Search Results

Listing 1 - 3 of 3
  • Publication
    Evaluation of password hashing competition finalists: performance, security, compliance mapping, and post-quantum readiness
    (Karyay Karadeniz Yayımcılık Ve Organizasyon Ticaret Limited Şirketi, 2025-11-15) Ulutaş, Erdem; Çeliktaş, Barış
    Password hashes and key derivation functions (KDFs) are central to authentication and cryptographic security schemes crafted to defend user credentials from brute-force attacks and unauthorized access. Password hashing algorithms, for example PBKDF2, bcrypt, or scrypt, are very popular today, but are lacking in the face of modern hardware acceleration, parallel processing, and advanced cryptanalytic attacks. To contest these shortcomings, the Password Hashing Competition (PHC) was started in 2013 and had 22 candidates for functions for hashing passwords. After thorough evaluation, 9 finalists were selected based on how secure, fast, memory-friendly, flexible, and efficient these functions were. This study evaluates the nine PHC finalists—Argon2, battcrypt, Catena, Lyra2, MAKWA, Parallel, POMELO, Pufferfish, and yescrypt—through survey findings and performance benchmarks. We have evaluated these functions from an architectural standpoint and studied their security features, memory hardness, performance tradeoff, and practical usage. We also compare these finalists with traditional password hashing functions to highlight their advantages and limitations. We also investigate the post-quantum assumption for password hashing – the effectiveness of these functions against quantum assaults, their position in a new cryptography set, and the role of peppering as an additional security measure. In addition, we perform a comprehensive compliance mapping of the PHC finalists against major global standards and regulations such as NIST SP 800-63B, OWASP ASVS, PCI DSS, GDPR, KVKK, and ISO/IEC 27001, highlighting their practical suitability for secure deployment in regulated environments. Finally, we provide usage recommendations for these functions for web authentication, KDFs, and embedded platforms. 
This paper serves as a reference for researchers, developers, and security engineers, while also introducing a compliance-aware, post-quantum-ready framework that bridges cryptographic design with regulatory and deployment needs.
  • Publication
    From policy to practice: a sector-agnostic operational framework for post-quantum cryptography transition
    (Institute of Electrical and Electronics Engineers Inc., 2026-03-02) Birgin, Berat; Çeliktaş, Barış
    The pace of quantum computing development necessitates not only the adoption of post-quantum cryptographic algorithms, but also the establishment of an executable and auditable institutional transition process. Although guidance documents published by the National Institute of Standards and Technology (NIST) and roadmaps proposed by the Post-Quantum Cryptography Coalition (PQCC) articulate strategic objectives, they largely remain procedural constructs lacking a concrete operational execution model. This paper presents an industry-neutral operational framework that translates policy-level post-quantum cryptography (PQC) guidance into deterministic, proof-producing process flows encompassing cryptographic asset discovery, classification, risk modeling, algorithm selection, deployment, monitoring, and governance enforcement. Central to the framework is a deterministic Quantum Risk Scoring (QRS) function, calibrated using the Analytical Hierarchy Process (AHP), which enables reproducible asset prioritization and policy-driven enforcement decisions. Framework executability is further strengthened through cryptography-aware continuous integration/continuous deployment (CI/CD) validation gates and downgrade protection mechanisms, ensuring the generation of verifiable and immutable audit artifacts. A scenario-based operational validation, implemented using open-source toolchains, demonstrates the framework’s operability, auditability, and governance alignment without relying on empirical cryptographic performance benchmarks, confirming that PQC transition can be operationalized as a verifiable lifecycle process bridging policy guidance with enforceable technical actions. Rather than introducing new cryptographic primitives, this work formalizes PQC transition as an operational systems-engineering problem centered on governance-enforced execution and lifecycle verifiability.
  • Publication
    Comparative analysis of API security testing tools: features, capabilities and performance evaluation
    (BIDGE Publications, 2023-05-24) Çarkçıoğlu, Onur; Çeliktaş, Barış; Çoğun, Hikmet Yeter; Parlar, İshak; Üzmuş, Hasan
    Application programming interfaces (APIs) are components that facilitate communication between applications. APIs are an integral part of modern web applications and provide a means for applications to communicate with each other and exchange data. Web applications and the APIs they use are both attractive and easily accessible targets for malicious hackers. It is therefore very important to secure these applications and to protect the integrity and confidentiality of their data. There are many tools available for the security testing of API services. Some of these applications are open-source projects that can be used free of charge, while others are commercial solutions offered by security-focused companies. In this chapter, Postman, Burp Suite, OWASP ZAP, JSON Web Token Toolkit and Security Code Scan are among the tools used during the research and the tests carried out in this study. There are many tools available for the security testing of API services. Some of these applications are open-source projects that can be used free of charge, while others are commercial solutions offered by security-focused organizations. In this chapter, the tools used during the research are analyzed and tested in detail, and their advantages and disadvantages with respect to API testing are set out. The aim is thus to make a positive contribution to the development of more secure web applications and APIs.