
Security Analysis of Browser-Based Password Managers: Generation, Storage, and Autofill

A comprehensive security analysis of 13 popular password managers, evaluating the randomness of password generation, storage security, and autofill vulnerabilities.
computationalcoin.com | PDF Size: 1.0 MB

1. Introduction

Password-based authentication remains the dominant authentication method on the web despite its well-documented security challenges. Users face a cognitive burden when managing many strong passwords, which leads to password reuse and the creation of weak passwords. Password managers offer a potential solution by generating, storing, and autofilling passwords. However, prior research has identified significant vulnerabilities in browser-based password managers. This study presents a new security evaluation of thirteen popular password managers, five years after the previous evaluations, examining all three stages of the password manager lifecycle: generation, storage, and autofill.

2. Methodology & Scope

The evaluation covers thirteen password managers: five browser extensions, six managers built into browsers, and two desktop clients for comparison. The study replicates and extends the earlier work of Li et al. (2014), Silver et al. (2014), and Stock & Johns (2014). The methodology consists of:

  • Generating and analyzing 147 million passwords for randomness and strength
  • Examining storage mechanisms for encryption and metadata protection
  • Testing autofill features against clickjacking and XSS attacks
  • Assessing default security settings

3. Password Generation Analysis

This section presents the first comprehensive analysis of the password generation algorithms used in password managers.

3.1. Randomness Evaluation

The study evaluated the randomness of generated passwords using statistical tests, including chi-square tests of the character distribution and entropy calculations. The password entropy $H$ for a password of length $L$ drawn from a character set of size $N$ is computed as $H = L \cdot \log_2(N)$. For a truly random 12-character password using 94 possible characters (letters, digits, symbols), the entropy would be $H = 12 \cdot \log_2(94) \approx 78.5$ bits.

3.2. Character Distribution Analysis

The analysis revealed non-random character distributions in several password managers. Some generators showed a bias toward particular character classes or toward particular positions within the password string. For example, one manager consistently placed special characters in predictable positions, reducing the effective entropy.

3.3. Guessing Attack Vulnerability

The study found that short generated passwords (under 10 characters) were vulnerable to online guessing attacks, while passwords under 18 characters were susceptible to offline attacks. This contradicts the common assumption that passwords generated by a password manager are uniformly strong.

4. Password Storage Security

The evaluation of password storage mechanisms revealed both progress and persistent weaknesses compared with five years earlier.

4.1. Encryption & Metadata Protection

While most managers now encrypt password data, several were found to store metadata (URLs, usernames, timestamps) in unencrypted form. This metadata leakage can give attackers valuable reconnaissance information even without decrypting the actual passwords.

4.2. Default Settings Analysis

Several password managers were found to ship with insecure default settings, such as enabling autofill without user confirmation or storing passwords with weak encryption parameters. These defaults put at risk the users who never adjust their security settings.

5. Autofill Mechanism Vulnerabilities

Autofill features, while convenient, present significant attack surfaces, and these were exploited in this evaluation.

5.1. Clickjacking Attacks

Several password managers were vulnerable to clickjacking attacks, in which malicious websites could trick users into revealing passwords through invisible overlays or carefully crafted UI elements. Attack success rates varied between managers, from 15% to 85%.

5.2. Cross-Site Scripting (XSS) Risks

Unlike five years ago, most managers now have basic protections against simple XSS attacks. However, sophisticated XSS attacks that combine multiple techniques could still bypass these protections in several managers.

6. Experimental Results & Findings

The evaluation produced several significant findings across the 13 tested password managers:

  • Password Generation Issues: 4 of the 13 managers showed statistically significant non-random character distributions
  • Storage Weaknesses: 7 managers stored metadata without encryption, and 3 had insecure default settings
  • Autofill Exploitation: 9 managers were vulnerable to clickjacking, and 4 were vulnerable to advanced XSS attacks
  • Overall Progress: a 60% reduction in critical vulnerabilities compared with the 2014 evaluation

Chart Description: A bar chart would show vulnerability counts across three categories (Generation, Storage, Autofill) for each of the 13 password managers. The chart would make clear which managers performed best and worst in each category, with color coding indicating severity levels.

7. Technical Analysis & Framework

Core Insight

The password manager industry has made measurable but insufficient progress. While the number of major vulnerabilities has fallen since 2014, the remaining vulnerabilities are more subtle in nature. We are no longer dealing with basic encryption failures but with small implementation errors and poor defaults that undermine security at the edges. This creates a dangerous false sense of security among users who assume that password managers are "set and forget".

Logical Structure

The paper follows a compelling narrative: establish the persistent problem of password security, position password managers as the theoretical solution, dismantle that assumption through empirical testing, and conclude with actionable improvements. The methodology is sound: replicating the earlier studies yields valuable longitudinal data, while the new focus on password generation fills a significant gap. However, the external validity of the findings is limited by the snapshot design; security is a moving target, and today's patch may introduce tomorrow's vulnerability.

Strengths & Weaknesses

Strengths: The scale is impressive; 147 million generated passwords represent a substantial computational effort. The three-pillar structure (generation, storage, autofill) is comprehensive and logical. The comparison against the 2014 baseline provides important context on industry progress (or the lack of it).

Weaknesses: The paper conspicuously avoids naming the worst performers, opting for anonymous references. While understandable from a responsible-disclosure standpoint, this weakens the practical usefulness of the findings for users. The analysis also lacks depth on root causes: why do these vulnerabilities persist? Are they the result of resource constraints, architectural decisions, or market incentives?

Actionable Insights

  1. For Users: Do not assume that passwords generated by a password manager are inherently strong. Verify the length (a minimum of 18 characters for resistance to offline attacks) and consider a manual review of the character distribution.
  2. For Developers: Implement robust randomness testing using validated cryptographic libraries such as the NIST Statistical Test Suite. Encrypt ALL metadata, not only the passwords.
  3. For Enterprises: Conduct regular third-party security evaluations of password managers, focusing on the specific vulnerabilities outlined here.
  4. For Researchers: Extend testing to mobile platforms and investigate the economic incentives that allow these vulnerabilities to persist.

Example Analysis Framework

Case Study: Evaluating Password Randomness

To evaluate the quality of password generation, researchers can apply the following evaluation framework without needing access to proprietary source code:

  1. Sample Collection: Generate 10,000 passwords from each manager using its default settings
  2. Entropy Calculation: Compute the Shannon entropy $H = -\sum p_i \log_2 p_i$ of the character distribution
  3. Statistical Testing: Apply a chi-square test with the null hypothesis $H_0$: characters are uniformly distributed
  4. Pattern Detection: Look for positional bias (e.g., special characters only at the end)
  5. Attack Simulation: Model guessing attacks using Markov-chain techniques similar to those in Weir et al.'s "Password Cracking Using Probabilistic Context-Free Grammars"
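The following Python block is an added example, not code from the paper or from any password manager; it implements steps 2 to 4 of the framework above (Shannon entropy, chi-square uniformity test, positional-bias detection) and also the ideal-entropy formula $H = L \cdot \log_2(N)$ from Section 3.1. The two generators it analyses are constructed stand-ins: `uniform_generator` draws from the 94 printable ASCII characters with Python's `secrets` module, and `biased_generator` deliberately reproduces the "special characters only at the end" flaw described in Section 3.2 so that the checks have something to detect. The chi-square critical value uses the Wilson-Hilferty normal approximation rather than a lookup table; step 5 (attack simulation) is not implemented here.

```python
"""Randomness evaluation for generated passwords (added example, not the paper's code)."""
import math
import secrets
import string
from collections import Counter

# 94 printable ASCII characters: letters, digits and symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

CHARACTER_CLASSES = {
    "letter": set(string.ascii_letters),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def theoretical_entropy_bits(length, alphabet_size):
    """Ideal entropy H = L * log2(N) of a uniform generator (Section 3.1)."""
    return length * math.log2(alphabet_size)


def shannon_entropy_bits(passwords):
    """Shannon entropy H = -sum(p_i * log2 p_i) of the pooled character
    distribution, in bits per character. A uniform 94-symbol generator gives
    about log2(94); a skewed distribution gives less."""
    counts = Counter(ch for pw in passwords for ch in pw)
    total = sum(counts.values())
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def chi_square_uniformity(passwords, alphabet=ALPHABET):
    """Chi-square statistic for H0: every symbol of `alphabet` is equally likely.
    Returns (statistic, degrees_of_freedom)."""
    counts = Counter(ch for pw in passwords for ch in pw)
    total = sum(counts.values())
    expected = total / len(alphabet)
    statistic = sum((counts.get(ch, 0) - expected) ** 2 / expected for ch in alphabet)
    return statistic, len(alphabet) - 1


def chi_square_critical(df, z=2.326):
    """Approximate upper critical value of chi-square(df) via the Wilson-Hilferty
    normal approximation; z = 2.326 is the 99th percentile, so a statistic
    above the returned value rejects H0 at the 1% level."""
    a = 2.0 / (9.0 * df)
    return df * (1.0 - a + z * math.sqrt(a)) ** 3


def positional_bias(passwords, classes=CHARACTER_CLASSES):
    """Fraction of passwords whose character at each position belongs to each
    class. A 'symbol' row like [0, 0, ..., 1.0] is the end-of-string bias from
    Section 3.2. All passwords must have the same length."""
    length = len(passwords[0])
    table = {name: [0] * length for name in classes}
    for pw in passwords:
        for i, ch in enumerate(pw):
            for name, members in classes.items():
                if ch in members:
                    table[name][i] += 1
    n = len(passwords)
    return {name: [count / n for count in row] for name, row in table.items()}


def uniform_generator(length, n):
    """Constructed reference generator: every character uniform over ALPHABET."""
    return ["".join(secrets.choice(ALPHABET) for _ in range(length)) for _ in range(n)]


def biased_generator(length, n):
    """Constructed flawed generator: letters and digits everywhere, plus exactly
    one symbol that always sits in the last position."""
    body = string.ascii_letters + string.digits
    return [
        "".join(secrets.choice(body) for _ in range(length - 1)) + secrets.choice(string.punctuation)
        for _ in range(n)
    ]


def evaluate(passwords):
    """Run steps 2 to 4 on one sample and return the verdicts."""
    stat, df = chi_square_uniformity(passwords)
    symbol_row = positional_bias(passwords)["symbol"]
    return {
        "shannon_bits_per_char": shannon_entropy_bits(passwords),
        "chi_square": stat,
        "uniform_at_1pct": stat <= chi_square_critical(df),
        # one class confined to the final position: ~1.0 there, ~0.0 elsewhere
        "symbol_only_at_end": symbol_row[-1] > 0.9 and max(symbol_row[:-1]) < 0.1,
    }


if __name__ == "__main__":
    for name, gen in (("uniform", uniform_generator), ("biased", biased_generator)):
        print(name, evaluate(gen(12, 10_000)))  # step 1: 10,000 samples per generator
```

Running the block prints one verdict dictionary per generator. For the uniform generator the Shannon entropy sits just below $\log_2 94$ and the chi-square statistic stays near its 93 degrees of freedom, so the null hypothesis is retained; for the biased generator the statistic is orders of magnitude larger and the symbol row of the positional table is 1.0 at the last index and 0.0 everywhere else, which is exactly the pattern that step 4 is meant to surface. To test a real manager, replace the generator call with the list of passwords exported from it.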

This framework mirrors the approach used in the paper while remaining feasible for independent researchers or research groups.

8. Future Directions & Recommendations

Based on the findings, several future directions and recommendations emerge:

Technical Improvements

  • Implement formal verification for password generation algorithms
  • Develop standardized security APIs for password managers
  • Integrate hardware security keys for master password protection
  • Adopt zero-knowledge architectures in which the service provider cannot access user data

Research Opportunities

  • Longitudinal studies tracking the security evolution of specific password managers
  • User behavior studies of password manager configuration and usage patterns
  • Economic analysis of security investment in password management companies
  • Cross-platform security comparisons (desktop vs. mobile vs. browser)

Industry Standards

  • Develop certification programs for password manager security
  • Standardized vulnerability disclosure processes specific to password managers
  • Industry-wide adoption of secure defaults (e.g., mandatory user confirmation for autofill)
  • Transparency reports detailing security testing methods and results

The future of password managers likely involves integration with emerging authentication standards such as WebAuthn and passkeys, potentially reducing reliance on traditional passwords altogether. During this transition period, however, improving the security of current password managers remains critically important.

9. References

  1. Oesch, S., & Ruoti, S. (2020). That Was Then, This Is Now: A Security Evaluation of Password Generation, Storage, and Autofill in Browser-Based Password Managers. USENIX Security Symposium.
  2. Li, Z., He, W., Akhawe, D., & Song, D. (2014). The Emperor's New Password Manager: Security Analysis of Web-based Password Managers. USENIX Security Symposium.
  3. Silver, D., Jana, S., Boneh, D., Chen, E., & Jackson, C. (2014). Password Managers: Attacks and Defenses. USENIX Security Symposium.
  4. Stock, B., & Johns, M. (2014). Protecting the Internet from "JavaScript Viruses" and Related Attacks. NDSS Symposium.
  5. Weir, M., Aggarwal, S., Medeiros, B., & Glodek, B. (2009). Password Cracking Using Probabilistic Context-Free Grammars. IEEE Symposium on Security and Privacy.
  6. Herley, C. (2009). So Long, and No Thanks for the Externalities: The Rational Rejection of Security Advice by Users. NSPW.
  7. NIST. (2017). Digital Identity Guidelines: Authentication and Lifecycle Management. NIST Special Publication 800-63B.
  8. Fahl, S., Harbach, M., Acar, Y., & Smith, M. (2013). On the Ecological Validity of a Password Study. SOUPS.
  9. Goodin, D. (2019). The sorry state of password managers, and what to do about it. Ars Technica.
  10. OWASP. (2021). Password Storage Cheat Sheet. OWASP Foundation.