Schneier on Security
A blog covering security and security technology.
August 29, 2012
A reader sent me this photo of a shared lock. It's at the gate of a large ranch outside of Victoria, Texas. Multiple padlocks secure the device, but when a single padlock is removed, the center pin can be fully lifted and the gate can be opened. The point is to allow multiple entities (oil and gas, hunting parties, ranch supervisors, etc.) access without the issues of key distribution that would arise if it were just a single lock. On the other hand, the gate is only as secure as the weakest padlock.
EDITED TO ADD (9/14): A less elegant way to do the same thing.
A slightly different implementation of the same idea: removing any one lock allows the locking bar to retract from the pole and the gate to open. And an interesting comment from someone who deals with this in his work.
Posted on August 29, 2012 at 6:37 AM
A nice idea.
I have seen chains of padlocks to achieve largely the same thing.
I initially thought of a chain of padlocks, but I now realize that someone could steal all the padlocks. And the chain.
And this way, you can tell "Who left the Dang Gate Open!?!"
It hasn't really eliminated the issues of key distribution -- it's changed them from a problem of key distribution to one of lock distribution. So instead of each Gate having a lock and trying to figure out how to deliver copies of the key to that lock to all the legitimate Accessors, each legitimate Accessor has a key, and has to figure out a way to deliver copies of the lock that fits it to all the Gates.
I suppose it's more economical to put that burden on the Accessors, who have the resources to regularly visit each and every Gate. And it's probably easier to train a few Accessor employees about distributing locks than it is to train innumerable Gate-owners about distributing keys.
That said, I don't know if it's safer this way: You only have to steal/copy one key from one legitimate Accessor, and you can gain access to any Gate. If it were the other way around, to access N Gates you'd have to steal/copy N keys.
Either that or just hop over the fence.
In the Australian outback, they just have a padlock to lock fence entrances to parks/ranges.
A ranger carries a large bolt cutter like this http://www.uline.com/images/product/Medium/... and a spare padlock.
Every time they need to open the door, they just cut the padlock and replace it with their own.
I like analogies as much as the next techie, but to me this looks like good ol' farm boy ingenuity. If you want to get into security lessons and make it an all-out arms race, I have yet to see a lock or gate that I can't get into with the K-12 from my fire engine.
Rather than a scolding "weakest link", perhaps this is more a "match the cost of the security to the mission" lesson. The mission here is to deter unauthorized vehicles on some piece of rural land, that is all.
Another problem with the "chain of padlocks" approach is that (at least some) users can be maliciously locked out by a stranger with a spare padlock or two. If you've got a chain of locks A to B to C, just slip another lock between A and C and you've prevented B from ever opening the chain.
The lock in the original post does not share this problem, as it has a limited number of holes, and every hole must be filled to lock the gate in the first place (presumably using some placeholder locks if there are fewer users than holes).
Of course, neither situation could prevent someone from just adding a whole new chain around the gate post to lock everyone else out.
Add an accountability control by causing the pin to trigger a timestamp and notation of which hole it was lifted through.
Since you can easily open any padlock with a can of Coke and a pair of scissors, I would estimate the security value of this solution as almost nonexistent.
It should suffice to keep out people who won't bother to overcome a minor nuisance, though.
There's a little bit of a problem with the lock-distribution setup on the initial lock: if you assume that the bolt starts out filled with a bunch of placeholder locks, any new authorized person has to remove one of those locks to put theirs on. How do they do that in an accountable way (i.e. not just use one of the placeholders to get in and not bother with their own)? The only low-paperwork solution I can think of is to make the placeholders only openable with a boltcutter, and have the newly-authorized person deliver the cut link to the authority.
I have also seen the "chain of padlocks" thing and this is better from an "overlapping user" perspective.
Of course for this one you have a defined maximum number of users that cannot be exceeded [without adding a lot of complexity] and you need a fixed number of locks from day 1.
With a chain of padlocks, you would need a collusion of multiple entities to steal the whole chain; even then the longer the user had been involved the farther towards the outside his lock probably is. That would enable him to steal the maximum number of padlocks, but by then he'd probably be the most trusted.
I don't understand what "issues of key distribution" this avoids.
This reminds me of articles about Picture Hanging puzzles. This has been studied by Erik and Martin Demaine and Ronald Rivest (the R of RSA if I am not mistaken). I read it in an article by the French scientist Jean-Paul Delahaye, but the page gives the rough idea:
I forgot to mention (in the image description) that all of the padlocks were 4-digit combination locks. I suspect (but don't know for certain) that the property manager maintained which entity was assigned to each lock and the PIN for that lock. If a new entity needed access to the ranch, all the property manager would need to provide is the location of the lock (the count either clockwise or counter-clockwise from "Zachry") and the PIN.
@Eric - the "issues of key distribution" is solved by this solution thusly: Okay Mr. Hunter you want access to my land? That is fine, once you sign this contract, bring your own padlock with you and we will meet at the gate. I will remove one of my "filler" locks and you will put your padlock there. You will be the only one with the key as you got it when you bought the padlock.
As the owner of the land, I don't need a copy of Mr. Hunter's key as I have a key to my own lock, so I can still access my land; I do not have to give a key to Mr. Hunter since he will have his own key for his own lock. If Mr. Hunter loses his key, he will have to get it replaced or get a new lock. And he will not have to bother me with getting a replacement key.
I am from the Netherlands where there are a lot of bicycles and many of them get stolen. One should always tie their bike with a chain lock around some pole or other, usually a street light post or a bicycle stand. Now, you could also tie bikes together, but you have to be smart, so any bike owner can get their own bike without the others. The trick is to NOT tie the chain around your bike and around someone else's bike, but around your own bike and THROUGH someone else's chain!
Works like a charm :)
Imagine if someone loses the key to the lock in a one-lock system: Everyone needs to be issued new keys. This would require a central agent and lots of time and hassle.
Imagine if someone loses the key to the lock in the presented multi-lock system: No one else but the lock's owner needs to be involved. (He gets a lock cutter and a new lock, and swaps the locks.)
Does this scheme exist in any cryptographic primitive construction? It seems something like multiple encryption in onion routing, but the existence of a secret key doesn't reveal the plaintext.
Re: chain of locks, weld one lock or part of an actual metal chain to the gate, and no one person can steal or misplace the rest of the chain.
@kevin, do you have a picture of this? I can see you locking your bike to someone else's chain, but when that other person unlocks their bike and takes their chain, now your chain is only connected to your bike, meaning your bike is unsecured.
@curious, the analogue would be a cryptosystem with multiple secret keys, where all keys must be present to generate ciphertext (all locks must be locked to secure the gate), but any key could be used to decrypt ciphertext (any lock may be opened to open the gate).
Perhaps a secret sharing scheme, where pieces of the secret are broken up amongst y entities, and x out of y must collaborate to regenerate the secret. In this case, x == 1.
The simple version, a nesting series of padlocks and a short length of chain, often has the chain unsecured. So if you open one lock and leave it open, someone could make the gate unlockable by stealing all the locks and the chain.
Often with fire gates, a failure state of unlocked is safer and better. In a typical rural setup, there will be two or three "agency" locks (fire, sheriff, utility, public landowner) and individual locks for private landowners (Albert, Baker, Charles, etc.)
It is awkward to reissue keys to every utility lineman or every piece of fire apparatus, so keys to these locks are controlled although the locks effectively are not. The landowners change more often and bring new locks when they do. Combo locks mean greater sharing and less accountability, which is nice for granting access by phone and not so nice when your neighbor gives out the combo to his buddy the meth-head. (Can keys be copied? Easily. On a wind swept ridge ten miles from town on a Saturday evening, not so much.)
Given the nature of the lock, etc., it would imply this is in a location that is not heavily travelled, populated or otherwise frequented. So one could just as easily shoot off one of the locks, pick one of the locks, or shatter one of the locks using techniques such as a CO2 fire extinguisher -- or even bolt cutters.
@N0R7H: Not all padlocks can be shimmed easily. All cheap ones, however...
You can't steal all the other locks in a chain of locks... they are still linked to one another; you're removing a link, so the "chain" is now in two pieces. Also, inserting a lock "in between" two other locks would not do anything in the "chain of locks", as you can still remove your lock, and the chain is broken. Now if someone "shorts" the chain, and links your lock's neighbor to your other neighbor's lock, removing your own will no longer work. But perhaps you meant that in the OP's link, if someone puts a lock between you and your neighbor, then you're both screwed.
As for solving the problem of key issuing, the maintainer or person in charge of securing that mechanism only has to issue the keys once. From that point on, the padlock and key are yours to maintain; they can wash their hands of it. Should you lose your key, you need to cut the old lock off and replace it. It's much like your username and password: if it needs a "reset", then cut it off and replace it, just like the helpdesk will give you a new password. To me this lock mechanism is an access control list, but it only authenticates; it can't necessarily authorize. A key can be borrowed, stolen or lent, so the "authorization" moved to the key holder and/or the physical mechanisms.
In underground mining (and probably other things like construction) they use multiple locks/one hasp, so for example an electrician comes in, locks the lockout and goes on back out of sight, etc. etc.; whatever it is that's locked can't be accessed until *all* the locks are off. A good example is a blasting box, i.e. where you pull the lever to set off a charge with electric blasting caps; it's very easy for someone to enter a dangerous area from one side while the guy who wants to pull the trigger departs another way, and without the lockout bad things can happen.
The barrel lock is susceptible to a DoS attack if the central pin gets cut or the barrel filled with sand. You also can't do maintenance on the barrel without removing all locks (or, I guess, all but one).
@MarkRusk: Actually, most locks in your picture are not combination locks, but locks that have to be opened with keys.
@Curious: Here is an analogous system for a cryptographic system.
Encrypt a document using any suitable algorithm and a "random" key.
Create a series of auxiliary files by encrypting the decryption key using the public key(s) of anyone authorized to access the document. Any such person can then access the document by using their private key to get the decryption key.
This scheme can be elaborated in all sorts of ways. One idea, for example, is that the document can be periodically re-encrypted by an administrator, without involving the users of the document - in some environments, such regular maintenance may benefit security.
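The construction sketched in the comment just above (a random data key, wrapped once per authorized party so that any single party can unwrap it) is the hub of padlocks in code, and it is also how LUKS key slots work: one volume key, several slots, any one passphrase opens the disk. The Go program below is an added example, not from the post or from any commenter. Where the comment wraps the data key under each reader's public key, this variant has each party wrap it under a symmetric key of its own at enrollment, which mirrors the landowner unlocking his own lock so the newcomer can hang theirs without the owner ever holding the newcomer's key. AES-256-GCM from the standard library does the wrapping; the party names, the payload and the keys are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// must panics on errors that cannot occur with well-formed 32-byte keys
// (AES key size, GCM setup, randomness); real code would propagate them.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}

// seal returns nonce||ciphertext under AES-256-GCM; aad binds the blob to one purpose.
func seal(key, plaintext, aad []byte) []byte {
	a := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := randBytes(a.NonceSize())
	return a.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; a wrong key or a tampered blob fails authentication.
func open(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	a := must(cipher.NewGCM(block))
	if len(blob) < a.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return a.Open(nil, blob[:a.NonceSize()], blob[a.NonceSize():], aad)
}

const payloadAAD = "gate-payload"

// Gate is the hub: the payload sealed under a random data key (dek), plus one
// copy of dek per party, each wrapped under that party's own key.
type Gate struct {
	Payload []byte
	Slots   map[string][]byte // party name -> dek wrapped under the party's key
}

// NewGate seals the payload and hands the owner dek, the thing any opened
// padlock yields. The owner is the only party who keeps it unwrapped.
func NewGate(secret []byte) (*Gate, []byte) {
	dek := randBytes(32)
	return &Gate{Payload: seal(dek, secret, []byte(payloadAAD)), Slots: map[string][]byte{}}, dek
}

// HangLock is the party's move at enrollment: the owner has just opened the
// gate (handing over dek); the party wraps dek under a key the owner never
// sees and hangs it in its own slot. No other slot changes.
func (g *Gate) HangLock(name string, partyKey, dek []byte) {
	g.Slots[name] = seal(partyKey, dek, []byte("slot:"+name))
}

// CutLock is revocation or a lost key: one slot goes, the rest are untouched.
func (g *Gate) CutLock(name string) { delete(g.Slots, name) }

// Open is any single party's move: unwrap dek with its own key, then open the
// payload. Any one key suffices, which is exactly the weakest-padlock property.
func (g *Gate) Open(name string, partyKey []byte) ([]byte, error) {
	wrapped, ok := g.Slots[name]
	if !ok {
		return nil, errors.New("no lock hung for " + name)
	}
	dek, err := open(partyKey, wrapped, []byte("slot:"+name))
	if err != nil {
		return nil, errors.New("key does not fit lock " + name)
	}
	return open(dek, g.Payload, []byte(payloadAAD))
}

func main() {
	// Constructed demo: the payload stands for whatever an open gate grants.
	g, dek := NewGate([]byte("gate open"))
	hunter, gasCo := randBytes(32), randBytes(32) // each party's own padlock key
	g.HangLock("hunter", hunter, dek)
	g.HangLock("gas-co", gasCo, dek)
	out, err := g.Open("gas-co", gasCo)
	fmt.Printf("gas-co opens: %q %v\n", out, err)
	_, err = g.Open("hunter", gasCo) // the gas company's key does not fit the hunter's lock
	fmt.Println("gas-co key in hunter's lock:", err)
	g.CutLock("hunter") // hunter lost his key: cut his lock off; nobody else is bothered
	_, err = g.Open("hunter", hunter)
	fmt.Println("hunter after cut:", err)
}
```

Replacing a lost key is the same two steps the thread describes: the owner cuts the old slot, opens the gate with his own key, and the party hangs a fresh wrap under a new key. The one thing this symmetric variant cannot do that the public-key version in the comment can is let the owner re-key the payload alone; every party would have to re-wrap, exactly as with real padlocks.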
@Wert erm kernfersed - You've missed the point on how inserting an additional lock can deny access to one or all of the other key/lock owners. If there is a chain of locks A, B, C, D in order and I now add a new lock Z that locks A & D together, I create two parallel chains of locks - A, B, C, D and A, Z, D - so then unlocking B or C will not release the chain -- try drawing it out and see. Similarly I could deny everyone access simply by running a chain through all of the other locks, looping it through the main hasp and locking it with my own lock.
This does solve the key distribution problem, but does so by replacing it with a quality control problem that is generally beyond the gate owner's control. Unless, of course, the gate owner wants to spend a lot of time inspecting the quality of every single lock on his gates. Time that might well be better spent buying reliable locks and passing out keys.
Then there's a back door issue. If the gate owner issued keys to one lock, it would be pretty obvious if someone replaced the lock at a heavily used gate. But with the multi-lock system, an attacker could replace an infrequently used lock with his own - giving him easy and legitimate looking access for a very long time.
> In underground mining (and probably other things like construction) they use multiple locks/one hasp...
It's an idea that is a lot more common than you would suspect.
In electrical and electronic systems it's often called an "interlock" which cuts power if the cabinet etc is opened.
You will find such a system in most microwave ovens where the "dogs" on the door and inside some hinges provide not just physical locking but also push against a number of micro switches that in some cases open circuit the supply and in others short circuit it and take out the fuse...
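The lockout hasp in this comment and the mining one above is the dual of the gate: every lock has to come off before anything happens. In cryptographic terms that is n-of-n secret sharing, which XOR gives for free: split the key into one share per padlock, all random except the last, and nothing short of the full set yields it. The Go program below is an added example, not from any commenter; the secret and the three parties are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"errors"
	"fmt"
)

// Split turns secret into n shares, one per padlock: n-1 shares are uniformly
// random and the last is chosen so that the XOR of all n equals the secret.
func Split(secret []byte, n int) ([][]byte, error) {
	if n < 2 {
		return nil, errors.New("need at least two locks")
	}
	shares := make([][]byte, n)
	last := append([]byte(nil), secret...)
	for i := 0; i < n-1; i++ {
		shares[i] = make([]byte, len(secret))
		if _, err := rand.Read(shares[i]); err != nil {
			return nil, err
		}
		for j := range last {
			last[j] ^= shares[i][j]
		}
	}
	shares[n-1] = last
	return shares, nil
}

// Combine XORs whatever shares are presented. With every share it yields the
// secret; with any one missing the result is just random bytes, so nothing
// happens until the last padlock is off. Mismatched share lengths return nil.
func Combine(shares [][]byte) []byte {
	if len(shares) == 0 {
		return nil
	}
	out := make([]byte, len(shares[0]))
	for _, s := range shares {
		if len(s) != len(out) {
			return nil
		}
		for j := range out {
			out[j] ^= s[j]
		}
	}
	return out
}

func main() {
	secret := []byte("arm the blasting box") // constructed demo payload
	shares, _ := Split(secret, 3)           // electrician, fitter, shot-firer
	fmt.Println("all three locks off:", bytes.Equal(Combine(shares), secret))
	fmt.Println("only two of three:", bytes.Equal(Combine(shares[:2]), secret))
}
```

Contrast this with the gate, where one unwrapped copy of the key per party means any single key opens it; here a single missing share leaves the others holding uniformly random bytes. Thresholds between the two (k of n) need Shamir's scheme rather than XOR.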
@Troy and others:
This security measure is not meant to be strong. A fence or a gate without defenders is pretty weak security anyway. This is meant to stop casual trespassers who aren't going to jump or run down the gate or cut the chain or lock, while allowing legitimate access without much hassle. Definitely the area protected by this clever hack is not worth having more security or nearly any security at all. The protection provided is only slightly stronger than not locking the gate at all and posting a "no trespassing" sign. It will keep honest people out.
There's also some security in depth provided by the legal system and I believe that's one of the reasons for implementing this solution: trespassing quite often carries a lesser punishment than breaking and entering.
> the gate is only as secure as the weakest padlock.
or the weakest combination code
or the weakest process to store a code
or the weakest person who has a code
or the weakest point of the gate itself (hinges?)
or the fence the gate is attached to
What you need is layered defence, perhaps place many big angry objects with horns snorting on the other side?
omg I need to stop thinking like this ... but I can't :(
@Peter A. and others:
The fence and gate are not intended to keep people out, but to keep animals in. As Peter A. said, the lock deters casual trespassers. It deters them from opening the gate, leaving it open out of ignorance, and letting the animals out.
A "farm gate" isn't a high-security scenario. Typically, the purpose of such a gate is to prevent low-level malicious activity; hikers or transients leaving the gate open so valuable livestock can wander off.
Remember, your fence is typically vulnerable to a $5 pair of wire cutters or a Leatherman tool; the point at which someone would simply bypass the whole locking system is very low.
> Another problem with the "chain of padlocks" approach is that (at least some) users can be maliciously locked out by a stranger with a spare padlock or two.
One could also look at this as a feature, rather than a bug. While it could be used maliciously as you suggest, the same approach also provides a mechanism for "key revocation". If the padlocks are normally linked in the order A-B-C-D, then the 'gate sysadmin' can put his own padlock between A and C to temporarily suspend user B's gate privileges without requiring bolt cutters, without damaging B's lock, and without affecting any of the other gate users.
The core idea behind it isn't that there's a weaker item connected to it, it's that it simplifies key issues. Let's say a similar system was installed on a secure container or enclosure to eliminate the reasoning and focus on the point.
I buy one of those...things....and 15 high-security padlocks. Put them all on the hub. When someone needs access, you simply give them a key from the pile of 15 (and, if you're nice you tell them which lock it goes to). So now that you've given out 15 keys, let's say someone loses theirs. With 15 keys for one lock you would have to replace the lock + 15 keys (in the possession of 15 different people). Instead, with this, you simply cut off their lock, put a new one on, and give that one person a new key.
It's pretty much like resetting a user's password. You can reset a single user's password without having to reset everybody's. Good idea.
It's like how modern (well, the penultimate) generation of hotel doors work (the standalone units with the key cards). If a staff member loses their key, that key can be removed from the lock without replacing the lock and every other staff member's keys. Not generally possible (without a hub-type thing on every door) with hard keys.
The issue of multiple padlocks is one I deal with on a regular basis at work. I work for the Los Angeles Department of Water and Power, and we have a large number of gates, fences, and whatnot which need to be opened by a number of different entities.
The simplest solution is the "chain of padlocks" where up to a dozen padlocks can be found linked together to form a chain. As has been mentioned, it's quite possible for one or more locks to be bypassed, accidentally or on purpose. The most common way for this to happen is, in a chain of locks A-B-C-D-E, someone opens lock C, and on re-locking links to lock E rather than lock D. The result is that opening lock D no longer opens the chain. Of course, if lock C is fastened to the chain after lock E, then both D and E are bypassed.
I have, on one or two occasions, solved this problem for a lock I'm supposed to use and which has been bypassed by cutting the chain on the opposite side from the chain of locks. After I've finished my work in the area, I close the break in the chain with my lock, which had been bypassed. The rest of the chain still functions, all the remaining locks continue to secure the space, and opening any one lock provides access to the space. And it's physically impossible to bypass my lock any more, because the chain just isn't long enough.
I've also seen the "disc with a number of holes" assembly on at least half a dozen gates, some of them with protective housings of varying nuisance factors. The problem of adding additional locks can be addressed in two ways. 1) Start with only as many holes in the disc as you need to accommodate the locks you want to use, and drill extras as needed. 2) Use a disc with a full complement of holes (whatever that is) and attach a barrier of some sort -- a grommet, a bolt, or additional copies of the owner's lock -- to whatever holes are not going to be used to accommodate other people's locks.
Other work-arounds include the use of metal bars that fit through slots in gates, with holes at each end to accommodate locks. The bar holds the gate shut, just like the classic "bar the door" configuration, but you need to unlock a lock on one or the other end of the bar before you can slide it out. The bar, in turn, can be held in place by additional bars which themselves are held in place using padlocks on each end. (I'm not sure if my description does this justice. Maybe I'll take a photo next time I access one.)
Then there are facilities like the major reservoir complexes which need to be accessible by larger numbers of different entities. Access to these facilities is controlled by a more complicated mechanism called a "security guard".
Another idea would be: same as before, but only _one_ specific padlock will open the gate. Best case: one try, average: 2/n, worst case: all; perception of a thief: f*ck that :D
That would work for the first couple of months, but over time it would become obvious which lock was being used.
@Kevin: The problem with that method of temporary revocation is that A or C can restore B's access.
@paul, re: "if you assume that the bolt starts out filled with a bunch of placeholder locks, any new authorized person has to remove one of those lock to put theirs on. How do they do that in an accountable way?"
Simple. The landowner drives out there with the new keyholder, unlocks his lock, and lets the new guy put his on. It's kind of handy: the act of granting privileges also provides authentication of both parties.
And one big advantage to this system over the "chain of padlocks" -- probably the reason they set this up: only the landowner can grant access without losing access himself. With a chain of locks, if landowner Alice grants access to fisherman Bob, Bob can grant access to Eve without Alice's permission. And Eve, it turns out, is a cattle rustler.
@Chii - in Oz, bolt cutters are referred to as "master keys" ;-)
Thanks to Bengt-Erik Norum for finding that patent. It's expired, by the way, but links to a bunch of other interesting solutions for this problem -- some expired, some not.
As others have noted, it is difficult to achieve any but a "nuisance" level of security for this situation, for several reasons:
- At least one user will choose a cheap padlock that is easy to bypass;
- Being in a remote area, such a gate is usually left unmonitored, perhaps for weeks at a time;
- People working in remote areas often carry heavy tools that can quickly breach all but the heaviest barriers;
- With perimeters many tens of miles long, heavy barriers are too expensive so usually the fence is just a 3 or 4 strand cattle fence;
- The protected area inside is large and mainly unmonitored, so it is difficult to even detect if someone duplicates access or obtains unauthorised access.
The most impressive solution I ever saw, worked as follows. First, the shared gate was cheap but robust due to careful selection of location, and some handy use of a welder. It was not far off the route a local jobbing farmer took, so he was paid an honorarium (in venison) to maintain it. During his own rounds he usually passed it twice a day, so it was checked frequently.
The lock was a combination lock that requires a special change key to reset the combination. The change key was held by the farmer, and once a month he would change the combination. To get the new combination you drop in to his house, have a cup of coffee with him and the missus, and if you're still on the "list", you get the new number.
It's not foolproof, but it's cheap and pretty robust. The main disadvantage is the custodian needs to be on the ball (not use guessable combos; not forget the new combo; not let visitors soft-soap him) yet still do the duties very cheaply.
When I was a kid in the 1960s, my uncle worked for a major oil company. Whenever he needed to go through a gate (work related), he would try his keys to see if they fit any of the other padlocks. If not, he would pull out his bolt cutters, take out the last chain link before the chain of locks, and then add a padlock he had a key for to the chain.
I never understood what this means:
"The point is to allow multiple entities (oil and gas, hunting parties, ranch supervisors, etc.) access without the issues of key distribution that would arise if it were just a single lock"
Can anybody explain please !
@ Imran Shafi
It means if they used only one lock, a key for that lock would have to be distributed (given) to any one (entity) who needs access (unlock the gate).
Any system using padlocks isn't *meant* to keep determined attackers out. It's just enough so people will stop for a moment and think about what they're doing. It stops otherwise honest people who might want to take a shortcut or try to park their car and leave the gate open in the process.
It's also slightly different from the chain in one aspect: With the chain, people who feel like they should have legitimate access will cut the chain and place their lock in between. But sometimes there's a reason they don't actually have a lock in the chain (like, you know your neighbor usually leaves the gate open)
@Imran: Like someone said already, the main issue is actually redistribution, when a key is lost. If there's only one lock, everyone has to get a new key. With multiple locks, only the guy who lost his key.
I thought at first that the lock was intended to keep a gate closed so animals couldn't escape but a closer look shows that there is a cattle grate beside the lock. I have seen ranch/farm gates out west that use grates but no gate because cattle won't walk on the grate. I don't know about horses.
Frances's mention of cattle grates reminds me of a classic: supposedly, once cattle become familiar with cattle grates, you can keep them out by just painting parallel white lines on the road.
A classic example of security theater! It works great, so long as your intruder is a cow.
I'm just waiting for the new boy on the round to turn up with a key ring of 50 keys, look at the 16 locks and start trying each key in each lock.
@Jason, I disagree; it's not security theater if it actually works. Security theater would be a contractor building an open gate with a sign that says "COWS KEEP OUT", for a client stupid enough to be satisfied by it.
> a sign that says "COWS KEEP OUT", for a client stupid enough to be satisfied by it...
That would not be Security Theater either!!! It could qualify as Security Zoo or Security Circus :)
@Jason, I disagree; it's not security theater if it works.
Security theater would be an open gate with a sign that says "COWS KEEP OUT"-- built by a contractor for a stupid client.
thanks Bengt-Erik Norum for the useful link :)
The purpose of these gates on ranches is not to keep criminals out. It's to keep the cattle in (and to keep casual visitors such as tourists out). The purpose of the multiple locks is to make sure that the landowner can tell who it was who left the gate open. With a single lock and multiple keys the guy who screwed up could plausibly deny responsibility. With multiple locks he knows he can't and so will be careful. It's about accountability, not security.
The reason for having a gate next to a cattle grate is that horses (and some vehicles) can't cross the grate.
@ Northern Realist
Isn't that true of any gate? I could run some chain around it and lock it.
(I'm tempted to say that the "shorting" attack is as much a feature as a bug---you can cut just one person off fairly easily)
I have dealt with a lot of these chains of locks as a paraglider pilot, where we are one of many who have access to mountain roads to our launch sites, often a cellphone tower site with limited access.
In many cases some or even all of the locks are combination locks of the kind that have 4 rotatable dials.
Having forgotten my combination on more than one occasion, it was easy to find it.
As occasional users are apt to forget which lock is the one they can open, they will try their combination on one of the others first. Not caring about the security, they don't scramble it before trying another lock.
So usually, the correct combination is sitting there dialed in on one of the other locks. It is just a matter of using it.
That said, the whole idea is very low level security to prevent casual visitors from opening the gate and driving the road, leaving the gate open, or creating a liability situation, should the driver have an accident on a poorly maintained dangerous stretch. Anyone with a bolt cutter could get in in a second.
GeoNomad, you're quite right about the combinations being left on the other locks. Often when they do scramble it, they only hit one or two dials, so by writing down the combinations that show on all the dials when you approach sites, patterns quickly emerge and even "scrambled" combinations are easily revealed.
Good thing, too! As a cell-site tech, I often found that our lock was jammed, malfunctioning, or locked out of the chain as Karl describes. Using the other guys' codes always got me in, and then I could put our lock back into the chain without resorting to the "red key" (bolt-cutters).
On one occasion I remember distinctly, the chain of locks worked fine but the gate mechanism itself was seized solid with rust. Judicious application of some Very Serious Pliers allowed disassembly of the hinge, which had thoughtfully been installed with the bolts facing out. The property manager loved that one.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.