Digital Identities

1. 00:01Now we want to introduce Digital Identities. This is the topic of our
2. 00:06OpenHPI course about digital identities,
3. 00:10and the question is Who we are on the internet?
4. 00:15Ofcourse with the physical identities we know how to deal,
5. 00:19this is what we do in everyday life. But before we can use a
6. 00:23web service on the internet, we have to identify ourself to the service,
7. 00:29because the service needs to be able to recognize who we are,
8. 00:35and when we come next time to remember which permissions we have.
9. 00:41As I mentioned in the physical world,
10. 00:43identification is easy. We identify ourselves through our outer appearance,
11. 00:49with our physical identity. So people who know us can remember our face.
12. 00:56our outer appearance. our voice and then say, okay this is Christoph Meinel.
13. 01:02But how we can identify ourselves on the internet?
14. 01:06To show a photo or video and to claim this is Christoph Meinel it's very easy.
15. 01:12But for the partner, it's completely unclear whether it's only
16. 01:17a photo or whether it's a real identity.
17. 01:21So we can't identify ourselves through our physical presence, but
18. 01:26what we can do we can represent and identify ourself by a collection of
19. 01:32electronic data. And exactly this is a digital identity, a collection of
20. 01:39electronic data, in more detail of electronic attributes.
21. 01:46Such attributes are for example, our address, our password, our email address,
22. 01:52our passport ID, our credit card, the telephone number or the account number.
23. 01:59So a combination of these data identifies ourself and forms a
24. 02:05digital identity.
25. 02:09What we have to do when we want to
26. 02:13use a web service, we have to prove
27. 02:18that we own such a digital identity, it is our data.
28. 02:24This telephone data and this email data and others.
29. 02:28So there are numerous ways to provide such a proof, we can prove that we own
30. 02:37a digital identity by knowing something, for example knowing
31. 02:42a secret password or knowing a secret pin.
32. 02:45We can prove the ownership by the ownership of something, for example,
33. 02:51a smart card or a token.
34. 02:55We can prove that we own this or we can show biometric characteristics, for example,
35. 03:02fingerprint or face or iris.
36. 03:07But most common and a very simple method is the use of passwords.
37. 03:13These are easy to implement with little effort for the user,
38. 03:17but we have to remember this use of password for authentication is quite unsecure
39. 03:24and holds great dangers. Original
40. 03:28approach to submit such a proof by knowing a password
41. 03:33was introduced when the personal computers came up. So to prove to the computer
42. 03:40that I am allowed to access this data.
43. 03:45But to use for authentication of a web service,
44. 03:49there are many problems and weaknesses and we will discuss about
45. 03:55this. The password must be stored in the database of the service.
46. 04:01So when we register and we design a password,
47. 04:04we have to remember the password and the service has to remember
48. 04:08the password. So the service stores the passwords in its customer database,
49. 04:15and later on the service is able to verify
50. 04:22that this password belongs to us, to verify our digital identity
51. 04:28during the login process.
52. 04:32In a professional way the data, the password is not allowed to
53. 04:36secured in the database in clear text, but it has to be
54. 04:43stored in hashed form so that all the people working
55. 04:49outside of the service are not able to understand the password itself.
56. 04:55There are many attacks known to try to steal
57. 05:01the user data. User data are most interesting for cyber
58. 05:06criminals, because with this user data they can access a service
59. 05:13and can interact with the service under the stolen name.
60. 05:19And the possibilities how attackers can attack a service to
61. 05:25steal user data, this is by exploiting some software vulnerabilities.
62. 05:31This is possible by social engineering,
63. 05:34for example, to play
64. 05:37that they are an administrator of the service and ask the user to send him
65. 05:43or to tell him the password to install something.
66. 05:47So the stolen identity data can in many different ways be misused,
67. 05:55and the idea every time is to assume a digital identity, and then
68. 06:01interact with the service, use the resources of the services
69. 06:05in the name of that identity. This is the
70. 06:09field of identity theft we will discuss
71. 06:12in the course more about this.
72. 06:16So such identity leaks here is a short
73. 06:20report of a very recent case, under the name Collection
74. 06:26number 1 to number 5.
75. 06:28Records were published on the internet in January 2019,
76. 06:35that contained a total of 2.1 one billion
77. 06:40email addresses with the corresponding passwords in plain text.
78. 06:47So these are ofcourse identity data, and this is a huge amount of identity
79. 06:53data which were published in the internet and the cybercriminals could access,
80. 06:59could take this data and then work with this data.
81. 07:02In some cases the exact services from which the identity data
82. 07:07was stolen were specified, so that it becomes very easy
83. 07:12for the attacker to misuse an identity for that
84. 07:18particular service and the attackers can quickly test identity access data
85. 07:24for different platforms, simply because the users often use the same password
86. 07:30for different services.
87. 07:33This identity leaks and this identity theft
88. 07:38is extremely dangerous, it's extremely dangerous for the persons affected.
89. 07:45Reason is their digital identities remain vulnerable as long
90. 07:50as the stolen password
91. 07:53are valid. So as long as they do not change the password, the cybercriminals could misuse
92. 08:00the identity in using the service. Here is another case,
93. 08:06in December 2018, data and documents of roughly a
94. 08:121000 politicians and celebrities were published in the internet,
95. 08:17and these data include internal and personal documents, as well as contact data
96. 08:24such as email addresses,
97. 08:27telephone numbers, or post address of the celebrities concerned.
98. 08:33And it caused a lot of discussion. How was it possible
99. 08:38for the cybercriminals to a collect such
100. 08:42personal data?
101. 08:45So the more identity data about a person
102. 08:48comes in the hands of the cybercriminals,
103. 08:52the more easily these identities can be misused. So it's a real
104. 08:58problem and it's very important to know more about
105. 09:05digital identities, ways how they can be established, the ways
106. 09:11how to manage such identities and how to use it.
107. 09:16So what we want to do in our course in the first week,
108. 09:20we will speak in general digital identities, who I am in the internet?
109. 09:27And in the first course week, we consider how digital identities are defined
110. 09:33and we discuss the different ways to manage such digital identities.
111. 09:38So it is the topic of identity management which is a in the center
112. 09:44of the first week. And we discuss how to prove
113. 09:49that one has a certain digital identity.
114. 09:53And these our the discussions of authentication methods
115. 09:57we want to do in the first week. And then in the second week,
116. 10:01we deal with questions which attacks
117. 10:06are known on digital identities, which attacks are possible and how
118. 10:11best to protect your digital identity. And in addition, we
119. 10:17look at the problem of weak passwords and give advises
120. 10:22on how to choose strong passwords and what influence strong passwords have
121. 10:28on possible attacks. Because the identification by
122. 10:34passwords is very common in the internet and we have to deal
123. 10:40with this relatively weak method in a best possible way.
124. 10:46So to introduce the teaching team, my name is Christiph Meinel, I am
125. 10:52the head of the Hasso Plattner Institute and run the chair for
126. 10:56Internet Technologies and Systems. This research focuses
127. 11:01on security engineering, on learning and knowledge engineering, digital education
128. 11:08and innovation research. And I am supported
129. 11:11by my PhD students, Alexander Muhle and Chris Pelchen. Alexander
130. 11:19is working in his
131. 11:22research for the thesis on Secure Identities on peer to peer applications
132. 11:29with certification process in international consortium.
133. 11:33And Chris Pelchen is working in the field of security engineering,
134. 11:39identity on the internet and has a lot to do with this a a digital
135. 11:44identity theft and our service to inform you about this.
136. 11:51So this is the introduction to our
137. 11:56new openHPI course, digital identities. We hope you are interested to
138. 12:01learn more about that.
139. 12:03We are happy if you stay with us and if you start to interact
140. 12:09with the other learners by using our discussion forum, by
141. 12:16answering the questions in the quizzes and in the
142. 12:21homeworks. And hope also you have fun with the course.

To enable the transcript, please select a language in the video player settings menu.