Key Management for Wireless Sensor Networks in Building Environments

Kashif Kifayat, Madjid Merabti, Qi Shi, David Llewellyn-Jones
School of Computing & Mathematical Sciences, Liverpool John Moores University, UK.
Email: [email protected], {M.Merabti, Q.Shi, D.Llewellyn-Jones}@ljmu.ac.uk

Abstract – Key establishment and its management in Wireless Sensor Networks is a challenging problem due to the limited resources and disordered structure of such networks. In this paper we propose a key management technique for Wireless Sensor Networks in building environments. In our solution each floor of a building is assigned a unique master key that will be used to generate other keys between pairs of nodes on the same floor. In this way we provide secure communications between nodes, robust against node capture attack. Unlike other techniques our solution provides good resilience against node capture attack using less memory and maintaining maximum connectivity.
ISBN: 1-9025-6013-9 © 2006 PGNet

I. INTRODUCTION

Recent advances in wireless communications and electronics have enabled the development of low-cost, low-power, multifunctional sensor nodes that are small in size and communicate undeterred over short distances. These tiny sensor nodes, which consist of sensing, data processing, and communicating components, leverage the ideas of sensor networks. Sensor networks represent a significant improvement over traditional sensors [2]. Wireless Sensor Network (WSN) development is an exciting research area due to the constraints involved. The popularity of Wireless Sensor Networks is due in part to the small size of the sensors, their operations, and the networking behaviour, which enable them to provide significant advantages for many applications that were not possible in the past. Battlefield surveillance, forest fire detection, smart environments and environmental control in office buildings are well known applications.

In indoor and outdoor WSN applications, communications can be monitored and nodes are potentially subject to capture and surreptitious use by an adversary [1]. For this reason cryptographically protected communications are required. A keying relationship can be used to facilitate cryptographic techniques, whereby communicating entities share common data (keying material). This data may include public or secret keys, initialization values, or additional non-secret parameters [3]. Key management is the set of techniques and procedures supporting the establishment and maintenance of keying relationships between authorized parties.

There are two simple strategies for key management schemes. One is to use a single secret key over the entire network. This scheme is obviously efficient in terms of the cost of computation and memory. However the compromise of only a single node exposes all communications over the entire network, which is a serious deficiency. The other approach is to use distinct keys for all possible pairs of nodes. Then every node is preloaded with n - 1 keys, where n is the network size. This scheme guarantees perfect resilience in that links between non-compromised nodes are secure against any coalition of compromised nodes. However this scheme is not suitable for large networks since the key storage required per node increases linearly with the network size [4]. Consequently, in the first strategy the sharing of keys between nodes is high whilst in the second strategy sharing between the nodes is low.

Before further discussion on key management we need to highlight a number of important points. For any solution we need to set our priorities and requirements, since there are many threats in WSNs. What are our main aims that we hope to achieve from key management? Key management alone cannot provide a solution to all of these threats. We need to address those threats that can be stopped through key management. Threats that can't be stopped altogether through key management can at least be minimized. The possibility often arises to do unnecessary processing because of attacks that cannot be tackled only by key management. This must be avoided, since processing means resource utilization, which is dear in WSNs.

There are a good number of key management schemes but they do not all work efficiently in building environments. We have already proposed a routing algorithm and topology discovery technique [17] for building environments. For the next stage of development of efficient sensor networks in buildings we propose a key management scheme for the in-building environment. Our scheme provides good resilience against node capture attack using less memory and processing.

This paper is organized as follows. Section 2 overviews related work. Section 3 discusses key management solutions category-wise. Section 4 describes the security policy for our proposed solution.
Section 5 describes our key management solution and Section 6 explains the evaluation of our proposed scheme. We conclude with a summary of ideas for future work in Section 7.

II. RELATED WORKS

In this section we will give an overview of previously proposed solutions for key management.

A. Key pool based key management

Eschenauer and Gligor [1] proposed a probabilistic key pre-distribution scheme. They use a large pool of keys with
their key identifiers. Every sensor node is equipped with a fixed number of keys randomly chosen from the key pool with their key identifiers. After deployment every pair of nodes within wireless communication range establishes their common keys. If they share any common key in their assigned keys, they can pick one of them as their secret key. Path-key establishment can take place in case there is no common key between pairs of nodes.

Chan, Perrig and Song [5] extended the previous idea to overcome the difficulties that occur when a pair of nodes share no common key. In their proposed solution two nodes compute pair-wise keys only if they share at least q common keys. They use multiple keys to establish communication instead of just one key between nodes. Their idea is also based on the random selection of keys from a key pool.

Liu and Ning [6] designed two schemes for secure pair-wise communication in sensor networks: polynomial-based and grid-based key distribution protocols. The polynomial-based protocol further extends the idea of Eschenauer and Chan's works [1, 5]. Instead of pre-distributing keys, they actually pre-distribute polynomials from a polynomial pool.

Du et al. [7] modelled deployment knowledge and developed a key pre-distribution scheme based on this model. The scheme divides sensor nodes into t × n groups Gi,j and deploys them at a resident point (xi, yj) for 1 < i < t and 1 < j < n, where the points are arranged in a two dimensional grid. In the key setup phase the key-pool KP is divided into t × n key-pools KPi,j of size ωi,j. The pool KPi,j is used as the key-pool for the nodes in the group Gi,j. Given ωi,j and overlapping factors α and β, the key-pool is divided into subsets, where (i) two horizontally and vertically neighbouring key-pools have α × ωi,j keys in common, (ii) two diagonally neighbouring key-pools have β × ωi,j keys in common, and (iii) non-neighbouring key-pools do not share a key.
A basic probabilistic key pre-distribution scheme is applied within each group. The problem in this scheme is the difficulty in deciding the parameters ωi,j, α and β to provide adequate key connectivity [8].

B. Session based key management

A number of shared-session key negotiation protocols have been developed for sensor networks. SPINS [9] is a security suite that includes two protocols: SNEP and μTESLA. SNEP is for confidentiality, two party data authentication, integrity and data freshness, whilst μTESLA provides authentication for data broadcasting. Suppose node x wants to establish a shared-session key SKxy with node y through a trusted third party sink S. The sink plays a role as the key distribution centre. Node x will send a request message to node y. Node y receives this message and sends a message to the sink S. Sink S will perform the authentication and generate the shared-session key and send this key back to nodes x and y respectively.

The BROadcast Session Key (BROSK) [10] negotiation protocol stores a single master key in sensor nodes for the entire network. A pair of sensor nodes (Si, Sj) exchange random nonce values. The master key Km is used to establish a session key Ki,j = MAC(Km | Ni | Nj).
Roberto, Luigi, and Sushil [11] proposed a key management protocol for large sensor networks. The protocol is composed of two main phases. In the first phase, a new session key is generated, while in the second phase the new session key is distributed to all of the sensors in the WSN. In the first phase, each sensor autonomously generates the session key. The algorithm driving such a generation makes sure that each sensor generates the same key; the second phase focuses on ensuring that each sensor holds an appropriate set of cryptographic keys. This second phase is needed for synchronization.

C. Hierarchical based key management

Gaurav et al. [12] structure the sensor network in clusters, then assign one gateway (super node) to each cluster to be in charge of the cluster. Gateway nodes are equipped with more resources compared to the rest of the nodes. In their solution each sensor stores two keys. One key is shared with a gateway and the other with a sink.

Mathias and Wade [13] proposed a new network structure for their key management idea. They use a three-tier ad hoc network topology. At the top level there are high-power access points that route packets received via radio links to the wired infrastructure. On the second level there are medium-powered forwarding nodes and at the bottom level there are low power mobile sensor nodes with limited resources. The lower level nodes share keys with the level above them. For more security each node should have a personal initial certificate (iCert). They split sensing data into two parts: normal and sensitive data.

III. DISCUSSION

In this section we will critically assess various different solutions for key management in wireless sensor networks. First we consider solutions based on the key pool idea [1, 5, 6, 7, 14]. In these probabilistic key pre-distribution schemes we assign n keys to each node. After deployment a common key is selected in order to establish a secure communication link.
The important question that arises here is how this step can be performed. For example, suppose that every node has four keys after being randomly assigned keys from the key pool. To find common keys between two nodes each node needs to send each key ID one by one to other nodes for comparison. The other nodes will respond after a comparison as to whether there is a common key present or not. Comparing keys involves an extra communication overhead, and the process of comparison may provide an additional opportunity for the adversary to gain information about the keys. Once a common key has been found, two nodes will establish a secure link, but the uncommon keys will no longer be used. The path-key establishment only takes place in the case when no common key is found between pairs of nodes. To minimize path establishment, Chan et al. [5] and Du et al. [7] have proposed new solutions on the basis of the work of Eschenauer and Gligor [1]. The Polynomial-based and grid-based key distribution protocol of Liu and Ning [6] has several advantages over the protocols of Eschenauer and Gligor [1] and Chan et al. [5]. For example, sensors can be added
dynamically without having to contact the previously deployed sensors. Also, scalability is better since there is no upper limit on the network size.

According to Li Zhou et al. [18] the random key pre-distribution schemes suffer from two major problems, making them inappropriate for many applications. First these schemes require that the deployment density is high enough to ensure connectivity. Second the compromise of sets of keys or key spaces can lead to the compromise of the entire network. The grid-based scheme also has some nice properties that fit various applications. For example, it is guaranteed that two sensors will establish a pair-wise key if no sensors are compromised. Even if a small number of sensors are compromised, the probability of establishing a pair-wise key is still high [14].

Donggang and Peng [15] quote in their paper that μTESLA [9] will not be efficient in large sensor networks. For example μTESLA has 10 Kbps bandwidth and supports 30 byte messages. To bootstrap 2000 nodes, the base station has to send or receive at least 4000 packets to distribute the initial parameters, which takes at least 4000 × 30 × 8 / 10240 = 93.75 seconds even if the channel utilization is perfect. Such a method certainly cannot scale up to very large sensor networks, which may have thousands of nodes. Bocheng et al. [10] quote that the use of sinks for keying limits the scalability of the sensor network. Seyit and Bulent [8] explain that for master key based key pre-distribution solutions, once the master key has been compromised it is possible to derive all link keys.

In a hierarchical ad hoc sensor network [13] a sensor node with limited resources at level D stores keys for the upper two levels. This is an extra load on these sensor nodes. Gaurav et al. in the low energy key management protocol [12] have assigned two keys to every sensor node in a network. One key is shared with a gateway node and the other is shared with a sink.
This is similar to using a single shared key in a network, because the compromise of any node gives up these two keys, which can result in problems for the complete network.

The main reason for this discussion is to visualize the different issues that arise in existing proposed solutions. We highlighted some problems after discussing various different proposed solutions for key management in WSNs. There are a number of good solutions, but they only focus on a few specific issues and avoid others, which will indirectly affect sensor network performance or provide a chance for an adversary to attack. Due to the dynamic and sensitive nature of sensor networks key management solutions should be highly scalable and dynamic. The main aim should be to avoid any extra usage of communication, processing and memory for key establishment.

IV. SECURITY POLICY

Before proposing a solution we need to define the security policy for building environments that will provide a base for our proposed protocol. The security policy specifies the security requirements, threat priorities, and resource priorities.
A. Requirements

The group key management protocol must establish a shared key (or keys) among all the sensors that exchange application data to provide confidentiality and group-level authentication for application data [11]. Some of our WSN security requirements are given below.

I. Confidentiality: Provide privacy of the wireless communications channels to prevent eavesdropping.
II. Authentication: Authentication of other nodes, cluster heads, and sinks before revealing information.
III. Availability: Key management services must ensure that confidentiality and group-level authentication services are available to authorized parties when needed.
IV. Scalability: Key distribution schemes must support large networks.
V. Integrity: Must ensure that a message or the entity is not altered.
VI. Forward and Backward secrecy: Due to limited resources key management mechanisms must be efficient in terms of storage, processing, amount of processing required to establish a key, communication complexity, and number of messages exchanged during the key generation process [8].

B. Threat priorities

There are many threats in wireless sensor networks, such as eavesdropping, Denial of Service, the Sybil attack, HELLO floods, spoofing, alteration, selective forwarding, node capture and many others. The nature of each attack is distinct, but some attacks relate to each other so that one successful attack can cause other vulnerabilities to be easily exploited. For example, eavesdropping can cause denial of service, and alteration etc. We should therefore assign a high priority to such attacks. In our proposed solution we consider node capture and eavesdropping to be high priority attacks.

C. Use of resources for key management

During the process of key establishment we use the memory, processor, and transmission resources of the sensor node. If we fix the priorities for resources then it will be easier for us to propose a solution, viz.
more energy-starved resources will have lower priority. For example, information transmission (sending and receiving) uses more energy compared to local processing. Sending messages consumes more energy compared to receiving [16]. Therefore we should avoid transmission during key establishment. The use of the sensor node processor should be kept to a minimum. Memory usage does not consume significant energy directly compared to other resources so we prefer any method relying on memory over transmission. Consequently the first priority in our proposed solution is to minimize transmission, the second is to use less processing, and the final priority is to minimise memory usage. Another advantage of avoiding transmission during key establishment is to minimize the chance of eavesdropping. Sometimes a secure solution will prove expensive in terms of resources. We need a balanced solution from every viewpoint. Unfortunately, given the nature of
sensor networks, it is difficult to produce a 100% secure solution and secure methods are usually costly in terms of resources.

V. KEY MANAGEMENT

This section presents our proposed key management scheme for wireless sensor networks in building environments. From the discussion in previous sections we can conclude that our goals should be as follows.

• The protocol should avoid any communication between nodes during key generation in order to minimize the potential for eavesdropping.
• Compromise of a node should not lead to the compromise of any other node.

For efficient and well-managed wireless sensor networks researchers have proposed different methods and protocols. They manage large-scale networks by splitting them into regions or small groups of sensor nodes (logically or physically) using clustering, geographical division or topologies, etc. In our proposed scheme we have assigned a unique master key to each floor in the building. These keys will be set up in each sensor node before deployment. Once deployed, nodes at each floor will generate new keys using the master key and a random number as shown in Fig. 1. The sender node will encrypt a hello message using the newly generated key and send it to its neighbours along with the random number used. The neighbouring nodes will use the master key and random number to decrypt the received message. Once decryption is successfully completed that key will be used for further communication. The sender and receiver nodes will perform these steps once after deployment, after which the nodes will no longer retain the master key, apart from the local floor sink.

Sender Node
    Step 1: Generate a random number
        r ← random (n)
        where n is any number, e.g. 10,000,000
    Step 2: Key generation
        KID ← hash (Km, r)
        where Km is the master key for the current group.
    Step 3: Encrypt Hello message using KID and send to neighbouring node
        a) m ← E_KID (Hello)
        b) Send (m, r)

Receiver Node
    Step 1: Generate a key using received random number
        K = hash (Km, r)
    Step 2: Decrypt received message
        If E^-1_K (m) = "Hello" then
            Key "K" will be used for future communication between these two nodes.
        Else
            Report Group leader
        End if

Fig. 1. Operation after deployment
All of this pre-distribution process can be done before setting up the sensor network. Suppose a WSN in an indoor application such as a building has multiple floors. Each floor constitutes a group of sensor nodes, as shown in Fig. 2. The nodes on a floor are assigned a unique master key. To aid understanding we have taken one floor equipped with sensor nodes from Fig. 2 and depicted it in Fig. 3.
Fig. 2. Eight story building sensor network
The nodes linked with a solid line are active, the others are in a sleep state. Each link, e.g. L1, L2 or L3, is generated using a different key. Suppose L1 is created using K1 where K1 = hash (Km, 8) and L2 is created using K2 = hash (Km, 90) and so on. In the next step the sender node will send encrypted data along with the random number that was used to generate the key at the sender node. The receiver node will generate a key using that random number in order to decrypt the data.
Fig. 3. Nodes on a single floor
We will explain this process using an example. Suppose we consider Fig. 3 as a group of nodes. There are five nodes in the group: n1, n2, n3, n4, n5, n6, n7, n8, n9. All nodes have a shared key K (the master key).
Fig. 4. Key establishment
After deployment the nodes generate keys as shown below.

Kn = hash (K, r)

where K is the master key shared between nodes and r is a random number generated by the sender node.

K1 = hash (K, 5) → shared between n1 and n2
K2 = hash (K, 65) → shared between n2 and n3
K3 = hash (K, 31) → shared between n4 and n5
K4 = hash (K, 57) → shared between n5 and n6
K5 = hash (K, 52) → shared between n7 and n8
K6 = hash (K, 101) → shared between n8 and n9
K7 = hash (K, 99) → shared between n1 and n4
K8 = hash (K, 981) → shared between n4 and n7
K9 = hash (K, 321) → shared between n2 and n5
K10 = hash (K, 22) → shared between n5 and n8
K11 = hash (K, 26) → shared between n3 and n6
K12 = hash (K, 29) → shared between n6 and n9

These keys will be generated once and each key will be used between pairs of nodes. This method can only be used by nodes on a single floor. Using this method we can achieve:

• 100% connectivity between pairs of nodes. This contrasts with key pool based ideas where the uncommon keys problem causes communication overhead.
• We create secure links between nodes using different keys by generating them using one master key. Previous methods have used many keys to create links between nodes with different keys.
We have avoided such a risk in our scheme. The first advantage of group key management is that we have assigned a different master key to each group, which stops an adversary in the case of compromise of a group. Further, we are generating different keys between nodes using a random number. In our scheme the compromised nodes will not help an adversary to hack the remaining network.
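The following Python sketch is an added example, not code from the paper: it runs the Fig. 1 exchange over the nine-node floor of Fig. 4 with the r values listed above, then reports which links a captured node exposes. HMAC-SHA256 as hash(Km, r), the HMAC-derived keystream standing in for E_K, and the names Node, setup_floor and exposed_links are assumptions, since the paper does not name its hash or cipher.

```python
import hashlib
import hmac
import secrets

HELLO = b"Hello"
R_SPACE = 10_000_000  # the paper's example bound n for r <- random(n)

# (sender, receiver, r) for links K1..K12 of the Fig. 4 example floor
FIG4_LINKS = [
    ("n1", "n2", 5), ("n2", "n3", 65), ("n4", "n5", 31), ("n5", "n6", 57),
    ("n7", "n8", 52), ("n8", "n9", 101), ("n1", "n4", 99), ("n4", "n7", 981),
    ("n2", "n5", 321), ("n5", "n8", 22), ("n3", "n6", 26), ("n6", "n9", 29),
]


def derive_key(km: bytes, r: int) -> bytes:
    """K = hash(Km, r). HMAC-SHA256 is an assumed instantiation of 'hash'."""
    return hmac.new(km, r.to_bytes(8, "big"), hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC in counter mode, used only as a stand-in cipher keystream."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in for E_K: XOR with an HMAC-derived keystream (assumption)."""
    nonce = secrets.token_bytes(8)
    stream = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ s for p, s in zip(plaintext, stream))


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Stand-in for the inverse of E_K."""
    nonce, body = blob[:8], blob[8:]
    stream = _keystream(key, nonce, len(body))
    return bytes(c ^ s for c, s in zip(body, stream))


class Node:
    def __init__(self, name: str, km: bytes):
        self.name = name
        self.km = km      # floor master key, preloaded before deployment
        self.links = {}   # neighbour name -> link key

    def hello(self, peer: str, r=None):
        """Sender steps 1-3 of Fig. 1: returns (m, r) to transmit."""
        if r is None:
            r = secrets.randbelow(R_SPACE)
        key = derive_key(self.km, r)
        self.links[peer] = key
        return encrypt(key, HELLO), r

    def on_hello(self, peer: str, m: bytes, r: int) -> bool:
        """Receiver steps 1-2: False means 'report to group leader'."""
        key = derive_key(self.km, r)
        if not hmac.compare_digest(decrypt(key, m), HELLO):
            return False
        self.links[peer] = key
        return True

    def finish_setup(self):
        """Ordinary nodes drop Km once their links are established."""
        self.km = None


def setup_floor(km: bytes) -> dict:
    """Run the hello exchange on every Fig. 4 link, then erase Km."""
    nodes = {f"n{i}": Node(f"n{i}", km) for i in range(1, 10)}
    for sender, receiver, r in FIG4_LINKS:
        m, r_sent = nodes[sender].hello(receiver, r)
        if not nodes[receiver].on_hello(sender, m, r_sent):
            raise RuntimeError(f"{receiver} rejected hello from {sender}")
    for node in nodes.values():
        node.finish_setup()
    return nodes


def exposed_links(nodes: dict, captured: str) -> list:
    """Links whose key sits in the captured node's memory after setup."""
    held = set(nodes[captured].links.values())
    return sorted((a, b) for a, b, _ in FIG4_LINKS if nodes[a].links[b] in held)


if __name__ == "__main__":
    floor = setup_floor(secrets.token_bytes(16))  # constructed master key
    print("n5 capture exposes:", exposed_links(floor, "n5"))
```

After setup a captured ordinary node holds only the keys of its own links (four for n5, two for a corner node), so the number of stored keys follows the neighbour count. Because r travels in clear, any device that still holds Km, such as the floor sink, can recompute every link key on that floor.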
Fig. 5. Compromise of sensor network using node capture attack on the scheme of Du et al. [7]
Fig. 6 reflects the security under a node compromise attack. We have investigated the effect of node compromise in a network of 5000 nodes on a single floor. We can see that the resilience against the node capture attack is significantly improved through the application of our framework.
VI. EVALUATION

Since we are applying the mesh topology for sensor networks in buildings, we compare our proposed key management scheme with PIKE [23]. In Sections A and B we show our simulation results. Results are based on the averaged runs of 500 simulations.

A. Node Capture Attack

The advantage of this scheme over others [1, 5, 6, 7, 14] is that we are not using a key pool. Suppose there are 10,000 nodes in a sensor network, and the size of the key pool is 100,000 keys [7]. According to Du et al. [7] an increase in the number of random keys chosen from the key pool for each node will increase the connectivity, which is true. Moreover they show that if we can carry 100 keys in each sensor node using their method the probability of local connectivity with neighbouring nodes will be 0.687.

Now, suppose Cn is the number of compromised nodes and m is the number of compromised keys. The compromise of more nodes will allow an adversary to get more keys. Suppose we have a network of 10,000 sensor nodes. If an adversary gets 10 keys then the probability that it can communicate with any other node will be 0.024. If the number of compromised keys increases to 120 through the compromise of Cn nodes, the probability will increase to 0.871. We represent this in the graph (Fig. 5). This graph shows that the compromise of more nodes will help to compromise the complete network.
Fig. 6. Fraction of total communication compromised
B. Connectivity

The advantage of our scheme is that we have achieved absolute unconditional connectivity in any size of group (we ignore the impact of non-security related connectivity issues). As previously mentioned, every node keeps keys according to the local node density. Li et al. [18] also achieve 100% connectivity compared to other solutions [19] but their 100% connectivity is conditional. As they explain, their scheme will achieve full connectivity only with 55 keys in each group. The number of sensor nodes or size of floor does not affect the performance of our scheme either, unlike solutions such as the key pool based ideas. PIKE [20] also provides 100% connectivity.
C. Memory overhead

In this section we will compare our proposed scheme with PIKE [20]. For simplicity we consider key establishment only on a single floor and suppose there are no shared keys or keys between other floors. The memory overhead for PIKE-2D is ⌈ n ⌉ + 1 where n is the total number of nodes. Our scheme is more flexible in terms of memory overhead, since it requires only nk < d keys where nk is the number of keys and d is the density of sensor nodes. To compare memory overhead with PIKE we structured the network in a mesh. The number of sensor nodes does not affect memory overhead in our scheme, whereas for PIKE increasing the number of sensor nodes or the network size causes the number of keys in each node to increase. In our case the number of keys depends only on the number of neighbours a node has. Fig. 7 shows how network size affects memory use.
Fig. 7. Memory requirements for PIKE-2D, PIKE-3D, and for our scheme
VII. CONCLUSION AND FUTURE WORK

In this paper we have proposed a key management scheme for large-scale Wireless Sensor Networks in buildings. Our scheme provides maximum unconditional connectivity between neighbouring nodes. Our simulation results show that our scheme provides good resilience against node capture attacks. The number of nodes on a floor does not affect the performance of our scheme.

For future development we intend to extend our current scheme to incorporate floor-to-floor key management. We also need to address routing attacks in building environments. After simulating node capture attacks we have identified some further issues, such as the possibility for node capture attacks to lead to a black hole and other routing attacks. If node capture attacks occur on a series of nodes it can cause a total communication block from any part of the network, and this is something we will consider in future work.

REFERENCES

[1] L. Eschenauer and V. Gligor, A Key Management Scheme for Distributed Sensor Networks, CCS 2002
[2] Akyildiz, I.F., Su, W., Sankarasubramaniam, Y., and Cayirci, E., "A Survey on Sensor Networks," IEEE Communications Magazine, Vol. 40, No. 8, pp. 102-116, August 2002
[3] Anna Hac, Wireless Sensor Networks, John Wiley & Sons, 2003, ISBN 0-470-86736-1
[4] J. Lee and D.R. Stinson. Deterministic key predistribution schemes for distributed sensor networks. Lecture Notes in Computer Science 3357 (2005), 294-307 (SAC 2004 Proceedings)
[5] Haowen Chan, Adrian Perrig and Dawn Song, Random Key Predistribution Schemes for Sensor Networks. In 2003 IEEE Symposium on Research in Security and Privacy, pp. 197-213.
[6] Donggang Liu, Peng Ning, "Establishing Pairwise Keys in Distributed Sensor Networks," in Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS '03), pages 52-61, Washington D.C., October 2003
[7] Wenliang Du, Jing Deng, Yunghsiang S. Han, and Pramod Varshney. A Key Pre-distribution Scheme for Sensor Networks Using Deployment Knowledge. Submitted to the IEEE Transactions on Dependable and Secure Computing, 2005. This paper is an extended version of the INFOCOM'04 paper.
[8] Seyit A. Çamtepe, Bülent Yener, "Key Distribution Mechanisms for Wireless Sensor Networks: a Survey," TR-05-07, Rensselaer Polytechnic Institute, Computer Science Department, March 2005
[9] Adrian Perrig, Robert Szewczyk, Victor Wen, David Culler, and Doug Tygar, SPINS: Security Protocols for Sensor Networks, in Proceedings of Seventh Annual International Conference on Mobile Computing and Networks MOBICOM 2001, July 2001
[10] B.C. Lai, S. Kim, and I. Verbauwhede, "Scalable session key construction protocol for wireless sensor networks," Proc. IEEE Workshop on Large Scale Real-Time and Embedded Systems (LARTES), December 2002.
[11] Roberto Di Pietro, Luigi V. Mancini and Sushil Jajodia, "Providing secrecy in key management protocols for large wireless sensors networks," Ad Hoc Networks, Volume 1, Issue 4, November 2003, Pages 455-468
[12] G. Jolly, M.C. Kuscu, P. Kokate, and M. Younis. A Low-Energy Key Management Protocol for Wireless Sensor Networks. IEEE Symposium on Computers and Communications (ISCC'03). KEMER ANTALYA, TURKEY. June 30 - July 3 2003.
[13] Mathias Bohge and Wade Trappe, "An Authentication Framework for Hierarchical Ad Hoc Sensor Networks". WiSe03
[14] Scott C.-H. Huang, Maggie X. Cheng and Ding-Zhu Du, "GeoSENS: geo-based sensor network secure communication protocol," Computer Communications, In Press, Uncorrected Proof, Available online 12 February 2005
[15] Donggang Liu, Peng Ning, "Efficient Distribution of Key Chain Commitments for Broadcast Authentication in Distributed Sensor Networks," in Proceedings of the 10th Annual Network and Distributed System Security Symposium, pages 263-276, February 2003
[16] A. Sinha, A. Chandrakasan, Dynamic power management in wireless sensor networks, IEEE Design and Test of Computer 18 (2) (2001) 62-74.
[17] Kashif Kifayat, Madjid Merabti, Qi Shi, David Llewellyn-Jones, "Adaptive routing and Topologies Creations for WSN in building environment", PGNet 2005
[18] Li Zhou, Jinfeng Ni, Chinya V. Ravishankar (University of California at Riverside), "Efficient Key Establishment for Group-Based Wireless Sensor Deployments," WiSe 2005, September 2, 2005, Cologne, Germany
[19] Wenliang Du, Jing Deng, Yunghsiang S. Han. "A pair wise key predistribution schemes for wireless sensor networks." In ACM Conference on Computer and Communications security (CCS), 2003.
[20] H. Chan, A. Perrig. "PIKE: Peer intermediaries for key establishment in sensor networks". In INFOCOM, 2005.