SOA Security White Paper. Message Security. v.1.0
Project Documentation
OpenCap - Ahmed ALAMI
23 December 2005
TABLE OF CONTENTS

1 Message-Level Security
  1.1 Introduction
    1.1.1 Simplified security model: SOA, J2EE, WS-*
    1.1.2 WS-Security
    1.1.3 WS-SecurityPolicy
    1.1.4 WS-Trust
    1.1.5 WS-SecureConversation
    1.1.6 WS-Federation
    1.1.7 SAML
    1.1.8 XACML
    1.1.9 XKMS
  1.2 Best Practices
  1.3 Open Source Solutions
2 Appendices
  2.1 Where to find the specifications?
  2.2 Documentation resources
©2005 OPENCAP - AHMED ALAMI • ALL RIGHTS RESERVED
1.1 Introduction
! " # $ % &"' % ( ( ) *+
! " # $
! % & '( )
* Transport-level security ) + ' # ( ,-. ', - .#/( + 0
* Message-level security ) 1 2 3 !
* Application-level security ) 456 !
* Data-level security ) "0 / !
* Environment-level security ) 7 3 8
9 ! # ! : #
! 4 # ! #
' ( ) * % 03 +;+ * %
* " 6 * 4+6 * " * - 03 * < 9 0 03
# ) *
* * * * + 4 03 0 # ! # 8 ;
! 1 ! = 2 8 ; ! 1 + 8 ' > (! #
) % ? ':7@( 03 A !
!
/ ! = # ! B 2
WS-Security
SAML ;
! % ;
; Kerberos XKMS XACML ; / !
+;+ !
!
1.1.1 Simplified security model: SOA, J2EE, WS-*
: 3 C
+D 3 + 0 + 5E44!
/
+D! - !
+! -
!
C ;
C " C ! 4
; ! 2 8
C ! + 3 !
" + F! C ; C 0 8 ! : + 5E44
C 5 +<-"! E! 1 C 8 3 ;
8! ; ! -
C ; C 3
: ! G! : C ; C 0 ' ( ; C ! "
! H! C " %3 C
8 0! 4 0 0 C 0 2 C ! I! C C ! J! 1 C 2 3 C ! K! 8 -! % 0 2 ; C8 ! 1 0 ; C ! L! C C
0 2 C ! 1 ! " + ;
!
1.1.2 WS-Security
+ 0 - '8 ( M- 'M 0 - ( ! + 0 2 ' 0 /( -! 4
2 ! "
8
3 0 ! + 0 N 8 ;
) * 0 2 * * * 0 * 3 % 2 ) * . >7 - * "
O!IPQ * = / R * 7
+ 0 ) * - '60( 8 ' ( * 0 ! 4 8 ) * : * : 0 2 ! + + 0 -! FF ; F!F - F!E - xmlns:S12="http://www.w3.org/2003/05/soap-envelope"
<s11:Envelope xmlns:s11="http://schemas.xmlsoap.org/soap/envelope/"
              xmlns:wsse="http://www.docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
  <s11:Header>
    <wsse:Security>
      •••
    </wsse:Security>
  </s11:Header>
  <s11:Body>
    •••
  </s11:Body>
</s11:Envelope>
1 2 ;
# ! + 0
3
! % 3
) * 1 =/ ;
8 0 ! * ; 0 2 ! + / R S T6 0 0=/U
<wsse:Security xmlns:wsse="http://www.docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
  <wsse:BinarySecurityToken
      ValueType="http://www.docs.oasis-open.org/wss/2004/07/oasis-000000-wss-kerberos-token-profile-1.0#Kerb
      EncodingType="http://www.docs.oasis-open.org/wss/2004/01/#oasis-200401-wss-wssecurity-secext-1.0.xsd#B
    QMwcAG ...
* 3 0 ; 2 2 +8
8 T 0=/< U 1<%!
O7 2 ! ! + 0
;
46! " + 0- 0!
1.1.3 WS-SecurityPolicy
+ 0- 0
; +- 0! +- 0 3 + ; ! + 0- 0 0 + )

wsse:SecurityToken
    Specifies a required type of security token defined by WS-Security.
wsse:Integrity
    Specifies a signature format defined by WS-Security.
wsse:Confidentiality
    Specifies an encryption format defined by WS-Security.
wsse:Visibility
    Specifies the portions of the message that must be processed by, or visible to, an intermediary or an endpoint.
wsse:SecurityHeader
    Specifies the use of the message's Security header.
wsse:MessageAge
    Specifies the maximum duration for invalidating messages.
+ 0- 0 ! % ; 2 ! + 0
N 8 - F!F F!E -! + 0 0 8
O7
; :! 4
! 4 ; ! + 0- 0 2
! + O7
2 0 O!IPQ!
<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy"
            xmlns:wssp="http://schemas.xmlsoap.org/ws/2002/12/secext">
  <wsp:All>
    <wssp:Integrity wsp:Usage="wsp:Required">
      <wssp:Algorithm Type="wssp:AlgSignature"
                      URI="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <wssp:SecurityToken>
        <wssp:TokenType>wsse:X509v3
1.1.4 WS-Trust
% 2 '"
O IPQ = / R 7 O"7 ( 2! - -
2 0 # ! 1 3
! " 2 N V - 2 ++ V M 0 2 0 V - ; #
) += + 0- 0!
) +=! += ; ; ;
3 9! 1 ++6
! -
0 0 ! += W X ! += 2 ! 3 += ) #
' + A(
0! + 0- 0! 2 T< 0=/U T< 0=/<U!
WS-Trust mechanism += 2 8 + 0! " 0 ! -
2 R 2 ! 4 N - 0 + 0 )
* ) 8 ! * ) $ ! * ) 0 ! += 03 >! < 0=/ = ' 0 =/ ( 8 2 ! = < 0=/< 2! ) * ) = 2 ! * ) 2 = S ; 2 ! * ) 0 ; ! 4 2 += 2 ! " + = !
The WS-Trust scenario: " - 8 + 0! Y # 0 ' ( = C N 2 ! # 0 = += ! # 0 ! # 0
3 0 C :
C # 0!
# 0 ; C 2 ! C 2 ! # 0 8
2 ! C = # 0 C ! C + ) F!
O!IPQ! % " '"
0( C ! E! 7! G! C 0 C ! H! C $ 0 2 !
! F! - 8 ; # 0 !
1 <soap:Envelope>
2 <soap:Header>
3 <ws:Security>
4 <ws:BinarySecurityToken id="X509token" ValueType="X.509">
5 sdfOIDFKLSoidefsdflk …
6
7
8
9
10
11 akjsdflaksf
12
13 <ws:BinarySecurityTokenReference URI="#X509token"/>
14
15
16
17
18 <soap:Body>
19 <po:PurchaseOrder ID="PO"/>
20
21
# 0
O!IPQ C ; 7! 4 = 7
O!IPQ! E! C 2 C C 8 !
# 0 8 = )
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18
<soap:Envelope>
  <soap:Header>
    <ws:Security>
  <soap:Body>
    <wstrust:RequestSecurityToken>
      <wstrust:TokenType>SAML
      <wstrust:RequestType>ReqExchange
      <wstrust:OnBehalfOf>
        <ws:BinarySecurityToken id="originaltoken" ValueType="X.509">
          sdfOIDFKLSoidefsdflk …
- '- 60( C < 0=/ 2
! C 6 = 8 0 # 0 ! G! 1 8 0 = 3
7 ; # 0!
1 <soap:Envelope>
2 <soap:Header>
3 <ws:Security>
4
7
8
9 <soap:Body>
10 <wstrust:RequestSecurityTokenResponse>
11 <wstrust:TokenType>SAML
12 <wstrust:RequestedSecurityToken>
13 <saml:Assertion
14 AssertionID="2se8e/vaskfsdif="
15 Issuer="www.sts.com"
16 IssueInstant="2002-06-19T16:58:33.173Z">
17 <saml:Conditions
18 NotBefore="2002-06-19T16:53:33.173Z"
19 NotOnOrAfter="2002-06-19T17:08:33.173Z"/>
20 <saml:AuthenticationStatement
21 AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X.509"
22 AuthenticationInstant="2002-06-19T16:57:30.000Z">
23 <saml:Subject>
24 25 26 27 28 29 30 31 32 33 34 35 36 37
<saml:NameIdentifier NameQualifier="service.com">Client
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:sender-vouches
<!-- calculated by STS -->
= < 0=/ Z FG+GH[! = C Z GE[! = ; Z EH[! " =
3 ! H! N = C 7 ; 0 ! " + )
1 <soap:Envelope>
2 <soap:Header>
3 <ws:Security>
4 <saml:Assertion
5 AssertionID="2se8e/vaskfsdif="
6 Issuer="www.sts.com"
7 IssueInstant="2002-06-19T16:58:33.173Z">
8 <saml:Conditions
9 NotBefore="2002-06-19T16:53:33.173Z"
10 NotOnOrAfter="2002-06-19T17:08:33.173Z"/>
11 <saml:AuthenticationStatement
12 AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X.509"
13 AuthenticationInstant="2002-06-19T16:57:30.000Z">
14 <saml:Subject>
15 <saml:NameIdentifier> Client
16 <saml:SubjectConfirmation>
17 <saml:ConfirmationMethod>
18 urn:oasis:names:tc:SAML:1.0:cm:sender-vouches
19
20
21
22
23 <!-- calculated by STS -->
24
25
26
27 28 29 30
<soap:Body>
<po:PurchaseOrder ID="PO"/>
C 7 C8 8 - Z H+EH[! C " 7 Z FK[ C ! % = C !
1.1.5 WS-SecureConversation
% & ; ; ! ;
8 8 ; ! + " ! + "
) * -
! * += 2 ! + "
+= + 0
! %
; '
( ! 4 2 T#) 0U! 8 / N
0 ! ' # (
; ; -!
<SecurityContextToken wsu:Id="...">
  <wsc:Identifier>...
" + C + "
<s:Envelope xmlns:s='http://www.w3.org/2003/05/soap-envelope' >
  <s:Header>
    <ws:Security s:mustUnderstand='true' >
      <wsc:SecurityContextToken>
        <wsc:Identifier>
          uuid:652d2aaa-4857-4d8c-865c-f9549e5806f0
  <s:Body wsu:Id='request'>
    …
1.1.6 WS-Federation
+\
+=
! 03 ' ( ; 03 ' Y ( ; ! +\ ! +\ 3 ; ! 3 +\ 0 ; ! " ' ( - '-0 (! - ; ; ! - +\ ) * 0 =/ '=( * % 0 - '%-( += ) : = % = : ! " 3 ; &! " 0
! : 0 1 '" -
: ( - '.
(! ; +\ 0 ! ; +\
2 !
Direct Trust
) F! " 3 0 ; ! E! 1 0 2 ; =! G! 1 2 = 2 !
1.1.7 SAML
7 ' 0 7 / ( % 03 ! " #
; # # ! 8
$ ! + 0 7 7 -! 7 3 8 - + 0! 7 ) ! ; 0 ) * 0
* 0 * 0 ! N
' 8 0 (
7 ;
; ! 7 ! 1 0 ! 7 T#) 0=/< U + 0! 4 8 8 T#) 0U! 4
! 7 0 !
1.1.8 XACML
O"7 'O
" 7 / ( W
3!
W
3 ; ) * W
3 * W
3 #
O"7 ; ! 4 ; W
3! O"7 3
3 ; W !
1.1.9 XKMS
OR7 'O7 R0 7
(
O7 -R% '- R0 (! -R% 0 0 0 # ! 8 0 O7 !
OR7 #
-R%! 4 OR7 # 03 ! OR7 03 -R%!
1.2 Best Practices
* 8 ! :
8 8 ' 0( * % X ; +! * -
+ 0 7
* -
OR7 7 ! * " OR7 + 0 7! * % 0 O7 7 + 0! * 7 8 OR7 -R%!
1.3 Open Source Solutions
% 2
; ! 2 5 "]]! " + 2 ) * O7 0 ) " 2 ; O7! " O7+ O7 - ! 2
O7 R0 7 'OR7( * 7 3 5 "]]
7 F!P F!F! * : 0 -2 ) " 2 ) * 1 #/
) O * 1 <\" R * " -# 3 ! * , + 0 / ) + 0
! * "0 -% 6 0 " ) * 1 -% 3 0 5 ! * 1 5"4 5"! * 1 5"4 F!E!F! * 1 3 2 .!F! * : Y F G
O!IPQ -R"FE! * : Y E
C O!IPQ! * : Y >- >7%74 "7 '-R"K(! * : Y >- "- '<\" EIJP(! * : Y >- =- '<\" GFJF(! * : Y >- -Y- '<\" EHHP(! * 1 2 5:R F!H>F!I 5"4 !
2.1 Where to find the specifications?
SAML
http://www.oasis-open.org/committees/security/
XML-Signature
http://www.w3c.org/Signature/
Security Services TC
http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss
WS-Federation
http://www-106.ibm.com/developerworks/webservices/library/ws-fedworld/
WS-Security
http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss
WS-SecureConversation
http://www-106.ibm.com/developerworks/webservices/library/ws-secon/
WS-SecurityPolicy
http://www-106.ibm.com/developerworks/webservices/library/ws-secpol/
WS-Trust
http://msdn.microsoft.com/library/en-us/dnglobspec/html/ws-trust.asp
XML-Encryption
http://www.w3c.org/Encryption/2001/
2.2 Documentation resources
" + !
Basic Security Profile Working Group
http://www.ws-i.org/deliverables/workinggroup.aspx?wg=basicsecurity
Public Key Infrastructure (PKI) (English)
http://www.pki-page.org/
Public Key Infrastructure (PKI) (French)
http://www.hsc.fr/ressources/cours/pki/index.html.fr
WS-Security Kerberos
http://www.oasis-open.org/committees/download.php/1049/WSS-Kerberos-03.pdf
SAML (Security Assertion Markup Language)
http://www.oasis-open.org/committees/download.php/1048/WSS-SAML-06.pdf
REL (Rights Express Language)
http://www.oasis-open.org/committees/download.php/7347/oasis-____-wss-REL-token-profile-1.0-draft08-clean.pdf
OpenSAML 1.0.1 - an Open Source Security Assertion Markup Language implementation
http://www.opensaml.org/
The XML Apache Security Project
http://xml.apache.org/security/index.html
The Apache Directory Project Kerberos
http://directory.apache.org/subprojects/kerberos.html
The Legion of the Bouncy Castle
http://www.bouncycastle.org/fr/index.html
AXIS WSSE Security
http://axis-wsse.sourceforge.net/#home
VeriSign Offers Open Source WS-Security Implementation and Integration Toolkit
http://www.verisign.com/verisign-inc/news-and-events/news-archive/us-news-2002/page_000810.html
FIX : Financial Information eXchange protocol
http://www.fixprotocol.org
IIOP : Internet Inter-ORB Protocol
http://www.omg.org
UDDI : Universal Description, Discovery and Integration
http://www.uddi.org