1. Introduction
Password-based authentication remains the dominant form of authentication on the web, despite well-documented security problems. Users carry the cognitive burden of creating and remembering strong, unique passwords, which leads to password reuse and weak credentials. Password managers promise to relieve that burden by generating, storing, and autofilling passwords. Their security, however, has been called into question by earlier research. This paper presents an updated, comprehensive security evaluation of thirteen popular browser-based password managers, five years after the last major vulnerabilities were reported. The analysis covers the full password-manager lifecycle: generation, storage, and autofill.
2. Methodology & Scope
The evaluation covers thirteen password managers: five browser extensions (e.g., LastPass, 1Password), six browser-integrated managers (e.g., Chrome, Firefox), and two desktop clients for comparison. The methods were:
- Generating a corpus of 147 million passwords and analysing it for randomness and strength.
- Replicating and extending the earlier evaluation of password storage security.
- Testing the autofill mechanisms for weaknesses such as clickjacking and XSS.
- Assessing default security settings and encryption practices.
3. Password Generation Analysis
This is the first in-depth analysis of the password generation algorithms used in password managers.
3.1. Character Distribution & Randomness
Analysis of the 147 million-password corpus revealed many instances of non-random character distributions in generated passwords. Some managers showed bias in character selection, departing from a uniform random distribution. For a truly random generator, the probability of selecting any character from a set of size $N$ should be $P(char) = \frac{1}{N}$. Deviation from this indicates a defect in the algorithm.
3.2. Vulnerability to Guessing Attacks
The most significant finding is that a fraction of generated passwords were vulnerable to brute-force guessing:
- Online guessing: Generated passwords shorter than 10 characters were found to be vulnerable to online attacks, where the number of attempts is rate-limited.
- Offline guessing: Generated passwords shorter than 18 characters were susceptible to cracking after a data breach, where the attacker can make an unlimited number of guesses.
This contradicts the core promise of password managers: that they generate strong passwords.
4. Password Storage Security
Although improvements were observed compared with the evaluation five years earlier, serious problems remain.
4.1. Encryption and Metadata Handling
Several password managers were found to store metadata unencrypted: website URLs, usernames, and timestamps. Even where the password itself is encrypted, this metadata hands an attacker who obtains the vault file a map of the user's online accounts and habits, usable for targeted phishing or social-engineering attacks.
4.2. Insecure Defaults
Some managers ship with insecure defaults, such as autofill enabled on every page or weak encryption parameters. This places the burden on users to find and change those settings, which most never do.
5. Autofill Vulnerabilities
The autofill feature, built for convenience, exposes a large attack surface.
5.1. Clickjacking & UI Redressing
Several password managers were vulnerable to clickjacking. An attacker can build a malicious page with invisible layers that trick the user into clicking the manager's autofill control inside a hidden frame of the target site, so credentials are filled into a form the user cannot see and never intended to submit, rather than into the legitimate page the user believes they are interacting with.
5.2. Cross-Site Scripting (XSS) Risks
Autofill mechanisms that inject credentials into page forms without rigorous checks can be abused through an XSS flaw on an otherwise trusted site. If a legitimate site has an XSS vulnerability, injected script can add a hidden, attacker-controlled login form, trigger the manager's autofill, and read the credentials back. Origin checks alone do not help here, because the injected script runs in the legitimate origin; what stops this is requiring an explicit user action for every fill and refusing to fill fields that are not visible.
6. Results & Comparative Analysis
Key figures:
- Corpus size: 147M generated passwords analysed
- Managers tested: 13 (browser and desktop)
- Most serious issue: generated passwords under 18 characters vulnerable to offline cracking
Key finding: The landscape has improved since the earlier studies (e.g., Li et al., 2014; Silver et al., 2013), but fundamental security problems persist across many vendors. No single password manager was free of defects across all three evaluated stages (generation, storage, autofill). Browser-integrated managers and dedicated extensions both showed vulnerabilities, of differing kinds.
7. Recommendations & Future Directions
The paper closes with actionable recommendations:
- For users: Avoid password managers with known generation flaws or insecure autofill defaults. Prefer managers that offer fine-grained control over autofill behaviour.
- For developers: Use cryptographically secure pseudorandom number generators (CSPRNGs) for password generation, and draw from the character set without bias (a CSPRNG by itself does not guarantee a uniform selection). Encrypt all metadata. Implement strict origin checks and a user-consent step for autofill (e.g., requiring a click on an element that cannot be overlaid or redressed).
- For researchers: Explore formal methods to verify autofill logic, and machine learning to detect anomalous autofill requests that indicate an attack.
8. Original Analysis & Expert Commentary
Core insight: Oesch and Ruoti's study is a sobering reality check: the security tools we trust to hold our digital keys are built on shaky foundations. Five years after major flaws were disclosed, industry progress has been incremental at best, failing to address systemic problems across all three core pillars of generation, storage, and autofill. This is not merely a bug report; it is an indictment of neglect in a critical security component.
Logical structure: The paper's strength is its whole-lifecycle framing. It correctly identifies that the chain is only as strong as its weakest link. Finding non-randomness in generation ($P(char) \neq \frac{1}{N}$) undermines the whole system before storage or autofill are even considered. Replicating the earlier storage and autofill tests then reveals a pattern: while specific vulnerabilities can be patched, architectural flaws (unencrypted metadata, permissive autofill) persist. This progression from flawed generation to insecure handling to risky deployment paints a damning, complete picture.
Strengths and weaknesses: The study's greatest strength is its large-scale, data-driven treatment of password generation, the first in the literature. The 147 million-password corpus provides solid statistical evidence of algorithmic weakness, moving the discussion beyond theoretical concern. The study does have a blind spot: it treats password managers as isolated clients. The modern reality is cloud synchronisation and mobile apps, so the threat surface also includes sync protocols, server-side APIs, and mobile OS integration, none of which this study evaluates. And while it notes "insecure defaults", it does not quantify how often users actually change security settings, a key factor in real-world risk given that usability research (e.g., at USENIX SOUPS) has repeatedly found that most users never touch the defaults.
Actionable insight: For enterprise security teams, this study forces a shift from blanket "use a password manager" advice to vendor-specific, configuration-specific guidance. Managers with weak generators must be banned. Procurement checklists must now include verification of CSPRNG use and metadata encryption. For developers the way forward is clear: adopt a "zero trust" principle for autofill, requiring explicit, context-aware user consent for every fill, similar to the permission model the W3C recommends for powerful web APIs. The future lies not in trying to perfectly secure permissive autofill but in designing a least-privilege, user-controlled version. The industry's failure to self-correct in five years suggests that regulatory or standards-body intervention (e.g., by NIST or the FIDO Alliance) may be needed to enforce baseline security requirements on these custodians of our digital identities.
9. Technical Details & Test Results
Password generation analysis: The ideal strength of a generated password of length $L$ drawn from a character set $C$ is $H = L \cdot \log_2(|C|)$ bits. The study found cases where the effective strength was lower because of biased character selection. For example, if a generator intends to use a 94-character set but some characters appear with probability $p \ll \frac{1}{94}$, the effective per-character entropy drops to $H_{\text{actual}} = -\sum_{i=1}^{94} p_i \log_2(p_i)$, with $\sum p_i = 1$. For guessing attacks the more conservative figure is the min-entropy $H_\infty = -\log_2 \max_i p_i$, since an attacker tries the most likely characters first; a bias that barely moves the Shannon entropy can still lower this bound noticeably.
Test chart (illustrative): the natural figure for these results would plot the fraction of the corpus cracked against the number of guesses (log scale) for generated passwords of different lengths (e.g., 8, 12, 16 characters). The curve for passwords under 10 characters would rise steeply, showing rapid compromise under a simulated online attack (e.g., 1000 guesses). The curve for passwords under 18 characters would show a meaningful fraction cracked after $10^{10}$ to $10^{12}$ offline guesses, putting them within reach of a determined attacker with modern GPU hardware at the guess rates Hashcat benchmarks report. (Precomputed rainbow tables do not help against properly salted, iterated password hashes; the relevant threat is raw guessing throughput.)
10. Evaluation Framework & Case Study
Framework for assessing password manager security:
- Generation quality: Test generator output statistically for randomness (e.g., NIST STS, the Dieharder tests) and compute the effective entropy. Check that the default minimum length clears the thresholds the paper found (at least 10 characters against online guessing, 18 against offline). Note that NIST SP 800-63B only requires 8 characters for user-chosen secrets (6 for randomly generated ones), so it is a floor for verifiers, not a target for a generator.
- Storage security: Inspect local storage (e.g., the browser's IndexedDB, SQLite files) and network traffic for encrypted versus plaintext data. Review the encryption library and key derivation function (e.g., PBKDF2 with a sufficient iteration count, or a memory-hard function such as Argon2?).
- Autofill security posture: Map the autofill trigger logic. Test for UI redressing by building overlapping iframes. Test origin-matching logic by serving pages on lookalike hostnames (e.g., `example.com` versus `example.com.evil.net`). Check whether autofill requires a user gesture on a page element the attacker cannot predict or cover.
Case study, clickjacking: Consider Manager X, which shows an autofill button on login forms and fills when that button is clicked. The attacker builds a malicious page containing an invisible iframe that loads the `bank.com` login page, positioned so that Manager X's autofill button sits exactly under a visible decoy element on the attacker's page. The user clicks the decoy, the click lands on the autofill button inside the invisible frame, and Manager X fills the `bank.com` credentials into a form the user never saw. Because the frame is cross-origin, the attacker's page cannot read the filled values directly; the attack completes when the framed login page is also under partial attacker control (a script injected through an XSS flaw, or a login page served over HTTP that a network attacker can modify), at which point the credentials are exfiltrated. The failure on the manager's side is binding the fill to a click without checking that the form is top-level, visible, and on the expected origin.
11. Future Applications & Research Outlook
The study opens several directions for future work:
- Hardware-backed generation and storage: Integrating with Trusted Platform Modules (TPMs) or secure enclaves (e.g., Apple's Secure Enclave) to generate random seeds and hold encryption keys, moving secrets out of software-only boundaries.
- Context-aware, risk-based autofill: Using machine learning to analyse page context (DOM structure, certificate details, page title) and score the risk of filling. A high-risk context could require an additional user verification step or block autofill entirely.
- Standardised security APIs: A standardised, permissioned browser API for password managers (e.g., a successor to the `chrome.loginState` API) providing reliable, authenticated access to credentials behind a user-consent prompt, reducing the attack surface created by arbitrary DOM injection.
- Post-quantum readiness: Investigating migration of vault encryption to quantum-resistant algorithms, since an encrypted vault is a long-lived asset and an attractive harvest-now-decrypt-later target.
- Decentralised and self-sovereign designs: Exploring decentralised identity protocols (e.g., based on W3C Verifiable Credentials) to reduce reliance on a central vault, distributing risk and giving users more control.
12. References
- Oesch, S., & Ruoti, S. (2020). That Was Then, This Is Now: A Security Evaluation of Password Generation, Storage, and Autofill in Browser-Based Password Managers. USENIX Security Symposium.
- Li, Z., He, W., Akhawe, D., & Song, D. (2014). The Emperor's New Password Manager: Security Analysis of Web-based Password Managers. IEEE Symposium on Security and Privacy (SP).
- Silver, D., Jana, S., Boneh, D., Chen, E., & Jackson, C. (2013). Password Managers: Attacks and Defenses. USENIX Security Symposium.
- National Institute of Standards and Technology (NIST). (2017). Digital Identity Guidelines (SP 800-63B).
- Stock, B., & Johns, M. (2013). Protecting the Intranet Against "JavaScript Malware" and Related Attacks. International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA).
- Herley, C. (2009). So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users. Proceedings of the New Security Paradigms Workshop (NSPW).
- World Wide Web Consortium (W3C). (2021). Permissions Policy. https://www.w3.org/TR/permissions-policy-1/
- FIDO Alliance. (2022). FIDO2: WebAuthn & CTAP. https://fidoalliance.org/fido2/