Schneier on Security
A blog covering security and security technology.
December 23, 2004
Physical Access Control
In Los Angeles, the "HOLLYWOOD" sign is protected by a fence and a locked gate. Because several different agencies need access to the sign for various purposes, the chain locking the gate is formed by several locks linked together. Each of the agencies has the key to its own lock, and not the key to any of the others. Of course, anyone who can open one of the locks can open the gate.
This is a nice example of a multiple-user access-control system. It's simple, and it works. You can also make it as complicated as you want, with different locks in parallel and in series.
Posted on December 23, 2004 at 8:36 AM
• 22 Comments
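The gate's chain, and the series and parallel combinations the post mentions, can be modelled as an any-of/all-of policy over keys. The sketch below is an added example, not part of the original post; the agency names and the `any_of`/`all_of` helpers are hypothetical. It enumerates the smallest key combinations that open the gate.

```python
from itertools import combinations

# Policy nodes: ("key", name), ("any", [children]) or ("all", [children]).
def key(name):
    return ("key", name)

def any_of(*children):   # locks linked end to end: opening any one parts the chain
    return ("any", list(children))

def all_of(*children):   # every lock must come off before the gate moves
    return ("all", list(children))

def opens(policy, held):
    """Return True if the set of keys `held` satisfies the policy."""
    kind, arg = policy
    if kind == "key":
        return arg in held
    results = (opens(child, held) for child in arg)
    return any(results) if kind == "any" else all(results)

def keys_in(policy):
    """Collect every key name mentioned anywhere in the policy."""
    kind, arg = policy
    if kind == "key":
        return {arg}
    return set().union(*(keys_in(child) for child in arg))

def minimal_key_sets(policy):
    """Smallest key combinations that open the gate, by brute force.

    Exponential in the number of keys, which is fine for a gate chain.
    """
    names = sorted(keys_in(policy))
    found = []
    for size in range(1, len(names) + 1):
        for combo in combinations(names, size):
            held = set(combo)
            if opens(policy, held) and not any(m <= held for m in found):
                found.append(held)
    return found

# Constructed policies; the agency names are placeholders, not from the post.
CHAIN = any_of(key("parks"), key("fire"), key("broadcast"))
MIXED = any_of(key("parks"), all_of(key("fire"), key("broadcast")))

if __name__ == "__main__":
    print(minimal_key_sets(CHAIN))  # three one-key sets: any single agency
    print(minimal_key_sets(MIXED))  # parks alone, or fire and broadcast together
```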
I used to work in a city government job with the same setup to control access to a fenced yard/parking lot. It has a downfall: anyone can break the system by forgetting to not re-lock everything lock-to-lock.
An interesting example of key management for shared access, but the fence is hardly a deterrent. People that climb all the way to the top of the hill can easily climb over the fence and they often do. The real deterrent is the surveillance system with speakers that the Park Rangers use to monitor and interact with trespassers:
So perhaps the system of chains with multiple locks is more related to auditing/monitoring the people with keys than those without.
Another wide comment ruins the page; is there a fix for this?
Yes, it seems that this is the SOP for govvy operations. When I did some work for the USGS while in school, every time we went to a remote area, gate access was always via 'chained locks'.
One nice thing about the system is that every lock was vouched for by an existing member: in order to add your lock to the link, someone has to "let you in."
The downfall of the system, of course, is that one cheapie lock in the chain makes it easy to get in. Also, as Paul pointed out, the entire link breaks if someone forgets to relock.
Actually, there is a fairly easy way to "hack" in:
Say, by reconnaissance, you find out one of the locks belongs to someone, who is due to arrive soon. All you have to do is add your own lock, closed, on a lock next to the one you found. Most likely, when the guy comes, he won't notice it upon opening, and will use it as the end point (since no one remembers exactly what is where), upon closure, and by that will "vouch" for you unknowingly.
In short, electronic key-sharing mechanisms may work far better, as long as designed right.
A flaw in the design is that someone with access can remove someone else's (or everyone's) access by skipping locks when re-locking the system.
That is nice. The nice feature is that the insecurity of the thing increases in a linear manner. Making one secure lock, protected against lock picks and bolt cutters, is hard enough. In addition each lock now has one or two keys. Thus, an attacker can use two tactics per lock, break it or use a key. So, the total risk increases by a set amount with each new lock.
I am just wondering - what is the nett difference (seeing this system as a black box) between having multiple different interlinked locks with different keys assigned to different people, vs. one lock with several copies of the same key given to different people? In either case all people granted with a key can open the gate...
The difference is that you can revoke one person's access by simply removing their lock from the chain. If everyone had keys to one lock, you'd have to change the lock and get new keys to everyone.
I think on paper this sounds like a neat little idea.
However, say a padlock has 5000 unique keys associated with it during manufacture, and you string up 10 padlocks in your chain. The chances of someone having a duplicate key (from another padlock from the point of manufacture) that opens the gate massively increases - from 5000/1 to 500/1.
OK, so in the case of a padlock might not be a problem - 500/1 is probably still ok.
But thinking about other examples of "in series" security - such as multiple passwords to gain entry to a computer system... Every new unique password you are adding, your security is decreasing rapidly as only one of the passwords is needed to access the system.
The point here is *what* is being secured. We're not talking about locking government files with simple locks, here. We're talking about a gigantic HOLLYWOOD sign. So you can climb the fence, or trick someone into unlocking the door for you. What then? You're going to steal the gigantic, HOLLYWOOD sign? What you're trying to secure dictates what measures you will employ. In this case, a simple chain of locks and a fence is enough.
Typically what people do when they break in is modify the sign with (for example) sheets of white and black plastic to make it say something else, such as "CALTECH"
That risk is still not worth more than a few locks and a fence, in my opinion.
There's another scheme I've seen in similar locations. In order to open the gate, a rod must be retracted. Blocking its way is a metal circle with several metal holes drilled in it. The holes are blocked by padlocks. If you can remove a lock, you spin the circle until the hole lines up with the rod, and you open the gate. Unassigned holes have a chain wound through them. It seems like a better system, with two downsides: specialized hardware (compared to a chain of locks) and it's not arbitrarily extensible (but maybe you combine the two ideas...).
I think that all the talk about climbing the fence and compromising the locks, misses the point-- that this is simply a physical model of shared access.
A complementary system can be found in the safety shutout used for industrial maintenance. Each worker has his own padlock which is hooked to a multiple hole locking plate. In this case, the plate cannot be removed, the machine cannot be started, until every worker has removed his own lock. Of course, if a worker leaves without removing his lock, this causes problems, but the safety goal is still priority.
The lockout system is an example of multiple locks in parallel (all locks must be unlocked to gain access), while this is an example of multiple locks in series.
Of course there's another problem with this system: anyone could insert their lock in parallel with someone else's (or put a bunch of locks, one parallel with each of the "official" locks). Instant Denial-of-service for one or more authorized parties.
Correct me if I am wrong, but it strikes me as being a silly idea for one simple reason.
"How many locks are there" and "Who knows the correct number".
Dror made the point about slipping in a lock whilst one of the locks was unlocked.
More simply "why not simply cut the last link on the chain and add your own lock into the chain". If nobody knows how many locks there should be then the chances are nobody is going to notice any way (or care for that matter).
I can think of several ways to improve this physical access system. But, the idea of locking the gate is to keep the honest and/or lazy people from bringing something in that can't go over the fence. Unless the people needing access are grounds keepers, there are probably ladders or climbing gear required to do whatever is needed. That gear would make getting over the fence easier. But, still there is probably a requirement for the use of other equipment/supplies that would be difficult to get over the fence. But, I digress... The security requirement will dictate the type and level of security needed. In this case allowing multiple parties physical access while preventing easy access by others via a chain and multiple locks.
As I'm Security Manager for an International Organization, the message which was posted can be very valuable for my day to day security activities.
This is similar to "lockout" systems used in industry. This is a safety system used when a dangerous system is being repaired or maintained.
With a lockout system, a device of some sort (power cutoff, valve, etc.) is closed and locked by a hasp that has holes for several padlocks. Each person working on the device puts their own padlock on the hasp, ensuring that the environment will remain safe until the last person has finished his/her work.
I've been reading all your comments regarding multiple access locking systems and I also had to deal with multiple locks almost every day. To be honest I just got fed up of having to mess with up to 8 locks. I came up with a solution that encased the locks in a case that can be attached to a chain link fence. So far it seems to work great. If interested please feel free to email me at firstname.lastname@example.org
Who is the manufacturer of the lock used on the Hollywood Sign?