Re: Keep it secret, stupid!
> > The tragic part is that there are alternatives. There are several lock designs that turn out to resist this threat, including master rings and bicentric locks. While these designs aren't perfect, they
>
> I think it is worth pointing out that, while master ring systems (and master-keyed systems with false steps added) resist the attack Matt describes, they often make the task of picking the lock (on a case by case basis) easier.

Actually, master ring systems make it considerably harder to pick a lock. Sometimes a pin will set at the master shear line and sometimes it will set at the change shear line, but unless all pin stacks catch at the same one, the lock won't operate. (This phenomenon is also why it is difficult to pick a SFIC core with conventional torque tools). Adding false cuts does increase picking vulnerability, of course.

Personally, I think it's a shame that master ring designs have all but disappeared. They're still listed as an option in the Corbin-Russwin catalog for a few commercial cylinders, and are also used in some prison locks as I understand it.

-matt

> That needs to be considered when designing a physical security plan. One may wish to key locks of particular importance separately from the master ring system if entry by picking is a concern. (There are some master-key systems, like the one made by Corbin, that require pin rotation at the proper time to unlock the secondary shear line. And, as Matt mentioned, bicentric cylinders avoid this problem completely. Cost may be a major concern with these solutions, though.)

- The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

Re: Keep it secret, stupid!
> Matt Blaze wrote:
> > Once I understood the basics, I quickly discovered, or more accurately re-discovered, a simple and practical rights amplification (or privilege escalation) attack to which most master-keyed locks are vulnerable.
> >
> > http://www.crypto.com/masterkey.html
>
> Matt, is there some reason why you didn't bother asking a single locksmith if they knew about this attack already before claiming it was 'new' in your paper? Have you looked into the differences in actual costs of production of the various ways of making locks more secure? Do you have any information on how common various ways of breaking into locks are done in practice?

Of course I did. What gave you the idea that I didn't?

> I'm not arguing that security through obscurity is a good thing, just pointing out that your claims of the importance of your publication are being made mostly in ignorance.
>
> -Bram Cohen
>
> Markets can remain irrational longer than you can remain solvent -- John Maynard Keynes

Re: Keep it secret, stupid!
Matt Blaze wrote:
> Once I understood the basics, I quickly discovered, or more accurately re-discovered, a simple and practical rights amplification (or privilege escalation) attack to which most master-keyed locks are vulnerable.
>
> http://www.crypto.com/masterkey.html

Matt, is there some reason why you didn't bother asking a single locksmith if they knew about this attack already before claiming it was 'new' in your paper? Have you looked into the differences in actual costs of production of the various ways of making locks more secure? Do you have any information on how common various ways of breaking into locks are done in practice?

I'm not arguing that security through obscurity is a good thing, just pointing out that your claims of the importance of your publication are being made mostly in ignorance.

-Bram Cohen

Markets can remain irrational longer than you can remain solvent -- John Maynard Keynes

Re: Keep it secret, stupid!
On Sun, 26 Jan 2003, Matt Blaze wrote:
> The tragic part is that there are alternatives. There are several lock designs that turn out to resist this threat, including master rings and bicentric locks. While these designs aren't perfect, they

I think it is worth pointing out that, while master ring systems (and master-keyed systems with false steps added) resist the attack Matt describes, they often make the task of picking the lock (on a case by case basis) easier.

That needs to be considered when designing a physical security plan. One may wish to key locks of particular importance separately from the master ring system if entry by picking is a concern. (There are some master-key systems, like the one made by Corbin, that require pin rotation at the proper time to unlock the secondary shear line. And, as Matt mentioned, bicentric cylinders avoid this problem completely. Cost may be a major concern with these solutions, though.)