MFDPG: Gudanar da Kalmar Sirri Mai Ƙayyadaddun Maɓalli Da Yawa Ba tare da Ajiye Sirri Ba

Tsarin Abubuwan Cikin Takarda

1. Gabatarwa & Bayyani
2. Nazarin DPGs Masu Wanzuwa
- 2.1 Kurakuran Tsaro & Sirri
- 2.2 Iyakokin Amfani
3. Ƙirar MFDPG
4. Ƙima & Sakamako
5. Fahimtar Masanin Nazari
6. Zurfin Binciken Fasaha
7. Tsarin Nazari & Nazarin Hali
8. Aikace-aikace na Gaba & Hanyoyi
9. Nassoshi

1. Gabatarwa & Bayyani

Kalmomin sirri sun kasance babbar hanyar tantancewa, amma gudanar da su yana gabatar da ƙalubalen tsaro mai mahimmanci. Masu gudanar da kalmomin sirri na gargajiya suna haifar da maki gazawa na tsakiya, kamar yadda keta kamar LastPass ya nuna. An gabatar da Masu Ƙirƙirar Kalmar Sirri Mai Ƙayyadaddun Maɓalli (DPGs) sama da shekaru ashirin a matsayin madadin, suna ƙirƙira kalmomin sirri na musamman a kowane rukunin yanar gizo daga babban sirri da sunan yanki, suna kawar da ajiya. Duk da haka, DPGs masu wanzuwa suna fama da manyan kurakuran tsaro, sirri, da amfani waɗanda suka hana yaduwa.

Wannan takarda ta gabatar da Mai Ƙirƙirar Kalmar Sirri Mai Ƙayyadaddun Maɓalli Da Yawa (MFDPG), wata sabuwar ƙira da ke magance waɗannan gazawar. MFDPG tana amfani da haɓakar maɓalli da yawa don ƙarfafa babban sirri, tana amfani da tsarin bayanai mai yuwuwa don soke kalmar sirri mai tsaro, kuma tana amfani da kewayawa na ƙayyadaddun inji mai ƙarewa (DFA) don bin ƙa'idodin kalmar sirri masu sarƙaƙiya. Sakamakon shine tsarin da ke buƙatar sifili ajiyar sirri na abokin ciniki ko na uwar garken yayin da yake aiki yadda ya kamata a matsayin haɓaka na ɓangaren abokin ciniki don raunin gidan yanar gizo mai kalmar sirri kawai zuwa ƙaƙƙarfan tantancewa da yawa.

Mahimman Ƙididdiga

Nazarin DPGs Masu Wanzuwa 45: Cikakken bincike na aikin da ya gabata.
Daidaitawar 100%: An kimanta MFDPG da manyan aikace-aikacen yanar gizo 100.

Sifili Ajiyar Sirri

2. Nazarin DPGs Masu Wanzuwa

Takarda ta bincika shawarwarin DPG 45 da suka gabata (misali, PwdHash) don gano kurakuran tsarin.

2.1 Kurakuran Tsaro & Sirri

Babban Rauni: Yawancin DPGs suna amfani da babban kalmar sirri guda ɗaya. Idan an ƙeta kalmar sirri da aka ƙirƙira ta kowane rukunin yanar gizo, ana iya amfani da ita kai tsaye don kai hari da yuwuwar dawo da babban kalmar sirri ta hanyar amfani da ƙarfin dole ko binciken ƙamus. Wannan ya saba ka'idar 'yancin kai na sirri.

Zubar da Sirri: DPGs masu sauƙi na iya zubar da tsarin amfani da sabis. Aikin ƙirƙira ko canza kalmar sirri don takamaiman yanki ana iya ƙididdige shi, yana lalata sirrin mai amfani.

2.2 Iyakokin Amfani

Juyawa Kalmar Sirri: Canza kalmar sirri don rukunin yanar gizo guda ɗaya yawanci yana buƙatar canza babban sirri, wanda sannan ya canza duk kalmomin sirri da aka samo—kwarewar mai amfani mara amfani.

Bin Ƙa'idodi: Yawancin DPGs suna ƙirƙira kalmomin sirri na tsari mai ƙayyadaddun tsari, ba za su iya daidaitawa da ƙa'idodin kalmar sirri na gidan yanar gizo daban-daban da masu sarƙaƙiya ba (misali, buƙatar haruffa na musamman, takamaiman tsawon, ko keɓance wasu alamomi).

3. Ƙirar MFDPG

MFDPG ta gabatar da sabbin abubuwa guda uku na asali don shawo kan waɗannan iyakoki.

3.1 Haɓakar Maɓalli Da Yawa

Maimakon babban kalmar sirri guda ɗaya, MFDPG tana amfani da aikin haɓakar maɓalli da yawa (MFKDF). Maɓallin ƙarshe $K$ an samo shi daga abubuwa da yawa:

$K = \text{MFKDF}(\text{Kalmar Sirri}, \text{Tsaba na TOTP}, \text{Mabudin Tsaro PubKey}, ...)$

Wannan hanya tana ɗaga farashin harin sosai. Ƙeta kalmar sirri ta rukunin yanar gizo ba ta bayyana komai game da tsaba na TOTP ko maɓallin kayan aiki ba, yana sa hare-haren babban kalmar sirri ba zai yiwu ba. Yana haɓaka rukunin yanar gizo mai kalmar sirri kawai zuwa MFA yadda ya kamata.

3.2 Tace Cuckoo don Soke

Don magance juyawar kalmar sirri don rukunin yanar gizo guda ɗaya ba tare da canza abubuwan babba ba, MFDPG tana amfani da Tace Cuckoo—tsarin bayanai mai yuwuwa. An shigar da hash ɗin kalmar sirri da aka soke a cikin tacewa na ɓangaren abokin ciniki. Yayin ƙirƙirar kalmar sirri, tsarin yana duba tacewa kuma, idan an sami karo, yana aiwatar da ƙidaya akai-akai (misali, $\text{Hash}(\text{Yanki} || \text{Ƙidaya})$) har sai an sami kalmar sirri da ba a soke ba. Wannan yana ba da damar soke kowane rukunin yanar gizo ba tare da ajiye jerin rukunoni da aka yi amfani da su ba, yana kiyaye sirri.

3.3 Ƙirƙirar Kalmar Sirri Dangane da DFA

Don cika ƙa'idodin kalmar sirri na sabani dangane da maganganu na yau da kullun, MFDPG tana ƙirƙira ƙa'idar a matsayin Ƙayyadaddun Inji Mai Ƙarewa (DFA). Mai ƙirƙira yana amfani da mai ƙirƙira lambobi na sirri mai tsaro na sirri (CSPRNG), wanda aka shuka ta maɓallin da aka samo $K$ da yanki, don kewaya DFA, yana fitar da haruffa da suka dace da canje-canjen jihohin da suka dace. Wannan yana tabbatar da cewa kalmar sirri ta fitarwa duka na musamman ne ga kowane yanki kuma an tabbatar da bin ƙa'idar da aka ƙayyade.

4. Ƙima & Sakamako

Marubutan sun gudanar da ƙima mai amfani na MFDPG:

Daidaitawa: An gwada tsarin da ƙa'idodin kalmar sirri na shafukan yanar gizo 100 da suka fi shahara. Mai ƙirƙira dangane da DFA ya yi nasara ya ƙirƙira kalmomin sirri masu bin doka ga duk rukunonin yanar gizo, yana nuna amfanin duniya.
Nazarin Tsaro: An nuna amfani da MFKDF don rage hare-haren babban kalmar sirri ko da an ɓoye kalmomin sirri na rukunin yanar gizo da yawa. Ƙirar Tace Cuckoo tana hana zubar da tsarin amfani da sabis tare da ƙimar kuskure mai daidaitawa.
Aiki: Ayyukan akan na'ura (haɓakar maɓalli, duba tacewa, kewayawa DFA) suna ƙara jinkiri maras mahimmanci (milliseconds) ga tsarin shiga, yana sa ya dace da amfani na ainihi.

Ma'anar Ginshiƙi: Zanen ginshiƙi na hasashe zai nuna farashin hari (a cikin shekarun lissafi) akan Y-axis, yana kwatanta "DPG na Gargajiya (Abu Guda)" da "MFDPG (Abubuwa Da Yawa)". Ginshiƙin MFDPG zai kasance mafi girma da yawa, yana nuna haɓakar tsaronsa ta gani.

5. Fahimtar Masanin Nazari

Fahimta ta Asali: MFDPG ba wani mai gudanar da kalmar sirri kawai ba ce; yana da dabarun ƙarewa a kusa da gazawar tsarin karɓar tantancewar yanar gizo. Yayin da Ƙungiyar FIDO ke tuƙa don makomar mara kalmar sirri, MFDPG ta yarda cewa tsoffin kalmomin sirri za su ci gaba da wanzuwa shekaru da yawa. Hazakarta shine a ba da damar mai amfani ya tilasta MFA akan kowane rukunin yanar gizo, ba tare da jira mai ba da sabis ya haɓaka kayan aikin su ba—misali na al'ada na ƙirƙira na ɓangaren abokin ciniki yana tilasta ƙa'idodin aiki, tunawa da yadda HTTPS Kowane Wuri ya tura karɓar ɓoyayye.

Kwararar Hankali: Hujjar takarda tana da ban sha'awa: 1) Shaidun da aka ajiye suna da alhaki (kamar yadda keta ya tabbatar). 2) DPGs na baya sun kasance masu inganci a ka'ida amma suna da kuskure a aikace. 3) Saboda haka, mafita ita ce haɓaka tsarin DPG tare da gine-ginen sirri na zamani (MFKDF) da tsarin bayanai (Tace Cuckoo). Hankali yana da tsabta, yana motsawa daga binciken matsala zuwa mafita da aka haɗa wanda ke magance kowane kuskuren da aka gano kai tsaye.

Ƙarfi & Kurakurai: Babban ƙarfin shine canjin yanayin barazanarsa mai kyau. Ta hanyar ɗaure sirrin zuwa abubuwa da yawa, yana matsar da wurin hari daga "sace kalmar sirri ɗaya" zuwa "ƙeta abubuwa masu zaman kansu da yawa," aiki mai wuyar gaske kamar yadda aka lura a cikin Jagororin Shaidar Digital na NIST (SP 800-63B). Amfani da Tace Cuckoo shine gyara mai wayo, mai kiyaye sirri don soke. Duk da haka, kuskure mai mahimmanci shine dogaro da sanin ƙa'idar ɓangaren abokin ciniki. Dole ne mai amfani ya san/shigar da ƙa'idar kalmar sirri ta kowane rukunin yanar gizo don DFA ya yi aiki, yana haifar da matsala mai yuwuwa na amfani da farashin saitin farko. Wannan ya bambanta da cikakken na'urar mai sarrafa kansa. Bugu da ƙari, yayin da yake haɓaka tsaro a ɓangaren abokin ciniki, ba ya yin komai game da satar bayanai a ɓangaren uwar garken—kalmar sirri da aka ƙirƙira ta MFDPG har yanzu mai amfani ne ga maharin har sai an soke shi.

Fahimta Mai Aiki: Ga ƙungiyoyin tsaro, MFDPG tana gabatar da cikakken tsari don gudanar da kalmar sirri na cikin kamfani, musamman don asusun sabis, yana kawar da rumbunan shaidu. Ga manajan samfur, wannan binciken ya nuna kasuwar da ba a biya ba: masu haɓaka tantancewa na ɓangaren mai amfani. Samfurin ma'ana na gaba shine ƙari na burauzar da ke aiwatar da MFDPG, tare da tarin bayanan ƙa'idodin kalmar sirri na gidan yanar gizo (kamar "Ƙa'idodin Kalmar Sirri" daga W3C) don sarrafa saitin DFA ta atomatik. Zuba jari ya kamata ya kwarara cikin kayan aikin da ke haɗa tazara tsakanin gine-ginen ilimi na zamani kamar MFDPG da aikace-aikacen da za a iya turawa, mai sauƙin amfani.

6. Zurfin Binciken Fasaha

Tsarin Haɓakar Maɓalli: Babban MFKDF ana iya tunaninsa kamar:
$K = \text{HKDF-Fadada}(\text{HKDF-Cire}(gishiri, F_1 \oplus F_2 \oplus ... \oplus F_n), \text{bayanai}, L)$
Inda $F_1, F_2, ..., F_n$ su ne daidaitattun fitarwa ("rabo na abu") daga kowane abu na tantancewa (hash kalmar sirri, lambar TOTP, tabbacin maɓallin tsaro, da sauransu). Wannan yana bin ƙa'idodin ƙira na zamani da aka zayyana a cikin HKDF RFC 5869.

Algorithm na Kewayawa DFA (Pseudocode):
aiki ƙirƙiraKalmarSirri(maɓalli, yanki, policyDFA): prng = ChaCha20(maɓalli, yanki) // Shuka CSPRNG jiha = policyDFA.jiharFara kalmarSirri = "" yayin ba policyDFA.karba(jiha) ba: canje-canje = policyDFA.samuCanjeCanjeMasuInganci(jiha) zaɓi = prng.naGaba() % tsawon(canje-canje) zaɓaɓɓenCanji = canje-canje[zaɓi] kalmarSirri += zaɓaɓɓenCanji.harafi jiha = zaɓaɓɓenCanji.jihaNaGaba dawo kalmarSirri

7. Tsarin Nazari & Nazarin Hali

Tsarin: Nazarin Ciniki na Tsaro-Amfani-Sirri (SUP). Wannan tsarin yana kimanta tsarin tantancewa a cikin gatari uku. Bari mu yi amfani da shi ga MFDPG vs. LastPass:

Tsaro: LastPass: Babba, amma tare da yanayin gazawar tsakiya mai ban tsoro. MFDPG: Babba Sosai, rarraba haɗari ta hanyar haɓaka abubuwa da yawa, babu rumbun tsakiya. (MFDPG Ta Ci Nasara)
Amfani: LastPass: Babba, cika ta atomatik, daidaita na'ura. MFDPG: Matsakaici-Babba, ƙirƙira mara tsada amma yana buƙatar saitin ƙa'ida da gudanar da abu. (LastPass Ta Ci Nasara)
Sirri: LastPass: Ƙasa, sabis ya san duk rukunonin ku. MFDPG: Babba, sifili sani ta ƙira. (MFDPG Ta Ci Nasara)

Nazarin Hali - Keta LastPass: A cikin keta na 2022, an fitar da rumbunan kalmomin sirri da aka ɓoye. Mahara za su iya kai hari ga manyan kalmomin sirri a layi. Idan masu amfani sun yi amfani da MFDPG, da babu rumbu da za a sace. Ko da an ɓoye kalmar sirri ta wani rukunin yanar gizo a wani wuri, ginin MFKDF zai hana haɓaka zuwa babban sirri. Wannan yanayin ya nuna sarƙaƙiyar canjin tsarin da MFDPG ke bayarwa.

8. Aikace-aikace na Gaba & Hanyoyi

1. Haɗin Sirri Bayan Quantum (PQC): Tsarin MFKDF ba shi da sani ga sirrin da ke ƙasa. Yayin da kwamfutocin quantum ke barazana ga ayyukan hash na yanzu (kamar SHA-256), MFDPG na iya haɗa algorithms da aka daidaita na PQC (misali, SPHINCS+, LMS) don kare gaba, hanyar da ta dace da aikin daidaita PQC na NIST.

2. Shaidar Rarraba & Yanar Gizo3: Falsafar MFDPG na "sifili ajiyar sirri" ta dace da shaidar rarraba (misali, Shaidar Tabbaci na W3C). Zai iya ƙirƙira shaidu na musamman, masu ƙayyadaddun maɓalli don samun damar aikace-aikacen rarraba (dApps) ko sanya hannu kan ma'amaloli, yana aiki a matsayin mai gudanar da jumlar tsaba mai sauƙin amfani.

3. Gudanar da Sirrin Kamfani: Bayan kalmomin sirri na mai amfani, ƙa'idodin MFDPG za a iya amfani da su ga tantancewa na inji zuwa inji, ƙirƙira maɓallin API na musamman ko kalmomin sirri na asusun sabis daga babban sirrin kamfani da kuma bayanin gano sabis, yana sauƙaƙa juyawa da dubawa.

4. Haɗin Abu na Binciken Halittar Mutum: Sauye-sauye na gaba na iya haɗa samfuran binciken halittar mutum na gida (misali, ta hanyar tabbacin binciken halittar mutum na WebAuthn) a matsayin abu da aka samo, yana haɓaka sauƙi yayin kiyaye kadarorin sifili-ajiye, muddin bayanan binciken halittar mutum ba su taɓa barin na'urar ba.

9. Nassoshi

Nair, V., & Song, D. (Shekara). MFDPG: Gudanar da Kalmar Sirri Mai Tabbacin Abubuwa Da Yawa Ba tare da Ajiye Sirri Ba. [Sunan Taro/Jarida].
Grassi, P., et al. (2017). Jagororin Shaidar Digital: Tantancewa da Gudanar da Rayuwa. NIST Buga Na Musamman 800-63B.
Krawczyk, H., & Eronen, P. (2010). Aikin Haɓakar Maɓalli Mai Tushen HMAC (HKDF). RFC 5869, IETF.
Ross, B., et al. (2005). Ƙarfafa Tantancewar Kalmar Sirri Ta Amfani da Ƙari na Burawaza. Taron Tsaro na USENIX. (PwdHash)
Fan, B., et al. (2014). Tace Cuckoo: Mafi Kyau A Aikace Fiye da Bloom. Proceedings na 10th ACM International akan Taron kan Gwaje-gwajen Cibiyoyin Sadarwa Masu Tasowa.
Ƙungiyar FIDO. (2022). FIDO2: Bayanan WebAuthn & CTAP. https://fidoalliance.org/fido2/
Cibiyar Ƙididdiga ta Ƙasa. (2022). Daidaita Sirri Bayan Quantum. https://csrc.nist.gov/projects/post-quantum-cryptography