Schneier on Security

Clive Robinson • February 12, 2010 8:42 AM

The technique of enumerating the lock by various means is by no means new.

However working out the required order code for such keys used to involve a “Trade Secret” mapping list. It usualy was not used for mechanical only locks as “impresioning” produced a new key in about 20mins if you knew what you where about.

All mechanical locks have “slop” and thus can be “enumerated”. This has been known to those inside the trade for more than 150years. And I suspect lock picks since locks where still made of wood…

However automating it in such a maner is new.

However with regards to electronic locks if done properly they should be secure…

But the protocols in many cases are “trade secrets” or under NDA and from the little I’ve seen in recent times I would rate them about as secure as MiFare Classic…

So the question is when is the “add on” ariving 😉

Clive Robinson • February 13, 2010 7:13 AM

@ Cybergibbons,

“If I’ve lost my keys, I don’t want a copy made of them from an impression, because it’s quite likely someone else has my keys. I want new tumblers.”

Look at it this way, you need a working key to change the tumblers for a couple of reasons.

1, To get in and take the handbrake off and unlock the stearing so your car can be moved.

2, Most locks are designed so that changing the tumblers needs the key to get the barrel out of the lock.

And there are other reasons for needing the “old key” information as well with some keys…

As for,

“Normal impressioning is very very sensitive to minute changes in pressure that pins or wafers exert on a blank or foil. I find it hard to believe anything mechanical could sense these forces.”

The answer is actually you can design a device that will measure it way more sensitivly that you can through impressioning.

To explain why first a simple question,

‘How do you measure the speed of a DC motor?”

There are two ways “ask the shaft” and “ask the comutator”.

The first (ask the shaft) requires you to add a transducer to the shaft that converts the rotation to an ouput signal.

The second (ask the comutator) does not require an aditional transducer as the motor produces a very good series of signals it’s self that you can use. All you have to do is extract them out of the DC supply.

Likewise a force balance weighing machine for micro gram or less measurments uses a “floating transducer” very similar to the coil in a speaker. You know how much additional mass has been added byt the increase in current in the coil required to keep the transducer plate floating at the same hight.

If you make a chopper supply to a micro solonoid the waveform you can extract from the supply leads will give you as much information as you wish on the pin tumbler. And if you are a little smart and use it like a “Newton’s cradle” etc you can effectivly “bumb” each pin out and determin if it is a split pin or even anti pick pin…

Think of it if you will as a combined thumper and geophone to make a micro seismograph to sound out the the layers in the lock…

The joys of signal processing can have fun applications it you think sideways.

Clive Robinson • February 14, 2010 4:40 PM

@ Cybergibbons,

“I have no doubt that it’s possible to measure tiny forces, but I very much doubt that it is possible to create an electronic sensing device that can sense everything that a blank key made from soft metal can.”

I’m not sure how old you are but I’m guessing you may have seen 33&1/3 RPM 12″ LP Stereo records and the smaller 45RPM 7″ stereo records.

The former had a grove that could hold 30mins of High Fidelity music.

The pickup was usually a tiny piece of synthetic dimond on a tiny arm that fed two or four tiny solenoids, so some types of sensing work very well even in a mechanicaly sloppy environment (the play in the pivots and bearings in the tone arm and turntable would be atleast as much as the width of the grove.

So much for the sensing side. The more fun part is how do you “cut a master” to press the records from. This involved a more robust setup with a gear driven linear tracking cutting arm. Mounted on which is (in principle) the same transducer type as that on the tone arm on the player. The difference being it has to be powered and biased so requires larger solenoids and a stronger arm to hold the cutting tip.

As I said earlier you can use signal processing and a chopper drive system to make a device that would enumerate the lock in a similar way to radar/sonar/siesmology. That is you put out a high energy pulse and record the echos. It you make a hundred or two such measurements and average them you can be fairly certain of your results.

Class D chopper drives are very very efficient and when used vith a force feed back transducer can provide a wealth of information that just cannot be obtained by other measurment systems.

You find related systems in “fly by wire” systems for both military and comercial aircraft.

And in new technology that would not have been possible before such as in mechanical energy storage devices (such as fly wheel systems) used for energy recovery in braking systems in high performance vehicals. You can read bearing and tire wear and all sorts of other signals long before they become a problem and thus planed maintanence becomes easier and lower cost parts can be used.

The technology is out their and the trick to get around low frequency problems (temprature drafts etc) is to use a high frequency signal and appropriate filter systems and standard signal processing systems to pull signals out of noise.

The technical ability is most definatly there the question is if anyone has built such a system or has another possibly cheaper way to get the same job done.

Oh and yes there is still a reason to get the correct key cut. It is possible to make one key work with two locks but the impresioning of either lock will not open the other. It is like the master key system in reverse.

Clive Robinson • February 15, 2010 6:41 AM

@ Cybergibbons,

“We have no idea how the device works because the only information out there is a single computer generated image.”

No we have no idea if the device exists other than as a series of computer generated external images (unless others know of further info or a link to it).

But to go from a reasonable suspicion that this particular device does not exist to a position of arguing that it is not possible to do what the device is supposed to do as the reason it is not real is not a reasonable argument.

All I have simply pointed out is some moderatly simple methods by which people can see that such a thing is potentialy possible.

That is this specific device may or may not exist but in principle there is no real reason to think it can be done one way or another on a pin by pin basis in simpler locks.

You however have arguments such as,

“I’d be interested to see any practical way of having 5 or more magnetic pickup cartridge like arrangements in something that fits into a keyway. That’s a very small space.”

You are boxing yourself in with your own view point.
For instance try asking yourself the question,

‘Why do I need five sensors?”

The simple answer is you don’t.

Thus you are limiting your thinking process by raising a false barrier.

Most people who have picked the simpler tumbler locks know you effectivly open the lock a pin at a time. Likewise with mechanical key impresioning you usualy do it a pin at a time.

All the device has to do is measure each pin in turn.
How it does five / seven / twenty pins as opposed to one pin is not of that much relevance in deciding if it is possible to make a mesurment of a single pin or not.

The important first step from the security asspect is “can a pin be measured this way”.

Further if you think about it all a single pin measure has to do is deduce from each measurment it takes of the pin the length of the botom part of each split pin. And normalise that against the lock manufactures usual cut depths.

The device has absolutly not need to convert the readings into the maufactures “Key Code”. The pin length information is enough to make a key from. Thus this “key code” convertion is I suspect an attempt at “security by obscurity” and an acknowledgment of trying to stop “non trade” people using the information to keep the “trade” happy (which arguably adds credence to the idea).

You apear to be quite hung up on the idea that the pin needs to be moved up (or down) in the barrel to determine it’s length. You say,

“The other issue is with the movement of pins. You need to move the pin gradually downwards until it stops binding.”

Again with a little further thinking you realise that to measure the pin length you do not need to move it up or down the pin channel in the lock barrel to find it’s non bite position.

All you need to know is the aproximate hight from a fixed point of refrence in the keyway that the botom of all the pins align to and the length of the bottom part of each split pin.

This becomes obvious when you think about the basic idea behind a “Bump key”. The bump key uses the idea that if you couple enough mechanical energy into the bottom part of the split pin the top part like a Newton’s cradle will jump away out of the barrel, and if you get your timing right you will be able to rotate the barrel open, importantly the bottom part of the pin stays in the barrel.

This lack of further thought again limit’s your outlook as your comment,

“A pickup like you mention is very sensitive, but only over a very narrow range of movement.”

shows.

Your view point might be the norm for those regarding lockpicking and impresioning from a distance. But this is due to human inabilities not to the limitations of measuring.

If you think about it geologists don’t drill down to rock layers to find out how deep down they are, it’s impractical so they use a different method.

So another question for you to ponder,

‘Do you need to move the pin to measure it’s length?’

Again the answer is no.

All you need to do is have contact with the bottom of the pin and give it a very small impulse and then use the return echo from the pin to determin it’s length. This is what my earlier comment,

‘Think of it if you will as a combined thumper and geophone to make a micro seismograph to sound out the the layers in the lock…’

was about.

There are already (relativly) cheap devices that meaure the thickness of coatings such as paint. For instance some of the Police in London have a pocket version of a paint thickness measuring device that they use to see if a car has been “re-sprayed” and thus may be a stolen item.

So rather than saying it’s not possable as you cannot immediatly see how to do it, or do not have technical drawings you can assess, or have not had a demonstration of a working device in your hand, try thinking in a different way.

Boxing yourself in is a very bad mindset to be in for “security” thinking.

That is ask yourself how you might go about attacking a system. And only when you can reasonably rule out all the possible ways can you say that a device to do this could not be made.

So have a think about all the number of ways.

Say for instance a probe about the same general size as a bump key, on the leading edge a pizo or synthetic crystal sensor.

When in contact with the bottom off a pin it sends an impulse into it, and also measures the return signal time delay in exactly the same way as radar sonar and siesmographs or other Time Domain Reflectomatry (TDR) measurment.

So we can visualise such a device and a principle by which it could work. So now we know in principle it is possible to do which makes your comment,

“All of what you are saying is a bit of a straw man argument.”

More aplicable to yourself. (Assuming you are going with the US meaning of the phrase not the original English meaning of a “witness to rent to commit purjury”).

You go on to say,

“You don’t know that it exists”

I have never said it did, all I trying to point out a number of general principles by which it could work reasonably be expected to work.

Thus If we can rule them all out then we can say the device probably does not exist (assuming we can identify all the principles by which it may work). But not otherwise.

Which is why I’m not as you say,

“… and try blinding everyone with vaguely related concepts.”

It is these same “vague ideas” that design engineers and inventors use to come up with new and inovative products.

Which brings us onto your final paragraph,

“My point being – doing this would be a large technical challenge. Nothing similar has been produced before”

I’m not sure it is a technical chalenge it depends largly on your meaning. Yes it would be a chalenge making a prototype but not overly so. As I have noted there are several not too dificult to understand principles that can be used.

With regards,

” it’s certainly not a case of standing on the shoulder’s of giants.”

I’m not sure if you know thet Newton used the statment as an insult to others who he felt had delayed his work by not releasing their data to him when he demanded it. If you have another meaning then it is not overly clear.

You then go on to express a personal view point without any real supporting evidence with,

“The demand for this will not be particularly high because impressioning kits are cheap and work well.”

You appear to be assuming that a person can first be bothered to learn how to use the impressioning kit. As we know there are a number of faux locksmiths in it for the money who just “drill or kill” the lock (ie no skill required but a high fee charged).

Then there is the question of if a sufficiently skilled person is prepared to spend the 20minutes or so to do an impression on a street corner late at night with a frustrated customer breathing down their neck.

Or worse some thief who is waiting for the locksmith to turn their back so they can be mugged for their tools van keys etc etc.

Let me ask you to ponder this,

If you had to visit the rougher parts of any major city such as Washington, New York, London, Paris etc etc to help a “stranded maiden” get back into her car in the early hours of the morning, I suspect you would be very interested in a device you could just shove in the lock and then plug into your CNC style key cutting machine back in your van. Where you cannot be easily jumped etc.

Oh speaking of that time of day, the next time you get “a fit of the tweeters in the Midnight Hour” just remeber it might come back to haunt you.

Anyway it’s up to you but try climbing out of the box and having a sideways think, you might get to enjoy the experiance as it will hopefully open up your horizons.

Clive Robinson • February 15, 2010 9:59 PM

@

“There’s no point arguing that it is possible to somehow measure the internals of a lock using any number of fanciful concepts.”

I’m sorry none of the technologies I have mentioned is in any way fancifull. Some of them where originaly developed seventy od years ago and are still being refined to this day.

“It’s easy to dream up all of these ideas, but very hard to put them into practice.”

Err they are not dreamed up as I have taken pains to point out using existing well proven ideas.

“It’s a straw man argument because you are arguing that it is possible, whereas my argument is that it is extremely challenging to do.”

Err no the definition of a strawman argument (from wikipedia you seam to favour so much) is,

‘To “attack a straw man” is to create the illusion of having refuted a proposition by substituting a superficially similar proposition (the “straw man”), and refuting it, without ever having actually refuted the original position.’

Sorry at what point have I taken any part of your argument and represented it in a weakened form and struck it down?

You have not actualy presented an argument one so it would be a bit difficult to make a “strawman” from it.

“We’ve never seen any electronic sensing device inside a lock before”

Who are “We’ve”?

Oh and as a statment it is false we have seen locks with sensing devices in them (one was on this blog not so long ago).

“this seems like a very big step for someone to make.”

Why?

This is where you should be presenting your argument but you don’t.

You go on with,

“Why haven’t we seen electronic picks that use high frequencies to cause resonance between the two sections of each pin?”

We have seen both the pick gun and the bump key both of which impart mechanical energy into a split pin to cause one part to rise in a way that will enable the barrel to be turned.

However at no point have I talked about moving the pin with mechanical energy or bringing the pin or part of it into resonance. I have talked about using the age old principle of TDR which can be seen in Radar / Sonar and seismography.

“There are no patents on anything vaguely related.”

How do you come to that conclusion. Deciding what a patent principle does and does not cover or is related to is a very difficult and fraught excersise which keeps IP specialists in work.

Ah you do respond to some points,

” “Standing on the shoulders of giants” means to build upon work done by others before you.”

That is one definition of the phrase. But as I said the operating principles I have out lined can be seen all around you so I fail to see why you bothered with it.

Ah but you make one of you assumptive arm waving arguments to justify it with,

“There has been no specific work in this area before, and it is a big step from nothing to this.”

Sorry but are you saying that TDR / Radar / Sonar / siesmology don’t work or exist?

Are you also saying that force feedback transducers don’t exist?

Or are you saying that “you personaly” are unaware of any work that “you personaly” think relates to locks?

You go on to say,

“We’re talking many large, technical challenges here:”

Again in what objective view point to do with security?

You go on with a short list,

“1. Sensing the inside of the lock somehow. Although the concepts are imaginable, putting these into practice is not as easy as reading the Wikipedia article.”

I would sugest that this is very much your opinion that is not supported by any objective thought. I’m personaly not that familiar with Wikipedia the few times I have looked at it when trying to find an easy source for others I have found that often those writing the page do not appear to be that conversant with the subject they are writing about (in some areas it appears that the editors have entered a “my number of pages, is bigger than your number of pages” contest).

“2. Miniaturising it so that it fits in a keyway.”

Keyways come in all sizes and shapes and usually have been designed for reliability. You only have to look at a “bump key” or “pick gun” to see what you can get in if you wish. And as it happens I have made up keys out of plastic that have held magnetic components when doing some electronic lock development. On one occasion I mounted a “barber pole” magnetic sensor on the bottom of a milled UK Yale key as a prototype back in the 1980’s, but found the Kaba keys much more amenable to this. On another occasion I built a prototype plastic cylinder where the metal pins where used as contacts with the key to read a chip from a smart card that was mounted in the key fob. Some highend security locks manufactures are now dowing similar a quater of a century later. In the mean time the electronics industry has moved on by 16 generations as has the manufacturing of surface mount and smaller components.

Which brings me on to your final item in the list,

“3. Making this into a device that is resilient and reliable enough to be used by a tradesman.”

Well if depends on your definition of a “tradesman” locksmithing is not what it once was there are a lot of “Drill-n-Bill high” “cowboys” out there who’s primary tools apear to be a cordless drill or a slide hammer. I doubt that they would be interested in such a device. The older style locksmith who can impression a key in 20 minutes will have a considerably greater regard for their tools as they are the way they earn their living. As I said in my previous post I can certainly see these guys considering such a device as it lowers the “on site” risk to them if they simply walk up to the lock “dip it” and return to the relative safety of their van etc.

Which brings me onto the point of how mechanicaly robust does this device need to be. Well it only needs to be the same general shape as a bump key, but unlike the bump key it does not need to be either hit or used to turn the barrel of the lock. Thus in reality it does not actually need to be any more solid than FR4 board. Infact the probe could be made to be disposable in the same way as the test strips for electronic Blood Glucose meters.

Your comments about your belife that this particular product is “vapourware” is actually not relevant as I’ve previously explained. That is when assessing security you have to take a view of what is possible not just what you currently know about.

Which brings us back to weather you are limiting your own view point by your assumptions. You say,

“It’s certainly not “boxing myself in”. It’s simply seeing that this is almost certainly beyond the limits of possibility.”

Why?

You have again failed to produce any argument to that effect you simply wave your arms around saying it like a mantra.

You then go on to say,

“You’ve got to have some kind of limit.”

There are two types of limit the laws of physics and assumed limits.

The problem with assumed limits is that when we get close to one somebody comes along with a new way of doing it (see Charles Moor’s Law over this).

And oh dear oh deary me, what on earth where you thinking with this comment,

“Your same argument would mean that if some random guys posted a website claiming to have landed on Mars, it’s within the realms of thought, so it’s possible.”

How about you draw up your bale of straw and go to this random website,

http://www.beagle2.com/front.htm

Now if you are prepared to back up your assertions with anything aproaching recognisable fact I would be happy to continue this conversation.

But if all you are prepared to do is offer arm waving protestations of “it cann’t be done” then please don’t bother.