Gutmann: operating under the radar

R. A. Hettinga rah at shipwright.com
Mon Apr 5 08:18:19 PDT 2004


<http://www.computerworld.co.nz/news.nsf/PrintDoc/3F25D67E47980786CC256E6C007EE7D2?OpenDocument&pub=Computerworld>

Computerworld NZ
Tuesday, 6 April, 2004

Gutmann: operating under the radar


Paul Brislen, Auckland

He describes himself as a "professional paranoid", but cryptography expert
Peter Gutmann (pictured) is quite willing to buy products online using his
credit card and advocates writing down passwords on a piece of paper.

Gutmann, a developer, author, speaker and honorary researcher at Auckland
University's computer science department, realises that the password advice
might seem to fly in the face of reason.

"Think about it. If you've written down your complicated password on a
piece of paper someone would have to break into your house to get it to
then break into your online account. That's not likely when the crooks are
sitting in Eastern Europe."

Conversely, he says having one user name and password for all accounts is
perhaps the worst thing a user can do.

"That way if one account is compromised then effectively all of them could be."

Gutmann is world-renowned for his work on security architecture and is in
demand on the IT security speaking circuit. His PhD thesis has been
released as an academic text book (Cryptographic security architecture:
design and verification) and he has at least two more in the pipeline.

"That one's very much an academic book. The next one is more
straightforward and is more about my take on different security issues."

Gutmann's role at Auckland University doesn't pay anything but it allows
him to do what he likes. His income is derived from one of those products
nobody's ever heard of but which many of us use - Cryptlib.

Cryptlib is in embedded products such as ATMs and print servers, where it
authenticates a user's right to use a particular printer.

"It's widely used but invisible. Basically it's a general purpose tool used
inside applications so most people don't even know it's there."

Gutmann says this is the best approach to issues like email encryption -
make it happen automatically.

"PGP has been around for over a decade and has a tiny market share still."

Cryptlib, by comparison, is marketed by health software developer Orion
Systems.

"There are plenty of cool people using it but if I tell you who they are
they'll kill me," says Gutmann, only half joking.

Gutmann didn't set out to be a cryptographer.

"I was working in data compression but you really can't make much of a
difference there. I sort of drifted into cryptography." Gutmann says his
approach isn't one of maths-intensive algorithms.

"There's very little maths involved. Basically that part of it's secure
these days. It costs too much in terms of time and effort to break the code
to make it worthwhile. I work on the stuff around that to make sure that's
defensible."

Gutmann offers the example of public keys. "What's the point of securing
your system with the most up-to-date encryption technology if you email
someone your key in an insecure manner?"

Gutmann likes to quote cryptographer Bruce Schneier on the subject.

"Basically he says it's like putting a large iron stake in the ground in
your front garden and hoping the burglar will run into it. It's the rest of
the garden that matters as well."

So Gutmann isn't worried that if he's too good at his job he'll do himself
out of a career.

"As long as there are computers we'll need security people."

-- 
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'