
IDES Data Preparation - OpenSSL

Decrypting notifications received from IDES with OpenSSL


IDES Data Preparation

The International Data Exchange Service (IDES) is a secure managed file transfer service that allows financial institutions and tax authorities to securely send information on financial accounts held by U.S. taxpayers in accordance with the Foreign Account Tax Compliance Act (FATCA). Files transmitted via IDES must be encrypted and packaged in accordance with published data preparation instructions. The data preparation process is an important step to ensure that information transmitted via IDES conforms to U.S. security standards to safeguard sensitive information.

The IDES Data Preparation OpenSSL project repository demonstrates the commands necessary to decrypt notifications downloaded from the IDES portal. It includes Windows-specific commands, Linux-specific commands, and a process with manual editing that will work for those and other systems.

The sample commands are intended to be run from a batch file located along with the OpenSSL executable, the Key and Payload files from the notification, and the receiver's private key.

Please note that there are many open market tools that produce the same results; however, the IRS does not endorse any commercial products, including the frameworks used in the example.

CBC Encryption - Windows Batch Scripting

The following code should be placed into a batch file and run in the same folder as the openssl executable.

The following files are required and the filename in the batch script will need to be replaced with your filename for each:

cbctest_public.pem - This will be the IRS Public Key for upload into IDES. A copy of this test key is included in the repository for testing these commands. The .p12 this was created from is included as well with a password of "password".
PAYLOAD.ZIP - This is the Payload file that will be uploaded to IDES

A random 48 byte value will be created that will be used to create the AES key and the IV. The first command will encrypt the Payload and will use parsed values from the random 48 byte value. The second command will encrypt the 48 byte value that contains the AES key and the IV. The output from these commands will be the encrypted Payload and the encrypted Key file.


setlocal enabledelayedexpansion

openssl rand 48 > 48byterandomvalue.bin
hexdump /bare 48byterandomvalue.bin > 48byterandomvalue.txt

set /a counter=0
for /f "tokens=* delims= " %%i in (48byterandomvalue.txt) do (
set /a counter=!counter!+1
set var=%%i
if "!counter!"=="1" (set aes1=%%i)
if "!counter!"=="2" (set aes2=%%i)
if "!counter!"=="3" (set iv=%%i)
)

set result1=%aes1:~0,50%
set result1=%result1: =%
set result2=%aes2:~0,50%
set result2=%result2: =%
set aeskey=%result1%%result2%
set initvector=%iv:~0,50%
set initvector=%initvector: =%

openssl aes-256-cbc -e -in PAYLOAD.zip -out PAYLOAD -K %aeskey% -iv %initvector%

openssl rsautl -encrypt -certin -inkey cbctest_public.pem -in 48byterandomvalue.bin -out 000000.00000.TA.840_Key

Running the batch file: Image 1 Figure 1

CBC Decryption - Windows Batch Scripting

The following code should be placed into a batch file and run in the same folder as the openssl executable.

The following files are required and the filename in the batch script will need to be replaced with your filename for each:

KEYFILE - this is the Key file that will be in the downloaded notification .zip file, 000000.00000.TA.840_Key for example
cbctest_private.pem - This will be your private key that corresponds to the certificate that was uploaded into IDES. A copy of this test key is included in the repository for testing these commands. The .p12 this was created from is included as well with a password of "password".
PAYLOAD - this is the Payload file that will be in the downloaded notification .zip file

The first command will decrypt the 48 byte value which contains the AES key and the IV. The batch code will parse the hex values of the AES key and IV to prepare it for the second command. The second command will use the AES key and IV in hex format and decrypt the Payload file. The output will be the decrypted Payload .zip file.


setlocal enabledelayedexpansion

openssl rsautl -decrypt -hexdump -in KEYFILE -inkey cbctest_private.pem -out aeskeyandiv.txt

set /a counter=0
for /f "tokens=* delims= " %%i in (aeskeyandiv.txt) do (
set /a counter=!counter!+1
set var=%%i
if "!counter!"=="1" (set aes1=%%i)
if "!counter!"=="2" (set aes2=%%i)
if "!counter!"=="3" (set iv=%%i)
)

set result1=%aes1:~7,48%
set result1=%result1: =%
set result1=%result1:-=%
set result2=%aes2:~7,48%
set result2=%result2: =%
set result2=%result2:-=%
set aeskey=%result1%%result2%
set initvector=%iv:~7,48%
set initvector=%initvector: =%
set initvector=%initvector:-=%

openssl aes-256-cbc -d -in PAYLOAD -out PAYLOADOUT.zip -K %aeskey% -iv %initvector%

Running the batch file: Image 1 Figure 1

CBC Encryption - Linux Shell Scripting

Similar to the Windows method above, the following code should be placed into a shell script and run in the same folder as the openssl executable.

The following files are required and the file names passed to the shell script will need to be replaced with your filename for each:

RECEIVER_PUBLIC_KEY - This will be the IRS Public Key for upload into IDES. A test key for this has been included in the repository.
SENDER_PAYLOAD_IN - This is the Payload file that will be uploaded to IDES
ENCRYPTED_PAYLOAD_TO_SEND_OUT - This is the name of the encrypted Payload file that will be created
ENCRYPTED_AES_IV_TO_SEND_OUT - This is the name of the encrypted Key file that will be created

#!/bin/bash
#
# @author       Subir Paul (IT:ES:SE:PE)
#
#

SCRIPT=$0
function usage {
  printf 'Usage: %s -pubkey <receiver public key pem input file> -in <plain text input file> [-aeskeyiv <encrypted aeskey+iv output file>] [-out <cipher text output file>]\n' "$SCRIPT"
  exit 1
}

if [ $# -le 1 ]; then 
  usage
fi

# Reset all variables that might be set
INFILE=
OUTFILE=
PUBKEY=
AESKEYIV=

# Read command line args
while :; do
  case $1 in
    -h|--help) 
    usage 
    ;;
    -in|--in) 
      if [ -n "$2" ]; then
        INFILE=$2
        shift
      else
        printf 'ERROR: "-in" requires a non-empty option argument.\n' >&2
        exit 1
      fi
      ;;
    -pubkey|--pubkey) 
      if [ -n "$2" ]; then
        PUBKEY=$2
        shift
      else
        printf 'ERROR: "-pubkey" requires a non-empty option argument.\n' >&2
        exit 1
      fi
      ;;
    -aeskeyiv|--aeskeyiv) 
      if [ -n "$2" ]; then
        AESKEYIV=$2
        shift
      fi
      ;;
    -out|--out) 
      if [ -n "$2" ]; then
        OUTFILE=$2
        shift
      fi
      ;;
    --)  # End of all options.
      shift
      break
      ;;
    -?*)
      printf 'WARN: Unknown option (ignored): %s\n' "$1" >&2
      ;;
    *) # Default case: If no more options then break out of the loop.
      break
  esac
  shift
done

if [ -z "$PUBKEY" ]; then
  printf 'missing -pubkey <receiver public key pem input file>\n'
  usage
fi
if [ ! -f "$PUBKEY" ]; then
  printf 'missing receiver public key input file %s\n' "$PUBKEY"
  exit 1
fi
if [ -z "$INFILE" ]; then
  printf 'missing -in <plain text input file>\n'
  usage
fi
if [ ! -f "$INFILE" ]; then
  printf 'missing plain text input file %s\n' "$INFILE"
  exit 1
fi
# Default output names are derived from the input file name
if [ -z "$OUTFILE" ]; then
  OUTFILE="$INFILE.out"
fi
if [ -z "$AESKEYIV" ]; then
  AESKEYIV="$INFILE.aeskeyiv"
fi

echo "pubkey=$PUBKEY infile=$INFILE aeskeyiv=$AESKEYIV outfile=$OUTFILE" 

# Create 32 bytes random AES key (64 hex characters)
AESKEY=$(openssl rand -hex 32)

# Create 16 bytes random Initialization Vector (IV) (32 hex characters)
IV=$(openssl rand -hex 16)

# Encrypt payload with key AESKEY and iv IV
openssl enc -e -aes-256-cbc -in "$INFILE" -out "$OUTFILE" -K "$AESKEY" -iv "$IV"

# Concatenate 32 bytes AESKEY and 16 bytes IV
TMP="$AESKEY$IV"

# Convert AESKEY+IV hex to binary
AESKEYIVBIN="$AESKEYIV.bin"
printf '%s' "$TMP" | perl -pe '$_=pack("H*",$_)' > "$AESKEYIVBIN"

# Encrypt AESKEYIVBIN with receiver's RSA PKI public key
openssl rsautl -encrypt -out "$AESKEYIV" -pubin -inkey "$PUBKEY" -in "$AESKEYIVBIN"

# Delete AESKEYIVBIN, which holds the AES key and IV unencrypted
if [ -f "$AESKEYIVBIN" ]; then
  rm -f "$AESKEYIVBIN"
fi

# Check if OUTFILE and AESKEYIV are created
if [ -f "$OUTFILE" ] && [ -f "$AESKEYIV" ]; then
  echo "Cipher text payload file=$OUTFILE and aes key file=$AESKEYIV created"
fi

An example of running the script with the required parameters:

./encrypt.sh -pubkey ReceiverPublicKey.pem -in Sample_000000.00000.TA.124_Payload.signed.xml -aeskeyiv 000000.00000.TA.840_Key -out 000000.00000.TA.124_Payload

CBC Decryption - Linux Shell Scripting

Similar to the Windows method above, the following code should be placed into a shell script and run in the same folder as the openssl executable.

The following files are required and the file names passed to the shell script will need to be replaced with your filename for each:

RECEIVER_PRIVATE_KEY - This will be your private key that corresponds to the certificate that was uploaded into IDES. A copy of this test key is included in the repository for testing these commands.
RECEIVED_ENCRYPTED_PAYLOAD_IN - this is the Payload file that will be in the downloaded notification .zip file
RECEIVED_ENCRYPTED_AES_IV_IN - this is the Key file that will be in the downloaded notification .zip file, 000000.00000.TA.840_Key for example
DECRYPTED_PAYLOAD_OUT - this is the name of the decrypted output file

#!/bin/bash
#
# @author       Subir Paul (IT:ES:SE:PE)
#
#

SCRIPT=$0
function usage {
  printf 'Usage: %s -privatekey <receiver private key pem input file> -in <cipher text input file> [-aeskeyiv <encrypted aes+iv input file>] [-out <plain text output file>]\n' $SCRIPT
  exit 1
}

# Reset all variables that might be set
INFILE=
OUTFILE=
PRIVATEKEY=
AESKEYIV=

# Read command line args
while :; do
  case $1 in
    -h|--help) 
      usage 
      ;;
    -in|--in) 
      if [ -n "$2" ]; then
        INFILE=$2
        shift
      else
        printf 'ERROR: "-in" requires a non-empty option argument.\n' >&2
        exit 1
      fi
      ;;
    -aeskeyiv|--aeskeyiv) 
      if [ -n "$2" ]; then
        AESKEYIV=$2
        shift
      else
        printf 'ERROR: "-aeskeyiv" requires a non-empty option argument.\n' >&2
        exit 1
      fi
      ;;
    -privatekey|--privatekey) 
      if [ -n "$2" ]; then
        PRIVATEKEY=$2
        shift
      else
        printf 'ERROR: "-privatekey" requires a non-empty option argument.\n' >&2
        exit 1
      fi
      ;;
    -out|--out) 
      if [ -n "$2" ]; then
        OUTFILE=$2
        shift
      fi
      ;;
    --)  # End of all options.
      shift
      break
      ;;
    -?*)
      printf 'WARN: Unknown option (ignored): %s\n' "$1" >&2
      ;;
    *) # Default case: If no more options then break out of the loop.
      break
  esac
  shift
done

if [ -z "$PRIVATEKEY" ]; then
  printf 'missing -privatekey <receiver private key pem input file>\n'
  usage
fi
if [ ! -f "$PRIVATEKEY" ]; then
  printf 'missing receiver private key pem input file %s\n' "$PRIVATEKEY"
  exit 1
fi
if [ -z "$INFILE" ]; then
  printf 'missing -in <cipher text input file>\n'
  usage
fi
if [ ! -f "$INFILE" ]; then
  printf 'missing cipher text input file %s\n' "$INFILE"
  exit 1
fi
if [ -z "$AESKEYIV" ]; then
  printf 'missing -aeskeyiv <encrypted aes+iv input file>\n'
  usage
fi
if [ ! -f "$AESKEYIV" ]; then
  printf 'missing encrypted aes+iv input file %s\n' "$AESKEYIV"
  exit 1
fi
# Default output name is derived from the input file name
if [ -z "$OUTFILE" ]; then
  OUTFILE="$INFILE.out"
fi

echo "privatekey=$PRIVATEKEY infile=$INFILE aeskeyiv=$AESKEYIV outfile=$OUTFILE" 

# Decrypt encrypted AESKEY+IV using receiver's RSA PKI private key and convert the 48 bytes to hex
TMP=$(openssl rsautl -decrypt -in "$AESKEYIV" -inkey "$PRIVATEKEY" | perl -pe '$_=unpack("H*",$_)')

# Extract 32 bytes AESKEY (64 hex characters) and 16 bytes IV (32 hex characters)
AESKEY2DECRYPT=${TMP:0:64}
IV2DECRYPT=${TMP:64:32}

# Decrypt payload using AESKEY2DECRYPT and IV2DECRYPT
openssl enc -d -aes-256-cbc -in "$INFILE" -out "$OUTFILE" -K "$AESKEY2DECRYPT" -iv "$IV2DECRYPT"

# Check if OUTFILE was created
if [ -f "$OUTFILE" ]; then
  echo "Plain text payload file=$OUTFILE created"
fi


CBC - Linux Sample Script

An example of running the encrypt and decrypt scripts with the required parameters:

#!/bin/bash
#
# @author       Subir Paul (IT:ES:SE:PE)
#
#

RECEIVER_PUBLIC_KEY=ReceiverPublicKey.pem
SENDER_PAYLOAD_IN=Sample_000000.00000.TA.124_Payload.signed.xml
ENCRYPTED_PAYLOAD_TO_SEND_OUT=000000.00000.TA.124_Payload
ENCRYPTED_AES_IV_TO_SEND_OUT=000000.00000.TA.840_Key

# Usage: ./encrypt.sh -pubkey <receiver public key PEM file> -in <plain text file> [-aeskeyiv <encrypted aeskeyiv file>] [-out <cipher text file>]

./encrypt.sh -pubkey $RECEIVER_PUBLIC_KEY -in $SENDER_PAYLOAD_IN -aeskeyiv $ENCRYPTED_AES_IV_TO_SEND_OUT -out $ENCRYPTED_PAYLOAD_TO_SEND_OUT


RECEIVER_PRIVATE_KEY=ReceiverPrivateKey.pem
RECEIVED_ENCRYPTED_PAYLOAD_IN=000000.00000.TA.124_Payload
RECEIVED_ENCRYPTED_AES_IV_IN=000000.00000.TA.840_Key
DECRYPTED_PAYLOAD_OUT=000000.00000.TA.124_Payload.decrypted.xml

# Usage: ./decrypt.sh -privatekey <receiver private key PEM file> -in <cipher text file> [-aeskeyiv <encrypted aes+iv file>] [-out <plain text file>]

./decrypt.sh -in $RECEIVED_ENCRYPTED_PAYLOAD_IN -privatekey $RECEIVER_PRIVATE_KEY -aeskeyiv $RECEIVED_ENCRYPTED_AES_IV_IN -out $DECRYPTED_PAYLOAD_OUT


CBC - Manual OpenSSL Commands for Encryption and Decryption

If you are having trouble with an automated method above, there are additional steps you can take to encrypt or decrypt the AES key, manually get the required hex key data, and use it to decrypt the Payload file.

Creating the AES Key and IV:

A random 48 byte value will be created and a hex version will also be created. Both the binary and hex values will be used.

The following code should be run in the same folder as the openssl executable and necessary files.

openssl rand 48 > 48byterandomvalue.bin
hexdump /bare 48byterandomvalue.bin > 48byterandomvalue.txt

Creating the random 48 byte value: Image 2 Figure 2

The hexdump command above will output the 48 byte value in hexadecimal format, which is needed to encrypt the Payload file. However, there is extra information that is included that needs to be removed before it can be used in the next command. You can use a text editor to open the 48byterandomvalue.txt file which is the output of the hexdump command.

Example Hex data in Notepad++: Image 2 Figure 3

Example Hex data in Notepad: Image 2 Figure 4

The first two lines will become the AES key and the third line will become the IV. The hex content that is needed from the file is the 16 hex bytes at the start of each line. The rest of the information (the // and the text after it, and the spaces between the bytes) needs to be removed.

7E 39 08 C1 60 BA A8 86 EF 8C DE 3B E7 A0 0C 79 // ~9..`......;...y

0B 20 CC F6 47 3D 89 1A 8F AA F8 6F 3D C1 AC 15 // . ..G=.....o=...

39 71 72 82 33 B2 9E AB 2C 3A DD 29 92 4F 91 B1 // 9qr.3...,:.).O..

AES key (first two lines joined): 7E3908C160BAA886EF8CDE3BE7A00C790B20CCF6473D891A8FAAF86F3DC1AC15

IV (third line): 3971728233B29EAB2C3ADD29924F91B1

The first command to encrypt the Payload file can then be executed using the AES and IV hex values. The Payload file to be encrypted is needed as well as the two hex values.

openssl aes-256-cbc -e -in PAYLOAD.zip -out PAYLOAD -K 7E3908C160BAA886EF8CDE3BE7A00C790B20CCF6473D891A8FAAF86F3DC1AC15 -iv 3971728233B29EAB2C3ADD29924F91B1

Encrypting the Payload file: Image 2 Figure 5

The second command to encrypt the 48 byte AES key and IV file can then be executed. This will use the initial 48 byte binary file that was created as well as the receiver's public key.

openssl rsautl -encrypt -certin -inkey cbctest_public.pem -in 48byterandomvalue.bin -out 000000.00000.TA.840_Key

Encrypting the Payload file: Image 2 Figure 5

The end result of these two commands is the encrypted Payload and Key files needed for the IDES data packet.

Decrypting the AES key file:

openssl rsautl -decrypt -hexdump -in 000000.00000.TA.840_Key -inkey cbctest_private.pem -out aeskeyandiv.txt

Image 2 Figure 6

The hexdump flag in the command above will output the key in hexadecimal format which is needed to decrypt the Payload file. However, there is extra information that is included that needs to be removed before it can be used in the next command. You can use a text editor to open the aeskeyandiv.txt file which is the output of the first command.

Example Hex data in Notepad++: Image 2 Figure 7

There are three lines in the file. The first two are the AES key and the third is the IV. The hex content that is needed from the file is the 16 hex bytes in the middle of each line. The rest of the information (the offset at the start of the line and the text after the hex bytes) needs to be removed.

0000 - 7e 39 08 c1 60 ba a8 86-ef 8c de 3b e7 a0 0c 79 ~9..`......;...y

0010 - 0b 20 cc f6 47 3d 89 1a-8f aa f8 6f 3d c1 ac 15 . ..G=.....o=...

0020 - 39 71 72 82 33 b2 9e ab-2c 3a dd 29 92 4f 91 b1 9qr.3...,:.).O..

With the offset and the text column removed:

7e 39 08 c1 60 ba a8 86-ef 8c de 3b e7 a0 0c 79

0b 20 cc f6 47 3d 89 1a-8f aa f8 6f 3d c1 ac 15

39 71 72 82 33 b2 9e ab-2c 3a dd 29 92 4f 91 b1

With the spaces and dashes removed:

AES key (first two lines joined): 7E3908C160BAA886EF8CDE3BE7A00C790B20CCF6473D891A8FAAF86F3DC1AC15

IV (third line): 3971728233B29EAB2C3ADD29924F91B1

The second command to decrypt the Payload file can then be executed using the AES key and the IV. The Payload file from the downloaded notification zip file is needed as well as the 64 character hex key string (AES key) and 32 character hex string (IV).

openssl aes-256-cbc -d -in PAYLOAD -out PAYLOADOUT.zip -K 7E3908C160BAA886EF8CDE3BE7A00C790B20CCF6473D891A8FAAF86F3DC1AC15 -iv 3971728233B29EAB2C3ADD29924F91B1

Decrypting the Payload file: Image 2 Figure 8

This will decrypt the encrypted Payload file giving you the zip file which contains the XML Payload file.

Folder Contents with the Payload .zip file: Image 2 Figure 9

The decrypted .zip file contains the Payload file: Image 2 Figure 10

PLEASE NOTE: THE FOLLOWING SAMPLES ARE FOR ECB DECRYPTION ONLY. THESE ARE PROVIDED FOR LEGACY DECRYPTION AND WILL NOT BE COMPATIBLE WITH IDES AFTER JULY 9, 2016.

ECB Decryption - Windows Batch Scripting

The following code should be placed into a batch file and run in the same folder as the openssl executable.

The following files are required and the filename in the batch script will need to be replaced with your filename for each:

KEYFILE - this is the Key file that will be in the downloaded notification .zip file
PRIVATEKEY - this will be your private key that corresponds to the certificate that was uploaded into IDES
PAYLOAD - this is the Payload file that will be in the downloaded notification .zip file

The first command will decrypt the AES key. The batch code will parse the hex values of the AES key and prepare it for the second command. The second command will use the AES key in hex format and decrypt the Payload file. The output will be the decrypted Payload .zip file.


openssl rsautl -decrypt -hexdump -in KEYFILE -inkey PRIVATEKEY -out aeskey.txt

set /p firstline=< aeskey.txt  
Set line1=%firstline%     
set result1=%line1:~7,48%                           

Setlocal EnableDelayedExpansion
for /f "tokens=* delims= " %%i in (aeskey.txt) do (
set var=%%i
)
set result2=!var:~7,48!  

set result1=%result1: =%
set result1=%result1:-=%
set result1=%result1:~0,32%
set result2=%result2: =%
set result2=%result2:-=%
set result2=%result2:~0,32%
set combined=%result1%%result2%

openssl aes-256-ecb -d -in PAYLOAD -out PAYLOAD.zip -K %combined%


Running the batch file: Image 11 Figure 11

ECB Decryption - Linux Shell Scripting

Similar to the Windows method above, the following code should be placed into a shell script and run in the same folder as the openssl executable. However, this script will use the cut command to prepare the hex data.

The following files are required and the file names passed to the shell script will need to be replaced with your filename for each:

private_key - this will be your private key that corresponds to the certificate that was uploaded into IDES
key_file - this is the Key file that will be in the downloaded notification .zip file
payload_file - this is the Payload file that will be in the downloaded notification .zip file

private_key=$1 #this will be your private key that corresponds to the certificate that was uploaded into IDES
key_file=$2 #this is the Key file that will be in the downloaded notification .zip file
payload_file=$3 #this is the Payload file that will be in the downloaded notification .zip file
output_file=$4 #this is the expected output filename, and will be in a .zip format

# Decrypt the Key file, keep only the hex byte columns of the hexdump, and join them into one hex string
hexvalue=$(openssl rsautl -decrypt -hexdump -inkey "$private_key" -in "$key_file" | cut -c-55 | cut -c7-55 | tr -d "\n" | sed 's/[ -]//g')

openssl enc -d -aes-256-ecb -in "$payload_file" -out "$output_file" -K "$hexvalue"

An example of running the script with the required parameters:

decrypt.sh privatekey.pem 000000.00000.TA.124_Key 000000.00000.TA.840_Payload 000000.00000.TA.840_Payload.zip

ECB Decryption - Manual OpenSSL Commands

If you are having trouble with an automated method above, there are additional steps you can take to decrypt the AES key, manually get the required hex key data, and use it to decrypt the Payload file.

The process is similar to the automated method above. The following files are required and the filename in the batch script will need to be replaced with your filename for each:

KEYFILE - this is the Key file that will be in the downloaded notification .zip file
PRIVATEKEY - this will be your private key that corresponds to the certificate that was uploaded into IDES
PAYLOAD - this is the Payload file that will be in the downloaded notification .zip file

The following code should be run in the same folder as the openssl executable and necessary files.

Decrypting the AES key: Image 2 Figure 12

The hexdump flag in the command above will output the key in hexadecimal format which is needed to decrypt the Payload file. However, there is extra information that is included that needs to be removed before it can be used in the next command. You can use a text editor to open the aeskey.txt file which is the output of the first command.

Example Hex data in Notepad++: Image 3 Figure 13

Example Hex data in Notepad: Image 4 Figure 14

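The hex content that is needed from the file is the 16 hex bytes in the middle of each line. The rest of the information (the offset at the start of the line and the text after the hex bytes) needs to be removed.

0000 - e0 a8 fc 55 88 72 3d 5f-24 0f e4 7f 39 42 df a9 ...U.r=_$...9B..

0010 - c4 34 ab 26 bb b2 dc 20-65 59 d7 14 cd b0 15 47 .4.&... eY.....G

With the offset and the text column removed:

e0 a8 fc 55 88 72 3d 5f-24 0f e4 7f 39 42 df a9

c4 34 ab 26 bb b2 dc 20-65 59 d7 14 cd b0 15 47

With the spaces and dashes removed and the two lines joined:

e0a8fc5588723d5f240fe47f3942dfa9c434ab26bbb2dc206559d714cdb01547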

The second command to decrypt the Payload file can then be executed using the 64 character hex key string. The Payload file from the downloaded notification zip file is needed as well as the 64 character hex key string.

openssl aes-256-ecb -d -in 000000.00000.TA.840_Payload -out 000000.00000.TA.840_Payload.zip -K e0a8fc5588723d5f240fe47f3942dfa9c434ab26bbb2dc206559d714cdb01547

Decrypting the Payload file: Image 5 Figure 15

This will decrypt the encrypted Payload file giving you the zip file which contains the XML Payload file.

Folder Contents with the Payload .zip file: Image 6 Figure 16
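
Both manual procedures above (CBC and legacy ECB) depend on cutting the hex bytes out of the openssl rsautl -hexdump text by hand. The following shell functions are an added example, not part of the IRS repository: they do that extraction by column position and refuse anything that is not exactly 48 bytes (CBC key plus IV) or 32 bytes (ECB key). The function names, the mode argument and the embedded sample are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the IRS repository): turn the text written by
# "openssl rsautl -decrypt -hexdump" into the hex strings for -K and -iv.

# Constructed sample: the three hexdump lines shown on this page.
SAMPLE_HEXDUMP='0000 - 7e 39 08 c1 60 ba a8 86-ef 8c de 3b e7 a0 0c 79   ~9..`......;...y
0010 - 0b 20 cc f6 47 3d 89 1a-8f aa f8 6f 3d c1 ac 15   . ..G=.....o=...
0020 - 39 71 72 82 33 b2 9e ab-2c 3a dd 29 92 4f 91 b1   9qr.3...,:.).O..'

# hexdump_to_hex: stdin = hexdump text, stdout = one continuous hex string.
# Columns 8-54 hold the 16 hex bytes of a line. Cutting by position drops the
# offset and the printable-text column, which can itself contain hex digits,
# spaces and dashes and so cannot be filtered character by character.
hexdump_to_hex() {
  cut -c8-54 | sed 's/[ -]//g' | tr -d '\n'
}

# split_key_iv MODE: stdin = hexdump text.
#   cbc -> prints "<64 hex AES key> <32 hex IV>"  (48 bytes expected)
#   ecb -> prints "<64 hex AES key>"              (32 bytes expected, legacy)
# Returns 1 if the material is not hex or has the wrong length, so a failed
# or truncated RSA decryption never reaches the AES step.
split_key_iv() {
  mode=$1
  case $mode in
    cbc) want=96 ;;
    ecb) want=64 ;;
    *) echo "unknown mode: $mode" >&2; return 2 ;;
  esac
  hex=$(hexdump_to_hex)
  case $hex in
    ''|*[!0-9a-fA-F]*) echo "key material is not hex" >&2; return 1 ;;
  esac
  if [ "${#hex}" -ne "$want" ]; then
    echo "got ${#hex} hex digits, expected $want" >&2
    return 1
  fi
  key=$(printf '%s' "$hex" | cut -c1-64)
  if [ "$mode" = cbc ]; then
    iv=$(printf '%s' "$hex" | cut -c65-96)
    printf '%s %s\n' "$key" "$iv"
  else
    printf '%s\n' "$key"
  fi
}

# Demo on the constructed sample; with real files the input would come from
#   openssl rsautl -decrypt -hexdump -in KEYFILE -inkey cbctest_private.pem
printf '%s\n' "$SAMPLE_HEXDUMP" | split_key_iv cbc
```

The two words printed in cbc mode are the values for -K and -iv in the openssl aes-256-cbc -d command shown earlier.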

Disclaimer:

We waive copyright and related rights in the work worldwide through the CC0 1.0 Universal public domain dedication. Unless expressly stated otherwise, the person who associated a work with this deed makes no warranties about the work, and disclaims liability for all uses of the work, to the fullest extent permitted by applicable law. When using or citing the work, you should not imply endorsement by the author or the affirmer.