Schneier on Security
A blog covering security and security technology.
November 17, 2009
Secret Knock Lock
Door lock that opens if you tap a particular rhythm.
EDITED TO ADD (11/20): Another knock lock.
EDITED TO ADD (12/12): A version for cars.
Posted on November 17, 2009 at 2:00 PM
Anyone want to bet the default password is Shave And A Haircut...Two Bits?
Knock "friend" and enter.
Interesting. There's a similar lock in a Donald Duck story by Carl Barks, BTW, namely "The Phantom of Notre Duck" - only that in that one, you have to play a certain melody on a flute to open the door of Scrooge McDuck's money bin.
I always thought that would be a fun way to have a car unlock itself. Wouldn't be too hard to implement. Trivial, actually.
I can't wait to see the "10 second" attack against this. It'll involve either a jack hammer or a Led Zeppelin song.
Does it have a lockout policy? Because if not, I've got a drummer.
Shave...and...a...hair...cut...two...bits will be the knock code equivalent of having the password "password".
I'm sure it goes without saying... But I'll say it anyway. :) If you insist on using "Secret Method" locks, you should choose a method that isn't compromised just by having someone stand near you.
Is it just me who thinks that this is completely open to a replay attack?
In the Richie Rich movie, the family vault could only be opened by the harmonics of Richie Rich's parents' duet.
"The Pacifier" with Vin Diesel. You'd look pretty silly on your front doorstep, but so would any burglar -- a sure tipoff to the neighbors.
Eponymous - surely you mean a Knock Out Policy? ;-)
A modern-day "open sesame"? Well, the older version was hacked convincingly.
If we're looking for prior art here:
"The Adventurous Exploit of the Cave of Ali Baba", by Dorothy L Sayers, a Lord Peter Wimsey story from about 1930. Lord Peter, doing dangerous undercover work, has a safe with an extra lock (he knows about single-point failures) that is opened only by his own voice saying, of course, "Open sesame". Wimseyismus:
“Your voice? I will choke your voice with my own hands. What do you mean—your voice only?”
“Just what I say. Don’t clutch my throat like that, or you may alter my voice so that the door won’t recognize it. ..."
"the thing in action... after the break"
They've got to be kidding.
Portknocking on OSI layer 0.
Of course prone to replay attack unless you memorize a list of one-time-pass"knocks".
What's brittle about the system is that again identification, authentication and authorisation fall together into one step -- that's no progress compared to the physical key-and-lock:
It's almost impossible for the flat owner to know when his authentication token (the knocking sequence) has been compromised because "copying" the token is even easier than copying a physical door key: the attacker needs less budget and less risk tolerance. In fact, it's not even possible to prove that an attacker has copied the key ("No, I didn't listen to your knocking, sir, I was just thinking about something that just came to my mind...")
On the other hand: What if you want to give the key to your lessor, who has to give it to some plumbing company, who will give it to the local contractor who comes over to your place to fix a broken pipe while you are at work? In that case the process of moving authorisation is not so easy, because it's Chinese whispers.
And what about the passive failure rate? How much "being off beat" does the lock tolerate? Hard to tell for the owner.
And the active failure rate? How good is the lock at recognising an intoxicated, tired, ill-tempered owner?
Starting to look at this doorlock security system from the use cases beyond the obvious "open the door now" (e.g. "temporarily shift authorisation", "withdraw temporary authorisation", ...) it seems that it leaves the user with the same problems the physical key does -- but with more trade-offs.
Can it be combined with one-time-password approaches?
The knock-sequence changes every time you use it (and perhaps at certain time periods, like, every 12 hours or so).
You carry a "fob" with an LED screen that displays the appropriate knock sequences via numeric codes (like http://en.wikipedia.org/wiki/File:Ledcards.JPG, with the numbers on the card indicating the required knock sequence).
This would make it quite robust against replay attacks. And against "brute force" attacks too, methinks...
Am I correct?
"Richie Rich... the family vault could only be opened by the harmonics of ... parents duet."
Yeah, they were locking up their loot, sure. But they were implementing a control to prevent Richie from pulling a Menendez Brothers on them.
Make the knock sequence John Cage's ASLSP. The cops could stop for coffee and doughnuts and still make the collar.
Needs to be combined with "something you have"; maybe an RFID badge with a secret knock?
Christopher, you're right! Heck, if you had some kind of physical token you could even ditch the uncertainty of the knocking mechanism, and instead just carry around your badge.
Except, since it's RFID, it'd be vulnerable to replay -- unless you're shielding your badge, you're effectively broadcasting your entry credentials everywhere you go. And what happens when the circuits in the badge start to wear out? Or when you need to secure more than one entry point? Do you just carry two or three badges with you at all times?
Ideally, your token would be made of something solid, like metal, and small enough to carry several of them -- maybe on something like a ring. Let us know if you can key in on anything that sounds useful.
I've just developed a Secret Knock Lock(tm) bypass device. I like to call it "A Portable Tape Recorder". The included lapel microphone can be discreetly strung under your door and aimed at your neighbor's in order to nick their key every time they record it.
This needs two-factor for sure. A pin, or some sort of biometric. Retinal scanner.
Too much to worry about though. Wait! What about just a key?
(continental, not international) Morse Code anyone?
This would work better as a second line of defense. You have three doors. The first door only allows in one person at a time (kiosk style). The second door has no apparent access method; it simply allows you in with or without a knock. But if you go in with a knock, the third door will be unlocked. Without a knock the third door remains locked and an alarm is triggered.
In this way you prevent your knock from being compromised from observers and anyone caught by the system still doesn't know what was needed to prevent triggering the alarm.
Heh heh. The title of this blog post reminded me of a nasty defect in Peugeot 406 sedan cars made in France between 1999 and 2001: thieves could open the trunk without keys by gently hitting a specific point in the body rear.
Insurance companies even refused to pay for the stolen items because there was no breaking involved. 200'000 cars were made defective, and Peugeot never managed to fix them.
Link here (in French): http://www.leparisien.fr/economie/...
So what about making it Challenge/Response? Upon some trigger (a single knock, or turning the handle, perhaps), the lock issues an audible knock. You run this through your algorithm+secret key in your head, and knock with the result. Obviously if you're going to do it without computational aid, it's not going to be strong crypto, but even if it's just XORing with a small secret (conveniently Shave And A Haircut - Two Bits appears to be an 8-bit string) it's probably already more secure from most people than your typical combination lock.
Of course there'd have to be some constraints on the result string, e.g. it can't be all zeros, or any single one bit. And a door that knocks at you is bound to attract plenty of unintentional brute force attacks from local kids.
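The challenge/response sketched in the comment above, as an added example that is neither the commenter's code nor anything from the lock's maker: the lock draws an 8-bit challenge whose XOR with the secret is neither all zeros nor a single one bit, the visitor answers with challenge XOR secret, and the lock accepts only the answer to the challenge it just issued. The key value and the knock notation (K = knock, . = rest, most significant bit first) are constructed for illustration; the page does not specify how the rhythm maps to bits.

```python
import secrets

# Constructed example secret standing in for the commenter's 8-bit
# "Shave And A Haircut - Two Bits"; the real bit encoding is an assumption.
EXAMPLE_KEY = 0b10110010


def degenerate(response: int) -> bool:
    """Commenter's constraint on the expected response: all zeros would mean
    knocking back nothing (and equals challenge == key); a single one bit
    hands all but one bit of the key to anyone listening."""
    return response == 0 or bin(response).count("1") == 1


def issue_challenge(key: int, rng=secrets.randbelow) -> int:
    """Lock side: draw 8-bit challenges until the expected response passes
    the constraint. rng(n) returns an int in [0, n); the default is a CSPRNG
    so challenges are not predictable, which is what defeats replay."""
    while True:
        challenge = rng(256)
        if not degenerate(challenge ^ key):
            return challenge


def respond(key: int, challenge: int) -> int:
    """Visitor side: the head computation, a plain XOR with the secret."""
    return challenge ^ key


def verify(key: int, challenge: int, response: int) -> bool:
    """Lock side: accept only the response to the challenge just issued."""
    return (challenge ^ key) == response


def knocks(bits: int) -> str:
    """Render 8 bits as the pattern the door taps or listens for."""
    return "".join("K" if (bits >> i) & 1 else "." for i in range(7, -1, -1))


def key_from_one_exchange(challenge: int, response: int) -> int:
    """Why the commenter says this is not strong crypto: one overheard
    challenge/response pair returns the secret with a single XOR, so the
    scheme only raises the bar against casual observers."""
    return challenge ^ response


if __name__ == "__main__":
    c = issue_challenge(EXAMPLE_KEY)
    r = respond(EXAMPLE_KEY, c)
    print("door knocks    ", knocks(c))
    print("visitor answers", knocks(r), "accepted:", verify(EXAMPLE_KEY, c, r))
```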
Some problems are over-complicated by thinking too much. Boy, are most of these comments evidence of that.
For many people, there is no one close enough to hear the knock. Even living in an apartment building as I do, my neighbor would not hear my knock. Even if he did, if he doesn't know that it activates an entry device, he is no wiser.
Also, it appears to be simple enough to change the knock on a regular basis.
Finally, most of us who use deadbolts also have a second, keyed lock -- usually in the knob assembly (if not in the knob itself.)
So yes, like any security device, if used stupidly it won't work. Used well -- I like it. I think I would use Morse Code as someone suggested -- learned it for my ham radio license, might as well use it. Gives a wide variety of easily-remembered passphrases.
> Some problems are over-complicated by thinking too much.
Of course this post (or rather: the knock lock) was rather meant as a joke, but why not examine it the way you usually examine these things? It's fun!
> Even living in an apartment building as I do, my neighbor would not
> hear my knock. Even if he did, if he doesn't know that it activates
> an entry device, he is no wiser.
Aaaah, security by obscurity. That's one of the advanced ways of handling things ;-)
I designed a door opener that's connected to the bell. It's operated in Morse, using simple feedback with the doorbell sound to give the challenge and hide the key. The doorbell is not activated on every key press. In case I forget my other keys, I don't have to stay outside…
From Heinlein's THE NUMBER OF THE BEAST:
"Part of the problem lay in the fact that Gay Deceiver [a computerized flying car] was a one-man girl; her doors unlocked only to her master's voice or to his thumbprint, or to a tapping code if he were shy both voice and right thumb; Zeb tended to plan ahead-"Outwitting Murphy's Law," he called it, "Anything that can go wrong, will go wrong." (Grandma called it "The Butter-Side Down Rule.")
First priority was to introduce us to Gay Deceiver-teach her that all four voices and right thumbprints were acceptable.
That took a couple of hours, with Deety helping Zebbie. The tapping code took even less, it being based on an old military cadence-its trickiness being that a thief would be unlikely to guess that this car would open if tapped a certain way and in guessing the correct cadence. Zebbie called the cadence "Drunken Soldier." Jacob said that it was "Bumboat." Deety claimed that its title was "Pay Day," because she had heard it from Jane's grandfather."
You can see that the tap code wouldn't be easily detected by someone hiding in the bushes, which is what happened to the original "Open, sesame!" because it wouldn't come into play except in an emergency.
The default knock is "Shave And A Haircut.." but there also is a passphrase required. But that default is "Louie sent me."
As Thunderbird points out, a much more sophisticated system (with an electronic device to do the knocking) has been discussed previously, and is commercially available. It was noted that the acoustic data channel has a number of potential advantages. IIRC that system resisted replay attacks through the Keeloq protocol [1].
It is possible to make this system more resistant to replay without nearly that much complication. What is required is that the user be able to easily represent a variety of coded knocks (e.g. through Morse code, or as binary numbers), and an algorithm to generate new knocks which can be interpreted by the processor in the lock.
No algorithm that you can do in your head will be remotely as secure as a modern cryptographic protocol, but it is not difficult to come up with ones that will frustrate limited eavesdropping. For a simple example: add the current day of month to 10 x the minutes past the hour. Use each digit to pick a letter from a password, and tap it out in Morse. (Currently 38 minutes past the hour on 19th of the month, giving 399; if my password is OPENSESAME the current code is NEE.)
A smart eavesdropper will eventually figure out this sort of system, but it will take quite a lot of interceptions, typically at only one per day; and the defender may change the password and/or algorithm from time to time. Of course, any such method will also require rate limiting (e.g. the typical 5 minute lockout after 3 wrong guesses.)
1. A simple but clever protocol widely used in "rolling code" systems for remote door unlocking using low powered devices with very limited computation, only one of which can transmit. It is usually deployed with a weak cipher that can be broken in realistic time, but the protocol itself is fairly sound (other than being vulnerable to a MITM relay, which seems impossible to defeat when we have one way communication.)
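The head-computable scheme from the comment above, as an added example that is neither the commenter's code nor the Keeloq-based product the comment mentions: the code is derived from the day of month and the minutes past the hour exactly as described, tapped out in Morse, and the lock applies the "3 wrong guesses, 5 minute lockout" rate limit from the same comment, so a recorded knock replayed a minute later fails. The password OPENSESAME and the 0-based digit-to-letter indexing are taken from the comment's own figures (19th, 38 minutes past, code NEE); the Morse spacing, the explicit clock parameters and the minimum password length are assumptions.

```python
MORSE = {  # International Morse, letters only
    "A": ".-", "B": "-...", "C": "-.-.", "D": "-..", "E": ".", "F": "..-.",
    "G": "--.", "H": "....", "I": "..", "J": ".---", "K": "-.-", "L": ".-..",
    "M": "--", "N": "-.", "O": "---", "P": ".--.", "Q": "--.-", "R": ".-.",
    "S": "...", "T": "-", "U": "..-", "V": "...-", "W": ".--", "X": "-..-",
    "Y": "-.--", "Z": "--..",
}


def knock_code(password: str, day_of_month: int, minutes_past_hour: int) -> str:
    """Day of month + 10 x minutes past the hour; each decimal digit picks a
    letter of the password (0-based), so the password needs 10 letters."""
    if len(password) < 10:
        raise ValueError("password must have at least 10 letters")
    number = day_of_month + 10 * minutes_past_hour
    return "".join(password[int(d)] for d in str(number))


def to_morse(code: str) -> str:
    """Tap-out form: one space between letters (a longer pause at the door)."""
    return " ".join(MORSE[ch] for ch in code.upper())


class KnockLock:
    """Lock-side verifier with the comment's rate limit. Time is passed in
    explicitly so the logic is testable; a real lock reads its own clock."""

    MAX_FAILURES = 3
    LOCKOUT_SECONDS = 5 * 60

    def __init__(self, password: str):
        self.password = password
        self.failures = 0
        self.locked_until = 0.0  # clock time until which knocks are ignored

    def try_open(self, tapped: str, now: float, day: int, minute: int) -> bool:
        if now < self.locked_until:
            return False  # locked out: even the correct knock is ignored
        expected = to_morse(knock_code(self.password, day, minute))
        if tapped == expected:
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.MAX_FAILURES:
            self.failures = 0
            self.locked_until = now + self.LOCKOUT_SECONDS
        return False
```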
For rolling codes, use an iPod playlist; once you've used the opening to "Flirtin' With Disaster", then use "YYZ"...
Though YYZ gives me an idea: use a passphrase in Morse code.
Reminds me too of the keyboard lock to the Chocolate Room in the 70's Willy Wonka movie with Gene Wilder. He had to play a Rachmaninoff melody to enter.
I think this security system based on sound could be bypassable, as the phone system was by John (Captain Crunch) in his time...
In my case I won't put this system in my house :p
An aftermarket version for cars has been available for many years; I think I first heard of it 5 years ago: