
AutoPass: Description and Analysis of an Automatic Password Generator

A full description and security analysis of AutoPass, a new client-side password generator scheme designed to address both user-side and service-side password management problems.
computationalcoin.com | PDF Size: 0.2 MB

1. Introduction

Text-password authentication remains the dominant way of authenticating users despite its well-known weaknesses. The proliferation of online services has made the problem worse, forcing users to manage a number of strong, unique passwords that cannot realistically be kept in memory. The result is insecure practices such as password reuse and weak password choice. AutoPass is proposed as a client-side password generation scheme designed to create and manage strong, site-specific passwords on demand, lowering the user's burden while addressing the limitations found in earlier schemes.

2. General Framework

This section sets out a general framework for password generators, distinguishing them from purely random password generators. The framework defines a scheme that derives passwords deterministically from a small set of user inputs (such as a master secret $M$ and a site identifier $S$), so that the same password can be regenerated for the same site.

2.1 Definition

A password generator, in this context, is defined as a deterministic, on-demand process. It takes as input the user's master secret $M$, a site/service identifier $S$ (for example, a domain name), and possibly further parameters $P$ (such as a password-change counter $i$). It outputs a strong, site-specific password $PW = G(M, S, P)$. The function $G$ must be one-way, so that $M$ cannot be recovered from a compromised $PW$; since $S$ and $P$ are public, an attacker holding one $PW$ can still test guesses of $M$ offline, so $M$ needs enough entropy (or $G$ enough cost per evaluation) to make that search impractical.

3. Overview of the AutoPass Scheme

AutoPass is built on the general framework but introduces new techniques to handle real-world constraints. Its main contributions lie in its ability to handle:
1. Forced password changes: it incorporates a change counter $i$ into the generation process.
2. Locked passwords: it lets users "lock" a particular generated password for a site when desired.
3. Site-specific policies: it can adapt the password format (length, character set) to meet the rules of different websites.
The scheme runs entirely on the client, requiring no trusted third party and no server-side secret storage.

4. Detailed Description of AutoPass

The description details the algorithms for:
- Setup: the user chooses a master secret $M$.
- Password generation: $PW_{S,i} = H( H(M) \, || \, S \, || \, i )$, where $H$ is a cryptographic hash function (e.g. SHA-256) and $||$ denotes concatenation. The output is then formatted (e.g. Base64-encoded and truncated) to meet the site policy $P_S$. An implementation should delimit or length-prefix the fields, since bare concatenation of a variable-length $S$ with $i$ does not fix the field boundary.
- Password change: incrementing $i$ yields a new, unrelated password for site $S$.
- Password locking: a mechanism that stores a hash of a particular $PW_{S,i}$ so that it is not changed again unless explicitly unlocked.

5. Analysis of AutoPass Properties

The paper evaluates AutoPass against key security and usability properties:
- Security: resistance to brute force (the strength of $H$ and, in practice, the entropy of $M$, since a fast hash lets an attacker who holds one $PW$ test guesses of $M$ offline), to phishing (site binding via $S$, provided $S$ is taken from the verified domain rather than typed by the user), and to compromise (knowing one $PW$ reveals neither $M$ nor other sites' passwords).
- Usability: minimal memory burden on the user (only $M$); forced password changes are handled easily.
- Portability & compatibility: works across devices as long as $M$ is available (the per-site counter $i$ and any lock state must also be reproduced on each device); can generate passwords compatible with most site policies.
The analysis concludes that AutoPass fixes major shortcomings of earlier schemes, such as the lack of support for password changes and the lack of policy flexibility.

6. Conclusion

AutoPass represents a significant advance in password generator design. By formalising the framework and analysing its properties, the authors present a practical solution to the password management crisis, balancing security, usability and compliance with real-world rules in a way that earlier academic proposals often neglected.

7. Original Analysis & Expert Commentary

Core Insight

AutoPass is not just another password manager; it is a formal, cryptographic reframing of the password problem. The authors correctly identify that the root cause is not user laziness but an impossible cognitive load. Their solution moves that load from human memory to deterministic computation, a hallmark of good security engineering. This matches foundational principles in usable security research, such as those championed by Carnegie Mellon's CyLab Usable Privacy and Security (CUPS) Laboratory, which emphasise designing systems that fit human capabilities.

Logical Flow

The paper's logic is admirably clean: define the problem (Section 1), establish a general framework (Section 2), present the solution within that framework (Sections 3 & 4), then evaluate it (Section 5). This mirrors the rigorous structure found in early security protocol papers. Using a cryptographic hash function $H$ as the core primitive is simple and strong, drawing on decades of cryptanalytic research. However, the flow stumbles slightly by not comparing the strength of AutoPass's output against the NIST SP 800-63B guidelines for memorized secrets, a missed opportunity to ground it in current policy.

Strengths & Weaknesses

Strengths: Handling forced changes via the counter $i$ is elegant and removes a major user pain point. The "password lock" feature is a sensible acknowledgement that some sites (e.g. banks) effectively become root credentials. Its client-side, serverless nature avoids the single point of failure and the trust problem that plague cloud password managers, a concern highlighted by breaches such as LastPass (2022).
Critical weakness: The elephant in the room is management and recovery of the master secret ($M$). If $M$ is lost, every derived password is lost, a catastrophic failure mode the paper passes over. Suggested remedies for recovering $M$ (e.g. Shamir secret sharing) are non-trivial for end users. Moreover, the scheme offers no protection against a keylogger capturing $M$ during entry, a common attack vector. Compared with modern hardware-backed solutions such as WebAuthn/Passkeys, which resist both phishing and keyloggers, AutoPass feels like an elegant solution to a problem that FIDO Alliance standards are increasingly sidestepping.

Actionable Insight

For security architects, AutoPass's core cryptographic pattern, $H(\text{Secret} \, || \, \text{Context})$, is the essential building block for deriving many credentials from one root. It can be adapted to generate API keys or to authenticate internal services; in practice, use a keyed construction such as HMAC or HKDF with length-prefixed context fields rather than a bare hash of a concatenation. For researchers, the obvious next step is hybridisation: combine AutoPass's deterministic generation with the phishing resistance of Passkeys. Imagine a scheme in which the "site identifier" $S$ is cryptographically verified (e.g. via the TLS certificate) and the derived password is used only as a fallback for legacy sites. The future lies not in choosing between passwords and their replacements, but in intelligent, context-aware credential schemes that bridge the gap, as emerging research on adaptive authentication at institutions such as SRI International suggests.

8. Technical Details & Mathematical Framework

The core generation function can be expanded to show its components:

$\text{Master key: } K = H(M)$
$\text{Site seed: } Seed_{S,i} = K \, || \, S \, || \, i$
$\text{Raw output: } R = H(Seed_{S,i})$
$\text{Final password: } PW_{S,i} = \text{Format}(R, P_S)$

Where $\text{Format}()$ applies rules such as: take the first 12 characters, map them onto the allowed letter/symbol set, ensure at least one upper-case character, and so on. Security rests primarily on the preimage resistance of $H$ (so that neither $K$ nor $M$ can be recovered from $R$) and on the entropy of $M$, rather than on collision resistance: an attacker who holds one $PW_{S,i}$ and knows $S$ and $i$ can test candidate values of $M$ offline at the speed of $H$, so a deliberately slow key-derivation function for $K = H(M)$ is what raises the cost of that search.

9. Analysis Framework & Conceptual Example

Framework: To evaluate any password generator, use this checklist derived from the paper:
1. Input: What is the minimal user secret? Is it memorable?
2. Determinism: Can the same password be regenerated across devices and sessions?
3. Site specificity: Does compromise at site A reveal anything about the password for site B?
4. Change support: Can the scheme handle mandatory password rotation?
5. Policy compliance: Can it adapt its output to different complexity rules?
6. Phishing resistance: Is the output bound to the specific intended service?

Conceptual example (no code): Consider a user, Alice. The password strings below are illustrative placeholders, not actual hash outputs.
- Her master secret $M$ is a passphrase: "correct horse battery staple @2024".
- For site $S$ = "example.com" and first use ($i=1$), AutoPass hashes this combination.
- The hash output (e.g. a hex string) is converted into a 15-character password meeting example.com's policy: "X7@!qF9*Kp2$wL5".
- When example.com forces a change after 90 days, Alice (or the AutoPass client) sets $i=2$. The new hash produces a different password: "gT8#mY3&Zn6%vR1".
- For her bank, she uses the "lock" feature on the first generated password, preventing further changes unless she unlocks it manually.
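The derivation of Section 8 and Alice's walkthrough above, carried through in working code. This is an added example, not the authors' reference implementation. It assumes PBKDF2-HMAC-SHA256 for $K = H(M)$ in place of a single SHA-256 call, HMAC over length-prefixed fields for $R$ in place of bare concatenation, and one specific $\text{Format}()$ that guarantees a character from each required class; the `Policy` fields, the salt string `autopass-example-v1`, and the `AutoPassClient` class (which holds the per-site counter $i$ and lock state a client has to remember) are assumptions of this example, not part of AutoPass.

```python
# AutoPass-style client-side derivation (added example, not the authors' reference code).
# Assumptions beyond the page: K = H(M) uses PBKDF2-HMAC-SHA256 instead of one SHA-256 call,
# R = H(K || S || i) is HMAC over length-prefixed fields instead of bare concatenation, and
# Format() follows the rules sketched in Section 8 with one guaranteed character per class.
import hashlib
import hmac
import string
import struct
from dataclasses import dataclass
from typing import Dict, Iterator, List, Set

@dataclass(frozen=True)
class Policy:
    """Site policy P_S: required length and character classes ('' means no symbols)."""
    length: int = 16
    lower: bool = True
    upper: bool = True
    digits: bool = True
    symbols: str = "!@#$%&*"

def derive_master_key(master_secret: str, iterations: int = 100_000) -> bytes:
    """K = H(M), deliberately slow so that whoever holds one PW_{S,i} pays per guess of M.
    The salt is a fixed constant: a random per-user salt would need storage and syncing."""
    return hashlib.pbkdf2_hmac("sha256", master_secret.encode(), b"autopass-example-v1", iterations)

def raw_output(key: bytes, site: str, counter: int) -> bytes:
    """R = H(K || S || i) as HMAC_K(len(S) || S || i). The length prefix fixes the field
    boundary; lower-casing S makes 'Example.COM' and 'example.com' derive the same password."""
    s = site.strip().lower().encode()
    seed = struct.pack(">I", len(s)) + s + struct.pack(">I", counter)
    return hmac.new(key, seed, hashlib.sha256).digest()

def _uniform(stream: Iterator[int], n: int) -> int:
    """Unbiased index in [0, n) from a byte stream (rejection sampling, no modulo bias)."""
    while True:
        b = next(stream)
        if b < 256 - 256 % n:
            return b % n

def _classes(policy: Policy) -> List[str]:
    """Required character classes of P_S, in a fixed order."""
    opts = [(policy.lower, string.ascii_lowercase), (policy.upper, string.ascii_uppercase),
            (policy.digits, string.digits), (bool(policy.symbols), policy.symbols)]
    return [cls for on, cls in opts if on]

def format_password(raw: bytes, policy: Policy) -> str:
    """Format(R, P_S): one character from each required class, the rest from the whole
    alphabet, then a deterministic Fisher-Yates shuffle so the guaranteed characters do not
    always occupy the first positions. Every choice is driven by bytes stretched from R."""
    classes = _classes(policy)
    if not classes or policy.length < len(classes):
        raise ValueError("policy needs at least one class and room for each required class")
    alphabet = "".join(classes)
    stream = iter(hashlib.shake_256(raw).digest(64 * policy.length))  # stretch R as needed
    chars = [cls[_uniform(stream, len(cls))] for cls in classes]
    chars += [alphabet[_uniform(stream, len(alphabet))] for _ in range(policy.length - len(classes))]
    for k in range(len(chars) - 1, 0, -1):
        j = _uniform(stream, k + 1)
        chars[k], chars[j] = chars[j], chars[k]
    return "".join(chars)

def complies(password: str, policy: Policy) -> bool:
    """The check the target site's own validator would apply against P_S."""
    return len(password) == policy.length and all(
        any(c in cls for c in password) for cls in _classes(policy))

def generate_password(key: bytes, site: str, counter: int, policy: Policy) -> str:
    """PW_{S,i} = Format(H(K || S || i), P_S)."""
    return format_password(raw_output(key, site, counter), policy)

class AutoPassClient:
    """State the scheme implies a client must keep and sync: the current counter i per site
    (so forced rotations survive across sessions and devices) and the set of locked sites."""

    def __init__(self, master_secret: str, iterations: int = 100_000):
        self._key = derive_master_key(master_secret, iterations)
        self._counter: Dict[str, int] = {}
        self._locked: Set[str] = set()

    def counter(self, site: str) -> int:
        return self._counter.get(site.strip().lower(), 1)

    def password(self, site: str, policy: Policy = Policy()) -> str:
        return generate_password(self._key, site, self.counter(site), policy)

    def rotate(self, site: str) -> int:
        """Forced change: advance i for the site. Refused while the site is locked."""
        name = site.strip().lower()
        if name in self._locked:
            raise PermissionError(f"{site} is locked; unlock it explicitly before rotating")
        self._counter[name] = self.counter(site) + 1
        return self._counter[name]

    def lock(self, site: str) -> None:
        self._locked.add(site.strip().lower())

    def unlock(self, site: str) -> None:
        self._locked.discard(site.strip().lower())
```

Two details matter in practice. The per-site counter and the lock set are state the client has to persist and carry to every device; a fresh device that lacks them regenerates the $i=1$ password and the lock is silently lost. And the PBKDF2 iteration count is the only knob that slows an attacker who captures one $PW_{S,i}$ and tries passphrases offline; with the page's plain SHA-256 that attacker runs at raw hash speed.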

10. Future Applications & Research Directions

1. Integration with password managers: the AutoPass algorithm could serve as the core engine of open-source password managers (e.g. a KeePass plugin), providing a standardised, auditable generation method.
2. Post-quantum cryptography (PQC): the hash function $H$ must remain secure against quantum attacks. Hash functions such as SHA-256 and SHA-3 are already regarded as quantum-resistant at 256-bit output sizes (Grover's algorithm roughly halves the effective preimage security), so future versions mainly need to fix adequate output lengths and track NIST's evolving guidance rather than change the hash family.
3. Decentralised identity (DID): deriving verifiable credentials from a single master secret aligns with DID concepts. AutoPass could be adapted to generate decentralised identifiers or private keys for Web3 applications.
4. Enterprise secret management: the framework could be scaled for DevOps, generating unique API keys or database passwords for different microservices from a single key held in a hardware security module (HSM).
5. Biometric integration: research could explore using a stable biometric template (processed locally) as part of the input to $M$, improving convenience while preserving determinism; since raw biometric readings are not bit-for-bit repeatable, this requires an error-correcting construction such as a fuzzy extractor.

11. References

  1. Al Maqbali, F., & Mitchell, C. J. (2017). AutoPass: An Automatic Password Generator. arXiv preprint arXiv:1703.01959v2.
  2. Bonneau, J., Herley, C., van Oorschot, P. C., & Stajano, F. (2012). The quest to replace passwords: A framework for comparative evaluation of web authentication schemes. IEEE Symposium on Security and Privacy.
  3. NIST. (2020). Digital Identity Guidelines: Authentication and Lifecycle Management (SP 800-63B).
  4. FIDO Alliance. (2022). FIDO2: WebAuthn & CTAP Specifications. Retrieved from https://fidoalliance.org/fido2/
  5. Florêncio, D., & Herley, C. (2007). A large-scale study of web password habits. Proceedings of the 16th International Conference on World Wide Web.
  6. Krombholz, K., et al. (2017). "I Have No Idea What I'm Doing" - On the Usability of Deploying HTTPS. USENIX Security Symposium.