Education

Masters of Science in Mathematics, California Polytechnic State University, San Luis Obispo.

Masters of Science in Mathematics, University of California, Irvine.

PhD Candidate in Mathematics, University of California at Irvine in the area of Algorithmic Algebraic Number Theory under Daqing Wan.

Core Areas of Expertise

• Application of Mathematics to Cryptography
• FIPS 140 interpretation and evaluation of products to FIPS 140
• Security engineering and security evaluation
• Cryptography
• Network security protocols
• Network security evaluation
• Non-deterministic RNG evaluation
• Training diverse audiences in highly technical matters
• Production of effective technical reports
• Broad exposure to a cross section of marketed security solutions

Experience

Graduate Student, Teaching Assistant, Research Assistant at University of California at Irvine, Department of Mathematics, 2008 to Present. Concentration: Algebra / Number Theory. Teaching assistant to 60-120 students per quarter in the subjects of calculus (differential, integral, multi-dimensional), linear algebra, differential equations, cryptography, group theory, and a one year graduate level algebra series. Received "Outstanding Mathematics Teaching Assistant Award" for 2010-2011.

Senior Security Engineer, for InfoGard Laboratories, 2004 to 2008. In addition to the responsibilities of Security Engineer: Company technical lead. Provide technical guidance and training to security engineers and customers on complex technical issues. Evaluate formal models for high assurance systems. Design analysis and statistical evaluation of RNGs. Evaluation of statistical tests. Authoring, evaluation, and editing of public ANSI/NIST security standards. Programming and support of internal test tools. Simple and Differential Power Analysis (SPA/DPA) and timing attack testing. Cryptographic protocol and algorithmic analysis. Developed FIPS 140-3 requirements and testing procedures. Participated in PCI scan vendor accreditation testing. Created InfoGard's Penetration Testing Laboratory, and was responsible for its operation.

Security Engineer, for InfoGard Laboratories, 1998 to 2004. FIPS 140-1 and 140-2 cryptographic module validation. Common Criteria evaluation. VISA PED and PCI testing. USPS testing for electronic and mechanical indicia production. Network security analysis. Produce written summaries of security vulnerabilities. Firewall and IDS design and evaluation. Code audits and security evaluations. System and Network administration.

Graduate Teaching Associate, for California Polytechnic State University 2005-2007. Instructor for 9 quarter long university mathematics courses (Pre-calculus Algebra and Business Calculus). Developed syllabi, lectures, tests, quizzes and assigned final grades.

Systems Developer, for The Grid, a national ISP. 1997 to 1998. Programming and support of internal and external user interfaces. Support of DNS, mail, and web servers. System and network security. Firewall design and implementation. (BSDI / Solaris / NT)

System Administrator, for Robert E. Kennedy Library, Cal Poly, San Luis Obispo. 1996 to 1998. Initial setup and administration of UNIX/NT based computers; Installation and upkeep of web, mail, DNS, gopher, and various custom network servers. Custom programming and scripting. Upkeep of legacy systems. Securing UNIX systems against threats, both internal and external. (Linux / NT / OSF1)

Papers

• An Analysis of the RADIUS Authentication Protocol
• Paul Erdős, Mathematical Genius, Human (in that order)
• A Recurrence Relation for Pi
• e i e i, oh!
• ApEn Test Parameter Selection
• An analysis of the "Guess 2/3 of the Average" game
• A Description of the Number Field Sieve
• The Minimum of n Independent Normal Distributions
• A Recurrence Relation for Pi
• The 7-11 Problem and its Solutions
• Ciphertext stealing Wikipedia entry (principal author)
• Weil Image Sums (and some related problems)
• Counting Value Sets: Algorithm and Complexity (with Qi Cheng and Daqing Wan)

Presentations

• The Zen of Information Security
• Securing a Linux Box: It's mine, and You Can't Use It
• Network Security: A Quick Overview
• Cryptographic Foibles and Missteps.
• Coppersmith's Theorem: Background, Generalizations and Applications.
• Weil Image Sums (and some related problems)
• Counting Value Sets: Algorithm and Complexity
• Block Ciphers: Modes of Use, DES and AES
• Random Bit Generation: Theory and Practice
• The Dual Elliptic Curve Deterministic RBG
• Joux's Recent Index Calculus Results

Authored Internal Training Presentations (each runs 2 to 8 hours)

• Basic Cryptography. Touches on historical uses of cryptography, the recent development of modern cryptography, cryptographic goals, cryptographic primitives, attack classes, security evaluation models, and a theoretical framework for symmetric and asymmetric cryptography.
• Cryptographic Algorithms. General principals of symmetric cipher design. Key schedules, general cipher design (Feistel and product ciphers). Detailed presentation of the design of DES, including weak/semi-weak keys and known attacks. Detailed presentation of the design of AES. Overview of internals of Skipjack, and SHA family.
• Randomness Theory. General theoretical background for RNG analysis and review, with emphasis on entropy evaluation of non-deterministic RNGs. Discussion on Shannon entropy and min-entropy. Summary of the SP800-22 testing requirements and use of the NIST sts tool.
• Randomness Practice. General PRNG design and characteristics. Detailed presentation on ANSI X9.31 A.2.4 PRNG, with emphasis on the algorithm's cycle properties. Implementation of the ANSI X9.31 A.2.4 PRNG using other symmetric algorithms. Detailed presentation on FIPS 186-2 appendix 3.1 PRNG, with emphasis on XSEED attacks. Detailed presentation on SP800-90 Hash_DRBG, HMAC_DRBG, CTR_DRBG. Summary of the findings for Dual_EC_DRBG.
• Algorithm modes. Discussion of symmetric algorithm confidentiality modes (ECB, CBC, CFB, OFB, CTR), including error propagation and plaintext malleability. Discussion of authentication modes (CBCMAC, CMAC, HMAC), including susceptibility to extension attacks. Discussion of combined modes (CCM, GCM)
• Public/Private Key Cryptography. Discussion of general properties of public/private systems, security strengths, and complete mathematical detail for RSA, DSA, ECDSA, DH, ECCDH , MQV and ECMQV. Demonstrate an example calculation for RSA, Diffie-Hellman, and ECDSA.
• Error Detection Codes: Basic error detection properties of parity, (1s compliment) checksum, and CRC. Examples of the calculation for each method.
• Penetration Testing, The Path to Fun and Profit (through the inevitable): An overview of the techniques of penetration testing, with emphasis on the shortcomings of this testing technique.

Software

• fidentd, an identd program that always identifies any network communication as associated with a specified user (generally a fake user).
• rpasswd, a random password generator whose passwords are based on the S/Key dictionary.
• ketchup, a utility that keeps track of the changes in a log file between views.
• sts 1.5, with errata. NIST no longer supports the UNIX version of sts, so I keep its statistical tests current with the current windows version (and my version runs 6 times faster than the NIST version). I have also added configuration file support, parameter checking, and fixed numerous bugs.
• A rewrite of the ent program for assessing entropy. Includes several of the SP800-22 tests, as well as likely upper bound calculation for Shannon and min-entropy (for various block sizes, with arbitrary offsets).
• A reference implementation of the ECDSA algorithm in Mathematica, with support for all NIST approved curve (on both prime ordered and binary fields)
• A reference implementation of the FIPS 186-3 RSA key generation procedure in Mathematica.

Languages

Other

Linux Audit Team, 1998 to 2005. Auditing of common Linux tools in order to detect security flaws or faulty programming.

Security Consultant, 1994 to present. Computer, network and data security. Design, review and implementation of security systems for a variety of levels of security.

Cryptographic Research, 1995 to present. Cryptographic application development, protocol design and review and algorithm verification. Member of the IACR

C/C++ Development: over 22 years of experience in the development of 'C' programs of various scales. Over 19 years of experience in 'C++' development.

Personal

References