1. Gabatarwa

Wannan takarda tana magance kalubalen gudanar da kalmar sirri a cikin tsarin dijital na zamani. Duk da matsalolin tsaro da suka yadu, kalmar sirri ita ce babbar hanyar tabbatar da mutum. Mun binciki masu samar da kalmar sirri a matsayin madadin masu gudanar da kalmar sirri na gargajiya, muna gabatar da tsarin gama-gari na farko na irin wadannan tsare-tsare tare da kimanta hanyoyin da suke da sababbi.

2. Bayanan Baya & Dalili

Nauyin da ba za a iya jurewa ba ga masu amfani don tunawa da yawan kalmar sirri mai karfi da na musamman shine babban abin da ya sa aka yi wannan bincike. Bincike ya nuna masu amfani suna gudanar da asusun dozin-dozin, adadin da ya karu tun lokacin aikin Florêncio da Herley (2007).

2.1. Dorewar Kalmar Sirri

Kamar yadda Herley, van Oorschot, da Patrick suka tattauna, kalmar sirri tana ci gaba da kasancewa saboda arha, sauki, da sanin masu amfani. Fasahohin maye gurbinsu kamar FIDO/UAF suna fuskantar matsalolin amfani.

2.2. Gazawar Masu Gudanar da Kalmar Sirri

Masu gudanar da kalmar sirri, duk da sun shahara, suna da manyan kurakurai. Masu gudanar da ajiya na gida suna hana motsi, yayin da masu gudanar da na gajimare suka gabatar da wuraren gazawa na tsakiya, kamar yadda aka gani a cikin keta hakkin duniya [3, 13, 18, 19].

3. Tsarin Gama-gari na Masu Samar da Kalmar Sirri

Muna gabatar da tsarin hadin kai inda ake samar da kalmar sirri ta musamman ga shafin $P_{site}$ bisa bukata ta hanyar aiki mai tabbatarwa $G$.

3.1. Abubuwan Tsari & Tsarawa

Babban aikin samarwa ana iya tsara shi kamar haka: $P_{site} = G(M, C, S, Aux)$. Inda:

  • $M$: Sirrin babba (misali, kalmar sirri/jumla mai mahimmanci na mai amfani).
  • $C$: Bayanan da suka dace da abokin ciniki (misali, ID na na'ura).
  • $S$: Bayanan da suka dace da uwar garken ko shafin (misali, sunan yankin).
  • $Aux$: Ma'auni na taimako (misali, adadin maimaitawa).
Aikin $G$ yawanci shine Aikin Samarwa Maɓalli (KDF) kamar PBKDF2, bcrypt, ko scrypt.

3.2. Bukatun Aiki na Asali

Mai samar da kalmar sirri mai karfi dole ne ya samar da: Tabbatarwa (guda iri ɗaya na shigarwa yana haifar da kalmar sirri iri ɗaya), Keɓantacce (shafuka daban-daban suna haifar da kalmar sirri daban-daban), Juriya ga Hari (preimage, karo), da Amfani.

4. Nazarin Hanyoyin Da Ake Da Su

An yi nazarin hanyoyin da suka gabata (misali, PwdHash, SuperGenPass) a cikin tsarin da aka gabatar, suna nuna yadda suka fito da $M$, $C$, $S$, da $G$.

4.1. Rarrabe Hanyoyi

Ana iya rarrabe hanyoyi ta hanyar:

  • Rikitarwar Shigarwa: Daga mai sauƙi (sirrin babba + yanki) zuwa mai rikitarwa (mafi yawan abubuwa).
  • Aiwatarwa: Ƙari na burauza, app mai zaman kansa, alamar kayan aiki.
  • Asalin Sirri: Tushen hash, tushen ɓoyayye.

4.2. Tsaro da Amfani: Yin Zabi

Babban binciken shine tashin hankali na asali. Hanyoyin da suka ba da fifikon amfani (ƙarancin shigar mai amfani) sau da yawa suna raunana tsaro akan hare-haren da aka yi niyya. Hanyoyin da ke buƙatar ƙarin ƙoƙarin mai amfani (misali, shigar da ƙidaya) suna rage aiki.

Nazarin Yin Zabi Tsaro-Amfani

Babban Amfani / Ƙananan Tsaro: Hanyoyi kamar bambance-bambancen PwdHash na farko masu saukin kamuwa da satar bayanai idan an ɓata cire yanki.

Babban Tsaro / Ƙananan Amfani: Hanyoyin da ke buƙatar shigar da hannu na ƙidaya mai canzawa ($Aux$) suna saurin kuskuren mai amfani da ɓata daidaitawa.

5. AutoPass: Sabuwar Shawara

An sanar da shi ta hanyar tsari da nazari, mun zana AutoPass, zane da ke nufin haɗa ƙarfi da rage raunin fasahar da ta gabata.

5.1. Ka'idojin Zane

  • Juriya ga Satar Bayanai: Haɗa tashar tsaro da bayanan tabbatar da shafin.
  • Daidaitawar Jiha: Sarrafa ma'auni na taimako (kamar ƙidaya) a bayyane don hana ɓata daidaitawa.
  • Daidaituwar Tsakanin Dandamali: Tabbatar $C$ da jiha suna daidaitawa cikin aminci a duk na'urorin mai amfani.

5.2. Bayyani Game da Tsarin Gina

AutoPass yana hasashen ɓangaren abokin ciniki wanda ke hulɗa da sabis na daidaitawa (zaɓi) amintacce. Aikin samarwa $G_{AutoPass}$ zai haɗa da abu na tushen lokaci ko ƙalubalen uwar garken don samar da juriya ga harin maimaitawa ba tare da nauyin mai amfani ba.

Mahimman Bayanai Game da AutoPass

  • Sabonsa yana cikin sarrafa kansa na ma'auni $Aux$ da ɗaure $S$ cikin aminci zuwa zaman da aka tabbatar.
  • Yana magance babban aibi na masu samar da "marasa jiha" kai tsaye: rauni ga satar bayanai lokacin da ba a tabbatar da $S$ (yankin) da gaske ba.

6. Zurfin Nazari na Fasaha

6.1. Tsarawa ta Hanyar Lissafi

Ana iya ganin mai samar da kalmar sirri mai ƙarfi a matsayin KDF na musamman. Wani yuwuwar gini don hanyoyin da aka yi wahayi zuwa AutoPass: $$P_{site} = Truncate( HMAC( K_{derived}, S \, || \, C_{sync} \, || \, Challenge ) )$$ Inda: $K_{derived} = KDF(M, Salt, iterations)$, $C_{sync}$ jihar abokin ciniki ce da aka daidaita, kuma $Challenge$ baƙon abu ne daga uwar garken ko yanki na lokaci. Aikin $Truncate$ yana daidaita fitarwa zuwa takamaiman manufofin kalmar sirri (tsawon, saitin haruffa).

6.2. Nazarin Tsarin Barazana

Tsarin dole ne ya kare daga:

  • Yin Sulhu na Abokin Ciniki: Maharin ya sami $M$. Magani: Yi amfani da na'urar tsaro ta kayan aiki ko ingantaccen ilimin halittu don kariyar $M$.
  • Satar Bayanai: Maharin yana yaudarar mai amfani don samar da kalmar sirri don shafin karya. Magani: Haɗa $S$ da takaddun shaida na TLS ta hanyar sirri ko amfani da ikirari kamar na FIDO.
  • Keta Hakkin Uwar Garken: Maharin ya sami hash na kalmar sirri $H(P_{site})$. Mai samarwa ya kamata ya tabbatar $P_{site}$ yana da ƙarfi (babban entropy) don juriya ga fashewa.

7. Nazari Mai Zurfi da Hangen Masana'antu

Mahimman Bayani: Aikin Al Maqbali da Mitchell shine muhimmin aikin tsarin ilimi (SoK) na dogon lokaci da ya wuce lokaci don masu samar da kalmar sirri. Fannin ya sha wahala daga shawarwari na ad-hoc, keɓantacce. Ta hanyar kafa tsari na yau da kullun $P_{site} = G(M, C, S, Aux)$, sun ba da ruwan tabarau mai mahimmanci ta hanyar da za a kimanta da'awar tsaro da alkawuran amfani. Wannan yayi daidai da muhimmiyar rawar da tsare-tsare na yau da kullun suka taka wajen ci gaban wasu fannonin sirri, kamar tsare-tsaren rashin bambanci don ɓoyayye.

Kwararar Hankali & Gudunmawa: Hankalin takardar ba shi da aibi: 1) Amincewa da rashin canjin matsalar kalmar sirri, 2) Bayyana kurakurai a cikin mafita mai ci gaba (masu gudanar da kalmar sirri), 3) Gabatar da tsarin haɗin kai don madadin (masu samarwa), 4) Amfani da tsarin don rarrabe fasahar da ta gabata, yana bayyana yawanci abubuwan da aka yi watsi da su, da 5) Zana sabon zane (AutoPass) wanda tsarin kansa ya nuna. AutoPass da aka gabatar, duk da ba a fayyace shi sosai ba, ya gano daidai guntun da ya ɓace: amintaccen sarrafa jiha, ta atomatik. Masu samarwa na yanzu ko dai ba su da jiha (mai rauni ga satar bayanai) ko kuma suna sanya sarrafa jiha akan mai amfani (mai rauni ga kuskure). Hangennin AutoPass na daidaitawa a bayyane yana magance wannan kai tsaye.

Ƙarfi & Kurakurai: Babban ƙarfi shine tsarin kansa—yana da sauƙi amma yana bayyana. Nazarin $S$ (ma'auni na shafin) yana da kaifi musamman, yana nuna yadda hare-haren satar bayanai suka raunana hanyoyin da suka dogara kawai akan sunan yanki da ake gani. Kuskuren takardar, wanda marubutan suka yarda da shi, shine yanayin farko na AutoPass. Zane ne, ba bayani ba. Bugu da ƙari, nazarin ya dogara sosai akan tsarin tsaro; babu cikakken binciken amfani na zahiri wanda ke kwatanta hanyoyin samarwa. Yaya nauyin fahimi na sarrafa sirrin babba don mai samarwa ya kwatanta da amfani da mai gudanar da gajimare kamar 1Password? Bincike kamar na Pearman et al. (CHI 2017) akan amfanin mai gudanar da kalmar sirri yana nuna wannan tambaya ce mai mahimmanci.

Bayanai Masu Aiki: Ga masu gine-ginen tsaro, wannan takarda umarni ce: daina kimanta masu samar da kalmar sirri keɓe. Yi amfani da tsarin $G(M, C, S, Aux)$ a matsayin lissafin abubuwan da za a bincika. Menene ainihin fito da $S$? Shin yana iya satar bayanai? Yaya ake sarrafa $Aux$, kuma wa ke ɗaukar farashin gazawa? Ga masu bincike, hanyar gaba a bayyane take. Aikin mafi daraja shine cika hangen AutoPass, musamman hanyar daidaitawa. Shin za a iya yin hakan ta hanyar rarraba, ta hanyar kiyaye sirri ta amfani da na'urorin sirri, kama da Maɓallin iCloud na Apple amma don kalmar sirri da aka samar? Wata hanyar kuma ita ce haɗawa da tsarin WebAuthn/FIDO2—shin za a iya samun $P_{site}$ na mai samarwa daga takaddun shaida na kayan aiki, ƙirƙirar "mai samar da maɓalli na sirri"? Takardar ta yi nasarar motsa tattaunawar daga "ko" masu samarwa suna da amfani zuwa "yadda" ake gina wanda zai yi amfani, wanda shine mafi girman gudunmawarsa.

Tsarin Nazari: Kimanta Hanyar Mai Samar da Kalmar Sirri

Harka: Kimanta ƙarin burauza na "SimpleHash" na hasashe.

  1. Gano Ma'auni na Tsari:
    • $M$: Kalmar sirri ta babba ta mai amfani.
    • $C$: Babu (maras jiha).
    • $S$: Kirtani na yankin URL da aka ciro daga mashigin adireshin burauza.
    • $Aux$: Babu.
    • $G$: $SHA256(M \, || \, S)$, an yanke shi zuwa haruffa 12 na lambobi.
  2. Kimar Tsaro:
    • Rashin Kariya ga Satar Bayanai (Babban Aibi): $S$ ana iya ɓata shi cikin sauƙi ta hanyar shafin karya. Mai samarwa zai samar da kalmar sirri daidai don shafin maharin.
    • Harin Sirrin Babba: Idan $M$ yana da rauni, za a iya yin amfani da ƙarfin hali a layi.
    • Entropy: Fitarwa bazai cika duk ƙa'idodin rikitarwa na shafuka ba.
  3. Kimar Amfani: High. Mai amfani kawai ya tuna $M$.
  4. Ƙarshe: Wannan tsari ya gaza kimanta tsaro saboda ma'auni $S$ mai iya satar bayanai, duk da kyakkyawan amfani. Kada a karɓi shi.

8. Ayyukan Gaba da Hanyoyin Bincike

  • Haɗawa tare da FIDO/WebAuthn: Yi amfani da mai tabbatar da kayan aiki don kiyaye sirrin babba $M$ ko don samar da iri don $G$. Wannan yana haɗa sauƙin masu samarwa tare da kayan aiki mai ƙarfi na sirri.
  • Daidaitawar Jiha ta Rarraba: Yi amfani da tsarin na'urorin sirri (misali, ta Bluetooth ko ka'idojin abokin tarayya) don daidaita jihar abokin ciniki $C_{sync}$ da ma'auni na taimako $Aux$ ba tare da sabis na gajimare na tsakiya ba, yana haɓaka sirri.
  • Daidaituwar Manufa Taimakon AI: Haɓaka masu samarwa waɗanda ke daidaita tsarin fitarwa na $G$ (yankewa, saitin haruffa) bisa ga manufar kalmar sirri ta shafin da aka yi niyya, wanda aka koya ta hanyar hulɗar burauza ko rarraba bayanai.
  • Sirri Bayan Quantum (PQC): Bincika KDFs na tushen PQC don $G$ don tabbatar da tsaro na dogon lokaci akan hare-haren kwamfuta na quantum.
  • Daidaituwa: Mataki na gaba na hankali shine gabatar da daidaitaccen ma'auni bisa wannan tsari ga IETF ko W3C, yana ba da damar haɗin kai tsakanin abokan ciniki da ayyuka daban-daban na masu samarwa.

9. Nassoshi

  1. Al Maqbali, F., & Mitchell, C. J. (2016). Masu Samar da Kalmar Sirri: Tsofaffin Ra'ayoyi da Sababbi. arXiv preprint arXiv:1607.04421.
  2. Herley, C., van Oorschot, P. C., & Patrick, A. S. (2014). Kalmar Sirri: Idan Muna Da Hankali, Me Yasa Muke Amfani Da Ita Har Yanzu?. A cikin Sirrin Kuɗi da Tsaron Bayanai.
  3. Florêncio, D., & Herley, C. (2007). Babban bincike kan halayen kalmar sirri na yanar gizo. A cikin Proceedings of the 16th international conference on World Wide Web.
  4. McCarney, D. (2013). Masu Gudanar da Kalmar Sirri: Hare-hare da Tsaro. Jami'ar British Columbia.
  5. Ƙungiyar FIDO. (2015). Ƙayyadaddun Ƙa'idar UAF na FIDO.
  6. Pearman, S., et al. (2017). Bari Mu Shiga Don Duba Kusa: Lura da Kalmar Sirri a Matsayinsu na Halitta. A cikin Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security.
  7. Bonneau, J., Herley, C., van Oorschot, P. C., & Stajano, F. (2012). Neman maye gurbin kalmar sirri: Tsarin don kwatanta kimanta tsarin tabbatar da yanar gizo. A cikin 2012 IEEE Symposium on Security and Privacy.
  8. Kaliski, B. (2000). PKCS #5: Ƙayyadaddun Sirri na Tushen Kalmar Sirri Version 2.0. RFC 2898.