Difference between revisions of "ObjectEncryption"

Revision as of 13:41, 11 January 2013

Object Encryption: Extending Swift

OpenStack’s object storage system provides high availability and fault tolerance but for data at rest protection, client side encryption is required. Amazon and Google’s object storage systems provide transparent data encryption. Server side encryption with key management would make data protection more readily available, enable harnessing of any special hardware encryption support on the servers, make available a larger set of encryption algorithms and reduce client maintenance effort. Protecting data involves not only encryption support but also key management, the storing, protecting, and making the encryption keys readily available, without storing data and keys on the same device. We shall address thus both encryption and key management. Before we dig into the details, we take a brief look at the security model and design options and decisions to provide a phased support. Security Model • Protection of data at rest: data encrypted and keys held in a separate location. Stealing the data disk still leaves the data protected. • Keys will also be encrypted, using a Master-key. One thing to keep safe as opposed to multiple keys. A notion similar to a safe deposit box requiring a bank key and a customer key to open. • Key Manager will not maintain mapping between keys to objects. • Authorization and access control support for key manager to protect from unauthorized use. • Protection from denial of service, either from malicious activity or natural disasters by way of key replication (akin to object replication and recovery in Swift). Use Cases Key Provider: • User (would rather not delegate trust, plans to use the same key for each object ..) • Auto-generation (either by the object storage system or key manager) Key Scope: • Per object • Per project (within a domain) • Per domain

             Key-Storage

• End-User • Key Manager

              Key-Size  128, 192, 256, shorter with padding

             Choice of Encryption Algorithm

• AES • DES • RSA • And beyond …

Design Considerations Key Manager Access

       Restricting access to the Key Manager to only OpenStack services would increase security. That is, no end user access.

Access Control Keys inserted by a service only accessible by that service. Is there a use case to support a global access? Master Key

      Each OpenStack service that uses Key Manager to maintain its keys could have its own master key and use the same to encrypt a key string before passing it for storage to the Key Manager. The Master key could reside on a python key ring (currently it is included in common module in OpenStack and readily available to all packages).

Benefits: 1. Communication between the service and the key manager do not need to be further encrypted using ssl or https because they keys flying between them are at all times encrypted. The decrypted key string would at any time only reside on the service that seeks to save it or use. 2. Keys used by different open stack services could reside in a single storage system but if one service were to be compromised, the keys from other services would still be safe. 3. Further, should there be a desire to change a master key, only keys stored by that service need to be re-encrypted. The actual data that they were used to encrypt do not need to be re-encrypted. Fault Tolerance and High Availability Key Manager’s keys need to be accessible at the same level as the objects they encrypt which makes for have the keys stored on a Swift like Object Storage system. Our implementation will be based on this strategy.

Swift API Changes (vx.1) 1. Put (also cli “upload)

      “put” to take optional arguments should take optional args

• encrypt=True|False, absence is the same as False • enc-alg=AES-CBC ..|RSA|DES (Mirantis selected AES-CBC) • enc-key-size=128|192|256 .. default 256 (Mirantis selected 256) • enc-key-string • <project-id> (account, container, object-name == all the usual suspects same as before) (To accommodate for domains and project names having to be only unique within a domain, there will be changes in Swift API semantics, in essence a unique project-id will be provided).

The encrypted object will be stored in Swift and the object meta data shall reflect these parameters. It shall further include a reference to its encryption key, key-id. Alternately a reference to an initialization vector will be provided, IV-id.

2. Get (also cli command) • enc-key-string If an enc-key-string is provided, it is used to decrypt the retrieved object using the other meta data associated with the object. If enc-key-string is not provided, but the meta data indicates that it is encrypted, then key-id if it exists is used to decrypt the object. If IV-id is provided, then the project-id is used to retrieve the project specific key and this is used in conjunction with the IV string retrieved using IV-id to decrypt the object and return to the user.

3. Put-Key, Get-Key, Create-key (cli-commands for the same)

• Put-key, arguments: key-string, project-id o Encrypt key-string using master key to get enc-key-string o Create key-id using hash(DM5 or Sha)(project-id . enc-key-string o Invoke Swift put using account=service-id (Swift|Cinder ..), enc-key-string and key-id from above, specify encrpt=false. (container could be “keys” or “project-id”) • Create-key project-id o Invokes Put-key after first generating a random key-string. Create key returns both the key-id and the unencrypted random key-string that was generated. • Get-key key-id o Invokes a Swift get with account=service-id, container = keys or project-id, and key-id. o The encrypted key string retrieved above is decrypted using the service master key and the plain text key is returned. Key-Manager API (v 1.0) 1. Put <encrypted-key-string> <key-id> Return success/failure and the key-id.

2. Get <key-id> returns the encrypted-key-string 3. Delete <key-id> deletes the entry

Swift Changes Put Path o If encryption is required, and the key string is provided, it shall be used. o If no key string is provided, the system invokes create-key, and on success uses the random key-string generated to encrypt the object and annotate it by way of meta data with the encryption parameters including key-id. Create-key internally contacts key-manager and saves the random key generated. o If a key-string is provided, the key-manager is bypassed and instead before put is attempted, the object is first encrypted. It is the responsibility of the get call to provide the appropriate decryption key. o No change if encryption is not requested. Get Path

          If the retrieved object indicates Encrypt=true, then the encryption related meta data is used and the key-manger used to obtain the encrypted key string used to encrypt the retrieved object and the information used accordingly.

Delete Path If each object has a distinct encryption key, then when an object is deleted, the key-manager may also delete the string saved against key-id or IV-id. How should we indicate whether we are using a common key that must not be deleted? General remarks: o Encryption occurs on Swift which typically is doing more IO than compute, so this would better exploit the hardware resources on Swift. o Additional network traffic to chat with the Key Manager to store and retrieve keys. Keys could be cached in the Swift node memory. o SSL, HTTPS used for client communication with Swift is what protects the encryption key string in transit.

Concerns/Questions • Data transfer overhead: Swift uses Rsync for file transfer during replication. Any encryption algorithm that uses some form of block cipher chaining or new initialization vector each time would result in the object representation changing drastically on each update. This would result in a larger network payload for transmission. • More things that can fail: With a key manager and an object storage system, there are two systems that can fail or be compromised, increasing the chance of things failing. • Unauthorized key deletion: If we use a Swift based system to storing keys and insert tombstone records to mimic a legitimate deletion after breaking into a Swift storage node, yes, keys could indeed be deleted on a reaper task, but this would be no new security hazard from what Swift deals with today. Perhaps we could introduce a check that there was a logged request to delete a key before deleting a key. • Wary of losing control of encryption key(s): Support the use case where the end user provides the encryption key (and stores a copy of their own key, and is responsible for maintaining safety of the key). The said key will not then be saved in the Key Manager. • Caching: Should only cache encrypted data. • Snap shots: Any standard mechanism is fine. No change necessary, data is encrypted. • Do we need an IV (initialization vector) for each object encrypted. Yes, if we take the common key for a project or domain approach. In this case the IV would need to be encrypted, and could be stored against a key-id. We could specify “compound-encryption” to imply use a master key in conjunction with the IV (accessed via the iv-id attached to the object meta-data). • No re-keying in phase-1. Not addressing background tasks of object re-keying such as that mentioned in Mirantis blog.

Implementation versions • Phase 1: Develop stub Key Manager service and specify encryption parameters in the url. Key manager could just be a hash table in the first version to get all the APIs specified and implement, to get the plumbing correct. Support a single most popular encryption algorithm. This would fully implement object encryption. • Phase-2: Make Key Manager is Swift instance, with multiple zones for storage. This would support true HA and fault tolerance. • Phase-3: Support multiple encryption algorithms. For instance, volume encryption may prefer XTS, an encryption strategy that uses sector address. • Phase-4: Reaper routine to change a master key for a service

Intel’s Interest Intel X86 hardware in Westmere and beyond provides AES-NI, hardware support for encryption/decryption. These speed up encryption/decryption. Further, Intel provides open source libraries to speed computation further by parallelizing the operations (multibuffer) and interleaving them (function stitching). The references give pointers to white papers. Intel product generations are incorporating wider registers which enables further parallelization of cryptographic operations. Future • Store user encryption preferences such as default key string, size, and encryption algorithm, to be passed along with the authentication token and used by Swift during object insertion. This would reduce put URL request lengths, while yet allowing flexibility in algorithm selection.

Glossary Key-string: A string of bits used to encrypt data. Could be auto-generated or end-user provided. Key-id: a unique ID used to index a key-string in the system. The key-id will be attached as meta data with the encrypted object. Master-key: a key-string used to encrypt the keys (key-strings) in the Key Manager

References http://www.mirantis.com/blog/openstack-swift-encryption-architecture http://www.egnyte.com/blog/2012/05/encryption-at-rest-in-egnyte-object-store-eos.html http://en.wikipedia.org/wiki/CBC-MAC http://en.wikipedia.org/wiki/Advanced_Encryption_Standard

      http://wiki.openstack.org/VolumeEncryption

Fast Cryptographic computation on IA processors via Function Stitching http://download.intel.com/design/intarch/PAPERS/323686.pdf Processing Multiple buffers in parallel - http://download.intel.com/design/intarch/papers/324101.pdf

      XTS efficient implementation: http://download.intel.com/design/intarch/PAPERS/324310.pdf

@@ Line 1: / Line 1: @@
 __NOTOC__
-<html xmlns:v="urn:schemas-microsoft-com:vml"
+Object Encryption: Extending Swift
-xmlns:o="urn:schemas-microsoft-com:office:office"
-xmlns:w="urn:schemas-microsoft-com:office:word"
-xmlns:dt="uuid:[[C2F41010]]-65B3-11d1-A29F-00AA00C14882"
-xmlns:m="http://schemas.microsoft.com/office/2004/12/omml"
-xmlns="http://www.w3.org/TR/REC-html40">
-<head>
+[[OpenStack]]’s object storage system provides high availability and fault tolerance but for data at rest protection, client side encryption is required. Amazon and Google’s object storage systems provide transparent data encryption. Server side encryption with key management would make data protection more readily available, enable harnessing of any special hardware encryption support on the servers, make available a larger set of encryption algorithms and reduce client maintenance effort.
-<meta http-equiv=Content-Type content="text/html; charset=windows-1252">
+Protecting data involves not only encryption support but also key management, the storing, protecting, and making the encryption keys readily available, without storing data and keys on the same device. We shall address thus both encryption and key management. Before we dig into the details, we take a brief look at the security model and design options and decisions to provide a phased support.
-<meta name=[[ProgId]] content=Word.Document>
+Security Model
-<meta name=Generator content="Microsoft Word 14">
+•	Protection of data at rest: data encrypted and keys held in a separate location. Stealing the data disk still leaves the data protected.
-<meta name=Originator content="Microsoft Word 14">
+•	Keys will also be encrypted, using a Master-key. One thing to keep safe as opposed to multiple keys. A notion similar to a safe deposit box requiring a bank key and a customer key to open.
-<link rel=File-List href="ObjectEncryption_files/filelist.xml">
+•	Key Manager will not maintain mapping between keys to objects.
-<!--[if gte mso 9]><xml>
+•	Authorization and access control support for key manager to protect from unauthorized use.
- <o:[[DocumentProperties]]>
+•	Protection from denial of service, either from malicious activity or natural disasters by way of key replication (akin to object replication and recovery in Swift).
-  <o:Author>Bhandaru, Malini K</o:Author>
+Use Cases
-  <o:[[LastAuthor]]>Bhandaru, Malini K</o:[[LastAuthor]]>
+Key Provider:
-  <o:Revision>2</o:Revision>
+•	User (would rather not delegate trust, plans to use the same key for each object ..)
-  <o:[[TotalTime]]>6</o:[[TotalTime]]>
+•	Auto-generation (either by the object storage system or key manager)
-  <o:Created>2013-01-11T13:23:00Z</o:Created>
+Key Scope:
-  <o:[[LastSaved]]>2013-01-11T13:23:00Z</o:[[LastSaved]]>
+•	Per object
-  <o:Pages>7</o:Pages>
+•	Per project (within a domain)
-  <o:Words>1869</o:Words>
+•	Per domain
-  <o:Characters>10659</o:Characters>
+              Key-Storage
-  <o:Company>Intel Corporation</o:Company>
+•	End-User
-  <o:Lines>88</o:Lines>
+•	Key Manager
-  <o:Paragraphs>25</o:Paragraphs>
+               Key-Size  128, 192, 256, shorter with padding
-  <o:[[CharactersWithSpaces]]>12503</o:[[CharactersWithSpaces]]>
-  <o:Version>14.00</o:Version>
- </o:[[DocumentProperties]]>
- <o:[[OfficeDocumentSettings]]>
-  <o:AllowPNG/>
- </o:[[OfficeDocumentSettings]]>
-</xml><![endif]-->
-<link rel=themeData href="ObjectEncryption_files/themedata.thmx">
-<link rel=colorSchemeMapping
-href="ObjectEncryption_files/colorschememapping.xml">
-<!--[if gte mso 9]><xml>
- <w:[[WordDocument]]>
-  <w:[[SpellingState]]>Clean</w:[[SpellingState]]>
-  <w:[[GrammarState]]>Clean</w:[[GrammarState]]>
-  <w:[[TrackMoves]]>false</w:[[TrackMoves]]>
-  <w:[[TrackFormatting]]/>
-  <w:[[PunctuationKerning]]/>
-  <w:[[ValidateAgainstSchemas]]/>
-  <w:SaveIfXMLInvalid>false</w:SaveIfXMLInvalid>
-  <w:[[IgnoreMixedContent]]>false</w:[[IgnoreMixedContent]]>
-  <w:[[AlwaysShowPlaceholderText]]>false</w:[[AlwaysShowPlaceholderText]]>
-  <w:DoNotPromoteQF/>
-  <w:[[LidThemeOther]]>EN-US</w:[[LidThemeOther]]>
-  <w:[[LidThemeAsian]]>X-NONE</w:[[LidThemeAsian]]>
-  <w:[[LidThemeComplexScript]]>X-NONE</w:[[LidThemeComplexScript]]>
-  <w:Compatibility>
-   <w:[[BreakWrappedTables]]/>
-   <w:[[SnapToGridInCell]]/>
-   <w:[[WrapTextWithPunct]]/>
-   <w:[[UseAsianBreakRules]]/>
-   <w:[[DontGrowAutofit]]/>
-   <w:[[SplitPgBreakAndParaMark]]/>
-   <w:[[EnableOpenTypeKerning]]/>
-   <w:[[DontFlipMirrorIndents]]/>
-   <w:[[OverrideTableStyleHps]]/>
-  </w:Compatibility>
-  <m:mathPr>
-   <m:mathFont m:val="Cambria Math"/>
-   <m:brkBin m:val="before"/>
-   <m:brkBinSub m:val="&#45;-"/>
-   <m:smallFrac m:val="off"/>
-   <m:dispDef/>
-   <m:lMargin m:val="0"/>
-   <m:rMargin m:val="0"/>
-   <m:defJc m:val="centerGroup"/>
-   <m:wrapIndent m:val="1440"/>
-   <m:intLim m:val="subSup"/>
-   <m:naryLim m:val="undOvr"/>
-  </m:mathPr></w:[[WordDocument]]>
-</xml><![endif]--><!--[if gte mso 9]><xml>
- <w:[[LatentStyles]] [[DefLockedState]]="false" [[DefUnhideWhenUsed]]="true"
-  [[DefSemiHidden]]="true" DefQFormat="false" [[DefPriority]]="99"
-  [[LatentStyleCount]]="267">
-  <w:[[LsdException]] Locked="false" Priority="0" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" QFormat="true" Name="Normal"/>
-  <w:[[LsdException]] Locked="false" Priority="9" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" QFormat="true" Name="heading 1"/>
-  <w:[[LsdException]] Locked="false" Priority="9" QFormat="true" Name="heading 2"/>
-  <w:[[LsdException]] Locked="false" Priority="9" QFormat="true" Name="heading 3"/>
-  <w:[[LsdException]] Locked="false" Priority="9" QFormat="true" Name="heading 4"/>
-  <w:[[LsdException]] Locked="false" Priority="9" QFormat="true" Name="heading 5"/>
-  <w:[[LsdException]] Locked="false" Priority="9" QFormat="true" Name="heading 6"/>
-  <w:[[LsdException]] Locked="false" Priority="9" QFormat="true" Name="heading 7"/>
-  <w:[[LsdException]] Locked="false" Priority="9" QFormat="true" Name="heading 8"/>
-  <w:[[LsdException]] Locked="false" Priority="9" QFormat="true" Name="heading 9"/>
-  <w:[[LsdException]] Locked="false" Priority="39" Name="toc 1"/>
-  <w:[[LsdException]] Locked="false" Priority="39" Name="toc 2"/>
-  <w:[[LsdException]] Locked="false" Priority="39" Name="toc 3"/>
-  <w:[[LsdException]] Locked="false" Priority="39" Name="toc 4"/>
-  <w:[[LsdException]] Locked="false" Priority="39" Name="toc 5"/>
-  <w:[[LsdException]] Locked="false" Priority="39" Name="toc 6"/>
-  <w:[[LsdException]] Locked="false" Priority="39" Name="toc 7"/>
-  <w:[[LsdException]] Locked="false" Priority="39" Name="toc 8"/>
-  <w:[[LsdException]] Locked="false" Priority="39" Name="toc 9"/>
-  <w:[[LsdException]] Locked="false" Priority="35" QFormat="true" Name="caption"/>
-  <w:[[LsdException]] Locked="false" Priority="10" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" QFormat="true" Name="Title"/>
-  <w:[[LsdException]] Locked="false" Priority="1" Name="Default Paragraph Font"/>
-  <w:[[LsdException]] Locked="false" Priority="11" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" QFormat="true" Name="Subtitle"/>
-  <w:[[LsdException]] Locked="false" Priority="22" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" QFormat="true" Name="Strong"/>
-  <w:[[LsdException]] Locked="false" Priority="20" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" QFormat="true" Name="Emphasis"/>
-  <w:[[LsdException]] Locked="false" Priority="59" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Table Grid"/>
-  <w:[[LsdException]] Locked="false" [[UnhideWhenUsed]]="false" Name="Placeholder Text"/>
-  <w:[[LsdException]] Locked="false" Priority="1" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" QFormat="true" Name="No Spacing"/>
-  <w:[[LsdException]] Locked="false" Priority="60" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Light Shading"/>
-  <w:[[LsdException]] Locked="false" Priority="61" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Light List"/>
-  <w:[[LsdException]] Locked="false" Priority="62" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Light Grid"/>
-  <w:[[LsdException]] Locked="false" Priority="63" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Medium Shading 1"/>
-  <w:[[LsdException]] Locked="false" Priority="64" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Medium Shading 2"/>
-  <w:[[LsdException]] Locked="false" Priority="65" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Medium List 1"/>
-  <w:[[LsdException]] Locked="false" Priority="66" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Medium List 2"/>
-  <w:[[LsdException]] Locked="false" Priority="67" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Medium Grid 1"/>
-  <w:[[LsdException]] Locked="false" Priority="68" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Medium Grid 2"/>
-  <w:[[LsdException]] Locked="false" Priority="69" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Medium Grid 3"/>
-  <w:[[LsdException]] Locked="false" Priority="70" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Dark List"/>
-  <w:[[LsdException]] Locked="false" Priority="71" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Colorful Shading"/>
-  <w:[[LsdException]] Locked="false" Priority="72" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Colorful List"/>
-  <w:[[LsdException]] Locked="false" Priority="73" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Colorful Grid"/>
-  <w:[[LsdException]] Locked="false" Priority="60" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Light Shading Accent 1"/>
-  <w:[[LsdException]] Locked="false" Priority="61" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Light List Accent 1"/>
-  <w:[[LsdException]] Locked="false" Priority="62" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Light Grid Accent 1"/>
-  <w:[[LsdException]] Locked="false" Priority="63" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Medium Shading 1 Accent 1"/>
-  <w:[[LsdException]] Locked="false" Priority="64" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Medium Shading 2 Accent 1"/>
-  <w:[[LsdException]] Locked="false" Priority="65" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Medium List 1 Accent 1"/>
-  <w:[[LsdException]] Locked="false" [[UnhideWhenUsed]]="false" Name="Revision"/>
-  <w:[[LsdException]] Locked="false" Priority="34" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" QFormat="true" Name="List Paragraph"/>
-  <w:[[LsdException]] Locked="false" Priority="29" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" QFormat="true" Name="Quote"/>
-  <w:[[LsdException]] Locked="false" Priority="30" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" QFormat="true" Name="Intense Quote"/>
-  <w:[[LsdException]] Locked="false" Priority="66" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Medium List 2 Accent 1"/>
-  <w:[[LsdException]] Locked="false" Priority="67" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Medium Grid 1 Accent 1"/>
-  <w:[[LsdException]] Locked="false" Priority="68" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Medium Grid 2 Accent 1"/>
-  <w:[[LsdException]] Locked="false" Priority="69" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Medium Grid 3 Accent 1"/>
-  <w:[[LsdException]] Locked="false" Priority="70" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Dark List Accent 1"/>
-  <w:[[LsdException]] Locked="false" Priority="71" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Colorful Shading Accent 1"/>
-  <w:[[LsdException]] Locked="false" Priority="72" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Colorful List Accent 1"/>
-  <w:[[LsdException]] Locked="false" Priority="73" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Colorful Grid Accent 1"/>
-  <w:[[LsdException]] Locked="false" Priority="60" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Light Shading Accent 2"/>
-  <w:[[LsdException]] Locked="false" Priority="61" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Light List Accent 2"/>
-  <w:[[LsdException]] Locked="false" Priority="62" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Light Grid Accent 2"/>
-  <w:[[LsdException]] Locked="false" Priority="63" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Medium Shading 1 Accent 2"/>
-  <w:[[LsdException]] Locked="false" Priority="64" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Medium Shading 2 Accent 2"/>
-  <w:[[LsdException]] Locked="false" Priority="65" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Medium List 1 Accent 2"/>
-  <w:[[LsdException]] Locked="false" Priority="66" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Medium List 2 Accent 2"/>
-  <w:[[LsdException]] Locked="false" Priority="67" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Medium Grid 1 Accent 2"/>
-  <w:[[LsdException]] Locked="false" Priority="68" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Medium Grid 2 Accent 2"/>
-  <w:[[LsdException]] Locked="false" Priority="69" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Medium Grid 3 Accent 2"/>
-  <w:[[LsdException]] Locked="false" Priority="70" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Dark List Accent 2"/>
-  <w:[[LsdException]] Locked="false" Priority="71" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Colorful Shading Accent 2"/>
-  <w:[[LsdException]] Locked="false" Priority="72" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Colorful List Accent 2"/>
-  <w:[[LsdException]] Locked="false" Priority="73" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Colorful Grid Accent 2"/>
-  <w:[[LsdException]] Locked="false" Priority="60" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Light Shading Accent 3"/>
-  <w:[[LsdException]] Locked="false" Priority="61" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Light List Accent 3"/>
-  <w:[[LsdException]] Locked="false" Priority="62" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Light Grid Accent 3"/>
-  <w:[[LsdException]] Locked="false" Priority="63" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Medium Shading 1 Accent 3"/>
-  <w:[[LsdException]] Locked="false" Priority="64" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Medium Shading 2 Accent 3"/>
-  <w:[[LsdException]] Locked="false" Priority="65" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Medium List 1 Accent 3"/>
-  <w:[[LsdException]] Locked="false" Priority="66" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Medium List 2 Accent 3"/>
-  <w:[[LsdException]] Locked="false" Priority="67" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Medium Grid 1 Accent 3"/>
-  <w:[[LsdException]] Locked="false" Priority="68" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Medium Grid 2 Accent 3"/>
-  <w:[[LsdException]] Locked="false" Priority="69" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Medium Grid 3 Accent 3"/>
-  <w:[[LsdException]] Locked="false" Priority="70" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Dark List Accent 3"/>
-  <w:[[LsdException]] Locked="false" Priority="71" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Colorful Shading Accent 3"/>
-  <w:[[LsdException]] Locked="false" Priority="72" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Colorful List Accent 3"/>
-  <w:[[LsdException]] Locked="false" Priority="73" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Colorful Grid Accent 3"/>
-  <w:[[LsdException]] Locked="false" Priority="60" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Light Shading Accent 4"/>
-  <w:[[LsdException]] Locked="false" Priority="61" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Light List Accent 4"/>
-  <w:[[LsdException]] Locked="false" Priority="62" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Light Grid Accent 4"/>
-  <w:[[LsdException]] Locked="false" Priority="63" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Medium Shading 1 Accent 4"/>
-  <w:[[LsdException]] Locked="false" Priority="64" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Medium Shading 2 Accent 4"/>
-  <w:[[LsdException]] Locked="false" Priority="65" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Medium List 1 Accent 4"/>
-  <w:[[LsdException]] Locked="false" Priority="66" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Medium List 2 Accent 4"/>
-  <w:[[LsdException]] Locked="false" Priority="67" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Medium Grid 1 Accent 4"/>
-  <w:[[LsdException]] Locked="false" Priority="68" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Medium Grid 2 Accent 4"/>
-  <w:[[LsdException]] Locked="false" Priority="69" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Medium Grid 3 Accent 4"/>
-  <w:[[LsdException]] Locked="false" Priority="70" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Dark List Accent 4"/>
-  <w:[[LsdException]] Locked="false" Priority="71" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Colorful Shading Accent 4"/>
-  <w:[[LsdException]] Locked="false" Priority="72" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Colorful List Accent 4"/>
-  <w:[[LsdException]] Locked="false" Priority="73" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Colorful Grid Accent 4"/>
-  <w:[[LsdException]] Locked="false" Priority="60" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Light Shading Accent 5"/>
-  <w:[[LsdException]] Locked="false" Priority="61" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Light List Accent 5"/>
-  <w:[[LsdException]] Locked="false" Priority="62" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Light Grid Accent 5"/>
-  <w:[[LsdException]] Locked="false" Priority="63" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Medium Shading 1 Accent 5"/>
-  <w:[[LsdException]] Locked="false" Priority="64" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Medium Shading 2 Accent 5"/>
-  <w:[[LsdException]] Locked="false" Priority="65" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Medium List 1 Accent 5"/>
-  <w:[[LsdException]] Locked="false" Priority="66" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Medium List 2 Accent 5"/>
-  <w:[[LsdException]] Locked="false" Priority="67" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Medium Grid 1 Accent 5"/>
-  <w:[[LsdException]] Locked="false" Priority="68" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Medium Grid 2 Accent 5"/>
-  <w:[[LsdException]] Locked="false" Priority="69" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Medium Grid 3 Accent 5"/>
-  <w:[[LsdException]] Locked="false" Priority="70" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Dark List Accent 5"/>
-  <w:[[LsdException]] Locked="false" Priority="71" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Colorful Shading Accent 5"/>
-  <w:[[LsdException]] Locked="false" Priority="72" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Colorful List Accent 5"/>
-  <w:[[LsdException]] Locked="false" Priority="73" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Colorful Grid Accent 5"/>
-  <w:[[LsdException]] Locked="false" Priority="60" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Light Shading Accent 6"/>
-  <w:[[LsdException]] Locked="false" Priority="61" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Light List Accent 6"/>
-  <w:[[LsdException]] Locked="false" Priority="62" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Light Grid Accent 6"/>
-  <w:[[LsdException]] Locked="false" Priority="63" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Medium Shading 1 Accent 6"/>
-  <w:[[LsdException]] Locked="false" Priority="64" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Medium Shading 2 Accent 6"/>
-  <w:[[LsdException]] Locked="false" Priority="65" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Medium List 1 Accent 6"/>
-  <w:[[LsdException]] Locked="false" Priority="66" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Medium List 2 Accent 6"/>
-  <w:[[LsdException]] Locked="false" Priority="67" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Medium Grid 1 Accent 6"/>
-  <w:[[LsdException]] Locked="false" Priority="68" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Medium Grid 2 Accent 6"/>
-  <w:[[LsdException]] Locked="false" Priority="69" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Medium Grid 3 Accent 6"/>
-  <w:[[LsdException]] Locked="false" Priority="70" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Dark List Accent 6"/>
-  <w:[[LsdException]] Locked="false" Priority="71" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Colorful Shading Accent 6"/>
-  <w:[[LsdException]] Locked="false" Priority="72" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Colorful List Accent 6"/>
-  <w:[[LsdException]] Locked="false" Priority="73" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" Name="Colorful Grid Accent 6"/>
-  <w:[[LsdException]] Locked="false" Priority="19" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" QFormat="true" Name="Subtle Emphasis"/>
-  <w:[[LsdException]] Locked="false" Priority="21" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" QFormat="true" Name="Intense Emphasis"/>
-  <w:[[LsdException]] Locked="false" Priority="31" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" QFormat="true" Name="Subtle Reference"/>
-  <w:[[LsdException]] Locked="false" Priority="32" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" QFormat="true" Name="Intense Reference"/>
-  <w:[[LsdException]] Locked="false" Priority="33" [[SemiHidden]]="false"
-   [[UnhideWhenUsed]]="false" QFormat="true" Name="Book Title"/>
-  <w:[[LsdException]] Locked="false" Priority="37" Name="Bibliography"/>
-  <w:[[LsdException]] Locked="false" Priority="39" QFormat="true" Name="TOC Heading"/>
- </w:[[LatentStyles]]>
-</xml><![endif]-->
-<style>
-<!--
- /* Font Definitions */
- @font-face
-	{font-family:Wingdings;
-	panose-1:5 0 0 0 0 0 0 0 0 0;
-	mso-font-charset:2;
-	mso-generic-font-family:auto;
-	mso-font-pitch:variable;
-	mso-font-signature:0 268435456 0 0 -2147483648 0;}
-@font-face
-	{font-family:Wingdings;
-	panose-1:5 0 0 0 0 0 0 0 0 0;
-	mso-font-charset:2;
-	mso-generic-font-family:auto;
-	mso-font-pitch:variable;
-	mso-font-signature:0 268435456 0 0 -2147483648 0;}
-@font-face
-	{font-family:Cambria;
-	panose-1:2 4 5 3 5 4 6 3 2 4;
-	mso-font-charset:0;
-	mso-generic-font-family:roman;
-	mso-font-pitch:variable;
-	mso-font-signature:-536870145 1073743103 0 0 415 0;}
-@font-face
-	{font-family:Calibri;
-	panose-1:2 15 5 2 2 2 4 3 2 4;
-	mso-font-charset:0;
-	mso-generic-font-family:swiss;
-	mso-font-pitch:variable;
-	mso-font-signature:-520092929 1073786111 9 0 415 0;}
- /* Style Definitions */
- p.[[MsoNormal]], li.[[MsoNormal]], div.[[MsoNormal]]
-	{mso-style-unhide:no;
-	mso-style-qformat:yes;
-	mso-style-parent:"";
-	margin-top:0in;
-	margin-right:0in;
-	margin-bottom:10.0pt;
-	margin-left:0in;
-	line-height:115%;
-	mso-pagination:widow-orphan;
-	font-size:11.0pt;
-	font-family:"Calibri","sans-serif";
-	mso-ascii-font-family:Calibri;
-	mso-ascii-theme-font:minor-latin;
-	mso-fareast-font-family:Calibri;
-	mso-fareast-theme-font:minor-latin;
-	mso-hansi-font-family:Calibri;
-	mso-hansi-theme-font:minor-latin;
-	mso-bidi-font-family:"Times New Roman";
-	mso-bidi-theme-font:minor-bidi;}
-h1
-	{mso-style-priority:9;
-	mso-style-unhide:no;
-	mso-style-qformat:yes;
-	mso-style-link:"Heading 1 Char";
-	mso-style-next:Normal;
-	margin-top:24.0pt;
-	margin-right:0in;
-	margin-bottom:0in;
-	margin-left:0in;
-	margin-bottom:.0001pt;
-	line-height:115%;
-	mso-pagination:widow-orphan lines-together;
-	page-break-after:avoid;
-	mso-outline-level:1;
-	font-size:14.0pt;
-	font-family:"Cambria","serif";
-	mso-ascii-font-family:Cambria;
-	mso-ascii-theme-font:major-latin;
-	mso-fareast-font-family:"Times New Roman";
-	mso-fareast-theme-font:major-fareast;
-	mso-hansi-font-family:Cambria;
-	mso-hansi-theme-font:major-latin;
-	mso-bidi-font-family:"Times New Roman";
-	mso-bidi-theme-font:major-bidi;
-	color:#365F91;
-	mso-themecolor:accent1;
-	mso-themeshade:191;
-	mso-font-kerning:0pt;
-	font-weight:bold;}
-h2
-	{mso-style-priority:9;
-	mso-style-qformat:yes;
-	mso-style-link:"Heading 2 Char";
-	mso-style-next:Normal;
-	margin-top:10.0pt;
-	margin-right:0in;
-	margin-bottom:0in;
-	margin-left:0in;
-	margin-bottom:.0001pt;
-	line-height:115%;
-	mso-pagination:widow-orphan lines-together;
-	page-break-after:avoid;
-	mso-outline-level:2;
-	font-size:13.0pt;
-	font-family:"Cambria","serif";
-	mso-ascii-font-family:Cambria;
-	mso-ascii-theme-font:major-latin;
-	mso-fareast-font-family:"Times New Roman";
-	mso-fareast-theme-font:major-fareast;
-	mso-hansi-font-family:Cambria;
-	mso-hansi-theme-font:major-latin;
-	mso-bidi-font-family:"Times New Roman";
-	mso-bidi-theme-font:major-bidi;
-	color:#4F81BD;
-	mso-themecolor:accent1;
-	font-weight:bold;}
-h3
-	{mso-style-priority:9;
-	mso-style-qformat:yes;
-	mso-style-link:"Heading 3 Char";
-	mso-style-next:Normal;
-	margin-top:10.0pt;
-	margin-right:0in;
-	margin-bottom:0in;
-	margin-left:0in;
-	margin-bottom:.0001pt;
-	line-height:115%;
-	mso-pagination:widow-orphan lines-together;
-	page-break-after:avoid;
-	mso-outline-level:3;
-	font-size:11.0pt;
-	font-family:"Cambria","serif";
-	mso-ascii-font-family:Cambria;
-	mso-ascii-theme-font:major-latin;
-	mso-fareast-font-family:"Times New Roman";
-	mso-fareast-theme-font:major-fareast;
-	mso-hansi-font-family:Cambria;
-	mso-hansi-theme-font:major-latin;
-	mso-bidi-font-family:"Times New Roman";
-	mso-bidi-theme-font:major-bidi;
-	color:#4F81BD;
-	mso-themecolor:accent1;
-	font-weight:bold;}
-p.[[MsoSubtitle]], li.[[MsoSubtitle]], div.[[MsoSubtitle]]
-	{mso-style-priority:11;
-	mso-style-unhide:no;
-	mso-style-qformat:yes;
-	mso-style-link:"Subtitle Char";
-	mso-style-next:Normal;
-	margin-top:0in;
-	margin-right:0in;
-	margin-bottom:10.0pt;
-	margin-left:0in;
-	line-height:115%;
-	mso-pagination:widow-orphan;
-	font-size:12.0pt;
-	font-family:"Cambria","serif";
-	mso-ascii-font-family:Cambria;
-	mso-ascii-theme-font:major-latin;
-	mso-fareast-font-family:"Times New Roman";
-	mso-fareast-theme-font:major-fareast;
-	mso-hansi-font-family:Cambria;
-	mso-hansi-theme-font:major-latin;
-	mso-bidi-font-family:"Times New Roman";
-	mso-bidi-theme-font:major-bidi;
-	color:#4F81BD;
-	mso-themecolor:accent1;
-	letter-spacing:.75pt;
-	font-style:italic;}
-a:link, span.[[MsoHyperlink]]
-	{mso-style-priority:99;
-	color:blue;
-	mso-themecolor:hyperlink;
-	text-decoration:underline;
-	text-underline:single;}
-a:visited, span.[[MsoHyperlinkFollowed]]
-	{mso-style-noshow:yes;
-	mso-style-priority:99;
-	color:purple;
-	mso-themecolor:followedhyperlink;
-	text-decoration:underline;
-	text-underline:single;}
-p
-	{mso-style-noshow:yes;
-	mso-style-priority:99;
-	mso-margin-top-alt:auto;
-	margin-right:0in;
-	mso-margin-bottom-alt:auto;
-	margin-left:0in;
-	mso-pagination:widow-orphan;
-	font-size:12.0pt;
-	font-family:"Times New Roman","serif";
-	mso-fareast-font-family:"Times New Roman";}
-p.[[MsoListParagraph]], li.[[MsoListParagraph]], div.[[MsoListParagraph]]
-	{mso-style-priority:34;
-	mso-style-unhide:no;
-	mso-style-qformat:yes;
-	margin-top:0in;
-	margin-right:0in;
-	margin-bottom:10.0pt;
-	margin-left:.5in;
-	mso-add-space:auto;
-	line-height:115%;
-	mso-pagination:widow-orphan;
-	font-size:11.0pt;
-	font-family:"Calibri","sans-serif";
-	mso-ascii-font-family:Calibri;
-	mso-ascii-theme-font:minor-latin;
-	mso-fareast-font-family:Calibri;
-	mso-fareast-theme-font:minor-latin;
-	mso-hansi-font-family:Calibri;
-	mso-hansi-theme-font:minor-latin;
-	mso-bidi-font-family:"Times New Roman";
-	mso-bidi-theme-font:minor-bidi;}
-p.[[MsoListParagraphCxSpFirst]], li.[[MsoListParagraphCxSpFirst]], div.[[MsoListParagraphCxSpFirst]]
-	{mso-style-priority:34;
-	mso-style-unhide:no;
-	mso-style-qformat:yes;
-	mso-style-type:export-only;
-	margin-top:0in;
-	margin-right:0in;
-	margin-bottom:0in;
-	margin-left:.5in;
-	margin-bottom:.0001pt;
-	mso-add-space:auto;
-	line-height:115%;
-	mso-pagination:widow-orphan;
-	font-size:11.0pt;
-	font-family:"Calibri","sans-serif";
-	mso-ascii-font-family:Calibri;
-	mso-ascii-theme-font:minor-latin;
-	mso-fareast-font-family:Calibri;
-	mso-fareast-theme-font:minor-latin;
-	mso-hansi-font-family:Calibri;
-	mso-hansi-theme-font:minor-latin;
-	mso-bidi-font-family:"Times New Roman";
-	mso-bidi-theme-font:minor-bidi;}
-p.[[MsoListParagraphCxSpMiddle]], li.[[MsoListParagraphCxSpMiddle]], div.[[MsoListParagraphCxSpMiddle]]
-	{mso-style-priority:34;
-	mso-style-unhide:no;
-	mso-style-qformat:yes;
-	mso-style-type:export-only;
-	margin-top:0in;
-	margin-right:0in;
-	margin-bottom:0in;
-	margin-left:.5in;
-	margin-bottom:.0001pt;
-	mso-add-space:auto;
-	line-height:115%;
-	mso-pagination:widow-orphan;
-	font-size:11.0pt;
-	font-family:"Calibri","sans-serif";
-	mso-ascii-font-family:Calibri;
-	mso-ascii-theme-font:minor-latin;
-	mso-fareast-font-family:Calibri;
-	mso-fareast-theme-font:minor-latin;
-	mso-hansi-font-family:Calibri;
-	mso-hansi-theme-font:minor-latin;
-	mso-bidi-font-family:"Times New Roman";
-	mso-bidi-theme-font:minor-bidi;}
-p.[[MsoListParagraphCxSpLast]], li.[[MsoListParagraphCxSpLast]], div.[[MsoListParagraphCxSpLast]]
-	{mso-style-priority:34;
-	mso-style-unhide:no;
-	mso-style-qformat:yes;
-	mso-style-type:export-only;
-	margin-top:0in;
-	margin-right:0in;
-	margin-bottom:10.0pt;
-	margin-left:.5in;
-	mso-add-space:auto;
-	line-height:115%;
-	mso-pagination:widow-orphan;
-	font-size:11.0pt;
-	font-family:"Calibri","sans-serif";
-	mso-ascii-font-family:Calibri;
-	mso-ascii-theme-font:minor-latin;
-	mso-fareast-font-family:Calibri;
-	mso-fareast-theme-font:minor-latin;
-	mso-hansi-font-family:Calibri;
-	mso-hansi-theme-font:minor-latin;
-	mso-bidi-font-family:"Times New Roman";
-	mso-bidi-theme-font:minor-bidi;}
-p.[[MsoIntenseQuote]], li.[[MsoIntenseQuote]], div.[[MsoIntenseQuote]]
-	{mso-style-priority:30;
-	mso-style-unhide:no;
-	mso-style-qformat:yes;
-	mso-style-link:"Intense Quote Char";
-	mso-style-next:Normal;
-	margin-top:10.0pt;
-	margin-right:.65in;
-	margin-bottom:14.0pt;
-	margin-left:.65in;
-	line-height:115%;
-	mso-pagination:widow-orphan;
-	border:none;
-	mso-border-bottom-alt:solid #4F81BD .5pt;
-	mso-border-bottom-themecolor:accent1;
-	padding:0in;
-	mso-padding-alt:0in 0in 4.0pt 0in;
-	font-size:11.0pt;
-	font-family:"Calibri","sans-serif";
-	mso-ascii-font-family:Calibri;
-	mso-ascii-theme-font:minor-latin;
-	mso-fareast-font-family:Calibri;
-	mso-fareast-theme-font:minor-latin;
-	mso-hansi-font-family:Calibri;
-	mso-hansi-theme-font:minor-latin;
-	mso-bidi-font-family:"Times New Roman";
-	mso-bidi-theme-font:minor-bidi;
-	color:#4F81BD;
-	mso-themecolor:accent1;
-	font-weight:bold;
-	font-style:italic;}
-span.[[Heading1Char]]
-	{mso-style-name:"Heading 1 Char";
-	mso-style-priority:9;
-	mso-style-unhide:no;
-	mso-style-locked:yes;
-	mso-style-link:"Heading 1";
-	mso-ansi-font-size:14.0pt;
-	mso-bidi-font-size:14.0pt;
-	font-family:"Cambria","serif";
-	mso-ascii-font-family:Cambria;
-	mso-ascii-theme-font:major-latin;
-	mso-fareast-font-family:"Times New Roman";
-	mso-fareast-theme-font:major-fareast;
-	mso-hansi-font-family:Cambria;
-	mso-hansi-theme-font:major-latin;
-	mso-bidi-font-family:"Times New Roman";
-	mso-bidi-theme-font:major-bidi;
-	color:#365F91;
-	mso-themecolor:accent1;
-	mso-themeshade:191;
-	font-weight:bold;}
-span.[[IntenseQuoteChar]]
-	{mso-style-name:"Intense Quote Char";
-	mso-style-priority:30;
-	mso-style-unhide:no;
-	mso-style-locked:yes;
-	mso-style-link:"Intense Quote";
-	color:#4F81BD;
-	mso-themecolor:accent1;
-	font-weight:bold;
-	font-style:italic;}
-span.[[SubtitleChar]]
-	{mso-style-name:"Subtitle Char";
-	mso-style-priority:11;
-	mso-style-unhide:no;
-	mso-style-locked:yes;
-	mso-style-link:Subtitle;
-	mso-ansi-font-size:12.0pt;
-	mso-bidi-font-size:12.0pt;
-	font-family:"Cambria","serif";
-	mso-ascii-font-family:Cambria;
-	mso-ascii-theme-font:major-latin;
-	mso-fareast-font-family:"Times New Roman";
-	mso-fareast-theme-font:major-fareast;
-	mso-hansi-font-family:Cambria;
-	mso-hansi-theme-font:major-latin;
-	mso-bidi-font-family:"Times New Roman";
-	mso-bidi-theme-font:major-bidi;
-	color:#4F81BD;
-	mso-themecolor:accent1;
-	letter-spacing:.75pt;
-	font-style:italic;}
-span.[[Heading2Char]]
-	{mso-style-name:"Heading 2 Char";
-	mso-style-priority:9;
-	mso-style-unhide:no;
-	mso-style-locked:yes;
-	mso-style-link:"Heading 2";
-	mso-ansi-font-size:13.0pt;
-	mso-bidi-font-size:13.0pt;
-	font-family:"Cambria","serif";
-	mso-ascii-font-family:Cambria;
-	mso-ascii-theme-font:major-latin;
-	mso-fareast-font-family:"Times New Roman";
-	mso-fareast-theme-font:major-fareast;
-	mso-hansi-font-family:Cambria;
-	mso-hansi-theme-font:major-latin;
-	mso-bidi-font-family:"Times New Roman";
-	mso-bidi-theme-font:major-bidi;
-	color:#4F81BD;
-	mso-themecolor:accent1;
-	font-weight:bold;}
-span.[[Heading3Char]]
-	{mso-style-name:"Heading 3 Char";
-	mso-style-priority:9;
-	mso-style-unhide:no;
-	mso-style-locked:yes;
-	mso-style-link:"Heading 3";
-	font-family:"Cambria","serif";
-	mso-ascii-font-family:Cambria;
-	mso-ascii-theme-font:major-latin;
-	mso-fareast-font-family:"Times New Roman";
-	mso-fareast-theme-font:major-fareast;
-	mso-hansi-font-family:Cambria;
-	mso-hansi-theme-font:major-latin;
-	mso-bidi-font-family:"Times New Roman";
-	mso-bidi-theme-font:major-bidi;
-	color:#4F81BD;
-	mso-themecolor:accent1;
-	font-weight:bold;}
-span.SpellE
-	{mso-style-name:"";
-	mso-spl-e:yes;}
-span.GramE
-	{mso-style-name:"";
-	mso-gram-e:yes;}
-.[[MsoChpDefault]]
-	{mso-style-type:export-only;
-	mso-default-props:yes;
-	mso-ascii-font-family:Calibri;
-	mso-ascii-theme-font:minor-latin;
-	mso-fareast-font-family:Calibri;
-	mso-fareast-theme-font:minor-latin;
-	mso-hansi-font-family:Calibri;
-	mso-hansi-theme-font:minor-latin;
-	mso-bidi-font-family:"Times New Roman";
-	mso-bidi-theme-font:minor-bidi;}
-.[[MsoPapDefault]]
-	{mso-style-type:export-only;
-	margin-bottom:10.0pt;
-	line-height:115%;}
-@page [[WordSection1]]
-	{size:8.5in 11.0in;
-	margin:1.0in 1.0in 1.0in 1.0in;
-	mso-header-margin:.5in;
-	mso-footer-margin:.5in;
-	mso-paper-source:0;}
-div.[[WordSection1]]
-	{page:[[WordSection1]];}
- /* List Definitions */
- @list l0
-	{mso-list-id:122116483;
-	mso-list-type:hybrid;
-	mso-list-template-ids:-1638240446 -1256955394 -747331808 780309708 -992315210 1350077410 -933344816 430724074 -874457274 810312566;}
-@list l0:level1
-	{mso-level-number-format:bullet;
-	mso-level-text:;
-	mso-level-tab-stop:.5in;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Arial","sans-serif";
-	mso-bidi-font-family:"Times New Roman";}
-@list l0:level2
-	{mso-level-number-format:bullet;
-	mso-level-text:;
-	mso-level-tab-stop:1.0in;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Arial","sans-serif";
-	mso-bidi-font-family:"Times New Roman";}
-@list l0:level3
-	{mso-level-number-format:bullet;
-	mso-level-text:;
-	mso-level-tab-stop:1.5in;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Arial","sans-serif";
-	mso-bidi-font-family:"Times New Roman";}
-@list l0:level4
-	{mso-level-number-format:bullet;
-	mso-level-text:;
-	mso-level-tab-stop:2.0in;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Arial","sans-serif";
-	mso-bidi-font-family:"Times New Roman";}
-@list l0:level5
-	{mso-level-number-format:bullet;
-	mso-level-text:;
-	mso-level-tab-stop:2.5in;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Arial","sans-serif";
-	mso-bidi-font-family:"Times New Roman";}
-@list l0:level6
-	{mso-level-number-format:bullet;
-	mso-level-text:;
-	mso-level-tab-stop:3.0in;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Arial","sans-serif";
-	mso-bidi-font-family:"Times New Roman";}
-@list l0:level7
-	{mso-level-number-format:bullet;
-	mso-level-text:;
-	mso-level-tab-stop:3.5in;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Arial","sans-serif";
-	mso-bidi-font-family:"Times New Roman";}
-@list l0:level8
-	{mso-level-number-format:bullet;
-	mso-level-text:;
-	mso-level-tab-stop:4.0in;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Arial","sans-serif";
-	mso-bidi-font-family:"Times New Roman";}
-@list l0:level9
-	{mso-level-number-format:bullet;
-	mso-level-text:;
-	mso-level-tab-stop:4.5in;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Arial","sans-serif";
-	mso-bidi-font-family:"Times New Roman";}
-@list l1
-	{mso-list-id:122773038;
-	mso-list-type:hybrid;
-	mso-list-template-ids:-236697528 -2076565284 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
-@list l1:level1
-	{mso-level-text:"%1\)";
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:77.4pt;
-	text-indent:-.25in;}
-@list l1:level2
-	{mso-level-number-format:alpha-lower;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:113.4pt;
-	text-indent:-.25in;}
-@list l1:level3
-	{mso-level-number-format:roman-lower;
-	mso-level-tab-stop:none;
-	mso-level-number-position:right;
-	margin-left:149.4pt;
-	text-indent:-9.0pt;}
-@list l1:level4
-	{mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:185.4pt;
-	text-indent:-.25in;}
-@list l1:level5
-	{mso-level-number-format:alpha-lower;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:221.4pt;
-	text-indent:-.25in;}
-@list l1:level6
-	{mso-level-number-format:roman-lower;
-	mso-level-tab-stop:none;
-	mso-level-number-position:right;
-	margin-left:257.4pt;
-	text-indent:-9.0pt;}
-@list l1:level7
-	{mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:293.4pt;
-	text-indent:-.25in;}
-@list l1:level8
-	{mso-level-number-format:alpha-lower;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:329.4pt;
-	text-indent:-.25in;}
-@list l1:level9
-	{mso-level-number-format:roman-lower;
-	mso-level-tab-stop:none;
-	mso-level-number-position:right;
-	margin-left:365.4pt;
-	text-indent:-9.0pt;}
-@list l2
-	{mso-list-id:139855240;
-	mso-list-type:hybrid;
-	mso-list-template-ids:1149647228 1875906516 -1891470114 -530021094 -747722204 -1564852286 1375896106 768749834 -662000900 120738526;}
-@list l2:level1
-	{mso-level-number-format:bullet;
-	mso-level-text:;
-	mso-level-tab-stop:.5in;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Arial","sans-serif";
-	mso-bidi-font-family:"Times New Roman";}
-@list l2:level2
-	{mso-level-number-format:bullet;
-	mso-level-text:;
-	mso-level-tab-stop:1.0in;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Arial","sans-serif";
-	mso-bidi-font-family:"Times New Roman";}
-@list l2:level3
-	{mso-level-number-format:bullet;
-	mso-level-text:;
-	mso-level-tab-stop:1.5in;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Arial","sans-serif";
-	mso-bidi-font-family:"Times New Roman";}
-@list l2:level4
-	{mso-level-number-format:bullet;
-	mso-level-text:;
-	mso-level-tab-stop:2.0in;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Arial","sans-serif";
-	mso-bidi-font-family:"Times New Roman";}
-@list l2:level5
-	{mso-level-number-format:bullet;
-	mso-level-text:;
-	mso-level-tab-stop:2.5in;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Arial","sans-serif";
-	mso-bidi-font-family:"Times New Roman";}
-@list l2:level6
-	{mso-level-number-format:bullet;
-	mso-level-text:;
-	mso-level-tab-stop:3.0in;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Arial","sans-serif";
-	mso-bidi-font-family:"Times New Roman";}
-@list l2:level7
-	{mso-level-number-format:bullet;
-	mso-level-text:;
-	mso-level-tab-stop:3.5in;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Arial","sans-serif";
-	mso-bidi-font-family:"Times New Roman";}
-@list l2:level8
-	{mso-level-number-format:bullet;
-	mso-level-text:;
-	mso-level-tab-stop:4.0in;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Arial","sans-serif";
-	mso-bidi-font-family:"Times New Roman";}
-@list l2:level9
-	{mso-level-number-format:bullet;
-	mso-level-text:;
-	mso-level-tab-stop:4.5in;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Arial","sans-serif";
-	mso-bidi-font-family:"Times New Roman";}
-@list l3
-	{mso-list-id:215437186;
-	mso-list-type:hybrid;
-	mso-list-template-ids:247096654 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
-@list l3:level1
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0B7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Symbol;}
-@list l3:level2
-	{mso-level-number-format:bullet;
-	mso-level-text:o;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Courier New";}
-@list l3:level3
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0A7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Wingdings;}
-@list l3:level4
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0B7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Symbol;}
-@list l3:level5
-	{mso-level-number-format:bullet;
-	mso-level-text:o;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Courier New";}
-@list l3:level6
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0A7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Wingdings;}
-@list l3:level7
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0B7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Symbol;}
-@list l3:level8
-	{mso-level-number-format:bullet;
-	mso-level-text:o;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Courier New";}
-@list l3:level9
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0A7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Wingdings;}
-@list l4
-	{mso-list-id:270671711;
-	mso-list-type:hybrid;
-	mso-list-template-ids:1660208844 -606031210 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
-@list l4:level1
-	{mso-level-number-format:bullet;
-	mso-level-text:;
-	mso-level-tab-stop:.5in;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Times New Roman","serif";}
-@list l4:level2
-	{mso-level-number-format:bullet;
-	mso-level-text:o;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Courier New";}
-@list l4:level3
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0A7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Wingdings;}
-@list l4:level4
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0B7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Symbol;}
-@list l4:level5
-	{mso-level-number-format:bullet;
-	mso-level-text:o;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Courier New";}
-@list l4:level6
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0A7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Wingdings;}
-@list l4:level7
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0B7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Symbol;}
-@list l4:level8
-	{mso-level-number-format:bullet;
-	mso-level-text:o;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Courier New";}
-@list l4:level9
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0A7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Wingdings;}
-@list l5
-	{mso-list-id:279142354;
-	mso-list-type:hybrid;
-	mso-list-template-ids:1780925060 -606031210 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
-@list l5:level1
-	{mso-level-number-format:bullet;
-	mso-level-text:;
-	mso-level-tab-stop:.5in;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Times New Roman","serif";}
-@list l5:level2
-	{mso-level-number-format:bullet;
-	mso-level-text:o;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Courier New";}
-@list l5:level3
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0A7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Wingdings;}
-@list l5:level4
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0B7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Symbol;}
-@list l5:level5
-	{mso-level-number-format:bullet;
-	mso-level-text:o;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Courier New";}
-@list l5:level6
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0A7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Wingdings;}
-@list l5:level7
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0B7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Symbol;}
-@list l5:level8
-	{mso-level-number-format:bullet;
-	mso-level-text:o;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Courier New";}
-@list l5:level9
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0A7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Wingdings;}
-@list l6
-	{mso-list-id:344987493;
-	mso-list-type:hybrid;
-	mso-list-template-ids:1624039236 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
-@list l6:level1
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0B7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:74.4pt;
-	text-indent:-.25in;
-	font-family:Symbol;}
-@list l6:level2
-	{mso-level-number-format:bullet;
-	mso-level-text:o;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:110.4pt;
-	text-indent:-.25in;
-	font-family:"Courier New";}
-@list l6:level3
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0A7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:146.4pt;
-	text-indent:-.25in;
-	font-family:Wingdings;}
-@list l6:level4
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0B7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:182.4pt;
-	text-indent:-.25in;
-	font-family:Symbol;}
-@list l6:level5
-	{mso-level-number-format:bullet;
-	mso-level-text:o;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:218.4pt;
-	text-indent:-.25in;
-	font-family:"Courier New";}
-@list l6:level6
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0A7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:254.4pt;
-	text-indent:-.25in;
-	font-family:Wingdings;}
-@list l6:level7
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0B7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:290.4pt;
-	text-indent:-.25in;
-	font-family:Symbol;}
-@list l6:level8
-	{mso-level-number-format:bullet;
-	mso-level-text:o;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:326.4pt;
-	text-indent:-.25in;
-	font-family:"Courier New";}
-@list l6:level9
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0A7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:362.4pt;
-	text-indent:-.25in;
-	font-family:Wingdings;}
-@list l7
-	{mso-list-id:351803333;
-	mso-list-type:hybrid;
-	mso-list-template-ids:942731244 67698705 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
-@list l7:level1
-	{mso-level-text:"%1\)";
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;}
-@list l7:level2
-	{mso-level-number-format:alpha-lower;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;}
-@list l7:level3
-	{mso-level-number-format:roman-lower;
-	mso-level-tab-stop:none;
-	mso-level-number-position:right;
-	text-indent:-9.0pt;}
-@list l7:level4
-	{mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;}
-@list l7:level5
-	{mso-level-number-format:alpha-lower;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;}
-@list l7:level6
-	{mso-level-number-format:roman-lower;
-	mso-level-tab-stop:none;
-	mso-level-number-position:right;
-	text-indent:-9.0pt;}
-@list l7:level7
-	{mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;}
-@list l7:level8
-	{mso-level-number-format:alpha-lower;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;}
-@list l7:level9
-	{mso-level-number-format:roman-lower;
-	mso-level-tab-stop:none;
-	mso-level-number-position:right;
-	text-indent:-9.0pt;}
-@list l8
-	{mso-list-id:352611016;
-	mso-list-type:hybrid;
-	mso-list-template-ids:-2055053236 67698705 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
-@list l8:level1
-	{mso-level-text:"%1\)";
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;}
-@list l8:level2
-	{mso-level-number-format:alpha-lower;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;}
-@list l8:level3
-	{mso-level-number-format:roman-lower;
-	mso-level-tab-stop:none;
-	mso-level-number-position:right;
-	text-indent:-9.0pt;}
-@list l8:level4
-	{mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;}
-@list l8:level5
-	{mso-level-number-format:alpha-lower;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;}
-@list l8:level6
-	{mso-level-number-format:roman-lower;
-	mso-level-tab-stop:none;
-	mso-level-number-position:right;
-	text-indent:-9.0pt;}
-@list l8:level7
-	{mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;}
-@list l8:level8
-	{mso-level-number-format:alpha-lower;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;}
-@list l8:level9
-	{mso-level-number-format:roman-lower;
-	mso-level-tab-stop:none;
-	mso-level-number-position:right;
-	text-indent:-9.0pt;}
-@list l9
-	{mso-list-id:408237228;
-	mso-list-type:hybrid;
-	mso-list-template-ids:-1813769110 -606031210 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
-@list l9:level1
-	{mso-level-number-format:bullet;
-	mso-level-text:;
-	mso-level-tab-stop:.75in;
-	mso-level-number-position:left;
-	margin-left:.75in;
-	text-indent:-.25in;
-	font-family:"Times New Roman","serif";}
-@list l9:level2
-	{mso-level-number-format:bullet;
-	mso-level-text:o;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:1.25in;
-	text-indent:-.25in;
-	font-family:"Courier New";}
-@list l9:level3
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0A7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:1.75in;
-	text-indent:-.25in;
-	font-family:Wingdings;}
-@list l9:level4
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0B7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:2.25in;
-	text-indent:-.25in;
-	font-family:Symbol;}
-@list l9:level5
-	{mso-level-number-format:bullet;
-	mso-level-text:o;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:2.75in;
-	text-indent:-.25in;
-	font-family:"Courier New";}
-@list l9:level6
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0A7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:3.25in;
-	text-indent:-.25in;
-	font-family:Wingdings;}
-@list l9:level7
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0B7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:3.75in;
-	text-indent:-.25in;
-	font-family:Symbol;}
-@list l9:level8
-	{mso-level-number-format:bullet;
-	mso-level-text:o;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:4.25in;
-	text-indent:-.25in;
-	font-family:"Courier New";}
-@list l9:level9
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0A7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:4.75in;
-	text-indent:-.25in;
-	font-family:Wingdings;}
-@list l10
-	{mso-list-id:429930739;
-	mso-list-type:hybrid;
-	mso-list-template-ids:660902738 -606031210 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
-@list l10:level1
-	{mso-level-number-format:bullet;
-	mso-level-text:;
-	mso-level-tab-stop:.5in;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Times New Roman","serif";}
-@list l10:level2
-	{mso-level-number-format:bullet;
-	mso-level-text:o;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Courier New";}
-@list l10:level3
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0A7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Wingdings;}
-@list l10:level4
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0B7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Symbol;}
-@list l10:level5
-	{mso-level-number-format:bullet;
-	mso-level-text:o;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Courier New";}
-@list l10:level6
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0A7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Wingdings;}
-@list l10:level7
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0B7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Symbol;}
-@list l10:level8
-	{mso-level-number-format:bullet;
-	mso-level-text:o;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Courier New";}
-@list l10:level9
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0A7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Wingdings;}
-@list l11
-	{mso-list-id:459617094;
-	mso-list-type:hybrid;
-	mso-list-template-ids:-756269696 -220722202 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
-@list l11:level1
-	{mso-level-text:"%1\)";
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:.75in;
-	text-indent:-.25in;}
-@list l11:level2
-	{mso-level-number-format:alpha-lower;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:1.25in;
-	text-indent:-.25in;}
-@list l11:level3
-	{mso-level-number-format:roman-lower;
-	mso-level-tab-stop:none;
-	mso-level-number-position:right;
-	margin-left:1.75in;
-	text-indent:-9.0pt;}
-@list l11:level4
-	{mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:2.25in;
-	text-indent:-.25in;}
-@list l11:level5
-	{mso-level-number-format:alpha-lower;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:2.75in;
-	text-indent:-.25in;}
-@list l11:level6
-	{mso-level-number-format:roman-lower;
-	mso-level-tab-stop:none;
-	mso-level-number-position:right;
-	margin-left:3.25in;
-	text-indent:-9.0pt;}
-@list l11:level7
-	{mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:3.75in;
-	text-indent:-.25in;}
-@list l11:level8
-	{mso-level-number-format:alpha-lower;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:4.25in;
-	text-indent:-.25in;}
-@list l11:level9
-	{mso-level-number-format:roman-lower;
-	mso-level-tab-stop:none;
-	mso-level-number-position:right;
-	margin-left:4.75in;
-	text-indent:-9.0pt;}
-@list l12
-	{mso-list-id:472260649;
-	mso-list-type:hybrid;
-	mso-list-template-ids:323261092 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
-@list l12:level1
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0B7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Symbol;}
-@list l12:level2
-	{mso-level-number-format:bullet;
-	mso-level-text:o;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Courier New";}
-@list l12:level3
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0A7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Wingdings;}
-@list l12:level4
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0B7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Symbol;}
-@list l12:level5
-	{mso-level-number-format:bullet;
-	mso-level-text:o;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Courier New";}
-@list l12:level6
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0A7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Wingdings;}
-@list l12:level7
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0B7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Symbol;}
-@list l12:level8
-	{mso-level-number-format:bullet;
-	mso-level-text:o;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Courier New";}
-@list l12:level9
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0A7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Wingdings;}
-@list l13
-	{mso-list-id:569929020;
-	mso-list-type:hybrid;
-	mso-list-template-ids:-1812306624 67698703 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
-@list l13:level1
-	{mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;}
-@list l13:level2
-	{mso-level-number-format:alpha-lower;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;}
-@list l13:level3
-	{mso-level-number-format:roman-lower;
-	mso-level-tab-stop:none;
-	mso-level-number-position:right;
-	text-indent:-9.0pt;}
-@list l13:level4
-	{mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;}
-@list l13:level5
-	{mso-level-number-format:alpha-lower;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;}
-@list l13:level6
-	{mso-level-number-format:roman-lower;
-	mso-level-tab-stop:none;
-	mso-level-number-position:right;
-	text-indent:-9.0pt;}
-@list l13:level7
-	{mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;}
-@list l13:level8
-	{mso-level-number-format:alpha-lower;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;}
-@list l13:level9
-	{mso-level-number-format:roman-lower;
-	mso-level-tab-stop:none;
-	mso-level-number-position:right;
-	text-indent:-9.0pt;}
-@list l14
-	{mso-list-id:706487500;
-	mso-list-type:hybrid;
-	mso-list-template-ids:-1297577952 -606031210 -1297346110 2076623484 -1479669194 142794190 -802287618 -81219148 -1111036746 -1423013632;}
-@list l14:level1
-	{mso-level-number-format:bullet;
-	mso-level-text:;
-	mso-level-tab-stop:.5in;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Times New Roman","serif";}
-@list l14:level2
-	{mso-level-number-format:bullet;
-	mso-level-text:;
-	mso-level-tab-stop:1.0in;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Times New Roman","serif";}
-@list l14:level3
-	{mso-level-number-format:bullet;
-	mso-level-text:;
-	mso-level-tab-stop:1.5in;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Times New Roman","serif";}
-@list l14:level4
-	{mso-level-number-format:bullet;
-	mso-level-text:;
-	mso-level-tab-stop:2.0in;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Times New Roman","serif";}
-@list l14:level5
-	{mso-level-number-format:bullet;
-	mso-level-text:;
-	mso-level-tab-stop:2.5in;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Times New Roman","serif";}
-@list l14:level6
-	{mso-level-number-format:bullet;
-	mso-level-text:;
-	mso-level-tab-stop:3.0in;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Times New Roman","serif";}
-@list l14:level7
-	{mso-level-number-format:bullet;
-	mso-level-text:;
-	mso-level-tab-stop:3.5in;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Times New Roman","serif";}
-@list l14:level8
-	{mso-level-number-format:bullet;
-	mso-level-text:;
-	mso-level-tab-stop:4.0in;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Times New Roman","serif";}
-@list l14:level9
-	{mso-level-number-format:bullet;
-	mso-level-text:;
-	mso-level-tab-stop:4.5in;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Times New Roman","serif";}
-@list l15
-	{mso-list-id:744692889;
-	mso-list-type:hybrid;
-	mso-list-template-ids:-1530245928 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
-@list l15:level1
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0B7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:1.0in;
-	text-indent:-.25in;
-	font-family:Symbol;}
-@list l15:level2
-	{mso-level-number-format:bullet;
-	mso-level-text:o;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:1.5in;
-	text-indent:-.25in;
-	font-family:"Courier New";}
-@list l15:level3
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0A7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:2.0in;
-	text-indent:-.25in;
-	font-family:Wingdings;}
-@list l15:level4
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0B7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:2.5in;
-	text-indent:-.25in;
-	font-family:Symbol;}
-@list l15:level5
-	{mso-level-number-format:bullet;
-	mso-level-text:o;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:3.0in;
-	text-indent:-.25in;
-	font-family:"Courier New";}
-@list l15:level6
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0A7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:3.5in;
-	text-indent:-.25in;
-	font-family:Wingdings;}
-@list l15:level7
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0B7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:4.0in;
-	text-indent:-.25in;
-	font-family:Symbol;}
-@list l15:level8
-	{mso-level-number-format:bullet;
-	mso-level-text:o;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:4.5in;
-	text-indent:-.25in;
-	font-family:"Courier New";}
-@list l15:level9
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0A7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:5.0in;
-	text-indent:-.25in;
-	font-family:Wingdings;}
-@list l16
-	{mso-list-id:757680205;
-	mso-list-type:hybrid;
-	mso-list-template-ids:175019204 -1072557874 707161064 202383198 -516286808 -1644017316 -1124537578 1903569360 1751160296 1266824778;}
-@list l16:level1
-	{mso-level-number-format:bullet;
-	mso-level-text:;
-	mso-level-tab-stop:.5in;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Arial","sans-serif";
-	mso-bidi-font-family:"Times New Roman";}
-@list l16:level2
-	{mso-level-number-format:bullet;
-	mso-level-text:;
-	mso-level-tab-stop:1.0in;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Arial","sans-serif";
-	mso-bidi-font-family:"Times New Roman";}
-@list l16:level3
-	{mso-level-number-format:bullet;
-	mso-level-text:;
-	mso-level-tab-stop:1.5in;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Arial","sans-serif";
-	mso-bidi-font-family:"Times New Roman";}
-@list l16:level4
-	{mso-level-number-format:bullet;
-	mso-level-text:;
-	mso-level-tab-stop:2.0in;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Arial","sans-serif";
-	mso-bidi-font-family:"Times New Roman";}
-@list l16:level5
-	{mso-level-number-format:bullet;
-	mso-level-text:;
-	mso-level-tab-stop:2.5in;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Arial","sans-serif";
-	mso-bidi-font-family:"Times New Roman";}
-@list l16:level6
-	{mso-level-number-format:bullet;
-	mso-level-text:;
-	mso-level-tab-stop:3.0in;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Arial","sans-serif";
-	mso-bidi-font-family:"Times New Roman";}
-@list l16:level7
-	{mso-level-number-format:bullet;
-	mso-level-text:;
-	mso-level-tab-stop:3.5in;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Arial","sans-serif";
-	mso-bidi-font-family:"Times New Roman";}
-@list l16:level8
-	{mso-level-number-format:bullet;
-	mso-level-text:;
-	mso-level-tab-stop:4.0in;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Arial","sans-serif";
-	mso-bidi-font-family:"Times New Roman";}
-@list l16:level9
-	{mso-level-number-format:bullet;
-	mso-level-text:;
-	mso-level-tab-stop:4.5in;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Arial","sans-serif";
-	mso-bidi-font-family:"Times New Roman";}
-@list l17
-	{mso-list-id:778257005;
-	mso-list-type:hybrid;
-	mso-list-template-ids:1384833978 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
-@list l17:level1
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0B7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:1.0in;
-	text-indent:-.25in;
-	font-family:Symbol;}
-@list l17:level2
-	{mso-level-number-format:bullet;
-	mso-level-text:o;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:1.5in;
-	text-indent:-.25in;
-	font-family:"Courier New";}
-@list l17:level3
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0A7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:2.0in;
-	text-indent:-.25in;
-	font-family:Wingdings;}
-@list l17:level4
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0B7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:2.5in;
-	text-indent:-.25in;
-	font-family:Symbol;}
-@list l17:level5
-	{mso-level-number-format:bullet;
-	mso-level-text:o;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:3.0in;
-	text-indent:-.25in;
-	font-family:"Courier New";}
-@list l17:level6
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0A7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:3.5in;
-	text-indent:-.25in;
-	font-family:Wingdings;}
-@list l17:level7
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0B7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:4.0in;
-	text-indent:-.25in;
-	font-family:Symbol;}
-@list l17:level8
-	{mso-level-number-format:bullet;
-	mso-level-text:o;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:4.5in;
-	text-indent:-.25in;
-	font-family:"Courier New";}
-@list l17:level9
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0A7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:5.0in;
-	text-indent:-.25in;
-	font-family:Wingdings;}
-@list l18
-	{mso-list-id:834301006;
-	mso-list-type:hybrid;
-	mso-list-template-ids:-2002630492 -606031210 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
-@list l18:level1
-	{mso-level-number-format:bullet;
-	mso-level-text:;
-	mso-level-tab-stop:.5in;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Times New Roman","serif";}
-@list l18:level2
-	{mso-level-number-format:bullet;
-	mso-level-text:o;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Courier New";}
-@list l18:level3
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0A7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Wingdings;}
-@list l18:level4
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0B7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Symbol;}
-@list l18:level5
-	{mso-level-number-format:bullet;
-	mso-level-text:o;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Courier New";}
-@list l18:level6
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0A7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Wingdings;}
-@list l18:level7
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0B7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Symbol;}
-@list l18:level8
-	{mso-level-number-format:bullet;
-	mso-level-text:o;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Courier New";}
-@list l18:level9
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0A7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Wingdings;}
-@list l19
-	{mso-list-id:878205406;
-	mso-list-type:hybrid;
-	mso-list-template-ids:1417684554 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
-@list l19:level1
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0B7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Symbol;}
-@list l19:level2
-	{mso-level-number-format:bullet;
-	mso-level-text:o;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Courier New";}
-@list l19:level3
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0A7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Wingdings;}
-@list l19:level4
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0B7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Symbol;}
-@list l19:level5
-	{mso-level-number-format:bullet;
-	mso-level-text:o;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Courier New";}
-@list l19:level6
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0A7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Wingdings;}
-@list l19:level7
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0B7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Symbol;}
-@list l19:level8
-	{mso-level-number-format:bullet;
-	mso-level-text:o;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Courier New";}
-@list l19:level9
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0A7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Wingdings;}
-@list l20
-	{mso-list-id:919291507;
-	mso-list-type:hybrid;
-	mso-list-template-ids:-285414150 -606031210 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
-@list l20:level1
-	{mso-level-number-format:bullet;
-	mso-level-text:;
-	mso-level-tab-stop:.5in;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Times New Roman","serif";}
-@list l20:level2
-	{mso-level-number-format:bullet;
-	mso-level-text:o;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Courier New";}
-@list l20:level3
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0A7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Wingdings;}
-@list l20:level4
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0B7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Symbol;}
-@list l20:level5
-	{mso-level-number-format:bullet;
-	mso-level-text:o;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Courier New";}
-@list l20:level6
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0A7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Wingdings;}
-@list l20:level7
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0B7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Symbol;}
-@list l20:level8
-	{mso-level-number-format:bullet;
-	mso-level-text:o;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Courier New";}
-@list l20:level9
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0A7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Wingdings;}
-@list l21
-	{mso-list-id:927888618;
-	mso-list-type:hybrid;
-	mso-list-template-ids:534256980 67698691 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
-@list l21:level1
-	{mso-level-number-format:bullet;
-	mso-level-text:o;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Courier New";}
-@list l21:level2
-	{mso-level-number-format:bullet;
-	mso-level-text:o;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Courier New";}
-@list l21:level3
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0A7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Wingdings;}
-@list l21:level4
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0B7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Symbol;}
-@list l21:level5
-	{mso-level-number-format:bullet;
-	mso-level-text:o;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Courier New";}
-@list l21:level6
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0A7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Wingdings;}
-@list l21:level7
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0B7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Symbol;}
-@list l21:level8
-	{mso-level-number-format:bullet;
-	mso-level-text:o;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Courier New";}
-@list l21:level9
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0A7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Wingdings;}
-@list l22
-	{mso-list-id:1009405999;
-	mso-list-type:hybrid;
-	mso-list-template-ids:-557834622 67698705 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
-@list l22:level1
-	{mso-level-text:"%1\)";
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;}
-@list l22:level2
-	{mso-level-number-format:alpha-lower;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;}
-@list l22:level3
-	{mso-level-number-format:roman-lower;
-	mso-level-tab-stop:none;
-	mso-level-number-position:right;
-	text-indent:-9.0pt;}
-@list l22:level4
-	{mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;}
-@list l22:level5
-	{mso-level-number-format:alpha-lower;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;}
-@list l22:level6
-	{mso-level-number-format:roman-lower;
-	mso-level-tab-stop:none;
-	mso-level-number-position:right;
-	text-indent:-9.0pt;}
-@list l22:level7
-	{mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;}
-@list l22:level8
-	{mso-level-number-format:alpha-lower;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;}
-@list l22:level9
-	{mso-level-number-format:roman-lower;
-	mso-level-tab-stop:none;
-	mso-level-number-position:right;
-	text-indent:-9.0pt;}
-@list l23
-	{mso-list-id:1135299525;
-	mso-list-type:hybrid;
-	mso-list-template-ids:335442640 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
-@list l23:level1
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0B7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Symbol;}
-@list l23:level2
-	{mso-level-number-format:bullet;
-	mso-level-text:o;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Courier New";}
-@list l23:level3
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0A7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Wingdings;}
-@list l23:level4
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0B7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Symbol;}
-@list l23:level5
-	{mso-level-number-format:bullet;
-	mso-level-text:o;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Courier New";}
-@list l23:level6
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0A7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Wingdings;}
-@list l23:level7
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0B7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Symbol;}
-@list l23:level8
-	{mso-level-number-format:bullet;
-	mso-level-text:o;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Courier New";}
-@list l23:level9
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0A7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Wingdings;}
-@list l24
-	{mso-list-id:1259800777;
-	mso-list-type:hybrid;
-	mso-list-template-ids:1683795436 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
-@list l24:level1
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0B7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:1.0in;
-	text-indent:-.25in;
-	font-family:Symbol;}
-@list l24:level2
-	{mso-level-number-format:bullet;
-	mso-level-text:o;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:1.5in;
-	text-indent:-.25in;
-	font-family:"Courier New";}
-@list l24:level3
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0A7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:2.0in;
-	text-indent:-.25in;
-	font-family:Wingdings;}
-@list l24:level4
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0B7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:2.5in;
-	text-indent:-.25in;
-	font-family:Symbol;}
-@list l24:level5
-	{mso-level-number-format:bullet;
-	mso-level-text:o;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:3.0in;
-	text-indent:-.25in;
-	font-family:"Courier New";}
-@list l24:level6
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0A7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:3.5in;
-	text-indent:-.25in;
-	font-family:Wingdings;}
-@list l24:level7
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0B7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:4.0in;
-	text-indent:-.25in;
-	font-family:Symbol;}
-@list l24:level8
-	{mso-level-number-format:bullet;
-	mso-level-text:o;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:4.5in;
-	text-indent:-.25in;
-	font-family:"Courier New";}
-@list l24:level9
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0A7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:5.0in;
-	text-indent:-.25in;
-	font-family:Wingdings;}
-@list l25
-	{mso-list-id:1268923595;
-	mso-list-type:hybrid;
-	mso-list-template-ids:347531028 -606031210 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
-@list l25:level1
-	{mso-level-number-format:bullet;
-	mso-level-text:;
-	mso-level-tab-stop:.5in;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Times New Roman","serif";}
-@list l25:level2
-	{mso-level-number-format:bullet;
-	mso-level-text:o;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Courier New";}
-@list l25:level3
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0A7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Wingdings;}
-@list l25:level4
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0B7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Symbol;}
-@list l25:level5
-	{mso-level-number-format:bullet;
-	mso-level-text:o;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Courier New";}
-@list l25:level6
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0A7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Wingdings;}
-@list l25:level7
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0B7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Symbol;}
-@list l25:level8
-	{mso-level-number-format:bullet;
-	mso-level-text:o;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Courier New";}
-@list l25:level9
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0A7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Wingdings;}
-@list l26
-	{mso-list-id:1324777341;
-	mso-list-type:hybrid;
-	mso-list-template-ids:1566070432 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
-@list l26:level1
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0B7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Symbol;}
-@list l26:level2
-	{mso-level-number-format:bullet;
-	mso-level-text:o;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Courier New";}
-@list l26:level3
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0A7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Wingdings;}
-@list l26:level4
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0B7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Symbol;}
-@list l26:level5
-	{mso-level-number-format:bullet;
-	mso-level-text:o;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Courier New";}
-@list l26:level6
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0A7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Wingdings;}
-@list l26:level7
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0B7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Symbol;}
-@list l26:level8
-	{mso-level-number-format:bullet;
-	mso-level-text:o;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Courier New";}
-@list l26:level9
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0A7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Wingdings;}
-@list l27
-	{mso-list-id:1371953485;
-	mso-list-type:hybrid;
-	mso-list-template-ids:919913810 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
-@list l27:level1
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0B7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:1.0in;
-	text-indent:-.25in;
-	font-family:Symbol;}
-@list l27:level2
-	{mso-level-number-format:bullet;
-	mso-level-text:o;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:1.5in;
-	text-indent:-.25in;
-	font-family:"Courier New";}
-@list l27:level3
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0A7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:2.0in;
-	text-indent:-.25in;
-	font-family:Wingdings;}
-@list l27:level4
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0B7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:2.5in;
-	text-indent:-.25in;
-	font-family:Symbol;}
-@list l27:level5
-	{mso-level-number-format:bullet;
-	mso-level-text:o;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:3.0in;
-	text-indent:-.25in;
-	font-family:"Courier New";}
-@list l27:level6
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0A7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:3.5in;
-	text-indent:-.25in;
-	font-family:Wingdings;}
-@list l27:level7
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0B7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:4.0in;
-	text-indent:-.25in;
-	font-family:Symbol;}
-@list l27:level8
-	{mso-level-number-format:bullet;
-	mso-level-text:o;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:4.5in;
-	text-indent:-.25in;
-	font-family:"Courier New";}
-@list l27:level9
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0A7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:5.0in;
-	text-indent:-.25in;
-	font-family:Wingdings;}
-@list l28
-	{mso-list-id:1470199665;
-	mso-list-type:hybrid;
-	mso-list-template-ids:200833058 653957714 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
-@list l28:level1
-	{mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:.75in;
-	text-indent:-.25in;
-	mso-ansi-font-weight:bold;}
-@list l28:level2
-	{mso-level-number-format:alpha-lower;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:1.25in;
-	text-indent:-.25in;}
-@list l28:level3
-	{mso-level-number-format:roman-lower;
-	mso-level-tab-stop:none;
-	mso-level-number-position:right;
-	margin-left:1.75in;
-	text-indent:-9.0pt;}
-@list l28:level4
-	{mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:2.25in;
-	text-indent:-.25in;}
-@list l28:level5
-	{mso-level-number-format:alpha-lower;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:2.75in;
-	text-indent:-.25in;}
-@list l28:level6
-	{mso-level-number-format:roman-lower;
-	mso-level-tab-stop:none;
-	mso-level-number-position:right;
-	margin-left:3.25in;
-	text-indent:-9.0pt;}
-@list l28:level7
-	{mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:3.75in;
-	text-indent:-.25in;}
-@list l28:level8
-	{mso-level-number-format:alpha-lower;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:4.25in;
-	text-indent:-.25in;}
-@list l28:level9
-	{mso-level-number-format:roman-lower;
-	mso-level-tab-stop:none;
-	mso-level-number-position:right;
-	margin-left:4.75in;
-	text-indent:-9.0pt;}
-@list l29
-	{mso-list-id:1542597610;
-	mso-list-type:hybrid;
-	mso-list-template-ids:-223980410 -606031210 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
-@list l29:level1
-	{mso-level-number-format:bullet;
-	mso-level-text:;
-	mso-level-tab-stop:.5in;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Times New Roman","serif";}
-@list l29:level2
-	{mso-level-number-format:bullet;
-	mso-level-text:o;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Courier New";}
-@list l29:level3
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0A7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Wingdings;}
-@list l29:level4
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0B7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Symbol;}
-@list l29:level5
-	{mso-level-number-format:bullet;
-	mso-level-text:o;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Courier New";}
-@list l29:level6
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0A7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Wingdings;}
-@list l29:level7
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0B7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Symbol;}
-@list l29:level8
-	{mso-level-number-format:bullet;
-	mso-level-text:o;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Courier New";}
-@list l29:level9
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0A7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Wingdings;}
-@list l30
-	{mso-list-id:1658223727;
-	mso-list-type:hybrid;
-	mso-list-template-ids:-278248284 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
-@list l30:level1
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0B7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Symbol;}
-@list l30:level2
-	{mso-level-number-format:bullet;
-	mso-level-text:o;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Courier New";}
-@list l30:level3
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0A7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Wingdings;}
-@list l30:level4
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0B7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Symbol;}
-@list l30:level5
-	{mso-level-number-format:bullet;
-	mso-level-text:o;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Courier New";}
-@list l30:level6
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0A7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Wingdings;}
-@list l30:level7
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0B7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Symbol;}
-@list l30:level8
-	{mso-level-number-format:bullet;
-	mso-level-text:o;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Courier New";}
-@list l30:level9
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0A7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Wingdings;}
-@list l31
-	{mso-list-id:1668291820;
-	mso-list-type:hybrid;
-	mso-list-template-ids:-221496802 1032849646 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
-@list l31:level1
-	{mso-level-text:"%1\)";
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:.75in;
-	text-indent:-.25in;}
-@list l31:level2
-	{mso-level-number-format:alpha-lower;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:1.25in;
-	text-indent:-.25in;}
-@list l31:level3
-	{mso-level-number-format:roman-lower;
-	mso-level-tab-stop:none;
-	mso-level-number-position:right;
-	margin-left:1.75in;
-	text-indent:-9.0pt;}
-@list l31:level4
-	{mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:2.25in;
-	text-indent:-.25in;}
-@list l31:level5
-	{mso-level-number-format:alpha-lower;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:2.75in;
-	text-indent:-.25in;}
-@list l31:level6
-	{mso-level-number-format:roman-lower;
-	mso-level-tab-stop:none;
-	mso-level-number-position:right;
-	margin-left:3.25in;
-	text-indent:-9.0pt;}
-@list l31:level7
-	{mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:3.75in;
-	text-indent:-.25in;}
-@list l31:level8
-	{mso-level-number-format:alpha-lower;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:4.25in;
-	text-indent:-.25in;}
-@list l31:level9
-	{mso-level-number-format:roman-lower;
-	mso-level-tab-stop:none;
-	mso-level-number-position:right;
-	margin-left:4.75in;
-	text-indent:-9.0pt;}
-@list l32
-	{mso-list-id:1719165480;
-	mso-list-type:hybrid;
-	mso-list-template-ids:480281366 67698705 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
-@list l32:level1
-	{mso-level-text:"%1\)";
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;}
-@list l32:level2
-	{mso-level-number-format:alpha-lower;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;}
-@list l32:level3
-	{mso-level-number-format:roman-lower;
-	mso-level-tab-stop:none;
-	mso-level-number-position:right;
-	text-indent:-9.0pt;}
-@list l32:level4
-	{mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;}
-@list l32:level5
-	{mso-level-number-format:alpha-lower;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;}
-@list l32:level6
-	{mso-level-number-format:roman-lower;
-	mso-level-tab-stop:none;
-	mso-level-number-position:right;
-	text-indent:-9.0pt;}
-@list l32:level7
-	{mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;}
-@list l32:level8
-	{mso-level-number-format:alpha-lower;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;}
-@list l32:level9
-	{mso-level-number-format:roman-lower;
-	mso-level-tab-stop:none;
-	mso-level-number-position:right;
-	text-indent:-9.0pt;}
-@list l33
-	{mso-list-id:1735615887;
-	mso-list-type:hybrid;
-	mso-list-template-ids:1965696710 -248099998 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
-@list l33:level1
-	{mso-level-text:"%1\)";
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:.75in;
-	text-indent:-.25in;}
-@list l33:level2
-	{mso-level-number-format:alpha-lower;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:1.25in;
-	text-indent:-.25in;}
-@list l33:level3
-	{mso-level-number-format:roman-lower;
-	mso-level-tab-stop:none;
-	mso-level-number-position:right;
-	margin-left:1.75in;
-	text-indent:-9.0pt;}
-@list l33:level4
-	{mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:2.25in;
-	text-indent:-.25in;}
-@list l33:level5
-	{mso-level-number-format:alpha-lower;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:2.75in;
-	text-indent:-.25in;}
-@list l33:level6
-	{mso-level-number-format:roman-lower;
-	mso-level-tab-stop:none;
-	mso-level-number-position:right;
-	margin-left:3.25in;
-	text-indent:-9.0pt;}
-@list l33:level7
-	{mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:3.75in;
-	text-indent:-.25in;}
-@list l33:level8
-	{mso-level-number-format:alpha-lower;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:4.25in;
-	text-indent:-.25in;}
-@list l33:level9
-	{mso-level-number-format:roman-lower;
-	mso-level-tab-stop:none;
-	mso-level-number-position:right;
-	margin-left:4.75in;
-	text-indent:-9.0pt;}
-@list l34
-	{mso-list-id:1782453638;
-	mso-list-type:hybrid;
-	mso-list-template-ids:-521994616 -606031210 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
-@list l34:level1
-	{mso-level-number-format:bullet;
-	mso-level-text:;
-	mso-level-tab-stop:.5in;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Times New Roman","serif";}
-@list l34:level2
-	{mso-level-number-format:bullet;
-	mso-level-text:o;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Courier New";}
-@list l34:level3
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0A7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Wingdings;}
-@list l34:level4
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0B7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Symbol;}
-@list l34:level5
-	{mso-level-number-format:bullet;
-	mso-level-text:o;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Courier New";}
-@list l34:level6
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0A7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Wingdings;}
-@list l34:level7
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0B7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Symbol;}
-@list l34:level8
-	{mso-level-number-format:bullet;
-	mso-level-text:o;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Courier New";}
-@list l34:level9
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0A7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Wingdings;}
-@list l35
-	{mso-list-id:1854955638;
-	mso-list-type:hybrid;
-	mso-list-template-ids:-1051832468 -1131242166 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
-@list l35:level1
-	{mso-level-start-at:2;
-	mso-level-number-format:alpha-lower;
-	mso-level-text:"%1\)";
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:77.4pt;
-	text-indent:-.25in;}
-@list l35:level2
-	{mso-level-number-format:alpha-lower;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:113.4pt;
-	text-indent:-.25in;}
-@list l35:level3
-	{mso-level-number-format:roman-lower;
-	mso-level-tab-stop:none;
-	mso-level-number-position:right;
-	margin-left:149.4pt;
-	text-indent:-9.0pt;}
-@list l35:level4
-	{mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:185.4pt;
-	text-indent:-.25in;}
-@list l35:level5
-	{mso-level-number-format:alpha-lower;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:221.4pt;
-	text-indent:-.25in;}
-@list l35:level6
-	{mso-level-number-format:roman-lower;
-	mso-level-tab-stop:none;
-	mso-level-number-position:right;
-	margin-left:257.4pt;
-	text-indent:-9.0pt;}
-@list l35:level7
-	{mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:293.4pt;
-	text-indent:-.25in;}
-@list l35:level8
-	{mso-level-number-format:alpha-lower;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:329.4pt;
-	text-indent:-.25in;}
-@list l35:level9
-	{mso-level-number-format:roman-lower;
-	mso-level-tab-stop:none;
-	mso-level-number-position:right;
-	margin-left:365.4pt;
-	text-indent:-9.0pt;}
-@list l36
-	{mso-list-id:1865436252;
-	mso-list-type:hybrid;
-	mso-list-template-ids:829867566 67698703 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
-@list l36:level1
-	{mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;}
-@list l36:level2
-	{mso-level-number-format:alpha-lower;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;}
-@list l36:level3
-	{mso-level-number-format:roman-lower;
-	mso-level-tab-stop:none;
-	mso-level-number-position:right;
-	text-indent:-9.0pt;}
-@list l36:level4
-	{mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;}
-@list l36:level5
-	{mso-level-number-format:alpha-lower;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;}
-@list l36:level6
-	{mso-level-number-format:roman-lower;
-	mso-level-tab-stop:none;
-	mso-level-number-position:right;
-	text-indent:-9.0pt;}
-@list l36:level7
-	{mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;}
-@list l36:level8
-	{mso-level-number-format:alpha-lower;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;}
-@list l36:level9
-	{mso-level-number-format:roman-lower;
-	mso-level-tab-stop:none;
-	mso-level-number-position:right;
-	text-indent:-9.0pt;}
-@list l37
-	{mso-list-id:1871797321;
-	mso-list-type:hybrid;
-	mso-list-template-ids:1772274718 67698703 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
-@list l37:level1
-	{mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;}
-@list l37:level2
-	{mso-level-number-format:alpha-lower;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;}
-@list l37:level3
-	{mso-level-number-format:roman-lower;
-	mso-level-tab-stop:none;
-	mso-level-number-position:right;
-	text-indent:-9.0pt;}
-@list l37:level4
-	{mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;}
-@list l37:level5
-	{mso-level-number-format:alpha-lower;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;}
-@list l37:level6
-	{mso-level-number-format:roman-lower;
-	mso-level-tab-stop:none;
-	mso-level-number-position:right;
-	text-indent:-9.0pt;}
-@list l37:level7
-	{mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;}
-@list l37:level8
-	{mso-level-number-format:alpha-lower;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;}
-@list l37:level9
-	{mso-level-number-format:roman-lower;
-	mso-level-tab-stop:none;
-	mso-level-number-position:right;
-	text-indent:-9.0pt;}
-@list l38
-	{mso-list-id:2028824457;
-	mso-list-type:hybrid;
-	mso-list-template-ids:1730040010 -606031210 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
-@list l38:level1
-	{mso-level-number-format:bullet;
-	mso-level-text:;
-	mso-level-tab-stop:.5in;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Times New Roman","serif";}
-@list l38:level2
-	{mso-level-number-format:bullet;
-	mso-level-text:o;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Courier New";}
-@list l38:level3
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0A7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Wingdings;}
-@list l38:level4
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0B7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Symbol;}
-@list l38:level5
-	{mso-level-number-format:bullet;
-	mso-level-text:o;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Courier New";}
-@list l38:level6
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0A7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Wingdings;}
-@list l38:level7
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0B7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Symbol;}
-@list l38:level8
-	{mso-level-number-format:bullet;
-	mso-level-text:o;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Courier New";}
-@list l38:level9
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0A7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Wingdings;}
-@list l39
-	{mso-list-id:2064063239;
-	mso-list-type:hybrid;
-	mso-list-template-ids:1768198160 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
-@list l39:level1
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0B7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Symbol;}
-@list l39:level2
-	{mso-level-number-format:bullet;
-	mso-level-text:o;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Courier New";}
-@list l39:level3
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0A7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Wingdings;}
-@list l39:level4
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0B7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Symbol;}
-@list l39:level5
-	{mso-level-number-format:bullet;
-	mso-level-text:o;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Courier New";}
-@list l39:level6
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0A7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Wingdings;}
-@list l39:level7
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0B7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Symbol;}
-@list l39:level8
-	{mso-level-number-format:bullet;
-	mso-level-text:o;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:"Courier New";}
-@list l39:level9
-	{mso-level-number-format:bullet;
-	mso-level-text:\[[F0A7]];
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;
-	font-family:Wingdings;}
-@list l40
-	{mso-list-id:2096240889;
-	mso-list-type:hybrid;
-	mso-list-template-ids:-2032233358 -2076565284 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
-@list l40:level1
-	{mso-level-text:"%1\)";
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	margin-left:77.4pt;
-	text-indent:-.25in;}
-@list l40:level2
-	{mso-level-number-format:alpha-lower;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;}
-@list l40:level3
-	{mso-level-number-format:roman-lower;
-	mso-level-tab-stop:none;
-	mso-level-number-position:right;
-	text-indent:-9.0pt;}
-@list l40:level4
-	{mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;}
-@list l40:level5
-	{mso-level-number-format:alpha-lower;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;}
-@list l40:level6
-	{mso-level-number-format:roman-lower;
-	mso-level-tab-stop:none;
-	mso-level-number-position:right;
-	text-indent:-9.0pt;}
-@list l40:level7
-	{mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;}
-@list l40:level8
-	{mso-level-number-format:alpha-lower;
-	mso-level-tab-stop:none;
-	mso-level-number-position:left;
-	text-indent:-.25in;}
-@list l40:level9
-	{mso-level-number-format:roman-lower;
-	mso-level-tab-stop:none;
-	mso-level-number-position:right;
-	text-indent:-9.0pt;}
-ol
-	{margin-bottom:0in;}
-ul
-	{margin-bottom:0in;}
--->
-</style>
-<!--[if gte mso 10]>
-<style>
- /* Style Definitions */
- table.[[MsoNormalTable]]
-	{mso-style-name:"Table Normal";
-	mso-tstyle-rowband-size:0;
-	mso-tstyle-colband-size:0;
-	mso-style-noshow:yes;
-	mso-style-priority:99;
-	mso-style-parent:"";
-	mso-padding-alt:0in 5.4pt 0in 5.4pt;
-	mso-para-margin-top:0in;
-	mso-para-margin-right:0in;
-	mso-para-margin-bottom:10.0pt;
-	mso-para-margin-left:0in;
-	line-height:115%;
-	mso-pagination:widow-orphan;
-	font-size:11.0pt;
-	font-family:"Calibri","sans-serif";
-	mso-ascii-font-family:Calibri;
-	mso-ascii-theme-font:minor-latin;
-	mso-hansi-font-family:Calibri;
-	mso-hansi-theme-font:minor-latin;
-	mso-bidi-font-family:"Times New Roman";
-	mso-bidi-theme-font:minor-bidi;}
-</style>
-<![endif]--><!--[if gte mso 9]><xml>
- <o:shapedefaults v:ext="edit" spidmax="1026"/>
-</xml><![endif]--><!--[if gte mso 9]><xml>
- <o:shapelayout v:ext="edit">
-  <o:idmap v:ext="edit" data="1"/>
- </o:shapelayout></xml><![endif]-->
-</head>
-<body lang=EN-US link=blue vlink=purple style='tab-interval:.5in'>
+              Choice of Encryption Algorithm
+•	AES
+•	DES
+•	RSA
+•	And beyond …
-<div class=[[WordSection1]]>
+Design Considerations
+Key Manager Access
+        Restricting access to the Key Manager to only [[OpenStack]] services would increase security. That is, no end user access.
+Access Control
+Keys inserted by a service only accessible by that service. Is there a use case to support a global access?
+Master Key
+       Each [[OpenStack]] service that uses Key Manager to maintain its keys could have its own master key and use the same to encrypt a key string before passing it for storage to the Key Manager. The Master key could reside on a python key ring (currently it is included in common module in [[OpenStack]] and readily available to all packages).
+Benefits:
+.	Communication between the service and the key manager do not need to be further encrypted using ssl or https because they keys flying between them are at all times encrypted. The decrypted key string would at any time only reside on the service that seeks to save it or use.
+.	Keys used by different open stack services could reside in a single storage system but if one service were to be compromised, the keys from other services would still be safe.
+.	Further, should there be a desire to change a master key, only keys stored by that service need to be re-encrypted. The actual data that they were used to encrypt do not  need to be re-encrypted.
+Fault Tolerance and High Availability
+Key Manager’s keys need to be accessible at the same level as the objects they encrypt which makes for have the keys stored on a Swift like Object Storage system. Our implementation will be based on this strategy.
-<h1>Object Encryption: Extending Swift </h1>
+Swift API Changes (vx.1)
+.	Put    (also   cli “upload)
+       “put” to take optional arguments should take optional args
+•	encrypt=True|False,  absence is the same as False
+•	enc-alg=AES-CBC ..|RSA|DES   (Mirantis selected AES-CBC)
+•	enc-key-size=128|192|256 .. default 256  (Mirantis selected 256)
+•	enc-key-string
+•	<project-id>     (account, container, object-name == all the usual suspects same as before)
+(To accommodate for domains and project names having to be only unique within a domain, there will be changes in Swift API semantics, in essence a unique project-id will be provided).
-<p class=[[MsoNormal]]><o:p>&nbsp;</o:p></p>
+The encrypted object will be stored in Swift and the object meta data shall reflect these parameters. It shall further include a reference to its encryption key, key-id.
+Alternately a reference to an initialization vector will be provided, IV-id.
-<p class=[[MsoNormal]]><span class=SpellE>[[OpenStack]]s</span> object storage system
+.	Get  (also cli command)
-provides high availability and fault tolerance but for data at rest protection,
+•	enc-key-string
-client side encryption is required. Amazon and Googles object storage systems
+If an enc-key-string is provided, it is used to decrypt the retrieved object using the other meta data associated with the object. If enc-key-string is not provided, but the meta data indicates that it is encrypted, then key-id if it exists is used to decrypt the object. If IV-id is provided, then the project-id is used to retrieve the project specific key and this is used in conjunction with the IV string retrieved using IV-id to decrypt the object and return to the user.
-provide transparent data encryption. Server side encryption with key management
-would make data protection more readily available, enable harnessing of any special
-hardware encryption support on the servers, make available a larger set of
-encryption algorithms and reduce client maintenance effort. </p>
-<p class=[[MsoNormal]]>Protecting data involves not only encryption support but
+.	Put-Key, Get-Key, Create-key  (cli-commands for the same)
-also key management, the storing, protecting, and making the encryption keys readily
-available, without storing data and keys on the same device. We shall address
-thus both encryption and key management. Before we dig into the details, we
-take a brief look at the security model and design options and decisions to
-provide a phased support.</p>
-<h2>Security Model</h2>
+•	Put-key, arguments: key-string, project-id
+o	Encrypt key-string using  master key to get enc-key-string
+o	Create key-id using  hash(DM5 or Sha)(project-id . enc-key-string
+o	Invoke Swift put using account=service-id (Swift|Cinder ..), enc-key-string and key-id from above, specify encrpt=false. (container could be “keys” or “project-id”)
+•	Create-key	project-id
+o	Invokes Put-key after first generating a random key-string. Create key returns both the key-id and the unencrypted random key-string that was generated.
+•	Get-key key-id
+o	Invokes a Swift get with account=service-id, container = keys or project-id, and key-id.
+o	The encrypted key string retrieved above is decrypted using the service  master key and the plain text key is returned.
+Key-Manager API  (v 1.0)
+.	Put <encrypted-key-string> <key-id>
+Return success/failure and the key-id.
-<p class=[[MsoListParagraphCxSpFirst]] style='text-indent:-.25in;mso-list:l19 level1 lfo16'><![if !supportLists]><span
+.	Get <key-id>   returns the encrypted-key-string
-style='font-family:Symbol;mso-fareast-font-family:Symbol;mso-bidi-font-family:
+.	Delete <key-id>  deletes the entry
-Symbol'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-</span></span></span><![endif]><b style='mso-bidi-font-weight:normal'>Protection
-of data at rest: data encrypted and keys held in a separate location</b>. Stealing
-the data disk still leaves the data protected. </p>
-<p class=[[MsoListParagraphCxSpMiddle]] style='text-indent:-.25in;mso-list:l19 level1 lfo16'><![if !supportLists]><span
+Swift Changes
-style='font-family:Symbol;mso-fareast-font-family:Symbol;mso-bidi-font-family:
+Put Path
-Symbol'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+o	If encryption is required, and the key string is provided, it shall be used.
-</span></span></span><![endif]><b style='mso-bidi-font-weight:normal'>Keys will
+o	If no key string is provided, the system invokes create-key, and on success uses the random key-string generated to encrypt the object and annotate it by way of meta data with the encryption parameters including key-id. Create-key internally contacts key-manager and saves the random key generated.
-also be encrypted, using a Master-key</b>. One thing to keep safe as opposed to
+o	If a key-string is provided, the key-manager is bypassed and instead before put is attempted, the object is first encrypted. It is the responsibility of the get call to provide the appropriate decryption key.
-multiple keys. A notion similar to a safe deposit box requiring a bank key and
+o	No change if encryption is not requested.
-a customer key to open.</p>
+Get Path
+           If the retrieved object indicates Encrypt=true, then the encryption related meta data is used and the key-manger used to obtain the encrypted key string used to encrypt the retrieved object and the information used accordingly.
+Delete Path
+If each object has a distinct encryption key, then when an object is deleted, the key-manager may also delete the string saved against key-id or IV-id. How should we indicate whether we are using a common key that must not be deleted?
+General remarks:
+o	Encryption occurs on Swift which typically is doing more IO than compute, so this would better exploit the hardware resources on Swift.
+o	Additional network traffic to chat with the Key Manager to store and retrieve keys. Keys could be cached in the Swift node memory.
+o	SSL, HTTPS used for client communication with Swift is what protects the encryption key string in transit.
-<p class=[[MsoListParagraphCxSpMiddle]] style='text-indent:-.25in;mso-list:l19 level1 lfo16'><![if !supportLists]><span
+Concerns/Questions
-style='font-family:Symbol;mso-fareast-font-family:Symbol;mso-bidi-font-family:
+•	Data transfer overhead: Swift uses Rsync for file transfer during replication. Any encryption algorithm that uses some form of block cipher chaining or new initialization vector each time would result in the object representation changing drastically on each update. This would result in a larger network payload for transmission.
-Symbol'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+•	More things that can fail:  With a key manager and an object storage system, there are two systems that can fail or be compromised, increasing the chance of things failing.
-</span></span></span><![endif]><b style='mso-bidi-font-weight:normal'>Key
+•	Unauthorized key deletion: If we use a Swift based system to storing keys and insert tombstone records to mimic a legitimate deletion after breaking into a Swift storage node, yes, keys could indeed be deleted on a reaper task, but this would be no new security hazard from what Swift deals with today. Perhaps we could introduce a check that there was a logged request to delete a key before deleting a key.
-Manager will not maintain mapping between keys to objects</b>.</p>
+•	Wary of losing control of encryption key(s):  Support the use case where the end user provides the encryption key (and stores a copy of their own key, and is responsible for maintaining safety of the key). The said key will not then be saved in the Key Manager.
+•	Caching: Should only cache encrypted data.
+•	Snap shots:  Any standard mechanism is fine. No change necessary, data is encrypted.
+•	Do we need an IV (initialization vector) for each object encrypted. Yes, if we take the common key for a project or domain approach. In this case the IV would need to be encrypted, and could be stored against a key-id. We could specify “compound-encryption” to imply use a master key in conjunction with the IV (accessed via the iv-id attached to the object meta-data).
+•	No re-keying in phase-1. Not addressing background tasks of object re-keying such as that mentioned in Mirantis blog.
-<p class=[[MsoListParagraphCxSpMiddle]] style='text-indent:-.25in;mso-list:l19 level1 lfo16'><![if !supportLists]><span
+Implementation versions
-style='font-family:Symbol;mso-fareast-font-family:Symbol;mso-bidi-font-family:
+•	Phase 1: Develop stub Key Manager service and specify encryption parameters in the url.
-Symbol'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+Key manager could just be a hash table in the first version to get all the APIs specified and implement, to get the plumbing correct. Support a single most popular encryption algorithm.
-</span></span></span><![endif]><b style='mso-bidi-font-weight:normal'>Authorization
+This would fully implement object encryption.
-and access control support for key manager to protect from unauthorized use</b>.</p>
+•	Phase-2: Make Key Manager is Swift instance, with multiple zones for storage. This would support true HA and fault tolerance.
+•	Phase-3: Support multiple encryption algorithms. For instance, volume encryption may prefer XTS, an encryption strategy that uses sector address.
+•	Phase-4: Reaper routine to change a master key for a service
-<p class=[[MsoListParagraphCxSpLast]] style='text-indent:-.25in;mso-list:l19 level1 lfo16'><![if !supportLists]><span
+Intel’s Interest
-style='font-family:Symbol;mso-fareast-font-family:Symbol;mso-bidi-font-family:
+Intel X86 hardware in Westmere and beyond provides AES-NI, hardware support for encryption/decryption. These speed up encryption/decryption. Further, Intel provides open source libraries to speed computation further by parallelizing the operations (multibuffer) and interleaving them (function stitching). The references give pointers to white papers.
-Symbol'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+Intel product generations are incorporating wider registers which enables further parallelization of cryptographic operations.
-</span></span></span><![endif]><b style='mso-bidi-font-weight:normal'>Protection
+Future
-from denial of service</b>, either from malicious activity or natural disasters
+•	Store user encryption preferences such as default key string, size, and encryption algorithm, to be passed along with the authentication token and used by Swift during object insertion. This would reduce put URL request lengths, while yet allowing flexibility in algorithm selection.
-by way of key replication (akin to object replication and recovery in Swift).</p>
-<h2>Use Cases</h2>
+Glossary
+Key-string:  A string of bits used to encrypt data. Could be auto-generated or end-user provided.
+Key-id: a unique ID used to index a key-string in the system. The key-id will be attached as meta data with the encrypted object.
+Master-key: a key-string used to encrypt the keys (key-strings) in the Key Manager
-<p class=[[MsoNormal]] style='text-indent:.5in'><b style='mso-bidi-font-weight:
+References
-normal'>Key Provider</b>:</p>
+http://www.mirantis.com/blog/openstack-swift-encryption-architecture http://www.egnyte.com/blog/2012/05/encryption-at-rest-in-egnyte-object-store-eos.html http://en.wikipedia.org/wiki/CBC-MAC
+http://en.wikipedia.org/wiki/Advanced_Encryption_Standard
-<p class=[[MsoListParagraphCxSpFirst]] style='margin-left:1.0in;mso-add-space:auto;
+       http://wiki.openstack.org/VolumeEncryption
-text-indent:-.25in;mso-list:l17 level1 lfo18'><![if !supportLists]><span
+Fast Cryptographic computation on IA processors via Function Stitching  http://download.intel.com/design/intarch/PAPERS/323686.pdf
-style='font-family:Symbol;mso-fareast-font-family:Symbol;mso-bidi-font-family:
+Processing Multiple buffers in parallel -  http://download.intel.com/design/intarch/papers/324101.pdf
-Symbol'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+       XTS efficient implementation: http://download.intel.com/design/intarch/PAPERS/324310.pdf
-</span></span></span><![endif]><b style='mso-bidi-font-weight:normal'>User</b> (would
-rather not delegate trust, plans to use the same key for each <span
-class=GramE>object ..</span>)</p>
-<p class=[[MsoListParagraphCxSpLast]] style='margin-left:1.0in;mso-add-space:auto;
-text-indent:-.25in;mso-list:l17 level1 lfo18'><![if !supportLists]><span
-style='font-family:Symbol;mso-fareast-font-family:Symbol;mso-bidi-font-family:
-Symbol'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-</span></span></span><![endif]><b style='mso-bidi-font-weight:normal'>Auto-generation
-</b>(either by the object storage system or key manager)</p>
-<p class=[[MsoNormal]] style='margin-left:.5in'><b style='mso-bidi-font-weight:
-normal'>Key Scope:<o:p></o:p></b></p>
-<p class=[[MsoListParagraphCxSpFirst]] style='margin-left:1.0in;mso-add-space:auto;
-text-indent:-.25in;mso-list:l15 level1 lfo19'><![if !supportLists]><span
-style='font-family:Symbol;mso-fareast-font-family:Symbol;mso-bidi-font-family:
-Symbol'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-</span></span></span><![endif]><b style='mso-bidi-font-weight:normal'>Per object<o:p></o:p></b></p>
-<p class=[[MsoListParagraphCxSpMiddle]] style='margin-left:1.0in;mso-add-space:
-auto;text-indent:-.25in;mso-list:l15 level1 lfo19'><![if !supportLists]><span
-style='font-family:Symbol;mso-fareast-font-family:Symbol;mso-bidi-font-family:
-Symbol'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-</span></span></span><![endif]><b style='mso-bidi-font-weight:normal'>Per
-project </b>(within a domain)<b style='mso-bidi-font-weight:normal'><o:p></o:p></b></p>
-<p class=[[MsoListParagraphCxSpLast]] style='margin-left:1.0in;mso-add-space:auto;
-text-indent:-.25in;mso-list:l15 level1 lfo19'><![if !supportLists]><span
-style='font-family:Symbol;mso-fareast-font-family:Symbol;mso-bidi-font-family:
-Symbol'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-</span></span></span><![endif]><b style='mso-bidi-font-weight:normal'>Per
-domain <o:p></o:p></b></p>
-<p class=[[MsoNormal]]><b style='mso-bidi-font-weight:normal'><span
-style='mso-spacerun:yes'>              </span>Key-Storage<o:p></o:p></b></p>
-<p class=[[MsoListParagraphCxSpFirst]] style='margin-left:1.0in;mso-add-space:auto;
-text-indent:-.25in;mso-list:l27 level1 lfo20'><![if !supportLists]><span
-style='font-family:Symbol;mso-fareast-font-family:Symbol;mso-bidi-font-family:
-Symbol'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-</span></span></span><![endif]><b style='mso-bidi-font-weight:normal'>End-User<o:p></o:p></b></p>
-<p class=[[MsoListParagraphCxSpLast]] style='margin-left:1.0in;mso-add-space:auto;
-text-indent:-.25in;mso-list:l27 level1 lfo20'><![if !supportLists]><span
-style='font-family:Symbol;mso-fareast-font-family:Symbol;mso-bidi-font-family:
-Symbol'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-</span></span></span><![endif]><b style='mso-bidi-font-weight:normal'>Key
-Manager<o:p></o:p></b></p>
-<p class=[[MsoNormal]]><b style='mso-bidi-font-weight:normal'><span
-style='mso-spacerun:yes'>               </span>Key-<span class=GramE>Size<span
-style='mso-spacerun:yes'>  </span>128</span>, 192, 256, shorter with padding<o:p></o:p></b></p>
-<p class=[[MsoNormal]]><b style='mso-bidi-font-weight:normal'><o:p>&nbsp;</o:p></b></p>
-<p class=[[MsoNormal]]><b style='mso-bidi-font-weight:normal'><span
-style='mso-spacerun:yes'>              </span>Choice of Encryption Algorithm<o:p></o:p></b></p>
-<p class=[[MsoListParagraphCxSpFirst]] style='text-indent:-.25in;mso-list:l30 level1 lfo21'><![if !supportLists]><span
-style='font-family:Symbol;mso-fareast-font-family:Symbol;mso-bidi-font-family:
-Symbol'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-</span></span></span><![endif]><b style='mso-bidi-font-weight:normal'>AES<o:p></o:p></b></p>
-<p class=[[MsoListParagraphCxSpMiddle]] style='text-indent:-.25in;mso-list:l30 level1 lfo21'><![if !supportLists]><span
-style='font-family:Symbol;mso-fareast-font-family:Symbol;mso-bidi-font-family:
-Symbol'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-</span></span></span><![endif]><b style='mso-bidi-font-weight:normal'>DES<o:p></o:p></b></p>
-<p class=[[MsoListParagraphCxSpMiddle]] style='text-indent:-.25in;mso-list:l30 level1 lfo21'><![if !supportLists]><span
-style='font-family:Symbol;mso-fareast-font-family:Symbol;mso-bidi-font-family:
-Symbol'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-</span></span></span><![endif]><b style='mso-bidi-font-weight:normal'>RSA<o:p></o:p></b></p>
-<p class=[[MsoListParagraphCxSpMiddle]] style='text-indent:-.25in;mso-list:l30 level1 lfo21'><![if !supportLists]><span
-style='font-family:Symbol;mso-fareast-font-family:Symbol;mso-bidi-font-family:
-Symbol'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-</span></span></span><![endif]><b style='mso-bidi-font-weight:normal'>And beyond
-<o:p></o:p></b></p>
-<p class=[[MsoListParagraphCxSpLast]]><b style='mso-bidi-font-weight:normal'><o:p>&nbsp;</o:p></b></p>
-<h2>Design Considerations</h2>
-<p class=[[MsoNormal]]><b style='mso-bidi-font-weight:normal'>Key Manager Access<o:p></o:p></b></p>
-<p class=[[MsoNormal]]><span style='mso-spacerun:yes'>        </span>Restricting
-access to the Key Manager to only [[OpenStack]] services would increase security.
-That is, no end user access.</p>
-<p class=[[MsoNormal]]><b style='mso-bidi-font-weight:normal'>Access Control<o:p></o:p></b></p>
-<p class=[[MsoNormal]]>Keys inserted by a service only accessible by that service.
-Is there a use case to support a global access?</p>
-<p class=[[MsoNormal]]><b style='mso-bidi-font-weight:normal'>Master Key<o:p></o:p></b></p>
-<p class=[[MsoNormal]]><b style='mso-bidi-font-weight:normal'><span
-style='mso-spacerun:yes'>       </span></b>Each [[OpenStack]] service that uses Key
-Manager to maintain its keys could have its own master key and use the same to
-encrypt a key string before passing it for storage to the Key Manager. The
-Master key could reside on a python key ring (currently it is included in
-common module in [[OpenStack]] and readily available to all packages).</p>
-<p class=[[MsoNormal]]>Benefits:</p>
-<p class=[[MsoListParagraphCxSpFirst]] style='text-indent:-.25in;mso-list:l36 level1 lfo22'><![if !supportLists]><span
-style='mso-bidi-font-family:Calibri;mso-bidi-theme-font:minor-latin'><span
-style='mso-list:Ignore'>1.<span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-</span></span></span><![endif]>Communication between the service and the key
-manager do not need to be further encrypted using ssl or https because they
-keys flying between them are at all times encrypted. The decrypted key string
-would at any time only reside on the service that seeks to save it or use.</p>
-<p class=[[MsoListParagraphCxSpMiddle]] style='text-indent:-.25in;mso-list:l36 level1 lfo22'><![if !supportLists]><span
-style='mso-bidi-font-family:Calibri;mso-bidi-theme-font:minor-latin'><span
-style='mso-list:Ignore'>2.<span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-</span></span></span><![endif]>Keys used by different open stack services could
-reside in a single storage system but if one service were to be compromised,
-the keys from other services would still be safe.</p>
-<p class=[[MsoListParagraphCxSpLast]] style='text-indent:-.25in;mso-list:l36 level1 lfo22'><![if !supportLists]><span
-style='mso-bidi-font-family:Calibri;mso-bidi-theme-font:minor-latin'><span
-style='mso-list:Ignore'>3.<span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-</span></span></span><![endif]>Further, should there be a desire to change a
-master key, only keys stored by that service need to be re-encrypted. The
-actual data that they were used to encrypt do <span class=GramE>not<span
-style='mso-spacerun:yes'>  </span>need</span> to be re-encrypted.</p>
-<p class=[[MsoNormal]]><b style='mso-bidi-font-weight:normal'>Fault Tolerance and
-High Availability<o:p></o:p></b></p>
-<p class=[[MsoNormal]]>Key Managers keys need to be accessible at the same level
-as the objects they encrypt which makes for have the keys stored on a Swift
-like Object Storage system. Our implementation will be based on this strategy.</p>
-<p class=[[MsoNormal]]><o:p>&nbsp;</o:p></p>
-<p class=[[MsoNormal]]><o:p>&nbsp;</o:p></p>
-<h3>Swift API Changes (vx.1)</h3>
-<p class=[[MsoListParagraph]] style='text-indent:-.25in;mso-list:l13 level1 lfo37'><![if !supportLists]><b
-style='mso-bidi-font-weight:normal'><span style='mso-bidi-font-family:Calibri;
-mso-bidi-theme-font:minor-latin'><span style='mso-list:Ignore'>1.<span
-style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span></span></span></b><![endif]><b
-style='mso-bidi-font-weight:normal'>Put <span
-style='mso-spacerun:yes'>   </span>(also<span style='mso-spacerun:yes'>
-</span>cli upload)<o:p></o:p></b></p>
-<p class=[[MsoNormal]]><span style='mso-spacerun:yes'>   </span><span
-style='mso-spacerun:yes'>    </span><span class=GramE>put</span> to take
-optional arguments should take optional <span class=SpellE>args</span> </p>
-<p class=[[MsoListParagraphCxSpFirst]] style='text-indent:-.25in;mso-list:l4 level1 lfo38;
-tab-stops:list .5in'><![if !supportLists]><span style='font-family:"Times New Roman","serif";
-mso-fareast-font-family:"Times New Roman"'><span style='mso-list:Ignore'><span
-style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-</span></span></span><![endif]>encrypt=<span class=SpellE>True|False</span>,<span
-style='mso-spacerun:yes'>  </span>absence is the same as False</p>
-<p class=[[MsoListParagraphCxSpMiddle]] style='text-indent:-.25in;mso-list:l4 level1 lfo38;
-tab-stops:list .5in'><![if !supportLists]><span style='font-family:"Times New Roman","serif";
-mso-fareast-font-family:"Times New Roman"'><span style='mso-list:Ignore'><span
-style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-</span></span></span><![endif]><span class=SpellE><span class=GramE>enc-alg</span></span><span
-class=GramE>=</span>AES-CBC ..|RSA|DES<span style='mso-spacerun:yes'>
-</span>(Mirantis selected AES-CBC)</p>
-<p class=[[MsoListParagraphCxSpMiddle]] style='text-indent:-.25in;mso-list:l4 level1 lfo38;
-tab-stops:list .5in'><![if !supportLists]><span style='font-family:"Times New Roman","serif";
-mso-fareast-font-family:"Times New Roman"'><span style='mso-list:Ignore'><span
-style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-</span></span></span><![endif]><span class=SpellE><span class=GramE>enc</span></span><span
-class=GramE>-key-size=</span>128|192|256 .. default 256<span
-style='mso-spacerun:yes'>  </span>(Mirantis selected 256) </p>
-<p class=[[MsoListParagraphCxSpMiddle]] style='text-indent:-.25in;mso-list:l4 level1 lfo38;
-tab-stops:list .5in'><![if !supportLists]><span style='font-family:"Times New Roman","serif";
-mso-fareast-font-family:"Times New Roman"'><span style='mso-list:Ignore'><span
-style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-</span></span></span><![endif]><span class=SpellE>enc</span>-key-string</p>
-<p class=[[MsoListParagraphCxSpMiddle]] style='text-indent:-.25in;mso-list:l4 level1 lfo38;
-tab-stops:list .5in'><![if !supportLists]><span style='font-family:"Times New Roman","serif";
-mso-fareast-font-family:"Times New Roman"'><span style='mso-list:Ignore'><span
-style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-</span></span></span><![endif]>&lt;project-id&gt;<span
-style='mso-spacerun:yes'>     </span>(account, container, object-name == all
-the usual suspects same as before)</p>
-<p class=[[MsoListParagraphCxSpMiddle]]>(To accommodate for domains and project
-names having to be only unique within a domain, there will be changes in Swift
-API semantics, in essence a unique project-id will be provided).</p>
-<p class=[[MsoListParagraphCxSpMiddle]]><o:p>&nbsp;</o:p></p>
-<p class=[[MsoListParagraphCxSpMiddle]]>The encrypted object will be stored in
-Swift and the object <span class=GramE>meta</span> data shall reflect these
-parameters. It shall further include a reference to its encryption key, <b
-style='mso-bidi-font-weight:normal'>key-id</b>.</p>
-<p class=[[MsoListParagraphCxSpMiddle]]>Alternately a reference to an
-initialization vector will be provided, <b style='mso-bidi-font-weight:normal'>IV-id</b>.</p>
-<p class=[[MsoListParagraphCxSpMiddle]]><o:p>&nbsp;</o:p></p>
-<p class=[[MsoListParagraphCxSpMiddle]] style='text-indent:-.25in;mso-list:l13 level1 lfo37'><![if !supportLists]><b
-style='mso-bidi-font-weight:normal'><span style='mso-bidi-font-family:Calibri;
-mso-bidi-theme-font:minor-latin'><span style='mso-list:Ignore'>2.<span
-style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span></span></span></b><![endif]><b
-style='mso-bidi-font-weight:normal'>Get<span style='mso-spacerun:yes'>
-</span>(also cli command)<o:p></o:p></b></p>
-<p class=[[MsoListParagraphCxSpLast]] style='margin-left:.75in;mso-add-space:auto;
-text-indent:-.25in;mso-list:l9 level1 lfo40;tab-stops:list .75in'><![if !supportLists]><span
-style='font-family:"Times New Roman","serif";mso-fareast-font-family:"Times New Roman"'><span
-style='mso-list:Ignore'><span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-</span></span></span><![endif]><span class=SpellE>enc</span>-key-string</p>
-<p class=[[MsoNormal]] style='margin-left:.5in'>If an <span class=SpellE>enc</span>-key-string
-is provided, it is used to decrypt the retrieved object using the other <span
-class=GramE>meta</span> data associated with the object. If <span class=SpellE>enc</span>-key-string
-is not provided, but the <span class=GramE>meta</span> data indicates that it
-is encrypted, then key-id if it exists is used to decrypt the object. If IV-id
-is provided, then the project-id is used to retrieve the project specific key
-and this is used in conjunction with the IV string retrieved using IV-id to
-decrypt the object and return to the user.</p>
-<p class=[[MsoNormal]] style='margin-left:.5in'><o:p>&nbsp;</o:p></p>
-<p class=[[MsoListParagraphCxSpFirst]] style='text-indent:-.25in;mso-list:l13 level1 lfo37'><![if !supportLists]><span
-style='mso-bidi-font-family:Calibri;mso-bidi-theme-font:minor-latin'><span
-style='mso-list:Ignore'>3.<span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-</span></span></span><![endif]><b style='mso-bidi-font-weight:normal'>Put-Key,
-Get-Key, Create-key </b><span style='mso-spacerun:yes'> </span>(cli-commands
-for the same)</p>
-<p class=[[MsoListParagraphCxSpMiddle]]><b style='mso-bidi-font-weight:normal'><o:p>&nbsp;</o:p></b></p>
-<p class=[[MsoListParagraphCxSpMiddle]] style='margin-left:.75in;mso-add-space:
-auto;text-indent:-.25in;mso-list:l9 level1 lfo40;tab-stops:list .75in'><![if !supportLists]><span
-style='font-family:"Times New Roman","serif";mso-fareast-font-family:"Times New Roman"'><span
-style='mso-list:Ignore'><span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-</span></span></span><![endif]><b style='mso-bidi-font-weight:normal'>Put-key,
-arguments: key-string, project-id<o:p></o:p></b></p>
-<p class=[[MsoListParagraphCxSpMiddle]] style='margin-left:1.25in;mso-add-space:
-auto;text-indent:-.25in;mso-list:l9 level2 lfo40'><![if !supportLists]><span
-style='font-family:"Courier New";mso-fareast-font-family:"Courier New"'><span
-style='mso-list:Ignore'>o<span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;
-</span></span></span><![endif]>Encrypt key-string using<span
-style='mso-spacerun:yes'>  </span>master key to get <span class=SpellE>enc</span>-key-string</p>
-<p class=[[MsoListParagraphCxSpMiddle]] style='margin-left:1.25in;mso-add-space:
-auto;text-indent:-.25in;mso-list:l9 level2 lfo40'><![if !supportLists]><span
-style='font-family:"Courier New";mso-fareast-font-family:"Courier New"'><span
-style='mso-list:Ignore'>o<span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;
-</span></span></span><![endif]>Create key-id using<span
-style='mso-spacerun:yes'>  </span>hash(DM5 or <span class=SpellE>Sha</span>)(project-id
-* <span class=SpellE>enc</span>-key-string</p>
-<p class=[[MsoListParagraphCxSpMiddle]] style='margin-left:1.25in;mso-add-space:
-auto;text-indent:-.25in;mso-list:l9 level2 lfo40'><![if !supportLists]><span
-style='font-family:"Courier New";mso-fareast-font-family:"Courier New"'><span
-style='mso-list:Ignore'>o<span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;
-</span></span></span><![endif]>Invoke Swift put using account=service-id (<span
-class=SpellE>Swift|<span class=GramE>Cinder</span></span><span class=GramE> ..</span>),
-<span class=SpellE>enc</span>-key-string and key-id from above, specify <span
-class=SpellE>encrpt</span>=false. (container could be keys or project-id)</p>
-<p class=[[MsoListParagraphCxSpMiddle]] style='margin-left:.75in;mso-add-space:
-auto;text-indent:-.25in;mso-list:l9 level1 lfo40;tab-stops:list .75in'><![if !supportLists]><span
-style='font-family:"Times New Roman","serif";mso-fareast-font-family:"Times New Roman"'><span
-style='mso-list:Ignore'><span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-</span></span></span><![endif]><b style='mso-bidi-font-weight:normal'>Create-key<span
-style='mso-tab-count:1'>  </span>project-id<o:p></o:p></b></p>
-<p class=[[MsoListParagraphCxSpMiddle]] style='margin-left:1.25in;mso-add-space:
-auto;text-indent:-.25in;mso-list:l9 level2 lfo40'><![if !supportLists]><span
-style='font-family:"Courier New";mso-fareast-font-family:"Courier New"'><span
-style='mso-list:Ignore'>o<span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;
-</span></span></span><![endif]>Invokes Put-key after first generating a random
-key-string. Create key returns both the key-id and the unencrypted random
-key-string that was generated.</p>
-<p class=[[MsoListParagraphCxSpMiddle]] style='margin-left:.75in;mso-add-space:
-auto;text-indent:-.25in;mso-list:l9 level1 lfo40;tab-stops:list .75in'><![if !supportLists]><span
-style='font-family:"Times New Roman","serif";mso-fareast-font-family:"Times New Roman"'><span
-style='mso-list:Ignore'><span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-</span></span></span><![endif]><b style='mso-bidi-font-weight:normal'>Get-key
-key-id<o:p></o:p></b></p>
-<p class=[[MsoListParagraphCxSpMiddle]] style='margin-left:1.25in;mso-add-space:
-auto;text-indent:-.25in;mso-list:l9 level2 lfo40'><![if !supportLists]><span
-style='font-family:"Courier New";mso-fareast-font-family:"Courier New"'><span
-style='mso-list:Ignore'>o<span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;
-</span></span></span><![endif]>Invokes a Swift get with account=service-id, container
-= keys or project-id, and key-id.</p>
-<p class=[[MsoListParagraphCxSpLast]] style='margin-left:1.25in;mso-add-space:auto;
-text-indent:-.25in;mso-list:l9 level2 lfo40'><![if !supportLists]><span
-style='font-family:"Courier New";mso-fareast-font-family:"Courier New"'><span
-style='mso-list:Ignore'>o<span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;
-</span></span></span><![endif]>The encrypted key string retrieved above is
-decrypted using the <span class=GramE>service<span style='mso-spacerun:yes'>
-</span>master</span> key and the plain text key is returned.</p>
-<h3>Key-Manager <span class=GramE>API <span style='mso-spacerun:yes'> </span>(</span>v
-.0)</h3>
-<p class=[[MsoListParagraphCxSpFirst]] style='margin-left:.75in;mso-add-space:auto;
-text-indent:-.25in;mso-list:l28 level1 lfo39'><![if !supportLists]><b
-style='mso-bidi-font-weight:normal'><span style='mso-bidi-font-family:Calibri;
-mso-bidi-theme-font:minor-latin'><span style='mso-list:Ignore'>1.<span
-style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span></span></span></b><![endif]><b
-style='mso-bidi-font-weight:normal'>Put</b> &lt;encrypted-key-string&gt; &lt;key-id&gt;
-</p>
-<p class=[[MsoListParagraphCxSpMiddle]] style='margin-left:.75in;mso-add-space:
-auto'>Return success/failure and the key-id.<span style='mso-spacerun:yes'>
-</span></p>
-<p class=[[MsoListParagraphCxSpMiddle]]><o:p>&nbsp;</o:p></p>
-<p class=[[MsoListParagraphCxSpMiddle]] style='margin-left:.75in;mso-add-space:
-auto;text-indent:-.25in;mso-list:l28 level1 lfo39'><![if !supportLists]><b
-style='mso-bidi-font-weight:normal'><span style='mso-bidi-font-family:Calibri;
-mso-bidi-theme-font:minor-latin'><span style='mso-list:Ignore'>2.<span
-style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span></span></span></b><![endif]><b
-style='mso-bidi-font-weight:normal'>Get &lt;key-id&gt;</b><span
-style='mso-spacerun:yes'>   </span>returns the encrypted-key-string</p>
-<p class=[[MsoListParagraphCxSpLast]] style='margin-left:.75in;mso-add-space:auto;
-text-indent:-.25in;mso-list:l28 level1 lfo39'><![if !supportLists]><b
-style='mso-bidi-font-weight:normal'><span style='mso-bidi-font-family:Calibri;
-mso-bidi-theme-font:minor-latin'><span style='mso-list:Ignore'>3.<span
-style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span></span></span></b><![endif]>Delete
-&lt;key-id&gt;<span style='mso-spacerun:yes'>  </span>deletes the entry</p>
-<p class=[[MsoNormal]]><o:p>&nbsp;</o:p></p>
-<h3>Swift Changes</h3>
-<p class=[[MsoNormal]]><b style='mso-bidi-font-weight:normal'>Put Path<o:p></o:p></b></p>
-<p class=[[MsoListParagraphCxSpFirst]] style='text-indent:-.25in;mso-list:l21 level1 lfo41'><![if !supportLists]><span
-style='font-family:"Courier New";mso-fareast-font-family:"Courier New"'><span
-style='mso-list:Ignore'>o<span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;
-</span></span></span><![endif]>If encryption is required, and the key string is
-provided, it shall be used.</p>
-<p class=[[MsoListParagraphCxSpMiddle]] style='text-indent:-.25in;mso-list:l21 level1 lfo41'><![if !supportLists]><span
-style='font-family:"Courier New";mso-fareast-font-family:"Courier New"'><span
-style='mso-list:Ignore'>o<span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;
-</span></span></span><![endif]>If no key string is provided, the system invokes
-create-key, and on success uses the random key-string generated to encrypt the
-object and annotate it by way of <span class=GramE>meta</span> data with the
-encryption parameters including key-id. Create-key internally contacts
-key-manager and saves the random key generated.</p>
-<p class=[[MsoListParagraphCxSpMiddle]] style='text-indent:-.25in;mso-list:l21 level1 lfo41'><![if !supportLists]><span
-style='font-family:"Courier New";mso-fareast-font-family:"Courier New"'><span
-style='mso-list:Ignore'>o<span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;
-</span></span></span><![endif]>If a key-string is provided, the key-manager is
-bypassed and instead before put is attempted, the object is first encrypted. It
-is the responsibility of the get call to provide the appropriate decryption
-key.</p>
-<p class=[[MsoListParagraphCxSpLast]] style='text-indent:-.25in;mso-list:l21 level1 lfo41'><![if !supportLists]><span
-style='font-family:"Courier New";mso-fareast-font-family:"Courier New"'><span
-style='mso-list:Ignore'>o<span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;
-</span></span></span><![endif]>No change if encryption is not requested.</p>
-<p class=[[MsoNormal]]><b style='mso-bidi-font-weight:normal'>Get Path<o:p></o:p></b></p>
-<p class=[[MsoNormal]]><span style='mso-spacerun:yes'>           </span>If the
-retrieved object indicates Encrypt=true, then the encryption related <span
-class=GramE>meta</span> data is used and the key-manger used to obtain the
-encrypted key string used to encrypt the retrieved object and the information
-used accordingly.</p>
-<p class=[[MsoNormal]]><b style='mso-bidi-font-weight:normal'>Delete Path<o:p></o:p></b></p>
-<p class=[[MsoNormal]] style='text-indent:.5in'>If each object has a distinct
-encryption key, then when an object is deleted, the key-manager may also delete
-the string saved against key-id or IV-id. How should we indicate whether we are
-using a common key that must not be deleted?</p>
-<p class=[[MsoNormal]]><b style='mso-bidi-font-weight:normal'>General remarks:<o:p></o:p></b></p>
-<p class=[[MsoListParagraphCxSpFirst]] style='text-indent:-.25in;mso-list:l21 level1 lfo41'><![if !supportLists]><span
-style='font-family:"Courier New";mso-fareast-font-family:"Courier New"'><span
-style='mso-list:Ignore'>o<span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;
-</span></span></span><![endif]>Encryption occurs on Swift which typically is
-doing more IO than compute, so this would better exploit the hardware resources
-on Swift.</p>
-<p class=[[MsoListParagraphCxSpMiddle]] style='text-indent:-.25in;mso-list:l21 level1 lfo41'><![if !supportLists]><span
-style='font-family:"Courier New";mso-fareast-font-family:"Courier New"'><span
-style='mso-list:Ignore'>o<span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;
-</span></span></span><![endif]>Additional network traffic to chat with the Key
-Manager to store and retrieve keys. Keys could be cached in the Swift node
-memory.</p>
-<p class=[[MsoListParagraphCxSpLast]] style='text-indent:-.25in;mso-list:l21 level1 lfo41'><![if !supportLists]><span
-style='font-family:"Courier New";mso-fareast-font-family:"Courier New"'><span
-style='mso-list:Ignore'>o<span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;
-</span></span></span><![endif]>SSL, HTTPS used for client communication with
-Swift is what protects the encryption key string in transit.</p>
-<p class=[[MsoNormal]]><b style='mso-bidi-font-weight:normal'><o:p>&nbsp;</o:p></b></p>
-<p class=[[MsoNormal]]><o:p>&nbsp;</o:p></p>
-<h2>Concerns/Questions</h2>
-<p class=[[MsoListParagraphCxSpFirst]] style='text-indent:-.25in;mso-list:l23 level1 lfo17'><![if !supportLists]><span
-style='font-family:Symbol;mso-fareast-font-family:Symbol;mso-bidi-font-family:
-Symbol'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-</span></span></span><![endif]><b style='mso-bidi-font-weight:normal'>Data
-transfer overhead</b>: Swift uses Rsync for file transfer during replication.
-Any encryption algorithm that uses some form of block cipher chaining or new
-initialization vector each time would result in the object representation
-changing drastically on each update. This would result in a larger network
-payload for transmission. </p>
-<p class=[[MsoListParagraphCxSpMiddle]] style='text-indent:-.25in;mso-list:l23 level1 lfo17'><![if !supportLists]><span
-style='font-family:Symbol;mso-fareast-font-family:Symbol;mso-bidi-font-family:
-Symbol'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-</span></span></span><![endif]><b style='mso-bidi-font-weight:normal'>More things
-that can fail</b>:<span style='mso-spacerun:yes'>  </span>With a key manager
-and an object storage system, there are two systems that can fail or be compromised,
-increasing the chance of things failing.</p>
-<p class=[[MsoListParagraphCxSpMiddle]] style='text-indent:-.25in;mso-list:l23 level1 lfo17'><![if !supportLists]><span
-style='font-family:Symbol;mso-fareast-font-family:Symbol;mso-bidi-font-family:
-Symbol'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-</span></span></span><![endif]><b style='mso-bidi-font-weight:normal'>Unauthorized
-key deletion</b>: If we use a Swift based system to storing keys and insert
-tombstone records to mimic a legitimate deletion after breaking into a Swift
-storage node, yes, keys could indeed be deleted on a reaper task, but this
-would be no new security hazard from what Swift deals with today. Perhaps we
-could introduce a check that there was a logged request to delete a key before
-deleting a key.</p>
-<p class=[[MsoListParagraphCxSpMiddle]] style='text-indent:-.25in;mso-list:l23 level1 lfo17'><![if !supportLists]><span
-style='font-family:Symbol;mso-fareast-font-family:Symbol;mso-bidi-font-family:
-Symbol'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-</span></span></span><![endif]><b style='mso-bidi-font-weight:normal'>Wary of
-losing control of encryption key(s)</b>:<span style='mso-spacerun:yes'>
-</span>Support the use case where the end user provides the encryption key (and
-stores a copy of their own key, and is responsible for maintaining safety of
-the key). The said key will not then be saved in the Key Manager.</p>
-<p class=[[MsoListParagraphCxSpMiddle]] style='text-indent:-.25in;mso-list:l23 level1 lfo17'><![if !supportLists]><span
-style='font-family:Symbol;mso-fareast-font-family:Symbol;mso-bidi-font-family:
-Symbol'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-</span></span></span><![endif]><b style='mso-bidi-font-weight:normal'>Caching</b>:
-Should only cache encrypted data.</p>
-<p class=[[MsoListParagraphCxSpMiddle]] style='text-indent:-.25in;mso-list:l23 level1 lfo17'><![if !supportLists]><span
-style='font-family:Symbol;mso-fareast-font-family:Symbol;mso-bidi-font-family:
-Symbol'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-</span></span></span><![endif]><b style='mso-bidi-font-weight:normal'>Snap
-shots</b>:<span style='mso-spacerun:yes'>  </span>Any standard mechanism is
-fine. No change necessary, data is encrypted.</p>
-<p class=[[MsoListParagraphCxSpMiddle]] style='text-indent:-.25in;mso-list:l23 level1 lfo17'><![if !supportLists]><span
-style='font-family:Symbol;mso-fareast-font-family:Symbol;mso-bidi-font-family:
-Symbol'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-</span></span></span><![endif]><b style='mso-bidi-font-weight:normal'>Do we
-need an IV (initialization vector) for each object <span class=GramE>encrypted<span
-style='font-weight:normal'>.</span></span></b> Yes, if we take the common key
-for a project or domain approach. In this case the IV would need to be
-encrypted, and could be stored against a key-id. We could specify compound-encryption
-to imply use a master key in conjunction with the IV (accessed via the iv-id
-attached to the object meta-data).</p>
-<p class=[[MsoListParagraphCxSpMiddle]] style='text-indent:-.25in;mso-list:l23 level1 lfo17'><![if !supportLists]><span
-style='font-family:Symbol;mso-fareast-font-family:Symbol;mso-bidi-font-family:
-Symbol'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-</span></span></span><![endif]><b style='mso-bidi-font-weight:normal'>No re-keying
-in phase-1. </b>Not addressing background tasks of object re-keying such as that
-mentioned in Mirantis blog.</p>
-<p class=[[MsoListParagraphCxSpLast]]><o:p>&nbsp;</o:p></p>
-<h2>Implementation versions</h2>
-<p class=[[MsoListParagraph]] style='text-indent:-.25in;mso-list:l39 level1 lfo23'><![if !supportLists]><span
-style='font-family:Symbol;mso-fareast-font-family:Symbol;mso-bidi-font-family:
-Symbol'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-</span></span></span><![endif]><b style='mso-bidi-font-weight:normal'>Phase 1:</b>
-Develop stub Key Manager service and specify encryption parameters in the <span
-class=GramE>url</span>.</p>
-<p class=[[MsoNormal]] style='margin-left:.5in'>Key manager could just be a hash
-table in the first version to get all the APIs specified and implement, to get
-the plumbing correct. Support a single most popular encryption algorithm.</p>
-<p class=[[MsoNormal]] style='margin-left:.5in'>This would fully implement object
-encryption.</p>
-<p class=[[MsoListParagraphCxSpFirst]] style='text-indent:-.25in;mso-list:l39 level1 lfo23'><![if !supportLists]><span
-style='font-family:Symbol;mso-fareast-font-family:Symbol;mso-bidi-font-family:
-Symbol'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-</span></span></span><![endif]><b style='mso-bidi-font-weight:normal'>Phase-2</b>:
-Make Key Manager is Swift instance, with multiple zones for storage. This would
-support true HA and fault tolerance.</p>
-<p class=[[MsoListParagraphCxSpMiddle]] style='text-indent:-.25in;mso-list:l39 level1 lfo23'><![if !supportLists]><span
-style='font-family:Symbol;mso-fareast-font-family:Symbol;mso-bidi-font-family:
-Symbol'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-</span></span></span><![endif]><b style='mso-bidi-font-weight:normal'>Phase-3</b>:
-Support multiple encryption algorithms. For instance, volume encryption may
-prefer XTS, an encryption strategy that uses sector address.</p>
-<p class=[[MsoListParagraphCxSpMiddle]] style='text-indent:-.25in;mso-list:l39 level1 lfo23'><![if !supportLists]><span
-style='font-family:Symbol;mso-fareast-font-family:Symbol;mso-bidi-font-family:
-Symbol'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-</span></span></span><![endif]><b style='mso-bidi-font-weight:normal'>Phase</b>-4:
-Reaper routine to change a master key for a service</p>
-<p class=[[MsoListParagraphCxSpLast]]><o:p>&nbsp;</o:p></p>
-<h3>Intels Interest</h3>
-<p class=[[MsoNormal]]>Intel <span class=GramE>X86 hardware in <span class=SpellE>Westmere</span>
-and beyond</span> provides AES-NI, hardware support for encryption/decryption.
-These speed up encryption/decryption. Further, Intel provides open source
-libraries to speed computation further by parallelizing the operations (<span
-class=SpellE>multibuffer</span>) and interleaving them (function stitching).
-The references give pointers to white papers.</p>
-<p class=[[MsoNormal]]>Intel product generations are incorporating wider registers
-which enables further parallelization of <span class=GramE>cryptographic</span>
-operations.</p>
-<h2>Future</h2>
-<p class=[[MsoListParagraph]] style='text-indent:-.25in;mso-list:l12 level1 lfo15'><![if !supportLists]><span
-style='font-family:Symbol;mso-fareast-font-family:Symbol;mso-bidi-font-family:
-Symbol'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-</span></span></span><![endif]>Store user encryption preferences such as default
-key string, size, and encryption algorithm, to be passed along with the
-authentication token and used by Swift during object insertion. This would
-reduce put URL request lengths, while yet allowing flexibility in algorithm
-selection.</p>
-<p class=[[MsoNormal]]><o:p>&nbsp;</o:p></p>
-<h2>Glossary</h2>
-<p class=[[MsoNormal]]><strong><span style='font-family:"Calibri","sans-serif";
-mso-ascii-theme-font:minor-latin;mso-hansi-theme-font:minor-latin;mso-bidi-font-family:
-"Times New Roman";mso-bidi-theme-font:minor-bidi'>Key-string</span></strong>:<span
-style='mso-spacerun:yes'>  </span>A string of bits used to encrypt data. Could
-be auto-generated or end-user provided.</p>
-<p class=[[MsoNormal]]><b style='mso-bidi-font-weight:normal'>Key-id</b>: a unique
-ID used to index a key-string in the system. The key-id will be attached as <span
-class=GramE>meta</span> data with the encrypted object.</p>
-<p class=[[MsoNormal]]><b style='mso-bidi-font-weight:normal'>Master-key</b>: a
-key-string used to encrypt the keys (key-strings) in the Key Manager</p>
-<p class=[[MsoNormal]]><o:p>&nbsp;</o:p></p>
-<h2>References</h2>
-<p class=[[MsoNormal]] style='margin-left:.25in'><a
-href="http://www.mirantis.com/blog/openstack-swift-encryption-architecture/">http://www.mirantis.com/blog/openstack-swift-encryption-architecture
-<span style='mso-field-code:" HYPERLINK \0022http\:\/\/www\.egnyte\.com\/blog\/2012\/05\/encryption-at-rest-in-egnyte-object-store-eos\.html\0022 "'>http://</span><span
-style='mso-field-code:" HYPERLINK \0022http\:\/\/www\.egnyte\.com\/blog\/2012\/05\/encryption-at-rest-in-egnyte-object-store-eos\.html\0022 "'>www.egnyte.com/blog/2012/05/encryption-at-rest-in-egnyte-object-store-eos.html</span>
-<span style='mso-ascii-font-family:Calibri;mso-hansi-font-family:Calibri;
-mso-bidi-font-family:Calibri;color:windowtext;text-decoration:none;text-underline:
-none'><span style='mso-field-code:" HYPERLINK \0022http\:\/\/en\.wikipedia\.org\/wiki\/CBC-MAC\0022 "'><u><span
-style='color:blue;mso-themecolor:hyperlink'>http://en.wikipedia.org/wiki/CBC-MAC</span></u></span><o:p></o:p></span></a></p>
-<p class=[[MsoNormal]] style='margin-left:.25in'><span style='mso-ascii-font-family:
-Calibri;mso-hansi-font-family:Calibri;mso-bidi-font-family:Calibri'><a
-href="http://www.mirantis.com/blog/openstack-swift-encryption-architecture/"><span
-style='color:windowtext;text-decoration:none;text-underline:none'><span
-style='mso-field-code:" HYPERLINK \0022http\:\/\/en\.wikipedia\.org\/wiki\/Advanced_Encryption_Standard\0022 "'><u><span
-style='color:blue;mso-themecolor:hyperlink'>http://en.wikipedia.org/wiki/Advanced_Encryption_Standard</span></u></span></span><span
-style='mso-ascii-font-family:Calibri;mso-ascii-theme-font:minor-latin;
-mso-hansi-font-family:Calibri;mso-hansi-theme-font:minor-latin;mso-bidi-font-family:
-"Times New Roman";mso-bidi-theme-font:minor-bidi'><o:p></o:p></span></a></span></p>
-<p class=[[MsoNormal]]><span style='mso-spacerun:yes'> </span><span
-style='mso-spacerun:yes'>      </span><a
-href="http://wiki.openstack.org/VolumeEncryption">http://wiki.openstack.org/VolumeEncryption</a></p>
-<p class=[[MsoNormal]] style='margin-left:.25in'>Fast Cryptographic computation on
-IA processors via Function <span class=GramE>Stitching<span
-style='mso-spacerun:yes'>  </span></span><a
-href="http://download.intel.com/design/intarch/PAPERS/323686.pdf">http://download.intel.com/design/intarch/PAPERS/323686.pdf</a><u>
-</u></p>
-<p class=[[MsoNormal]] style='margin-left:.25in'>Processing Multiple buffers in
-parallel <span class=GramE>- <span style='mso-spacerun:yes'> </span></span><a
-href="http://download.intel.com/design/intarch/papers/324101.pdf">http://download.intel.com/design/intarch/papers/324101.pdf</a><u>
-</u></p>
-<p class=[[MsoNormal]]><span style='mso-spacerun:yes'>       </span>XTS efficient
-implementation: <a
-href="http://download.intel.com/design/intarch/PAPERS/324310.pdf">http</a><a
-href="http://download.intel.com/design/intarch/PAPERS/324310.pdf"><span
-class=GramE>:/</span>/</a><a
-href="http://download.intel.com/design/intarch/PAPERS/324310.pdf">download.intel.com/design/intarch/PAPERS/324310.pdf</a></p>
-<p class=[[MsoNormal]]><o:p>&nbsp;</o:p></p>
-<p class=[[MsoNormal]]><o:p>&nbsp;</o:p></p>
-<p class=[[MsoNormal]]><o:p>&nbsp;</o:p></p>
-<p class=[[MsoNormal]]><o:p>&nbsp;</o:p></p>
-<p class=[[MsoNormal]]><o:p>&nbsp;</o:p></p>
-</div>
-</body>
-</html>