
Master Keys - mikegerwitz
http://www.schneier.com/blog/archives/2012/10/master_keys.html
======
jgrahamc
Also, if you are interested in actual master keys, Matt Blaze's paper on the
subject is a classic: <http://www.crypto.com/masterkey.html>

"In a recent research paper, we describe weaknesses in most master-keyed lock
systems, such as those used by offices, schools, and businesses as well as by
some residential facilities (particularly apartment complexes, dormitories,
and condominiums). These weaknesses allow anyone with access to the key to a
single lock to create easily the "master" key that opens every lock in the
entire system. Creating such a key requires little skill, leaves behind no
evidence, and does not entail engaging in recognizably suspicious behavior.
The only materials required are a metal file and a small number of blank keys,
which for many locks are readily available."

------
jgrahamc
If you follow through to the story that shows a picture of the keys two things
are notable: these are pretty easy keys to duplicate (especially given the
nice clear photograph of them) and it was the New York Post who both broke the
original story and posted a picture of the keys (face palm).

~~~
finnw
I was slightly surprised that they just look like regular keys. I was half
expecting them to have special grooves, or protrusions, or magnets or
something.

~~~
btilly
Nope. Just a regular key that hits a specific set of pins that are required to
be there.

If you think about it, designing a lock that takes 2 completely different
types of keys would be very difficult. If you don't fit the grooves that a
regular key does, you don't fit. So you have to use the same blank. After that
it is just the set of grooves that matters.

~~~
paulgerhardt
> designing a lock that takes 2 completely different types of keys would be
> very difficult

This is actually fairly common in commercial buildings. The keys have a
channel running down the side (the 'grooves' you speak of). The grooves
determine what kind of keyway the key can fit into. You can configure your
locks so a certain groove pattern will only fit a subset of your locks, while
another kind of groove will fit into all of them. Schlage for instance makes a
series of keyways (A, C, D, E, F, G, H, J, K, L, M, XP etc.) that are
specified to do exactly this. I always forget which, but I believe it's the L
keys that will fit into most of the other keyways.

You can consult Schlage's own books to learn more:
<http://professional.schlage.com/pdfs/sss/Schlage_Key_Systems_Answer_Book.pdf>
(scroll to the end.)

------
MattRogish
Master keys are the very definition of "security through obscurity". As Bruce
says, this is a very hard problem and one that has been reasonably solved for
a long time. However, thinking that sophisticated terrorists or criminals have
been unable to exploit this merely because they haven't been to eBay is naïve
to the extreme.

~~~
nathan_long
>> Master keys are the very definition of "security through obscurity".

Not really. A key is like a physical password. Security by obscurity is "I'm
betting you don't know what kind of lock/encryption I'm using." Legitimate
security is "I won't give you my key/reveal my password."

Just because there's a secret doesn't mean you're Doing it Wrong. "Something
you know" is a valid authentication factor.

~~~
mikeash
Security through obscurity is, ultimately, betting your system on something
you can't ever change.

A key that you give out to thousands of people and cannot be changed
afterwards ceases to be a key and becomes an intrinsic part of the system.

With a real key, when a leak like this happens, you invalidate the leaked key
and issue a new one. In this particular case, they're basically stuck hoping
that nobody does anything nefarious with this key.

The mere existence of a physical key does not make it security through
obscurity. It's the fact that the same physical key is distributed to
thousands of people with no good way to control them all or compensate for a
leak that makes it security through obscurity.

~~~
TeMPOraL
> The mere existence of a physical key does not make it security through
> obscurity. It's the fact that the same physical key is distributed to
> thousands of people with no good way to control them all or compensate for a
> leak that makes it security through obscurity.

Semantic nitpick, but how does that make this security through obscurity?
S.T.O. is not betting your system on something you can't ever change, it's
betting your system on hoping the attacker won't guess how the lock works. I
think we should be careful not to use inappropriate labels, as this dilutes
the language and makes it more difficult to communicate.

~~~
gknoy
It's a different sort of "security through obscurity". We all know that many
locks (elevators, etc) have a master key -- we see the receptacles every time
we ride in such an elevator. The obscure part is not that there IS a master
key, but rather its shape.

A master key is the same as a backdoor known to few. Whether you're using a
key that fits the lock, or know that 'Joshua' is the superuser's login, it's
still a "secret" which only provides protection while it's actually secret. I
think it still counts as STO.

~~~
TeMPOraL
Not meaning to start any kind of semantic flame war, but I'm still not
convinced.

> Whether you're using a key that fits the lock, or know that 'Joshua' is the
> superuser's login, it's still a "secret" which only provides protection
> while it's actually secret.

But isn't the same true about passwords? Aren't passwords secrets providing
protection only when they remain unknown?

The problem here lies, IMO, not with secrecy but with the password/key
distribution and protection. I could imagine a situation similar to that
described in the article if an administrator gave the server's root password
to half of the company staff, hoping that no one leaks it.

------
CaptainZapp
I was wondering about the same thing regarding those TSA locks.

My fancy new luggage comes with combination locks and in addition with one of
those TSA locks.

The thing is, how many different lock combinations are there? (My guess: less
than a dozen.) How widely must the master keys be distributed? Well, in
multiple instances to every airport in the US and then some. How long until a
bunch of dodgy luggage handlers own a set of those locks?

While the consideration of not having to break your luggage is nice, the
implementation seems not very secure to begin with (yeah, I know: neither are
luggage locks, but still).

~~~
jgrahamc
Detailed analysis of the TSA locks:
<http://download.security.org/tsa_luggage_locks_report.pdf>

~~~
smackfu
That's depressing.

Especially the part about how you can just bust open the zipper on a locked
bag anyways.

------
jasonkolb
I assume the lock industry will be added to the list of industries that will
lobby like hell against 3D printer technology. I'm putting the over/under on a
3D model of these keys showing up on the Net at about a day.

~~~
andr
Key-making machines are already widespread and much cheaper than 3D printers.

~~~
camiller
Equally, a set of metalworking files and key blanks/brass stock are much
cheaper than key-making machines.

------
jdechko
Michael Brady, commenting on the original article, said it best.

"Master keys are a convenience, not a security measure."

------
rikf
Like a smart terrorist/activist/pranker couldn't learn how to pick locks.

------
precisioncoder
I feel like if this were to be replaced by a digital solution it would be
essential that multiple vendors would be used. There was a big vulnerability
that occurred with hotel locks that seems like it would have been mitigated by
multiple vendors.
<http://www.schneier.com/blog/archives/2012/08/hotel_door_lock.html>

~~~
buro9
Given when such keys need to be used, a digital solution would also need to
work in emergencies such as flooding, fire, and partial destruction (door and
lock internals fine, outer lock and door severely damaged).

I imagine that it's easier just to stick with the good old master keys.

I've long believed that most locks are not there to stop professionals,
they're just there to stop the opportunist.

If you're at peace with this then there's little advantage spending an
extremely large amount of money putting in place a sub-standard digital
solution.

The existing system is good enough.

~~~
bjxrn
I've heard it before: "Locks are there to keep honest people honest."

The lock on your front door won't stop someone breaking into your house. Or
rather: your lock likely isn't the weakest point when it comes to keeping
people out.

However, with the master keys it's not just about getting into places where
you shouldn't be able to go, it's also about more or less locking a whole
place down by disabling elevators. I can imagine you could put something a bit
more complex to disable something which already requires electronics to
function.

~~~
precisioncoder
Yeah, I guess master key usage is just a little too broad. Opening doors
doesn't seem like a huge issue, but I would at least require a supplementary
password entry for crucial functionality like disabling elevators.

~~~
buro9
And in those life and death situations that emergency workers are involved
in... would you accept the loss of a life because the emergency worker
couldn't get hold of the password in time to save someone?

As I said... it's good enough.

~~~
precisioncoder
A second layer of protection for critical features that could cost lives is
always a good idea. Have to balance authorized people using them with
preventing unauthorized people from causing chaos, maybe a standardized pass
code that changed once a month and all rescue workers received. If for
instance 3d printers become household items and the key pattern is widely
distributed online it could end up being a big problem.

------
ezpassmac
I think that this article represents the need for digital locks. So far, no
one has disrupted this space and there is a HUGE market. Think of everyone who
lives in an apartment/house in the world. Now take only 1% of 1% of 1% and
that's going to be a very large number of people who would sign up.

~~~
potatolicious
> _"I think that this article represents the need for digital locks."_

I disagree. We are talking about keys to critical infrastructure - fire doors,
elevator overrides, utility areas of subway systems.

These are all resources that need to be accessible in a power outage or
disaster situation. I do _not_ want our firemen to be locked out of where they
need to go because some digital lock lost power.

There is a reason in traditional engineering emergency overrides and shutoffs
are _mechanically_ implemented and don't go through a computer.

~~~
jl6
Digital lock with built-in dynamo (pull down lever?) to generate the minuscule
power required to operate it?

~~~
potatolicious
Some horrifying disaster happens in New York, the subway tunnels are flooded.
Fire crews need access to a locked/gated area, but your dynamo'ed electronic
door lock is completely kaput.

The whole point of this critical infrastructure is that it be accessible in an
emergency and have as few failure modes as possible. A mechanical lock has
very few failure modes short of changing the laws of physics.

~~~
sadga
Fire crews have bolt cutters to handle the common case of a door with a small
lock of any sort.

