Sunday 9 June 2013

EXPLORING BIOMETRICS

Quite a popular word when it comes to advanced security technologies; let's drill deeper into it.

Definition :
Biometrics is a technology, a science used in analyzing biological data or biological information. In terms of Information Technology, Biometrics is the technology used to measure, analyze and verify various human traits such as the following (including, but not limited to):
1) Iris,
2) Retina,
3) Fingerprints,
4) Blood pressure,
5) Heart beat rate,
6) DNA,
7) Facial pattern,
8) Hand pattern, etc.

By authenticating with the help of Biometric systems, we confirm the identity of the users undergoing the authentication process. An example would be the common occurrence of fingerprint scanning techniques used in corporate offices for confirming the identity of their employees, by institutions for confirming the identity of their students and professors, by Government offices for restricting access to authorized staff members, etc.

Characteristics :
Biometric systems possess the following seven important characteristics:
1) Universality
2) Uniqueness
3) Permanence
4) Acceptability
5) Collectability
6) Performance
7) Circumvention

The above seven, in detail:

1) Universality :- It implies that the human characteristic being measured should be available in the majority of the users of the system. For example, almost every living human has fingers, and thus fingerprints can be used for authenticating the users. On the other hand, if we use "burns on hands" as a measure of authentication, not every user would possess a burn on his/her hand, and thus it can be ruled out.

2) Uniqueness :- This implies that the human characteristic chosen for authentication should be unique; otherwise the biometric system would not have a true meaning. Imagine 20 people having the same characteristic and the system being asked to authenticate them on that particular characteristic. This system would also indicate a positive confirmation to those who are not authorized, and hence would amount to a critical security breach.

3) Permanence :- This means that the characteristic chosen for authentication should resist change for a long period of time. In simpler words, that characteristic should remain the same for a long period of time. Imagine that we choose height as an authentication factor; it will most probably increase after some years. At that moment, the original height won't be useful anymore, and the user would have to be completely rechecked for proper authentication.

4) Acceptability :- Imagine a system which requires you to touch a device that has been repeatedly used by others, which requires you to do some acrobatics, some kind of unusual dance, which requires you to remove your clothes, all this for authenticating you. Assuming a strong negative nod, we would definitely reject such systems. Acceptability is thus a measure of how useful the system is to the user. A system which requires you to only place your eye at the scanning area is most likely to be accepted by all the users of the system.

5) Collectability :- This simply means how easy it is to collect the authenticating characteristic from the user. For example, if it requires that the user should walk for 10 minutes before the authentication is completed, this is a very time-consuming process, considering that this system has to authenticate 100 users. On the contrary, a fingerprint is easy to collect and hence would make the authentication process swifter.

6) Performance :- This talks about the performance of the authenticating system in terms of its speed, accuracy, error rate and other performance parameters.

7) Circumvention :- This describes how easily the authenticating system can be bypassed or tricked. This must be a topic of interest for the security guys, definitely!
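
As an added example (not part of the original post), the error rate mentioned under Performance is usually split into a false accept rate (FAR) and a false reject rate (FRR), and the FAR also shows how far Uniqueness holds in practice. The match scores, thresholds and function names below are constructed for illustration.

```python
"""Error rates of a biometric matcher at different decision thresholds."""

# Constructed similarity scores in [0, 1]; higher means "more alike".
# GENUINE: a user compared against their own enrolled template.
# IMPOSTOR: a user compared against somebody else's template.
GENUINE = [0.91, 0.88, 0.95, 0.62, 0.79, 0.85, 0.97, 0.70, 0.90, 0.83]
IMPOSTOR = [0.10, 0.35, 0.42, 0.55, 0.20, 0.66, 0.30, 0.72, 0.15, 0.48]


def error_rates(genuine, impostor, threshold):
    """Return (FAR, FRR) when every score >= threshold is accepted.

    FAR: share of impostor attempts wrongly accepted (a security failure).
    FRR: share of genuine attempts wrongly rejected (a usability failure).
    """
    false_accepts = sum(1 for s in impostor if s >= threshold)
    false_rejects = sum(1 for s in genuine if s < threshold)
    return false_accepts / len(impostor), false_rejects / len(genuine)


def equal_error_point(genuine, impostor):
    """Return (threshold, FAR, FRR) where FAR and FRR are closest."""
    def gap(threshold):
        far, frr = error_rates(genuine, impostor, threshold)
        return abs(far - frr)

    # Only observed scores can change the outcome, so sweep those.
    candidates = sorted(set(genuine) | set(impostor))
    best = min(candidates, key=gap)
    far, frr = error_rates(genuine, impostor, best)
    return best, far, frr


if __name__ == "__main__":
    # A low threshold lets impostors in; a high one locks real users out.
    for t in (0.5, 0.7, 0.8):
        far, frr = error_rates(GENUINE, IMPOSTOR, t)
        print(f"threshold={t:.2f}  FAR={far:.0%}  FRR={frr:.0%}")
    print("closest FAR/FRR:", equal_error_point(GENUINE, IMPOSTOR))
```

Raising the threshold trades false accepts for false rejects, so the operating point is a security decision as much as a performance one.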

To be continued..


Monday 3 June 2013

AUTHENTICATION

Before delving into the actual domain of authentication, let's take a moment to understand the difference between identification and authentication. When you show your ID card to the college security guards, you identify yourself to them as being a legitimate student of that college. When you enter your ATM card into the ATM card slot, you identify yourself to your bank as its legal customer. But anyone can claim to be this bank's customer by stealing someone's ATM card. In such a situation, how does the bank confirm its legal user? It is confirmed with the help of the PIN. If the PIN you enter is correct, then you are positively confirmed. In other words, you are authenticated. Now how do we implement this authentication? It can be done in the following 5 ways.
1) Something you know
2) Something you have
3) Something you are
4) Something you do
5) Where you are

Let's explore them in detail.

1) Something you know
     This is based on the fact that you know the important credentials for logging into the system, such as passwords, PINs, unlock patterns, etc. When you enter these correctly, you are given access to the system; otherwise some kind of error is displayed.

2) Something you have
     This is based on the fact that you possess some kind of physical entity which helps you in your authentication process. For example, an ATM card, or the ID cards used in companies to enter rooms.

3) Something you are
     This type of authentication is based on your physical traits. Your eyes, your palm, your fingerprints, etc. are used for authenticating you. Retina scans, facial recognition, fingerprint scans, etc. are some commonly used authentication techniques.

4) Something you do
     In simple words, in this pattern if you wave your left hand up and down 3 times, you will get authenticated. If you revolve your head clockwise twice you will get authenticated. In short, what actions you perform becomes your password. This can also include style of handwriting, the speed with which keystrokes are done, etc.

5) Where you are
     This involves using your geographical location as the password. This can be useful in case of ATM card transactions done physically at banks where this type of authentication can be used as an additional step for authentication thus making the system more secure.

Multifactor Authentication
Simply put, more than one of the authentication types seen above is used to authenticate the user.
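
As an added example (not code from the original post), here is one way to combine two of the factors above: a password ("something you know") and a time-based one-time code from an enrolled device ("something you have"). The record layout, function names, work factor and demo secret are assumptions made for this sketch; the one-time code follows RFC 4226/6238.

```python
"""Two-factor login: password plus time-based one-time code."""
import hashlib
import hmac
import os
import struct
import time

PBKDF2_ROUNDS = 200_000                 # assumed work factor for this sketch
TOTP_STEP = 30                          # seconds each code is valid for
DEMO_SECRET = b"12345678901234567890"   # RFC 4226 test key, demo use only


def hash_password(password, salt=None):
    """Derive a slow, salted hash; only (salt, digest) is ever stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)   # constant-time compare


def hotp(secret, counter, digits=6):
    """HMAC-based one-time password (RFC 4226)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret, at_time, digits=6):
    """Time-based variant (RFC 6238): the counter is the 30-second step."""
    return hotp(secret, int(at_time) // TOTP_STEP, digits)


def match_totp(secret, code, at_time, drift_steps=1):
    """Return the step the code belongs to (current +/- drift), or None."""
    current = int(at_time) // TOTP_STEP
    matched = None
    for counter in range(max(0, current - drift_steps), current + drift_steps + 1):
        if hmac.compare_digest(hotp(secret, counter).encode(), code.encode()):
            matched = counter
    return matched


def enroll(password, totp_secret):
    """Create the stored record for one user (hypothetical layout)."""
    salt, digest = hash_password(password)
    return {"salt": salt, "pw_hash": digest,
            "totp_secret": totp_secret, "last_counter": -1}


def authenticate(record, password, code, at_time):
    """Both factors are always evaluated, and both must pass."""
    knows = verify_password(password, record["salt"], record["pw_hash"])
    counter = match_totp(record["totp_secret"], code, at_time)
    # A code is one-time: refuse a step that was already used.
    has = counter is not None and counter > record["last_counter"]
    if knows and has:
        record["last_counter"] = counter
        return True
    return False


if __name__ == "__main__":
    user = enroll("correct horse", DEMO_SECRET)
    now = time.time()
    code = totp(DEMO_SECRET, now)
    print("password only :", authenticate(user, "correct horse", "000000", now))
    print("code only     :", authenticate(user, "guess", code, now))
    print("both factors  :", authenticate(user, "correct horse", code, now))
    print("replayed code :", authenticate(user, "correct horse", code, now))
```

A stolen password alone fails the second check, and a captured code cannot be replayed once its step has been used.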

Mutual Authentication
In the majority of cases we have seen one entity authenticating the other. This is unidirectional authentication. In mutual authentication, both entities authenticate each other. Mutual authentication can be seen in client-server communication systems. When we are trying to log in to an account on a website, the browser (client) authenticates the server by checking its certificate, whereas the server authenticates the client by checking its certificate and authenticates the user by verifying the user's credentials.

Thursday 14 February 2013

Threats, Vulnerabilities, Risks, Controls

Next we would be dealing with the concepts and subtleties involved in the terms threat, vulnerabilities, risk and impact. 

------------------------------------------------------------------------------------------------------------------

12] THREATS, VULNERABILITIES, RISK, IMPACT, what are the differences?

12.1) Threats : Threats are those entities which have the potential to cause harm to an asset. This asset can range from a small piece of paper to a large organisation of 100,000 employees. In cyber terms, a threat can be any type of malware. Jot down more such examples in cyber terms on your own so that you gain confidence in your understanding of this concept.

12.2) Vulnerabilities : Vulnerabilities are the weaknesses in the system which can be exploited (used) by threats. Let's start with ourselves as an example. When you have a high fever, this is simply your weakness, your vulnerability (please refer to any standard English dictionary if you are unaware of the general meaning of the word vulnerability). When you have a high fever (vulnerability), you are more prone to diseases such as malaria, cold, flu, etc. These diseases act as threats to you. In terms of computers and their networks, an example would be transferring some data over an unsecured connection. Here, the property of the connection being unsecured is a weakness, a vulnerability.

12.3) Risk : Risk is the likelihood or the probability that something bad (inconvenient or unwanted) will happen. Taking the example from the definition of vulnerability, when you are suffering from high fever and there is an ongoing epidemic in the town in which you live, then you are at high risk, meaning you have a higher probability of catching that epidemic.
In terms of computers and their networks, for example, when there is an attack going on against a network and you nevertheless plan to send data over an unsecured communication line, you are taking on a high degree of risk.

12.4) Impact : Impact is nothing but the value of the asset which is being protected from the threats. For example, if your data contains one line of information which says how the sun revolves, then we do not incur any risk here. It means that even if the data gets exposed, our organisation won't face any unwanted incident (threat).

Go through the terms once again and make a long list of examples for each term so that you master the concept at once.

We spoke about threats, risks, etc. Now how do we CONTROL them? Yes, the next topic deals in detail with Controls.

------------------------------------------------------------------------------------------------------------------
13] CONTROLS

Controls are those entities that mitigate the above mentioned risks and threats. We classify these controls into 3 broad fields, viz. Physical, Logical and Administrative.

13.1) Physical Controls : Physical controls are those controls which protect the physical environment in which our assets reside. For example, our home is our dear asset. To protect it from intruders, say thieves or harmful animals, we install big gates in front, fences on all 4 sides, and another gate on the back side. These gates and fences together comprise physical controls. In cyber terms, consider a server room or a data center in a large organisation. Such rooms are always protected with heavy metal doors with advanced locking mechanisms. Here these doors and locks together comprise physical controls. An important point to note is that fire safety mechanisms, air conditioning systems and backup generators are also physical controls.

13.2) Logical Controls : Logical controls are those controls which protect the systems, their networks and the environments that store, process and transmit our data. These logical controls include passwords, antivirus software, firewalls, intrusion detection systems, etc.

13.3) Administrative Controls : These controls comprise the rules, policies and procedures that an organisation's administration employs to ensure the organisation's security. For example, the rule which says everyone who takes coffee from the machine must switch off the machine after use. In cyber terms, an example would be changing passwords every 5th log in. These controls are nothing but how we want the users of our environment to behave.

----------------------------------------------------------------------------------------------------------------

Defense In Depth Strategy


14] DEFENSE IN DEPTH STRATEGY

The above words would make us visualize a scenario where we have many levels or a large number of defensive mechanisms in our organisation to protect it from unwanted, malicious intruders. Almost correct; let's take a deeper look at the concept.

Defense in Depth specifies employing a multi-layer defense mechanism. To put it more simply, it specifies having particular defense mechanisms at the various levels of the organisation. These levels would be, say, the external network, internal network, host layer, application layer and data layer. A diagram of this would simplify your thinking further.




                     (Photo credit : The Basics of Information Security by Jason Andress)

We will now see which defenses can be applied at which layer. All the unknown or unread terms appearing in the following section will be covered in detail in later posts on the blog.

14.1) Defense mechanisms at external network layer : These would include the following

(a) De-Militarized Zones (DMZ)
(b) Virtual Private Networks (VPN)
(c) Logging
(d) Auditing
(e) Penetration Testing
(f) Vulnerability Analysis
(g) Firewalls
(h) Proxy
(i) Stateful Packet Inspection

14.2) Defense mechanisms at internal network layer : These would include the following

(a) Intrusion Detection Systems (IDS)
(b) Intrusion Prevention Systems (IPS)
(c) Logging
(d) Auditing
(e) Penetration Testing
(f) Vulnerability Analysis

14.3) Defense mechanisms at host layer : These would include the following

(a) Authentication
(b) Firewalls
(c) IDS
(d) IPS
(e) Password Hashing
(f) Logging
(g) Auditing
(h) Penetration Testing
(i) Vulnerability Analysis

14.4) Defense mechanisms at Application layer : These would include the following

(a) Single Sign On (SSO)
(b) Content Filtering
(c) Data Validation
(d) Auditing
(e) Penetration Testing
(f) Vulnerability Analysis

14.5) Defense mechanisms at data layer : These would include the following

(a) Encryption
(b) Access Controls
(c) Backup
(d) Penetration Testing
(e) Vulnerability Analysis
----------------------------------------------------------------------------------------------------






Attacks

We will now cover the various types of attacks, and how these attacks fall under the triad's or the hexad's categories.
------------------------------------------------------------------------------------------------------------------


11] TYPES OF ATTACKS 

Attacking an entity in the cyber world is usually performed with a malicious intent. We can classify attacks on cyber systems (if confused by the term cyber system, please refer to the very top section of the blog for the explanation of the basic terms) into four categories, viz. Interception, Interruption, Modification and Fabrication (develop your own mnemonic so that you can remember these attacks for a long period). Before we begin with the actual explanation of the attacks, let's understand them roughly with the help of a picture.
      



                     (Photo credit : The Basics of Information Security by Jason Andress)

11.1) Interception : Interception is the unauthorized access to a communication between parties. Suppose two higher level officials of the FBI are discussing via email the security measures to be adopted during the President's next visit to, say, Afghanistan, and some random malicious cracker (not a hacker) succeeds in silently intruding on this communication. He will gain a wealth of information which, if disclosed, can bring about colossal damage to the US administration. Why is interception mapped to confidentiality in the above picture? Because, considering the above example, the information communicated between the officials is definitely confidential, and an interception attack is the one which would compromise it heavily.

11.2) Interruption : It's not uncommon to experience the situation where our browser displays a page which says, "Cannot connect to xyz.abc.com. Connection rejected by the server" or "Cannot connect to happy.go.lucky.com. Server taking too long to respond" (Chrome users would definitely agree on these messages). The reason for these messages is that the server is either experiencing a lot of load, or undergoing a temporary maintenance check, or it is under attack and the server's security team shut it down to avoid further propagation of the attack. And suppose we are accessing our data and an attack takes place; our access is interrupted. Clearly, then, interruption can be mapped to an attack on availability. But in the picture Interruption is also mapped to Integrity. Why? Because while an ongoing attack interrupts our services, thus attacking availability, it can also modify the data in process and thus compromise the Integrity aspect of our data transmission.

11.3) Modification : Modification involves tampering with the data in hand (accessible). Thus modification attacks the Integrity principle of our systems. But according to the figure above, it also attacks the Availability aspect. How? Consider for a moment that the data a cracker (or a hacker) tampers with is a critical system process. While the tampering with this process is ongoing, it is most likely that the system may stop functioning (crash), thereby not allowing users to access the content on the system.

11.4) Fabrication : Fabrication is nothing but cooking up false stories, but in a cyber world sense, it means generating/creating false data, false processes, false web pages or any such thing. How does Fabrication attack Integrity? Fabrication can involve intercepting the data in transmission and replacing it with fabricated data. How does it attack Availability? If a malicious hacker goes on creating false processes, false user requests to the server or false web traffic, it can cause the target system (servers, for example) to stop functioning and thereby deny access to legitimate users.

CIA Triad and Parkerian Hexad

10) The CIA triad - CONFIDENTIALITY, INTEGRITY, AVAILABILITY

            The CIA triad defines the baseline or the foundation for discussing security issues. Security professionals use this triad to map the various attacks and abnormalities arising when dealing with their systems.

10.1) Confidentiality : It's similar to a situation where a class teacher tells the students that she will be disclosing the result of the tests at exactly 3 pm, but before that this result will be handed over ONLY to the class head, who will be in charge of taking care of this result, with a warning that other students are not allowed to access it. I hope this common scenario helps the concept last long in our minds. It's simple: consider the result as the data which the teacher needs to protect from other students (except the class head); the class head is the only person authorized to access this CONFIDENTIAL data. Thus, by taking the above mentioned step, the teacher has attempted to keep the data confidential (before 3 pm), and this is nothing but confidentiality.

10.1.1) What is the difference between confidentiality and privacy then?
In simple terms, confidentiality is related to data whereas privacy is related to the person. Let's talk about privacy first. Privacy is the measure taken to decide who can access you (who can interact with you) and who cannot. We often hear people saying "please give me some privacy". Consider this statement from a celebrity's point of view. Here it means that any Tom, Dick and Harry is not allowed to meet (interact with) the celebrity now and then; only his close associates are allowed to do so. Another perspective on privacy is when a newspaper publishes a celebrity's very personal story (which might be quite embarrassing for that celebrity). The celebrity naturally expects that such information should not be openly disclosed. Disclosing his personal story is nothing but a breach of that celebrity's privacy. Next, how does it differ from confidentiality? Confidentiality is about keeping the data secret. If you have read about America's Manhattan Project, this term will be familiar to you. Its application (the bombing of Hiroshima and Nagasaki) was successful only because this "bombing" activity was kept secret, or confidential.

10.2) Integrity : Integrity in simple terms would be "oneness" of data. In other words, while the data is being transmitted across various entities it should not get tampered with or changed (deviate from the original). Tampering would cause wrong information to be communicated between the concerned parties and in many cases could cause severe financial losses. The concerned parties should take measures to ensure that while the data is being transmitted, no unauthorized entity can breach this transmission. The original data which was sent should be received as it is at the receiving end.

10.3) Availability : Imagine that one day you log in to your favorite gmail.com and alas! The page says your emails and attachments cannot be shown as the server is down (not functioning). Looking at the cause from a security perspective, we can conclude that the server might have been compromised by some malicious intruders. Thus Availability is access to our data when we need it. Not only our emails and attachments but also, maybe, our photos, our records, our data stored on cloud services, etc.

Any issue in information security, when it arises, can be mapped to the above three foundations and measures can be taken accordingly. There is also a concept called the PARKERIAN HEXAD, which adds three more baselines to the above three, bringing the number to 6, hence the name "Hexad".

10.4) Possession or control : This deals with the physical security of the data. If we have stored our data on portable hard disks, measures should be taken to ensure that no one can steal those hard disks under any circumstances. A laptop containing confidential information should be protected from breaches of physical security.

10.5) Authenticity : I-cards, Biometrics (will be covered later) and all such entities ensure that you are a genuine person associated with the concerned organisation. Authenticity is a check of genuineness and originality.

10.6) Utility : It concerns how useful the data is. For example, if you have encrypted the data on your storage device and someone steals this device, it would not be of much USE to him/her because the data is unreadable (assuming this thief is not an expert cryptanalyst).

Basic cyber security concepts


 1) What is meant by the term "information technology"?
--> Well, it can be narrowly described as a branch of engineering which deals with computers and telecommunications equipment to store, retrieve, transmit and manipulate data.
---------------------------------------------------------------------------------------------------------------
 2) What is meant by the term "cyber"?
--> Cyber means anything which is related to computers, information technology or the culture of computers.

--------------------------------------------------------------------------------------------------------------      
 3) What is meant by the term information security?

 --> Well, in layman's terms, it is safeguarding vital data from being leaked to unauthorized entities, from being changed (or transformed) during transmission and, more importantly, from being misused for harmful intentions and activities (terrorism, bank frauds).

      Having now a basic idea of what information security is, let us delve deeper to understand the technical aspect of this crucial concept. But before we proceed, we should clearly distinguish between terms such as information security, cyber security, network security, information assurance, etc. If you have been a follower of security related news and updates from forums, discussions, etc., you will have noticed that the demarcation between these terms is hardly highlighted, and that they are used incorrectly and sometimes even interchangeably. But this will lead you astray.
As we are talking about security, let's take a moment to look at what a Virus is. Basically it's an abbreviation standing for Vital Information Resource Under Siege (VIRUS). The subtle differences between a virus, worms, trojans, backdoor trojans, etc. are coming up in later sections.

a) Information security - This is security of information, and information includes any kind. For example, the file on your desktop containing your credentials, a hard copy file of confidential documents containing a company's strategy, or even that small diary of yours containing important formulas. Securing such entities is nothing but information security. Thus information security can be carried out by keeping security guards outside your data server room (in an organisation), by installing antivirus software on your computing machines to protect your data, or even by keeping locked the drawers which contain confidential documents. Information security is thus a generalized term and should not be used interchangeably with the terms below.

b) Cyber security - (Please read the explanation of the above term before proceeding ahead). It is nothing but securing the information stored, transmitted and used by computers. Thus we can deduce that cyber security is a subset of information security.

c) Network security - (Please read the explanation of the above terms before proceeding ahead). It is generally considered from a "computer network" perspective. Accordingly, it is concerned with the safety of data when it is involved in a transaction in a network. It also involves preventing and monitoring unauthorized access, misuse, modification, or denial of a computer network and network-accessible resources.

d) Information Assurance - Again in a simplified sense, an information assurance professional is one who decides the policies and the appropriate rules and regulations for the protection of information in an organisation. An information security professional, on the other hand, implements these policies and rules using tools such as intrusion detection/prevention systems, anti-malware software, etc. to safeguard an organisation's critical data.
[ Find more here:-  http://www.novainfosec.com/2011/08/30/information-assurance-versus-information-security/ ]

-----------------------------------------------------------------------------------------------------------------

4) Are hackers and crackers same? No. Why?

    Hackers : Hackers are those who break into a system with the sole purpose of learning that system, getting to know the flowchart of its processes, etc. Some of these people learn the system, find vulnerabilities and report them to the organisation without causing harm to its systems. But those who do cause harm to the organisation's systems fall into the next category, the crackers.

   Crackers : Crackers are those who break into a system with an intent to cause harm to it. They break the system, manipulate the data as they wish, modify the critical processes so that the organisation fails to provide its usual services, etc. Simply put, these are malicious hackers.
This is the reason why some hackers won't like to be called crackers.

-----------------------------------------------------------------------------------------------------------------

5) Quickly! The differences between malware, virus, worms, trojans, spyware, rootkit?

(a) Malware : An umbrella term meaning MALicious softWARE. It is authored by hackers and/or crackers to realize their malicious intents. It includes viruses, worms, trojans, etc.

(b) Virus : A program which replicates itself throughout the computer by attaching itself to other programs. It also contains malicious code intended to cause harm to the system in consideration. Viruses are sometimes merely annoying and sometimes a big threat to the system. This kind of malware is now largely superseded by trojan, worm and rootkit malware. Importantly, a virus program can only be initiated manually, i.e. only when the user clicks on the malicious file (usually .exe). A complete section on antiviruses, each antivirus's distinctiveness, their working methodology, their output, and the usual section for reviews and rankings, all this, soon on this blog.

(c) Worm : A worm is the next version of a virus. It spreads on a larger scale, traversing across various networks. Worms do not require manual initiation; they spread automatically, and this is why they are more harmful than viruses. They look for network loopholes to spread the attack. The usual way to do this is through email attachments, IM messaging portals, etc. Good network security practices and safe use of portable data storage equipment such as pen drives, portable hard disks, portable solid state drives, etc. can avert a worm attack.

(d) Trojans : This might be known to you if you have seen the famous movie Troy. Anyway, trojans are deceptive malware which appear as legitimate programs but perform malicious activities under this legitimacy. They are mostly found on serial key websites and some adult websites, which urge the user to download a file as if it were from an authenticated source. Even after downloading, they "appear" to be working correctly but are actually attacking the system.
Never download from an unknown site. Use Kaspersky Internet Security, which has a good malicious URL adviser incorporated in their mainstream products.

(e) Spyware : Spyware does not cause harm to the system but secretly spies on system activities and user activities: it logs the keystrokes of the user, checks the IM messages and emails being sent, and records passwords and other important banking credentials. Keystroke programs are so easily available that a kid as young as 10 years old could be the thief who steals an amount enough to keep us sleepless at night.

(f) Rootkit : Rootkits are malware designed to gain administrative access on the target system. In almost all cases, an administrator has full control over the systems. A successful rootkit attack can give the attacker an opportunity to exploit the system in his own way. Keeping a check on Access Control Lists (ACLs) and constant scheduled penetration testing of the system can largely keep this malware away.

Next we will enter into a discussion of the subtle differences between firewalls, intrusion detection systems and their types, intrusion prevention systems, and also penetration testing. Later we will move on to secure coding and its intricacies.
-----------------------------------------------------------------------------------------------------------------

6) Firewall:
 Quite widely used and in existence for a long time, firewalls are used to block types of traffic incoming from, say, a malicious website, server or user, a range of malicious IP addresses, particular company networks, etc. They filter such traffic and deny it entry into our network. In short, they BLOCK such traffic from invading our networks. But they do not trigger any alarm to the security team or administrator when they find or detect a malicious incoming activity. A common example of a firewall is Windows Firewall or the firewalls incorporated in our antivirus products.


-----------------------------------------------------------------------------------------------------------------

7) Intrusion Detection System(IDS) :
 IDS, as the name suggests, is a system which detects intrusion. This system detects any malicious or unwanted intrusion coming into the network and, if one is found, alerts the security team and/or the administrator of the organisation. Now how is it different from a firewall? A firewall blocks a malicious intrusion and triggers no alarm, whereas an IDS does not block any malicious intrusion but only detects it and raises an alarm. We will go into the types of IDS soon.


-----------------------------------------------------------------------------------------------------------------

8) Intrusion Detection and Prevention System (IDPS) : IDPS systems, as the name suggests, detect as well as prevent malicious intrusions. They also notify the administrator of any important observed activity taking place on the network. They prevent the attack themselves by changing the security environment, re-configuring the firewall, changing the attack's content, etc.
IDPSs are widely used in organisations, with advanced configurations to deal with various new types of attacks. A famous example would be Snort from Sourcefire; fortunately it is open source software.


-----------------------------------------------------------------------------------------------------------------

9) Types of Intrusion Detection Systems : 

a) Network based IDS (NIDS) : This acts as an independent platform and monitors the network activity of multiple hosts. It has sensors at the choke points in the network which closely monitor the network and detect and report any malicious activities that occur in it. Example: Snort.

b) Host based IDS (HIDS) : In this type, the sensors are usually software agents. They are located on the host and they detect an intrusion by analyzing system calls, file system modifications, application logs, access control lists, etc. Some application based IDS are also a part of this category. Examples: Tripwire, OSSEC.

c) Stack based IDS (SIDS) : In this system, the packets are analyzed as they pass through the TCP/IP stack.

IDS systems use the following two types of detection techniques, they are:-

1) Statistical anomaly based IDS : They determine what normal activity looks like, such as what bandwidth is generally used, what protocols are generally involved in a transaction or communication, and which ports and applications usually interact; if they detect any anomalous (irregular, abnormal) activity, they report it to the concerned administrator.

2) Signature based IDS : Mostly similar in working to an antivirus application; here the system inspects the incoming packets and compares them with predetermined attack patterns known as signatures. Antiviruses likewise compare the activity they detect with their signature databases.
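
As an added example (not code from the original post or from any IDS product), the two detection techniques above are run here over the same traffic, to show that each one catches what the other misses. The signatures, baseline figures, events and function names are all constructed; a z-score on request size stands in for the statistical model.

```python
"""Signature based and statistical anomaly based detection side by side."""
import re
import statistics

# Constructed signatures: name -> pattern of a known-bad request shape.
SIGNATURES = {
    "path-traversal": re.compile(r"(\.\./){2,}"),
    "script-tag": re.compile(r"<script\b", re.IGNORECASE),
}

# Constructed baseline: bytes per request seen during normal operation.
BASELINE_BYTES = [1200, 1350, 1100, 1280, 1190, 1320, 1250, 1210]

# Constructed live traffic (addresses from the RFC 5737 documentation range).
EVENTS = [
    {"id": 1, "src": "192.0.2.5", "bytes": 1240, "payload": "GET /index.html"},
    {"id": 2, "src": "192.0.2.9", "bytes": 1180, "payload": "GET /../../etc/passwd"},
    {"id": 3, "src": "192.0.2.7", "bytes": 98000, "payload": "POST /upload"},
    {"id": 4, "src": "192.0.2.5", "bytes": 1300, "payload": "GET /about.html"},
]


def signature_alerts(events, signatures=SIGNATURES):
    """Return (event id, signature name) for each payload matching a signature."""
    return [
        (event["id"], name)
        for event in events
        for name, pattern in signatures.items()
        if pattern.search(event["payload"])
    ]


def anomaly_alerts(events, baseline=BASELINE_BYTES, max_z=3.0):
    """Return (event id, z-score) for sizes far outside the learned baseline."""
    mean = statistics.mean(baseline)
    spread = statistics.pstdev(baseline)
    alerts = []
    for event in events:
        deviation = event["bytes"] - mean
        if spread:
            z = deviation / spread
        else:  # perfectly flat baseline: any deviation at all is abnormal
            z = 0.0 if deviation == 0 else float("inf")
        if abs(z) > max_z:
            alerts.append((event["id"], round(z, 1)))
    return alerts


def triage(events):
    """Combine both detectors: event id -> list of reasons it was flagged."""
    reasons = {}
    for event_id, name in signature_alerts(events):
        reasons.setdefault(event_id, []).append("signature:" + name)
    for event_id, _z in anomaly_alerts(events):
        reasons.setdefault(event_id, []).append("anomaly:bytes")
    return reasons


if __name__ == "__main__":
    # Event 2 looks normal in size but matches a known pattern;
    # event 3 matches no pattern but is far larger than the baseline.
    for event_id, why in sorted(triage(EVENTS).items()):
        print(event_id, why)
```

The signature detector is only as good as its pattern list, and the anomaly detector is only as good as its baseline, which is why deployments usually run both.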


Next we will be entering a more technical part of the information security domain. The following articles will continue to discuss various other basic concepts of information security.

------------------------------------------------------------------------------------------------------------------