Crossing Borders Security and Privacy Issues of the European e-Passport
a r
X
i
v
:08
1
.
3
9
3
v
1
[
c
s
.
C
R
]
2
5
J a
n
2
8
Crossing Borders:Security and Privacy Issues of the European e-Passport ?Jaap-Henk Hoepman,Engelbert Hubbers,Bart Jacobs,Martijn Oostdijk,Ronny Wichers Schreur Institute for Computing and Information Sciences Radboud University Nijmegen P.O.Box 9010,6500GL Nijmegen,the Netherlands {jhh,hubbers,bart,martijno,ronny }@cs.ru.nl Abstract.The ?rst generation of European e-passports will be issued in 2006.We discuss how borders are crossed regarding the security and privacy erosion of the proposed schemes,and show which borders need to be crossed to improve the security and the privacy protection of the next generation of e-passports.In particular we discuss attacks on Basic Access Control due to the low entropy of the data from which the access keys are derived,we sketch the European proposals for Extended Access Control and the weaknesses in that scheme,and show how fundamentally di?erent design decisions can make e-passports more secure.1Introduction After several years of preparation,many countries start issuing e-passports with an embedded chip holding biometric data of the passport holder in 2006.This is a major ICT-operation,involving many countries,most of them providing their own implementation,using biometrics at an unprecedented scale.Passport secu-rity must conform to international (public)standards,issued by the International Civil Aviation Organization (ICAO)[11,10].The standards cover con?dential-ity,integrity and authenticity of the passport data,including the facial image.Additionally,the European Union (EU)has developed its own standards (called “Extended Access Control”).The present paper reviews these developments (like in [14,15])especially
from a European perspective,with corresponding emphasis on ?ngerprint pro-tection.Also it tries to put these developments within a wider perspective of identity management (IM)by governments,following [8].This leads to a “revi-sion”plan for e-passports.
From an academic background we,the authors,closely follow the introduc-tion of the e-passport in the Netherlands.We have advised the government on several matters,and are involved in public debates on related issues.We have received an early test version of the e-passport,and developed our own reader-side software,based on the ICAO protocols.We have had access to con?dential
2Hoepman et al.
material regarding the EU-protocols.However,the present paper is based solely on publicly available material,and is organised as follows.
We?rst discuss the main security requirements the new e-passport should satisfy.After a brief discussion of biometry in Sect.3,we describe the standard security measures of the ICAO standard and the weaknesses associated with them in Sect.4.Future European e-passports will be equipped with Extended Access Control,which we outline in Sect.5,and whose shortcomings we also study.e-Passports enable new applications.Sect.6discusses the danger of such function creep but also investigates the new possibilities created by such ap-plications.We study identity management issues of the e-passport in Sect.7, and evaluate the realisation of the original goals in Sect.8.We?nish the pa-per with some proposals for more fundamental changes to the architecture of a second generation of e-passports that will increase both their security and their ?exibility of use in new applications.
2Aims and Security Goals
It is a fact that modern passports are hard to forge.Thus,many criminal organ-isations do not even try such fraud,but instead collect large numbers of genuine passports,and pick one that shows a reasonable resemblance to a member that needs a new identity.Similarly,passports are sometimes borrowed for illegal border crossing,and later returned to the rightful owner.
The original aim of the use of biometrics in travel documents is thus to com-bat“look-alike”fraud.Hence the emphasis is on biometric veri?cation(instead of identi?cation),involving a1:1check to make sure that a particular passport really belongs to a particular person.
The biometrics of the passport holder will be included in a chip that is embedded in the https://www.360docs.net/doc/0611189652.html,munication with the chip will be wireless,and not via contact points,because wireless communication allows higher data rates, does not involve wear,and does not require a change of the standard format of the passport to for instance credit-card size1.
The wireless character does introduce new security risks(with respect to traditional passports),for the holder,the issuing state,and for the accepting state.At a high level of abstraction,the following three security goals seem reasonable.The?rst two focus on con?dentiality for the passport holder.The last one mainly concerns the accepting(and also issuing)state.
1.A passport reader should identify itself?rst,so that only“trusted”parties
get to read the information stored in the chip.
2.No identifying information should be released without consent of the pass-
port holder.
3.The receiver of the information should be able to establish the integrity and
authenticity of the data.
Crossing Borders3 The?rst goal relates to the situation where for instance a police o?cer wishes to check your identity.In most countries you have the right to ask the police o?cer in question to identify himself?rst,so that you can be sure that you are dealing with a genuine representative of the state.The second goal is relevant to prevent“RFID-bombs”[14]for instance,that are activated by the immedi-ate presence of(the passport of)a particular person,or citizen of a particular country.Such information is also useful for a terrorist who is trying to decide whether to blow himself up in a particular bus.We shall evaluate the realisation of these goals later on,in Sect.8
3Biometry
This paper does not focus on the biometry involved,but a few words are in order.ICAO has opted for the use of facial images and?ngerprints as primary biometrics because they are reasonably familiar,easy to use,and non-intrusive.
A controversial issue—from a privacy perspective—is that the passport chip will not contain templates but pictures(actual JPEGs).The reason is that there is no well-established digital standard for such templates,and early commitment to a closed proprietary format is not desirable.This means that if a passport chip(or data base,or reader)is compromised,original biometric data leaks out, which may lead to reconstruction and additional(identity)fraud.
The e?ectiveness of biometry is highly overrated,especially by politicians and policy makers.Despite rapid growth in applications,the large-scale use of biometry is untested.The di?culty is that it is not only unproven in a huge single application(such as e-passports),but also not with many di?erent applications in parallel(including“biometry for fun”).The interference caused by the diversity of applications—each with its own security policy,if any—may lead to unforeseen forms of fraud.
A basic issue that is often overlooked is fallback.What if my biometric iden-tity has been compromised,and I am held responsible for something I really did not do,how can I still prove“it wasn’t me”?
The Netherlands has recently conducted a?eld test for the enrolment proce-dures of the biometric passport,see[19],involving almost15.000participants. The precise interpretation of the outcome is unclear,but failure-to-acquire turns out to be a signi?cant problem,especially for young and elderly people.Substan-tial numbers of people will thus not have appropriate biometric travel documents, so that fully automatic border crossing is not an option.
4Standard Security Measures(ICAO)
The various ICAO standards for machine readable travel documents,notably[11] and[10],specify precise requirements for accessing and interpreting the contents of the embedded chip.Di?erent security controls are described to ensure that di?erent security goals are met.We discuss these in the order in which the mechanisms are used in a typical session between reader(or:inspection system,
4Hoepman et al.
Fig.1.Example of a Dutch passport.The two bottom lines of text are the MRZ. the computer that is attempting to read information from the document)and the European passport chip.
BAC:Basic Access Control.Before any information can be read from a passport, the reader needs to go through basic access control(BAC).This is a challenge-response protocol in which the reader proves to the passport that it has knowl-edge of the contents of the machine readable zone(MRZ).The MRZ consists of two lines of optically readable text containing among others the name of the holder,and the passport number.It is printed on the?rst page of the physical document(See Fig.1).
The procedure is as follows.The reader optically reads the contents of the MRZ,and derives the access key seed k IFD/ICC from the data it reads.After that,the reader proves to the chip that it has optically read the MRZ by signing a random challenge from the chip using a key derived from the access key seed. Subsequently,passport and inspection system exchange some extra random data, which is then used to generate session keys and an initial counter for secure messaging.The session keys are fresh for each session.
BAC prevents so-called skimming of passports,i.e.,reading the contents without the cardholder’s knowledge.Note that BAC does not authenticate the reader:anyone who knows the MRZ can successfully complete BAC and continue reading other information on the chip.
SM:Secure Messaging.Con?dentiality and integrity of all communication be-tween reader and passport is provided by so-called secure https://www.360docs.net/doc/0611189652.html,mands sent to the passport as well as responses sent back to the reader are encrypted and augmented with a message authentication code(MAC),using the keys estab-lished during BAC.A sequence counter is included to prevent replay of messages. PA:Passive Authentication.The data stored on the passport is organised in a logical data structure(LDS),which consists of a number of?les(called data groups).Typical examples of data groups are:a?le containing the information in the MRZ,a?le containing a JPEG image of the cardholder’s face,and?les containing other biometric features such as the cardholder’s?ngerprints.
Crossing Borders5
Each data group in the LDS is hashed.All these hashes together form the (document)security object SO LDS.The security object is signed by the issuing country and the result,SO D,is stored on the passport as well.This means that the inspection system can check that the contents of the LDS have not been altered during communication,thus ensuring the integrity of the LDS.The standards refer to this integrity protection mechanism as passive authentication.
AA:Active Authentication.To prevent cloning of the chip,an integrity mecha-nism called active authentication is used,in which the passport proves possession of a private key k AA using a challenge-response protocol.The corresponding pub-lic key,needed by the inspection system to check the response of the passport,is part of the LDS and can be read by the inspection system.A hash of this public key is signed through the SO D,to ensure authenticity.
4.1Guessing the Access Key
To access the passport without having its MRZ,one needs to guess the access key seed k IFD/ICC,which is128bits long.The National Institute of Standards and Technology(NIST)[18]and the ECRYPT EU Network of Excellence on cryptology[3]recommend80bits for a minimal level of general purpose protec-tion in2005,and112bits ten years from now.In other words,the access key seed is long enough to provide adequate security.
But the fact that the access key seed is derived from information in the MRZ can be used to the attackers’advantage.The‘MRZ-information’consists of the concatenation of the passport number,date of birth and date of expiry,including their respective check digits,as described in[9].Given a guess for the MRZ-information,the corresponding access key seed k IFD/ICC is easily calculated, and from that all other session keys can be derived as well.These keys can then be tried against a transcript of an eavesdropped communication session between this passport and the reader,to see if they deliver meaningful data.
To estimate the amount of work the attacker needs to perform for such an o?-line attack,we estimate the amount of Shannon entropy of each of these?elds. We should stress this is a very crude approach(unless we assume the underlying probability distributions are uniform).For lower bounds,we should in fact use the Guessing entropy[17]( i ip i)or even the min-entropy(min i?log p i).The Shannon entropy only gives us an upper bound,but if that bound is small the
security of the system is most certainly weak.
The entropy of the date of birth?eld is log(100×365.25)=15.16bits,as it can contain only the last two digits of the year of birth.If one can see the holder of the passport and guess his age correct within a margin of5years,the entropy of this?eld decreases to10.83.
The date of expiry is determined by the date of issuing and the validity period of a passport.In the Netherlands,passports are valid for5years,and are issued only on working days(barring exceptional circumstances).For a valid passport, the entropy of this?eld becomes log(5×365.25×5/7)=10.34.
6Hoepman et al.
Fig.2.Known dates of issuing reduce the search space.
The MRZ?eld for the passport number can contain9characters.If the pass-port number is longer,the excess characters are stored in the MRZ optional data?eld(which is not used to derive the access key seed).The entropy of the passport number?eld,assuming digits and upper-case letters only,becomes log((26+10)9)=46.53.Many countries have further restrictions on the format of their passport numbers.Passport numbers may contain check digits,or start with a common pre?x to distinguish passport types(e.g.,military passports).
At best,the total entropy of date of birth,date of expiry and passport number becomes15.16+10.34+46.53=72.03,which is less than80bits recommended by both NIST and ECRYPT[3,18]to protect against eavesdropping and other o?-line attacks.It is su?cient to protect against skimming attacks(where possible keys are tried on-line)because the passport is slow to respond to each individual key tried.
In certain countries the situation is even worse.Often,passport numbers are issued sequentially.This implies there is a correlation between the date of issue (and therefore date of expiry)and the passport number.Moreover,all currently valid passports numbers(ignoring stolen or otherwise invalidated ones)form a consecutive range,which is no longer than the total number of people of that nationality.For the Dutch passport for instance,bounding the population from above by20million,the passport number entropy drops to log(20×106)=24.25.
With sequentially issued passports,the entropy drops even further with ev-ery known combination of a passport number and the expiry date.Suppose we know k such combinations.This gives rise to k+1intervals of possible passport numbers for a given date range Let us take the rather pessimistic approach that we do not assume anything about the distribution of passports over dates within those intervals(although it is very likely that passports are issued at a reasonably constant rate).On the optimistic side,let us assume the k known passports are issued evenly distributed over the validity period length.This reduces the search space by a factor k+1as illustrated in Fig.2.Hence the entropy of expiry date plus passport number drops with log(k+1).For the Dutch passport,using k=15
Crossing Borders7 and the?gures above,the entropy of the passport number becomes as small as 20.25,and the total entropy could be as small as10.83+10.34+20.25=41.42 (when we assume we can guess the age of the passport holder).
One obvious idea is to include the MRZ optional data?eld in the list of MRZ items that is used to derive the MRZ access key seed.This would increase the entropy of the MRZ access key seed,especially if this optional data?eld is?lled with random data.Unfortunately some countries already use this?eld for other purposes.In the Netherlands,for instance,this?eld stores the social-?scal number,which is uniquely linked to an individual and not very secret information.In fact,this idea was recently rejected for inclusion in the ICAO standards.
4.2Traceability
To avoid collisions,contactless smart cards and RFID systems use unique low-level tag identi?ers in the radio communication protocol.This is also true for the e-passports.If this identi?er is?xed(which is usually the case in RFID tags and contactless smart cards),passports are clearly easily traceable.Note that because this identi?er is used in the very?rst stages of setting up a connection between the passport and the reader,no form of access control or reader authentication can be performed.
Luckily,this anti-collision identi?er does not have to be?xed.The number can also be randomly generated each time the passport comes within range of a reader.If the random generator is of su?cient quality(and this is certainly an issue in low-end RFID systems),the passport can no longer be traced through the anti-collision identi?er.
However,the anti-collision identi?er creates a possible subliminal channel. For instance,instead of simply generating a random number r,the passport could be instructed to generate an anti collision identi?er like
id=E k
(r,passportnumber).
NSA
The resulting string looks random,because of the randomness of r and the properties of the encryption function.But clearly it can be decrypted by the owner of k NSA to reveal the passport number.Unless the passport chip is reverse engineered,the existence of such a subliminal channel cannot be detected.
Another subliminal channel exists when Active Authentication is used[5]. Recall that active authentication requires the passport to sign a challenge from a reader using its unique private key.Because the challenge is totally determined by the reader,the reader can embed information into this string,which is un-knowingly signed by the passport.For instance,the challenge could contain the border crossing location,and the current date and time.A signature adds an extra layer of non-repudiability to the border crossing logs,and can be used to prove this fact to others.The challenge could also contain the passport number of the person veri?ed ahead of you at border inspection,possibly linking you to the person you were travelling with.
8Hoepman et al.
Even if all the above issues are addressed,discriminating features of pass-ports remain.Di?erent countries may use di?erent chip https://www.360docs.net/doc/0611189652.html,ter batches of passports will use more advanced technology,or may contain di?erent or ad-ditional information2.In the future,newer versions of chip operating systems may be used.All these di?erences may be noticeable by looking carefully at the behaviour of the chip on the radio channel,at the chip’s Answer To Reset (ATR),which is sent in reaction to a reset command by the reader,or at the responses the chip gives(or doesn’t give)to speci?c card commands sent to it. We expect to see large di?erences in behaviour especially on unintended,unex-pected or even unspeci?ed input sent to the card.All these things are possible before BAC has been performed.
Other applications may be put on the passports(see Sect.6)as well.These applications may even be accessible before BAC has been performed.The set of available applications may actually constitute a narrow pro?le that identi?es a speci?c set of possible passport holders,and may reveal the place of work,or the banks the passport holder has accounts with.
We conclude that even without access to the MRZ,i.e.,in the classic skim-ming scenario on streets,public transport,etc.,passports still leak information that can be traced back to individuals,or groups of individuals.
5Extended Access Control
Standardisation of the security features and biometrics to be used in European passports has been taken up independently(but of course in accordance with the ICAO standards)by the European Union[7].In recognition of the fact that biometric information is quite sensitive,the European Union has mandated that such data should be protected by a so-called“Extended Access Control”mech-anism.The technical speci?cations of the European e-passport are drafted by a special EU Committee,founded as a result of Article6of Regulation1683/95 laying down a uniform format for visas[6].
Public information about the details of Extended Access Control has recently become available[5,16].This allows us to discuss certain shortcomings in the schemes under consideration,although we wish to stress that these schemes are a huge improvement over the extremely minimal security features imposed by the ICAO standards.
Extended Access Control consists of two phases,Chip Authentication fol-lowed by Terminal Authentication.Chip Authentication performs the same func-tion as Active Authentication in the ICAO standards,i.e.,proving the chip is genuine and thus protecting the passport against cloning.It avoids the problems associated with active authentication,like the challenge semantics discussed in the previous section.Chip authentication achieves its task by?rst exchanging a session key using a Di?e-Hellman key exchange.The chip uses a static key pair for this,the public part of which is part of the logical data structure(LDS)on
Crossing Borders9
Fig.3.Extended Access Control certi?cates
the chip and thus signed through the security objects SO D.The terminal uses a fresh key pair for each session.Authenticity of the chip is established once the chip proves that it knows the session key,which happens implicitly when the session key is used successfully to communicate with the chip.
Terminal Authentication aims to prove to the chip that the terminal is al-lowed to access the data on the chip.This access is granted through a chain of certi?cates,the root of which is the issuer of the passport at hand(see Fig.3). In other words,the issuer of the passport controls who can access the data on the passport.This root issues Document Veri?er(DV)Certi?cates,one for each country that is granted access to the data on the passport.These DV cer-ti?cates are used to generate Inspection System(IS)certi?cates,which can be distributed to inspection systems(e.g.,readers/terminals)at border crossings. Each passport issued by a particular country can verify the authenticity of these DV certi?cates,and hence of the IS certi?cates issued through these DV cer-ti?cates.A valid IS certi?cate grants access to certain data on the chip.All certi?cates have a limited validity period.
Terminal authentication,as proposed,does have a few weaknesses.First of all,the chip cannot keep time itself,and does not have access to a reliable source of time either.This makes it hard to check whether a certi?cate has expired or not.This,in turn,makes it practically impossible to revoke a certi?cate. The problem is the following.A terminal with a valid IS certi?cate and a valid DV certi?cate can access the sensitive data on many passports.When such a terminal is stolen,these access rights remain,even when the validity period of these certi?cates has expired:the chip does not know the correct time,and the terminal does not have to tell it the correct time.This is the case even if certi?cates have extremely short validity periods,like a single day.We see that one stolen terminal breaks the intended security goal of terminal authentication. Of course,stolen terminals do not make skimming attacks possible:a terminal still needs access to the MRZ in order to perform basic access control.To mitigate the problem somewhat,the standards propose that the chip keeps the most recent date seen on a valid certi?cate.In other words,the chip advances its
10Hoepman et al.
idea of the current time each time it passes a border inspection system.This only saves the frequent travellers;people that barely use their passports stay vulnerable for a long time.
Secondly,the certi?cate hierarchy itself poses a problem.The hierarchy is quite shallow.It does not make it easy to allow access to the biometric data for other applications beyond border inspection,even though such applications are already being discussed today(see also Sect.6below).To acquire access, one has to apply for IS certi?cates at the country DV,or for a DV certi?cate at each issuing country.The latter would create a huge management overhead, as it would require each country to reliably verify the identity and trustwor-thiness of the requesting applicant and issue certi?cates in response.The?rst makes it impossible for countries to di?erentiate access rights among di?erent applications,and would make the country DV responsible for the issuing of IS certi?cates for each and every terminal involved in the new application.This is clearly impractical,if we consider the use of passports for home banking or single sign-on systems that require terminals at each and every PC.
Making the certi?cate hierarchy larger and more?exible may not be an option.It means the chip has to verify even more certi?cates before it can grant access.This does put quite a burden on the processing capabilities of the chip, which should guarantee reasonably short transaction times.No one is willing to stand in the queue at border inspection for an even longer amount of time, simply because the new passports contain new,but slow,technology.A di?erent, more?exible,approach is discussed in Sect.9.
6New Applications
The new e-passport requires an international infrastructure for biometric veri?-cation.This is a huge project,of which the e?ectiveness and risks are uncertain. The main driving force is political pressure:the logic of politics simply requires high pro?le action in the face of international terrorism.Once implemented,it inevitably leads to function creep:new possible applications emerge,either spon-taneously or via new policy initiatives.We shall discuss two such applications, and speculate about the future.
Once we obtain a new passport with a high-end chip embedded with which we can communicate ourselves(via open standards),we can ask ourselves whether we can also use it for our own purposes.We brie?y discuss two options:logon, and digital signatures.
The e-passport can be used to log on to your computer account.For instance, if you give your MRZ(or the associated keys)to your computer or local network, the logon procedure can set up a challenge-response session with your passport: activation of the chip happens via the MRZ,and checking of a signature written by the passport-chip on a challenge generated by your computer can proceed via the public key of the document signer.It allows your computer to check the integrity of the passports security object,which contains the public key corresponding to the private signature-key of your passport.
Crossing Borders11 This authentication procedure only involves“something you have”:anyone holding your passport can log in to your machine.You can strengthen the pro-cedure by requiring a usual password,or even a biometric check based on a comparison of facial images(a freshly taken one,and the one on the chip).
You may also wish to use your e-passport to sign documents and emails using the embedded private key for Active Authentication.This is not such a good idea, for two reasons.First of all,the signature is obtained by exploiting the challenge-response mechanism for another purpose.Such interference should be avoided, because a challenge-response at a border inspection could then be misused to trick you into signing a certain document.Secondly,proving your identity after signing requires publication of your MRZ,together with the security object of your passport-chip(which is integrity-protected by a signature of the document signer):this object couples the public key(for your signature)to identifying information such as your name.But releasing the MRZ allows everyone to access your passport,through Basic Access Control.
The underlying problem is that the e-passport was not designed with an embedded useful certi?cate(such as X.509)for the holder.
Once there is an infrastructure for biometric veri?cation,it becomes natural to ask:why not use it for identi?cation as well?People may loose(willingly or unwillingly)their passport,or may apply for multiple copies,possibly un-der di?erent names.Indeed,the government of the Netherlands is preparing legislation[1,2]to set up a central database with biometric information,in or-der to“increase the e?ectiveness of national identi?cation laws”.Such a central database goes beyond what is required by European directives.
The possibility of biometric identi?cation of the entire(passport-holding) population involves a change of power balance between states and their citizens. Consent or cooperation is then no longer needed for identi?cation.Tracing and tracking of individuals becomes possible on a scale that we have not seen before.
Assuming the biometric passport leads to a reliable infrastructure for veri?ca-tion and identi?cation of individuals,the societal pressure will certainly increase to use it in various other sectors than just border inspection.Such applications are not foreseen—or covered by—European regulations.Interested parties are police and intelligence forces,banks and credit card companies,social security organisations,car rental?rms,casinos,etc.Where do we draw the line,if any?
We see that the introduction of the new e-passport is not only a large tech-nical and organisational challenge,but also a societal https://www.360docs.net/doc/0611189652.html,ernments are im-plicitly asking for acceptance of this new technology.This acceptance question is not so explicit,but is certainly there.If some political action group makes a strong public case against the e-passport,and manages to convince a large part of the population to immediately destroy the embedded chip after issuance—for instance by putting the passport in a microwave—the whole enterprise will fail. The interesting point is that individuals do have decisive power over the use of the chip in their e-passport.Even stronger,such a political action group may decide to build disruptive equipment that can destroy the RFID-chips from some distance,so that passports are destroyed without the holder knowing(immedi-
12Hoepman et al.
ately).To counter such movements,governments may try to make it su?ciently unattractive or even impossible to cross borders for travellers without a func-tioning passport.This is only possible,however,if the numbers of broken chips is relatively low.And in any case,it will not improve popularity of the scheme to begin with.
7Identity Management Issues
Identity management(IM)is about“rules-4-roles”:regulation of identi?cation, authentication and authorisation in and between organisations.The new e-passport is part of IM by states.It forms an identi?cation and authentication mechanism that is forced upon citizens,primarily for international movement, but also for internal purposes.
Identi?cation and authentication in everyday life is a negotiation process. When a stranger in the street asks for your biometric data,you will refuse.But you may engage in a conversation,discover mutual interests,and exchange busi-ness cards or phone numbers.Upon a next contact more identifying information may be released,possibly leading to a gradual buildup of trust.
The e-passport,in contrast,provides a rigid format.In certain situations it forms an overkill,for instance when you just need to prove that you are over eighteen.When IM goes digital and becomes formalised one would like to have more?exible mechanisms,with individual control via personal policies.In the future we may expect to be carrying identity tokens that?exibly react to the environment.Three basic rules for such systems are:
–The environment should authenticate itself?rst.For instance,when the en-vironment can prove to be my home,my policy allows my token to release much personal information,for instance about my music preference or health.–Authentication should be possible in small portions,for instance via certi?-cates or credentials saying“this person is over eighteen”,with a signature provided by a relevant authority.
–Automatic recognition of individuals,for instance via an implanted RFID chip that broadcasts your personal(social security)number,is excluded.
Privacy is important for personal security—and not,as too often stated, only an impediment to public security.
8Evaluation of Security Goals
In Sect.2we have formulated three security goals that we consider reasonable. In this section we evaluate whether the current system meets these goals. Readers should identify themselves?rst In the usual sense of“authenticated”or “trusted”readers,this goal is not reached.For instance,we managed to write our own terminal application that retrieves the public information like the facial image from the chip.And our reader is not considered trusted.The implemented
Crossing Borders13 BAC protocol only assures that the reader has knowledge of the MRZ on the passport.In the European implementation of EAC the reader must authenticate itself and hence this goal is more or less met for the information marked as sensitive,but weaknesses exist(see Sect.5).
Consent by the passport holders Theoretically this goal is reached.By use of BAC any terminal that tries to read information?rst needs to read the MRZ information printed on the inside of the passport.Hence the holder must give his consent for the transaction by opening his passport.However,as we have seen in Sect.4.2some subliminal channels exist that may leak information about the card even before BAC has been applied or in other words even before the holder has given his consent.
Proof of integrity and authenticity The integrity part of this goal is reached by the secure messaging system,which is applied for all communication after BAC.As we have seen in Sect.4both commands and responses are encrypted and augmented with a message authentication code to provide integrity and con?dentiality.Authenticity of the information is guaranteed through Passive Authentication(see Sect.4)
9e-Passport v2
Until now we have discussed several issues with the security and privacy protec-tion of the current proposed standards for biometric passports,from both ICAO and,in particular,the EU.We have argued that protection mechanisms should be improved.However,improvements to such standards are at best incremental, and do not usually challenge the primary design decisions.In fact,such funda-mental changes would certainly be backwards incompatible,and require a totally new standard.In our opinion,more fundamental changes are required to really provide strong security and proper privacy protection to the new generation of e-passports.
9.1Avoiding Contactless Cards
The most fundamental change is to reconsider the choice for a wireless commu-nication interface between the chip in the passport and the terminal at border https://www.360docs.net/doc/0611189652.html,ing a wireless interface makes skimming attacks possible.It is ex-actly the fear of this possibility that has sparked a huge controversy over the current e-passport proposals.Initially,the US passports would not even imple-ment Basic Access Control.Now they are even considering to include metal shields in the cover pages of the passport to function as a Faraday cage,to physically disable the wireless communication link.
But all Basic Access Control really is,is a very elaborate way to achieve exactly the same as what is achieved when inserting a smart card with contacts into the slot of a reader:namely that the holder of the passport allows the
14Hoepman et al.
owner of the terminal to read the data on the chip.Then,why not simply use smart cards with contacts for the new e-passport?The main arguments against this have been the form-factor of the passport,and the need for a su?cient bandwidth to quickly transmit the biometric data from the card to the terminal. However,identity cards and drivers licenses with dimensions similar to credit cards(ID-1)are already under consideration.And bandwidth concerns are no longer an issue either.Many smart card suppliers already sell smart cards with integrated USB1.1interfaces that allow for a much higher throughput,using the original[12]ISO contact module found on the card,and standardisation for this approach is underway[13].Such a solution would take away all worries associated with using a wireless chip,and would keep the e-passport clear of all discussions surrounding the(perceived)privacy issues with RFID.
9.2On-line Terminal Authentication
Once a connection between passport and terminal is established,a decision has to be made regarding the access rights of the terminal and to determine which data on the passport it is allowed to read.Current EU proposals for extended access control are found wanting:stolen terminals cannot be revoked,and the shallow, rigid certi?cate hierarchy proposed to regulate access does not allow for?exible and/or dynamic access control policies(see Sect.5).The EU approach was chosen to allow for o?-line,mobile terminals,like those that are used by mobile border inspection units.But clearly such mobile terminals can be connected to the network over a wireless link,if only through GPRS,which is the standard on cell phones these days.
If we assume that terminals are always connected to the network,we can use on-line terminal authentication.The general idea is then the following.
Each terminal owns a private/public key pair.Each terminal is used for a particular application.This application is encoded in a certi?cate C AA that con-tains the public key K T A of the terminal,and which is signed by the application authority AA.Access rights are associated with application.Each country stores, for each application authority that it wishes to recognise,the access rights for that application.These access rights are stored in the back o?ce.The back o?ce also stores the public keys of all terminals that have been revoked.
On-line terminal authentication then proceeds as follows.First,the terminal sends the certi?cate C AA(containing its public key K T A)to the chip.The chip and the terminal perform a challenge-response protocol in which the terminal proves to the chip that it owns the private key corresponding to K T A.This establishes the identity of the terminal.Next,the chip sets up an authenticated channel between itself and the back o?ce of the issuing country.It can do so using a country certi?cate that is stored in the chip during personalisation.The channel should not be vulnerable to replay attacks.It sends C AA(and K T A)to the back-o?ce.There,C AA is veri?ed against the known application authorities (this validates that K T A was certi?ed by such an authority)and K T A is checked against the list of all revoked terminals.If these checks pass,the access rights for AA are sent back to the chip.If not,then the empty set(i.e.,no access rights)is
Crossing Borders15 sent back to the chip.The chip interprets the access rights it receives and grants access to the terminal accordingly.Because the channel is authentic and does not allow replay attacks,the access rights received by the chip correspond to the certi?cate it sent to the back o?ce.
With on-line terminal authentication,terminals can be revoked in real-time: as soon as they are marked as revoked in the back o?ces of the issuing country, no passport of that country will allow that terminal access to its data.Also, the access permissions can be changed dynamically,and can even be based on the exact time the request was made,or on the speci?c usage pattern of the passport.The general idea can be re?ned to also allow revocation of terminals by the countries that manage them,instead of requiring them to inform all other countries that a particular terminal should be revoked(because it was stolen,for instance).Also,more levels of certi?cates can be introduced,to make management of access rights easier.
9.3Other Improvements
In Sect.3we have seen that real pictures are stored on the chip.With an immediate consequence that whoever is able to retrieve these images from the chip,has access to good biometric data,which he can use for identity https://www.360docs.net/doc/0611189652.html,ing templates that work like a one-way function,it will be possible to check whether the template on the chip matches the template derived from the person who is claiming to be the holder of the passport.This leaking of real biometric data may not seem such a big deal in a time where many pictures are published on the Internet.The point here is that these pictures for the passports are taken under good conditions and hence provides highly accurate biometric information.
The entropy-related o?-line attacks discussed in Sect.4.1are possible because a guess of MRZ-information directly leads to all keys used in a communication session.These keys can be checked against a transcript of that session to ver-ify the guess.The situation is similar to many password-based authentication and session-setup protocols.Encrypted key exchange protocols,discovered by Bellovin and Merritt[4],do not su?er from this problem.There a low entropy password is used to exchange a high entropy secret that cannot e?ciently be guessed using an o?-line https://www.360docs.net/doc/0611189652.html,ing encrypted key exchange protocols for basic access control would strengthen the security of the passport considerably.
In Sect.6we have seen that it will be inevitable that other applications want to use the infrastructure available on the chip for other purposes than the original ones.In the current system it is already possible to sign things with a private key,but this causes some unwanted side e?ects as already described in Sect.6.In order to prevent this the standards should be rewritten in such a way that at least these additional functions can be used and preferably in a disjoint setting from the border inspection functions.A possible implementation for this could be to have an X.509certi?cate included with a public key that has nothing to do with the MRZ or other information needed for the border inspection tasks.
16Hoepman et al.
References
[1]Kamerstuk II2004/2005,25764,nr.26.(O?cial communication of the Dutch
parliament).
[2]Kamerstuk II2004/2005,29754,nr.5.(O?cial communication of the Dutch
parliament).
[3]Yearly report on algorithms and keysizes(2005).Technical report,IST-2002-
507932ECRYPT,January2006.D.SPA.10Rev2005-0.2.
[4]Steven M.Bellovin and Michael Merritt.Encrypted key exchange:Password-
based protocols secure against dictionary attacks.In IEEE Security&Privacy, pages72–84,Oakland,CA,USA,May1992.IEEE.
[5]BSI.Advanced security mechanisms for machine readable travel documents–
extended access control(eac).Technical Report TR-03110,BSI,Bonn,Germany, 2006.
[6]Proposal for a council regulation amending regulation(ec)no1683/95laying down
a uniform format for visas.OJ C,51:219–220,February262002.
[7]Proposal for a council regulation on standards for security features and biometrics
in eu citizens’passports.OJ C,98:39,April232004.
[8]Jaap-Henk Hoepman and Bart Jacobs.E-passports without the big picture.eGov
Monitor,February202006.https://www.360docs.net/doc/0611189652.html,/node/4716.
[9]ICAO.Machine Readable Travel Documents.Technical report,ICAO,2003.5th
edition.
[10]ICAO.Development of a logical data structure-LDS for optional capacity ex-
pansion technologies,revision1.7.Technical report,ICAO,May2004.
[11]ICAO.PKI for machine readable travel documents o?ering ICC read-only access,
version-1.1.Technical report,Oct2004.
[12]ISO7816.ISO/IEC7816Identi?cation cards–Integrated circuit(s)cards with
contacts.Technical report,ISO JTC1/SC17.
[13]ISO7816-12.ISO/IEC7816Identi?cation cards–Integrated circuit(s)cards–
Part12:Cards with contacts–USB electrical interface and operating procedures.
Technical report,ISO JTC1/SC17.
[14] A.Juels,D.Molnar,and D.Wagner.Security issues in e-passports.In Se-
cureComm2005,2005.
[15]Gaurav S.Kc and Paul A.Karger.Security and privacy issues in machine read-
able travel documents(MRTDs).IBM Technical Report(RC23575),IBM T.J.
Watson Research Labs,April2005.
[16]Dennis K¨u gler.Security mechanisms of the biometrically enhanced(eu)pass-
port.Presentation at the Security in Pervasive Computing conference,Boppard, Germany,https://www.360docs.net/doc/0611189652.html,/2005/slides/SPC
630
No bean named 'springSecurityFilterChain' is defined=
No bean named 'springSecurityFilterChain' is defined Exception starting filter springSecurityFilterChain org.springframework.beans.factory.NoSuchBeanDefinitionExceptio n: No bean named 'springSecurityFilterChain' is defined at org.springframework.beans.factory.support.DefaultListableBeanFa ctory.getBeanDefinition(DefaultListableBeanFactory.java:387) at org.springframework.beans.factory.support.AbstractBeanFactory.g etMergedLocalBeanDefinition(AbstractBeanFactory.java:971) at org.springframework.beans.factory.support.AbstractBeanFactory.d oGetBean(AbstractBeanFactory.java:246) at org.springframework.beans.factory.support.AbstractBeanFactory.g etBean(AbstractBeanFactory.java:185) at org.springframework.beans.factory.support.AbstractBeanFactory.g etBean(AbstractBeanFactory.java:168) at org.springframework.context.support.AbstractApplicationContext.g etBean(AbstractApplicationContext.java:884)
SpringSecurity源码分析
DelegatingFilterProxy源码分析 说明该方法会在DelegatingFilterProxy初始化的时候调用,目的是创建一个链式调用的Filter类型是FilterChainProxy该类实际上是Filter的一个实现类。 FilterChainProxy源码分析
①FilterInvocation是Spring的一个不同的Bean该方方法中实际上就上将ServletRequest和 ServletResponse转换为HttpServletRequest和HttpServletResponse。 ②重点看一下getFilters方法。
③如果该请求下没有相应的Security过滤器,就直接放行 ④创建一个VertualFilterChain该Chain作为FilterChain下的一个子Chain主要是实现 SpringSecurity相关Filter的链式调用。 接下来看看VertualFilterChain的doFilter调用代码: ⑤调用VirtualFilterChain的doFilter方法,调用参数参数链式调用。 核心过滤器介绍SecurityContextPersistenceFilter 该Filter主要是通过SecurityContext作为SpringSecurity执行的上下文,这里一般会保存用的的登录的Authentication信息。而且SpringSecurity会在请求路由的时候将SecurityContext作为HttpSession的一个命名属性存储。同样SpringSecurty会通过SecurityContextHolder类来方便的获取SecurityContext里面的信息。在每一次请求结束的时候,该filter负责清空SecurityContextHolder里面的内容。SpringSecurity建议为了安全考虑,不建议用户直接的去访问HttpSession。最简单直接的做法就是直接操作SecurityContextHolder类。 注意:这里如果在多个request并发访问的时候,会出现多个Request中从Session获取的是同一个SecurityContext,此时可能会出现一个SecurityContext被多个线程共同访问。此时为了避免多线程之间由于访问的一个session获取的同一个SecurityContext修改造成的影响,建议用户可以自己创建一个使用SecurityContextHolder的createEmptyContext方法创建一个新的临时的对象为每一个请求。并且将用户的认证信息存储到SecurityContext中,这样就不会影响其他线程中的数据了。
SpringSecurity使用记录(五)-- 配置
SpringSecurity使用记录(五)-- 配置 研究了好长时间,不知道从哪里下手。新的版本,很多东西在网上找不到,只能看他们的文档,当然这些文档相当不错,就看是否耐心的研究了!总是有急躁的心理作祟,不能专心研读,却处处碰壁,效率上反而未达预期效果! 终于,在无数次的沮丧下,稍微看到了点光亮!前面的文章太过皮毛,接下来的一些,希望能更加实际的,更加深入的分析每一个过程! 一直通过默认配置进行设置: namespace(是security 3.0,网上也看到一些兄弟描述的是3.0,但是总是不符合我这里的namespace配置):
舌尖上的中国分集简介
舌尖上的中国分集简介 第一集自然的馈赠 本集导入作为一个美食家,食物的美妙味感固然值得玩味,但是食物是从哪里来的?毫无疑问,我们从大自然中获得所有的食物,在我们走进厨房,走向餐桌之前,先让我们回归自然,看看她给我们的最初的馈赠。本集将选取生活在中国境内截然不同的地理环境(如海洋,草原,山林,盆地,湖泊)中的具有代表性的个人、家庭和群落为故事主角,以及由于自然环境的巨大差异(如干旱,潮湿,酷热,严寒)所带来的截然不同的饮食习惯和生活方式为故事背景,展现大自然是以怎样不同的方式赋予中国人食物,我们又是如何与自然和谐相处,从而了解在世代相传的传统生活方式中,通过各种不同的途径获取食物的故事。 美食介绍 烤松茸油焖春笋雪菜冬笋豆腐汤 腊味飘香腌笃鲜排骨莲藕汤椒盐藕夹酸辣藕丁煎焖鱼头泡饼煎焗马鲛鱼酸菜鱼松鼠桂鱼侉炖鱼本集部分旁白中国拥有世界上最富戏剧性的自然景观,高原, 第一集: 自然的馈赠 山林,湖泊,海岸线。这种地理跨度有助于物种的形成和保存,任何一个国家都没有这样多潜在的食物原材料。为了得到这份自然的馈赠,人们采集,捡拾,挖掘,捕捞。穿越四季,本集将展现美味背后人和自然的故事。香格里拉,松树和栎树自然杂交林中,卓玛寻找着一种精灵般的食物——松茸。松茸保鲜期只有短短的两天,商人们以最快的速度对松茸进行精致的加工,这样一只松茸24小时之后就会出现在东京的市场中。松茸产地的凌晨3点,单珍卓玛和妈妈坐着爸爸开的摩托车出发。穿过村庄,母女俩要步行走进30公里之外的原始森林。雨让各种野生菌疯长,但每一个藏民都有识别松茸的慧眼。松茸出土后,
卓玛立刻用地上的松针把菌坑掩盖好,只有这样,菌丝才可以不被破坏,为了延续自然的馈赠,藏民们小心翼翼地遵守着山林的规矩。为期两个月的松茸季节,卓玛和妈妈挣到了5000元,这个收入是对她们辛苦付出的回报。 舌尖上的中国DVD 老包是浙江人,他的毛竹林里,长出过遂昌最大的一个冬笋。冬笋藏在土层的下面,从竹林的表面上看,什么也没有,老包只需要看一下竹梢的叶子颜色,就能知道笋的准确位置,这完全有赖于他丰富的经验。笋的保鲜从来都是个很大的麻烦,笋只是一个芽,是整个植物机体活动最旺盛的部分。聪明的老包保护冬笋的方法很简单,扒开松松的泥土,把笋重新埋起来,保湿,这样的埋藏方式就地利用自然,可以保鲜两周以上。在中国的四大菜系里,都能见到冬笋。厨师偏爱它,也是因为笋的材质单纯,极易吸收配搭食物的滋味。老包正用冬笋制作一道家常笋汤,腌笃鲜主角本来应该是春笋,但是老包却使用价格高出20倍的遂昌冬笋。因为在老包眼里,这些不过是自家毛竹林里的一个小菜而已。在云南大理北部山区,醒目的红色砂岩中间,散布着不少天然的盐井,这些盐成就了云南山里人特殊的美味。老黄和他的儿子在树江小溪边搭建一个炉灶,土灶每年冬天的工作就是熬盐。云龙县的冬季市场,老黄和儿子赶到集市上挑选制作火腿的猪肉,火腿的腌制在老屋的院子里开始。诺邓火腿的腌制过程很简单,老黄把多余的皮肉去除,加工成一个圆润的火腿,洒上白酒除菌,再把自制的诺盐均匀的抹上,不施锥针,只用揉、压,以免破坏纤维。即使用现代的标准来判断,诺邓井盐仍然是食盐中的极品,虽然在这个古老的产盐地,盐业生产已经停止,但我们仍然相信诺邓盐是自然赐给山里人的一个珍贵礼物。圣武和茂荣是兄弟俩,每年9月,他们都会来到湖北的嘉鱼县,来采挖一种自然的美味。这种植物生长在湖水下面的深深的淤泥之中,茂荣挖到的植物的根茎叫做莲藕,是一种湖泊中高产的蔬菜——藕。作为职业挖藕人,每年茂荣和圣武要只身出门7个月,采藕的季节,他们就从老家安徽赶到有藕的地方。较高的人工报酬使得圣武和茂荣愿意从事这个艰苦的工作。挖藕的人喜欢天气寒冷,这不是因为天冷好挖藕,而是天气冷买藕吃藕汤的人就多一些,藕的价格就会涨。整整一湖的莲藕还要采摘5个月的时间,在嘉鱼县的珍湖上,300个职业挖藕人,每天从日出延续到日落,在中国遍布淡水湖的大省,这样场面年年上演。今天当我们有权远离自然,享受美食的时候,最应该感谢的是这些通过劳动和智慧成就餐桌美味的人们。 第二集主食的故事 本集导入主食是餐桌上的主要食物,是人们所需能量的主要来源。从远古时代赖以充饥的自然谷物到如今人们餐桌上丰盛的、让人垂涎欲滴的美食,一个异彩纷呈、变化多端的主食世界呈现在你面前。本集着重描绘不同地域、不同民族、不同风貌的有关主食的故事,展现人们对主食的样貌、口感的追求,处理和加工主食的智慧,以及中国人对主食的深
SpringSecurity_openId完整配置攻略
Spring Security2.04+OpenID 配置攻略 目录 1.QQ互联中的O PEN ID (3) 2.配置环境 (3) 3、S PRING S ECURITY的XML配置 (3) 4、OPENID登录页 (17) 5、申请O PEN ID账号 (17)
6、在本地登录O PEN ID (18) 7、其他注意事项 (19)
1.QQ互联中的OpenID QQ互联接口中,在QQ登陆成功后,会返回一个OpenID,但是此OpenID是一个大写字母和数字的组合。与一般的OpenID的格式不同,正常的OpenID应该是http 开头的URL格式,例如https://www.360docs.net/doc/0611189652.html,/,本文介绍的是国际通用的OpenID认证协议+Spring Security配置过程。 2.配置环境 本文的介绍的配置过程是在OpenJWeb2.63环境下配置的,OpenJWeb2.63集成了S2SH 和Spring Security2.0.4,大家也可以自己搭建一个S2SH+Spring Security2.04的环境,在环境搭建好以后,我们需要从网上找到openid4java-0.9.8.jar,放到WEB-INF\lib目录下。有了这个驱动,我们就可以在spring security中进行openID的认证登陆。 另外,我们需要将spring-security-openid-2.0.4.jar放到lib目录中。 在web.xml文件中,我们需要增加一段配置以支持openID认证过滤器:
感觉系统
感觉器官练习题 一、单选题 1.下列哪项不属于感觉器官的是( ) A.耳 B.鼻 C.神经D.皮肤 E.以上均错 2.视器包括( ) A.眼球壁和附属结构 B.眼球壁和屈光装臵 C.眼球及其附属结构 D.眼球及其屈光装臵 E.眼球及其眼睑 3.眼球() A.壁仅由巩膜、脉络膜、视网膜构成 B.折光系统包括角膜、房水、晶状体和玻璃体 C.视神经盘是感光最敏锐的部位 D.房水由虹膜分泌形成 E.角膜中央一圆孔称瞳孔 4.巩膜() A.乳白色,厚而坚韧,是硬脑膜的延伸结构 B.前方与晶状体相连C.占纤维膜的前1/6 D.有屈光作用 E.以上均错 5.瞳孔大小() A.随眼压高低而变化 B.随光线强弱而变化 C.由睫状体收缩来调节D.与三叉神经眼神经的作用有关E.随晶状体突度变化而变化 7.眼前房是指() A.角膜与玻璃体之间腔隙 B.角膜与虹膜之间腔隙 C.虹膜与晶状体之 间腔隙 D.虹膜与玻璃体之间腔隙 E.角膜与晶状体之间腔隙 8.黄斑() A.位于视神经乳头(盘)外侧约3-4mm 处 B.感光作用强,但无辨色能力C.中央有中央凹,该处对光不敏感D.视网膜节细胞轴突由此向后穿出眼 球壁 E.此处无感光细胞,称为生理性盲点 9.上直肌收缩时,瞳孔转向()A.上内方 B.下内方 C.上外方 D.下外方 E.外侧 10.上斜肌可使() A.瞳孔转向上外方 B.瞳孔转向下外方 C.瞳孔转向上方D.瞳孔转向外侧 E.瞳孔 转向下方 11.眼球的折光装臵为() A.晶状体 B.角膜、晶 状体 C.角膜、房水、晶状 体 D.角膜、房水、晶状体、玻璃体 E.角 膜、房水、晶状体、玻璃体、视网膜 12.泪道包括() A.鼻泪管、泪小管 B.泪小管、 泪囊 C.泪小管、泪囊、鼻泪管 D.泪点、泪小管、泪囊、鼻泪管 E.泪腺、结膜囊、泪小管、泪囊、鼻 泪管 13.视网膜中央动脉来源于() A.颈内动脉B.颈外动脉 C.椎动脉 D.脑膜中动脉 E.面 动脉 17. 属于生理性盲点的是 A、脉络膜 B、角膜 C、虹膜 D、视轴 E、视网膜中央凹 14. 眼前房与后房的分界是() A.睫状体 B.虹膜 C.脉 络从 D.晶状体 E.玻璃体 15.关于中耳鼓室壁的描述中,何者是错误的() A.上壁为鼓室盖,分隔鼓室与颅中 窝 B.内壁为乳突窦壁 C.下壁为颈静脉壁,将鼓室与颅内 静脉起始部隔开 D.外侧壁为鼓膜 E.前壁为颈动脉壁,此壁上部有咽 鼓管鼓口 16. 位于鼓室内的结构是() A.球囊 B.面神经 C.听 小骨 D.螺旋器(Corti器) E.半规管 17.耳蜗( ) A.由软骨构成B.由蜗管围绕蜗轴约两周半形成的 C.仅分为前庭阶和鼓阶两部分D.前庭阶和鼓阶充满内淋巴 E.以上均不对 18.不属于位觉感受器的是() A.椭圆囊斑 B.球囊斑 C.壶 腹嵴 D.螺旋器 E.以上均不对 19.前庭阶和鼓阶借何结构相通 () A.蜗孔 B.蜗管 C.蜗 窗 D.前庭窗 E.联合管 20.将声波的振动传人内耳的是 () A.听小骨 B.前庭 C.耳
舌尖上的中国栏目策划
《舌尖上的中国》电视节目策划书 一、背景浅析 改革开放以来,国人物质生活更加富足,在吃方面也变得更加讲究。食客、美食家、吃货等的出现,则从另一方面体现国人口味的变化。衣食住行为人之根本,古人读万卷书、行万里路已是满足,今人在此之外加上品万种美食,才称得上是真正的享受生活。而中国幅员辽阔,有八大菜系,淮扬菜、粤菜、鲁菜、湘菜,每种菜系都有其特色美食,而且烹调方法各有不同,可以说,国人够有口福的了。在《舌尖上的中国》这部纪录片中,导演和摄制组带着观众探访祖国各地美食,了解各式各样与美食有关的人和事,总共七集、每集50分钟的容量,节奏紧凑、制作精良,尝遍美食的同时又能遍览祖国风物,纪录片煞是好。而随着中国经济的飞速发展,人们的物质生活水平也得到了极大地提高,已经不再局限于吃饱穿暖这样基本的要求。民以食为天,在物质文明丰富至如斯的今天,人们开始重视对于生活品质更高层次的追求。对于吃,食不厌精、烩不厌细,不只吃味道,还要吃环境、吃服务、吃文化,吃健康。 二、企划动机 《舌尖上的中国》这部以美食为主题的纪录片,前些日子风头力压各种电视连续剧,成为连日来的微博“刷屏利器”并高居话题榜榜首,甚至让许多早已抛弃了电视的80后“吃货”们,纷纷锁定夜间的央视坐等这部“吃货指南”。人们为美食流口水,为美食的故事流眼泪,为美食的文化而感动自豪,自豪于中国饮食文化的博大精深,甚至有人高调地赞美“这才是最好的爱国主义教育片”。看要应对新的发展形势,就必须有新的态度与措施。饮食行业发展到今日,大街小巷、五花八门,各种价位、各种地域乃至跨国界的美食比比皆是。如何从
千篇一律的店面经营中脱颖而出?不仅仅是商家绞尽脑汁,着力打开销售额与知名度。美食老饕们也寻寻觅觅,力图享受到有特色、有内涵的精彩美食。《舌尖上的中国》这档美食资讯节目,是继《舌尖上的中国》这个记录片之后的后续美食资讯类节目,更实现其为商家和消费者两者搭建一个交流的平台,优秀的商家可以尽展己之所长,以此为基础展示自身特色美食功夫。而美食爱好者们则可以通过节目的推介,节省大量的时间、精力,接触到平时踏破铁鞋无觅处,只能通过口口相传难辨优劣,隐藏在街头巷尾的各种美食。大可以凭此慕名而来、亦可尽兴而去。 一、节目名称——《舌尖上的中国》 二、节目类别——继纪录片《舌尖上的中国》之后,观众参与度高的一档各地美食资讯节目 三、节目主旨——让爱美食的人走进节目让看节目的人走近美食 四、节目目标 借助最近《舌尖上的中国》的热点,重点打造一档精品的美食资讯节目,不仅仅做美食,还囊括了相关的综合资讯。力图达到“美食主动靠过来,观众自然看进去”的效果,打造口碑,铸就精品。 五、节目定位 这是一档集继纪录片《舌尖上的中国》之后的观众参与度高的一档各地美食资讯节目。将美食推介节目与菜肴烹饪节目于一身,力图更好的开发各地特色美食资源的服务资讯类美食节目,兼顾一定的娱乐性质。采用立体全面的推介方式,为现场和电视机前的观众提供优质精选的美食信息,商家现场展示、与美食爱好者们现场沟通交流。
《舌尖上的中国》简介和解说词1-7集
《舌尖上的中国》解说词1-7集 第一季:1.自然的馈赠 作为一个美食家,食物的美妙味感固然值得玩味,但是食物是从哪里来的?毫无疑问,我们从大自然中获得所有的食物,在我们走进厨房,走向餐桌之前,先让我们回归自然,看看她给我们的最初的馈赠。 本集将选取生活在中国境内截然不同的地理环境(如海洋,草原,山林,盆地,湖泊)中的具有代表性的个人、家庭和群落为故事主角,以及由于自然环境的巨大差异(如干旱,潮湿,酷热,严寒)所带来的截然不同的饮食习惯和生活方式为故事背景,展现大自然是以怎样不同的方式赋予中国人食物,我们又是如何与自然和谐相处,从而了解在世代相传的传统生活方式中,通过各种不同的途径获取食物的故事。 第一季:2.主食的故事 主食是餐桌上的主要食物,是人们所需能量的主要来源。从远古时代赖以充饥的自然谷物到如今人们餐桌上丰盛的、让人垂涎欲滴的美食,一个异彩纷呈、变化多端的主食世界呈现在你面前。本集着重描绘不同地域、不同民族、不同风貌的有关主食的故事,展现人们对主食的样貌、口感的追求,处理和加工主食的智慧,以及中国人对主食的深厚情感。 第一季:3.转化的灵感 腐乳、豆豉、黄酒、泡菜,都有一个共同点,它们都具有一种芳香浓郁的特殊风味。这种味道是人与微生物携手贡献的成果。而这种手法被称作“发酵”。中国人的老祖宗,用一些坛坛罐罐,加上敏锐的直觉,打造了一个食物的新境界。要达到让食物转化成美食的境界,这其中要逾越障碍,要营造条件,要把握机缘,要经历挫败,从而由“吃”激发出最大的智慧。 第一季:4.时间的味道 腌制食品,风干晾晒的干货,以及酱泡、冷冻等是中国历史最为久远的食物保存方式。时至今日,中国人依然对此类食品喜爱有加。 本集涉及的美食主要有腊肉,火腿,烧腊,咸鱼(腌鱼),腌菜,泡菜,渍菜,以及盐渍,糖渍,油浸,晾晒,风干,冷冻等不同食物保存方法,展现以此为基础和原材料的各种中国美食。贮藏食物从早先的保存食物 方便携带发展到人们对食物滋味的不断追求,保鲜的技术中蕴涵了中国人的智慧,呈现着中国人的生活,同时“腌制发酵保鲜”也蕴含有中国人的情感与文化意象,如对故乡的思念,内心长时间蕴含的某种情感等等。第一季:5.厨房的秘密 与西方“菜生而鲜,食分而餐”的饮食传统文化相比,中国的菜肴更讲究色、香、味、形、器。而在这一系列意境的追逐中,中国的厨师个个都像魔术大师,都能把“水火交攻”的把戏玩到如火纯青的地步,这是 8000年来的修炼。我们也在这漫长的过程中经历了煮、蒸、炒三次重要 的飞跃,他们共同的本质无非是水火关系的调控,而至今世界上懂得蒸菜和炒菜的民族也仅此一家。本集将主要透过与具有精湛美食技艺的人有关的故事,一展中国人在厨房中的绝技。 第一季:6.五味的调和
spring security 中启用角色继承、ACL与CAS
spring security 中启用角色继承、ACL与CAS
舌尖上的中国(1-7)全集解说词
《舌尖上的中国》7集(全)解说词 《舌尖上的中国》是纪录频道推出的第一部高端美食类系列纪录片,从2011年3月开始大规模拍摄,是国内第一次使用高清设备拍摄的大型美食类纪录片。共在国内拍摄60个地点方,涵盖了包括港澳台在内的中国各个地域,它全方位展示博大精深的中华美食文化。向观众,尤其是海外观众展示中国的日常饮食流变,千差万别的饮食习惯和独特的味觉审美,以及上升到生存智慧层面的东方生活价值观,让观众从饮食文化的侧面认识和理解传统和变化着的中国。 而台词优美而清新,听着解说看着画面,让人心醉··· 第一集《自然的馈赠》 中国拥有世界上最富戏剧性的自然景观,高原,山林,湖泊,海岸线。这种地理跨度有助于物种的形成和保存,任何一个国家都没有这样多潜在的食物原材料。为了得到这份自然的馈赠,人们采集,捡拾,挖掘,捕捞。穿越四季,本集将展现美味背后人和自然的故事。 香格里拉,松树和栎树自然杂交林中,卓玛寻找着一种精灵般的食物——松茸。松茸保鲜期只有短短的两天,商人们以最快的速度对松茸的进行精致的加工,这样一只松茸24小时之后就会出现在东京的市场中。 松茸产地的凌晨3点,单珍卓玛和妈妈坐着爸爸开的摩托车出发。穿过村庄,母女俩要步行走进30公里之外的原始森林。雨让各种野生菌疯长,但每一个藏民都有识别松茸的慧眼。松茸出土后,卓玛立刻用地上的松针把菌坑掩盖好,只有这样,菌丝才可以不被破坏,为了延续自然的馈赠,藏民们小心翼翼地遵守着山林的规矩。 为期两个月的松茸季节,卓玛和妈妈挣到了5000元,这个收入是对她们辛苦付出的回报。老包是浙江人,他的毛竹林里,长出过遂昌最大的一个冬笋。冬笋藏在土层的下面,从竹林的表面上看,什么也没有,老包只需要看一下竹梢的叶子颜色,就能知道笋的准确位置,这完全有赖于他丰富的经验。 笋的保鲜从来都是个很大的麻烦,笋只是一个芽,是整个植物机体活动最旺盛的部分。聪明的老包保护冬笋的方法很简单,扒开松松的泥土,把笋重新埋起来,保湿,这样的埋藏方式就地利用自然,可以保鲜两周以上。 在中国的四大菜系里,都能见到冬笋。厨师偏爱它,也是因为笋的材质单纯,极易吸收配搭食物的滋味。老包正用冬笋制作一道家常笋汤,腌笃鲜主角本来应该是春笋,但是老包却使用价格高出20倍的遂昌冬笋。因为在老包眼里,这些不过是自家毛竹林里的一个小菜而已。在云南大理北部山区,醒目的红色砂岩中间,散布着不少天然的盐井,这些盐成就了云南山里人特殊的美味。老黄和他的儿子树江小溪边搭建一个炉灶,土灶每年冬天的工作就是熬盐。云龙县的冬季市场,老黄和儿子赶到集市上挑选制作火腿的猪肉,火腿的腌制在老屋的院子里开始。诺邓火腿的腌制过程很简单,老黄把多余的皮肉去除,加工成一个圆润的火腿,洒上白酒除菌,再把自制的诺盐均匀的抹上,不施锥针,只用揉、压,以免破坏纤维。 即使用现代的标准来判断,诺邓井盐仍然是食盐中的极品,虽然在这个古老的产盐地,盐业生产已经停止,但我们仍然相信诺邓盐是自然赐给山里人的一个珍贵礼物。 圣武和茂荣是兄弟俩,每年9月,他们都会来到湖北的嘉鱼县,来采挖一种自然的美味。这
4、Spring Security 安全权限管理手册
Spring Security 3.0 安全权限管理手册 参考文献: 1、https://www.360docs.net/doc/0611189652.html,中的spring security权限管理手册。 2、spring security3.0权限管理手册 3、spring的相关资料。 本文档内容仅仅作为公司权限管理资料用,对于企业来说,权限管理将是系统中的非常重要的一个模块,权限的设计也是参考相关资料进行整理和补充。系统将通过数据库进行管理用户权限。 权限管理搭建要的问题: 1、区分Authentication(验证)与 Authorization(授权) 验证 这个用户是谁? 用户身份可靠吗? 授权 某用户A是否可以访问资源R 某用户A是否可以执行M操作 某用户A是否可以对资源R执行M操作 2、SS中的验证特点 支持多种验证方式 支持多种加密格式 支持组件的扩展和替换 可以本地化输出信息 3、SS中的授权特点 支持多种仲裁方式 支持组件的扩展和替换 支持对页面访问、方法访问、对象访问的授权。 4、SS核心安全实现 Web安全 通过配置Servlet Filter激活SS中的过滤器链 实现Session一致性验证 实现免登陆验证(Remember-Me验证) 提供一系列标签库进行页面元素的安全控制 方法安全 通过AOP模式实现安全代理 Web安全与方法安全均可以使用表达式语言定义访问规则 5、配置SS 配置Web.xml,应用安全过滤器 配置Spring,验证与授权部分 在web页面中获取用户身份
在web页面中应用安全标签库 实现方法级安全 6、配置web.xml 7、Spring配置文件中设置命名空间 8、通过数据库验证用户身份 9、完善web页面验证规则 10、自定义验证配置 11、本地化消息输出(国际化) 根据公司项目的开发要求和集合spring security3.0功能,公司将通过数据库进行对用户身份验证和授权,系统将建立5个基础表进行对权利的管理。 第一部分数据库设计 1、表设计
Spring Security 3.x 完整入门教程
Spring Security 3.x出来一段时间了,跟Acegi是大不同了,与2.x的版本也有一些小小的区别,网上有一些文档,也有人翻译Spring Security 3.x的guide,但通过阅读guide,无法马上就能很容易的实现一个完整的实例。 我花了点儿时间,根据以前的实战经验,整理了一份完整的入门教程,供需要的朋友们参考。 1,建一个web project,并导入所有需要的lib,这步就不多讲了。 2,配置web.xm l,使用Spring的机制装载: