Paul Van Oorschot

email: paulv (insert "at" here) 
voice +613.520.2600 ext.4356
Ottawa, Canada

Short biography: Paul C. Van Oorschot is a Professor of Computer Science at Carleton University in Ottawa, Canada. He is an ACM Fellow, IEEE Fellow, and Fellow of the Royal Society of Canada (FRSC). He is author of Computer Security and the Internet: Tools and Jewels from Malware to Bitcoin (2021), and co-author of Handbook of Applied Cryptography (1996). He was Program Chair of USENIX Security 2008 and NDSS 2001-2002, and has served on the editorial boards of IEEE TDSC, IEEE TIFS, and ACM TISSEC/TOPS. His research interests include authentication and identity management, computer security, Internet security, software security, usable security, key management, and applied cryptography.

The longer story: I am a Professor of Computer Science at Carleton University, and founding Director of the Carleton Computer Security Lab. Over 2002-2023, I was a Canada Research Chair in authentication, computer security, and network security. Over 2008-2013, I was the Scientific Director and Principal Investigator of NSERC ISSNet, a strategic research network exploring computer and Internet security, involving 14 professors across 8 Canadian universities. My most recent book is Computer Security and the Internet: Tools and Jewels from Malware to Bitcoin (second edition 2021; first edition 2020). It is openly available from my personal page, and commercially available from the usual vendors (and the publisher, Springer). To many I am best-known as co-author of the Handbook of Applied Cryptography (1996), the standard crypto reference for engineers and applied researchers, and which continues to rank highly on lists of most-cited all-time Security and Privacy publications. It is also free online, without strings (but if you like it, please buy a copy - we've convinced our publisher that this approach helps their sales). I also had the privilege of co-authoring An Introduction to Error Correcting Codes with Applications (1989) with my late advisor, Scott Vanstone. My industrial experience includes positions at Entrust Technologies as Chief Scientist, Vice President, and Chief Security Architect; as Chief Scientest at Cloakware Corporation; and with the Secure Networks division of Bell-Northern Research (BNR Ottawa), the once-mighty R&D arm of a company called Northern Telecom (later Nortel). My Ph.D. (1988) is from the University of Waterloo (Canada), which in June 2000 also awarded me the J.W. Graham Medal in Computing and Innovation; I had the privilege of working under Wes, and with his son Jim, on undergrad work terms at Waterloo. I am listed as an inventor on 20 issued patents (18 U.S., 2 Canadian). In 2011, I was inducted as a Fellow of the Royal Society of Canada (RSC), the oldest association of scientists and scholars in Canada, being elected under the Academy of Science (Division of Mathematical and Physical Sciences). I received Carleton University's Faculty Graduate Mentoring Award in 2013, was named ACM Fellow in 2016 for contributions to applied cryptography, authentication and computer security, IEEE Fellow (effective Jan 2019) for contributions to applied cryptograpy and authentication, and appointed Professorial Fellow (Honorary Professor, 2017-2022) at the University of Melbourne.

Upon finishing graduate school, I joined BNR as a member of scientific staff, and soon found myself in a small security group. Having a PhD, it was assumed that I was an expert in security (I did know some math and had studied number-theoretic cryptography). Other employees brought their security problems to our internal security group. This caused much rapid learning. Our group of about five in 1993 formed the seed of what eventually spun out in January 1997 as the above-mentioned Entrust. Over the past 35 years, my research interests have ranged from applied cryptography to Internet security, including security architectures and infrastructures. My industrial work has included crypto-security research and product development, security assurance, the development and protection of core intellectual property, and cryptographic consulting. As is the fate of many cryptographers in industry, I have been involved in issues related to cryptographic policy, crypto export, and key escrow. I moved into academia proper in 2002, taking an appointment as a tenured professor and research chair.

In the early and mid 1990's, I was part of a small group that pioneered what is known as Public Key Infrastructure (PKI), now embraced by the world's largest software companies as the basis for Internet security. This includes the use of public-key certificates for authentication and encryption for secure browser sessions (via SSL, now TLS) and large-scale Virtual Private Networks (VPNs). Although now widely used in various forms, it turns out that more than 25 years after PKI technology was first considered "ready for prime-time", there remain many research challenges related to its real-world deployment and everyday use, in the face of increasing Internet fraud and malicious activity. While advanced authentication technologies including PKI failed to slow universal use and growth of password-based authentication, the slow but steady transition to two-factor authetication to augment password-only authentication is now in progress, strengthened by industry support for open APIs and FIDO-based protocols. An early motivation for my interest in Internet authentication was the practise, by many banks, of password-based authentication for online banking, despite considerable documentation of very large-scale customer losses that are not made whole.

This fueled my interest in authentication and identity management, including image-based passwords (graphical passwords). I was among the first wave of researchers recognizing usability and security as an important interdisciplinary research area: the design and study of computer-related security mechanisms that take into account human users, who represent a design constraint often addressed poorly by software and software developers. Some of my other research interests have included smartphone security, secure software installation, network scanning, the interconnected disciplines of software, application and web security, and computer security in general.

Trivia from Previous Lives. As a university undergraduate, I played four years (1980-84) on the University of Waterloo Warrior basketball team, the last two as captain. In 1982-83, a year we were national finalists, I was team MVP, and the university's Athlete of the Year. Finishing undergraduate school in 1984 with a 93.9% grade average, the University of Waterloo awarded me the K.D. Fryer Gold Medal. I enjoyed serving two years on the University of Waterloo Senate (1986-88) as well as the university's Board of Governors (1986-88).

Side note on cryptocurrencies. My 2021 book (above) includes a chapter on Bitcoin and Ethereum (two cryptocurrency systems), to allow those with minimal computer science and security background to gain a technical understanding of blockchain technologies. I believe that understanding this is important to allow informed decisions and to beware the dangers -- discussion of which are absent in many popular media articles promoting cryptocurrencies. I see two main explanations for this absence: people who do not understand the technology, and people who do but nonetheless promote cryptocurrencies for personal gain. If you are interested to know more about the harms caused by today's cryptocurrency-based systems, one starting place is this interview with Nicholas Weaver (13 May 2022, Economics), who believes that All Cryptocurrency Should "Die in a Fire".

Last updated: Nov 2023