[IP] Master Key Copying Revealed (Matt Blaze of ATT Labs)

Fri Jan 24 20:30:13 EST 2003

On 2003-01-24, Len Sassaman uttered to Arnold G. Reinhold:

>(This is a purely physical limitation. If you had pins that were of
>drastically different heights next to each other, key insertion would be
>extremely difficult or impossible.)

One should also note that this particular problem doesn't affect disc
wafer designs, like ABLOY's. On other fronts such designs fail as badly as
pin tumbler one, of course. I don't know about the newer designs, though
-- it seems the basic design allows an affordable analog to double
cylinder keying, which doesn't leak as much information. As Matt notes,
such designs have other vulnerabilities, especially when somebody
dismantles the lock itself.

The next logical question is, are there ways of making locks more secure,
starting from cryptanalytic principles? As far as information leakage
goes, the problem is easily corrected by going to double ring designs or
the applicable analogs. From the standpoint of reverse engineering, it
seems we're off into the domain of mechanical computing or wishful fancy,
depending on one's personal level of optimism. That means high security
mechanical lock makers might have to suffer a flashback into Babbage's
age. How's that for retro? ;)

(Okay, they're going for infrared keys and/or RFID, now. That's about
challenge-response, public keys and tamper resistance. I wonder if the
lock community has recognized the inevitable link to what crypto people
are doing...)

>Heck, it's possible to construct a set of all possible *keys* for a given
>lock. Even with the optimizations of knowing which pin combinations are
>physically impossible to use, however, this is still a lot of
>combinations.

Sure. But trying those combinations out can be automated -- I don't think
the kind of automatic lock pickers one sees in current action movies are
*entirely* fictional.

Rotational shear dictates that the key channel of every normal lock must
have a certain minimum cross-section, given a material for the key. If you
think about how long a lock cylinder can be in common applications, one
has a whole lot of room for all sorts of mechanics within the space
alloted for the key in a working lock. It might even be the length of the
cylinder is strictly limited by rotational shear concerns. My first take
on designing an automated probe would simply be to apply rotational noise
to the lock, record the vibration coming back, while sliding a probe
through the cylinder. When each disc/pin is pushed into the free position,
one would expect it to be exceedingly difficult to hide changes such a
match will cause in the response of the signal chain.

>Most of the time, the lock is not the weakest point of attack.

Naturally. I think both Matt and those interested in locks on-list
primarily consider this a funky excercise in what I'd call far-too-applied
cryptanalysis.

>Attacking the lock in this manner is analogous to breaking a
>crypto-system by attacking the cipher. Usually, other parts of the
>implementation are much weaker.

Yes. I say, jump the threat model. Ram a car through the door or arrange
to deliver a promotional pizza to someone behind it, whichever feels more
comfortable.

I also think ideas like these can serve as *wonderful* examples of why
threat models matter in security design -- like Matt says, locks often
serve as a useful analogy to how crypto works.

>If you have a location which is secured in such a manner that the lock's
>security is of concern, you should look into a lock such as Medeco, which
>employs a number of security features which resist these attacks. (Angled
>cuts, restricted key blanks, etc.)

I would equate the latter with both security-thru-obscurity, and purely
legislative approaches to security. That is, I wouldn't lay a lot of
weight on them. The former, that I've already found a minor complication.

>(On another list, I joked that if Matt could get his technique to work on
>a Medeco master-keyed system by July, I'd eat a pound of live crickets at
>DEFCON. I'll hold myself to that.)

That's the spirit. I wouldn't exactly go with the live stuff, but
otherwise crickets sound simply nutritious. Not to mention delicious,
after having been dipped in honey. ;)

Seriously, I cannot really see why the approach wouldn't work on Medeco's
rotating pin design as well. It certainly seems more complicated than a
typical pin tumbler one, and it does add to the total number of key
combinations, but in the end, I would suspect it succumbs to an attack
with the same complexity measure as Matt's more conventional ones. I don't
have the precise details, but I would suspect rotational positions simply
Cartesian the search space, nothing more. Getting it to work in actuality
might be a bit of a problem, especially with Matt's expected budget, but
for those who actually want to get the job done, I don't see any real
hindrance.

It might well be you have to get acquainted with'em crickets.
-- 
Sampo Syreeni, aka decoy - mailto:decoy at iki.fi, tel:+358-50-5756111
student/math+cs/helsinki university, http://www.iki.fi/~decoy/front
openpgp: 050985C2/025E D175 ABE5 027C 9494 EEB0 E090 8BA9 0509 85C2

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com