3.1. Randomness Evaluation Framework
Password-based authentication remains the dominant form of authentication on the web despite its well-documented security problems. Users face a heavy cognitive load when managing many strong passwords, which leads to password reuse and weak passwords. Password managers promise to relieve this burden by generating, storing, and autofilling passwords. Prior research, however, has cast doubt on their security. This paper presents an updated, comprehensive security evaluation of thirteen browser-based password managers, examining the full credential lifecycle: generation, storage, and autofill.
We evaluated thirteen password managers: five browser extensions (e.g., LastPass, Dashlane), six browser-integrated managers (e.g., Chrome, Firefox), and two desktop clients for comparison. The evaluation consisted of three core phases: randomness analysis of 147 million generated passwords, assessment of storage security (encryption, metadata handling, defaults), and testing of autofill against attacks such as clickjacking and XSS.
This section details the first large-scale study of the password generation algorithms used by password managers.
We applied statistical randomness tests, including frequency analysis, entropy calculations, and tests for uniform distribution over the configured character classes (uppercase letters, lowercase letters, digits, symbols).
Several managers produced non-uniform character distributions. For example, some were biased toward particular positions or character classes, which lowers the effective entropy of the generated passwords below the theoretical maximum for the configured alphabet and length.
Another important finding is that a fraction of the generated passwords, in particular those shorter than 10 characters, were weak enough to fall to online guessing attacks, and passwords shorter than 18 characters could be vulnerable to offline attacks under the assumption of capable modern cracking hardware. Both thresholds depend on the assumed guessing rate and on how the target site hashes the password, so they should be read as estimates rather than fixed cut-offs.
Replicating and extending the work of Li et al., we evaluated how passwords are encrypted and stored, both locally and in the cloud.
While most managers use strong encryption (e.g., AES-256), key derivation functions and key storage mechanisms varied, and some implementations were notably weaker than others, for instance in how much work is applied to the master password before it is turned into an encryption key.
A major flaw was the storage of sensitive metadata (e.g., website URLs, usernames) in plaintext or with minimal protection, which creates a privacy risk even when the password itself is encrypted: a copy of the vault reveals which sites the user has accounts on.
Many managers also ship insecure defaults, such as fully automatic autofill or not requiring the master password after a browser restart, which enlarges the attack surface.
Autofill, while convenient, introduces significant attack vectors. We tested it against the known classes of exploits.
We found that several managers were vulnerable to clickjacking, where a malicious site overlays invisible elements on legitimate UI controls to trick the user into triggering autofill into an attacker-controlled field.
If a site has an XSS vulnerability, injected script can interact with the DOM elements the password manager fills to exfiltrate credentials, a risk highlighted in earlier work by Stock and Johns.
Managers that communicate with cloud services for synchronisation or other features were tested for susceptibility to man-in-the-middle attacks that could inject malicious script or steal authentication tokens.
Overall, security has improved relative to evaluations from five years earlier, but major problems persist. No single manager was free of flaws across all three categories (generation, storage, autofill). Browser-integrated managers often had simpler, more secure autofill but weaker generation algorithms; third-party extensions offered more features but brought more complexity and a larger attack surface. We identified specific managers that failed our tests and that security-conscious users should avoid.
For users: choose managers with a strong security track record, enable every available security feature (such as 2FA), and be cautious with autofill. For developers: use cryptographically secure pseudo-random number generators (CSPRNGs) for password generation, encrypt all metadata, adopt secure defaults (e.g., always require the master password), and harden autofill against UI manipulation. For researchers: examine the usability/security trade-offs of autofill, develop standardised security evaluation frameworks, and study post-quantum cryptography for future designs.
Core insight: Oesch and Ruoti's study delivers an uncomfortable truth: the tools built to solve the password crisis are themselves sources of vulnerability. The industry's focus on convenience and features has, in many cases, directly undermined the core security promises. The finding that generated passwords can be weak is especially damning: it strikes at the heart of what a password manager promises.
Conceptual framework: The paper neatly structures the attack surface along the user journey: creation (generation), at rest (storage), and in use (autofill). This lifecycle approach, akin to threat modelling in frameworks such as Microsoft's STRIDE, shows that the weaknesses are systemic rather than isolated. A flaw in generation undermines strong storage; a flaw in autofill nullifies both. This interdependence is often missed in point-in-time studies.
Strengths & weaknesses: The study's strength lies in its thoroughness and its replication of prior work, which yields a longitudinal view of how security has evolved. The corpus of 147 million generated passwords is commendable. However, the study shares a weakness common to many security evaluations: it is largely black-box, functional testing. It identifies what is broken but offers little insight into why from a software-engineering perspective: were these flaws due to deadline pressure, misunderstanding of specifications, or a lack of security review? Furthermore, while it cites NIST's Digital Identity Guidelines, a deeper look at how these managers align (or fail to align) with standards such as FIPS 140-3 or the security requirements laid out in the IETF's Password-Authenticated Key Exchange (PAKE) proposals would have added considerable weight.
Actionable insight: For enterprise security teams, this paper is a mandate to scrutinise even widely trusted password managers. Brand reputation is not enough. Procurement checklists must include specific tests for generation randomness (e.g., using standard suites such as Dieharder or the NIST STS), metadata encryption, and autofill behaviour under simulated attack. For developers, the lesson is to prioritise simplicity and secure defaults. The most secure autofill design may be the simplest: a manual "click-to-fill" that requires a deliberate, physical user action, in line with research from the University of California, Berkeley on physical consent interfaces. The future lies not in making fully automatic autofill perfect, but in designing minimally intrusive yet maximally explicit user interactions that keep a human in the loop for security-critical decisions.
The randomness evaluation of password generation rests on the Shannon entropy $H$ of the generated passwords:
$H = -\sum_{i=1}^{n} P(x_i) \log_2 P(x_i)$
where $P(x_i)$ is the probability that character $x_i$ appears at a given position. For a truly uniform choice from a character set of size $C$, the maximum entropy per character is $\log_2(C)$. For a 72-character set (26 lowercase + 26 uppercase + 10 digits + 10 symbols), the maximum is $H_{\text{char}} = \log_2 72 \approx 6.17$ bits, so a 10-character password has a theoretical maximum of about 61.7 bits of entropy.
The study found that biases in some managers' algorithms reduce the effective entropy below this figure. Vulnerability to offline attacks was estimated from an assumed cracking rate $R$ (hashes per second) and the size of the password space $N$, giving the average time to find the password:
$\text{Time to crack} \approx \frac{N}{2 \times R}$
Assuming a high rate of $10^{10}$ hashes/s (within reach of modern GPU rigs against a fast, unsalted hash), a password with fewer than ~65 bits of entropy ($N = 2^{65}$) could be cracked in a timeframe feasible for a motivated attacker. The estimate scales linearly with $R$: at exactly $10^{10}$ hashes/s, $2^{65} / (2 \times 10^{10}) \approx 1.8 \times 10^{9}$ s, roughly 58 years, so a hundredfold faster rate (a larger cluster, or a cheaper hash) brings that to about seven months, while a slow, memory-hard password hash at the target site moves it the other way.
Key Figure 1: Character distribution bias. Bar chart comparing observed versus expected frequencies of character classes (uppercase, lowercase, digit, symbol) across several password managers. Several managers show a statistically significant deviation (p < 0.01) from the expected uniform distribution, with digits disproportionately represented at certain positions.
Key Figure 2: Entropy vs. password length. Scatter plot of the estimated entropy for each manager at various configured lengths (8, 12, 16, 20 characters). It shows that while most managers approach the theoretical entropy line at longer lengths, some fall short at shorter lengths (8-12 characters), clustering below the line and indicating weak randomness.
Key Figure 3: Autofill vulnerability matrix. Heatmap with managers on the Y axis and vulnerability types (clickjacking, XSS leakage, network injection) on the X axis. Cells are coloured green (not vulnerable), yellow (partially or conditionally vulnerable), and red (vulnerable). The figure shows at a glance which managers are risky across the autofill attack surface.
Case: Evaluating the autofill security of "Manager X".
Step 1 - Feature mapping: Document how Manager X triggers autofill. Does it fill automatically? Does it show a drop-down? Which DOM attributes does it rely on (id, name, class, placeholder)?
Step 2 - Threat modelling: Apply the STRIDE model, enumerating for each category how a page or network attacker could abuse the trigger conditions identified in Step 1.
Step 3 - Test execution: Build a test web page that exercises each threat path in turn. For clickjacking, create overlaid elements; for XSS, simulate a script that reads the `value` property of the filled fields.
Step 4 - Analysis & scoring: Score each vulnerability by likelihood and impact (e.g., using DREAD). The aggregate determines Manager X's overall autofill security rating.
This structured process moves beyond ad-hoc testing and ensures comprehensive coverage.
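To make Steps 3 and 4 concrete, here is an added example harness (not the paper's tooling): a script to include in the test login page that records every time a password field is populated, whether a user gesture preceded it, whether the field was visible, and whether the page was framed, together with a DREAD roll-up for Step 4. The gesture window, the visibility heuristic, the verdict colours and the DREAD thresholds are assumptions; the `document` wiring is inert outside a browser so that the classification logic can be exercised under Node.

```javascript
// Added example (not the paper's harness): fill probe for Step 3 and scoring for Step 4.
// Thresholds, colours and weights are assumptions for illustration.

// Verdict for the Figure 3 style matrix:
// green  = filled into a visible, top-level field shortly after a user gesture;
// yellow = filled inside a frame after a gesture (framing is the clickjacking precondition);
// red    = filled with no preceding gesture, or into a field the user could not see.
function classifyFill({ msSinceGesture, visible, inIframe }, gestureWindowMs = 1000) {
  if (!visible) return "red";
  if (!(msSinceGesture <= gestureWindowMs)) return "red"; // also red when no gesture ever happened
  if (inIframe) return "yellow";
  return "green";
}

// Records fills; `now` is injectable so the logic can run without a browser.
function makeProbe(now = () => Date.now()) {
  let lastGestureAt = -Infinity;
  const events = [];
  return {
    noteGesture() { lastGestureAt = now(); },
    noteFill(field) {
      const record = {
        name: field.name,
        // Any script on the page can read this; that is the XSS exfiltration primitive of Step 3.
        value: field.value,
        msSinceGesture: now() - lastGestureAt,
        visible: field.visible,
        inIframe: field.inIframe,
      };
      record.verdict = classifyFill(record);
      events.push(record);
      return record;
    },
    events,
  };
}

// Step 4: DREAD score as the unweighted mean of five 1..10 ratings.
function dreadScore({ damage, reproducibility, exploitability, affectedUsers, discoverability }) {
  const axes = [damage, reproducibility, exploitability, affectedUsers, discoverability];
  if (axes.some((v) => !(v >= 1 && v <= 10))) throw new RangeError("DREAD axes must be 1..10");
  return axes.reduce((a, b) => a + b, 0) / axes.length;
}

// Roll-up over findings [{ attack, dread }]: the total the text mentions, plus the worst
// single finding, since one red cell is enough to make a manager unsafe.
function overallRating(findings) {
  const scores = findings.map((f) => dreadScore(f.dread));
  const total = scores.reduce((a, b) => a + b, 0);
  const worst = scores.length ? Math.max(...scores) : 0;
  const rating = worst >= 7 ? "high" : worst >= 4 ? "medium" : "low"; // assumed thresholds
  return { total, worst, rating };
}

// Browser wiring for the Step 3 test page (skipped under Node). Assumes the login form uses
// <input type="password">; some managers set .value without firing `input`, so it also polls.
if (typeof document !== "undefined") {
  const probe = makeProbe();
  for (const type of ["pointerdown", "keydown"]) {
    document.addEventListener(type, () => probe.noteGesture(), true);
  }
  const isVisible = (el) => {
    const r = el.getBoundingClientRect();
    const s = getComputedStyle(el);
    return r.width > 0 && r.height > 0 && s.visibility !== "hidden" && parseFloat(s.opacity) > 0;
  };
  const seen = new WeakMap();
  const check = () => {
    for (const el of document.querySelectorAll("input[type=password]")) {
      if (el.value && seen.get(el) !== el.value) {
        seen.set(el, el.value);
        console.log(probe.noteFill({
          name: el.name, value: el.value, visible: isVisible(el), inIframe: window !== window.top,
        }));
      }
    }
  };
  document.addEventListener("input", check, true);
  setInterval(check, 250);
}
```

Load the test page with Manager X installed, click (or do not click) its fill control, and watch the console: a green record means the fill followed a deliberate gesture into a visible top-level field; red means the manager filled with no interaction or into a field the user could not see; yellow flags a fill inside a frame, which is the condition the clickjacking scenario exploits. The recorded `value` property is the point of the XSS simulation: whatever the probe can read, injected script can read too.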
1. Integration with WebAuthn/passkeys: The future is passwordless. The next evolution for password managers is to become primary passkey providers (built on the W3C Web Authentication API). Research is needed on the security of synchronising and recovering passkey private keys across devices, a challenge highlighted by the FIDO Alliance.
2. Context-aware, risk-based autofill: Instead of a binary fill/don't-fill decision, future managers could use machine learning to assess page legitimacy (domain age, TLS certificate, reputation score) and user context (usual login time, device) to modulate autofill behaviour, requiring additional authentication in high-risk situations.
3. Formal verification & secure hardware: Critical components, in particular the random number generator and the core encryption/decryption routines, could be verified with proof assistants such as Coq, and the synchronisation and authentication protocols with the Tamarin prover. Integrating with Trusted Platform Modules (TPMs) or secure enclaves for key storage could raise the bar for high-value targets.
4. Decentralised & user-centric architectures: Moving from centralised cloud vaults to decentralised protocols (e.g., based on secure multi-party computation or secret-sharing servers) could reduce the risk of large provider breaches. This aligns with the broader vision of the "Solid" project for personal data pods.