Paul Van Oorschot

email: paulv (insert "at" here) 
voice +613.520.2600 ext.4356
Ottawa, Canada

Short biography: Paul C. Van Oorschot is a Professor of Computer Science at Carleton University in Ottawa, Canada. He is an ACM Fellow, IEEE Fellow, and Fellow of the Royal Society of Canada. He is author of Computer Security and the Internet: Tools and Jewels from Malware to Bitcoin (2021), and co-author of Handbook of Applied Cryptography (1996). He was Program Chair of USENIX Security 2008 and NDSS 2001-2002, and has served on the editorial boards of IEEE TDSC, IEEE TIFS, and ACM TISSEC/TOPS. His research interests include authentication and identity management, computer and Internet security, software security, usable security, key management, and applied cryptography.

The longer story: I am a Professor of Computer Science at Carleton University, and founding Director of the Carleton Computer Security Lab. Over 2002-2023, I was a Canada Research Chair in authentication, computer security, and network security. Over 2008-2013, I was Scientific Director and Principal Investigator of NSERC ISSNet, a strategic research network exploring computer and Internet security, involving 14 professors across 8 Canadian universities. My most recent book is Computer Security and the Internet: Tools and Jewels from Malware to Bitcoin (2021; 1/e 2020), openly available from my personal page and commercially available from the usual vendors and the publisher Springer. To many I am known as co-author of the Handbook of Applied Cryptography (1996), the standard crypto reference for engineers and applied researchers, also free online (but if you like it, please buy a hard copy - to reassure our publisher that this approach helps their sales). I co-authored An Introduction to Error Correcting Codes with Applications (1989) with my late advisor, Scott Vanstone. My industrial experience includes positions at Entrust Technologies as Chief Scientist and Chief Security Architect; Chief Scientest at Cloakware Corporation; and with the Secure Networks division of Bell-Northern Research (BNR Ottawa), the R&D arm of once-mighty Northern Telecom (Nortel). My Ph.D. (1988) is from the Canada's University of Waterloo, which in June 2000 also awarded me the J.W. Graham Medal in Computing and Innovation; I had the privilege of working under Wes Graham and his colleagues, and his son Jim on undergrad work terms at Waterloo. I am an inventor on 20 issued patents (18 U.S., 2 Canadian). In 2011, I was inducted as a Fellow of the Royal Society of Canada (RSC), the oldest association of scientists and scholars in Canada, within the Academy of Science (Division of Mathematical and Physical Sciences). I received Carleton University's Faculty Graduate Mentoring Award in 2013, was named ACM Fellow in 2016 for contributions to applied cryptography, authentication and computer security, IEEE Fellow (effective Jan 2019) for contributions to applied cryptograpy and authentication, and appointed Professorial Fellow (Honorary Professor, 2017-2022) at the University of Melbourne. In 2023, the ACM committee sponsoring computer and communications security research conferred an ACM SIGSAC Outstanding Contribution Award for my scientific work in applied cryptography, authentication, and the Handbook of Applied Cryptography.

Early career. On completing graduate school, I joined BNR as a member of scientific staff, and soon found myself in a small security group. Having a PhD, it was assumed that I was a security expert (I knew some math and a bit of number-theoretic cryptography). As colleagues brought their security problems to our group, I began learning about security in the real world. Our group of about five in 1993 seeded what eventually spun out in January 1997 as above-mentioned Entrust. Over the past 35 years my research interests have ranged from applied cryptography to Internet security, including security architectures and infrastructures. My industrial work has included crypto-security research and product development, security assurance, the development and protection of core intellectual property, and cryptographic consulting. As is the fate of many cryptographers in industry, I have been involved in issues related to cryptographic policy, crypto export, and key escrow. I moved into academia in 2002, accepting a tenured appointment as professor and research chair.

In the early and mid 1990's, I was part of a small group that pioneered what is known as Public Key Infrastructure (PKI), now embraced worldwide as the basis for Internet security. This includes the use of public-key certificates for authentication and encryption for secure browser sessions (via TLS, formerly SSL) and large-scale Virtual Private Networks (VPNs). Although now widely used in various forms, it turns out that more than 25 years after PKI technology was first considered "ready for prime-time", there remain many research challenges in its real-world use, in the face of ongoing Internet fraud and malicious activity. While advanced authentication technologies including PKI failed to replace global use of passwords, a slow but steady transition to two-factor authentication to augment passwords-only is in progress, strengthened by industry support for open APIs and FIDO-based protocols. An early motivation for my interest in Internet authentication was the practise, by many banks, of password-based authentication for online banking and now email-based money transfers, despite documentation of large-scale customer losses that are not made whole.

I was among the first wave of researchers recognizing usability and security as an important interdisciplinary research area: the design and study of computer-related security mechanisms that take into account human users, who represent a design constraint often addressed poorly by software and software developers. Other research interests have included smartphone security, secure software installation, network scanning, the interconnected disciplines of software, application and web security, and computer security in general. My interest in authentication and identity management has included image-based passwords (graphical passwords).

Trivia from Previous Lives. As a university undergraduate, I played four years (1980-84) on the University of Waterloo Warrior basketball team, the last two as captain. In 1982-83, a year we were national finalists, I was team MVP, and the university's Athlete of the Year. Finishing undergraduate school in 1984 with a 93.9% grade average, the University of Waterloo awarded me the K.D. Fryer Gold Medal. I enjoyed serving two years on the University of Waterloo Senate (1986-88) as well as the university's Board of Governors (1986-88).

Side note on cryptocurrencies. My 2021 book (above) includes a chapter on Bitcoin and Ethereum (two cryptocurrency systems), to allow those with minimal computer science and security background to gain a technical understanding of blockchain technologies. I believe that understanding this is important to enable informed decisions and to be aware of dangers and false promises related to many cryptocurrencies, distinct from blockchain technology in general. If you are interested to know more about the harms caused by today's cryptocurrency-based systems, you might read this interview with Nicholas Weaver (13 May 2022, Economics): All Cryptocurrency Should "Die in a Fire".

Last updated: Dec 2023