Hi, welcome back. This is the second part of the identity management lecture. In the previous lecture, we had a look at the personal traits of a human being which can be used by a system. In this part, we are going to look at something else, which we will term system-generated identities. We have already seen the personal traits we have, like face and iris and so on. Now we are going to see some identities which are generated by the system. So, suppose a system that wants to identify you provides you an identity from its own side. A username and password pair is one such identity. The system will give you a username and password (you can actually choose your username and password yourself), and this is a kind of shared secret: the system knows this secret and only you know this secret. If somebody can provide this secret, the system simply assumes that it is you, because nobody else is supposed to know this password. So, anyone who knows this secret can pose as you. This is the aspect we have to understand: even though the system shares a secret with you, anyone who knows that secret can pose as you. The system really cannot distinguish you from someone else who knows the username and password of your account. There is a variation of this called OTPs, or one-time passwords. One-time passwords are basically system-generated identities for the short term. The system generates some kind of random string, sends it to your registered phone or email, and you are supposed to enter this information within, say, a few minutes. This is how the system identifies you. The assumption the system makes is that the phone or email to which the password was sent is in your possession. This is very important.
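The shared secret and the short-lived OTP described above, as an added example in Python (illustration code written for these notes, not code from the lecture or from any real system). It assumes an in-memory user store, a five-minute OTP lifetime, and a clock passed in as a parameter so the expiry can be exercised. Note that check_password returns True for whoever presents the right secret, which is exactly the point made above.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory "system" for the lecture: username -> (salt, password hash).
USERS = {}
# Constructed OTP store: username -> [code, expiry timestamp, already_used]
PENDING_OTPS = {}
OTP_TTL_SECONDS = 300          # assumption: an OTP is valid for five minutes
PBKDF2_ROUNDS = 100_000


def register(username, password):
    """Store the shared secret as a salted PBKDF2 hash, never in the clear."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    USERS[username] = (salt, digest)


def check_password(username, password):
    """True for *whoever* presents the right secret: the system cannot tell who is typing."""
    if username not in USERS:
        return False
    salt, digest = USERS[username]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


def issue_otp(username, now=None):
    """Generate a random six-digit code; a real system sends it to the registered phone/email."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"
    PENDING_OTPS[username] = [code, now + OTP_TTL_SECONDS, False]
    return code


def check_otp(username, code, now=None):
    """Accept the code only once and only before it expires."""
    now = time.time() if now is None else now
    entry = PENDING_OTPS.get(username)
    if entry is None:
        return False
    stored, expires_at, used = entry
    if used or now > expires_at:
        return False
    if not hmac.compare_digest(stored, code):
        return False
    entry[2] = True          # burn the code: a replayed OTP is refused
    return True


if __name__ == "__main__":
    register("alice", "correct horse battery")
    print(check_password("alice", "correct horse battery"))   # True, no matter who typed it
    code = issue_otp("alice", now=1000.0)
    print(check_otp("alice", code, now=1100.0))   # True
    print(check_otp("alice", code, now=1100.0))   # False: already used
```

The OTP is only as good as the assumption that the phone or mailbox is yours: the code itself carries no information about who typed it, which is why the system burns it after one use and lets it expire quickly.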
The system assumes that you have your phone with you and that the email address you provided to the system is still operated by you and not by someone else. With this, we come to another interesting concept called cookies. Let us assume that the system was able to generate an identity for you, a username and password, and you now have a shared secret with the system with which you can identify yourself. The problem is that entering this username and password most of the time can be a rather boring activity. Just imagine if you log into Facebook, say, two dozen times every day and you have to type in your username and your password every time. That is going to be boring and irritating for the user. So, how about having a pact between your browser and the system? In general, cookies are a pact between your browser and the system. You must have seen something like "keep me logged in". Many sites these days have this kind of message on their home page: you enter your username and password and there is an option, "keep me logged in" or "keep me signed in" or something like this. These are cookies at work. The browser stores some information regarding your identity when you log into a website, and this identity can then be replayed the next time you visit the same website. The system can log you in automatically using the information sent by the browser. You do not need to type in the username and password all over again; the system can simply log you in with the help of this cookie. Again, just like in the previous cases, there are some assumptions. The assumption is that you have access to this computer and only you can use that particular browser. If you are using Facebook, or say Gmail, or some other website like this on a shared computer, then do not tick that option. So, how secure is our identity?
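One way to implement the "keep me logged in" cookie described above, as an added example (not the lecture's code, and not how Facebook or any particular site does it). It assumes the server signs the cookie with a single secret key, SERVER_KEY (a constructed value), and a 30-day lifetime. The signature stops an attacker from editing the cookie, but it says nothing about who is holding it: whoever sends the cookie back, including the next person at a shared computer, is logged in as that user.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Assumption: the server holds one secret key with which it signs remember-me cookies.
SERVER_KEY = b"constructed-demo-key-do-not-use-in-production"
REMEMBER_ME_TTL = 30 * 24 * 3600      # assumption: "keep me logged in" lasts 30 days


def _sign(payload: bytes) -> str:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()


def issue_remember_me_cookie(username, now=None):
    """Called once, after the user has typed the correct username and password."""
    now = time.time() if now is None else now
    payload = json.dumps({"user": username, "exp": int(now + REMEMBER_ME_TTL)},
                         sort_keys=True).encode()
    body = base64.urlsafe_b64encode(payload).decode()
    return f"{body}.{_sign(payload)}"


def user_from_cookie(cookie, now=None):
    """Log in whoever presents a valid cookie; returns the username or None."""
    now = time.time() if now is None else now
    try:
        body, sig = cookie.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(body.encode())
    except (ValueError, binascii.Error):
        return None
    if not hmac.compare_digest(_sign(payload), sig):
        return None                   # tampered or forged: signature does not match
    data = json.loads(payload)
    if now > data["exp"]:
        return None                   # expired
    return data["user"]


def tamper(cookie, new_user):
    """What an attacker might try: change the username but keep the old signature."""
    body, sig = cookie.rsplit(".", 1)
    data = json.loads(base64.urlsafe_b64decode(body.encode()))
    data["user"] = new_user
    forged_body = base64.urlsafe_b64encode(json.dumps(data, sort_keys=True).encode()).decode()
    return f"{forged_body}.{sig}"


if __name__ == "__main__":
    cookie = issue_remember_me_cookie("alice", now=1_000_000)
    # The browser on a cyber-cafe machine still holds this cookie after Alice walks away;
    # the next person to open the site is logged in as Alice without knowing her password.
    print(user_from_cookie(cookie, now=1_000_000 + 3600))                 # alice
    print(user_from_cookie(tamper(cookie, "bob"), now=1_000_000 + 3600))  # None
```

The cookie is a bearer token: possession is identity, just as with the password, except that the browser now holds the secret on the user's behalf. That is why "keep me logged in" belongs only on a machine nobody else can use.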
Well, can a computer trust something like a password? Given the limitations of the other traits, passwords are a very good way of identifying people. They are fairly robust and they are easy to manage. They are acceptable for a number of reasons, considering the amount of hardware that would be required for using something like biometric traits. A password is a fairly good trade-off, but passwords are not very secure. People tend to keep passwords which can be easily remembered; this is the whole point of having passwords. If you cannot remember a password, what is it for? So, if the password is easy to remember, it will probably be easy to guess as well. If you are too predictable with what you keep as your password, it can be guessed quite easily. In fact, there are tools which can do this guesswork for you, just trying combinations of some publicly available information like your name, your date of birth, the name of your spouse, the names of your parents. Just trying combinations of these can give the password in a number of cases. Also, passwords can be sniffed over a network. What does sniffing mean? Just assume that you are connecting to a system via a network and somebody is listening to the data packets going over that network. By virtue of just sniffing the data going through, people can figure out what you typed. They can figure out your username, they can figure out your password, whatever text messages you write on, say, Facebook; everything can be sniffed over a network. This is something that is possible using network sniffing, and there will be a homework on this. We will talk about HTTPS and HTTP. You would have seen that certain website addresses start with HTTPS and certain ones start with HTTP.
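An added example of the guesswork described above (illustration code written for these notes, not any real tool): it builds a candidate list from a constructed, fictitious profile (name, spouse, parents, date of birth) and tries each candidate against the password's hash. The target is hashed with plain SHA-256, an assumption made so the loop runs quickly; a real system would salt and stretch, which slows each guess but does not shrink a predictable candidate space.

```python
import hashlib


def hash_password(password):
    """Constructed target: unsalted SHA-256 so the demo is fast; real systems should salt and stretch."""
    return hashlib.sha256(password.encode()).hexdigest()


def _name_forms(name):
    """The spellings people actually use: each token, lower-case, capitalised, and joined."""
    forms = set()
    for token in name.split():
        forms.update({token, token.lower(), token.capitalize()})
    joined = name.replace(" ", "")
    forms.update({joined, joined.lower()})
    return forms


def _date_forms(dob):
    """dob as YYYY-MM-DD -> the digit strings people type: year, ddmm, ddmmyyyy, ..."""
    year, month, day = dob.split("-")
    return {year, year[2:], day + month, month + day, day + month + year,
            day + month + year[2:], year + month + day}


def candidates(profile):
    """Build the guess list from public facts: own name, spouse, parents, date of birth."""
    words = set()
    for key in ("name", "spouse"):
        if profile.get(key):
            words |= _name_forms(profile[key])
    for parent in profile.get("parents", []):
        words |= _name_forms(parent)
    dates = _date_forms(profile["dob"]) if profile.get("dob") else set()
    suffixes = ["", "1", "123", "!", "@123"]
    guesses = []
    for word in sorted(words):
        guesses.extend(word + s for s in suffixes)
        for d in sorted(dates):
            guesses.extend([word + d, d + word, word + "@" + d])
    seen, unique = set(), []
    for g in guesses:            # keep first occurrence, preserve order
        if g not in seen:
            seen.add(g)
            unique.append(g)
    return unique


def guess_password(target_hash, profile):
    """Return the guess whose hash matches, or None once the profile-derived list is exhausted."""
    for guess in candidates(profile):
        if hash_password(guess) == target_hash:
            return guess
    return None


if __name__ == "__main__":
    # Constructed profile of a fictitious user; nothing here is real data.
    profile = {"name": "Rahul Sharma", "spouse": "Priya Sharma",
               "dob": "1985-07-14", "parents": ["Suresh", "Meena"]}
    print(len(candidates(profile)), "guesses")
    print(guess_password(hash_password("priya1985"), profile))    # priya1985
    print(guess_password(hash_password("Tr0ub4dor&3"), profile))  # None
```

A few hundred guesses built from a social-media profile are enough here; the lesson is that a password is only as secret as it is unpredictable, and that the attacker's effort scales with the size of the candidate list, not with the length of the password.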
There will be a homework on this, just to tell you what the difference between the two is and how HTTPS makes your website more secure than HTTP. We will come back to this. Prevention or cure. Can systems actually prevent themselves from any kind of attack or any imposter? Well, there are some heuristics that can be used. One is forcing regular password changes. Some systems, for example the banking websites these days, will force you to change your password fairly regularly; for example, they will ask you to change your password, say, every six months or so. This is one way of trying to minimize the effect of anybody trying to hack your password or trying to guess your password. Basically, if you keep on changing them regularly, the chances are that they will not be able to guess it. But sure, it is going to be a nuisance for the user, because finding an easy-to-remember password which is difficult to guess is not an easy task. Generally, people are not able to come up with so many passwords which are easy to remember but difficult to guess. Can systems somehow detect an imposter? Let us assume that the imposter did get hold of your username and password and now wants to log in to the system as you. Can the system still do something? Well, some systems deploy heuristics to detect a probable imposter. For example, if I log in to their website from Kanpur regularly and suddenly I log in from somewhere like, say, Beijing, that is going to be suspicious, because I regularly log in from Kanpur. How the hell could I have got to Beijing in, say, a few hours? Some systems use this information to detect probable attacks. They are not sure whether it was actually an attack or not, but the activity is suspicious, and it may be looked at in a bit more detail.
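The location heuristic described above, as an added example (not the lecture's code, and not how any particular site implements it): it sorts one account's login records by time, computes the great-circle distance between consecutive logins, and flags any pair that would require travelling faster than an assumed 1000 km/h. The login history and the city coordinates are constructed for the example.

```python
import math
from datetime import datetime

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 1000.0   # assumption: nobody travels faster than an airliner


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points given in decimal degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def flag_impossible_travel(logins, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """logins: list of (iso_timestamp, city, lat, lon) for ONE account, in any order.

    Returns (from_city, to_city, km, hours, kmh) for every consecutive pair of logins
    that would need a speed above the threshold. Not proof of an attack, only a reason
    to look closer (or to ask for an OTP before continuing)."""
    ordered = sorted(logins, key=lambda e: datetime.fromisoformat(e[0]))
    alerts = []
    for prev, cur in zip(ordered, ordered[1:]):
        hours = (datetime.fromisoformat(cur[0])
                 - datetime.fromisoformat(prev[0])).total_seconds() / 3600
        km = haversine_km(prev[2], prev[3], cur[2], cur[3])
        if hours <= 0:
            speed = float("inf") if km > 0 else 0.0   # two places at the same instant
        else:
            speed = km / hours
        if speed > max_speed_kmh:
            alerts.append((prev[1], cur[1], round(km), round(hours, 2),
                           round(speed) if math.isfinite(speed) else speed))
    return alerts


# Constructed login history (coordinates are approximate city centres).
SAMPLE_LOGINS = [
    ("2024-03-01T09:00:00", "Kanpur", 26.45, 80.33),
    ("2024-03-01T13:00:00", "Kanpur", 26.45, 80.33),
    ("2024-03-01T15:00:00", "Beijing", 39.91, 116.40),   # two hours after a Kanpur login
    ("2024-03-02T09:00:00", "Kanpur", 26.45, 80.33),
]

if __name__ == "__main__":
    for alert in flag_impossible_travel(SAMPLE_LOGINS):
        print("suspicious:", alert)    # ('Kanpur', 'Beijing', 3643, 2.0, 1822)
```

The Kanpur-to-Beijing hop is about 3,600 km in two hours and is flagged; the return to Kanpur eighteen hours later is not. In practice the location comes from IP geolocation, which VPNs and mobile carriers make noisy, so a hit should trigger a step-up check rather than an outright block.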
Now, one more way by which the bank websites try to minimize any kind of attack is by using OTPs. We talked about OTPs, right? They are one-time passwords which are sent to your mobile and/or your email ID. If an imposter somehow gets hold of your username and password, it may still be difficult for him to enter the OTP that was sent to your mobile, because the mobile will probably still be with you and the email will probably still be in your possession. So, being able to enter that OTP is not that easy. That is one way; let's say it is an extra layer of security that the banking website or some other website is trying to add. It may or may not be helpful, but it may be used to detect or stop certain imposters. What else can systems do? Cookies. We talked about cookies, right? Cookies can be used for something more than that: they can also be used to identify a new device. Suppose I bought a new laptop and logged in to Facebook from that new laptop. Facebook might actually block my access, because that device is not identifiable. By identifiable, I mean the browser should have a certain kind of cookie in it. When the browser connects to Facebook, it sends some information to it, and if the browser is not able to send that information, Facebook may feel that something is suspicious: this is not the device from which you log in regularly. So, the system may block such accesses. Facebook actually does that; it will probably ask you to first identify yourself by entering a one-time password, or it may even ask you to tag some friends of yours before going ahead. This is something that systems do use. They can take further security measures before allowing you in, or they may simply block your access for now.
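An added example of the device-recognition check described above (illustration code, not Facebook's mechanism and not the lecture's code). The function names decide_login, complete_step_up and forget_device are hypothetical. It assumes the server stores only a hash of each device token it has issued, so a leaked copy of that table cannot be replayed as a cookie, and that a browser without a recognised token must pass an extra check (an OTP, say) before it is remembered.

```python
import hashlib
import secrets

# Constructed store: username -> set of SHA-256 fingerprints of device tokens issued to it.
# Only the fingerprint is kept server-side; the raw token lives in the browser's cookie.
KNOWN_DEVICES = {}


def _fingerprint(token):
    return hashlib.sha256(token.encode()).hexdigest()


def decide_login(username, password_ok, device_cookie):
    """First gate: right secret? Then: is this a browser we have seen before?

    Returns "deny", "allow", or "step-up" (password was right but the device is new,
    so demand an OTP or another check before letting the session proceed)."""
    if not password_ok:
        return "deny"
    known = KNOWN_DEVICES.get(username, set())
    if device_cookie and _fingerprint(device_cookie) in known:
        return "allow"
    return "step-up"


def complete_step_up(username, otp_ok):
    """After the extra check passes, mint a device token for this browser to keep as a cookie."""
    if not otp_ok:
        return None
    token = secrets.token_urlsafe(32)
    KNOWN_DEVICES.setdefault(username, set()).add(_fingerprint(token))
    return token


def forget_device(username, device_cookie):
    """Lets the owner (or an incident responder) revoke the cookie of a lost or stolen laptop."""
    known = KNOWN_DEVICES.get(username, set())
    fp = _fingerprint(device_cookie)
    if fp in known:
        known.discard(fp)
        return True
    return False


if __name__ == "__main__":
    # Imposter with Alice's password, but on a laptop Alice's account has never seen.
    print(decide_login("alice", True, None))            # step-up
    token = complete_step_up("alice", True)             # Alice herself passes the OTP
    print(decide_login("alice", True, token))           # allow
    print(decide_login("alice", True, "guessed-token")) # step-up
```

The device cookie is a second bearer token, so it must be long and random (secrets.token_urlsafe gives 256 bits here) and revocable; an imposter who has the password but not the cookie is stopped at "step-up", which is exactly the behaviour described for a new laptop.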
Then, suppose the imposter actually logged in as you and was able to go through all the security checks the system had. Now what? Let's say the imposter goes and deletes your account or deactivates your account. Can the system provide some padding to the legitimate user? Can the user get back to the system and save the situation? Well, some systems provide some time for legitimate users to revert actions. For example, if the imposter did something like changing the password or deleting your account, the legitimate user can be sent an email informing him about what just happened. If the actual legitimate user was not the one who did that, he can get back to the system within a certain amount of time, say within 24 or 48 hours, and the system administrators can revert the account. Some systems do not actually delete all your stuff as soon as you do that. They keep that stuff in their database or storage and wait, say, 48 hours or a week or so, and you can get back to them if you think somebody else hacked your account and did some stuff. So, some systems keep a backup of your data as well, and they can restore your account to an old state. A quick recap of what we have learned till now. Systems need to identify people before communicating with them, just like we do: we communicate with someone only after we recognize them. The usual traits employed by us are, say, face or voice, and these traits are generally not usable by systems. The most common way by which systems identify us is by shared secrets. These are passwords; we just talked about passwords and usernames.
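The grace period for destructive actions described above, as an added example (illustration code, not any particular system's): deletion is recorded as a pending state with a deadline, the owner is notified, and the data is only purged later by a housekeeping job. The 48-hour window, the in-memory stores and the e-mail addresses are assumptions made for the example.

```python
GRACE_PERIOD_SECONDS = 48 * 3600     # assumption: 48-hour window to undo a destructive action

# Constructed stores standing in for the database and the outgoing-mail queue.
ACCOUNTS = {}        # username -> {"state", "deadline", "email", "data"}
NOTIFICATIONS = []   # (email address, message) pairs that would be sent


def create_account(username, email, data):
    ACCOUNTS[username] = {"state": "active", "deadline": None, "email": email, "data": data}


def request_deletion(username, now):
    """Soft-delete: hide the account, keep the data, tell the owner how to undo it.

    Whoever is logged in (owner or imposter) can trigger this; the notification goes to
    the registered address regardless, which is what lets the real owner notice."""
    acct = ACCOUNTS[username]
    acct["state"] = "pending_delete"
    acct["deadline"] = now + GRACE_PERIOD_SECONDS
    NOTIFICATIONS.append((acct["email"],
                          "Your account was scheduled for deletion. If this was not you, "
                          f"revert within 48 hours (deadline {acct['deadline']})."))


def revert_deletion(username, now):
    """The legitimate owner gets back in time: restore the old state. False if too late."""
    acct = ACCOUNTS.get(username)
    if acct is None or acct["state"] != "pending_delete" or now > acct["deadline"]:
        return False
    acct["state"] = "active"
    acct["deadline"] = None
    return True


def purge_expired(now):
    """Housekeeping job: only now is data really removed. Returns the usernames purged."""
    purged = [u for u, a in ACCOUNTS.items()
              if a["state"] == "pending_delete" and now > a["deadline"]]
    for u in purged:
        del ACCOUNTS[u]
    return purged


if __name__ == "__main__":
    create_account("alice", "alice@example.com", {"posts": 3})
    request_deletion("alice", now=0)            # imposter clicks "delete account"
    print(NOTIFICATIONS[-1])                    # mail to alice@example.com
    print(revert_deletion("alice", now=3600))   # True: Alice reacts within the window
    print(purge_expired(now=3600))              # []
```

The same pattern applies to a password change (keep the old credential and mail a revert link to the previously registered address) and to a changed recovery e-mail: the action takes effect immediately for the session that requested it, but the old state survives long enough for the real owner to object.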
Cookies are a mechanism by which we can reduce the number of times the user is required to type in the username and password. We talked about how boring it can be to type the username and password each and every time we log into some system. Now, modern systems also apply some kind of heuristics to detect, avoid and repair possible attempts at breaching security. Basically, the system may take care of recording your location every time you log in, and with the help of your location the system is able to figure out if somebody is trying to hack into your account. So, systems use some kind of heuristics these days, and with the help of those heuristics they can figure out certain security breaches. We talked about HTTP and HTTPS. We were talking about them in the context of key logging: how somebody can put some kind of key logger in place and record all the keys that you press on a keyboard, and with the help of that they can probably figure out your username and password. Well, there are some ways to avoid this. Some websites use something called HTTPS; this is HTTP secured. So, your homework is to go and find out what the difference between these two, HTTP and HTTPS, is. Can this kind of key logging be prevented? How can some systems protect your passwords while they are in transit? The other thing you could do is check out this "keep me logged in" feature. Read a little more about what this "keep me logged in" feature does, and figure out why it is a horrible idea, if you are using some site like Facebook from a cyber cafe, to tick "keep me logged in". What can go wrong here? You have to think and figure out what the problem would be with ticking "keep me logged in". It can actually cause some serious problems for you.
So, you have to figure out what could go wrong here with respect to identity management. And this is a fun exercise, the last one. Basically, we are talking about the IRCTC website. We talked about how the IRCTC website uses your username and password as your identity. Do this: go to the IRCTC website and try to log in to the same account from two different browsers. You can use, say, Firefox and Chrome. Log in to Firefox first with your username and password. Then open another instance, say Chrome, and log in there with the same username and password as you did in Firefox. Then, from the first session, the one in Firefox, try to access some information, something like your booking history or cancellation history, and see what happens. There will be something that will be surprising for you. Let's just leave it here; find out what you see there. You can probably somehow relate it to identity management. This is your task: relate it to identity management. Thank you. Bye.