[IP] Master Key Copying Revealed (Matt Blaze of ATT Labs)

Len Sassaman rabbi at abditum.com
Fri Jan 24 16:25:21 EST 2003


On Fri, 24 Jan 2003, Matt Blaze wrote:

> Len,
>
> We're probably getting a bit into the depths of the details for this
> (cryptography-oriented) list, so I'll certainly understand if Perry doesn't
> forward this on.

Ditto. Time for a "lockpunks@" list? =)

> It surely would be possible to have a Medeco-type design using
> different rotations for the change and master by cutting new holes/grooves
> in the bottom pin.  I've not seen that on any of the Biaxial pins
> I've looked at, and the Medeco pinning kits I've seen seem to have
> such pins in them (maybe they sell them only to certain customers?  In
> any case, such a kit would have to be very large indeed).

I was trying to draw this in ASCII-art, and failing. Looks like Derek had
the same problem.

In any case, you'll typically find the more complex pin combinations in
installations where you need a large number of change keys on the same
master key. It's more work to design a master-key system when you add in
these additional variables, so some locksmiths probably won't do it unless
they have to.

> But even if they did, you'd still be able to straightforwardly do the
> attack, consuming up to 3 (in the standard design) or 6 (in the Biaxial
> design) blanks per pin (at each rotation/offset).

I'm forgetting off the top of my head how many pins a Medeco Biaxial has
-- it's 7, right? That would mean in the worst case you would need to try
42 different key blanks. And filing a Biaxial is probably not feasible, so
you would need the machine. I'm just not convinced this would ever be done.
The time and effort involved would almost certainly make this a less
efficient attack than others.

> Some of the "restricted" Medeco blanks are in fact readily available; others
> aren't but can be modified from available blanks, and still others
> seem to require extensive milling or casting.

Medeco has a number of different blanks for a number of different security
models. The restricted ones are either "Card restricted", where you can go
to a Medeco authorised locksmith and present your signature card to
have the key duplicated; "Contract restricted" where your key is using a
blank that is tied to a specific locksmith (or specific to your
organization), and you must deal with that locksmith only; and "Factory
restricted", where Medeco itself does duplication, and the key blanks are
not released outside of the factory. The last two require the same
signature card/ID authorization as well.

Sure, you could mill or cast your own blanks to beat the factory controls.
That is surely a waste of time, since either there are going to be easier
ways to gain access without attacking the lock directly, or the lock will
be using dummy-stepping if not on a master-ring system, because the
locksmith has considered this attack.


--Len.


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com