[IP] Master Key Copying Revealed (Matt Blaze of ATT Labs)

Len Sassaman rabbi at abditum.com
Fri Jan 24 20:55:08 EST 2003


On Sat, 25 Jan 2003, Sampo Syreeni wrote:

> Sure. But trying those combinations out can be automated -- I don't think
> the kind of automatic lock pickers one sees in current action movies are
> *entirely* fictional.

I've never encountered an automatic key combination decoder, but it would
presumably be possible to build for a lot of locks.

Most automatic lock picks are variations on the snap-gun design, however,
which is an entirely different approach to lock picking. (Think of when
you hit a cue-ball with a pool cue, and it hits the target ball. The cue
ball stops moving, and the target ball speeds off. That's the principle
behind a snap-gun: the snap-gun is the cue, the bottom pin is the
cue-ball, and the top pin is your target. You use the snap-gun to strike
all the pins at once. The top pins fly up past the shear line, the bottom
pin stays below it, and deft use of a tension wrench lets you turn the
cylinder at just the right moment.)

> Rotational shear dictates that the key channel of every normal lock must
> have a certain minimum cross-section, given a material for the key. If you
> think about how long a lock cylinder can be in common applications, one
> has a whole lot of room for all sorts of mechanics within the space
> allotted for the key in a working lock. It might even be the length of the
> cylinder is strictly limited by rotational shear concerns. My first take
> on designing an automated probe would simply be to apply rotational noise
> to the lock, record the vibration coming back, while sliding a probe
> through the cylinder. When each disc/pin is pushed into the free position,
> one would expect it to be exceedingly difficult to hide changes such a
> match will cause in the response of the signal chain.

I have met people who can decode a lock's pin combination by feel, so what
you are describing is almost certainly possible.

> >If you have a location which is secured in such a manner that the lock's
> >security is of concern, you should look into a lock such as Medeco, which
> >employs a number of security features which resist these attacks. (Angled
> >cuts, restricted key blanks, etc.)
>
> I would equate the latter with both security-thru-obscurity, and purely
> legislative approaches to security. That is, I wouldn't lay a lot of
> weight on them. The former, that I've already found a minor complication.

It's not exactly security-through-obscurity. The blank's cuts are known --
but in order to make blanks of your own, you have to go through a lot of
effort. It's a protection based on increasing the work an attacker needs
to do to succeed.

> That's the spirit. I wouldn't exactly go with the live stuff, but
> otherwise crickets sound simply nutritious. Not to mention delicious,
> after having been dipped in honey. ;)

Now, there's another yummy idea.

> It might well be you have to get acquainted with'em crickets.

Well, here's the deal. If Matt decides he really wants to see me feast on
crickets, I'll send him a box locked with a Medeco lock that has two
possible change keys (they aren't really master/change in this scenario).
I'll give him one of the change keys. If he shows up at DEFCON[*] with the
other change key, without disassembling the lock or the box, I'll publicly
"eat my words."

I'm betting my dignity on the assumption that Matt has better things to
do. :)


--Len.

[*] Insects have a history of being eaten by people when The Shmoo Group
gathers at DEFCON. It's as good a place as any.


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
