Peter Gutmann, Ph.D.

Peter Gutmann, Ph.D., is a researcher with the Department of Computer Science at the University of Auckland, specializing in the design and analysis of cryptographic security architectures. He helped write the popular PGP encryption package and, more recently, created the Cryptlib Security Toolkit, an OS-independent open-source security and encryption toolkit that offers high-speed encryption, key exchange, digital signatures, key and certificate management, smart card support, S/MIME and PGP email encryption, SSL and SSH session encryption, timestamping, CA management and various other features. Cryptlib, internationally used and recognized, is the only New Zealand product to have received a FIPS 140 security certification from the U.S. government.

Peter's research work includes an analysis of secure deletion of data from disk media, which shows how data can be recovered long after it should have been erased, and the creation of a method of data erasure, which has become a de facto standard for the deletion of sensitive data. A recent update to this work examines data remanence problems in RAM, EEPROMs and flash memory devices such as CompactFlash cards. Other research work includes design guidelines for secure random number generation, a problem that has plagued security software for some time. Last year he demonstrated how any cheap, off-the-shelf embedded PC could be converted into a custom crypto coprocessor using open-source software, providing equivalent performance and a higher level of functionality than its commercial equivalents, at a cost one to two orders of magnitude cheaper.

Peter has developed a number of widely used reference guides, including the X.509 Style Guide, which describes various X.509 certificate implementation details and pitfalls, and the Godzilla crypto tutorial, a 700-page reference covering security threats and requirements, services and mechanisms, key management, certificates, CA operations, digital signature legislation, IPSEC, SSL, SSH, email security, PGP, S/MIME, Kerberos 4 and 5, authentication tokens, biometrics, electronic payment mechanisms, SET, smart cards, PKCS #11, JavaCard/OCF, contactless cards, anonymity and watermarking. Peter has also authored numerous papers on industry issues such as certificate stores and certificate management systems (some of which are being used in a proposed Internet standard for certificate storage and retrieval) and an analysis of how to handle security requirements for online tax filing.

In the process of examining various widely used security programs, Peter has broken numerous encryption systems, including both the proprietary encryption algorithm and the DES encryption used in Norton's Diskreet disk encryption and the Windows 3.1 and Windows 95 password file (.PWL) encryption. He has demonstrated how to get Windows to mail out user passwords over the Internet, broken Netscape's web server private key encryption and devised an attack that recovered keys from the newer PKCS #12 format used by Microsoft Internet Explorer, Internet Information Server, Outlook Express and many others. He has also reverse-engineered Microsoft's AuthentiCode code signing technology.

Peter is a regular spokesperson and attendee at top industry conferences around the globe, including the annual Usenix Security Symposium. As an expert in the field, he acts as the moderator for the comp.compression.research newsgroup and the co-moderator of the sci.crypt.research newsgroup and is active in the privacy and crypto policy debate on various mailing lists, in newsgroups and occasionally in the media.

Peter received his Ph.D. from the University of Auckland Department of Computer Science, Auckland, New Zealand.

