Zaɓi Harshe

Ma'auni na Canonical na Ƙarfin Kalmar Sirri: Tsara Tsaro a kan Hare-haren Zato

Bincike na yau da kullun da ke gabatar da ma'anar canonical na ƙarfin kalmar sirri bisa ingancin dabarun mai kai hari, yana ƙalubalantar ma'aunin tsaro na gargajiya.
strongpassword.org | PDF Size: 0.2 MB
Kima: 4.5/5
Kimarku
Kun riga kun ƙididdige wannan takarda
Murfin Takardar PDF - Ma'auni na Canonical na Ƙarfin Kalmar Sirri: Tsara Tsaro a kan Hare-haren Zato
Duba Takardar PDF Zazzage PDF Fassara PDF
Gida » Takaddun » Ma'auni na Canonical na Ƙarfin Kalmar Sirri: Tsara Tsaro a kan Hare-haren Zato

1. Gabatarwa

Takardar ta magance babban gibi a cikin tattaunawar tsaron kalmar sirri: rashin ma'anar "ƙarfin kalmar sirri" mai tsauri. Ta yi iƙirarin cewa hanyoyin da ake amfani da su a yanzu sau da yawa na labari ne kuma sun kasa yin la'akari da dabarun mai kai hari. Marubutan sun gabatar da ma'auni na canonical bisa ingancin yuwuwar hare-haren zato, suna mai da hankali daga halayen kalmar sirri zuwa halayen kai hari.

2. Matsayin Fasaha

Takardar ta soki yanayin tsaron kalmar sirri na yanzu a matsayin "mai ban tsoro kamar maganin zamanin da," tana ambaton lura da Bruce Schneier cewa yawancin shawarwari sun dogara ne akan labari maimakon bincike. Ta bayyana rashin ingantacciyar hanyar auna ƙarfin bayanan kalmar sirri, kamar yadda aka lura a cikin wallafe-wallafen kwanan nan [3]. Ana watsi da ma'aunin ƙarfin kalmar sirri na gama-gari a matsayin ma'aunin "kwaikwayo" maimakon juriya na gaskiya ga hare-haren hankali.

3. Fahimta ta Asali & Tsarin Ma'ana

Fahimta ta Asali: Ƙarfin kalmar sirri ba dukiya ce ta asali ba ta jerin haruffa; abu ne na dangantaka wanda aka ayyana gaba ɗaya ta hanyar dabarun zato na mai kai hari. Manufar mai tsaron gida ba ta ƙirƙirar "kalmar sirri mai ƙarfi" a sarari ba, amma ta ƙirƙiri wadda ba ta yi kyau ba a kan saitin dabarun kai hari masu yuwuwa da wani abokin gaba mai hankali zai iya amfani da su.

Tsarin Ma'ana: Hujjar ta ci gaba da daidaito na yau da kullun:

  1. Ayyana hare-haren zato a matsayin jerin da aka jera (ƙamus) na zaɓaɓɓun kalmomin sirri.
  2. Tabatar da cewa kowane hare-hare biyu sun bambanta kawai ta hanyar tsarin wannan jeri.
  3. Ƙarshe cewa ƙarfin kalmar sirri a kan wani takamaiman hari shine matsayinta a cikin ƙamus na wannan hari.
  4. Tun da mai tsaron gida ba ya san ainihin tsarin kai hari, dole ne su yi la'akari da saitin hare-haren da ake iya gani.
  5. Saboda haka, ma'aunin ƙarfin mai tsaron gida shine ƙimar da ake tsammani na matsayin kalmar sirri a cikin wannan saitin hare-hare.
Wannan ya juyar da rubutun: ana ƙirƙira tsaro a matsayin wasa inda mai tsaron gida ya ƙididdige sararin dabarun mai kai hari.

4. Ƙarfi & Kurakurai

Ƙarfi:

  • Daidaito na Ra'ayi: Yana ba da ma'anar farko na yau da kullun, mai mai da hankali kan kai hari na ƙarfin kalmar sirri, ya wuce ƙa'idodin ƙwaƙwalwar ajiya.
  • Tushen Ka'idar Wasanni: Yana daidaita zaɓin kalmar sirri daidai a matsayin hulɗar dabara, yana daidaitawa da binciken tsaro na zamani kamar wanda aka samu a cikin binciken Ka'idar Wasanni don Tsaro.
  • Yana Bayyana Ƙa'idodin Kuskure: Yana rushe manufofin da aka mai da hankali kan bin doka (misali, "dole ne ya haɗa da lamba da alama") waɗanda ke haifar da tsarin tsinkaye.

Kurakurai & Iyakoki:

  • Rashin Iyawar Lissafi: Ma'auni na asali—ƙididdige matsayi da ake tsammani a duk faɗin hare-haren da ake iya gani—ba shi da yuwuwar lissafi don manyan wuraren kalmar sirri. Manufa ce ta ka'idar, ba kayan aiki na ainihi ba don ma'aunin ƙarfi na ainihin lokaci.
  • Ya Bari Gaskiyar Maɓalli: Ƙirar tana ɗauka cewa "hare-haren zato na waje" ba tare da iyaka ba, tana yin watsi da iyakancewar ƙima, kulle asusu, da tsarin gano kan layi waɗanda ke canza dabarun mai kai hari gaba ɗaya.
  • Babu Jagora akan Saitin Kai Hari: Babban tsalle-tsalle na takardar—ayyana "saitin hare-haren da ake iya gani"—an bar shi ba a bayyana shi ba. Ta yaya mai tsaron gida zai ƙirƙira wannan saitin a aikace? Wannan shine jigon matsalar.

5. Fahimta Mai Aiki

Ga masu aikin tsaro, wannan takarda ta ba da umarnin canjin tsari:

  1. Daina Auna Kwaikwayo: A jefar da ma'aunin kalmar sirri waɗanda kawai ke duba azuzuwan haruffa. Suna horar da masu amfani don ƙirƙirar kalmomin sirri waɗanda suke da ƙarfi a kan ma'auni, ba a kan mai kai hari ba.
  2. Yi Tunani a cikin Rarraba, Ba Dokoki ba: Maimakon tilasta alamomi, ƙarfafa masu amfani su zaɓi kalmomin sirri daga babban rarrabawa na entropy wanda ba zai yi daidai da ƙamus na hare-haren gama-gari ba (misali, ta amfani da diceware ko manajoji na kalmar sirri).
  3. Ƙirƙira Abokin Gaban ku: Don mahimman tsarin, gudanar da ƙirar barazana don ayyana dabarun kai hari masu yuwuwa (misali, ƙarfin hali, ƙamus dangane da karyewar da suka gabata, bayanan sirri da aka yi niyya). Daidaita manufofin kalmar sirri don rushe waɗannan takamaiman dabarun.
  4. Karɓi Rashin Tabbaci: Yardar da cewa cikakken ma'aunin ƙarfi ba shi yiwuwa. Manufar ita ce ƙara farashi da rashin tabbas ga mai kai hari, ba don cimma maki cikakke ba.

6. Tsarin Fasaha

6.1 Tsarin Kai Hari na Yau da Kullun

Takardar tana ƙirƙira hare-haren zato $A$ a matsayin jerin da aka jera (ƙamus) $D_A = (w_1, w_2, w_3, ...)$ na zaɓaɓɓun kalmomin sirri, inda $w_i$ kalma ce daga haruffa masu iyaka. Mai kai hari yana gwada kalmomin sirri a wannan tsari har sai nasara. Hare-haren "waje" ne, ma'ana tashar tana ba da amsa nasara/kasa nan da nan ba tare da iyaka ba.

6.2 Tsarin Lissafi

Bari $p$ ya zama takamaiman kalmar sirri. Don wani hari $A$, ƙarfin $p$ an ayyana shi a matsayin matsayinsa a cikin $D_A$: $$S_A(p) = \text{rank}_A(p)$$ inda $\text{rank}_A(p) = i$ idan $p = w_i \in D_A$.

Tun da mai tsaron gida bai san ainihin $A$ ba, yana la'akari da saitin $\mathcal{A}$ na yuwuwar hare-hare. Ƙarfin kalmar sirri na canonical $C(p)$ shine matsayin da ake tsammani: $$C(p) = \mathbb{E}_{A \sim \mathcal{A}}[\,S_A(p)\,] = \sum_{A \in \mathcal{A}} P(A) \cdot \text{rank}_A(p)$$ inda $P(A)$ shine yuwuwar (ko yuwuwar) da aka ba wa hari $A$ daga saitin $\mathcal{A}$. Wannan tsari yana haɗa ƙarfi kai tsaye da imanin mai tsaron gida game da dabarun mai kai hari.

7. Sakamakon Gwaji & Bincike

Gwaji na Ra'ayi & Ma'ana: Duk da yake takardar kanta ba ta gabatar da bayanan ƙwaƙƙwaran daga gudanar da software ba, tana nuna wajibcin ƙirarta ta hanyar tunani. Ta nuna cewa kalmomin sirri biyu, "Password123!" da "xQ37!z9pLm", na iya samun maki iri ɗaya daga ma'auni marar hankali yana duba tsayi da nau'in haruffa. Duk da haka, "Password123!" zai sami matsayi mai ƙasa (ƙarfi mai girma) a cikin tsarin kai hari na ƙarfin hali amma matsayi mai girma sosai (ƙarfi ƙasa) a cikin hare-haren ƙamus wanda ke ba da fifiko ga kalmomin tushe na gama-gari da tsari. Ma'aunin canonical $C(p)$, ta hanyar matsakaicin nau'ikan hare-hare biyu, zai bayyana raunin gaskiya na "Password123!" dangane da kirtani na bazuwar.

Fassarar Ginshiƙi (Ra'ayi): Ka yi tunanin ginshiƙi kwatankwacin hanyoyin kimanta kalmar sirri guda uku don samfurin kalmomin sirri:

  • Hanya A (Ma'auni Marar Hankali): Yana nuna "Password123!" da "xQ37!z9pLm" a matsayin masu ƙarfi daidai.
  • Hanya B (Matsayi na Hare-haren Ƙamus): Yana nuna "Password123!" a matsayin mai rauni sosai (ƙananan lambar matsayi) kuma "xQ37!z9pLm" a matsayin mai ƙarfi (babban lambar matsayi).
  • Hanya C (Ma'aunin Canonical $C(p)$): Yana nuna matsakaicin nauyi. Makin "Password123!" ya faɗi saboda yuwuwar sa mai girma a cikin hare-haren ƙamus, yayin da kirtani na bazuwar ya riƙe babban maki. Wannan ginshiƙi zai yi jayayya ta gani cewa $C(p)$ yana da alaƙa da kyau tare da fashewar duniyar gaske.

8. Tsarin Bincike: Nazarin Lamari

Yanayi: Manufar kalmar sirri na kamfani yana buƙatar: "Aƙalla haruffa 12, gami da manyan haruffa, ƙananan haruffa, lamba, da alama."

Bincike na Gargajiya: Kalmar sirri kamar "Summer2024!$" ta wuce manufar kuma ta sami ƙimar "Mai Ƙarfi" daga ma'auni na yau da kullun.

Binciken Ma'aunin Canonical:

  1. Ayyana Saitin Kai Hari $\mathcal{A}$:
    • $A_1$: Hare-haren ƙamus ta amfani da kalmomin gama-gari ("Summer"), yanayi, shekaru, da kalmomin alama na gama-gari ("!$"). Yuwuwar: Babba (0.7).
    • $A_2$: Hare-haren da aka yi niyya ta amfani da sunan kamfani, bayanan ma'aikata. Yuwuwar: Ƙasa don hare-haren yawa (0.1).
    • $A_3$: Cikakken ƙarfin hali akan sararin haruffa 12. Yuwuwar: Ƙasa sosai (0.001).
    • $A_4$: Hare-haren ta amfani da kalmomin sirri daga karyewar da suka gabata na kamfanoni makamantan. Yuwuwar: Matsakaici (0.199).
  2. Ƙididdige Matsayi:
    • $\text{rank}_{A1}("Summer2024!$")$: Ƙasa sosai (misali, a cikin manyan miliyan 10).
    • $\text{rank}_{A2}(p)$: Zai iya zama ƙasa idan an yi niyya.
    • $\text{rank}_{A3}(p)$: Babba sosai (~$95^{12}$).
    • $\text{rank}_{A4}(p)$: Yana iya zama ƙasa idan tsarin ya zama gama-gari.
  3. Ƙididdige $C(p)$: Matsayin da ake tsammani yana mamaye hare-haren ƙamus mai yuwuwar babba $A_1$, yana haifar da makin ƙarfin canonical ƙasa, yana bayyana gazawar manufar.
Ƙarshe: Manufar tana haifar da rarrabawa mai tsinkaye. Tsarin canonical ya nuna cewa tsaron gida yana buƙatar karya wannan tsinkayen, watakila ta hanyar tilasta kalmomin sirri da aka samar da bazuwar ko amfani da jerin kalmomin sirri marasa ƙarfi da aka sani, wanda ke canza yuwuwar kai tsaye a cikin $\mathcal{A}$.

9. Aikace-aikace na Gaba & Jagorori

  • Manufofin Kalmar Sirri Masu Daidaitawa: Tsarin zai iya amfani da tsarin canonical don ƙirƙirar manufofi masu ƙarfi. Maimakon dokoki masu tsayi, sabis na baya na iya ƙididdige $\mathcal{A}$ bisa bayanan barazana na yanzu (misali, sabbin ƙamus da aka ɓoye) kuma ya ƙi kalmomin sirri tare da makin $C(p)$ ƙasa a kan wannan sabon ƙirar.
  • Haɗin Manajan Kalmar Sirri: Manajoji na kalmar sirri sun dace don aiwatar da wannan. Suna iya kiyaye ƙirar gida na $\mathcal{A}$ (bisa bayanan karyewar duniya da ƙa'idodin tunani) kuma su yi amfani da shi don samar da kalmomin sirri waɗanda ke haɓaka $C(p)$. Wannan yana mai da ƙirar ka'idar zuwa haɓakar tsaro mai aiki, mai bayyana ga mai amfani.
  • Hujjojin Tsaro na Yau da Kullun: Ƙirar tana ba da tushe don tabbatar da kaddarorin tsaro na algorithms na samar da kalmar sirri a cikin wallafe-wallafen ilimi, kamar yadda ake nazarin algorithms ɓoyewa.
  • Ƙirar Barazana Guda biyu: Aikin nan gaba dole ne ya haɗa ma'aunin canonical tare da ƙuntatawa na duniyar gaske kamar iyakancewar ƙima. Saitin kai hari $\mathcal{A}$ zai haɗa da ba kawai tsarin kalmar sirri ba, har ma da dabarun rarraba zato a cikin lokaci da asusu.
  • Koyon Injina don $\mathcal{A}$: Babban matsalar da aka buɗe—ayyana saitin kai hari—za a iya magance shi tare da ML. Tsarin zai iya horar da ƙira akan ainihin yunƙurin fashewa da kalmomin sirri da aka ɓoye don ci gaba da koyo da sabunta rarraba yuwuwar $P(A)$ akan dabarun, ƙirƙirar manufa mai motsi ga masu kai hari.

10. Nassoshi

  1. Panferov, E. (2016). A Canonical Password Strength Measure. arXiv:1505.05090v4 [cs.CR].
  2. Schneier, B. (2007). Schneier on Security. Wiley.
  3. Bonneau, J. (2012). The Science of Guessing: Analyzing an Anonymized Corpus of 70 Million Passwords. IEEE Symposium on Security and Privacy.
  4. Shannon, C. E. (1948). A Mathematical Theory of Communication. The Bell System Technical Journal.
  5. Florêncio, D., & Herley, C. (2007). A Large-Scale Study of Web Password Habits. Proceedings of the 16th International Conference on World Wide Web.
  6. Ur, B., et al. (2015). Do Users' Perceptions of Password Security Match Reality? Proceedings of the 2015 CHI Conference on Human Factors in Computing Systems.
  7. NIST Special Publication 800-63B (2017). Digital Identity Guidelines: Authentication and Lifecycle Management.
  8. Wang, D., et al. (2016). The Tangled Web of Password Reuse. NDSS Symposium 2016.