4 sonuçlar
Arama Sonuçları
Listeleniyor 1 - 4 / 4
Yayın Evaluation of password hashing competition finalists: performance, security, compliance mapping, and post-quantum readiness(Karyay Karadeniz Yayımcılık Ve Organizasyon Ticaret Limited Şirketi, 2025-11-15) Ulutaş, Erdem; Çeliktaş, BarışPassword hashes and key derivation functions (KDFs) are central to authentication and cryptographic security schemes crafted to defend user credentials from brute-force attacks and unauthorized access. Password hashing algorithms, for example PBKDF2, bcrypt, or scrypt, are very popular today, but are lacking in the face of modern hardware acceleration, parallel processing, and advanced cryptanalytic attacks. To contest these shortcomings, the Password Hashing Competition (PHC) was started in 2013 and had 22 candidates for functions for hashing passwords. After thorough evaluation, 9 finalists were selected based on how secure, fast, memory-friendly, flexible, and efficient these functions were. This study evaluates the nine PHC finalists—Argon2, battcrypt, Catena, Lyra2, MAKWA, Parallel, POMELO, Pufferfish, and yescrypt—through survey findings and performance benchmarks. We have evaluated these functions from an architectural standpoint and studied their security features, memory hardness, performance tradeoff, and practical usage. We also compare these finalists with traditional password hashing functions to highlight their advantages and limitations. We also investigate the post-quantum assumption for password hashing – the effectiveness of these functions against quantum assaults, their position in a new cryptography set, and the role of peppering as an additional security measure. In addition, we perform a comprehensive compliance mapping of the PHC finalists against major global standards and regulations such as NIST SP 800-63B, OWASP ASVS, PCI DSS, GDPR, KVKK, and ISO/IEC 27001, highlighting their practical suitability for secure deployment in regulated environments. Finally, we provide usage recommendations for these functions for web authentication, KDFs, and embedded platforms. This paper serves as a reference for researchers, developers, and security engineers, while also introducing a complianceaware, post-quantum-ready framework that bridges cryptographic design with regulatory and deployment needs.Yayın From policy to practice: a sector-agnostic operational framework for post-quantum cryptography transition(Institute of Electrical and Electronics Engineers Inc., 2026-03-02) Birgin, Berat; Çeliktaş, BarışThe pace of quantum computing development necessitates not only the adoption of post-quantum cryptographic algorithms, but also the establishment of an executable and auditable institutional transition process. Although guidance documents published by the National Institute of Standards and Technology (NIST) and roadmaps proposed by the Post-Quantum Cryptography Coalition (PQCC) articulate strategic objectives, they largely remain procedural constructs lacking a concrete operational execution model. This paper presents an industry-neutral operational framework that translates policy-level post-quantum cryptography (PQC) guidance into deterministic, proof-producing process flows encompassing cryptographic asset discovery, classification, risk modeling, algorithm selection, deployment, monitoring, and governance enforcement. Central to the framework is a deterministic Quantum Risk Scoring (QRS) function, calibrated using the Analytical Hierarchy Process (AHP), which enables reproducible asset prioritization and policy-driven enforcement decisions. Framework executability is further strengthened through cryptography-aware continuous integration/continuous deployment (CI/CD) validation gates and downgrade protection mechanisms, ensuring the generation of verifiable and immutable audit artifacts. A scenario-based operational validation, implemented using open-source toolchains, demonstrates the framework’s operability, auditability, and governance alignment without relying on empirical cryptographic performance benchmarks, confirming that PQC transition can be operationalized as a verifiable lifecycle process bridging policy guidance with enforceable technical actions. Rather than introducing new cryptographic primitives, this work formalizes PQC transition as an operational systems-engineering problem centered on governance-enforced execution and lifecycle verifiability.Yayın API güvenlik testi araçlarının karşılaştırmalı analizi: özellikler, yetenekler ve performans değerlendirmesi(BIDGE Publications, 2023-05-24) Çarkçıoğlu, Onur; Çeliktaş, Barış; Çoğun, Hikmet Yeter; Parlar, İshak; Üzmuş, HasanUygulama programlama arayüzleri (API'ler), diğer uygulamalar arasındaki iletişimi kolaylaştıran bileşenlerdir. API'ler, modern web uygulamalarının ayrılmaz bir parçasıdır ve uygulamaların birbirleriyle iletişim kurması ve veri alışverişi yapması için bir araç sağlar. Web uygulamaları ve kullandıkları API'ler, kötü niyetli bilgisayar korsanları için hem çekici hem de kolay erişilebilir hedeflerdir. Bu nedenle, bu uygulamanın güvenliğini sağlamak ve verilerin bütünlüğünü ve gizliliğini korumak çok önemlidir. API servisleri, kullanılabilecek birçok araç için güvenlik testlerine sahiptir. Bu uygulamalardan bazıları ücretsiz olarak kullanılabilen açık kaynak kodlu projelerken, bazıları ise güvenlik odaklı firmaların sunduğu ticari çözümlerdir. Bu bölümde, Postman, Burp Suite, OWASP ZAP, JSON Web Token Toolkit, Security Code Scan, araştırma sırasında kullanılan araçlardan ve bu çalışma sırasında gerçekleştirilen testlerden bazılarıdır. API servislerinin güvenlik testi için kullanılabilecek birçok araç bulunmaktadır. Bu uygulamalardan bazıları ücretsiz olarak kullanılabilen açık kaynak kodlu projelerken bazıları da güvenlik odaklı kuruluşların sunduğu ticari çözümlerdir. Bu bölümde, araştırma sırasında kullanılan araçların detaylı analizleri ve testleri yapılacak olup API testleri açısından avantajlı ve dezavantajları yanları ortaya konnacaktır. Böylece daha güvenli Web uygulamaları ve API geliştirme süreçlerine olumlu katkı sağlanması amaçlanmıştır.Yayın Automating cyber risk assessment with public LLMs: an expert-validated framework and comparative analysis(Institute of Electrical and Electronics Engineers Inc., 2026-03-26) Ünal, Nezih Mahmut; Çeliktaş, BarışTraditional cyber risk assessment methodologies face a critical dilemma: they are either quantitative yet static and context-agnostic (e.g., CVSS), or context-aware yet highly labor-intensive and subjective (e.g., NIST SP 800-30). Consequently, organizations struggle to scale risk assessment to match the pace of evolving threats. This paper presents an automated, context-aware risk assessment framework that leverages the reasoning capabilities of publicly available Large Language Models (LLMs) to operationalize expert knowledge. Rather than positioning the LLM as the final decision-maker, the framework decouples semantic interpretation from risk scoring authority through a transparent, deterministic Dynamic Metric Engine. Unlike complex closed box machine learning models, our approach anchors the AI's reasoning to this expert-validated metric schema, with weights derived using the Rank Order Centroid (ROC) method from a survey of 101 cybersecurity professionals. We evaluated the framework through a comparative study involving 15 diverse real-world vulnerability scenarios (C1-C15) and three supplementary sensitivity stress tests (C16-C18). The validation scenarios were independently assessed by a cohort of ten senior human experts and two state-of-the-art LLM agents (GPT-4o and Gemini 2.0 Flash). The results show that the LLM-driven agents achieve scoring consistency closely aligned with the human median (Pearson r ranging from 0.9390 to 0.9717, Spearman ρ from 0.8472 to 0.9276) against a highly reliable expert baseline (Cronbach's α =0.996), while reducing the assessment cycle time by more than 100× (averaging under 4 seconds per case vs. a human average of 6 minutes). Furthermore, a dedicated context sensitivity analysis (C13-C15) indicates that the framework adapts risk scores based on organizational context (e.g., SME vs. Critical Infrastructure) for identical technical vulnerabilities. Importantly, the system is designed not merely to replicate expert intuition, but to enforce bounded, policy-consistent risk evaluation under predefined governance constraints. Overall, these findings suggest that commercially available LLMs, when constrained by expert-validated metric schemas, can support reproducible, transparent, and real-time risk assessments.
