This video belongs to the openHPI course Digitale Identitäten - Wer bin ich im Netz?
- 00:00Let's look at a secure authentication method now, based on the use of digital signatures,
- 00:12First, let me remind you, digital signatures, in our information security course, I would like to remind you again how these digital signatures work,
- 00:27and the idea is simply to have a better one than the password, to have a more secure authentication method.
- 00:34Such digital signatures work in principle just like the handwritten signatures.
- 00:42So if, for example, we want to shop with a money card, then we'll sign the receipt or the bill,
- 00:50and the cashier compares - at least that's what he should do - our signature with the signature deposited on the card.
- 00:58With digital signatures, this works relatively similarly in the digital world, the online service sends a random data object to the user,
- 01:12and the user signs, signs this document, by encrypting it with a specific key and then sends it back to the service.
- 01:23And the service simply verifies the signature with the help of another key, with which he can decrypt his original data object again.
- 01:35To make such digital signatures work, it needs precautions, it needs a public key infrastructure,
- 01:44and such public key infrastructure is always needed, when working with asymmetric encryption procedures.
- 01:53And as we just said, with this digital signature there are two keys in play; with one of them the user encrypts, with the other the service provider decrypts,
- 02:05and this use of these two keys can surely only be guaranteed in the context of public key infrastructures.
- 02:15So such public key infrastructures are always needed, if you want to use asymmetric crypto procedures safely.
- 02:23The most important components of such a public key infrastructure are the certification service, the registration service and the validation service.
- 02:34Now we can say a little more precisely, how it works with the digital signatures.
- 02:41Every participant of a public key infrastructure, so every identity, has two encryption keys.
- 02:51A key is the so-called private key, with which such a signature is created,
- 02:59and this private key always stays with the user, it's kept secret, it's not given to the outside world.
- 03:07And then there's the second key, this is the so-called public key.
- 03:11In contrast to the private key the public key can be widely distributed.
- 03:15So if the service now wants to verify the user's signature, which was encrypted with the user's private key,
- 03:26then the service uses the public key to decipher that again.
- 03:32So that the service really knows to use the user's public key, this requires precautions, this public key infrastructure.
- 03:44If you want to illustrate that, you could say that's like setting a seal.
- 03:52There's one owner - in former times the king or the lord of the throne - and then wax is dripped on it, and then a pattern is embossed into the wax with the seal ring.
- 04:07The wax then hardens very quickly, so that the pattern is preserved.
- 04:11The signet ring is then something like the secret key, the private key that is never given out of hand,
- 04:18and the public key, that's like a template, to help verify this seal.
- 04:25So these are digital signatures, and the working methods in the public key infrastructure, that looks like this now.
- 04:34We have the Public Key Infrastructure Registry, and that's where the user goes, sends a request and applies for a so-called certificate.
- 04:49So the issuance of a certificate is requested, and the core of this certificate is that it confirms to the user, that's his public key.
- 05:00The registrar will verify that the user really belongs to this public key,
- 05:08and then the registry initiates that the certification body issues the certificate.
- 05:16And in the certificate the document is written, like such an identity card, the user, the name of the user and his public key and a few more details,
- 05:28and this certificate will be digitally signed by the certification authority, so encrypted with the secret key of the certification authority.
- 05:40Now, when the user wants to send a message to a communication partner, wants to interact with an online service, for example,
- 05:53then he gives with a wish what he wants to do, he attaches his certificate.
- 06:00He digitally signed this wish, so encrypted with his private key,
- 06:07and with the attached certificate it is now available to the service or the communication partner, to verify the authenticity of this message.
- 06:17What's the matter with you? The certificate contains the public key of this user.
- 06:22So if it succeeds in decrypting the signature, which was encrypted with the private key, with the public key from the certificate,
- 06:32then it is proven the message came from the user and everything's fine.
- 06:46For example, if you are accessing a website via the secure HTTP protocol - you can see this in the HTTPS
- 06:56when you connect to your bank, it's always with the HTTPS protocol, more and more pages are only accessible via HTTPS -
- 07:09then the browser uses this HTTPS connection to establish a connection to the server of this website and verify the authenticity of the page.
- 07:23In order for this to succeed, the HTTPS secured website sends its certificate to the browser, i.e. the website identifies itself.
- 07:35Before trustworthy things are done, they have to be checked first, is this really the website or is the now or compromised.
- 07:46So, now the browser has to check the certificate, and he has implemented a list of certification bodies.
- 07:57The user does not need to worry about it at all, that's what browser manufacturers do,
- 08:00who check these certification bodies, and as soon as they're considered trustworthy,
- 08:07they enable the browsers to view this certificate, that was digitally signed by the certification authority,
- 08:19the browser knows the public key of this certification authority, can decrypt the certificate.
- 08:26And yes, if he sees that it's the right browser. - you can still do that right now, there are probably changes in the future,
- 08:36but at the moment you can still see well by clicking in the web browser window since this green key symbol sees the line where the URL is entered,
- 08:48and if the certificate leads you to say, that's not the site, I don't recognize that,
- 08:53then you will be warned with a corresponding red symbol, that the browser does not consider the page to be trustworthy.
- 09:03About digital signatures and public key infrastructures in our information security course.
- 09:12Here, in this course on digital identities, we're talking about identity management,
- 09:21and there was a very important phase of authentication, i.e. determining whether a user belongs to a digital identity.
- 09:30So, and the interesting thing is, with such digital signatures you can perform this authentication.
- 09:42The question must first be clarified, how does the online service know
- 09:47that a user's published key actually belongs to that user, to that identity.
- 09:54And now our certificate comes into play, the user had to, if he wanted to sign digitally, be a participant in a public key infrastructure,
- 10:05the proof is done with the certificate, with the certificate, in which the binding of the public key to the user was attested.
- 10:15And the certificate is not now issued by the user himself, that could be someone who wants to pretend a false identity,
- 10:22but it's issued by a trusted third party in this public key infrastructure, it is digitally signed by the certification authority.
- 10:36And if now our service trusts this PKI and trusts this certification body, he trusts the certificate.
- 10:45For authentication of a user by the online service, the public key just needs to
- 10:53be removed from the certificate and thus the signed message of the user can be decrypted.
- 11:01So, and if this works, then the authentication will be done; if the decryption does not work, does not release the messages of the original user,
- 11:13then that's a sign that something's been tampered with or someone pretends to be wrong.
- 11:19Now, if we want to classify this kind of authentication using digital signatures
- 11:25in our scheme authentication on the basis of knowledge, on the basis of ownership, on the basis of biometrics,
- 11:34then this is a method based on ownership, namely this certificate and this key.
- 11:44So if we're gonna take a closer look, how this authentication works,
- 11:50then we know it needs a public key infrastructure, that's always needed when we want to use digital signatures and asymmetric encryption methods securely.
- 12:00So, the user - first of all a key pair is generated in the public key infrastructure - gets a private one, gets a public key,
- 12:10and the public key will be sent through the registry, that verifies the identity, authenticity, validity of the public key,
- 12:19then applies for a certificate, which is then confirmed by the appropriate certification body.
- 12:30On the basis of this application and this verification, this identity check, the certification body then prepares this certificate,
- 12:38that ties the public key to the user's identity, and the user receives the certificate.
- 12:45So that's that, probably at registration in the public key infrastructure.
- 12:49So here's the question, how does he register with an online service?
- 12:54To register with such an online service, the user creates a digital signature, so data is encrypted with his private key,
- 13:04and this data, encrypted with the private key, together with the certificate in which the corresponding public key is stored, is sent to the service.
- 13:15So, and the service is now validating the certificate with the help of the PKI's validation point, so it checks,
- 13:24if it's all legal, gets the public key of this infrastructure and can then decrypt this certificate,
- 13:37and now the service can retrieve the user's public key from the certificate, decrypt the signed message sent by the user,
- 13:51that's what this public key is for, and only the public key can do that,
- 13:56and if that works, the user gets access, because then it is proven that this is really the user he pretends to be.
- 14:05So we have here to show that again in the schematic flow, our user, who gets a certificate here for the time being,
- 14:17by submitting an application to the registry, is identified there with his two keys.
- 14:25The registration body shall then forward this application to the certification body, which builds the certificate, so brings together the user name and the public key,
- 14:35encrypts it with the private key of the certification authority, and now the user has the certificate.
- 14:47So, and now the user sends messages to the service, so I want this and that from you, encrypting it with his private key,
- 14:55so that a) no one understands it on the way, and b) the service is capable of decrypting this message using the certificate that was also sent.
- 15:08If this is successful, it is clear that the public key described in the certificate is the corresponding key to the one with which the user encrypted the data.
- 15:19No one else is capable of doing this, this private key is only connected to the user,
- 15:24and now the service can say okay, all right, who is identified is authenticated, the user, and can now make use of the appropriate resources.
- 15:36If we look at the pros and cons of this procedure, authentication on the basis of digital signatures,
- 15:45then first of all there is an advantage, knowledge is no longer necessary, no complicated passwords have to be used either,
- 15:50that private key, that's in possession, and it's verified, that a person actually belongs to an identity.
- 16:02This private key, if you put it on the computer, - the best thing is to have this in a smart card -
- 16:10if that's put down on the computer, you'd be creating a safe working environment, which one protects there also again additionally with a password,
- 16:18so that if someone hacks into the computer, he can't get that private key yet.
- 16:23Which is also advantageous, it does not need a registration process with the individual online service.
- 16:32Through the sending of the certificate and the corresponding message, the service can directly decide whether that's the person she claims to be or not.
- 16:43So signature and certificate are sufficient, to check it out.
- 16:50There is also no longer any need to exchange secrets now, like password or fingerprint or something.
- 16:58And what's important for the service is that this certificate has been certified by a trustworthy body.
- 17:15Disadvantage, such a Public Key Infrastructure is relatively expensive.
- 17:22And trust is necessary, so there are public key infrastructures like this established in the net, you can use it, but that is a certain effort.
- 17:34It is also necessary that the users, both on the user's side as well as on the side of the service, know how to use this mechanism properly.
- 17:48Disadvantage is also, if the hacker succeeds, to get a user's private key into his hand, then of course he can impersonate that user,
- 18:00then in this authentication process, then the hacker authenticates as well, because he's in possession of the private key.
- 18:10So if we sum this up, then we saw the possibility of authentication, to be able to do that with the help of digital signatures.
- 18:27These public key infrastructures, which work with certificates and digital signatures,
- 18:34they are based on the application of asymmetric encryption procedures,
- 18:40so that the user always has two keys, the private key and a public key.
- 18:46The digital signature is generated by encrypting something with the high-security private key that only the user owns,
- 18:56and if the associated public key, which is widely used, is able to decipher that, then it's clearly proven, that can only come from this user.
- 19:08It is now important that the correct digital key is used, to check if the message really came from the user,
- 19:19whether it can actually decipher the message sent encrypted with the private key.
- 19:23And this requires a mechanism that can make this assignment between the user and the public key.
- 19:33And this mechanism in a public key infrastructure is produced via certificates,
- 19:40so there this certification authority of the Public Key Infrastructure certifies to the user that it is his public key.
- 19:50The certificate can then be the user anywhere, I'd like to show you my skills in this service as well,
- 19:59that he really is the user he pretends to be, with whom is in contact and that then according to the authorization
- 20:09the user may use certain resources, can take place or not.