNue/4dNh5bbhAMB2HfCj1r3AvCgeuMo34vGLvjnjkKH+JMXkov
QiCEnNSMb4UBmmpp9B9w3ylWBPlwZniuDwy+59im+K9lmz3b93zLH8E3H361
/bDX8y38FVv5ITzrwd+RPCZhUX+k+JLYU0X75NXxpnq/a09TVmOpwkseL6UF
ABvhbZ+0KxpHwD/yhGx6x2dil1d3Z8ZFeb0udv5hXPuIjX6XTuEh/LdjPdSd
2JtiBXjjRLk/SrVwJG6zKKcgZjR7h8mE0BI8PS7vWsK+b/Zd1wksE/4H//U8
c9/Rjv2+1XdcsxXYpmXbput6/hBOwLVDx/LgWc/zTWcMZMqz+mFv4AIMjfqj
oB9Ylhf0xkMHNP6WF/ihN/AcN/RtzRta90TYllCTijKVhFmUetQYPAaDEIFr
9gGgwcQFxWlJPs7gy//+3wabt09RKMYw7DPDgn80jDFOocEn49/+7YRe1+zx
2IF8+/w7+I93EKZgdyciEJtwFftZYKbJU82fvzTjn3Lj8pID27PyK1Xg2qqA
mZ2oJ40Tri254+Ca2c5zeqK1AGiE/7oKLsWjT2X35RrUazcPD4EIHSAeakM2
X1KI7t+2DLrH0dNlNxy8Eo90iIq2pHwpFdzNsL8KVl3hhWaMwRrHWFawxCp7
7A1GTgBLGXg9czwcDALP6duR77u+Hzi2bcHSw743ijyzPwwc0x8PXccKfDMa
twIvgI/Z6zuAiz3TNr3AHVoDv+/Y4djqjSv3irXrwy9N7HRNoq4enOkeOVto
4CuhMz4sjJfCe6ROD6ORzd8m+fsz42UHIIG/f0Dk8fp9fwSkPQyBqvR9O8LN
6dtm1Assz+65I9iXYDCEf0y3H4ajYBQ5sPvmyPE9C3ZWkNI77GsQRYCEthcN
HBv6NEcmsGpoZ4Zm4MJhjJGnOL1+aA1Ny49C1x70h/bAtyLb64+toehrin35
5jjyw9CHQwy9nmvC+bqDoT8eWLbfi6Jg5A2DvjXsj4aeE0W2O4jcoRsNLdMe
uT1/6GyQeJsYJiruwuDCDcqjOA+REh3hTsP5HvNjzQDGN8+dqu3rzBAsHp9o
aP+xguz2AP5QkCSwXvpWdPZaxX6HvMlt4UtO3xrBcuB0oQNgVMCtgD/ZptPv
9+Dkhq4H4oIPwOP23cAZm37kAIIOnZYZROMxwM/A8/rOaDwOzKEHwkYIEAfH
7Nq2Td248GMw9MIQpBA41KE/HFteKwhc33Ms0+lZngcTG/vWmODBCyzoFijA
ACC1P+wNkVcCoA7HdtTvu47t+q2xGVkAyEMgBT2nB5KNG5iuCa2BANiDoT30
fgteud1d7p+OVapV1TmijiSK4ikmJxe5l8VWvLXgewf6Lp8Ti13d8ZA2DWjr
DBifA50U7+FuE8GsN8H8MR0bd3QvqBuNn30I8LA6Hi3EofEacaJEiS3j7cOU
Uh74tF3i0Hb55mEVr/aj1a+ROBrQZ6/AQTdT/3MkDWmQ2KUDo72CFLxFtuho
avDJdh0Yw/0W2TY1+M2C4mmF/eNEGUU4y/cCCQf6baLsprzitNqSZPCAY+lM
ViK/bbesfSwSO4hEyJt1i8VYRMVETAJ+BWQ7EeG8ZD+gnOW5SGhIfvpH5nHl
FpFyE6MXAUdtY05S6VJoWH6HzA1lZoHLWTZ5x1H2Kj3PCq/Hi1nG3sJvVOI8
rKadZutSthMQg00pIyiaTHzXeJIOZT2xCSaxpkeuOfDJ1iGKtkl389pUVD8W
ty6tteffieotJpppbM+TZhfQ7DHfOo3FTmbw7p/wlpffUd6ocxG+yk3V5YVa
qV4zSn7Ov7N0unH+na2X5KkVAPrl1z57pFX10b/K579U3/+l/v7O5++opFEk
H+hfD+1/3/x2rO2l1ekcPTqWP7+06euX2MxR5YQMFO/brafJdbIAZogN0Z9J
wS7KJqB+dKsKnERZVfJIYP4LieZMOX97K5kgAZqVzAZlJPItHynmeNgHjTYa
eWFvOLAD0/fGUcVKFgbQ1BnakRmOPG8MvMgeRk5/CJxoEI78/u/MSoZb/IeV
bKsmYqLByxmMx+MQdZF9h8u6SItfa7KTga7qmg7y5pEd2XBekeuH7shyLCzQ
Czqv1RqYgR/a/mgcWIOB+ZvayRDlDhb+hUVpq0xfys2+B6qxsCYhfAlRVRf7
92LJP4GFbD8sVEHhi1jItCP/77aQDYcgjnu2HUSDXh8k9NGo1/NGztC0XWsY
ukPTcRzAs9AOh6D59aKoF7gD2BVn2NtvAPtydOwPA9jvygAmqMmRICb/RFaw
z+Q97i47mGc6vhu54dgZe1G/5w7CQT9yAQBGpjsOWnDArjP0AaKiHvQBamXY
d8Y9vz/qWX3QI/se28EGg8gH+BtGY2fg2UPLjsb9ljOwraEFfbo9kI78nt13
gwA4X88N+wPbAcLWAyCLwrEXmMgLo743gJlHEbzRcqNoFABdsEIHDiRyQtBx
3cgaDcajqD8AyUZXTn8DO9g/NSv8B7OA7Qby/TC+1dTVBPb3gfqDbFoEXzpu
HIIaX8KWdR/R4EvZsr6MTCDtRTtNVcPRlzVVnS9KM5VKXQVoLZ1U9YRy7FSo
VDvMUysqL2blu2wUOWm3RKnvMqMTCmJkm+Hgi8kNZxBaZdfJipbQYAC7nAgD
GKebZ7d+HJLqYZX2F2E8ItvVTsOWqrglTFqc4wrLjd1JMxPlpGIL1lQ5sWLv
FDrLaQ/Iawu2SfiXsRKvZqccD1UJiVmCkfZlVHtSNXbFyrXQuJrFxY0s1ThD
/3ay95U1BMkj8ADr2BE1OVaeWED1CHykERJ/q5jK2i20GV6mK+NIGM2wvKyw
O4pBTOFqh+OcWv7XSMH0zss6jMIcCXtkltXtqmYB+DqbFXVjofLcBTZHm6TC
AWBW4shFIP35dwXl0yUgLG16lrfFDPeyauExXmpGuEbL0Pl3ytgkbVQVY9Mv
1Vd/2fektHv9UvnKT0ur2S+Vr3ufVixyvzRY5Hb3vHtWu9f5SLfjNeyAca8n
e01wL1Pj69LuJMgJPhjhg1EpPpRPInigeSdLz2189A4eKYMNZyEwDDzvr42/
vHhVAnPdxsdUqWLjA9j/Hdj4fLs3Ho1BO+rbwOF7oQd606BvReinMnZMp2Lj
Gzg9UGr6ljcwx33XCwfRqO8D7wpGIAAMQ+v3ZuODLf7DxneAnhWgnrXvcPfa
+CJr0B+PbfjJ9qMRyPMgyTkOaPLjUW9o4x1sy4Ifbdu3LFDh7d/WFw5R7jdS
bCyp2AB8NSg2e7Hkn8DGtx8WqqDwZWx85ZH/N9v4BiNzYHn+aOyCemWi7aHv
g/IF643MoTkYB+hrPO71x/ZwNBqOQZmy3DAcuvZwbLYi24oOMPR9MWL2h6Hv
92foE+5ucMj/lIa+ezGgnYa+4cgP7HAUeqbtjfroyx94IbQDgSZyvVZ/FPRs
e9wfDwfuMPSgrdszB6Oh5QUoe7j9ARv6cAQfYGDs9xzPsjwXQKNlB4DRg6AX
hYHTs0fD3tAKxgM3AM43dKHDsT8Mh4D2QWD1kSEGMIFwPPRcIHgt2wbIA1HL
drxo6I1tF9bnjlx3ZPn9AUgxbs8JflND3z8zP/wHM/TtBvL9ML7V0NcE9veB
+sMNfTpuHIIaX8TQdw/54AsZ+r6gYIDWPWGPG1HZe6zJrlfXMkJVclTQcsqs
eL7AmaWcRy3jMlrA/vkXUUYL6MbkhqPuytyhbnfACWaQjGwrn3V8gmbGICwD
qzUz4GZkbml0lAkpb+M7io58H89SGZaumR5heFWir+jWAoPLzspaSJQ6kIpJ
Y6UFqg6SCIvmiqpJL6YxhoUTz3smq71pRsvyjAsZFfcdzw1pseSS6jDKaOWy
Ipcsc4RCGdaaoOSTW9dIOUdqQ8Jpk73rGR1MfIVx8+J4K0XAtp5lVktur2fu
5/Qf1OdU9VnNMQp7PucCCj9xsoFqTDFn0dQH7FB/nbI/ncn8rmpWHlCy8r+h
aGWlfN2pAdQXeVS75K+MTJ2U6GXHAm5gXDwOmC3IZvw6OVYWTFadIZbdHdjB
Q/W4Ws9JgsEp9kH8rXlmZOGFVYLm52CScGl3bujpPgV+HX8A8/PM8RcryEnP
mnEAthVbwL8lPZlI0lnWZ9YXonjGARCueAh1qeNrUMPX30U5zzpRuUyuMAfF
vagKFteKZwVFzccicjlrqBlXYMEH6l7frvgdpsuexVTQ4TBag6yn4Si4801q
oyVPMeYw/WsqiHwZr1Z4W5N8uInXBQe2U2GZggrOrItCJn8E+k1lXP9biddv
RAr6QxdQLXTcKinYlGQ+lxQ09LTRwxcmzJ+F6c3z/EcrTLyHeG1gzHbqNawT
ht8N+aK5UshCtbDt6/halBuSk8a8dRuC6aH5WzAhDubIqUuiHDpQghNV6lWZ
zTdFQyU3StpakxK3ia9wSCkmDRZJLrdLxqsy7WVZA4fL82p1kz9+FG066mWE
gxRz/nRWIJ/W6sfHhnxq4FOSznlKKu1msYovZ2lxU0qVsuf6Paq8Gjz486jd
qt32fWt11d6GsEl08175/ILj3GukR3xXWRtp9+cXfgMYhUxhtPVDqk0h37jH
5/3mG3vX1bAS8e1bu2s8E2zQGAouqK+l4R3QghWXDASX3PrOnl3fsss7d6Rx
z34BgtPY+odkyy6/P2yMzek/2vPGL8a3TreS+qR5OfoYj+q7sueNbUez+40f
EnFSsFc73xB7U92ibRuGENkVC3jEGcGNrlgHfio/iVaMwphpxzA0/4Fg/Dp6
VflpGI1fvJJuB78YrzjiaioblCzIaPwJpvZQjvqQ5/GwnEfjTxqX3EMVJYMM
JTF8DT+e6bYAJLaCMClLUaXGpBJW5CUMkrLHWKo7Exc2ZaLZ62RlrJosTf+u
fGEaSzNjZB8tINbLRrRbKaXrl8wCG87yJJ7eKXaiFXQgbl0tFt/Be+5lkpdx
hHFpR4pnG3KWyGckYuamIlMVEqBQrlWrnUFFMiRh2i6e89LvEi6y2LD+m1jm
8CpXtaF4yLkA2p4XOs+sGxGrKY1qgx++dlUhvHrAcoaiHOc2Ri4EmakSZIyU
MxsushPZB/9a6CYkrLKDChbrV0aSknFN7AVm0K6be+qArPW1qbrBCl9FoxfP
nkXPwygUifzG0pvjzZLWhbI2Op2F5HQmBJIxOac9S+YZnPDHr8hXrYYrcywe
Dw/eo2ce6hWyLCx7r4n957LuOJNZnF8nnGQ3j6853rQEUy6kg9G0VDsAXcIw
WVm9oC++XhaYKcrnOFiKGZTl6ta0Ok6tOV3rRc55gIWW2xMdHG+7xgsqmZUV
KdXgANiQRbIqohmWg0FPwMai6QVIlnGeZhK+MVFYhtdoRhIXKZawxKHfqfrd
D0R69MX1A+WwxN6cGfWu6igLbbso9WUpjmr5IrHXqrMOne48ncAuKEdDsYsZ
gjQiAFoE7vBVykgKvRTZ1Qq7OGkoVsxpkufx5Aal3lkS5xQhO89ADi66Bpsi
5NZMRPrtlboXI6y5zUCYhymvJH19w0lE2SNyTkB3JkCQvzWughyUVndLehfd
ZN9nM5goXrSLtwiOkjzGe3bKxQhCIIEh1ZtcqcJN7EN2Arh8jXCLPpbC45Qi
j0EBuwUUk52IVPIUbDxL3icz4wg2LFkYLuvxVFJeH6ZbWQu5dV6tc8R0Sida
JAIbOAlpCVdiFXlyjbAvkyYXqywXWWAvs2yFxAd9asvXRF7QouLDK6DhCHag
yDpi3eh1WRzLCuybhamNjx9ZGZ3Fd9l6BQoHGngKzkLKViB+wq6ttRMCZKRl
w/CxIObPqi2A5hTp9eIMJPNp0njGZUHmSbyQ9ae5tOdUVPNGBpdfpqAFwV4x
GYVF6rCkUhpyNloJ3picH04vWxLmMmXB6WDFGsDZMg2gaJYQncODRiUfqb3a
Xc6KqKoMlOdCpje9FikmZWQPVs0VeCYL9MmJSwgGmoQDMilVragqGhclyDqX
SQeHo1yUFZ9bhDIqCEAVuPnAHyxzeIge0HDynAn8e5k9t+SqtY6QW1OdHSqB
AECWl4kPmdYT+caCzrAH6sCQ+iGoTsWNdzIViRkRHiTmMQ1MUOKqTivgnVyQ
i2cmnIX1jaX60cCms+sF57NdJLf1meOZ8rTYVVzjzjT57HZBvU1Fe8Z6wOKO
8IKWHRjFbbzkRa5uhCDAjs28w+LWRtvcepEl9GKHPpZybJgtcoONKSjhTsaf
z4ToJ56r7AZIRQl/RX3s7JbnJfges58c/d2FmXQSC9mGhja4lPLmaV/F6Ywr
deNmy2VMp4WRZ5cg5y24kHfVy7vObMviDLhvtINcH64UdViyIQETcC7mHMX1
2y8Ymow6KYkK1VqaZatNwI/fwyoo+3PD0Yjy3Tg+bxlNUkE5IvcswRo+QL1n
uNoH0/V8fieh54FeXwQbS9S+IcRFQ2P9Dg8EgrwsSqzAT1S8LutlwdZRaWWa
ESw41MfFBoT4nJu2xEA9ZqPJ916AqFhrBdeaIZ4XxTNBQox/4eIMtTbl5NJu
bT2GI7pxqA9wrIgxrBpdX+Ru0CGoregiYSoLkcdcAI9cZfCqAe8K5unPQigE
ka1ILzH6QhoKYY3vucILzjuhnB7tFmU0EeuUmdClUAfD3tDikJ2I1Ur1jSIW
qqvDsBccqzoRKnCdrapZ4zczejPdFdtwE+dT7JfT1IPwAWrsTdK5mlUOvqQ4
VYCGaYiAlQrIT1AwE8nVuZSnVtoMxippvVAa0CbN6onKeVyFFEEIRFXQRYLp
1PHZrWQfNcBCdFIiSbsVTyj/OpzhPC2EdJLzy0Lyz5g5pAjGVx0QL5cVHo6c
UP+5lPFAPZXSNolT79czTKzPqd+N5c1dgQxJ6qa/2tApTJ3DkhMd9vnl88d6
KYjXBW7sgWMdbL48EghhHeNb3Xt/7jPWr5uh/bufofO7n6F7/Cvg8EKh+IGQ
+Acc/p+Z4T86HKKoEKAW8RvMsPLW585wVNGlKRP9bzSWMovrirq0gUvPSDY/
0I49pQalh2R8mZK5CVhlnrCWJEzTeb6uaoNCyE+lFhxLZWROLB7vkNcLNAov
NCugyoFPdZCxOEwu7ptBYwE5ZHoi3P5YGSmjX8lrMDOu1rMrDtOloFw1nhAb
SkEEhfGb9eIdyBobCgGaVTSLjl6CsCoTyhBmVM04rDWW10Wkd6hiPCq6mBWY
n1VNh9L9u/R8breOuGTD5R29jDZp7HphVI33oB5dC72IpqVJaWigOi71dXhV
nMZ1gsX/LtnGeCtFZl1RppohFb23qgC2W6WyXFFRVQhug0lDwgqbIuAsqMIe
SG4sJ4IQmUxuuFQwGTIr2iOOdJng7YEu1KtYajpqUVvoRNVS2FWWggTvhuLa
mjmYQxe1S37t7Wa9SaZHFNf9U84U2OAloTsCnTTVZ0Gf3H7XJ1eE7S65J9UK
S7gbWikNsgIW5LaCMVAjUOpw/45EeOgxWWBlCLiIjzWGFPU9uuE0hgCGIiLp
WCvGQVBNYEkH1Zw+AF1F9LoWvN2AmwLt8VnM0UyxulEpN1TPK7Co4DjVB6Gb
BHYrprIe3BWDljTWGUuQ3tk8WzVU6tWOMgKogkzoP5d2zHZL034UUjFci0Ja
evmPpmuT15UoLc0bpKyjIky6W6pDwQlQngYxrfci+eTR+XfHgGgzASlyM0UN
Iw4fUxVWMHvpogqq2s6qcloBqPoi+acsm8LFSaeatobUGIMehC1DFmphk9VM
ECSZSJROnC8LuJQXeWYLlZnLq2VlasxTofNPsjkWi64YNpU2R1keOIAbL19E
woSiNO8QyetI0opAjXFKc1C6YcPmMZmPSVuvZUaQXbMdUtofZD8Vs3CqMnpm
+ZQLDD5Jh8rsO0dCjuyzzGdRgaTSFRVwMZ2RVVxkNxD8pCiNSaqKFn83VND4
JnSpQu1oL4JG6NMkPHim7EfTcKVKtVpWMEENIrhsXqYx1Hbr8bNgRFEq8C/h
MYU/4D6IsMVETmyt0rhqgM9x0gA4ejH0jaDoxiDpI9/C/4GYKQLQTuSkRWFQ
3C/HPlahE1waU82H7Ozp9UIlwK1OLRqFFwFOcAmry63qHElaGkbfnD83Xr46
/y54HRlPoh/o13br2fk3j4PrKHg2fPbN8O6nby6euQP4/s1oJP6+jR4PvzFv
49vzYfDtt9fB8q8//P2vozffPH3mmd9hGpfR33+4WP3lkTn4+zfzxd2fX+bL
8Onrn09v0r+8uHkVPB8FwUU0y6I4v17/9NPgzzfffUiT3vNs/v6nn572X63e
t1svH12mq++/n9xM3wf56+LqybtVMfoh+nD75Pkqf/74L+ngxdB5/uh2EbxZ
FT/PX9nOM3f1JP1eLA0IVcPCtKi0SZYDy16iYwNGmZYVpJGZX5bMs3ShKxK1
9c37+Gb49Hykb+P43W10+8PjJ9lfz3/+uzkKvv3hXPwdBt9OQti46ObP8fCb
n9ynP/30/uKH7yY/LNY/x3/O/Z/S0+iy3br8+XTu5t/NFud/ubx9YvYe3y2f
Xgbz4bPJ6O+X8c+vLPf96+vpz1fFn2/HTy+fee+mq59fPL3IZtdff61vRH1m
Ep5IptJjby8eB4QLwn1ReNtqJf9ktp6yIK8UqYlCf4+3gkYoPTuNj1+J7juM
THxt+GkTxasXysgvCd9j9CctyCydVUrJVW2VNDaFQD2LJ6aBKM1ZnzODBiS8
wtstTRBqcEJZUDaf0mG16ldS+qtSn9Cd/EExxOoqttQi44CrMrC0EBSHLLLo
2iI0kOPSfxwZfwlzmCnkVJbK4ou4H1/H19cJRrhbZu/oY8smHerUaPaFQV9b
cs7+W8sR6hZ9cZX2pfyw93htt7zNVzTX7SAY+kGv7/dHbuQ6oTfoO8MwMq1B
NLbtXm/Q8nfqgLY19sf9aGyNRxipZzqYRsv2vGEU2qPQMR+2eqLlWwpw7JeL
OS3BQdub3tHfWgNtxpuxlZZpaM/11XPUI7pmC/AyTluWStrCEZaWXb5bj7L8
BI8dbehqhCg8dMuHoPbwBg4crOfVcwMvNF3bikJ/PPSi4bg/MAO7745aVnkA
5ScMRr2+5YOoZLr94djFtFvjoDceO/CLPXIetiyx8W+PYd4tq1fuodXnKSgo
Vo78LWsg5ycfdmTFTa4kcdKyzY0mMhqiwzmiGPawqSWboicH9SEHsrVtLIPm
+M2/tYw/aUf0L//yLxrCarWROWxPPSBH+K9MA9qftmyn7OFvD9V9TUcKkQ+x
XvDnj2KJUVx9FEVutFFatjo9+NvXIcnuyQ1IsYo1hRBbPYG0dl/NzODQgoar
6lNtCbSAKZyGlD4b5vz1lkmKxQzKIQ8LI2k5ZtMrO8IOWo6WA2ln+IbrNxwQ
xxsYGKkBcqs8Bcdu7rMW0FFsi+hQO/Gg5SiwAVx2NHTdGujRcryW42sNBQP6
1cdl0nE1Qa5Yda9pdruCQ1pOv+mVncdVktI94SIYKwKQSzH6rkZhm2mwW8tV
trNYjWvrTRl5XKf6+kbAu+vWR7hPQRu3QnMBFly/2tnB0f9ur/piPROA2zcq
H/hlYNQ+TTvomfVWvDGetfn2xuZ4dr3Rrgw7ntPUeiPbjufWG8G+eRvMq5KF
x2uQDj6nLp3X2+xnR/C9V9v0ty1vUP3ua9tLHHQ7Nbo3ofW30MBt0VQtXx3X
J30ap6Keq/BZbiqsisaY90h5fE0u2RKV1fLFAaKU0PLp4D7Rn3BIn0oV9bya
SWXTVzQtKulThoFt2l4fC+B4fdvt2/aY0hw7fjTyB17k2o7j2uOxBwJMfzB0
Imdk2SNzPADe2RsM7HEvHPhj0+rZfavXt0OsgjPyTOwkCC1ViswLzLFPBcCG
PdPrgeDmD4bmOIq8yLdtEwQqH/4c9Jxxb+zY/Z7nDryB2Y/CIBhY0WgwcIej
wHWH9sB0AEAGIaVrsUxMsOJ4PRgDxu9j0h/TH4FSP/Cjnut7vX7PtUM941sL
U74BpPZ7o74LlMa2cN3RYTWBWs1FgfbVBLIcr+86v6Y2m9UKtmZL24+PrSpC
WrZZZoLeo0+OiZ8+MkYIi0qtLDb1SgTW+6uV5B5MQ1T8/TCsrzQi4VUJeZim
5PMhnQ+10IXS7kVXBtLHD13GZHaI/UoloVupUla95dqt2ywHTfE2Icexyg3R
VHdT/8v5y6pd8UuopmzTblZNhaf4U3yHJXy+ztDCDNBvvGi3KCsH0UZif0jt
jGPjJn6fsJuZzK9ETipVE3K71WxDVushP7uikAloRbzzThX5IPUYyZz64x5q
ca35fVTiTV4lP/vVYUmgT+TEt6vBisPsTi+0U/0VbGdncqHmvDms8soHh6u7
G3uyX9VVTLpV7k2jestz2ara1h5vU2sl762ptCVT3lBnxWerIqqeN6qQgiu3
qifRqDbKOexSGTekgB0qHoqozZJMBQMOUSVKmNun9TU0/AxVTkBu0zTrKlzZ
ZKfydo+NM2njGpW3L7Jxu/WvEnd2IT8/31kkVH50/OfXtiYY48f3Kx6qhqmO
cY8Ma+VLTZnW5Kf6bf/ubC78gMXXtnVLttKy5ZaspY17Ut+Xje5+TU3vcoCd
Scvk522r6W+pK2mT3afe7KAxu5C4orvcSxeieTK3IP1G020okCu5ijFqC4U8
8hFBFyISAdnJoQxO2zQWbqQl87oWmqp2JCVD/wy+hFb59Ld2X7VFfmXitLaQ
Gem3cYXeMcsYjvDB6WZD8usnwfjDkuBZBdwIvxt+O1d3j3LiwkEmAdkO/fxh
iVXpU0hr6O+crWfo+sLBUH97anWeWr23lZueoibpoZMN7B+07Xee+t5bftG2
O09t7y17/2AkSNMWFf+6bUPqe8c3sVsgr9YYgBRvEhny0E+K5jN4i+lACmOy
zikGbcMQgJXBKYgpLsgPaVpqNysMlVttGf6YB3BsMYBm9iyTkRzKCEVf7lsW
CriGBqWEoIgsrW+6HGuekeikt3fF5v4VN52OXPEAztsUgxBA1W/21fr5Bd+q
blF9QuV2fYVZaegV563k80XtjI+aezkudT4ZCU9hnbRfeg+w+C07c7ypt8Yr
zmQs3AWvEgoHEtVbN40qlWAK5ftVGlp+wQwY3KHxHB1ddn2g8eUlxlrFMmGB
yi74KhFRrORAeh/HzHrjxpfJK7WRtm2b6ei8+r1OXQ3h6nqkWdOPNwCh1ukU
xPuy42qnlkm97uyUwj1evHx9/uJ58JShTHR60dxpv9svZ8pgdkxIV+2EQLUy
0yKfdN68Ot/SKd1lUqdbEKCpe+502/KhU7H8xgS/oHKskl30Xs++WPVWwUQ8
SQVia0BYlr6ow0Ap7u3+NMDsVhi+B3DTDtcBcQuf+WUbT2me7QYobtj15YMN
w/6uTdgAxuenQXO3Wx5s6bYOjlu7PZQ9ld3qm7Blrfeb7aH2agZXlg4Ps13v
s/DYVmu3HWeb7ZqtI63t5pF9xhCyXQ97Fdt13x6S9dreb71uccESbOh7fuQ7
Pbs36JnY1K+ZuaWVGyvmmiPTstwWbFZk9e3Ign5t34e+4X9mz3ECe2yPcTQY
OaQZeDZ07o/9EH/HgVp7RvLMMYxikj2djN26rbt1X2O3butu3dfYrStQLd+2
fBMrQ1RLH0qXK4Yq5UKPfq5Sr6BAZsqxgwHLMhuIjOskmzTx/DvWDqqZMlBA
lVZhzhzCSTdEePSG6+k5E+N4LdMuyAmyJ+qtiLCVAbbcC7sc/u3moWkKjQL/
th6+5QphjWxctiax/0TFgirdplxTUuenX5ndezhAtQ/2gGpXXKDan+ED1f6V
TlDtX+sF1a66QbUP8oNq73aEat/PE6pdd4Vq7/GFau90hmp/njdU+zPdodpV
f6i27hDV3uER1T7AJap9D5+o9g6nqPZur6j2r3eLalf9ohhVT35Vx5bs2K12
bKHSqDk/taveT+2d7k/tA/2fKjM/0AOK5yZnfW+fp/b9nZ7a9/J6ajiNRren
9hf0e2pXHJ/ah3k+QTOvfbDvU/v+zk+Ck4jF3tvdqX1/f6f25zk8tfd7PLXv
5fLUbvJ5au91emr/Oq+n9obbU/uz/Z7a+xyf2pueT+3DXJ/a23yf2gc5P7Xv
5/3UPtD9qd3o/9Te4wDV/lIeUO17ukC1N32g2nUnqHaDF9R26nQAtb2v41O7
4vm0QUEOtfiLwfd7QLUrLlBtzQeqXXeCwtJnFKrTEBuxy5eFXvrcEAmjFiHB
2W0aQiQu0uuFBRPECAmKqyhDJP5BAiR+n54fo2hsOq5tO2FvDFLnIPR7oAX7
g4E3dKPQjXZ4fvTRAWzkDcdW3x36vulHkW+PXGtkuYMRKNPbPT/osLUN6H+2
60enB/8S1HxBzw+V6apaddH3Im8A/KgfOB7oSgPP7ble37H80BrBjo21rRoP
7VEUOKY7GoyHvuVZkTfqB/1+YJp2YA9srSlsYH/kA620hl4wMoPIsQagEPiW
2cd67JWmw3A4tHueEwWw9Z4Lu95zHLPnBwM7imzzf5JbifJO+5VuIwcJVhoI
/ZYuDvKWCiH6TDu3m4eO644DO/SC0B6DCOOPHd8JA3+MKOf0xpE/iBwnckLf
6VluWME52xn0AcdM2x0MoqEZ9Ye2Y4WuN3KwtL0XBo5vAcr55mjkWdbD5ovs
/znOF2EQ+ZYztCMzHHkebJZtDyOnD5AfDMKR3/99O19UpbLd5e+2bdYBG8ZN
9pXFK1vuLo9XtttbJq9sWpbLG4/9CKh9GAyDsWcNe7YJoiDAs0XVQV1/BwfB
j9V3ooE7At7hjkfhqO8PAEsGgWd6QTQOo+Bh8/hlVT1vPBy5QFT7rut65tAJ
RrYdDB1z1AMdwXSHe8YfeqBfDEPfBKF10Os5bjAYB6ZlA3H1zP7A2/Q22fBv
2RSuN3xU7usTA4huWz4awJ2xE7nmYNy3vH7YBwE78Pze2HHNyOkNAuDYEXDb
wW/hE7PLlYWlMyR05IdfDvpFfFoO8NcnG23TxUevdvGxT8Dp263dYozXd4Fs
S7u97fPFh2uyONDaLg/sEwJGXms369/N71u2iTcl0Wib17+PFxNbrkNa+n3I
aNj31U0Fef7v5letOsO6D49qWRbehgzMJs//fdS/JW5DyiK19maR2m0EqSUp
0j6Sw0Vqq3SltUlY9lGOMiqhZYeg/sLM74vWlaiEZgUuTJaYyWkxudvQ2abq
0ecpbnlSZLP3ichfKvvqll5n/NOqgpci94NI+c9xBpzkoZ6aIBo1ZXl4PBkF
30bR+fm3sd9LPH/eH/3w1Pv5u/jP4/TpzDH/bv704bKfx3d2mLx59tPjRz/9
kAWZygLRbmEeiOzNt5TIIFyOnvz0cji3P/TPX1/f2m+KH7w3uf3X/k/fD4r0
URK8/quff/siX2Yrx755/0Me9Z+B9vnnkX/+7V/P3zvzfPzO+nP++rtX1gfz
w8Xd9M+9d08v5tVEBo3rqHjnqRPSN0ol4o9rZSa0c+NkRnTPJbI5C1c+48FX
ZSvlm/fAePPq/A+1FnW1wAoHY9eOekPXdHtAxjz41zetAVBZIPs7hAIn6Aej
kev3AqBYXs8fWr0Qr7p8IL1AQe1/NLU2HLsDByjs2PJ7ETAt1/QGzsgbWGbo
OMAQta1ybWAeFmxNODa9vmlGge8DQxsOgJUMRqGnNbVMszfoW2Nge+ORYyNr
HAM9j/xxzwuALutNB70w9CIgtoE/BHY9iqCdO7QixxsBP4x+b2qtQrw0Kbjr
jxUBaEMFrVer1jB3CbidikY1deNhA4J30aSly3qlyNZQEvqL6d9qx7TFTVlj
k32q2a6aJvv2AE3++YvX0RlVq2sUG+8ZzVBR+ZsW+4fKr975Q+VXnz9U/j9U
/j9U/k9agBmTZawDYjQwpPtG59XIsmAZdQb3RWP1aqV/q7SvJno1C5hyHqWQ
STImaKwWSDYgLgEZHjiO1RsFo0FgDgbD4cgc7sGCYDz0QBN1RyBU9npjDyPq
A9dyrDEotyNbA8K3W+OTNpwxQM7aG43YqDjssvXUYw9li7JYsNZjmZf01OhV
25c9Ctdr7T2cv6VMSZpZCF9vnjKeppAq9mgg4qgP0ULwswEk99JGNoHl7AtA
y2eDyyHaiQCW/WLAfi2FgGivKLCbi1cfNmot+AE24A0G5tgB1SIcuWPbNMfj
gev7rhP4YeSYYW1Lw1Hk9YZm3xyCQtcPo0F/4Id9a2AOB4HvRHa9uW9GvZET
DnxQj/weXnZCv2ZvCJJZMHS9WnPHcke24/ftXmC7NjCkoRf5/X4Yoipp+xq5
1int24pWt0WjqT5s1GpqTXZpNtx0i3ajHm5RHPCzU3mgRdVO8AYaTNWcmGfW
kGwbA9kq1suX9gn3m50fwkXkW/fgJfKVgzlKObMaX3H8ASjZ/T7oCH7f7Fn2
uIfmYGuM0kAv2nUlrz6gt4fukBK0WEEIuohl+mYfFI3A8kPPHNeFh7eNEunO
WvWV1p9a1b5KtbTGvA5QJfFzgPL7Vu9WVfEGrtPA5nfWtd/KaLcqq/z4fnoo
v3MIuB5wz6JWteeuBbXpyzvNUlsb6LB9EW2pGuuqqbhqmWpGOuWcVjZVShfy
z0/H8M8XufJxmq589hn/nKC128S37cqHTWWt7bayfQYyy2ztNovttoW1+pHp
eAPT6pmgLWnhMk4Pg0MCvkfBy5++1cfrn55JoSp4+RO1fNAe7NAPfQt+Gvg+
PAbeCbvkoPbWc3fdG7Xq0S0mRtz06mNQaM7GAC05gmXh5C0HlnHwdVNr01hy
uH2khQaSz71uavn9z79uapXa8P2vm1pNSu2h100tCgz6rOsm2DCMigKscnR8
2ie6Stm0tU04xRircQ/gxQUJqQYyEipbVaih6Kke/P/QHO96jd9qydc8GGf7
XXDzQlqbK9m2kE3C0GLKsE8UbZY9W6XwuU/a3BQvW1X5Eo+sNwx8nSy4A9yH
JqxuNcesmbCB9hjWI9CzCgdSMGltk0z2SR0IBy0rItrRQKH2Eqhey3VwHuYY
oLQnLq0BA/GX8prUeCHLE8YzLPFTgLDH3wtVTkcKaUVDEcBpNllzrVkqdqCV
soxzLOCtVUSslTqHIThnBIm8eJn6LrnTLLFktTt6Ej05Lp1UlTWSku9XKkvg
40oWumKC5r9jLH2Mo3BhBAy/S6hYn6p1XuaNV+Vutg5CV8Vcs2aYwXeu6iFr
g1B17/XyKs84Q8B8vUhVEVwQDOMJL5oKIhcymp/z0sP4qvxluniPV8nTWh+4
oynXELpJC71LWcJQlnVBMSYW8YMoFIC0QmeEimU2yTA6K64dJpdlAa6PRVuo
fsmdXpfYSOJ8llIlEPZKnoGgMbmbzJJSrOGqubhfMvhQ1P6EGayvYKb0rd3C
0EZ+gOvj0omY9g2DGGXOObkV77jiJYg5SZ7Gs3aL6nuU6UA4UZ0E0EqdEq2q
Be0LDkM1K15vFK/k8q0YwqmXYypUAZBVvp5wMdcrdqyuzqIrZDI6f1kzJs2n
jAOkIIJgRokg4tkdHDaWEMlTLuFpvFtkt7CpBWw0iYmy1iPeJONxG1hVc7M6
BtUwSgtZLBwvv7HzlEq9YKFdLkZPOE3K5Gp2dyKArXF27VaSkgOCtnHXIFbD
oXChS3EkZXFUWsadKLdZqdJBdVcSvULnBPcGrUpwUj8nU+1eQW3q5hIJJMSs
cF9PmipkJR+wtku6wrwtE0HAoMOssk7cbJGwQFXfwZBaLMKNpYSoioyofxrL
hek7imW0c1HyBMnmhTyuKs00Pn4FB4k3XcUnVdVeVFBRpDItRAJEeeYMQPTg
Osum6nc4R0TwgqKFkQiVBdGJXlCUsPpJlJfqcsWpSrYhtGtzsRz2NBGFUbg+
q0oYg1CtCBNRKtBnb7Ip43R5usWNyPmjDa7SmsyyxXUHsHVuFHdzeD9n4oq1
x9hTol4gjCppVymdtn4mWOymkal6RHAS6wn72nANVDjM/IrKpK8k6bpMFgkg
OFCN6ta1W+UU1S5qyUMFbyiXhhhGUFqC5ZhK78odht390ZLDNmzz1g02eH+J
I8gSXxuV3rgAGo5hq2RL9cJgjZXuqeS4McO8PCLn0lWNZ1M59claq3W0daZA
Z2Gat5mYsqiXtQIi9TOWnVrE8wRwqcKAj3j1nF4nkpdxnQt0ppmASgobnCad
x8lsBgzCOBK8VaXLonQiGLkOcsU8Rqoh0kghG8+xqjJhNVcvF+mbBI1KMXh+
OcvucJVSCd5WHfdR5YeNp/VcIY826y7+Uvlh46lR/4F6eM7GRjgT0cOFLF+F
b7xYiL9FD/j9ifwueniKYPwawVj0QMg1m/EbaK4XEsDmd9HDEwR/fRUy5cDB
q/iV+/C7PQsQOmaJeKP8YqizwLtDvYeRwBs1B2ywpGQ/lS+GOgspDcseSmuU
6EFroH/h74neWj/NIxirOOYe2JYs3ii/8PdVHi8KIT5uPU2mYwhSlS/GVoja
6AEbEEAZlS/bz2KjB+1b/WlDD78TiHoDHGeEtTRlD0+T63hyJ96IrpAxCXiB
7y8zkKg6q6yzax/eFMgN5Bs1eKAe1K+H7GSoU/f693+os3iFwuecKrj+O/Xw
PDsxLiVm/ZAUlR4q37ftA8tlCPj/U+ik5mIrykM21VskFNdqWaKSmWcoa5Hb
7SVWws3vUPS5idcFCwYkf8lk5yyMCbmAbe2o+bFZQE9ZA2rgUgnNPIskvwb9
/8MyAYGa0qdnspSqKOJInWMqHZL7pni1F2NPqGUUQmOJZW4drKes/Juk5Map
+LJ8kmg6q8hWjioFFtq9BfVdGSu6VJhZlY9V/WDB4AUIPCqdj6xCmVNB4EWG
EtlOkZasEah2YtnY20TUsBQzEtk9Mf5Ww8rirlglc1SuVM3LpufpqkhmV7JS
I8jlaSH03qSchspHqNsMauHG5MWyIrFKO1yWBMu5UjtMfoTldIX9gkrzTVaz
u7J7taEqIVLM/UJn6TwREngVBgTEaJBCuebjGfpa33HOeQEitMImXVd7GSV0
TXNAEwYNjdJ+Wdm53RJgDod7m+TVAs4Gl20F0XOyBsl6VqrrAuxIgVRY0W5d
JInx8SOt49MnktCkDgNHB6J3UabD14fh1EwbZQDOF5PZeiqhUVywCgNMU7B3
9URjDGcoBGAp0BdHHEvsNjaQW2j44njETRql/0xKSx5hll6JlELvsYApYqJ2
Cqsse8eQL+qHGufB86DB9kg/I9wV71jZiafTWsrB9/FsnUjDBF2BvVT31KgU
YHlhXFGBykRa3DCYy3SIltX1dmfvLS/QnsaXCUs+zek3VV5NEetwyAdQchjK
/EOa/Ee3kfSRM3UVAX81HhnRNF1l+cMCGNkqMY6ok+MzytnFGyI12lqfWBRD
ZolEE1hC+pI1OJHFIlGtylAbpG7oeGCaABiTd3xUY/QbHYXhU+PjV1fwd2cy
nc4a4mWoyRyAiEjycsnl0/VzUglJsSnnG6Pf6U0tGzPaGwPqIP1gBLtPSyp6
2AdgXtMd79fGV3534B+Rk494eNxq/a//Ra1fak4Op18bR7Wi2HUv4a/5gvYS
YMzoTi5h05vGhO739QNnoFnkgwmaBGfJlK22AMgfz0RhjmT69YNFxpXuv0+E
OWCWvhM4EC/eYaHfd8Ywzd/dZLOfCRIouxywSDxGqefTNrMBWGbfrdoG4PAD
Vf8Dqelt83DP0slNDJjxCv/NpwUWWP6v/+fufQrk4NV//b8LtOwC9k1PjBBJ
9+ubeIa0/2m8FtjydL2YXs7iaXJijG5ywNcU7Sbz4r/+v6I4MV6t11MjTPLb
9JoTOo/iHJjcwhhShfWFBPUUbUKgXNyqlXaNccpTb7e2zD1MYUOGOdAjNgLN
43cIvGsgOSQYCcIKC5thNd+kqKQrniOqoBgADKNqLyTEeUXT0fL9nkcX3yBr
BAKewJIugeJls+SOVvUqQxNIGC/uZuktvP7/A1M5zrq1VwEA

-->

</rfc>