Research and Implementation of a Trusted Access Architecture and Remote Attestation for Wireless LANs
Abstract
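To improve the security and reliability of applications in wireless LAN environments, access control has been introduced into the network access process to control wireless terminals that request access to the network. The typical network access control technology is identity authentication. It is built on key technology, takes identity authentication as its basis and the security of the terminal platform itself as its precondition, and relies on protocol security to ensure that terminals satisfying a specific access control policy can access the network securely. It has helped to some extent to solve network access security problems. However, traditional access control schemes assume that the terminal device itself is secure, so wireless terminals that meet the protocol's security requirements but carry latent damage or threats can access the network and harm the entire network environment. With the emergence of trusted computing and the deepening of research into it, there is a new solution to the access control problem in wireless LAN environments.
     (1) A wireless multi-level trusted access architecture model is proposed. Based on a study of existing network access technologies, a wireless trusted multi-level access architecture model is proposed. The model implements bidirectional verification at access time, overcoming the limitations of one-way authentication; it adds platform authenticity and platform integrity authentication on top of traditional identity authentication, increasing the security strength of access control; and its multi-level trusted access method improves on the flexibility and efficiency of existing "all-or-nothing" access control.
     (2) Two remote attestation schemes are proposed. On the basis of the wireless multi-level trusted access architecture, two remote attestation models are designed: a "property-based self-attestation model" and a "hidden-credential-based remote attestation model", together with the security authentication protocol and authorization process for each model. Analysis shows that the two schemes improve, from different angles, on the privacy and security of existing remote attestation schemes, and improve the execution efficiency of the protocol exchange.
     (3) The proposed theoretical models are simulated using TPM_emulator. Under the Linux operating system, a prototype experimental platform is built with the open-source TPM emulator and a VMware virtual machine, a graphical interface is developed with Glade, and the models proposed in this thesis are validated to a certain extent.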
To improve the security and dependability of applications in wireless LANs, access control technology has been used to control terminals that request access to the network. The typical technology is identity authentication. It is based on key technology and relies on protocol security to ensure that only terminals that meet a specific access control policy can access the network securely. This approach considers only the protocol-level credibility of wireless devices, not the security of the devices themselves, so it may allow a wireless terminal that meets the protocol's security requirements but carries latent threats to access the network and damage the whole network. With the emergence of, and deepening research into, Trusted Computing technology, a new solution for controlling wireless terminals that request access to the WLAN has become available.
     Based on a study of access control technology in wireless LANs and of Trusted Computing technology, the contributions of this thesis are as follows.
     1. A trusted multi-level architecture model for access control in wireless environments is proposed. The model requires bidirectional verification when a terminal requests access to the network, which overcomes the limitations of unidirectional verification. Authenticity verification and integrity verification of the terminal platform are also introduced, which increases the strength of access control. The multi-level approach also improves on the flexibility and efficiency of existing dichotomous (all-or-nothing) access control.
     2. Two remote attestation methods are proposed. Building on the trusted multi-level access control architecture model, two remote attestation methods are given, one based on the properties of the terminal and one based on Hidden Credentials technology. The security protocol and authentication process of each method are then given in detail. Analysis shows that the two attestation methods improve the privacy and security of existing remote attestation methods and have good protocol efficiency.
     3. The remote attestation methods proposed in this thesis have been verified with TPM-Emulator. Using the TPM emulator and VMware software, a prototype platform is built on the Linux operating system. A corresponding graphical interface is designed with Glade, and some validation of the theoretical results presented in this thesis is given.
