Re: [Cfrg] CPace feedback regarding the identity handling
Björn Haase <bjoern.haase@endress.com> Tue, 09 June 2020 19:02 UTC
Return-Path: <bjoern.haase@endress.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A58553A10BF for <cfrg@ietfa.amsl.com>; Tue, 9 Jun 2020 12:02:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.101
X-Spam-Level:
X-Spam-Status: No, score=-2.101 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=endress.com header.b=xo08nZFn; dkim=fail (1024-bit key) reason="fail (body has been altered)" header.d=endress.com header.b=ChnNxwuV
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rc3qRW9147Io for <cfrg@ietfa.amsl.com>; Tue, 9 Jun 2020 12:02:29 -0700 (PDT)
Received: from EUR02-AM5-obe.outbound.protection.outlook.com (mail-eopbgr00079.outbound.protection.outlook.com [40.107.0.79]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 27DEF3A0ED0 for <cfrg@irtf.org>; Tue, 9 Jun 2020 12:01:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=endress.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=qvRE0mNAPsXY4ME7/zgIK5T2wLv/L44T0BJW2fSQWkE=; b=xo08nZFnhuAj7X0hlS6ErbAbhbEVfoTIPwfOsmC3GfonbdMeTF//+mstjx853gLuYKqmn2v9n/xBpazJuG89DH2XJGUyITCyW+veW2a57bj9FdM7OdcwLozfQcYf8/V7SjyG5ux/oE7+x9sc+lIhIkTpn1ZvDuZ5dmc0tdUmPTk=
Received: from AM0PR03CA0068.eurprd03.prod.outlook.com (2603:10a6:208::45) by AM0PR05MB6705.eurprd05.prod.outlook.com (2603:10a6:20b:159::8) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3066.18; Tue, 9 Jun 2020 19:01:45 +0000
Received: from AM5EUR03FT023.eop-EUR03.prod.protection.outlook.com (2603:10a6:208:0:cafe::28) by AM0PR03CA0068.outlook.office365.com (2603:10a6:208::45) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3088.18 via Frontend Transport; Tue, 9 Jun 2020 19:01:45 +0000
X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 40.68.44.165) smtp.mailfrom=endress.com; irtf.org; dkim=fail (body hash did not verify) header.d=endress.com;irtf.org; dmarc=pass action=none header.from=endress.com;
Received-SPF: Pass (protection.outlook.com: domain of endress.com designates 40.68.44.165 as permitted sender) receiver=protection.outlook.com; client-ip=40.68.44.165; helo=iqsuite.endress.com;
Received: from iqsuite.endress.com (40.68.44.165) by AM5EUR03FT023.mail.protection.outlook.com (10.152.16.169) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.3066.18 via Frontend Transport; Tue, 9 Jun 2020 19:01:45 +0000
Received: from mail pickup service by iqsuite.endress.com with Microsoft SMTPSVC; Tue, 9 Jun 2020 21:01:44 +0200
Received: from EUR02-HE1-obe.outbound.protection.outlook.com ([104.47.5.52]) by iqsuite.endress.com over TLS secured channel with Microsoft SMTPSVC(8.5.9600.16384); Tue, 9 Jun 2020 21:01:43 +0200
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=TcPTPap/HdrYDuWf9MNDhXMjWXz7yP/Pb5ilVhsML0NJe1FcAm0cPWqc5L+ga6UqsNOU/KsHXPeQnXnuu17PVRxdjRsPWioDy4HIqhxvtuGefV61xnklDKwjHWqjUMJJkPMt6Qu0x23E7fmvtegz6Z8O7pP+UlzwrpnABjGTSkZKiyt2ZwPDN/8sRiKMNP0Hcg1gO2KsdlU/1N2Gf3mROgxs2R0rWnXpxbrM19dCjf2vz+RJX/Xa3UD7LNG9IKF3tVyxtpEr571a9MGFVq2pZnou9eqYbkogFVB+PKtKz9j89JWfybaTEBHbuQ4KEWUiG253bElCEeBsCjvQ60hWyQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=8W9Z9XirXTA8A3cmcNIlLvev4e60dyAk5pMdPdsD8r8=; b=QzyX2NjwHBETxH7lg3Oa8McoPhT9VsEEI6CjQQT3U85JWFch/I7aTdCP+y5TpWgKCkDqLYP/7/i05YkPbJrNUiRR56kIQPvociEaruMDuVDEbS/mM6t2pFk1BY6ZVThaFMgeRevB4HK/oCP1HUo+EYFjwFXRrI9toxJEnNc47nDvbJKTdmpqwURAJgnWJSo9Cy+Fbb7Ze/i5uCVMTQYnQOAaUtsXfiY8VIBBd9k6TZ5yM6rb7WpHwL7yR/SWGWCsgEDzGmtej09xOe2+Ge+q53/Ip0asNsLtD7DDbSLPH+e05Z2iBw/49zRfs+CgXNP20fCsBvyieU3piKI4j438zg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=endress.com; dmarc=pass action=none header.from=endress.com; dkim=pass header.d=endress.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=endress.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=8W9Z9XirXTA8A3cmcNIlLvev4e60dyAk5pMdPdsD8r8=; b=ChnNxwuVvu/5gII/O9/FcmBjn1T5zLEjP7IOpSIFX26NA0E2TP6IGUOsArjJ8rdgz1oI2DMKdn5wXWDmJT/vZLkfrROkrGaaYK9vxtMskFyLh6XOU08m6VV6AKLC3oKnR4+7NPlSi2RaHCBYsDT16/ZSNZ+zHQLNrZNQcNhh1vA=
Received: from AM0PR05MB4786.eurprd05.prod.outlook.com (2603:10a6:208:b3::15) by AM0PR05MB4162.eurprd05.prod.outlook.com (2603:10a6:208:5f::24) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3088.18; Tue, 9 Jun 2020 19:01:43 +0000
Received: from AM0PR05MB4786.eurprd05.prod.outlook.com ([fe80::e00a:324b:e95c:750f]) by AM0PR05MB4786.eurprd05.prod.outlook.com ([fe80::e00a:324b:e95c:750f%7]) with mapi id 15.20.3066.023; Tue, 9 Jun 2020 19:01:43 +0000
From: Björn Haase <bjoern.haase@endress.com>
To: "Hao, Feng" <Feng.Hao@warwick.ac.uk>, Björn Haase <bjoern.m.haase@web.de>
CC: "cfrg@irtf.org" <cfrg@irtf.org>
Thread-Topic: [Cfrg] CPace feedback regarding the identity handling
Thread-Index: AdY+j4PcV/IRjdNZTzK8UubyPmwE8w==
Content-Class:
Date: Tue, 09 Jun 2020 19:01:43 +0000
Message-ID: <AM0PR05MB4786646AE85B46AC15C4488B83820@AM0PR05MB4786.eurprd05.prod.outlook.com>
Accept-Language: de-DE, en-US
Content-Language: de-DE
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_2988f0a4-524a-45f2-829d-417725fa4957_Enabled=True; MSIP_Label_2988f0a4-524a-45f2-829d-417725fa4957_SiteId=52daf2a9-3b73-4da4-ac6a-3f81adc92b7e; MSIP_Label_2988f0a4-524a-45f2-829d-417725fa4957_Owner=bjoern.haase@endress.com; MSIP_Label_2988f0a4-524a-45f2-829d-417725fa4957_SetDate=2020-06-09T19:01:41.0962105Z; MSIP_Label_2988f0a4-524a-45f2-829d-417725fa4957_Name=Not Protected; MSIP_Label_2988f0a4-524a-45f2-829d-417725fa4957_Application=Microsoft Azure Information Protection; MSIP_Label_2988f0a4-524a-45f2-829d-417725fa4957_ActionId=ea7fac49-fbf4-497f-9db6-7da2f57e0267; MSIP_Label_2988f0a4-524a-45f2-829d-417725fa4957_Extended_MSFT_Method=Automatic
Authentication-Results-Original: warwick.ac.uk; dkim=none (message not signed) header.d=none; warwick.ac.uk; dmarc=none action=none header.from=endress.com;
x-originating-ip: [165.225.73.29]
x-ms-publictraffictype: Email
X-MS-Office365-Filtering-Correlation-Id: f066b3b4-20ef-4fce-8b78-08d80ca78de9
x-ms-traffictypediagnostic: AM0PR05MB4162:|AM0PR05MB6705:
X-Microsoft-Antispam-PRVS: <AM0PR05MB6705187DB4AB96140A7D65FE83820@AM0PR05MB6705.eurprd05.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;OLM:10000;
x-forefront-prvs: 042957ACD7
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam-Untrusted: BCL:0;
X-Microsoft-Antispam-Message-Info-Original: 7pU3QWfB9Idauf2YS7kRHxcKH8uujzH7zJRcPhS3WRbZPutugcHZ4WT35aPJ/SsZ119PYcwi29JmmQzs+kkN9xMTyupF8E4ck3OjHlSRdox7wb/CDuzpcFYiRnBxdciWkfCi5MJYnJYT6bgy/+CvaVNO5JsJoit3Xp6grJduuQjpl3gWpv5Ay16L34dS45agghRR7KSkAxuMLvHNY0HqO+3Shnnzj8blhs55Ndr7DJSgis8vBoVWlofGrFRqu0DWzK9cjZYGX71Im0h1gYwA9uA+l+LF570+iW09s+BswabG2Ik4kaYDx/tZcoZX1vKCwWGMdqE3Cd7fztesViI8EtEufd2T+SMBQKk8BCXjurZKXYzr+TFKNBXYg2Knsfd9wJwQAMx51KpuGSxURCDsLg==
X-Forefront-Antispam-Report-Untrusted: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM0PR05MB4786.eurprd05.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(4636009)(346002)(366004)(39860400002)(136003)(396003)(376002)(186003)(66574014)(7696005)(8676002)(76116006)(64756008)(2906002)(55236004)(66556008)(66946007)(478600001)(6506007)(33656002)(71200400001)(66476007)(66446008)(9686003)(4326008)(26005)(86362001)(45080400002)(966005)(55016002)(83380400001)(110136005)(52536014)(8936002)(5660300002)(316002); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: 5NlN9HyOkzcTLrvrq2Zz41p46SpUquLXkH9BgymY1QymtaHWrGWoWzrNRJie0kL9Esb014hbVEWNegBdNv9I+gwpZh5LOupwrt60V5s3+sKja33zzZBEbyECAHDjy2r6YD7Ha2Hd0oKlHGfyIN6aplbhM3FoGvclfbzMHGjArZl2BoxTbmmvtK94t4eVgC3XF+1VKwEdrJj5IwjZO2Lqr30307zWcXLm9RiByJrLCjoy1TPKUIJVtdu/Q2KvHnQZiyyEsdVdxSPozs1OyNKneEMLZwfF04cuquEQd4FaiGcTo2JeWXpyG9kDUuIsl9d40p+XRo5mjlfqzW0Htza8+/yJfhIr4yV6Hu7d/pr6Bx8uSsPM/zAGVuV3exNVEcSEImioSfAyuiEZIID75ToM1dpp/zZetPfo0RCoBoPKldNTlhPDbCCoQyq3WvW7gaO88r8Kdc902rjmuXj4Djzyw2oQ3xYCA1UBT3ZHP5XepE0=
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM0PR05MB4162
X-OriginalArrivalTime: 09 Jun 2020 19:01:43.0776 (UTC) FILETIME=[6A8BAE00:01D63E90]
X-Trailer: 1
X-GBS-PROC: G5TI1loZoEfm5sv6c2ltOQiiCaNCvidpMk9Lugws5jk=
X-GRP-TAN: IQWE01@656786F72C4F47BA8C1363064FD472A9
X-iqsuite-process: processed
X-EOPAttributedMessage: 0
X-MS-Exchange-Transport-CrossTenantHeadersStripped: AM5EUR03FT023.eop-EUR03.prod.protection.outlook.com
X-Forefront-Antispam-Report: CIP:40.68.44.165; CTRY:NL; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:iqsuite.endress.com; PTR:InfoDomainNonexistent; CAT:NONE; SFTY:; SFS:(4636009)(346002)(39850400004)(136003)(376002)(396003)(46966005)(26005)(8936002)(110136005)(8676002)(70586007)(66574014)(70206006)(15974865002)(45080400002)(478600001)(356005)(83380400001)(82310400002)(316002)(966005)(4326008)(5660300002)(52536014)(33656002)(9686003)(81166007)(55016002)(2906002)(47076004)(86362001)(7696005)(6506007)(336012)(82740400003)(186003); DIR:OUT; SFP:1101;
X-MS-Office365-Filtering-Correlation-Id-Prvs: 66f9ace8-346b-4067-adc1-08d80ca78cb6
X-Forefront-PRVS: 042957ACD7
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: TzVRz0RYkK0HzISrZywYTZ1fJUvtXYEzF9e60z27kvPTfKXuyzBszJq3gZ71XSY9tmfKEBs56KHQF8f0H+eM2+m3G8wgoyyKOBWSqHb9tw3I426AHy/1+B+uxPR1rfZ2QKRkXBf2YMOqRedlyuN9XTiTNPK+EbI5cW5JaQ9OU2RC8vyBSv88RcM91oPd+cYk/pzra7eFcdAM20/fXwBQS0Txy0Ig+VqiZiSrmSBFQXZqw9L/DnOQubc69L7xkHB+WdtB5dpDMpWbincYzom29lfLpVMaGNEvQSpVrNT57A/MUr1l1hEM3nHxwCvg9xqcdaZUItb9VVqa+OVAvZW8xayMXxQMUN3SV4eTBrilmkgiAsMsDreGVrEFQ6eA6fCNxUAc0fR3NQlSI2qlwCowP9ZzzokrOGiimvERlZKwKoaF+iEaBPPPoyvP/kMrtF1OgbNZai9JKpVEAEdtS/dteybV9i4695coimTBhPkWC9I=
X-OriginatorOrg: endress.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 09 Jun 2020 19:01:45.2815 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: f066b3b4-20ef-4fce-8b78-08d80ca78de9
X-MS-Exchange-CrossTenant-Id: 52daf2a9-3b73-4da4-ac6a-3f81adc92b7e
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=52daf2a9-3b73-4da4-ac6a-3f81adc92b7e; Ip=[40.68.44.165]; Helo=[iqsuite.endress.com]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM0PR05MB6705
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/RCxIMAUzpHuHxvO0CLm8-6vcJj4>
Subject: Re: [Cfrg] CPace feedback regarding the identity handling
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Jun 2020 19:02:39 -0000
Dear Hao, Regarding your remark regarding the structure of the channel identifier, the device Identities A, B were not meant to be memorized or typed by the end user by us but are meant to be inputs available in some binary form by the computers that run the protocol. For instance A and B might be a string shown in a GUI control of a login message "You are requested to authenticate to the server device A='someServerIdentityName', please enter the password for this specific server". The implicit assumption of CPace is that in some form the server identity information needs to be available in some digital form at protocol start at least for the initiator. This holds at least if a password is to be entered on a human user GUI control. The user needs to be given this information before choosing the right password for the remote unit. A and B possibly could also be MAC addresses, Hardware serial numbers or the like in case of machine-machine interfaces. The name "Channel Identifier" CI indicates that it should specify in some way which end points are to be connected and possibly, if there are more than one active interconnections, which one among these interconnections. Including this in the input string CI avoids the need to keep these strings as part of the state of the CPace protocol and reduces memory consumption, but requires that A and B are available upon protocol start. In the current definition, the only state that a CPace player needs to keep during for an active session is the session ID and the secret exponent (ya or yb). Without any impact on the proof A and B could alternatively also be transmitted together with Ya and Yb in the protocol messages and integrated in the final hash in the transcript. This comes at the cost of slightly larger state. For the proof correctness, the requirement is that the CPace result ISK needs to be bound to the identities. Without the A/B identifiers, relay attacks in the style of the "selfie" attack on TLS would be feasible and the proof would not hold because a such a relay attack would become possible in the real world but not possible in the ideal world. Regarding the question whether to include the A/B information better initially or better in the final hash is probably worth a discussion. Yours, Björn Mit freundlichen Grüßen I Best Regards Dr. Björn Haase Senior Expert Electronics | TGREH Electronics Hardware Endress+Hauser Liquid Analysis Endress+Hauser Conducta GmbH+Co.KG | Dieselstrasse 24 | 70839 Gerlingen | Germany Phone: +49 7156 209 377 | Fax: +49 7156 209 221 bjoern.haase@endress.com | www.conducta.endress.com Endress+Hauser Conducta GmbH+Co.KG Amtsgericht Stuttgart HRA 201908 Sitz der Gesellschaft: Gerlingen Persönlich haftende Gesellschafterin: Endress+Hauser Conducta Verwaltungsgesellschaft mbH Sitz der Gesellschaft: Gerlingen Amtsgericht Stuttgart HRA 201929 Geschäftsführer: Dr. Manfred Jagiella Gemäss Datenschutzgrundverordnung sind wir verpflichtet, Sie zu informieren, wenn wir personenbezogene Daten von Ihnen erheben. Dieser Informationspflicht kommen wir mit folgendem Datenschutzhinweis (https://www.endress.com/de/cookies-endress+hauser-website) nach. Disclaimer: The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential, proprietary, and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you receive this in error, please contact the sender and delete the material from any computer. This e-mail does not constitute a contract offer, a contract amendment, or an acceptance of a contract offer unless explicitly and conspicuously designated or stated as such. -----Ursprüngliche Nachricht----- Von: Cfrg <cfrg-bounces@irtf.org> Im Auftrag von Hao, Feng Gesendet: Dienstag, 9. Juni 2020 13:16 An: Björn Haase <bjoern.m.haase@web.de> Cc: cfrg@irtf.org Betreff: Re: [Cfrg] Comments on the CPace proof and the CFRG PAKE selection process Dear Bjorn (and CFRG), I hope you are all well. I raised one question about CPace during the selection process, however I don't think it has been properly addressed. Also I don't know whether the selection panel have actually taken this into account. Given that the selection process has finished and that CPace will likely be fielded, I feel we (everyone on CRFG) still have the responsibility to make sure all the technical claims in CPace are accurate and that the protocol can indeed be implemented securely and efficiently. CPace modifies SPEKE by adding a random string (session ID) in the first flow. It claims to be one-round and UC-Secure. However, the design of CPace is based on an "unusual" assumption: namely, each party should know the shared password and the other party's identity even before any communication in key exchange takes place. I say this is "unusual" as no other PAKE protocols make the same assumption, as far as I can tell. The "standard" assumption (e.g., as defined in ISO/IEC 11770-4) in PAKE is that a user only needs to memorize a shared password. The identities are established in-flow as part of the key exchange process and are verified based on the equality of the two passwords supplied by the two parties. This is reflected in all the PAKE designs that I know - but with exception of CPace. One implication for the "unusual" assumption in CPace is that now a user not only needs to memorize a password, but also memorize the other party's "exact" identity which is to going to be used in the key exchange. However, when a key exchange session fails, it's simply impossible to distinguish whether the failure is due to the use of the wrong password or the user mis-remembering the other party's identity. This will impose severe difficulties in the implementation, e.g., defending against online dictionary attacks. The other issue I raised in the earlier discussion in this list is that from the protocol design perspective, CPace is under-specified: there is no specification in the discrete logarithm setting, and several critical efficiency/security questions have been abstracted away by the idealization of hash-to-curve (which is yet to be established). Best regards, Feng _______________________________________________ Cfrg mailing list Cfrg@irtf.org https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.irtf.org%2Fmailman%2Flistinfo%2Fcfrg&data=02%7C01%7Cbjoern.haase%40endress.com%7Cde190fc13b26402f113208d80c668bd7%7C52daf2a93b734da4ac6a3f81adc92b7e%7C1%7C1%7C637272981885924039&sdata=Jj39ka13ASLKkMKsMjqllavkRfR1AbO6r0v%2BBMuDpAY%3D&reserved=0