
Electronic locks and Crypto/Hardening?


RobRPM2222

Sep 13, 2003, 8:47:33 AM
no, I am not going to ask "how to pick X lock".

but what I would like to ask is, for the people here with both physical
security and tech backgrounds, is how generally well-designed most real
electronic locks are, and which locks are particularly noted for being tough to
get into.

Do a lot of the electronic locks out there fall prey to the "amateur
cryptographer" syndrome, where the lock engineer lets geek pride goeth before
the fall and decides he can design his own encryption algorithm instead of
getting a time-tested one and getting pro crypto guys to check his
implementation?

if so, which locks use AES or the specialized PIC crypto algorithms that are
solid?

also, how hardened are they against physical, direct electronic, or
combinations of the two attacks? I realize some things are not worth taking
seriously in most applications (like the "fire plasma jet from shaped-charge to
defeat anti-tampering mechanisms"), but I was amazed at some of the things they
thought of protecting against for tamper-resistance when I started looking at
tamper-resistant computers in Anderson's "Security Engineering".

they have heard about the old cracker trick and the locks don't just fail when
you just tazer the dangly bits, right?

I'm not asking for detailed specifics since that would aggravate some people
here, just a general idea that either, "most electronic locks are
great/suck/suck, but you can get good ones." and if there are good ones, which
ones are good.

--
Rob Meyer | "There are only so many ways to hurt
Goshinbudo Jujitsu (MMA) | the human body, and everyone
| invented them." - Dan Inosanto

Joe Kesselman (yclept Keshlam)

Sep 13, 2003, 9:42:27 AM
RobRPM2222 wrote:
> but what I would like to ask is, for the people here with both physical
> security and tech backgrounds, is how generally well-designed most real
> electronic locks are, and which locks are particularly noted for being tough to
> get into.

It's hard finding anyone who has this information. (Which is a good
illustration of why security-through-obscurity is not always a Bad Thing.)

Most electronic locks don't actually require a lot of crypto. They're
generally challenge-and-response systems, and as long as the system has
basic provisions to prevent exhaustively searching the key space to
reconstruct that table this is likely to be Good Enough for all
practical purposes. The important thing is making sure that the
transformation from challenge to response isn't blatantly trivial.

All are designed so that brute-force attack is more likely to kill the
lock than to open it. That's relatively trivial to achieve; it's basic
fail-secure.

Higher-end ones consider Tempest issues as well. Realistically, that's
overkill for most applications.


Your concerns in electronic locks are more often basic reliability and
mechanical strength than crypto/electronic security.

--
Joe Kesselman, http://www.lovesong.com/people/keshlam/
{} ASCII Ribbon Campaign | "may'ron DaroQbe'chugh vaj bIrIQbej" --
/\ Stamp out HTML mail! | "Put down the squeezebox & nobody gets hurt."

RobRPM2222

Sep 13, 2003, 11:23:31 AM
>It's hard finding anyone who has this information. (Which is a good
>illustration of why security-through-obscurity is not always a Bad Thing.)

that tends to make me nervous, because it says to me that all it would probably
take is someone serious enough to do some real reverse engineering.

the more paranoid side of me tends to think that since nobody knows much,
someone has already figured out a class break, and is keeping it secret.

>Most electronic locks don't actually require a lot of crypto. They're
>generally challenge-and-response systems, and as long as the system has
>basic provisions to prevent exhaustively searching the key space to
>reconstruct that table this is likely to be Good Enough for all
>practical purposes.

same principle as making sure the garage door opener isn't using an 8 bit value
so you can sweep for the 256 possible values in five seconds, I assume. Only
with crypto added.

>The important thing is making sure that the
>transformation from challenge to response isn't blatantly trivial.
>
>All are designed so that brute-force attack is more likely to kill the
>lock than to open it. That's relatively trivial to achieve; it's basic
>fail-secure.

good deal.

>Higher-end ones consider Tempest issues as well. Realistically, that's
>overkill for most applications.

I assume the government drives the demand for these.

>
>Your concerns in electronic locks are more often basic reliability and
>mechanical strength than crypto/electronic security.

makes sense. sorry, I guess I fell into the "when your only tool is a hammer,
everything looks like a nail" deal.

good to know that they are taking solid design principles into consideration,
though.

d...@tanj.com

Sep 13, 2003, 1:57:09 PM
RobRPM2222 <robrp...@aol.cominternet> wrote:
> no, I am not going ask "how to pick X lock".
>
> but what I would like to ask is, for the people here with both physical
> security and tech backgrounds, is how generally well-designed most real
> electronic locks are, and which locks are particularly noted for being tough to
> get into.


I'm not an expert, just a tinkerer.

The security of the electronic lock depends on a lot of things. You have
the physical device, the technique used to enter the code, the default
codes and other issues. Crypto doesn't come into play on most of them.

The best installations will use an input method that is not easily
snooped, either via a shrouded keypad or keypads that scramble the
numbers. They will also have a lockout interval after too many tries,
accompanied by an alarm. This can backfire, but it's part of the
fail-secure philosophy. Audit logs should be configured to print out
or store remotely.

The best installations also require two or more items for authentication,
i.e. a card and a PIN, or a thumb-print and voice print, etc.

Good installations will use tamper proof wiring and tamper proof lock.

If radio or infrared is used to transmit codes, it should be encrypted
in some way.

Just proximity card or just a wireless transmitter is not very secure,
as it can be easily stolen/borrowed or even spoofed.

An alarm should be used in conjunction with electronic locks, just as
they should with mechanical locks. Access Control VS Detection.

Hope that helps you out some. There are lots of good electronic locks
in the market. Schlage, Marks, Doorking, Dynalock, Omnilock and many
others make electronic stand-alone locks.


Daniel
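
Added example (not part of any post in this thread, and not any vendor's code): a sketch of a lock-side verifier that combines the challenge-and-response scheme Joe Kesselman describes with the lockout interval, alarm and audit log Daniel lists. HMAC-SHA256, the 3-try limit, the doubling 30-second lockout and every name below are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

def token_response(key, nonce):
    """Token side: keyed transform of the challenge (HMAC-SHA256 is an assumption)."""
    return hmac.new(key, nonce, hashlib.sha256).digest()

class LockController:
    """Hypothetical lock-side verifier; policy values are illustrative."""
    MAX_FAILS = 3
    BASE_LOCKOUT = 30  # seconds, doubles after each lockout

    def __init__(self, key, clock):
        self.key, self.clock = key, clock
        self.fails = self.lockouts = 0
        self.locked_until = 0.0
        self.pending = None   # outstanding challenge, single use
        self.audit = []       # (time, event); print or store remotely

    def _log(self, event):
        self.audit.append((self.clock(), event))

    def challenge(self):
        if self.clock() < self.locked_until:
            self._log("refused: locked out")
            return None
        self.pending = secrets.token_bytes(16)  # fresh, unpredictable
        return self.pending

    def respond(self, response):
        nonce, self.pending = self.pending, None  # old answers cannot be replayed
        if nonce is None:
            self._log("rejected: no outstanding challenge")
            return False
        if hmac.compare_digest(token_response(self.key, nonce), response):
            self.fails = 0
            self._log("opened")
            return True
        self.fails += 1
        self._log("rejected: bad response")
        if self.fails >= self.MAX_FAILS:
            # Fail secure: stop issuing challenges, raise the alarm, back off.
            self.locked_until = self.clock() + self.BASE_LOCKOUT * 2 ** self.lockouts
            self.lockouts += 1
            self.fails = 0
            self._log("ALARM: lockout")
        return False
```

The clock is passed in so the lockout behaviour can be exercised without waiting; a response recorded for one challenge is rejected for the next because each challenge is random and used once.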

Roger Shoaf

Sep 14, 2003, 4:27:05 AM
I am not a big fan of electronic safe locks. My biggest issue with them is
their reliability. They seem to have a rather high premature failure rate
and they don't usually allow the locksmith many options to open them even
one last time before drilling the safe.

You probably don't need a whole lot of crypto in the design as they have
time delays for subsequent opening attempts, and to my knowledge there is no
way to read the electronics on the inside of the lock from the outside.

I think however they do suffer from a weakness, but I certainly am not going
to discuss this speculation.

Since these are closed systems why or how would you use an encryption
system?

--
Roger Shoaf
If you are not part of the solution, you are not dissolved in the solvent.


"RobRPM2222" <robrp...@aol.comInternet> wrote in message
news:20030913084733...@mb-m21.aol.com...

Putyourspamhere

Sep 14, 2003, 2:04:50 PM
>Subject: Re: Electronic locks and Crypto/Hardening?
>From: robrp...@aol.comInternet (RobRPM2222)
>Date: 9/13/2003 11:23 AM Eastern Daylight Time
>Message-id: <20030913112331...@mb-m28.aol.com>

>
>>It's hard finding anyone who has this information. (Which is a good
>>illustration of why security-through-obscurity is not always a Bad Thing.)
>
>that tends to make me nervous, because it says to me that all it would
>probably
>take is someone serious enough to do some real reverse engineering.
>
>the more paranoid side of me tends to think that since nobody knows much,
>someone has already figured out a class break, and is keeping it secret.
>
>>Most electronic locks don't actually require a lot of crypto. They're
>>generally challenge-and-response systems, and as long as the system has
>>basic provisions to prevent exhaustively searching the key space to
>>reconstruct that table this is likely to be Good Enough for all
>>practical purposes.
>
>same principle as making sure the garage door opener isn't using an 8 bit
>value
>so you can sweep for the 256 possible values in five seconds, I assume. Only
>with crypto added.

It's not really the same principle. It is simpler to intercept the
communication from a remote garage door opener, it's also simpler to attempt to
brute force it (in the electronic security sense of the term, not the crowbar
sense). With most electronic locks you have to physically swipe a card or enter
a code. You are typically limited in the number of bad attempts. Granted if the
electronics in question are not shielded well enough the system could be
vulnerable to Van Eck phreaking or a tempest attack. More practical concerns
are likely the amount of force needed to physically compromise the door/jamb
and the tendency of people to share security codes or leave their cards
unattended. Also the degree of access or lack thereof to the wiring from the
access control module to the locking solenoid(s) or mechanism. At least one La
Gard electronic safe lock is vulnerable to this type of defeat. I won't mention
the model number here.

The DOD lock program's specifications for locks to secure containers and vault
doors protecting classified information can be found here:
http://locks.nfesc.navy.mil/pdf_files/ffl2740a.pdf.

The Kaba-Mas X-09 and CD-X09 are the only two combination locks regardless of
type that I am aware of meeting the specification.

The main DOD lock program page may have some other information you might find
of use. It is here:
http://locks.nfesc.navy.mil/

RobRPM2222

Sep 14, 2003, 9:38:31 PM
>Since these are closed systems why or how would you use an encryption
>system?

I assumed they would use some form of crypto, for security on the electronic
parts of the key.

Roger Shoaf

Sep 14, 2003, 11:00:00 PM
This is what I get for reading too fast, I thought you were talking about
safe locks.

--
Roger Shoaf
If you are not part of the solution, you are not dissolved in the solvent.


"RobRPM2222" <robrp...@aol.comInternet> wrote in message

news:20030914213831...@mb-m20.aol.com...

Putyourspamhere

Sep 15, 2003, 2:30:17 PM
>Subject: Re: Electronic locks and Crypto/Hardening?
>From: robrp...@aol.comInternet (RobRPM2222)
>Date: 9/14/2003 9:38 PM Eastern Daylight Time
>Message-id: <20030914213831...@mb-m20.aol.com>

Are you talking about a swipe card based system or a keypad system?

Joe Kesselman (yclept Keshlam)

Sep 15, 2003, 11:25:31 PM
Putyourspamhere wrote:
> Are you talking about a swipe card based system or a keypad system?

Or smartcard, or Dallas chip, or other forms of token? Or fingerprint or
other forms of biometric? Or...

"Electronic locks" covers a lot of ground.

RobRPM2222

Sep 17, 2003, 2:50:13 AM
>Or smartcard, or Dallas chip, or other forms of token? Or fingerprint or
>other forms of biometric? Or...
>
>"Electronic locks" covers a lot of ground.
>

hardware, non-biometric.

Jim Gaynor

Sep 17, 2003, 11:09:35 AM
Why would you exclude biometric devices? A fingerprint, retinal pattern,
voiceprint, whatever, is just another token applied to the lock's input
device? Harder to duplicate possibly but then again when card reader systems
first started to become practical and popular in the mid '70s the chief aspect
differentiating the systems was the card technology. Once Wiegand was
introduced quite a few of the other technologies simply evaporated.

"RobRPM2222" <robrp...@aol.comInternet> wrote in message
news:20030917025013...@mb-m18.aol.com...

Putyourspamhere

Sep 17, 2003, 1:27:52 PM
>Subject: Re: Electronic locks and Crypto/Hardening?
>From: "Joe Kesselman (yclept Keshlam)" kes...@attglobal.net
>Date: 9/15/2003 11:25 PM Eastern Daylight Time
>Message-id: <3f67b...@news1.prserv.net>

>
>Putyourspamhere wrote:
>> Are you talking about a swipe card based system or a keypad system?
>
>Or smartcard, or Dallas chip, or other forms of token? Or fingerprint or
>other forms of biometric? Or...
>
>"Electronic locks" covers a lot of ground.
>
>--

Yes with regard to an electronic lock which is simply keypad operated as many
are I'm not really sure what the purpose of encryption would be. Now if we are
talking about encrypting the information on a mag stripe that makes more sense.

Roger Shoaf

Sep 17, 2003, 1:57:06 PM

"Jim Gaynor" <jga...@optonline.net> wrote in message
news:PO_9b.23972$BS1.6...@news4.srv.hcvlny.cv.net...

> Why would you exclude biometric devices? A fingerprint, retinal pattern,
> voiceprint, whatever, is just another token applied to the lock's input
> device?

Well one good reason to forget about the retinal scan is that down-sized
employees absolutely refuse to turn in their retinas when they are
discharged.

Putyourspamhere

Sep 17, 2003, 2:31:48 PM
>Subject: Re: Electronic locks and Crypto/Hardening?
>From: "Roger Shoaf" sh...@nospamsyix.com
>Date: 9/17/2003 1:57 PM Eastern Daylight Time
>Message-id: <10638214...@jaguar.syix.com>

Not much of a problem when their downsizing employer deactivates them from the
system before they are done cleaning out their desks.

d...@tanj.com

Sep 17, 2003, 3:25:34 PM
Roger Shoaf <sh...@nospamsyix.com> wrote:
>
> "Jim Gaynor" <jga...@optonline.net> wrote in message
> news:PO_9b.23972$BS1.6...@news4.srv.hcvlny.cv.net...
>> Why would you exclude biometric devices? A fingerprint, retinal pattern,
>> voiceprint, whatever, is just another token applied to the lock's input
>> device?
>
> Well one good reason to forget about the retinal scan is that down-sized
> employees absolutely refuse to turn in their retinas when they are
> discharged.


Never watched "Judge Dredd"? (yuck)

The nice thing about biometric systems is that they can be quickly
reprogrammed if the employees refuse to turn in their retinas. Many of
the commercial systems are networked to allow immediate updates when an
employee is discharged.

Don't forget, a good biometric system will also require a token of some
sort that CAN be confiscated. That can be a swipe card, key, transponder,
etc. Those are systems where the retinal scan acts as much like a PIN.

Daniel

Jim Gaynor

Sep 18, 2003, 3:12:57 PM
Best analogy would be the Hirsch keypad which scrambles the location of the
keys after every use to deter shoulder surfing.
The main weakness in any token based system is that the token may be lost,
stolen or given away. Even systems which combine something the user has plus
something he knows (reader plus PIN) are vulnerable to the same attacks.
Biometric systems which get their input from something the user is have the
greatest long-term potential from a basic security point of view. The
encryption aspect if used would come into how the data is encoded,
transmitted and stored.
"Putyourspamhere" <putyour...@aol.com> wrote in message
news:20030917132752...@mb-m22.aol.com...