Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cryptographic Review and PKEX

Published byBlaise Harper Modified over 6 years ago

Similar presentations

Presentation on theme: "Cryptographic Review and PKEX"— Presentation transcript:

1 Cryptographic Review and PKEX
Month Year doc.: IEEE yy/xxxxr0 September 2016 Cryptographic Review and PKEX Date: Authors: Paul A. Lambert (Marvell) John Doe, Some Company

2 Month Year doc.: IEEE yy/xxxxr0 September 2016 Abstract The Fast Initial Link Setup project (FILS, P802.11ai) is introducing several new authentication mechanisms. Review of one of these authentication mechanisms, PKEX, has identified serious issues with the cryptographic design of the protocol. This presentation provides a brief summary of PKEX functionality and issues. Options for mitigation of the issues with PKEX are provided. Paul A. Lambert (Marvell) John Doe, Some Company

3 September 2016 PKEX Background The PKEX protocol is defined within the IEEE draft specification for Fast Initial Link Setup (FILS) PKEX is one of several new authentication mechanisms being introduced into IEEE by the FILS project. This review of PKEX is based on Draft P802.11ai_D10.0 PKEX claims to provide: A means to ‘trust’ a public key from a peer by proof of a shared passphrase Public keys are exchanged that are intended for subsequent use for creation/validation of digital signatures and other authorization purposes. PKEX has been included by reference in the draft specification for the Wi-Fi Alliance Device Provisioning Protocol (DPP) PKEX is included in DPP as means to ‘bootstrap’ trust in keys with a shared secret As part of the review of DPP, summaries of PKEX have been reviewed and flaws in the design identified Paul A. Lambert (Marvell)

4 September 2016 FILS and PKEX The Fast Initial Link Setup (FILS) project was started in May 2010 and defines mechanisms that provide IEEE networks with fast initial link set-up methods which do not degrade the security currently offered by Robust Security Network Association (RSNA) already defined in IEEE The project’s primary need comes from an environment where mobile users are constantly entering and leaving the coverage area of an existing extended service set (ESS). (a) scale with a high number of users simultaneously entering an ESS (b) minimize the time spent within the initial link set-up phase (c) securely provide initial authentication. PKEX was introduced into FILS on February 27th, 2015 with comment 7267 CID Submission Comment Proposed Change Resolution 7267 11-15/0291r0 how does one obtain a raw (uncertified) public key from a peer in a trustworthy manner? add a simple protocol to exchange raw public keys in a manner that is trustworthy and does not require certificates :17:49Z) -- REVISED: a corresponding protocol has been added; See 11-15/291r1 for details Paul A. Lambert (Marvell)

5 PKEX Issues Security Issues have been identified with PKEX:
September 2016 PKEX Issues Security Issues have been identified with PKEX: Related Key Attack (8/23) Mitigated by changes in ai-mods-to-pkex.docx Fixes incorporated into P802.11ai_D10.0 Off-line Dictionary attack (8/31) From review on the mailing list for the Crypto Forum Research Group (CFRG) For N different possible passphrases this is a O(sqrt(N)) attack. MiTM Attack (8/31) Identified on CFRG mailing list MiTM attacker simply swaps it’s public key for each of the peer’s during the exchange Details of the protocol and the details of the off-line dictionary attack and MiTM attack are provided in the following slides. Paul A. Lambert (Marvell)

6 Cryptographic Notation
September 2016 Cryptographic Notation s private key used to generate the public key G generator element of the group used for public key operations + associative group operation (point addition for ECC) * scalar multiplication is the repeated addition of a group element with itself P public key where P=s*G H() hash function Kdf() key derivation function hap() the ‘hunt and peck’ algorithm used to map a arbitrary string (passphrase) to a group element (ECC point) defined in section 3.2 of RFC 7664 k symmetric secret key developed from DH key agreement [ ] fields contained in brackets are optional PA PB Subscripts indicate the entity that controls the key pair (Alice ‘A’ , Bob ‘B’) macA macB MAC address Alice sA PA = sA*G Bob sB PB = sB*G Paul A. Lambert (Marvell)

7 PKEX Overview Preconditions Protocol Exchange Post Conditions
September 2016 PKEX Overview sA PA = sA*G macA, macB shared secret pw sB PB = sB*G macA, macB Preconditions Alice Bob macA, macB, nonceA, CA Protocol Exchange macB, macA, nonceB, CB macA, macB, checkA macB, macA, checkB PB PA Post Conditions After the exchange the claimed properties are: - Alice has Bob’s public key PB and has validated its ownership to that of the owner of the shared secret ‘pw’ - Bob has Alice’s public key PA and has validated its ownership to that of the owner of the shared secret ‘pw’ Assumed security properties: - The shared secret ‘pw’ has not been exposed in a manner that would allow more than one guess of the value per run of the protocol. - The long-term public keys (PA, PB) may be subsequently be used for signature creation, signature validation, access control or authorization. This implies that Alice and Bob may have interacted with other peers so PA and PB may be commonly known and shared in the system. Paul A. Lambert (Marvell)

8 PKEX September 2016 sA PA = sA*G macA sB PB = sB*G macB Alice Bob
shared secret pw Pwe = hap(pw) mA = H(macA) nonceA = random() CA = PA + mA*Pwe Pwe = hap(pw) mB = H(macB) nonceB = random() CB = PB + mB*Pwe macA, macB, nonceA, CA macB, macA, nonceB, CB m’B = H(macB) P’B = CB - m’B*Pwe if (min(nonceA, nonceB) == nonceA x = H(nonceB|| nonceA) k = Kdf(x, "PKEX Key Confirmation", CB || CA || macB || macA || sA*P’B) else x = H(nonceA || nonceB) k = Kdf(x, "PKEX Key Confirmation", CA || CB || macA || macB || hap(S)) checkA = HMAC(k, PA || P’B || macA|| macB) m’A = H(macA) P’A = CA - m’A*Pwe if (min(nonceB, nonceA) == nonceB x = H(nonceA || nonceB) k = Kdf(x, "PKEX Key Confirmation", CA || CB || macA || macB || sB*P’A) else x = H(nonceB|| nonceA) k = Kdf(x, "PKEX Key Confirmation", CB || CA || macB || macA || hap(S)) checkB = HMAC(k, PB || P’A || macB|| macA) macA, macB, checkA macB, macA, checkB Validate checkB == HMAC(k, PB || PA || macB|| macA) Validate checkA == HMAC(k, PA || P’B || macA|| macB) After the exchange the claimed properties are: - Alice has Bob’s public key PB and has validated its ownership to that of the owner of the shared secret ‘pw’ - Bob has Alice’s public key PA and has validated its ownership to that of the owner of the shared secret ‘pw’ Paul A. Lambert (Marvell)

9 PKEX Off-line Dictionary Attack
September 2016 PKEX Off-line Dictionary Attack sA PA = sA*G macA, macB sB PB = sB*G macB, macA Alice Bob shared secret pw Pwe = hap(pw) mA = H(macA) nonceA = random() CA = PA + mA*Pwe Pwe = hap(pw) mB = H(macB) nonceB = random() CB = PB + mB*Pwe macA, macB, nonceA, CA Given observation of CA and macA with prior knowledge of PA: CA = PA + H(macA)*hap(pw) Attacker calculates: H(macA)*hap(pw) = PA - CA This exposes an off-line dictionary attack of the passphrase ’pw’ on the term: H(macA)*hap(pw) For N=2^n possible passphrases the search space is: O( N ) A ‘good PAKE’ has a larger search space than O( N ) that is typically of order or greater than O ( q ) where ‘q’ is the order of the PAKE group operations.

10 PKEX MiTM Attack September 2016 sA PA = sA*G macA, macB sB PB = sB*G
macB, macA Alice Bob shared secret pw sE PE= sE*G PA , PB Pwe = hap(pw) mB = H(macB) nonceB = random() CB = PB+mB*Pwe Pwe = hap(pw) mA = H(macA) nonceA = random() CA = PA + mA*Pwe Eve macA, macB, nonceA, CA macA, macB, nonceA, CEB = CA – PA + PE macB, macA, nonceB, CEA = CB – PB + PE macB, macA, nonceB, CB m’B = H(macB) PE = CEA - m’B*Pwe x = H(nonceB || nonceA) k = Kdf(x, "PKEX Key Confirmation", CEA || CA || macB || macA || sA*PE)) checkAE = HMAC(k, PA || PE || macA||macB) Eve first obtains both Alice and Bob’s public key (PA and PB). The public keys are assumed to be “public” and have been exposed or directly provided to Eve. m’A = H(macA) P’A = CA - m’A*Pwe x = H(nonceA || nonceB) k = Kdf(x, "PKEX Key Confirmation", CEA || CA || macB || macA ||sE*P’A)) checkEA = HMAC(k, PE || PA || macB|| macA) macA, macB, checkAE macB, macA, checkEA Validate checkEA == HMAC(k, PE || PA || macB|| macA) After the exchange the MiTM attack properties are: - Alice has Eve’s public key PE and believes it belongs to Bob - Bob has Eve’s public key PE and believes it belongs to Alice (not shown but same as Alice attack) Paul A. Lambert (Marvell)

11 September 2016 PKEX MiTM Mitigation The MiTM attack on PKEX could be mitigated by additional changes to the protocol Such changes are proposed in: ai-kdf-prf-pkex.docx The off-line dictionary attack is not mitigated by this change It would be more productive to look at alternative key exchanges than to incrementally make patches. Paul A. Lambert (Marvell)

12 TGai Options for PKEX Options:
Month Year doc.: IEEE yy/xxxxr0 September 2016 TGai Options for PKEX Options: Fix PKEX + New draft of TGai would be quickly available - Large shared one-time passphrases are a bad user experience - Would not fix bad reviews of security design - Magnet for more comments and could cause indefinite TGai delay Remove PKEX No public key ‘introduction’ mechanism would be available with TGai Replace PKEX + Functionality and cryptographic design could be improved to provide valuable features - Delay to TGai PKEX was removed from TGai 9/14/2016 Paul A. Lambert (Marvell) John Doe, Some Company

13 PAKE+PKA Password Authenticated Key Exchange plus Public Key Authentication (PKA)
PKEX provides a password based mutual authentication of long-term public keys Based loosely on the SPAKE2 protocol: Alternatives to PKEX More efficient and secure exchanges could be developed by combining evaluated authenticated public key exchanges with an evaluated PAKE. An alternative follows where SPAKE2 is combined with mutually blinded Diffie-Hellman (mbDH) Paul A. Lambert (Marvell)

14 Cryptographic Notation
s private key used to generate the public key G generator element of the group used for public key operations + associative group operation (point addition for ECC) * scalar multiplication is the repeated addition of a group element with itself P a long-term public key where P=s*G H() hash function sk symmetric secret key developed from DH key agreement || denotes concatenation of strings { }sk curly braces indicate AEAD encryption by the key appended to the second brace (e.g. ‘sk’) PA PB Subscripts indicate the entity that controls the key pair (Alice ‘A’ , Bob ‘B’) Alice sA PA = sA*G Bob sB PB = sB*G Paul A. Lambert (Marvell)

15 PAKE+PKA Preconditions Protocol Exchange Post Conditions sA PA = sA*G
Alice shared secret pw sB PB = sB*G Preconditions Bob macA, macB, nonceA, CA macB, macA, nonceB, CB Protocol Exchange macA, macB, checkA macB, macA, checkB PB sk PA sk shared secret key Post Conditions After the exchange the required properties are: - Alice and Bob share a pair-wise unique symmetric keys - Alice has Bob’s public key PB and has validated its ownership to that of the owner of the shared secret ‘pw’ - Bob has Alice’s public key PA and has validated its ownership to that of the owner of the shared secret ‘pw’ Paul A. Lambert (Marvell)

16 SPAKE2 https://tools.ietf.org/html/draft-irtf-cfrg-spake2-03
iidA = “Alice” idB = “Bob” shared secret pw idB = “Bob” idA = “Alice” Alice Bob MA and MB are known constants selected for their security properties. w = H( pw ) xA = randRange(0,p*h) XA = xA*G RA = w*MA + XA RA w = H( pw ) xB = randRange(0,p*h) XB = xB*G RB = w*MB + XB RB K = xA * (RB – w*MB) sk = H(idA || idB || RA || RB || XA || XB || K || w) K = xB * (RA – w*MA) sk = H(idA || idB || RA || RB || XA || XB || K || w) After the exchange the properties are: - Alice and Bob share a pair-wise unique symmetric key ‘sk’ with certainty that their peer knew the shared secret ‘pw’ If the peer did not use the same passphrase ‘pw’ the shared secret (sk) will not be the same for the peers. - Note that this 2-step exchange does not include validation of the shared secret key Paul A. Lambert (Marvell)

17 Blinded Diffie-Hellman (bDH) https://www. emvco. com/specifications
The EMVco defined bDH protocol is asymmetric and only authenticates one side of the exchange. sA PA = sA*G Alice Bob xA = randRange(0,p*h) RA = xA* PA RA xB = randRange(0,p*h) RB = xB*G K = xB*XA skBA = H( “R” || K ) encrypt( key=skBA, ( ...) ) RB, { ... }skBA K = sA*xA*RB skBA = H( “R” || K ) decrypt( key=skBA, { (xB, PB), ... } ) assert decrypt is successful skAB = H( “I” || K ) encrypt( key=skAB, ((xA, PA), ...) ) { (xA, PA), ... }skAB skAB = H( “I” || K ) decrypt( key=skAB, { (xA, PA), ... } ) assert decrypt is successful assert RA == xA*PA encrypt( key=skAB, (...) ) { ... }skBA decrypt( key=skBA, { ... } ) After the exchange the properties are: - Alice and Bob share pair-wise unique symmetric keys - Alice has not received a long-term public key from Bob - Bob has Alice’s public key PA and has validated its ownership to the peer with shared key ‘skAB’ Paul A. Lambert (Marvell)

18 Making bDH Mutual Additions to bDH to make the protocol symmetric and provide mutual authentication are shown in red sA PA = sA*G sB PB = sB*G Alice Bob xA = randRange(0,p*h) RA = xA* PA RA xB = randRange(0,p*h) RB = xB*G xB*PB K = sB*xB*XA skBA = H( “R” || K ) encrypt( key=skBA, ((xB, PB), ...) ) RB, { (xB, PB), ... }skBA K = sA*xA*RB skBA = H( “R” || K ) decrypt( key=skBA, { (xB, PB), ... } ) assert decrypt is successful assert RB == xB*PB skAB = H( “I” || K ) encrypt( key=skAB, ((xA, PA), ...) ) { (xA, PA), ... }skAB skAB = H( “I” || K ) decrypt( key=skAB, { (xA, PA), ... } ) assert decrypt is successful assert RA == xA*PA encrypt( key=skAB, (...) ) { ... }skBA decrypt( key=skBA, { ... } ) assert decrypt is successful After the exchange the properties are: - Alice and Bob share a pair-wise unique symmetric keys - Alice has Bob’s public key PB and has validated its ownership to the peer with shared key ‘skBA’ - Bob has Alice’s public key PA and has validated its ownership to the peer with shared key ‘skAB’ Paul A. Lambert (Marvell)

19 Mutually Blinded DH (mbDH)
sA PA = sA*G sB PB = sB*G Alice Bob xA = randRange(0,p*h) RA = xA* PA RA xB = randRange(0,p*h) RB = xB*PB K = sB*xB*XA skBA = H( “R” || K ) encrypt( key=skBA, ((xB, PB), ...) ) RB, { (xB, PB), ... }skBA K = sA*xA*RB skBA = H( “R” || K ) decrypt( key=skBA, { (xB, PB), ... } ) assert decrypt is successful assert RB == xB*PB skAB = H( “I” || K ) encrypt( key=skAB, ((xA, PA), ...) ) { (xA, PA), ... }skAB skAB = H( “I” || K ) decrypt( key=skAB, { (xA, PA), ... } ) assert decrypt is successful assert RA == xA*PA encrypt( key=skAB, (...) ) { ... }skBA decrypt( key=skBA, { ... } ) assert decrypt is successful After the exchange the properties are: - Alice and Bob share a pair-wise unique symmetric keys - Alice has Bob’s public key PB and has validated its ownership to the peer with shared key ‘skBA’ - Bob has Alice’s public key PA and has validated its ownership to the peer with shared key ‘skAB’ Paul A. Lambert (Marvell)

20 SPAKE2 + mbDH SPAKE2 and mbDH can be combined to provide both PAKE and public key authentication. sA PA = sA*G shared secret pw sB PB = sB*G Alice Bob w = H( pw ) xA = randRange(0,p*h) RA = xA* PA RA = w*MA + XA*G RA = w*MA + xA*PA w = H( pw ) xB = randRange(0,p*h) RB = xB*PB RB = w*MB + xB*G RB = w*MB + xB*PB K = sB*xB*RA K = xB*(RA - w*MA) K = sB*xB*(RA - w*MA) skBA = H( “R” || RA || RB || XA || XB || K || w ) encrypt( key=skBA, ((xB, PB), ...) ) RA The ephemeral terms xA*G and xB*G are replaced with the ephemeral masked key xA*PA and xB*PB The ephemeral term xA*G is replaced with the ephemeral masked key xA*PA K = sA*xA*RB K = xA*(RB – w*MB) K = sA*xA*(RB – w*MB) skBA = H( “R” || RA || RB || XA || XB || K || w ) decrypt( key=skBA, { (xB, PB), ... } ) assert decrypt is successful assert (RB – w*MB) == xB*PB skAB = H( “I” || RA || RB || XA || XB || K || w ) encrypt( key=skAB, ((xA, PA), ...) ) RB, { (xB, PB), ... }skBA The mbDH shared key calculation now requires knowledge of the passphrase The mbDH shared key now requires knowledge of the passphrase { (xA, PA), ... }skAB skAB = H( “I” || RA || RB || XA || XB || K || w ) decrypt( key=skAB, { (xA, PA), ... } ) assert decrypt is successful assert (RA - w*MA) == xA*PA encrypt( key=skAB, (...) ) { ... }skBA decrypt( key=skBA, { ... } ) assert decrypt is successful After the exchange the properties are: - Alice and Bob share a pair-wise unique symmetric keys with certainty that their peer knew the shared secret ‘pw’ - Alice has Bob’s public key PB and has validated its ownership to the peer with shared key ‘skBA’ - Bob has Alice’s public key PA and has validated its ownership to the peer with shared key ‘skAB’ Paul A. Lambert (Marvell)

21 SPAKE2 + mbDH sA PA = sA*G shared secret pw sB PB = sB*G Alice Bob
w = H( pw ) xA = randRange(0,p*h) XA = xA*PA RA = w*MA + XA w = H( pw ) xB = randRange(0,p*h) XB = xB*PB RB = w*MB + XB K = sB*xB*(RA – w*MA) skBA = H( “R” || RA || RB || XA || XB || K || w ) encrypt( key=skBA, ((xB, PB), ...) ) RA K = sA*xA*(RB – w*MB) skBA = H( “R” || RA || RB || XA || XB || K || w) decrypt( key=skBA, { (xB, PB), ... } ) assert decrypt is successful assert (RB – w*MB) == xB*PB skAB = H( “I” || RA || RB || XA || XB || K || w) encrypt( key=skAB, ((xA, PA), ...) ) RB, { (xB, PB), ... }skBA { (xA, PA), ... }skAB skAB = H( “I” || RA || RB || XA || XB || K || w ) decrypt( key=skAB, { (xA, PA), ... } ) assert decrypt is successful assert (RA – w*MA) == xA*PA encrypt( key=skAB, (...) ) { ... }skBA decrypt( key=skBA, { ... } ) assert decrypt is successful After the exchange the properties are: - Alice and Bob share a pair-wise unique symmetric keys with certainty that their peer knew the shared secret ‘pw’ - Alice has Bob’s public key PB and has validated its ownership to the peer with shared key ‘skBA’ - Bob has Alice’s public key PA and has validated its ownership to the peer with shared key ‘skAB’ Paul A. Lambert (Marvell)

Download ppt "Cryptographic Review and PKEX"

Similar presentations

Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
Doc.: IEEE 802.11-11/1429r0 Submission November 2011 Dan Harkins, Aruba NetworksSlide 1 A Protocol for FILS Authentication Date: 2011-11-01 Authors:

Doc.: IEEE /1429r0 Submission November 2011 Dan Harkins, Aruba NetworksSlide 1 A Protocol for FILS Authentication Date: Authors:
November 1, 2006Sarah Wahl / Graduate Student UCCS1 Public Key Infrastructure By Sarah Wahl.

November 1, 2006Sarah Wahl / Graduate Student UCCS1 Public Key Infrastructure By Sarah Wahl.
Cryptography1 CPSC 3730 Cryptography Chapter 10 Key Management.

Cryptography1 CPSC 3730 Cryptography Chapter 10 Key Management.
Cryptography and Network Security Chapter 10. Chapter 10 – Key Management; Other Public Key Cryptosystems No Singhalese, whether man or woman, would venture.

Cryptography and Network Security Chapter 10. Chapter 10 – Key Management; Other Public Key Cryptosystems No Singhalese, whether man or woman, would venture.
Computer Science Public Key Management Lecture 5.

Computer Science Public Key Management Lecture 5.
Doc.: IEEE 802.11-11-1250-00-00ai Submission Paul Lambert, Marvell TGai Discovery Proposal Author: Abstract Short high-level proposal for discovery techniques.

Doc.: IEEE ai Submission Paul Lambert, Marvell TGai Discovery Proposal Author: Abstract Short high-level proposal for discovery techniques.
Chapter 21 Public-Key Cryptography and Message Authentication.

Chapter 21 Public-Key Cryptography and Message Authentication.
Cryptography and Network Security (CS435) Part Eight (Key Management)

Cryptography and Network Security (CS435) Part Eight (Key Management)
Doc.: IEEE 802.11-11/1429r2 Submission January 2012 Dan Harkins, Aruba NetworksSlide 1 A Protocol for FILS Authentication Date: 2012-01-09 Authors:

Doc.: IEEE /1429r2 Submission January 2012 Dan Harkins, Aruba NetworksSlide 1 A Protocol for FILS Authentication Date: Authors:
Chapter 3 (B) – Key Management; Other Public Key Cryptosystems.

Chapter 3 (B) – Key Management; Other Public Key Cryptosystems.
Advanced Database Course (ESED5204) Eng. Hanan Alyazji University of Palestine Software Engineering Department.

Advanced Database Course (ESED5204) Eng. Hanan Alyazji University of Palestine Software Engineering Department.
Doc.: IEEE 802.11-13/1164 r00 Submission September 2013 Paul A. Lambert, Marvell SemiconductorSlide 1 Some Par and 5C Requirements Date: 2013-9-17 Authors:

Doc.: IEEE /1164 r00 Submission September 2013 Paul A. Lambert, Marvell SemiconductorSlide 1 Some Par and 5C Requirements Date: Authors:
1 Chapter 10: Key Management in Public key cryptosystems Fourth Edition by William Stallings Lecture slides by Lawrie Brown (Modified by Prof. M. Singhal,

1 Chapter 10: Key Management in Public key cryptosystems Fourth Edition by William Stallings Lecture slides by Lawrie Brown (Modified by Prof. M. Singhal,
Key Management Network Systems Security Mort Anvari.

Key Management Network Systems Security Mort Anvari.
Lecture 9 Overview. Digital Signature Properties CS 450/650 Lecture 9: Digital Signatures 2 Unforgeable: Only the signer can produce his/her signature.

Lecture 9 Overview. Digital Signature Properties CS 450/650 Lecture 9: Digital Signatures 2 Unforgeable: Only the signer can produce his/her signature.
Cryptography and Network Security Chapter 10 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 10 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
1 Chapter 3-3 Key Distribution. 2 Key Management public-key encryption helps address key distribution problems have two aspects of this: –distribution.

1 Chapter 3-3 Key Distribution. 2 Key Management public-key encryption helps address key distribution problems have two aspects of this: –distribution.
Doc.: IEEE 802.11-11/1244r0 Submission Sep 2011 Hiroshi Mano, Root, Inc.Slide 1 11ai overview (PAR, Scope and current status) Date: 2011-09-19 Authors:

Doc.: IEEE /1244r0 Submission Sep 2011 Hiroshi Mano, Root, Inc.Slide 1 11ai overview (PAR, Scope and current status) Date: Authors:
Doc.: IEEE 802.11-11/1212r0 Submission September 2011 IEEE 802.11Slide 1 The Purpose and Justification of WAPI Comparing Apples to Apples, not Apples to.

Doc.: IEEE /1212r0 Submission September 2011 IEEE Slide 1 The Purpose and Justification of WAPI Comparing Apples to Apples, not Apples to.

Similar presentations

Ads by Google