Sigina da Ƙarfin Kalmar Sirri: Tsaro Mai Hana Kai Tsaye Daga Fasa Kalmar Sirri

Teburin Abubuwan Ciki

1. Gabatarwa
2. Babban Fahimta: Binciken Masana
3. Tsarin Tunani: Hanyar Aiki
4. Ƙarfi da Rashi
- 4.1 Ƙarfi
- 4.2 Rashi da Iyakoki
5. Bayanai Masu Aiki
6. Bayanan Fasaha da Tsarin Lissafi
7. Sakamakon Gwaji
8. Nazarin Harka: Sigina a Aiki
9. Aikace-aikace da Hanyoyi na Gaba
10. Bincike na Asali
11. Manazarta

1. Gabatarwa

Fasa kalmar sirri ya kasance ɗaya daga cikin mafi yawan barazanar da ke ci gaba a cikin tsaro na yanar gizo. Karyewar kwanan nan sun fallasa biliyoyin kalmomin sirri, suna ba wa maharan damar duba miliyoyin hasashe a cikin daƙiƙa guda. Tsare-tsare na gargajiya kamar hashing suna iyakance ta hanyar tsadar lissafi. Wannan takarda ta gabatar da wani tsaro mai hana kai tsaye: sigina da ƙarfin kalmar sirri. Maimakon yin fasa da wuya, uwar garken tana adana sigina mai hayaniya mai alaƙa da ƙarfin kalmar sirri. Abin mamaki, wannan na iya rage yawan kalmomin sirri da aka fasa har zuwa 12% a hare-haren da ba a haɗa su da yanar gizo ba da kuma 5% a hare-haren da ake kai wa ta yanar gizo.

2. Babban Fahimta: Binciken Masana

Babban Fahimta: Fasa kalmar sirri ba wasa ne na sifili ba. Ribar mai hari ita ce darajar kalmomin sirri da aka fasa tare da rage farashin hasashe. Ta hanyar sarrafa imanin mai hari ta hanyar sigina masu hayaniya, mai tsaron zai iya ƙarfafa mai hari ya yi hasashe kaɗan. Wannan aikace-aikace ne mai kyau na Bayesian Persuasion a fannin tsaro na yanar gizo.

Me yasa yake da mahimmanci: Yawancin tsare-tsare suna mai da hankali kan sanya fasa ya zama mai tsadar lissafi. Sigina tana jujjuya labarin: tana amfani da hankalin mai hari. Idan mai hari ya yi imani cewa yawancin kalmomin sirri ba su da ƙarfi, suna iya yin hasashe da ƙarfi. Amma idan sigina ta nuna cewa yawancin kalmomin sirri suna da ƙarfi, mai hari na iya rage ƙoƙari, saboda tsoron tsadar farashi tare da ƙarancin riba.

3. Tsarin Tunani: Hanyar Aiki

3.1 Tsarin Bayesian Persuasion

Mai tsaron (uwar garken tantancewa) yana zaɓar tsarin sigina $\sigma$ wanda ke danganta kowane ƙarfin kalmar sirri $s$ zuwa rarraba sigina $m$. Mai hari yana lura da sigina kuma yana sabunta imaninsa ta amfani da dokar Bayes. Burin mai tsaron shi ne ya rage yawan kalmomin sirri da ake tsammanin za a fasa, yayin da mai hari ke ƙara yawan ribar da ake tsammani.

3.2 Tsara Tsarin Sigina

Mai tsaron yana warware matsalar ingantawa: idan aka ba da saitin ƙarfin kalmomin sirri da aikin farashin mai hari, nemo tsarin sigina wanda ke rage yawan kalmomin sirri da aka fasa. Marubutan suna amfani da algorithm na juyin halitta don lissafta mafi kyawun tsarin. Ana adana sigina tare da hash, don haka mai hari yana ganin ta lokacin da aka karye.

3.3 Shawarar Mai Hari Mai Hankali

Mai hari yana zaɓar kasafin hasashe $B$ don ƙara yawan $\mathbb{E}[V \cdot \text{rabon da aka fasa}] - C(B)$, inda $V$ shine darajar kowace kalmar sirri da aka fasa kuma $C(B)$ shine farashin hasashe $B$. Sigina tana canza rarraba bayanai na mai hari, mai yuwuwa ta rage mafi kyawun $B$.

4. Ƙarfi da Rashi

4.1 Ƙarfi

Sabuwar hanya: Aikace-aikace na farko na Bayesian Persuasion ga tsaron kalmar sirri.
Tabbatarwa ta zahiri: An gwada akan bayanan kalmar sirri na gaske (misali, RockYou, LinkedIn).
Babu gogayya da mai amfani: Sigina ba a iya gani ga masu amfani na halal.
Yana cika tsare-tsare na yanzu: Ana iya haɗa shi da hashing da iyakance ƙimar.

4.2 Rashi da Iyakoki

Yana ɗaukan mai hari mai hankali: Maharan na gaske ba za su iya zama masu hankali sosai ba.
Zubar da sigina: Idan mai hari ya yi watsi da sigina, tsaron ya gaza.
Damuwa game da ɗabi'a: Adana sigina masu ɓatarwa na iya zama kamar yaudara.
Ƙananan riba: Rage 12% ba shi da yawa; ba maganin sihiri ba ne.

5. Bayanai Masu Aiki

Ga masu tsara tsarin: Yi la'akari da aiwatar da sigina a matsayin ƙarin Layer mai rahusa. Yi amfani da algorithms na juyin halitta don daidaita sigina bisa ga rarraba kalmar sirri.
Ga masu bincike: Bincika sigina mai daidaitawa wanda ke canzawa akan lokaci, ko lallashi mai zagaye da yawa.
Ga masu tsara manufofi: Yi la'akari da abubuwan da suka shafi ɗabi'a kafin tilasta irin waɗannan fasahohin.

6. Bayanan Fasaha da Tsarin Lissafi

Matsalar ingantawa ta mai tsaron ita ce:

$$\min_{\sigma} \mathbb{E}_{s \sim P} \left[ \mathbb{E}_{m \sim \sigma(s)} \left[ \text{cracked}(m) \right] \right]$$

tare da amsar mafi kyawu ta mai hari: $B^*(m) = \arg\max_B \mathbb{E}[V \cdot \text{cracked}(s, B) | m] - C(B)$.

A nan, $P$ shine rarraba farko na ƙarfin kalmomin sirri, $\sigma(s)$ shine rarraba sigina don ƙarfin $s$, kuma $\text{cracked}(m)$ shine rabon kalmomin sirri da aka fasa idan aka ba da sigina $m$ da halayyar mai hari mafi kyau.

7. Sakamakon Gwaji

Marubutan sun gwada akan bayanai guda uku: RockYou (miliyan 32 na kalmomin sirri), LinkedIn (miliyan 6.5), da bayanan kamfani. Sakamakon ya nuna:

Hare-haren da ba a haɗa su da yanar gizo ba: Har zuwa 12% rage yawan kalmomin sirri da aka fasa.
Hare-haren da ake kai wa ta yanar gizo: Har zuwa 5% rage.
Mafi kyawun sigina: Sau da yawa sun haɗa da "haɗa" kalmomin sirri masu rauni da masu ƙarfi don haifar da rashin tabbas.

Hoto 1: Jadawalin ginshiƙi yana nuna rabon da aka fasa da kasafin hasashe don babu sigina da mafi kyawun sigina. Sigina tana rage kalmomin sirri da aka fasa a duk kasafin kuɗi.

8. Nazarin Harka: Sigina a Aiki

Halin: Kamfani mai masu amfani miliyan 1. Ƙarfin kalmomin sirri yana bin rarraba Zipf. Mai tsaron yana tsara tsarin sigina tare da sigina biyu: "mai rauni" da "mai ƙarfi". Mafi kyawun tsarin yana danganta 60% na kalmomin sirri masu rauni zuwa "mai ƙarfi" da 20% na kalmomin sirri masu ƙarfi zuwa "mai rauni". Mai hari, yana ganin "mai ƙarfi", yana rage kasafin hasashe da 30%, yana haifar da 8% ƙarancin kalmomin sirri da aka fasa gabaɗaya.

9. Aikace-aikace da Hanyoyi na Gaba

Sigina mai daidaitawa: Sabunta sigina bisa ga halayyar mai hari da aka lura.
Wasanni masu tsaro da yawa: Sabobin da yawa suna daidaita sigina.
Haɗin kai da AI: Yi amfani da koyon ƙarfafawa don inganta sigina a lokaci guda.
Aikace-aikace masu faɗi: Aiwatar da wasu fannonin tsaro kamar CAPTCHA ko gano zamba.

10. Bincike na Asali

Wannan takarda tana da sabo ne daga tseren makamai na sanya kalmomin sirri da wuya a fasa. Maimakon haka, tana amfani da hankalin mai hari a kansu. Babban fahimtar—cewa fasa kalmar sirri ba wasa ne na sifili ba—yana da zurfi. Kamar yadda Kamenica da Gentzkow (2011) suka lura a cikin aikinsu na asali akan Bayesian Persuasion, tsara bayanai na iya rinjayar masu yanke shawara ko da suna da cikakken hankali. Wannan takarda ta yi amfani da wannan ka'idar ga matsalar tsaro mai amfani tare da sakamako mai ban sha'awa.

Koyaya, ɗaukan cikakken hankali babban iyaka ne. Maharan na gaske na iya zama da dalilai marasa kuɗi (misali, suna, son sani) ko kuma suna iya amfani da dabarun hasashe na heuristic. Bugu da ƙari, ba za a iya yin watsi da girman ɗabi'a ba: da gangan adana bayanai masu ɓatarwa na iya zama kamar yaudara, musamman idan masu amfani ba su sani ba. Kamar yadda marubutan da kansu suka lura, wannan "tabbatar da ra'ayi" ne kuma dole ne a magance matsalolin al'umma.

Idan aka kwatanta da tsare-tsare na gargajiya kamar bcrypt ko Argon2, sigina tana ba da wata musanya daban: ba ta ƙara tsadar lissafi ba amma tana amfani da rashin daidaiton bayanai. Wannan yana tunatar da hanyar "honeypot", amma mafi dabara. Aikin gaba ya kamata ya bincika tsare-tsare masu haɗaka waɗanda ke haɗa sigina da hashing mai daidaitawa. Rage 12% ba shi da yawa amma yana da ma'ana—a cikin karyewar kalmomin sirri miliyan 10, wannan shine kalmomin sirri miliyan 1.2 da ba a fasa ba.

A ƙarshe, sigina da ƙarfin kalmar sirri tsaro ne mai wayo, mai tushen ka'idar wanda ya cancanci ƙarin bincike. Ba zai maye gurbin hashing ba, amma yana iya zama ƙari mai mahimmanci ga kayan aikin mai tsaron.

11. Manazarta

Bai, W., Blocki, J., & Harsha, B. (2021). Password Strength Signaling: A Counter-Intuitive Defense Against Password Cracking. arXiv:2009.10060v5.
Kamenica, E., & Gentzkow, M. (2011). Bayesian Persuasion. American Economic Review, 101(6), 2590-2615.
Blocki, J., & Datta, A. (2016). Cracking the Cracking Problem: A Game-Theoretic Approach. IEEE S&P.
Ur, B., et al. (2015). How Does Your Password Measure Up? The Effect of Strength Meters on Password Creation. USENIX Security.