This video belongs to the openHPI course Digitale Identitäten - Wer bin ich im Netz?
- 00:00 We want to deal with this question now: as we have a digital identity and a physical identity, how can we safely connect them?
- 00:10 Because that is a question for many services, that the service really must be sure:
- 00:16 is the person registered there, described by her name and address, actually the person it is about?
- 00:24 So when registering with an online service, the digital identity is created,
- 00:30 the attributes are collected; the user typically discloses this data and fills it in on forms herself.
- 00:40 Now it is the case that different services need or want to know whether this data really belongs to a real person, belongs to the person who made the entry.
- 00:57 And that's an interesting question, so here's an example of a service that needs to know that, for example in online banking,
- 01:06 when an account is created or a credit card is requested, then the user enters his own name and address on the website, and then there's this digital identity.
- 01:19 However, the bank must know whether the relevant data, name and address, really belong to the person specified.
- 01:29 It must not be that anybody opens an account here in someone else's name and then carries out activities of which the real person behind this identity knows nothing.
- 01:41 To make this connection now, to create a digital identity, to securely associate it with a physical identity and then confirm it, the user must identify himself accordingly.
- 01:56 It is not enough simply to enter data; the passport has to be checked, there have to be things checked that help to connect
- 02:05 the attributes that now make up the digital identity with the physical identity of the user.
- 02:16 So typically this process is part of the registration process.
- 02:23 So, what are the methods now to bind this digital identity to the physical identity?
- 02:30 So there are different ways. For example, there's the Post-Ident procedure, you know that,
- 02:39 there's video identification, VideoIdent, for example via WebID, and there's the new ID card with this app,
- 02:48 and typically all of these procedures are based on working with an external, trusted service provider who helps confirm that identity.
- 03:04 So with the Post-Ident procedure these are the post offices and the staff there.
- 03:08 For video identification, WebID for example is a trustworthy online service that has found widespread use,
- 03:16 and in the case of the electronic identity card, it ends up being the citizens' offices that provide this confirmation through the issuance of the identity card.
- 03:33 Let's take a closer look at two methods, namely video identification, using the example of WebID,
- 03:41 and then what is possible in Germany, this binding with the help of the new identity card.
- 03:54 This is the best known and most widely used video identification provider, and to be able to use that, i.e. to be able to use WebID, but also other video identification providers,
- 04:09 of course you need a computer that is connected to the Internet and equipped with a camera and a microphone, so that a certain interaction can take place.
- 04:20 If we work with the new ID card now, then of course you need this identity card or a passport.
- 04:29 With WebID this does not have to be a new identity card, because here the identity card or the passport is only held ready for identification,
- 04:42 and then of course you have to have a browser that supports these WebID applications.
- 04:53 First of all, the user enters his data at his online service, for example at his bank; let's stick to the example of opening a bank account.
- 05:04 Then the bank needs confirmation that this data really belongs to the person who logs in, and redirects the user to the WebID site to determine that.
- 05:19 Here, on the WebID site, the user starts a video chat, a video chat with a WebID employee.
- 05:30 The user then has to show his identity card in the course of the chat and has to answer a few questions,
- 05:39 to give the WebID service certainty that the user is actually the person specified in this identification document or described in this passport document,
- 05:54 that the photos match, and then, after the chat has ended, WebID transmits to the corresponding online service, in our case the bank, the information: yes, the person is actually the person he claims to be.
- 06:14 This registration will then be completed and the user is entitled to use the online service, i.e. this online banking service in our example, and to identify himself.
- 06:27 So this identification, that it's really this person, is done with the help of a video chat, is done by comparing the person, by a discussion with the person, and their identity card and passport,
- 06:42 and this service, this WebID, is therefore in this registration process a bit like the notary who gives the bank the confirmation: yes, that's really the user he claims to be.
- 06:56 What speaks for such a video identification, as shown here with the example of WebID?
- 07:03 Advantages are that identification is possible at any time, the video chat is also not very complex and takes only a few minutes,
- 07:13 and you can do it from home, therefore there is no extra trip, for example as in the Postident procedure to the post office,
- 07:22 you are then not dependent on any opening hours but can do it at any time; you just need a PC that also has a camera and microphone.
- 07:32 If you look at the disadvantages now, then of course the bank has to trust this WebID company,
- 07:42 because WebID says yes or no, gives a thumbs up or a thumbs down, and the bank is ultimately responsible for the consequences of interacting with this person.
- 07:56 If things went wrong and that identification wasn't clean, so that somebody managed to sneak in there as a hacker on behalf of another person
- 08:09 and get the confirmation, yes, that's that person, then of course big problems arise.
- 08:15 So trust is necessary in the WebID company in our example case, in the video chat employee, who also learns personal data:
- 08:27 he sees the ID, he sees the passport, he knows for which service the user now wants to authenticate and wants to ensure in the registration process,
- 08:42 wants to prove, that he is this person. And, of course, that's something that needs to be weighed.
- 08:51 A second way we want to look at, of how to create this bond of a digital identity to a physical person,
- 09:03 this secure bond, let's take a look at the possibility with the new ID card.
- 09:10 So you have to say it again, because the older identity cards do not have this functionality.
- 09:16 So the new identity card offers an alternative for online identification; this new identity card has existed since 2010, often referred to as nPA,
- 09:31 and it has such an online function, and this online function must of course be activated.
- 09:39 Whoever has a new identity card knows that when you receive it, you have to agree to this activation.
- 09:46 Examples now of online services for which the new identity card can be used
- 09:52 are, for example, DATEV, the employee online portal for payroll accounting, which is very widespread in Germany.
- 10:00 Deutsche Bahn accepts it, Deutsche Post accepts it, the e-mail alliance.
- 10:07 There are a number of other services, but we need to note that the number of these online services with which you can interact in this way has so far remained relatively limited.
- 10:22 So if I want to do this, if I want to use this new ID card to identify myself to a service, then what is needed?
- 10:32 Well, you need the new ID card itself, of course, and you need this activated online function.
- 10:39 To use it, you need a card reader that is connected to the computer, and it has to have this ID card app loaded.
- 10:56 Yes, if you use the online service with your new ID card, it'll work like this, if this service allows it; here's how it works.
- 11:06 So the user then clicks on the corresponding login button, then the ID card app on the computer opens,
- 11:14 then the user is requested to place his card on the card reader or into the card reader, so that the online service can interact with the card.
- 11:29 And then the ID card first checks whether the service is authorized at all to read data from it, so whether there's this connection,
- 11:40 and the user also sees completely transparently which data the service wants to read from the ID card.
- 11:48 The user is explicitly asked to confirm this transfer, and the confirmation is done by now proving that it's really his ID, by entering the corresponding PIN.
- 12:04 And then the data from the identity card, the corresponding data which the user has confirmed for transmission, is transmitted encrypted to the online service.
- 12:16 This new ID card, the identification with this new ID card, is based on a public key infrastructure.
- 12:30 This public key infrastructure includes a whole range of state authorities, i.e. the Federal Office for Information Security, BSI, issues the root CA, the root certificate.
- 12:46 The Federal Office of Administration with the Issuing Authority for Authorisation Certificates is the registry for the corresponding online services
- 12:55 that want to offer this opportunity to identify users via the new identity card.
- 13:02 Then we have authorization certificate providers, which issue the actual technical certificates,
- 13:10 for example D-Trust GmbH, which belongs to Bundesdruckerei, which then provides these corresponding verifications.
- 13:21 Before an online service can interact with the new identity card, it needs this authorization certificate.
- 13:30 And the issuing authority for such a certificate is the Federal Office of Administration.
- 13:37 That checks whether the service is reliable, whether the service really needs this data in order to carry out its offer, whether it is set up securely, whether it handles the data properly.
- 13:51 And the approval is granted by issuing such a certificate, which can then also be used in communication.
- 14:03 Now the online service must write an application to get this certificate; it has to be specific about which data of the ID card it wants to access,
- 14:15 why it needs the data, that it is data-efficient, that less data wouldn't be enough,
- 14:21 and once the application is approved, then the service can go to an authorization certificate provider, which then issues the certificate.
- 14:33 Only then is it possible for the service to verify the identity card and to use the data of the identity card to identify a user.
- 14:46 So here schematically again: the service provider with the application and decision and with the certification offers.
- 14:53 What is important here is that, different from WebID, where an employee, where a person has had the identity card shown to them and asked questions and then said afterwards, that's him,
- 15:04 here the possession of the identity card and the knowledge of the PIN that opens the ID card are the proof
- 15:19 that the data that will then be read are actually the data of the user.
- 15:24 How does that work technically now, this picture, this interaction?
- 15:34 A certificate is also stored on the identity card, including user attributes and a private key.
- 15:46 If there's such a request now, the ID card will first check the authorization certificate of the online service provider,
- 15:55 that he's really entitled to ask for this information, that he passed this examination.
- 16:02 It continues to verify the validity of the certificate, that it hasn't already expired,
- 16:07 and it also checks the security of the certificate by checking the validity of the root CA certificate.
- 16:16 In the authorization certificate it is then described exactly which data the service may access.
- 16:26 This is shown to the user again, and that's exactly the data that's transferred if the user declares his consent.
- 16:37 And this consent, the entry of the PIN is considered as such a declaration of consent,
- 16:47 and only after entering the PIN will the corresponding data be transmitted, signed with the private key.
- 16:56 So, and the online service can then verify the signature using the ID card certificate.
- 17:01 We were talking about public key infrastructure, we were talking about signing,
- 17:08 signing with the private key, that this data is encrypted with the private key,
- 17:13 and only the corresponding public key of the user, on the part of the service provider, is then able to decrypt the data again.
- 17:25 The binding of the person to the public key takes place within and with the help of the certificate.
- 17:36 It's about making a bond between a digital identity and a natural person.
- 17:44 This possibility of doing this with the ID card offers high protection; you have seen all the mechanics.
- 17:57 There are the offices that check it: is it a reliable service provider, does it handle the data properly, does it really need the data.
- 18:05 So that's very high protection, also that this data is then, in this authorization case, imported directly from the identity card,
- 18:15 that the user always retains sovereignty in this action, because he doesn't just need his identity card,
- 18:22 the new identity card, but also confirms the transmission of the corresponding data with his PIN.
- 18:30 There's mutual identification, that's important: it is checked automatically using the authorization certificate whether the service is authorized to read data from the ID card at all,
- 18:48 and vice versa, it is of course clear that the new identity card also identifies itself to the service provider.
- 19:01 The whole thing is encrypted end-to-end, which means the identity data sent over the network is inaccessible to those who observe network traffic.
- 19:15 The identity card is handy, always at hand; what's important, of course, is that this app, that this online function is unlocked,
- 19:26 otherwise the ID card may not be used in this form.
- 19:31 The downside here is that I need card readers on my devices so that the connection to the identity card can be established at all,
- 19:42 and at least today it is still a disadvantage that there are relatively few services that support this secure identification process via the identity card.
- 19:56 Let me summarize what we've been discussing:
- 20:02 So in different contexts, for different services, it's very important to know
- 20:07 whether the digital identity that is set up there in the registration process actually matches a physical identity.
- 20:22 We have discussed creating this binding through video identification and have seen how this WebID service works.
- 20:33 So this was relatively easy, because with such a video chat and the ID card or passport you convince WebID that you're actually the person you claim to be,
- 20:48 so that this digital identity can actually be linked to a physical identity.
- 20:53 We've discussed a second way, that with the help of the new ID card,
- 20:59 if you have a card reader and the online service offers this possibility, and therefore has a valid authorization certificate,
- 21:09 then this direct transfer of attributes can also take place from the identity card to the online service, to create this bond between digital identity and natural identity.
- 21:22 And in this service, which is now organized in a very exemplary way with the new identity card,
- 21:30 the user always has the choice whether this identity data should really be transferred or not.
- 21:42 That's what we've covered this week: how registration and how authentication work,
- 21:50 what different possibilities there are, with which protocols this can be carried out safely,
- 21:56 and now, in the last video, we have also seen how this digital identity can be firmly and securely connected with a physical identity.
- 22:04 Next week we will be dealing with topics, namely attacks on digital identities,
- 22:13 so for example password theft and how to defend yourself.