Cryptosmith LLC

Information Systems Security Consulting


Cryptosmith is a modest consulting enterprise operated by Dr. Rick Smith, author of Internet Cryptography and Authentication: From Passwords to Public Keys. For further information on Dr. Smith's information security activities, visit his web site: http://www.smat.us/crypto/. For a brief professional bio, click here.

Areas of Expertise

I have extensive information security experience in both the US defense community and in the public (commercial) security community, as described below.

Public/Commercial

  • Authentication technology
    I have consulted on the development of commercial authentication products and have extensively studied the field. My recent book, Authentication: From Passwords to Public Keys, surveys the entire field of computer-based authentication and provides several simple techniques for assessing authentication effectiveness.
  • Cryptographic engineering
    I have worked on commercial cryptographic products, and my first book, Internet Cryptography, focuses on the construction of secure cryptographic devices. My interest and expertise focuses primarily on the protocols and architectural requirements of devices that incorporate established cryptographic algorithms.
  • Network security engineering
    I have developed network security plans for large enterprises and I've designed product security solutions both for security-specific products and security features for non-security products. I've had the privilege of working on some of the strongest security products ever built.
  • Commercial security evaluations
    I have worked on a variety of computer security product evaluations such as TCSEC/Orange Book and Common Criteria evaluations. I have also extensively reviewed these evaluations nationally and internationally in my research work.
  • Security policy
    I have developed information security policies for corporations and non-profit organizations. These policies have included acceptable use policies, web site content policies, and password policies. My web site, The Center for Password Sanity, is dedicated to improving the usability of password security policies while retaining password effectiveness (such as it is).

US Defense Related

  • Cryptographic engineering
    I have consulted on the design of cryptographic devices to meet the US Government's Type 1 cryptographic endorsement requirements.
  • Multilevel security and cross domain solutions
    I have extensive experience with multilevel security and cross-domain solutions. I was a key designer of the Standard Mail Guard, a multilevel device for passing RFC 822 e-mail (the product is described here, and the development program is described here). Since then I have consulted on the development of other multilevel products and systems.
  • Security evaluations
    I have participated in TCSEC/Orange Book security evaluations for multilevel devices and have extensive familiarity with the Common Criteria. I have produced security assurance documentation to support the Type 1 cryptographic endorsement process.
  • Certification and accreditation
    I have worked with C&A processes and coauthored a System Security Authorization Agreement (SSAA) in support of system accreditation. I am also familiar with Secret and Below Interoperability (SABI) processes.

Consulting Activities

Here are examples of consulting activities I have performed over the years.

  • Trade studies
    The client has certain security and program requirements and must determine which alternative best meets those requirements. This often involves research work in addition to reviewing the requirements.
  • Technical assessments
    The client has developed a product or technology and needs an outside opinion before sharing it with potential customers. This usually involves reviewing the technology descriptions and providing an assessment.
  • Proposal support
    The client has a business prospect and has identified a solution to offer, but needs help developing the concepts that will best present their solution. This is particularly important in subtle areas of security (like cryptographic systems or cross domain solutions).
  • Training
    The client has a team that needs to be brought "up to speed" on a particular set of security concepts or technologies. Typically the result is a seminar based on PowerPoint slides, though this is not what I usually do in my undergraduate college classes.
  • Legal Research
    The client is a law firm representing a client whose legal problem involves security technology. Typically I provide documentation regarding the technology in question. For patent disputes, for example, I may try to locate documents illustrating prior art relating to a patent claim.

Here are typical outputs of my work:

  • Reports - I prefer to produce written reports, since it is the clearest way in which I can present the conclusions of a complex study. Writing examples are posted here.
  • Presentation Slides (PowerPoint) - When necessary or appropriate, I produce PowerPoint slides. This happens most often when developing training or proposal-related materials. Examples of my presentations are posted here.
  • Document Archive - If the work involves extensive Internet research, I will usually try to save copies of significant source materials. These will be placed on a CD-ROM or DVD-ROM for the customer, if desired.
  • Workshops and Technical Meetings - Some people can absorb the information from a document, and some from a presentation, but others absorb it best when there's a give-and-take between writer and reader. Technical meetings give the client's technical experts a chance to talk over the concepts, evidence, and conclusions. This often gives them the most benefits from the work I have done.

Credentials

I have a B.S. cum laude in engineering from Boston University and an M.S. and Ph.D. in computers and information science from the University of Minnesota.

I am a Certified Information Systems Security Professional (CISSP). I also hold a "Security Engineering" specialty certification (ISSEP). This certification was developed for the National Security Agency to reflect knowledge about US government information security requirements, standards, and processes. I also hold a "Security Architecture" specialty certification (ISSAP). These credentials are administered by the International Information Systems Security Certification Consortium (ISC2).


References

Specific customer references are available on request. Other reference and contact information is available from the following sources:

  • Department of Defense Central Contractor Registry (CCR).
  • Dun & Bradstreet (D&B).
  • LinkedIn - a web site containing professional endorsements. Click here for my entry.

Location and Availability

  • Location: I am located near St. Paul, Minnesota. I am willing to do some travel for meetings, as long as it does not interfere with my teaching schedule.
  • Availability: I teach full-time at the University of St. Thomas. I have some limited availability during the school year (September-December and February-May) and greater availability during other times, depending on projects.

Contact

  • Contact me via e-mail: rick@cryptosmith.com.
  • Phone or e-mail me at my office at St. Thomas by referring to contact information on my University home page (click here).
  • If you need privacy, you may use PGP.
    • Click here to download my PGP public key.
    • Click here to display my PGP public key in text form.
    • My PGP public key is also available from the PGP company key server at keyserver.pgp.com. You can retrieve it by searching for my Cryptosmith e-mail address given above. Here is the fingerprint:
      1A42 C8AC 101F B629 2630 1BC7 F173 905F AED0 0C75

Richard E. Smith, rick@cryptosmith.com

Created 8/9/2002, Last update 11/13/2005

Copyright © 2002, 2005, Cryptosmith LLC