Doc.: IEEE 802.11-03/084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang Proactive Key Distribution to support fast and secure roaming Arunesh.

Slides:



Advertisements
Similar presentations
Doc.: IEEE /1186r0 Submission October 2004 Aboba and HarkinsSlide 1 PEKM (Post-EAP Key Management Protocol) Bernard Aboba, Microsoft Dan Harkins,
Advertisements

IEEE MEDIA INDEPENDENT HANDOVER DCN: xx-00-sec Title: IEEE r Fast BSS Transition – A Study Date Submitted: September 21, 2009 Present.
IEEE P802 Handoff ECSG Submission July 2003 Bernard Aboba, Microsoft Detection of Network Attachment (DNA) and Handoff ECSG Bernard Aboba Microsoft July.
Doc.: IEEE /095r0 Submission January 2003 Dan Harkins, Trapeze Networks.Slide 1 Fast Re-authentication Dan Harkins.
Doc.: IEEE /689r0 Submission November 2002 Dan Harkins, Trapeze Networks.Slide 1 Re-authentication when Roaming Dan Harkins.
IEEE i IT443 Broadband Communications Philip MacCabe October 5, 2005
DIMACS Nov 3 - 4, 2004 WIRELESS SECURITY AND ROAMING OVERVIEW DIMACS November 3-4, 2004 Workshop: Mobile and Wireless Security Workshop: Mobile and Wireless.
An Initial Security Analysis of the IEEE 802.1x Standard Tsai Hsien Pang 2004/11/4.
WPA2 By Winway Pang. Overview  What is WPA2?  Wi-Fi Protected Access 2  Introduced September 2004  Two Versions  Enterprise – Server Authentication.
Wireless and Security CSCI 5857: Encoding and Encryption.
IEEE MEDIA INDEPENDENT HANDOVER DCN: srho
By: Alex Feldman.  A mobile station is connected to the network wirelessly through another device.  In case of WiFi (IEEE ) this would be an access.
Doc: Submission September 2003 Dorothy Stanley (Agere Systems) IETF Liaison Report September 2003 Dorothy Stanley – Agere Systems IEEE.
IEEE MEDIA INDEPENDENT HANDOVER DCN: Title: Problem Statement for Authentication Signaling Optimization Date.
Shambhu Upadhyaya Security –Upper Layer Authentication Shambhu Upadhyaya Wireless Network Security CSE 566 (Lecture 10)
Doc.: IEEE /0476r3 Submission May 2004 Jesse Walker and Emily Qi, Intel CorporationSlide 1 Pre-Keying Jesse Walker and Emily Qi Intel Corporation.
Doc.: IEEE /540 Submission July 2003 Arunesh Mishra, Min-ho Shin, William Arbaugh, Insun Lee, Kyunghun Jang. Fast handoffs using Fixed Channel.
Doc.: IEEE /137r2 Submission June 2000 Tim Godfrey, IntersilSlide 1 TGe Requirements Version r2 8 June 2000.
ProjectIEEE Working Group on Mobile Broadband Wireless Access TitleIEEE MBWA Security Architecture.
KAIS T Wireless Network Security and Interworking Minho Shin, et al. Proceedings of the IEEE, Vol. 94, No. 2, Feb Hyeongseop Shim NS Lab, Div. of.
Doc.: IEEE /1429r2 Submission January 2012 Dan Harkins, Aruba NetworksSlide 1 A Protocol for FILS Authentication Date: Authors:
EAP Keying Problem Draft-aboba-pppext-key-problem-03.txt Bernard Aboba
Doc.: IEEE /1572r0 Submission December 2004 Harkins and AbobaSlide 1 PEKM (Post-EAP Key Management Protocol) Dan Harkins, Trapeze Networks
Doc.: IEEE /0476r2 Submission May 2004 Jesse Walker and Emily Qi, Intel CorporationSlide 1 Pre-Keying Jesse Walker and Emily Qi Intel Corporation.
Wireless LAN Security. Security Basics Three basic tools – Hash function. SHA-1, SHA-2, MD5… – Block Cipher. AES, RC4,… – Public key / Private key. RSA.
Wireless Network Security and Interworking
An Empirical Analysis of the IEEE MAC Layer Handoff Process Arunesh Mishra Minho Shin William Arbaugh University of Maryland,College Park,MD.
Doc.: IEEE /551r0 Submission September 2002 Moore, Roshan, Cam-WingetSlide 1 TGi Frame Exchanges Tim Moore Microsoft Pejman Roshan Nancy Cam-Winget.
Doc.: IEEE /084r0-I Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang Proactive Key Distribution to support fast and secure roaming Arunesh.
Doc.: IEEE /562r1 Submission November 2001 Tim Moore, Bernard Aboba/Microsoft Authenticated Fast Handoff IEEE Tgi Tim Moore Bernard Aboba.
Doc.: IEEE /0707r0 Submission July 2003 N. Cam-Winget, et alSlide 1 Establishing PTK liveness during re-association Nancy Cam-Winget, Cisco Systems.
IEEE i Aniss Zakaria Survey Fall 2004 Friday, Dec 3, 2004
Doc.: IEEE r Submission November 2004 Bob Beach, Symbol TechnologiesSlide 1 Fast Roaming Using Multiple Concurrent Associations Bob.
Doc.: IEEE /1062r0 Submission September 2004 F. Bersani, France Telecom R&DSlide 1 Dominos, bonds and watches: discussion of some security requirements.
IEEE MEDIA INDEPENDENT HANDOVER DCN: Sec Title: Considerations on use of TLS for MIH protection Date Submitted: January 14, 2010.
EAP Keying Framework Draft-aboba-pppext-key-problem-06.txt EAP WG IETF 56 San Francisco, CA Bernard Aboba.
Doc.: IEEE /610r0 Submission November 2001 Tim Moore, Microsoft 802.1X and key interactions Tim Moore.
Csci388 Wireless and Mobile Security – Key Hierarchies for WPA and RSN
Doc: IEEE xxx Submission March 2015 Jeongseok Yu et al., Chung-Ang University Project: IEEE P Working Group for Wireless Personal.
Doc.: IEEE /008r0 Submission January 2003 N. Cam-Winget, D. Smith, K. AmannSlide 1 Proposed new AKM for Fast Roaming Nancy Cam-Winget, Cisco Systems.
Wireless Unification Theory William Arbaugh University of Maryland College Park.
Wireless Network Security CSIS 5857: Encoding and Encryption.
Doc.: IEEE /657r0 Submission August 2003 N. Cam-WingetSlide 1 TGi Draft 5.0 Comments Nancy Cam-Winget, Cisco Systems Inc.
Doc.: IEEE /0485r0 Submission May 2004 Jesse Walker and Emily Qi, Intel CorporationSlide 1 Management Protection Jesse Walker and Emily Qi Intel.
Doc.: IEEE /610r0 Submission November 2001 Tim Moore, Microsoft 802.1X and key interactions Tim Moore.
Doc.: IEEE /403r0 Submission July 2001 Albert Young, 3Com, et alSlide 1 Supplementary Functional Requirements for Tgi ESS Networks Submitted to.
1 An Empirical Analysis of the IEEE MAC Layer Handoff Process Arunesh Mishra Minho Shin William Arbaugh University of Maryland College Park,MD,USA.
Robust Security Network (RSN) Service of IEEE
M. Kassab, A. Belghith, J. Bonnin, S. Sassi
Keying for Fast Roaming
Wireless Security Potpourri
Mesh Security Proposal
PEKM (Post-EAP Key Management Protocol)
IEEE MEDIA INDEPENDENT HANDOVER DCN: xx-00-sec
The dangers of pre-shared key and why a certificate OID is needed.
doc.: IEEE /252 Bernard Aboba Microsoft
Jesse Walker and Emily Qi Intel Corporation
Pre-Association Negotiation of Management Frame Protection (PANMFP)
Fast Roaming Compromise Proposal
Roaming timings and PMK lifetime
Fast Roaming Compromise Proposal
IEEE MEDIA INDEPENDENT HANDOVER DCN: xx-00-sec
Fast Roaming Compromise Proposal
Dan Harkins Trapeze Networks
Roaming timings and PMK lifetime
Keying for Fast Roaming
doc.: IEEE /1072r0 Dan Harkins Trapeze Networks
Security Requirements for an Abbreviated MSA Handshake
Fast Roaming Observations
EAP Method Requirements for Emergency Services
Presentation transcript:

doc.: IEEE /084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang Proactive Key Distribution to support fast and secure roaming Arunesh Mishra, Minho Shin, William Arbaugh University of Maryland College Park Insun Lee, Kyunghun Jang Samsung Electronics

doc.: IEEE /084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang Goals of this Talk Introduce the different methods for key predistribution (the good and the bad). Introduce a back-end protocol that is independent of key management and hand-shakes. Information slides on example implementations for key distribution (not covered in talk)

doc.: IEEE /084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang TGi MUST Support Fast Roaming Otherwise non-standard and non-vetted solutions will evolve….creating potential “brand” problems. Transparent roaming was one cause of exponential growth in the cellular market. Interworking is around the corner.

doc.: IEEE /084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang Backend Requirement Protocol MUST be standardized within IETF –This requires that key material NOT leave the AS. –This means that the protocol should fit within current and future AAA practice.

doc.: IEEE /084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang Pre-authentication RADIUS (AAA) ABCDE MK PMK PTK PMK PTK MK PMK EAP/TLS Authentication Via Next AP

doc.: IEEE /084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang Problems with Pre-Auth Expensive in terms of computational power for client, and time (Full EAP-TLS can take seconds depending on load at RADIUS Server). TLS- Resume will make things faster, but other problems persist. Requires well designed and overlapping coverage areas Can not extend beyond LAN No opportunity for Interworking

doc.: IEEE /084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang Goals Permit fast roaming without reducing overall security Fast roaming occurs when the total cost of Layer 1-3 hand-off times is less than 50ms (Ideally 35ms).

doc.: IEEE /084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang TGi Fast Roaming Goals Handoff to next AP SHOULD NOT require a complete EAP/TLS re-authentication. Compromise of one AP MUST NOT compromise past or future key material, i.e. perfect forward secrecy, and with stand known key attacks.

doc.: IEEE /084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang TGi Trust Assumptions AAA Server is trusted AP to which STA is associated is trusted. All other AP’s are untrusted.

doc.: IEEE /084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang Only Three Ways to meet TGi Goals Exponentiation support for asymmetric cryptographic operations at AP, or Trusted Third Party, i.e. Authentication/Roaming Server Use IAPP with proactive caching

doc.: IEEE /084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang Three methods for key distribution Static roam keys –Does not provide PFS –Simple implementation for back-end although storage requirements at the AP’s can be large! One key for every STA in the LAN, but can be combined with proactive key distribution. IAPP with proactive caching –Communications from the next association is compromised if STA associates to a compromised AP. Proactive key distribution –Provides PFS and protection from known key attacks –Slightly more complex.

doc.: IEEE /084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang Static Roam keys sketch AS pushes a unique seed for key derivation, e.g. PMK, to each AP which the STA knows how to derive without further communications. The PTK is then derived via some form of a hand-shake. –Past communications are subject to compromise if the AP becomes compromised. –Large memory requirement for AP unless combined with a proactive distribution means.

doc.: IEEE /084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang IAPP The AP derives the next PMK (for each neighbor AP) via a hash chain and a roam key(RK) provided by AS such as: –PMK next = PRF(RK, PMK current, STA mac, next AP mac ) –PMK next is sent to next AP via IAPP caching (TGf) –PTK is derived via some handshake Compromised AP only compromises current and next PTK.

doc.: IEEE /084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang Proactive Key Distribution (TGi) Extend Neighbor Graphs and Proactive Caching (IEEE r1.ppt) to support key distribution by the AS Eliminates problems with sharing key material amongst multiple APs –Easily extended to support WAN roaming –Extendable to support Interworking

doc.: IEEE /084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang Neighbor Definition and Graph Two APs i and j are neighbors iff –There exists a path of motion between i and j such that it is possible for a mobile STA to perform a reassociation –Captures the ‘potential next AP’ relationship –Distributed data-structure i.e. each AP or AS/RS can maintain a dynamic list of neighbors 1 A B C E D A B E D C

doc.: IEEE /084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang AP Neighborhood Graph – Automated Learning Construction –Manual configuration for each AP/RS or, –AP/RS can learn: If STA c sends Reassociate Request to AP i, with old-ap = AP j : Create new neighbors (i,j) (i.e. an entry in AP i, for j and vice versa) Learning costs only one ‘high latency handoff’ per edge in the graph. Enables mobility of APs, can be extended to wireless networks with an ad-hoc backbone infrastructure. Dynamic implementation using LRU replacement permits invalid and stale entries to time out.

doc.: IEEE /084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang Graph Synchronization The graph’s state at the accounting server is updated by: –Accounting-Request messages from the current AP (draft-congdon-radius-8021x)

doc.: IEEE /084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang Roaming Example Given the following infrastructure with associated neighbor graph with STA about to associate to AP A. A B C E D A B E D C

doc.: IEEE /084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang Post Authentication and 4-handshake RADIUS (AAA) ABCDE Accounting Server Accounting-Request(Start)

doc.: IEEE /084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang Proactive Key Distribution RADIUS Authentication Server (AS) ABCDE Accounting Server Notify-Request

doc.: IEEE /084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang Proactive Key Distribution Post Authentication ABCDE AS Accounting Access-Request Access-Accept(key material) Access-Request Access-Accept(key material)

doc.: IEEE /084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang AP Actions on Notify Request Dynamic Keys, i.e. PMK changes per roam. –AP MUST send an ACCESS-REQUEST to AS Static Key, i.e. PMK is unique per AP but never changes. –Nothing unless authorization is required.

doc.: IEEE /084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang Maximum STA Velocity For the Notify and PMK install to occur in time, we need: 2 RTT + handshake < D/v Where: D = coverage diameter v = STA velocity RTT = round-trip time from AP to AAA server, including processing. Assuming D=100 ft, handshake = 10 ms, and RTT = 100ms, we get: v = 100 ft/ (200ms + 10 ms) ~ 500 ft/sec = Mach 0.5!!

doc.: IEEE /084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang Conclusions Provided an overview of various options Provided a protocol that: –Can support high speed roaming, meets IETF requirements (draft-arbaugh-radius-handoff-00.txt), –Is independent of the type of key management/derivation used (static or dynamic), i.e. can IEEE r0-I or the method in the information slides of this presentation. –Is independent of the type of hand-shake used.

doc.: IEEE /084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang Acknowledgements Bernard Aboba assisted with the best way to integrate Proactive key distribution with RADIUS. The maximum STA velocity calculation is from Bernard Aboba. Jesse Walker pointed out potential synchronization problems in an earlier version of proactive key distribution. Nancy Cam-Winget raised several concerns which caused the creation of the IAPP distribution method.

doc.: IEEE /084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang Informational Slides How to do predistribution of keys via IAPP and with an accounting server.

doc.: IEEE /084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang TGi Pairwise Key Hierarchy Review Master Key (MK) Pairwise Master Key (PMK) = TLS-PRF(MasterKey, “client EAP encryption” | clientHello.random | serverHello.random) Pairwise Transient Key (PTK) = EAPoL-PRF(PMK, AP Nonce | STA Nonce | AP MAC Addr | STA MAC Addr) Key Confirmation Key (KCK) – PTK bits 0–127 Key Encryption Key (KEK) – PTK bits 128–255 Temporal Key – PTK bits 256– n – can have cipher suite specific structure

doc.: IEEE /084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang Key Locations RADIUS (AAA) MK PMK AP1AP2 PMK PTK MK PMK PTK

doc.: IEEE /084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang IAPP The AP derives the next PMK (for each neighbor AP) via a hash chain such as: –PMK next = PRF(RK, PMK current, STA mac, next AP mac ) –PMK next is sent to next AP via IAPP caching (TGf) –PTK is derived via some handshake Compromised AP only compromises current and next PTK.

doc.: IEEE /084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang IAPP Pairwise Key Hierarchy Review MK PMK curr PTKRK=PRF(PMK, “Roam Key”, AP nonce,STA nonce ) PMK next =PRF(RK,PMK curr,STA mac,AP mac )

doc.: IEEE /084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang IAPP Example RADIUS (AAA) ABCDE AP and STA derive PTK,RK via 4-way MK,PMK,PTK,RK

doc.: IEEE /084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang IAPP Caching of Next PMK to Neighbors RADIUS (AAA) ABCDE PMK next =PRF(RK,PMK curr,STA mac,AP mac ) PMK next =PRF(RK,PMK curr, STA mac,AP mac ) MK,PMK curr,PTK curr,RK

doc.: IEEE /084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang Reassociation RADIUS (AAA) ABCDE MK,PMK next,RK AP and STA Derive new PTK via fast Roam handshake Or worst case 4-way

doc.: IEEE /084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang Changes Needed TGi –Use of RSN IE reserved bit –Derivation method for RK IETF –None

doc.: IEEE /084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang Proactive Key Distribution (TGi) Extend Neighbor Graphs and Proactive Caching (IEEE r1.ppt) to support key distribution by the AS/RS Eliminates problems with sharing key material amongst multiple APs –Easily extended to support WAN roaming –Extendable to support Interworking

doc.: IEEE /084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang Pre Association RADIUS (AAA) ABCDE

doc.: IEEE /084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang Post Authentication and 4-handshake RADIUS (AAA) ABCDE MK PMK PTK PMK PTK MK PMK Accounting Server Accounting-Request(Start)

doc.: IEEE /084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang Proactive Key Distribution RADIUS Authentication Server (AS) ABCDE MK PMK PTK PMK PTK MK PMK Accounting Server Notify-Request

doc.: IEEE /084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang Proactive Key Distribution Post Authentication ABCDE MK PMK A PTK PMK A PTK AS Accounting PMK B =TLS-PRF(MK, PMK A, AP B -MAC-Addr, STA-MAC-Addr) PMK E =TLS-PRF(MK, PMK A, AP E -MAC-Addr, STA-MAC-Addr) PMK B PMK B, timeout PMK E Access-Request Access-Accept

doc.: IEEE /084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang PMK Generation Each AP is given a unique PMK per roam, or generation. The PMK for the AP for that generation becomes that generation’s PMK.

doc.: IEEE /084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang Generations Generation: –PMK 0 = TLS-PRF(MK,”client EAP encryption”, client-Hello.random, serverHello.random) –PMK 1-B = TLS-PRF(MK, PMK 0,AP B -MAC-Addr, STA-MAC-Addr) –PMK 1-E = TLS-PRF(MK, PMK 0,AP E -MAC-Addr, STA-MAC-Addr) STA roams to AP B : –PMK 1-B  PMK 0

doc.: IEEE /084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang PMK Synchronization STA maintains PMK for each generation (can be combined with timeouts to require only a “window” of PMK’s). First message of 4-way handshake (or derivative) from AP indicates the generation PMK held at the AP. STA derives the correct PMK based on the provided generation. Maintains security even if synchronization is lost, i.e. latest generation PMK hasn’t arrived at AP yet. Also maintains security (and speed) even if roam to a non- neighbor (but was at one time before timeout).

doc.: IEEE /084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang Synchronization Example STA roam pattern: A  B  C ≈ D PMK 0 PMK B PMK E PMK G PMK A PMK C PMK D PMK E PMK B PMK E Generation

doc.: IEEE /084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang How do the AP and STA know that Fast Roaming is supported? STA asserts that it supports fast roaming by setting a bit (use of the current reserved bits) in the RSN information field element in the REASSOCIATION-REQUEST. AP asserts the same bit in the REASSOCIATION- RESPONSE if and only if the AP supports fast roaming and it is provisioned with a derived PMK for the STA. If either bits are unset, then a full reauthentication MUST be done.

doc.: IEEE /084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang Proactive Key Distribution STA Roam to AP B ABCDE PMK B =TLS-PRF(MK, PMKA, AP B -MAC-ADDR, STA-MAC-ADDR) PTK via standard 4-way handshake or other means PMK A PTK RADIUS (AAA) Accounting Server PMK B PMK E New AP informs Acct. Server Updates Neighbor Graph

doc.: IEEE /084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang Roaming Functions Handled at Accounting Server Reduces exposure of MK, i.e. the MK remains only at the AS and STA Reduces load on AS Takes advantage of the already defined accouting process

doc.: IEEE /084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang Changes Needed TGi –Use of RSN IE reserved bit –Addition of “Generation” field to Message 1 of 4-way handshake IETF –Define two new RADIUS messages to install derived PMK’s at AP’s (draft-arbaugh-radius-handoff-00.txt) –Perhaps one or two new RADIUS attributes

doc.: IEEE /084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang Open Source Availability The University of Maryland and Samsung Electronics will provide an open source implementation under both the GPL and *BSD style licenses shortly.

doc.: IEEE /084r1 Submission January 2003 Mishra, Shin, Arbaugh, Lee, Jang External Review This proposal will be submitted to an academic conference for peer review soon.

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.