Paul founded Cryptography Research, where he now serves as president and chief scientist. He has held positions at RSA Security and was a founding member of Valicert, Inc. (Tumbleweed). Among his notable accomplishments are his work on SSL 3.0, the DES Key Search machine, and discovering timing attacks and Differential Power Analysis. He holds a B.S. from Stanford University.
SM: To start, take us through your background. Where are you from?
PK: My mother is Canadian, although whatever accent she passed on has mostly been beaten out of me. I grew up in Oregon, where my father was a university professor. He taught physics, although I don’t know the details. My parents were very hands-off. They opened the doors, let us go get muddy, and cleaned us up afterwards. My dad brought home lots of computer equipment from his office with no manuals. I learned computer science backwards. Today you start by learning high-level languages like Java. I started with Assembly because that was all there was.
SM: What year was that?
PK: I am horrible with dates. That would have been around fifth grade, so sometime around 1982. I was not athletic, so the computer was much more interesting than going out and getting pummeled. After high school I went to school at Stanford, and I was planning on being a veterinarian. I loved animals and worked at a vet clinic in high school. Becoming a doctor is tough, but if I made a mistake and somebody died, I don’t know if I could keep going.
I got a degree in biology. However, around sophomore year I ran out of money. My parents would have helped, but there are always strings attached when money comes along. I ended up getting work at RSA Data Security. I worked there while I was in school, and I also got some consulting projects from Microsoft doing security evaluation work. At that time the CD format was the new thing; hundreds of floppy disks could be stored on a single CD.
SM: What a sense of freedom!
PK: There was so much data nobody knew what to do with it! Microsoft was trying to figure out if they could put all of their programs on one CD and do various ‘try before you buy’ business models. I was doing reviews of these for them. They would send me the product, and I would break it and then send them a note telling them how I did it. I did not charge them enough money, but it did help pay my way through school.
When I graduated, Martin Hellman had a consulting project he no longer wanted to do, so he sent it my way. My vet school plans went on ice while I took on that project. That project, and others, were lots of fun. The nice thing, or horrible thing, about security is you never know if you got it right or not. You can find out that somebody broke your systems, or you may see the bad outcomes, but when you are launching a program you generally have no idea if you have done a good enough job. Unlike most areas of computer science, in security you do not go for the cheapest solution. You go for the most conservatively designed and robust one. It connects all of the threads together: the user interface, the code, the business model, the operating system and the hardware. Everything can screw up your security, so you have to worry about it. The same amount of ambiguity you have to deal with in veterinary medicine is also dealt with in security. You really have to solve a problem with very limited information.
SM: That is interesting. Our dog is quite old, and he has all sorts of problems. You don’t do an MRI and all the things you would otherwise to diagnose an issue. The vet is all trial and error. That is a good comparison to your line of work.
PK: It certainly requires a lot of instinct. You cannot ask. I may be drawing parallels more than I should, but I think there are similarities. Once I had those consulting projects, two things happened. First, I hired a friend to work with me. He was someone I knew from seventh grade, and he was doing a lot of interesting computer work. I am easygoing, and he is as well, so there were no real challenges there. We are still close friends.