1. Introduction
Password-based authentication remains the dominant form of authentication on the web despite well-documented security challenges. Users face a cognitive burden when managing many strong passwords, which leads to password reuse and the creation of weak passwords. Password managers promise to ease these problems by generating, storing, and autofilling passwords. However, earlier research identified serious vulnerabilities, especially in browser-based password managers. This study evaluates 13 popular password managers five years after those major earlier studies to determine whether security has improved.
2. Methodology
The study evaluated thirteen password managers across three lifecycle stages: generation, storage, and autofill. The corpus comprised 147 million generated passwords for analysis. The method combined:
- Statistical analysis of password randomness
- Replication of earlier storage security tests
- Vulnerability testing of autofill mechanisms
- Comparative analysis across browser extensions, integrated browsers, and desktop clients
3. Password Generation Analysis
The first comprehensive analysis of password generation in password managers revealed significant problems with randomness and security.
3.1. Character Distribution Analysis
Analysis of 147 million generated passwords showed non-random character distributions in several password managers. Some implementations show bias toward certain character classes or positions, reducing effective entropy.
3.2. Entropy and Randomness Testing
Password strength is measured using Shannon entropy: $H = -\sum_{i=1}^{n} P(x_i) \log_2 P(x_i)$, where $P(x_i)$ is the probability of character $x_i$. Several managers generated passwords with lower entropy than expected, particularly for short passwords (fewer than 10 characters).
4. Password Storage Security
Evaluating how password managers protect stored credentials revealed both improvements and persistent weaknesses.
4.1. Encryption Implementation
Most managers use AES-256 encryption for password storage. However, key derivation functions and key management practices vary considerably, with some implementations using weak key derivation parameters.
4.2. Metadata Protection
A critical finding: many password managers store metadata (URLs, usernames, timestamps) unencrypted or with weaker protection than the passwords themselves, creating privacy and reconnaissance risks.
5. Autofill Vulnerabilities
The autofill feature, designed for usability, introduces significant attack surfaces that are still not adequately addressed.
5.1. Clickjacking Attacks
Several password managers remain vulnerable to clickjacking attacks, in which malicious sites overlay invisible elements on legitimate password fields and capture credentials without the user's knowledge.
5.2. Cross-Site Scripting (XSS)
Despite improvements since earlier studies, some managers' autofill mechanisms can be exploited through XSS attacks, enabling credential exfiltration from vulnerable but legitimate websites.
6. Experimental Results
- Password generation problems: 3 of 13 managers showed statistically significant non-random character distributions
- Storage weaknesses: 5 managers stored metadata with inadequate encryption
- Autofill weaknesses: 4 managers were vulnerable to clickjacking attacks
- Overall improvement: Security has improved since 2015, but major problems remain
Key findings:
- Short password weakness: Passwords shorter than 10 characters generated by some managers were vulnerable to online guessing attacks
- Entropy shortfall: Many implementations failed to reach the theoretical maximum entropy
- Insecure defaults: Some managers shipped with insecure default settings
- Partial encryption: Sensitive metadata often receives weaker protection than the passwords themselves
Chart description: Password Strength Distribution
The analysis revealed a bimodal distribution of generated password strength. About 70% of passwords met or exceeded the NIST SP 800-63B guideline for minimum entropy (20 bits for memorized secrets). However, 30% fell below that threshold, with a worrying cluster of 8-12 character passwords showing sharply reduced entropy due to restricted character sets and bias in the generation algorithm.
7. Technical Analysis Framework
Example analysis framework: Password Entropy Evaluation
The study used a multi-layered evaluation framework:
- Character position analysis: Frequency distribution of each character position, using $\chi^2$ tests against a uniform distribution
- Sequence analysis: Markov chain analysis to detect predictable character sequences
- Entropy calculation: Empirical entropy computed as $H_{empirical} = -\sum_{p \in P} \frac{count(p)}{N} \log_2 \frac{count(p)}{N}$, where $P$ is the set of unique passwords and $N$ is the total number of passwords
- Attack simulation: Brute-force and dictionary attacks simulated using Hashcat and John the Ripper rule sets
Case study: Detecting Non-Random Distributions
For one password manager, the analysis revealed that special characters appeared disproportionately in the last two positions of 12-character passwords. Statistical testing gave $\chi^2 = 45.3$ with $p < 0.001$, indicating a significant deviation from randomness. This pattern could reduce the effective password space by roughly 15% for targeted attacks.
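The Shannon entropy measure from section 3.2 and the per-position $\chi^2$ test and empirical-entropy formula from section 7, implemented as an added example (not code from the study or from any manager it evaluated): a constructed, hypothetical flawed generator that, like the case study above, forces special characters into the last two positions is compared with a `secrets`-based CSPRNG generator. The 16.27 threshold is the chi-square critical value for 3 degrees of freedom at $p = 0.001$; the four-class bucketing and the 2000-password sample size are assumptions.

```python
import math
import secrets
import string
from collections import Counter

# The 94-character generator alphabet, split into the four classes the position test compares.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "special": string.punctuation,
}
ALPHABET = "".join(CLASSES.values())
# Chi-square critical value, 3 degrees of freedom (four classes), p = 0.001.
CHI2_CRIT_DF3_P001 = 16.27

def shannon_entropy(symbols):
    """H = -sum P(x) log2 P(x); pass characters, or whole passwords for H_empirical."""
    counts = Counter(symbols)
    n = sum(counts.values())
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def position_chi2(passwords, pos):
    """Chi-square of class counts at one position vs. the class mix of a uniform generator."""
    observed = Counter(next(k for k, v in CLASSES.items() if pw[pos] in v) for pw in passwords)
    n = len(passwords)
    expected = {k: n * len(v) / len(ALPHABET) for k, v in CLASSES.items()}
    return sum((observed[k] - expected[k]) ** 2 / expected[k] for k in CLASSES)

def biased_positions(passwords):
    """Positions whose class mix deviates from uniform at p < 0.001."""
    return [p for p in range(len(passwords[0])) if position_chi2(passwords, p) > CHI2_CRIT_DF3_P001]

def csprng_password(length=12):
    """Recommended generator: every position drawn from a CSPRNG over the full alphabet."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def flawed_password(length=12):
    """Constructed, hypothetical flawed generator: the last two positions are always specials."""
    head = "".join(secrets.choice(ALPHABET) for _ in range(length - 2))
    return head + "".join(secrets.choice(string.punctuation) for _ in range(2))

def analyse(generator, samples=2000):
    pws = [generator() for _ in range(samples)]
    return {
        "per_char_entropy": shannon_entropy("".join(pws)),  # uniform maximum is log2(94), about 6.55
        "per_password_entropy": shannon_entropy(pws),       # the paper's H_empirical over the sample
        "biased_positions": biased_positions(pws),
    }
```

Running `analyse(flawed_password)` flags positions 10 and 11 and reports lower per-character entropy than `analyse(csprng_password)`, which flags no position except by the expected 0.1% false-alarm rate.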
8. Applications & Future Directions
Immediate recommendations:
- Use cryptographically secure pseudorandom number generators (CSPRNGs) for all password generation
- Apply the same encryption strength to metadata as to passwords
- Implement context-aware autofill with user confirmation for sensitive sites
- Adopt zero-knowledge architectures in which the service provider cannot access user data
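A defender-side model of the context-aware autofill the recommendations call for, written as an added example rather than code from any manager in the study: each check corresponds to one issue from section 5 (framing and overlays for clickjacking, scripted fills for XSS) or section 8 (user confirmation for sensitive sites). The credential store, the sensitive-origin list and the request fields are constructed assumptions.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed credential store: credentials are bound to an exact origin, never a bare hostname.
STORE = {
    "https://bank.example": ("alice", "example-password-1"),
    "https://forum.example": ("alice", "example-password-2"),
}
# Origins for which the recommendation requires an explicit confirmation step (assumed list).
SENSITIVE = {"https://bank.example"}

@dataclass(frozen=True)
class FillRequest:
    page_url: str          # URL of the document that owns the password field
    top_url: str           # URL of the top-level browsing context
    field_visible: bool    # field is rendered, unobscured and inside the viewport
    user_gesture: bool     # the user focused or clicked the field themselves
    user_confirmed: bool   # the user approved the fill in trusted browser UI

def origin(url):
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()

def decide_fill(req):
    """Return ('fill', username, password) or ('deny', reason)."""
    page = origin(req.page_url)
    if not page.startswith("https://"):
        return ("deny", "insecure scheme")
    if page not in STORE:
        return ("deny", "no credential for this exact origin")
    if origin(req.top_url) != page:
        return ("deny", "cross-origin frame")           # framing / clickjacking mitigation
    if not req.field_visible:
        return ("deny", "field hidden or overlaid")    # overlay check for invisible fields
    if not req.user_gesture:
        return ("deny", "no user gesture")             # blocks scripted fills, e.g. from injected XSS
    if page in SENSITIVE and not req.user_confirmed:
        return ("deny", "confirmation required")
    user, pw = STORE[page]
    return ("fill", user, pw)
```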
Research directions:
- Machine learning defenses: Develop ML models that detect anomalous autofill patterns indicative of attacks
- Formal verification: Apply formal methods to verify the security properties of password managers
- Hardware integration: Use hardware security modules (HSMs) and trusted execution environments (TEEs)
- Post-quantum cryptography: Prepare for quantum computing threats to current encryption standards
- Behavioral biometrics: Combine keystroke dynamics and mouse-movement analysis as additional authentication factors
Industry impact:
The study shows the need for standardized security certification of password managers, similar to FIPS 140-3 for cryptographic modules. Future password managers may evolve into comprehensive credential management platforms that integrate passwordless authentication methods such as WebAuthn while maintaining backward compatibility.
9. References
- Oesch, S., & Ruoti, S. (2020). That Was Then, This Is Now: A Security Evaluation of Password Generation, Storage, and Autofill in Browser-Based Password Managers. USENIX Security Symposium.
- Li, Z., He, W., Akhawe, D., & Song, D. (2014). The Emperor's New Password Manager: Security Analysis of Web-based Password Managers. USENIX Security Symposium.
- Silver, D., Jana, S., Boneh, D., Chen, E., & Jackson, C. (2014). Password Managers: Attacks and Defenses. USENIX Security Symposium.
- National Institute of Standards and Technology. (2017). Digital Identity Guidelines: Authentication and Lifecycle Management. NIST SP 800-63B.
- Goodin, D. (2019). Why password managers have a fundamental flaw. Ars Technica.
- Florêncio, D., & Herley, C. (2007). A large-scale study of web password habits. Proceedings of the 16th International Conference on World Wide Web.
- Bonneau, J. (2012). The science of guessing: analyzing an anonymized corpus of 70 million passwords. IEEE Symposium on Security and Privacy.
- Veras, R., Collins, C., & Thorpe, J. (2014). On the semantic patterns of passwords and their security impact. NDSS Symposium.
Analyst's Perspective: The Password Manager Security Paradox
Core insight
The central paradox this study reveals is striking: password managers, designed as security solutions, have become attack vectors themselves. Five years after Li et al.'s damning 2014 evaluation, we see improvement but not transformative security. The industry's focus on usability continues to dominate security, creating what I call the "convenience-security trade-off trap". This mirrors findings in other security domains such as the CycleGAN paper (Zhu et al., 2017), where optimizing for one objective (image translation quality) often compromises others (training stability).
Logical flow
The paper's method exposes a critical flaw in how we evaluate security tools. By examining generation, storage, and autofill as interconnected systems rather than isolated components, the researchers exposed systemic weaknesses. The most troubling finding is not any single vulnerability but the pattern: multiple managers failed across multiple categories. This points to an industry-wide blind spot, particularly around metadata protection and autofill security. The analysis of a 147-million-password corpus provides unprecedented statistical power; this is not anecdotal evidence but strong mathematical proof of systemic problems.
Strengths & Flaws
Strengths: The full-lifecycle approach is exemplary. Too often, security evaluations focus on storage encryption while ignoring generation and autofill. The statistical rigor of the password analysis sets a new standard for the field. The comparison across 13 managers provides valuable market insight into which implementations are fundamentally flawed and which have specific, fixable problems.
Critical flaws: The study's main limitation is its snapshot nature. Security is dynamic, and many of the evaluated managers may have patched vulnerabilities since the study. More importantly, the study does not adequately address human factors: how real users configure (or misconfigure) these tools. As the NIST guidelines stress, security that is not usable will not be used. The paper also misses an opportunity to compare browser-based managers with dedicated applications, which often have different security architectures.
Actionable insights
Organizations should immediately: 1) audit which password managers employees use, 2) create an approved list based on this study's findings, 3) enforce policies requiring encryption of all metadata, and 4) disable autofill for high-value accounts. For developers, the message is clear: stop treating password generation as a secondary feature. As the entropy calculations show ($H_{empirical}$ well below the theoretical maximum), many implementations use poor random number generation. Following cryptographic best practices from authoritative sources such as the IETF's RFC 8937 on randomness requirements for security is non-negotiable.
The future is not about fixing current password managers but rethinking them. We need architectures that provide zero-knowledge proofs of security properties, perhaps borrowing from blockchain verification methods. The industry should develop open standards for password manager security certification, similar to how the FIDO Alliance standardized passwordless authentication. Until then, users face a sobering reality: the tools meant to protect them may undermine their security.