Paul Van Oorschot

email: paulv (insert "at" here) scs.carleton.ca 
voice +613.520.2600 ext.4356
Ottawa, Canada

Short biography: Paul C. Van Oorschot is a Professor of Computer Science at Carleton University in Ottawa, where he is Canada Research Chair in Authentication and Computer Security. He is a Fellow of the Royal Society of Canada (FRSC), Canada's national academy. He was Program Chair of USENIX Security 2008, Program co-Chair of NDSS 2001 and 2002, co-author of the Handbook of Applied Cryptography (2001), and is on the editorial board of IEEE TDSC, IEEE TIFS, and previously ACM TISSEC. He has served as Scientific Director of NSERC ISSNet, a pan-Canadian strategic research network exploring computer and Internet security. His current research interests include authentication and identity management, security and usability, smartphone security, software security, and generally computer and Internet security.

The longer story: I am a Professor of Computer Science at Carleton University, hold the Canada Research Chair in Authentication and Computer Security, and am founding Director of the Carleton Computer Security Lab. I have been the Scientific Director and Principal Investigator of NSERC ISSNet (2008-2013), a strategic research network exploring computer and Internet security, involving 14 professors across 8 Canadian universities. To many I am best-known as co-author of the Handbook of Applied Cryptography, the standard crypto reference for engineers and applied researchers, which somehow continues to rank near or at the top in lists of most cited (all-years) Security and Privacy publications. The entire book is free online, without strings (but if you really like it, please buy a copy - we've convinced our publisher that this approach helps sales, and it does). My industrial experience includes positions at Entrust Technologies as Chief Scientist, Vice President, and Chief Security Architect; as Chief Scientist at Cloakware Corporation; and with the Secure Networks division of Bell-Northern Research (BNR Ottawa), the once-mighty R&D arm of a company called Northern Telecom (later Nortel). My Ph.D. (1988) is from the University of Waterloo (Canada), which in June 2000 also awarded me the J.W. Graham Medal in Computing and Innovation. I am listed as an inventor on 20 issued patents (18 U.S., 2 Canadian). In 2011, I was inducted as a Fellow of the Royal Society of Canada (RSC), the oldest association of scientists and scholars in Canada, elected under the Division of Mathematical and Physical Sciences, of Academy III (The Academy of Science). In 2013, I received Carleton University's Faculty Graduate Mentoring Award.

Upon finishing graduate school, I joined BNR as a member of scientific staff, and soon found myself in a small security group. Having a PhD, it was assumed that I was an expert in security (I did know some math and had studied number-theoretic cryptography). Other employees brought their security problems to me. This caused much rapid learning. Our security group of about five in 1993 formed the seed of what eventually spun out in January 1997 as the above-mentioned Entrust; I was a founding employee. Over the past 25 years, my research interests have ranged from applied cryptography to Internet security, including security architectures and infrastructures. My industrial work has included crypto-security research and product development, security assurance, the development and protection of core intellectual property, and cryptographic consulting. As is the fate of many cryptographers in industry, I have been involved in issues related to cryptographic policy, crypto export, and key escrow. I made the move into academia proper in 2002, taking an appointment as a tenured professor and research chair.

In the early and mid 1990s, I played a role in pioneering what is known as Public Key Infrastructure (PKI), now embraced by the world's largest software companies as the basis for Internet security. This includes the use of public-key certificates for authentication and encryption for secure browser sessions (via SSL) and large-scale Virtual Private Networks (VPNs). Although now very widely used in various forms, it turns out that more than 15 years after PKI technology was first considered "ready for prime-time", there remain many research challenges related to real-world deployment and everyday use, in the face of increasing Internet fraud and malicious activity. Surprisingly, advanced authentication technologies have failed to eliminate the escalation of ordinary passwords. Another motivation for my ongoing interest in Internet authentication is the continued practice, by many banks, of password-based authentication for online banking, despite mounting documentation of very large-scale customer losses that are not made whole.

This has fueled my renewed interest in PKI (including usability issues), text passwords, image-based passwords (graphical passwords), and more generally, authentication and identity management. I believe that an increasingly important interdisciplinary research area is usability and security: the design and study of computer-related security mechanisms which take into account human users, a design constraint which most software and software developers don't address well. Other current research interests include smartphone security, secure software installation, network scanning, the interconnected areas of software, application and web security, and computer security in general. For publications, technical conferences and activities I am currently involved in, see my university page. If you are a potential graduate student looking for a supervisor, please read this page.

Trivia from Previous Lives. As a university undergraduate, I played four years (1980-84) on the University of Waterloo Warrior basketball team, the last two as captain. In 1982-83, the year we were national finalists, I was team MVP, and the university's Athlete of the Year. Finishing undergraduate school in 1984 with a 93.9% grade average, the University of Waterloo awarded me the K.D. Fryer Gold Medal. I enjoyed serving two years on the University of Waterloo Senate (1986-88) as well as the university's Board of Governors (1986-88).

Last updated: January 2013