Paul McLellan

A Computer Scientist Takes a Look at Mechanical Security

5 Jun 2018

I wrote recently about visiting The Tech in San Jose. One of the exhibits showed you how a cylinder lock worked (and even how lock picks worked, since you could use them to open the lock without using a key). I mentioned an academic paper about master keys that caused some pushback from locksmiths. Rather like the Yogi Berra remark that nobody went to some bar anymore because it was too crowded, half the locksmiths attacked the paper as being common knowledge, and half attacked it as letting locksmith secrets out to the bad guys because nobody knew it. See this article in The New York Times for more details on the controversy.

The paper is Cryptology and Physical Security: Rights Amplification in Master-Keyed Mechanical Locks by Matt Blaze. The title couches everything in the terms that we use in the computer security world. Rights amplification is doing something like having a password for a Linux system, and then somehow transforming yourself from a normal user to root, the Linux superuser who can do anything. In the same way, this paper shows how having a key to a single office can allow you to create a master key that will open any office. This assumes that the office building has been keyed for a master key in the usual way, but most are, since security (and the janitorial service) don't want to carry hundreds of keys.

The paper dates back to 2003, but is still quite important. The AT&T Labs report on the paper summarizes the situation well:

We describe weaknesses in most master-keyed lock systems, such as those used by offices, schools, and businesses as well as by some residential facilities (particularly apartment complexes, dormitories, and condominiums). These weaknesses allow anyone with access to the key to a single lock to create easily the "master" key that opens every lock in the entire system. Creating such a key requires little skill, leaves behind no evidence, and does not entail engaging in recognizably suspicious behavior. The only materials required are a metal file and a small number of blank keys, which for many locks are readily available. Needless to say, the ability for any keyholder to obtain system-wide access represents a serious potential threat to the security of master keyed installations. Individuals and institutions that depend on such locks to protect their safety and property should be aware of these risks and consider alternatives to eliminate or reduce their exposure to this threat.

How a Cylinder Lock Works

[Image: cylinder lock]

If you look at the above picture, taken in The Tech in San Jose (see my post The San Jose Tech Museum) you can see the internals of a normal cylinder lock. Obviously, a normal lock is not this big, and it has more than four pins. But the basic concept is the same. Those black and grey cylinders are the pins. In a real lock they are spring loaded but in this demonstration, they are just pulled down by gravity. Each "pin" consists of two sub-pins, a grey one at the bottom, and a black one on top. The length of the grey ones is what determines which key will open the lock. The key has to push up each grey pin just enough that the gap between the grey and black cylinders, known as the shear-line, is exactly on the boundary between the lock cylinder and the outer case of the lock. If any pin is pushed up too far, then that grey pin will block the lock turning. If any pin is not pushed up far enough, then its corresponding black pin will still be penetrating the cylinder and prevent it rotating. In the picture above, the girl has put the wrong key in, since the 3rd pin from the left is not lifted high enough to push its black pin fully out of the cylinder.

[Image: lock picks]

The Tech also has a set of giant lock picks to show how that works. There are two tools. One is L-shaped and goes in the entrance of the lock and is used to apply pressure (even though the cylinder will not turn more than a tiny bit). The pick itself is inserted in the lock and used to push the pins up. At least one will lock in place due to the tolerances—this is not precision engineering. Keeping the pressure up with the L-shaped tool, that pin will not drop back while you find another that you can work up. Eventually, all the pins align and the lock opens.

If you ever get locked out and get a locksmith to come to your house, they will either open it using tools like that, or with a "bump key." That is a key with all the notches cut to maximum depth. It serves as both tools at once. It is put in the lock, pressure is put on to try and turn the lock, and then the key is hit with something like the handle of a screwdriver. It jumps the pins up and they will catch. If you want to see it being done, here is a 1-minute video (but the demonstration only takes about 5 seconds of the video, that's how insecure the lock on your front door probably is).

Master Keys

[Image: master keyed lock]

If the building has a master key, then in addition to each lock having a key that opens it, the master key must open it, too. This is done by having a second shear-line in each pin. There are other complications, since there might be sub-masters that only open some locks, but to keep the explanation simple, the assumption is that each lock can be opened by its own key or by the master key. The key that only opens each office lines up to one set of shear-lines; the master key lines up to the second set. It doesn't matter if, for a pin, the shear-lines are at the same point; that pin will just have one shear-line and both keys will line it up. If you look closely at the cutaway photo to the right, you can see the multiple shear-lines on each of the pins.

So how do you make a master key? As it happens, I wrote a book (well, about half of it, I never finished) in which a couple of engineers break into an office using the technique described in Matt's paper. Here's how the conversation in the book took place (it doesn't matter that you have no idea who any of these characters are):

“So how do we find out where the breaks in the pins are?” Kali said. “We can hardly sit outside Yong-Jun’s office all day tomorrow filing keys until we get one to open the door. We’d look pretty suspicious, to say the least.”

Peter laughed. “We're going to do something easier. We're going to make a master key.”

“Surely that’s more difficult, not easier. Isn’t the master key more secure or something?”

“No, the important thing about a master key is that it is a master key.”

“That’s a bit too zen for me,” said Kali.

“Because it's a master key, it opens all locks in the building.”

“Yes, I know that. That’s just the definition of a master key. If I wanted to be geeky, I’d say that was a tautology.”

Peter was enjoying dragging out the secret. “Since the master key opens all locks in the building, we don’t need access to Yong-Jun’s office, like we would to make a key that just opens his office. We can make do with any lock in the building. The breaks in the pins for the master key are the same everywhere.”

Kali’s engineering background finally started to work as she realized the implications. “So we could use the lock for the janitor’s closet or something. A lock where no-one can observe us.”

“Yes, but we need to use a lock where you already have a normal key. That way we can investigate the pins one at a time. We already know where at least one break is in each pin since your key opens it. So we make a key with all the pins except one set to the height of the non-master key. Then we file the last notch down gradually until the key turns. We have then found the depth for the master key notch. We make another key, just missing the next pin, and then repeat the process. When we have done every pin, we know exactly how deep to make each notch to make our own master key. Once we make that key, we can open any office in the building. Including Yong-Jun's.”

It's surprisingly straightforward to make a master key.
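
To put numbers on why, the sketch below (an added example, not code from Matt Blaze's paper or from this post) models a master-keyed lock as a yes/no oracle and counts the trial keys the one-pin-at-a-time search needs compared with guessing whole keys. The 5-pin, 10-depth geometry, the sample bittings and all names are constructed assumptions.

```python
# Added illustration: abstract model only; geometry and bittings are constructed.
DEPTHS = range(10)  # assumption: 10 possible cut depths per pin position


class MasterKeyedLock:
    """Pin stack i has a shear line at the change-key depth and the master depth."""

    def __init__(self, change_key, master_key):
        self.stacks = [{c, m} for c, m in zip(change_key, master_key)]
        self.trials = 0  # how many keys have been tried in this lock

    def opens(self, key):
        self.trials += 1
        # Every position must sit on one of that stack's shear lines.
        return all(cut in stack for cut, stack in zip(key, self.stacks))


def per_pin_search(lock, change_key):
    """Vary one position at a time; the others stay at the known change-key cuts."""
    recovered = []
    for pos, known in enumerate(change_key):
        found = known  # no second depth works: master and change cuts coincide
        for depth in DEPTHS:
            if depth == known:
                continue
            probe = list(change_key)
            probe[pos] = depth
            if lock.opens(probe):
                found = depth
                break
        recovered.append(found)
    return recovered


def work_factors(pins, depths):
    """Worst-case trial counts: guessing whole keys vs. the per-pin search."""
    return {"exhaustive": depths ** pins, "per_pin": pins * (depths - 1)}


def demo():
    change, master = [3, 5, 2, 7, 4], [6, 5, 8, 1, 4]  # constructed sample bittings
    lock = MasterKeyedLock(change, master)
    recovered = per_pin_search(lock, change)
    return recovered, lock.trials, work_factors(len(change), len(DEPTHS))


if __name__ == "__main__":
    print(demo())
```

Because the lock answers for each pin independently, the work grows linearly with the number of pins instead of exponentially, which is the same weakness as a password check that reveals which characters are correct.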

Safes

Having found vulnerabilities in master-keyed locks, Matt Blaze moved on. See Safecracking for the Computer Scientist for his review of how safes work, and how to get into a combination lock safe without the combination. However, even using his techniques, physical security tends to be much better than computer security in some ways. As he puts it:

Few weaknesses in physical security admit the kinds of catastrophic failures common in computers and networks, in which a low-risk, low-cost attack can yield a high-value and easily replicated benefit. Even the most sophisticated attacks against safes, whether involving force or lock manipulation, almost always entail at least some risk of exposure.

Or you can just build a robot to try the combinations:

 
