
Security, privacy, performance of next-generation transport protocols

kazuho
September 08, 2018


Discusses the motivation behind QUIC encryption and TLS encrypted SNI.


Transcript

  1. Security, privacy, performance of next-generation transport protocols
    Kazuho Oku
    Sep

  2. Security, privacy, performance of next-generation transport protocols
    Kazuho Oku
    Sep


  3. Who am I
    • Principal OSS Developer @ Fastly
    • lead developer of
    – H2O (HTTP)
    – picotls (TLS)
    – quicly (QUIC)
    • author of
    – RFC: Early Hints for HTTP
    – draft-ietf-httpbis-cache-digest
    – draft-ietf-tls-esni


  4. The big picture
    yesterday, today, tomorrow
    name resolution: DNS, DNS over HTTPS
    transport: TCP, QUIC TLS
    security: TLS, TLS
    application protocol: HTTP


  5. Can we trust the network?
    • pervasive monitoring
    • people relying more on public wifi


  6. Agenda
    • TLS
    • Security of a transport
    • QUIC
    – handshake
    – packet number encryption
    • Encrypted SNI


  7. TLS
    • essentially TLS
    • published as RFC in August


  8. TLS
    • AEAD ciphers
    – without explicit nonce
    • faster handshake (to RTT)
    • forward secrecy
    • better privacy
    – one-off session tickets
    – certificates no more transmitted in clear


  9. AES-GCM
    [Diagram labels: AES-CTR; AES with nonce || 0, plaintext 1, ciphertext 1; AES with nonce || 1, plaintext 2, ciphertext 2; AES with nonce || 3, plaintext 3, ciphertext 3; GCM; add. data; tag]


  10. AEAD in TLS (using AES-GCM)
    [Diagram labels: AES-CTR; AES with nonce || 0, plaintext 1, ciphertext 1; AES with nonce || 1, plaintext 2, ciphertext 2; AES with nonce || 3, plaintext 3, ciphertext 3; GCM; add. data; tag]
    nonce: record number; add. data: record header


  11. TLS handshake flow
    Client / Server message flow:
    ClientHello
    ServerHello
    ServerCertificate
    ServerKeyExchange
    (ClientCertificate)
    ClientKeyExchange
    Finished
    Finished
    Application Data
    Legend: plaintext; encrypted


  12. TLS handshake flow
    Client / Server message flow:
    ClientHello (w. pubkey)
    ServerHello (w. pubkey)
    EncryptedExtensions
    ServerCertificate
    Finished
    App. Data (server only)
    (ClientCertificate)
    Finished
    Application Data
    Legend: plaintext; encrypted (unauthenticated); encrypted (authenticated)


  13. Differences between handshake flows
    • TLS
    – exchange parameters (incl. certificates), then exchange the public keys
    • TLS
    – exchange public keys as well as parameters
    • retry to use another public key algorithm
    – setup encrypted channel using the exchanged keys
    • use the channel to authenticate


  14. The benefits
    • less round-trips
    • identity of the endpoints are protected
    – i.e. certificates
    – c.f. tracking devices using client-cert auth
    • but the server name (SNI) is unprotected
    – because it is part of ClientHello
    – will cover that later


  15. Tackling ossification
    • middleboxes disrupting TLS handshake
    – thinks “This TLS handshake suspicious. It’s a full handshake but does not contain a certificate”, terminates the connection
    – reality: certificate is encrypted
    • solution: make TLS handshake look like TLS resumption


  16. Security of a transport


  17. The security triad
    • confidentiality
    • integrity
    • availability


  18. TLS over TCP
    • TLS
    – provides confidentiality, integrity
    – using the exchanged keys
    • TCP
    – responsible for providing availability
    – but the packets can be tampered


  19. Reset injection attack
    • middlebox injects TCP resets
    – send a TCP packet with RST bit set
    • block access to certain websites
    – by observing plaintext (e.g., SNI)
    • block certain protocols (e.g. P2P)


  20. Three types of attacks
    • on-path attack
    – attacker can drop / modify packets
    • man-on-the-side attack
    – attacker can observe / inject packets
    • off-path attack
    – attacker does not have access to packets
    – not so practical for TCP


  21. Man-on-the-side attack is easy
    • on-path attack
    – attacker can drop / modify packets
    – essentially a special-purpose router
    • additional cost to observe the payload of the routed packets is the problem
    • man-on-the-side attack
    – attacker can observe / inject packets
    – a node that taps on the network, injects packets at best-effort


  22. and very practical for TCP
    • injecting one RST packet terminates a TCP connection
    • encrypted transports (e.g., DTLS, IPsec) provide resistance to injection attack
    – by encrypting every packet using the exchanged keys
    • e.g., pn || AES_GCM(pn, payload)


  23. QUIC packet
    • AEAD to protect each packet
    Packet type and flags (1 octet)
    Destination Connection ID (0,4-18 octets)
    Encrypted Packet Number (1,2,4 octets)
    Encrypted Payload
    AEAD tag (16 octets or more)
    [Diagram annotations: additional text; AEAD payload; encrypted???]


  24. Features of QUIC
    • encrypted transport
    – uses TLS for handshake
    • handshake in RT
    – TCP + TLS takes RT
    • multiplexing streams into one connection
    • fix head-of-line blocking in HTTP
    – process out-of-order packets belonging to different streams
    • mobility (network migration)


  25. QUIC handshake


  26. Original design
    [Diagram labels: stream 0, stream 4, stream 8, stream 16…; TLS 1.3, HTTP request 1, HTTP request 2, HTTP request 3; packet layer: packet 1, 2, 3… packet 8, 9, 10, 11…]
    obtain “exporter secret”
    derive server traffic key & client traffic key


  27. Original design: issues
    • double encryption
    • ambiguities
    – when to activate application traffic keys
    – when stream switches to using protected QUIC packets
    • attack vectors
    – reset injection attack
    – ACK promotion attack


  28. Issue: use of encryption
    [Diagram labels: stream 0, stream 4, stream 8, stream 16…; TLS 1.3, HTTP request 1, HTTP request 2, HTTP request 3; packet layer: packet 1, 2, 3… packet 8, 9, 10, 11…]
    obtain “exporter secret”
    derive server traffic key & client traffic key


  29. Issue: when to activate traffic keys
    Client / Server message flow:
    ClientHello (w. pubkey)
    ServerHello (w. pubkey)
    EncryptedExtensions
    ServerCertificate
    Finished
    App. Data (server only)
    (ClientCertificate)
    Finished
    Application Data
    Legend: plaintext; encrypted (unauthenticated); encrypted (authenticated)


  30. Issue: when to activate traffic keys
    [Diagram labels: stream 0, stream 4, stream 8, stream 16…; TLS 1.3, HTTP request 1, HTTP request 2, HTTP request 3; packet layer: packet 1, 2, 3… packet 8, 9, 10, 11…]
    obtain “exporter secret”
    derive server traffic key & client traffic key
    activate them at different moments


  31. Issue: reset injection attack
    [Diagram labels: stream 0, stream 4, stream 8, stream 16…; TLS 1.3, HTTP request 1, HTTP request 2, HTTP request 3; packet layer: packet 1, 2, 3… packet 8, 9, 10, 11…; reset!]
    obtain “exporter secret”
    derive server traffic key & client traffic key
    activate them at different moments


  32. Issue: ACK promotion attack
    [Diagram labels: stream 0, stream 4, stream 8, stream 16…; TLS 1.3, HTTP request 1, HTTP request 2, HTTP request 3; packet layer: packet 1, 2, 3… packet 8, 9, 10, 11…; ACK (8)]
    obtain “exporter secret”
    derive server traffic key & client traffic key
    activate them at different moments


  33. Solution
    • change TLS


  34. Solution
    • change the sub-protocol of TLS


  35. Background: layers of TLS
    TLS messages: SH, EE, Certificate, Fin, NST
    TLS records: plaintext, HS, 1RTT
    TCP segments: segment, segment


  36. Layers in the original design
    TLS messages: SH, EE, Certificate, Fin, NST
    TLS records: plaintext, HS, 1RTT
    QUIC frames: stream 0, stream 0, stream 0
    QUIC packets: HS, HS, 1RTT
    UDP datagrams: datagram, datagram
    [Diagram annotations: confidentiality; injection resistance]


  37. Layers in the refined design
    TLS messages: SH, EE, Certificate, Fin, NST
    QUIC frames: CRYPTO, CRYPTO, CRYPTO, CRYPTO
    QUIC packets: Initial, HS, HS, 1RTT
    UDP datagrams: datagram, datagram
    [Diagram annotations: confidentiality; injection resistance]


  38. Required changes to TLS stack API
    • original design (TLS)
    – I/O of encrypted octets
    – access to “exporter secret”
    • refined design
    – I/O of TLS messages (in plaintext)
    – events to install traffic keys
    • RTT (unidirectional), HS (bi), RTT (bi)
    – note: DTLS requires such an internal API


  39. Refined design: the benefits
    • separation of concern
    – TLS provides keys and authentication
    – QUIC encrypts the packets
    • no more ambiguity
    – distinct streams for each encryption level
    – three distinct packet number space
    • i.e., Initial, Handshake, RTT
    • no chance of ACK promotion attack


  40. Issues resolved (almost)
    • double encryption
    • ambiguities
    – when to activate traffic keys
    – when stream switches to using protected QUIC packets
    • attack vectors
    – less fragile to reset injection attack
    – ACK promotion attack


  41. QUIC packet number encryption


  42. Packet number and privacy
    • packet number (PN)
    – is unique for each packet being sent
    – increases monotonically
    • therefore, can be used to track a client
    – Connection ID is changed when an endpoint migrates to a different network. What should we do for packet number?


  43. Considered approaches
    • jump PN when switching CID
    – peers need to agree on the random offset
    • since PN (bit) is rounded on wire to bits
    • offset needs to be different for each direction
    – what to do on path probing error?
    • different PN space for each CID
    – means having encryption keys and ACK queue for each CID


  44. Solution: packet number encryption
    • encrypting PN is simpler than
    – inserting jumps / having many keys / spaces


  45. But how?
    unencrypted:
      field: type | CID    | PN    | payload
      size:  1    | 0/4-18 | 1/2/4 | any
    encrypted, AES_GCM(PN, payload):
      field: type | CID    | PN    | ciphertext | AEAD tag
      size:  1    | 0/4-18 | 1/2/4 | any        | 16
    + PNE, ???:
      field: type | CID    | PNE   | ciphertext | AEAD tag
      size:  1    | 0/4-18 | 1/2/4 | any        | 16
    Legend: unencrypted; encrypted


  46. Naïve approach
    unencrypted:
      field: type | CID    | PN    | payload
      size:  1    | 0/4-18 | 1/2/4 | any
    encrypted, AES_GCM(PN, payload):
      field: type | CID    | PN    | ciphertext | AEAD tag
      size:  1    | 0/4-18 | 1/2/4 | any        | 16
    + PNE, AES:
      field: type | CID    | PNE+ciph. | ciph.       | AEAD tag
      size:  1    | 0/4-18 | 16        | any – 1/2/4 | 16
    Legend: unencrypted; encrypted


  47. Adopted approach
    unencrypted:
      field: type | CID    | PN    | payload
      size:  1    | 0/4-18 | 1/2/4 | any
    encrypted, AES_GCM(PN, payload):
      field: type | CID    | PN    | ciphertext | AEAD tag
      size:  1    | 0/4-18 | 1/2/4 | any        | 16
    + PNE, AES_CTR(ciphertext, PN):
      field: type | CID    | PNE   | ciphertext | AEAD tag
      size:  1    | 0/4-18 | 1/2/4 | any        | 16
    Legend: unencrypted; encrypted


  48. PNE to prevent misuse of PN
    • some mobile networks “fix” out-of-order delivery by looking at PN
    – to lessen retransmits
    – no downside for TCP
    – issue for QUIC, because we can use packets arriving out-of-order
    • QUIC will be ossified once middleboxes start using PN in particular ways


  49. The improvements
    • TCP + TLS
    – addresses confidentiality, integrity
    • in addition, QUIC + TLS
    – improves availability
    – preserves user privacy
    – prevents ossification
    – optimizes for performance
    • setup in RT (RT in TCP + TLS)
    • use of packets arriving out-of-order


  50. QUIC and encryption
    • encryption is the task of QUIC
    – handshake done by TLS
    • almost everything is encrypted
    – only packet type, CID, protocol version are visible on the wire
    • what to expose is decided explicitly
    – e.g., “spin bit” experiment


  51. Encrypted SNI


  52. What is SNI?
    • Server Name Indication
    – part of ClientHello
    – used by the server to select
    • key algorithm
    • server certificate
    Client / Server message flow:
    ClientHello (w. pubkey)
    ServerHello (w. pubkey)
    EncryptedExtensions
    ServerCertificate
    Finished
    App. Data (server only)
    (ClientCertificate)
    Finished
    Application Data
    Legend: plaintext; encrypted (unauthenticated); encrypted (authenticated)


  53. Sources of server identity leakage
    • DNS resolution
    • SNI
    • server certificate
    • server IP address
    • traffic analysis


  54. Sources of server identity leakage
    • DNS resolution (DoH)
    • SNI ← this
    • server certificate (TLS)
    • server IP address (mass-scale multi-tenancy)
    • traffic analysis


  55. Solution: encrypted SNI
    • draft-rescorla-tls-esni
    – to become draft-ietf-tls-esni
    • key idea
    – use public key crypto to encrypt SNI
    – use DNS to distribute the public key


  56. How it works
    [Diagram parties: DoH recursor; DNS authoritative server; HTTPS server]
    example.com?
    _esni.example.com?
    example.com=192.0.2.1
    _esni.example.com=pubkey
    ClientHello {ESNI=encrypt("example.com")}


  57. ESNI record
    struct {
        uint checksum[]
        KeyShareEntry keys^ // public keys
        CipherSuite cipher_suites^
        uint padded_length
        uint not_before
        uint not_after
        Extension extensions^
    } ESNIKeys
    _esni.esni.exampe.net IN TXT


  58. Security aspects
    • ESNI record is not signed
    – so that it can be small
    – attacker can spoof them
    • but an attacker can also spoof the IP address of example.com
    – access to the address reveals the SNI
    • to summarize, ESNI
    – improves privacy when DNS is healthy
    – does not worsen the security when under attack


  59. Using ESNI public key for other purposes
    • RTT application data in full handshake
    – need to distribute signed pubkey and certificate chain using DNS
    • protecting initial exchange from injection attack


  60. Recapitulation


  61. Our status
    • nearly complete to fixing privacy leaks
    • encryption is also used for
    – providing availability
    – preventing ossification
    • for further evolution in the future
    • almost everything is encrypted in QUIC
    – encrypt even more in upcoming protocols
    – we debate and decide what to expose to the network
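The two-step construction labelled "AES_GCM(PN, payload)" and "+ PNE: AES_CTR(ciphertext, PN)" in slides 45 to 47, as an added sketch that is not code from the deck, from quicly or from any QUIC draft. It uses Node's built-in crypto module; the key names, the nonce layout, the fixed 4-octet PN, the choice of the first 16 ciphertext octets as the CTR IV, and all sample bytes are assumptions made for illustration.

```javascript
// Added example (not from the deck): AES_GCM(PN, payload), then PNE = AES_CTR(ciphertext, PN).
const nodeCrypto = require('node:crypto');

// Assumed for this sketch: AES-128 keys, fixed 4-octet PN, 16-octet tag and sample.
const PN_LEN = 4, TAG_LEN = 16, SAMPLE_LEN = 16;

// Assumed nonce layout: 12-byte static IV with the PN XORed into its low 4 bytes.
function nonceFor(iv, pnBytes) {
  const nonce = Buffer.from(iv);
  for (let i = 0; i < PN_LEN; i++) nonce[8 + i] ^= pnBytes[i];
  return nonce;
}

// AES-CTR keystream seeded by a ciphertext sample; applying it twice restores the PN.
function maskPn(pnKey, sample, bytes) {
  return nodeCrypto.createCipheriv('aes-128-ctr', pnKey, sample).update(bytes);
}

function protect({ key, iv, pnKey }, header, pn, payload) {
  const pnBytes = Buffer.alloc(PN_LEN);
  pnBytes.writeUInt32BE(pn);
  const gcm = nodeCrypto.createCipheriv('aes-128-gcm', key, nonceFor(iv, pnBytes));
  gcm.setAAD(Buffer.concat([header, pnBytes])); // type, CID and cleartext PN are authenticated
  const ct = Buffer.concat([gcm.update(payload), gcm.final(), gcm.getAuthTag()]);
  // The tag guarantees at least 16 octets to sample, even for an empty payload.
  const pne = maskPn(pnKey, ct.subarray(0, SAMPLE_LEN), pnBytes);
  return Buffer.concat([header, pne, ct]); // wire: type | CID | PNE | ciphertext | AEAD tag
}

function unprotect({ key, iv, pnKey }, headerLen, packet) {
  if (packet.length < headerLen + PN_LEN + TAG_LEN) throw new Error('packet too short');
  const header = packet.subarray(0, headerLen);
  const ct = packet.subarray(headerLen + PN_LEN);
  const pnBytes = maskPn(pnKey, ct.subarray(0, SAMPLE_LEN), packet.subarray(headerLen, headerLen + PN_LEN));
  const gcm = nodeCrypto.createDecipheriv('aes-128-gcm', key, nonceFor(iv, pnBytes));
  gcm.setAAD(Buffer.concat([header, pnBytes]));
  gcm.setAuthTag(ct.subarray(ct.length - TAG_LEN));
  const body = ct.subarray(0, ct.length - TAG_LEN);
  // final() throws if the tag does not verify, e.g. after a bit flip in the PNE field.
  const payload = Buffer.concat([gcm.update(body), gcm.final()]);
  return { pn: pnBytes.readUInt32BE(), payload };
}

// Constructed sample input: all keys and header bytes below are made up.
const keys = { key: Buffer.alloc(16, 1), iv: Buffer.alloc(12, 2), pnKey: Buffer.alloc(16, 3) };
const header = Buffer.from([0x30, 0xaa, 0xbb, 0xcc, 0xdd]); // type + 4-octet CID
const wire = [1, 2, 3].map((pn) => protect(keys, header, pn, Buffer.from('ping')));
console.log(wire.map((p) => p.subarray(5, 9).toString('hex'))); // on-wire PN fields
console.log(unprotect(keys, header.length, wire[2]).pn);
```

Because the mask is derived from each packet's own ciphertext, consecutive packet numbers appear on the wire as unrelated values, which is the linkability concern raised in slide 42.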