HTTPS connections - How are the keypairs managed












1














In an HTTPS connection, a client and a server exchange public keys and use these keys to encrypt their messages using an algorithm (e.g. RSA) (Asymmetric encryption). Interestingly, for HTTPS connections on web, after both sides assure they have a secure channel, they transmit a key for sending further messages encrypted by another algorithm (Symmetric encryption). Symmetric encryption is used because asymmetric encryption is computationally heavy. After they agree upon a single secret encryption key, the server and client can easily transmit messages (text, images, heavy video, etc).



Now, my questions are : How is the keypair(s) used for https connections managed? Does the OS manage them or is it the browsers? Where are they stored? Can one change them? Is a (new) keypair generated for every https connection that a client makes?



Logically, a single keypair will serve a client for lifetime. So each OS needs to have a bunch of keys of various lengths generated for each algorithm.



Specifically, I'm very curious about how it is done in android. I am trying to decide on how to manage https connections in my app, but I didn't find any libraries that allow me to use a specific keypair for the connection, and that made me thinking about all these stuff.










share|improve this question



























    1














    In an HTTPS connection, a client and a server exchange public keys and use these keys to encrypt their messages using an algorithm (e.g. RSA) (Asymmetric encryption). Interestingly, for HTTPS connections on web, after both sides assure they have a secure channel, they transmit a key for sending further messages encrypted by another algorithm (Symmetric encryption). Symmetric encryption is used because asymmetric encryption is computationally heavy. After they agree upon a single secret encryption key, the server and client can easily transmit messages (text, images, heavy video, etc).



    Now, my questions are : How is the keypair(s) used for https connections managed? Does the OS manage them or is it the browsers? Where are they stored? Can one change them? Is a (new) keypair generated for every https connection that a client makes?



    Logically, a single keypair will serve a client for lifetime. So each OS needs to have a bunch of keys of various lengths generated for each algorithm.



    Specifically, I'm very curious about how it is done in android. I am trying to decide on how to manage https connections in my app, but I didn't find any libraries that allow me to use a specific keypair for the connection, and that made me thinking about all these stuff.










    share|improve this question

























      1












      1








      1







      In an HTTPS connection, a client and a server exchange public keys and use these keys to encrypt their messages using an algorithm (e.g. RSA) (Asymmetric encryption). Interestingly, for HTTPS connections on web, after both sides assure they have a secure channel, they transmit a key for sending further messages encrypted by another algorithm (Symmetric encryption). Symmetric encryption is used because asymmetric encryption is computationally heavy. After they agree upon a single secret encryption key, the server and client can easily transmit messages (text, images, heavy video, etc).



      Now, my questions are : How is the keypair(s) used for https connections managed? Does the OS manage them or is it the browsers? Where are they stored? Can one change them? Is a (new) keypair generated for every https connection that a client makes?



      Logically, a single keypair will serve a client for lifetime. So each OS needs to have a bunch of keys of various lengths generated for each algorithm.



      Specifically, I'm very curious about how it is done in android. I am trying to decide on how to manage https connections in my app, but I didn't find any libraries that allow me to use a specific keypair for the connection, and that made me thinking about all these stuff.










      share|improve this question













      In an HTTPS connection, a client and a server exchange public keys and use these keys to encrypt their messages using an algorithm (e.g. RSA) (Asymmetric encryption). Interestingly, for HTTPS connections on web, after both sides assure they have a secure channel, they transmit a key for sending further messages encrypted by another algorithm (Symmetric encryption). Symmetric encryption is used because asymmetric encryption is computationally heavy. After they agree upon a single secret encryption key, the server and client can easily transmit messages (text, images, heavy video, etc).



      Now, my questions are : How is the keypair(s) used for https connections managed? Does the OS manage them or is it the browsers? Where are they stored? Can one change them? Is a (new) keypair generated for every https connection that a client makes?



      Logically, a single keypair will serve a client for lifetime. So each OS needs to have a bunch of keys of various lengths generated for each algorithm.



      Specifically, I'm very curious about how it is done in android. I am trying to decide on how to manage https connections in my app, but I didn't find any libraries that allow me to use a specific keypair for the connection, and that made me thinking about all these stuff.







      android encryption https cryptography operating-system






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Nov 20 at 19:13









      Shamshun

      6019




      6019
























          1 Answer
          1






          active

          oldest

          votes


















          0















          In an HTTPS connection, a client and a server exchange public keys and use these keys to encrypt their messages using an algorithm (e.g. RSA) (Asymmetric encryption)




          This is not true. The key pairs are used to establish a pre-master secret, from which the symmetric keys are derived. This can be done by using key agreement (DH/DHE/ECDH/ECDHE ciphersuites) in TLS up to and including TLS 1.3. In earlier versions of the standard it is also possible to encrypt that secret - generated by the client - using RSA encryption, just using the key pair of the server.




          Interestingly, for HTTPS connections on web, after both sides assure they have a secure channel, they transmit a key for sending further messages encrypted by another algorithm (Symmetric encryption).




          No, the pre-master secret is used to generate the master secret, which is then used to derive the session keys using a key derivation function, generally called a PRF in TLS standards up to 1.3.




          Symmetric encryption is used because asymmetric encryption is computationally heavy.




          It also expands the ciphertexts by a much larger amount than asymmetric encryption. It is a misconception that it depends just on being computationally heavy. Otherwise this is correct.




          After they agree upon a single secret encryption key, the server and client can easily transmit messages (text, images, heavy video, etc).




          No. First of all the previous messages need to be authenticated. Otherwise an attacker could insert information to attack the scheme. Furthermore, two to four keys are used to encrypt the data frames. If a cipher with authentication is needed then one key is used to create messages in either direction. If a cipher without authentication is used then another key is needed for each direction to provide integrity and authenticity by calculating a MAC - commonly HMAC.




          Now, my questions are : How is the keypair(s) used for https connections managed?




          That depends on the key pair and the implementation.




          Does the OS manage them or is it the browsers?




          That depends as well. Firefox certainly manages it's own keys and certificates. However IE and Edge generally use SChannel, a TLS implementation within Windows that uses the Windows certificate / key store.




          Where are they stored?




          Ephemeral (temporary) key pairs are generally kept in memory. Static key pairs are generally kept in permanent storage or they may even be hardware protected.




          Can one change them?




          No, you can generate new ones, but if you change them then they will not be valid anymore.




          Is a (new) keypair generated for every https connection that a client makes?




          The E in DHE and ECDHE based ciphersuites means ephemeral. For the - sparsely used - DH and ECDH schemes one key pair is static and the other one is ephemeral. Otherwise key pairs are static and the answer is no. The public keys of static key pairs are generally within X.509 certificates. To use static key pairs it is important to establish trust in the public key.




          Logically, a single keypair will serve a client for lifetime. So each OS needs to have a bunch of keys of various lengths generated for each algorithm.




          That's complete and utter nonsense. A client will generally not even have a key pair. Certificates all have a validity period in which they need used. A client commonly doesn't even have a certificate. Keys need to be renewed. Ephemeral key pairs are generated on the fly.




          Specifically, I'm very curious about how it is done in android. I am trying to decide on how to manage https connections in my app, but I didn't find any libraries that allow me to use a specific keypair for the connection, and that made me thinking about all these stuff.




          You should not be thinking, because anything you wrote above is utterly wrong (well except for that single sentence, which is merely incomplete). You should be reading - for the TLS RFC's for starters. Thinking comes after you've established a sufficient base of knowledge.



          If you have any interesting thoughts now: write them down, learn, and then check if they are worth keeping.






          share|improve this answer























          • Note that I've also voted to close this. I have posted it as you have shown clear interest in TLS, so please see this as a short personal tutorial on the subject.
            – Maarten Bodewes
            Nov 21 at 18:19











          Your Answer






          StackExchange.ifUsing("editor", function () {
          StackExchange.using("externalEditor", function () {
          StackExchange.using("snippets", function () {
          StackExchange.snippets.init();
          });
          });
          }, "code-snippets");

          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "1"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53399983%2fhttps-connections-how-are-the-keypairs-managed%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes









          0















          In an HTTPS connection, a client and a server exchange public keys and use these keys to encrypt their messages using an algorithm (e.g. RSA) (Asymmetric encryption)




          This is not true. The key pairs are used to establish a pre-master secret, from which the symmetric keys are derived. This can be done by using key agreement (DH/DHE/ECDH/ECDHE ciphersuites) in TLS up to and including TLS 1.3. In earlier versions of the standard it is also possible to encrypt that secret - generated by the client - using RSA encryption, just using the key pair of the server.




          Interestingly, for HTTPS connections on web, after both sides assure they have a secure channel, they transmit a key for sending further messages encrypted by another algorithm (Symmetric encryption).




          No, the pre-master secret is used to generate the master secret, which is then used to derive the session keys using a key derivation function, generally called a PRF in TLS standards up to 1.3.




          Symmetric encryption is used because asymmetric encryption is computationally heavy.




          It also expands the ciphertexts by a much larger amount than asymmetric encryption. It is a misconception that it depends just on being computationally heavy. Otherwise this is correct.




          After they agree upon a single secret encryption key, the server and client can easily transmit messages (text, images, heavy video, etc).




          No. First of all the previous messages need to be authenticated. Otherwise an attacker could insert information to attack the scheme. Furthermore, two to four keys are used to encrypt the data frames. If a cipher with authentication is needed then one key is used to create messages in either direction. If a cipher without authentication is used then another key is needed for each direction to provide integrity and authenticity by calculating a MAC - commonly HMAC.




          Now, my questions are : How is the keypair(s) used for https connections managed?




          That depends on the key pair and the implementation.




          Does the OS manage them or is it the browsers?




          That depends as well. Firefox certainly manages it's own keys and certificates. However IE and Edge generally use SChannel, a TLS implementation within Windows that uses the Windows certificate / key store.




          Where are they stored?




          Ephemeral (temporary) key pairs are generally kept in memory. Static key pairs are generally kept in permanent storage or they may even be hardware protected.




          Can one change them?




          No, you can generate new ones, but if you change them then they will not be valid anymore.




          Is a (new) keypair generated for every https connection that a client makes?




          The E in DHE and ECDHE based ciphersuites means ephemeral. For the - sparsely used - DH and ECDH schemes one key pair is static and the other one is ephemeral. Otherwise key pairs are static and the answer is no. The public keys of static key pairs are generally within X.509 certificates. To use static key pairs it is important to establish trust in the public key.




          Logically, a single keypair will serve a client for lifetime. So each OS needs to have a bunch of keys of various lengths generated for each algorithm.




          That's complete and utter nonsense. A client will generally not even have a key pair. Certificates all have a validity period in which they need used. A client commonly doesn't even have a certificate. Keys need to be renewed. Ephemeral key pairs are generated on the fly.




          Specifically, I'm very curious about how it is done in android. I am trying to decide on how to manage https connections in my app, but I didn't find any libraries that allow me to use a specific keypair for the connection, and that made me thinking about all these stuff.




          You should not be thinking, because anything you wrote above is utterly wrong (well except for that single sentence, which is merely incomplete). You should be reading - for the TLS RFC's for starters. Thinking comes after you've established a sufficient base of knowledge.



          If you have any interesting thoughts now: write them down, learn, and then check if they are worth keeping.






          share|improve this answer























          • Note that I've also voted to close this. I have posted it as you have shown clear interest in TLS, so please see this as a short personal tutorial on the subject.
            – Maarten Bodewes
            Nov 21 at 18:19
















          0















          In an HTTPS connection, a client and a server exchange public keys and use these keys to encrypt their messages using an algorithm (e.g. RSA) (Asymmetric encryption)




          This is not true. The key pairs are used to establish a pre-master secret, from which the symmetric keys are derived. This can be done by using key agreement (DH/DHE/ECDH/ECDHE ciphersuites) in TLS up to and including TLS 1.3. In earlier versions of the standard it is also possible to encrypt that secret - generated by the client - using RSA encryption, just using the key pair of the server.




          Interestingly, for HTTPS connections on web, after both sides assure they have a secure channel, they transmit a key for sending further messages encrypted by another algorithm (Symmetric encryption).




          No, the pre-master secret is used to generate the master secret, which is then used to derive the session keys using a key derivation function, generally called a PRF in TLS standards up to 1.3.




          Symmetric encryption is used because asymmetric encryption is computationally heavy.




          It also expands the ciphertexts by a much larger amount than asymmetric encryption. It is a misconception that it depends just on being computationally heavy. Otherwise this is correct.




          After they agree upon a single secret encryption key, the server and client can easily transmit messages (text, images, heavy video, etc).




          No. First of all the previous messages need to be authenticated. Otherwise an attacker could insert information to attack the scheme. Furthermore, two to four keys are used to encrypt the data frames. If a cipher with authentication is needed then one key is used to create messages in either direction. If a cipher without authentication is used then another key is needed for each direction to provide integrity and authenticity by calculating a MAC - commonly HMAC.




          Now, my questions are : How is the keypair(s) used for https connections managed?




          That depends on the key pair and the implementation.




          Does the OS manage them or is it the browsers?




          That depends as well. Firefox certainly manages it's own keys and certificates. However IE and Edge generally use SChannel, a TLS implementation within Windows that uses the Windows certificate / key store.




          Where are they stored?




          Ephemeral (temporary) key pairs are generally kept in memory. Static key pairs are generally kept in permanent storage or they may even be hardware protected.




          Can one change them?




          No, you can generate new ones, but if you change them then they will not be valid anymore.




          Is a (new) keypair generated for every https connection that a client makes?




          The E in DHE and ECDHE based ciphersuites means ephemeral. For the - sparsely used - DH and ECDH schemes one key pair is static and the other one is ephemeral. Otherwise key pairs are static and the answer is no. The public keys of static key pairs are generally within X.509 certificates. To use static key pairs it is important to establish trust in the public key.




          Logically, a single keypair will serve a client for lifetime. So each OS needs to have a bunch of keys of various lengths generated for each algorithm.




          That's complete and utter nonsense. A client will generally not even have a key pair. Certificates all have a validity period in which they need used. A client commonly doesn't even have a certificate. Keys need to be renewed. Ephemeral key pairs are generated on the fly.




          Specifically, I'm very curious about how it is done in android. I am trying to decide on how to manage https connections in my app, but I didn't find any libraries that allow me to use a specific keypair for the connection, and that made me thinking about all these stuff.




          You should not be thinking, because anything you wrote above is utterly wrong (well except for that single sentence, which is merely incomplete). You should be reading - for the TLS RFC's for starters. Thinking comes after you've established a sufficient base of knowledge.



          If you have any interesting thoughts now: write them down, learn, and then check if they are worth keeping.






          share|improve this answer























          • Note that I've also voted to close this. I have posted it as you have shown clear interest in TLS, so please see this as a short personal tutorial on the subject.
            – Maarten Bodewes
            Nov 21 at 18:19














          0












          0








          0







          In an HTTPS connection, a client and a server exchange public keys and use these keys to encrypt their messages using an algorithm (e.g. RSA) (Asymmetric encryption)




          This is not true. The key pairs are used to establish a pre-master secret, from which the symmetric keys are derived. This can be done by using key agreement (DH/DHE/ECDH/ECDHE ciphersuites) in TLS up to and including TLS 1.3. In earlier versions of the standard it is also possible to encrypt that secret - generated by the client - using RSA encryption, just using the key pair of the server.




          Interestingly, for HTTPS connections on web, after both sides assure they have a secure channel, they transmit a key for sending further messages encrypted by another algorithm (Symmetric encryption).




          No, the pre-master secret is used to generate the master secret, which is then used to derive the session keys using a key derivation function, generally called a PRF in TLS standards up to 1.3.




          Symmetric encryption is used because asymmetric encryption is computationally heavy.




          It also expands the ciphertexts by a much larger amount than asymmetric encryption. It is a misconception that it depends just on being computationally heavy. Otherwise this is correct.




          After they agree upon a single secret encryption key, the server and client can easily transmit messages (text, images, heavy video, etc).




          No. First of all the previous messages need to be authenticated. Otherwise an attacker could insert information to attack the scheme. Furthermore, two to four keys are used to encrypt the data frames. If a cipher with authentication is needed then one key is used to create messages in either direction. If a cipher without authentication is used then another key is needed for each direction to provide integrity and authenticity by calculating a MAC - commonly HMAC.




          Now, my questions are : How is the keypair(s) used for https connections managed?




          That depends on the key pair and the implementation.




          Does the OS manage them or is it the browsers?




          That depends as well. Firefox certainly manages it's own keys and certificates. However IE and Edge generally use SChannel, a TLS implementation within Windows that uses the Windows certificate / key store.




          Where are they stored?




          Ephemeral (temporary) key pairs are generally kept in memory. Static key pairs are generally kept in permanent storage or they may even be hardware protected.




          Can one change them?




          No, you can generate new ones, but if you change them then they will not be valid anymore.




          Is a (new) keypair generated for every https connection that a client makes?




          The E in DHE and ECDHE based ciphersuites means ephemeral. For the - sparsely used - DH and ECDH schemes one key pair is static and the other one is ephemeral. Otherwise key pairs are static and the answer is no. The public keys of static key pairs are generally within X.509 certificates. To use static key pairs it is important to establish trust in the public key.




          Logically, a single keypair will serve a client for lifetime. So each OS needs to have a bunch of keys of various lengths generated for each algorithm.




          That's complete and utter nonsense. A client will generally not even have a key pair. Certificates all have a validity period in which they need used. A client commonly doesn't even have a certificate. Keys need to be renewed. Ephemeral key pairs are generated on the fly.




          Specifically, I'm very curious about how it is done in android. I am trying to decide on how to manage https connections in my app, but I didn't find any libraries that allow me to use a specific keypair for the connection, and that made me thinking about all these stuff.




          You should not be thinking, because anything you wrote above is utterly wrong (well except for that single sentence, which is merely incomplete). You should be reading - for the TLS RFC's for starters. Thinking comes after you've established a sufficient base of knowledge.



          If you have any interesting thoughts now: write them down, learn, and then check if they are worth keeping.






          share|improve this answer















          In an HTTPS connection, a client and a server exchange public keys and use these keys to encrypt their messages using an algorithm (e.g. RSA) (Asymmetric encryption)




          This is not true. The key pairs are used to establish a pre-master secret, from which the symmetric keys are derived. This can be done by using key agreement (DH/DHE/ECDH/ECDHE ciphersuites) in TLS up to and including TLS 1.3. In earlier versions of the standard it is also possible to encrypt that secret - generated by the client - using RSA encryption, just using the key pair of the server.




          Interestingly, for HTTPS connections on web, after both sides assure they have a secure channel, they transmit a key for sending further messages encrypted by another algorithm (Symmetric encryption).




          No, the pre-master secret is used to generate the master secret, which is then used to derive the session keys using a key derivation function, generally called a PRF in TLS standards up to 1.3.




          Symmetric encryption is used because asymmetric encryption is computationally heavy.




          It also expands the ciphertexts by a much larger amount than asymmetric encryption. It is a misconception that it depends just on being computationally heavy. Otherwise this is correct.




          After they agree upon a single secret encryption key, the server and client can easily transmit messages (text, images, heavy video, etc).




          No. First of all the previous messages need to be authenticated. Otherwise an attacker could insert information to attack the scheme. Furthermore, two to four keys are used to encrypt the data frames. If a cipher with authentication is needed then one key is used to create messages in either direction. If a cipher without authentication is used then another key is needed for each direction to provide integrity and authenticity by calculating a MAC - commonly HMAC.




          Now, my questions are : How is the keypair(s) used for https connections managed?




          That depends on the key pair and the implementation.




          Does the OS manage them or is it the browsers?




          That depends as well. Firefox certainly manages it's own keys and certificates. However IE and Edge generally use SChannel, a TLS implementation within Windows that uses the Windows certificate / key store.




          Where are they stored?




          Ephemeral (temporary) key pairs are generally kept in memory. Static key pairs are generally kept in permanent storage or they may even be hardware protected.




          Can one change them?




          No, you can generate new ones, but if you change them then they will not be valid anymore.




          Is a (new) keypair generated for every https connection that a client makes?




          The E in DHE and ECDHE based ciphersuites means ephemeral. For the - sparsely used - DH and ECDH schemes one key pair is static and the other one is ephemeral. Otherwise key pairs are static and the answer is no. The public keys of static key pairs are generally within X.509 certificates. To use static key pairs it is important to establish trust in the public key.




          Logically, a single keypair will serve a client for lifetime. So each OS needs to have a bunch of keys of various lengths generated for each algorithm.




          That's complete and utter nonsense. A client will generally not even have a key pair. Certificates all have a validity period in which they need used. A client commonly doesn't even have a certificate. Keys need to be renewed. Ephemeral key pairs are generated on the fly.




          Specifically, I'm very curious about how it is done in android. I am trying to decide on how to manage https connections in my app, but I didn't find any libraries that allow me to use a specific keypair for the connection, and that made me thinking about all these stuff.




          You should not be thinking, because anything you wrote above is utterly wrong (well except for that single sentence, which is merely incomplete). You should be reading - for the TLS RFC's for starters. Thinking comes after you've established a sufficient base of knowledge.



          If you have any interesting thoughts now: write them down, learn, and then check if they are worth keeping.







          share|improve this answer














          share|improve this answer



          share|improve this answer








          edited Nov 21 at 16:18

























          answered Nov 21 at 16:12









          Maarten Bodewes

          61.3k1075170




          61.3k1075170












          • Note that I've also voted to close this. I have posted it as you have shown clear interest in TLS, so please see this as a short personal tutorial on the subject.
            – Maarten Bodewes
            Nov 21 at 18:19


















          • Note that I've also voted to close this. I have posted it as you have shown clear interest in TLS, so please see this as a short personal tutorial on the subject.
            – Maarten Bodewes
            Nov 21 at 18:19
















          Note that I've also voted to close this. I have posted it as you have shown clear interest in TLS, so please see this as a short personal tutorial on the subject.
          – Maarten Bodewes
          Nov 21 at 18:19




          Note that I've also voted to close this. I have posted it as you have shown clear interest in TLS, so please see this as a short personal tutorial on the subject.
          – Maarten Bodewes
          Nov 21 at 18:19


















          draft saved

          draft discarded




















































          Thanks for contributing an answer to Stack Overflow!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.





          Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


          Please pay close attention to the following guidance:


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53399983%2fhttps-connections-how-are-the-keypairs-managed%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          Popular posts from this blog

          Wiesbaden

          Marschland

          Dieringhausen