
AutoPass: Detailed Description and Analysis of an Automatic Password Generator

A detailed analysis of AutoPass, a client-side password generation scheme designed to address both user-side and service-side password management problems by generating strong, site-specific passwords on demand.
computationalcoin.com | PDF Size: 0.2 MB

1. Introduction

Text-password authentication remains the dominant method of user authentication despite its well-known shortcomings. The proliferation of online services has placed an unsustainable burden on users, who are expected to create and remember many strong, unique passwords. This paper introduces and specifies in detail AutoPass, a password generation scheme designed to address key password-management problems by generating strong, site-specific passwords on demand from minimal user input.

2. General Model

This section establishes a formal model for password generation schemes, distinguishing them from purely random password generators. The model defines a scheme that can regenerate the password for a specific site whenever it is needed, based on a small set of secrets held by the user.

2.1 Definition

A password generator is defined as a client-side scheme that simplifies password management by producing site-specific passwords on demand. The core requirement is repeatability: the same input (user secret + site identifiers) must always produce the same password. This contrasts with password managers, which store passwords, since generators create them algorithmically.

3. Detailed Description of AutoPass

AutoPass is an on-demand password generator that combines the strengths of earlier schemes while introducing new techniques to overcome their limitations. Its principal inputs are the user's master secret and the service/site identifiers (e.g., the domain name). It outputs a strong pseudorandom password tailored to that particular site.

Key Novelty: AutoPass explicitly addresses several real-world constraints that its predecessors neglected, such as forced password changes, the need to incorporate pre-specified passwords (e.g., corporate mandates), and compliance with diverse, site-specific password policies (length, character sets).

4. Detailed Description of AutoPass Operation

AutoPass's workflow consists of several steps:

  1. Input Handling: The user provides the master password and the identifiers of the target service.
  2. Key Derivation: A strong secret key is derived from the master password using a Key Derivation Function (KDF) such as PBKDF2 or Argon2.
  3. Password Construction: The derived key, the service identifiers, and other parameters (e.g., the password-policy index and an iteration counter for forced changes) are fed into a deterministic function (e.g., HMAC-based) to produce a raw byte sequence.
  4. Policy Enforcement: The raw output is mapped onto a character set that satisfies the target site's specific policy (e.g., must include uppercase letters, lowercase letters, digits, and symbols).
  5. Output: The final policy-compliant password is presented to the user for the login attempt.

5. Analysis of AutoPass's Properties

AutoPass is examined against a set of desirable properties for password generators:

  • Security: Resistant to offline brute-force attacks on the master secret. The use of a strong KDF is essential here.
  • Uniqueness: Passwords for different sites are cryptographically independent of one another.
  • Policy Flexibility: The output can be adapted to meet complex and varying site requirements.
  • Change Support: Forced password changes are supported by incorporating an iteration counter into the generation algorithm.
  • Usability: Only a single master secret has to be memorised.

The paper argues that AutoPass successfully addresses weaknesses found in schemes such as PwdHash (limited policy compliance) and SuperGenPass (no change support).

6. Conclusion

AutoPass represents a significant advance in the design of practical password generators. By formally specifying the scheme and examining its properties against real-world requirements, the authors provide a framework that can reduce the user's password-management burden while maintaining high security standards. Future work includes implementation, user studies, and formal security proofs.

7. Original Analysis & Expert Insights

Core Insight

AutoPass is not just another password scheme; it is a pragmatic acknowledgement that the password system is here to stay and that the real battle lies in managing it, not replacing it. The authors correctly identify that earlier academic proposals often fail in the messy reality of corporate password policies and mandatory resets. Their core insight is that the generator must be a policy-aware secret translator, turning a single secret into context-appropriate tokens.

Logical Flow

The paper's logic is admirably clean: 1) define the problem space (user-side and service-side issues), 2) establish a formal model for evaluating solutions, 3) identify the gaps in existing schemes, 4) propose a synthesis (AutoPass) that fills those gaps with new techniques such as policy encoding and change counters. This recalls the structured approach of foundational works such as the CycleGAN paper (Zhu et al., 2017), which likewise built a new model by exposing the limitations of earlier image-to-image translation techniques and addressing them systematically.

Strengths & Flaws

Strengths: The focus on real-world constraints is its killer feature. The engineering design for handling password changes via a simple counter is elegant. Its client-side, algorithm-only nature avoids the single point of failure and the synchronisation problems of cloud password managers such as LastPass (as documented in the incidents reported by the Krebs on Security blog).

Critical Flaw: The paper's main weakness is the absence of a concrete implementation, empirical analysis, and formal security proof. It is a specification, not a validated tool. The heavy reliance on a single master secret creates a catastrophic failure mode: if it is compromised, every derived password is compromised. This contrasts with hardware tokens or the FIDO2/WebAuthn protocols, which offer phishing resistance. Furthermore, as NIST researchers have noted, any deterministic generator faces a challenge if a site's password policy changes retroactively, potentially locking users out.

Actionable Insights

For security teams: AutoPass's logic is worth borrowing for internal tooling that helps staff handle mandated password rotation without resorting to sticky notes. The policy-encoding idea could be integrated into enterprise password vaults.

For researchers: The next step must be a formal security reduction proof, perhaps modelling the generator as a Pseudorandom Function (PRF). User studies are essential: does the average user trust an algorithm to "remember" their passwords? The usability-security tension remains.

For industry: While AutoPass is a clever patch, it should not distract from the imperative to move beyond passwords. It serves as a good transitional architecture while FIDO2 and passkeys gain adoption. Think of it as a crutch: useful now, but the goal is to heal the broken leg (the password system itself).

8. Technical Details & Mathematical Foundations

The cryptographic heart of AutoPass can be modelled as a deterministic function. Let:

  • $S$ = the user's master secret (password)
  • $D$ = the service identifier (e.g., "example.com")
  • $i$ = the iteration counter (for password changes, starting at 0)
  • $P$ = an index representing the target site's password policy

The basic generation step uses a Key Derivation Function (KDF) and a Message Authentication Code (MAC):

$ K = KDF(S, salt) $
$ R = HMAC(K, D \,||\, i \,||\, P) $
where $||$ denotes concatenation.

The raw output $R$ (a byte string) is then transformed by a policy-compliant mapping function $M(P, R)$ that deterministically ensures the final password contains the required character classes (uppercase letters, lowercase letters, digits, symbols). For example, $M$ may take bytes of $R$ modulo the size of the policy's character set to select characters, guaranteeing at least one character from each required class.

9. Analytical Framework & Conceptual Example

Framework for Evaluating Password Generators:

  1. Input Interface: What must the user supply? (AutoPass: master secret + site name).
  2. Deterministic Engine: How is repeatability achieved? (AutoPass: KDF + HMAC).
  3. Policy Layer: How are site-specific rules handled? (AutoPass: the policy-encoded mapping function $M$).
  4. State Management: How are password changes handled? (AutoPass: the iteration counter $i$).
  5. Adverse Scenarios: What happens if the master secret is lost, or the site's policy changes? (AutoPass: total loss; possible lockout).

Conceptual Example (No Code):
Imagine a user, Alice. Her master secret is "BlueSky42!@#".
Scenario 1 - First login to `bank.com`:
Inputs: $S$="BlueSky42!@#", $D$="bank.com", $i=0$, $P$="Policy_B: 12 characters, all character classes".
AutoPass internally computes $R$ and applies $M(Policy_B, R)$ to produce the output: `gH7@kL2!qW9#`.
Scenario 2 - Forced change at `bank.com` after 90 days:
The inputs are identical except that $i=1$. The new output is a completely different, policy-compliant password: `T5!mR8@yV3#j`.
Scenario 3 - Login to `news.site` with a simpler policy:
$D$="news.site", $i=0$, $P$="Policy_A: 8 characters, letters and digits only".
Output: `k9mF2nL8`.
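The pipeline of section 4, the $K$/$R$/$M$ formulas of section 8 and Alice's three scenarios above, worked as one added Python example (not the paper's or the authors' code). PBKDF2-HMAC-SHA256 stands in for the KDF, and the policy table, the fixed salt, the length-prefixed encoding of $D \,||\, i \,||\, P$ and the shuffle step are assumptions of this example; the generated strings will not match the illustrative passwords above, which are not the result of any real computation.

```python
import hashlib
import hmac

# Constructed policy table: name -> (length, required classes); alphabet is their union.
UPPER, LOWER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ", "abcdefghijklmnopqrstuvwxyz"
DIGIT, SYMBOL = "0123456789", "!@#$%^&*"
POLICIES = {
    "Policy_A": (8, [UPPER, LOWER, DIGIT]),           # letters and digits only
    "Policy_B": (12, [UPPER, LOWER, DIGIT, SYMBOL]),  # all four classes
}

def derive_key(master_secret: str, salt: bytes, iterations: int = 200_000) -> bytes:
    # K = KDF(S, salt): PBKDF2-HMAC-SHA256 makes offline guessing of S costly.
    # Nothing is stored, so the salt itself must be reconstructible by the user.
    return hashlib.pbkdf2_hmac("sha256", master_secret.encode(), salt, iterations)

def raw_output(key: bytes, domain: str, counter: int, policy: str) -> bytes:
    # R = HMAC(K, D || i || P). Fields are length-prefixed so the concatenation
    # is unambiguous ('ab'||'c' must not collide with 'a'||'bc').
    msg = b""
    for field in (domain.encode(), str(counter).encode(), policy.encode()):
        msg += len(field).to_bytes(2, "big") + field
    return hmac.new(key, msg, hashlib.sha256).digest()

def _byte_stream(raw: bytes):
    # Expand R into as many deterministic bytes as the mapping needs.
    n = 0
    while True:
        yield from hashlib.sha256(raw + n.to_bytes(4, "big")).digest()
        n += 1

def policy_map(policy: str, raw: bytes) -> str:
    # M(P, R): map R onto the policy alphabet, guaranteeing one character from
    # every required class and avoiding modulo bias in the byte-to-char step.
    length, classes = POLICIES[policy]
    stream = _byte_stream(raw)
    def pick(seq):
        limit = 256 - (256 % len(seq))  # bytes >= limit would bias b % len(seq)
        while (b := next(stream)) >= limit: pass  # rejection sampling
        return seq[b % len(seq)]
    chars = [pick(c) for c in classes]  # one character per required class, then fill
    chars += [pick("".join(classes)) for _ in range(length - len(classes))]
    for j in range(len(chars) - 1, 0, -1):  # deterministic Fisher-Yates shuffle so the
        k = pick(range(j + 1))               # mandatory characters are not always first
        chars[j], chars[k] = chars[k], chars[j]
    return "".join(chars)

def generate(master_secret: str, domain: str, counter: int, policy: str, salt: bytes = b"example-salt") -> str:
    key = derive_key(master_secret, salt)
    return policy_map(policy, raw_output(key, domain, counter, policy))
```

Bumping `counter` from 0 to 1 models the forced change of Scenario 2: the whole password changes, while the user still only holds the master secret and must remember (or have the client record) the counter value for that site.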

10. Future Applications & Research Directions

  • Integration with WebAuthn/Passkeys: AutoPass could serve as a fallback or companion method in a multi-factor setup, providing strong secrets for sites that do not yet support passwordless authentication.
  • Enterprise Secret Management: The core algorithm could be adapted to generate unique, rotatable API keys or service-account passwords in microservice architectures, managed by a central policy server.
  • Post-Quantum Cryptography (PQC): As quantum computing advances, the KDF and MAC functions in AutoPass would need to be replaced with PQC-resistant algorithms (e.g., lattice-based ones). Research into PQC-ready password generators is an open area.
  • Biometric-Enhanced Generation: Future versions could use a biometric-derived key as part of $S$, adding a "something you are" layer, although this raises significant privacy and revocation challenges.
  • Standardisation: A major direction is proposing the AutoPass model to standards bodies such as the IETF or W3C, creating an open, auditable protocol for client-side password generation to ensure interoperability and security review.

11. References

  1. Al Maqbali, F., & Mitchell, C. J. (2017). AutoPass: An Automatic Password Generator. arXiv preprint arXiv:1703.01959v2.
  2. Bonneau, J., Herley, C., van Oorschot, P. C., & Stajano, F. (2012). The quest to replace passwords: A framework for comparative evaluation of web authentication schemes. IEEE Symposium on Security and Privacy.
  3. Zhu, J., Park, T., Isola, P., & Efros, A. A. (2017). Unpaired Image-to-Image Translation using Cycle-Consistent Adversarial Networks. IEEE International Conference on Computer Vision (ICCV).
  4. Krebs, B. (2022). LastPass Breach May Have Exposed Password Vault Data. Krebs on Security. [Online]
  5. National Institute of Standards and Technology (NIST). (2017). Digital Identity Guidelines: Authentication and Lifecycle Management. NIST Special Publication 800-63B.
  6. Ross, B., Jackson, C., Miyake, N., Boneh, D., & Mitchell, J. C. (2005). Stronger Password Authentication Using Browser Extensions. USENIX Security Symposium. (PwdHash)
  7. FIDO Alliance. (2022). FIDO2: WebAuthn & CTAP Specifications. [Online]