http://toool.us
Deviant Ollam
Who am I?
• auditing
• assessments
• research
• trainings
• workshops
• public lectures
• lockpick village
• contests & games
The Open Organisation Of Lockpickers
Lockpicking is Fun, Fun, Fun!
First, a word about rules…
Yes, we have rules.
1. Do not pick locks which you do not own.
2. Do not pick locks which you rely on.
Deadbolts…
…The Mechanism Itself Is All The Same
How It Looks Inside
Attempt Without a Key
Operating With a Key
Pin Stacks
Using a Key
Using Lockpicks
Master-Keyed Systems
Attacking Master-Keyed Systems
“Master-Keyed Lock Vulnerability” by Matt Blaze, 2003-01-27
http://www.crypto.com/papers/mk.pdf
http://www.crypto.com/masterkey.html
Consider Alice’s key… for a lock that she can access…
Change Key Bitting Depths …
Obviously, it Works in the Lock…
So, What Can We Infer About the Inside of the Lock? …
Pins Must Be At the Edge of the Plug…
… They Could Simply be Solid Key Pins…
… But the Specific Details are Unknown…
… And these Unknowns are Hidden. So What to Do?
Prepare Exploratory Key Number One …
(Figure labels: Zero Cut; Bitting Depths Already Known From Change Key)
This Key Will be Used to Sweep This Range …
Beware That MACS Issues Can Arise …
File Position One Down a Bit …
We’re Still Encountering MACS Violations …
But Let’s Try the Key Anyway… the Lock Fails to Open
Remove the Key …
File Position One Down to the Next Bitting Depth…
Although They Look Different, These Are Both #2 Cut Depths …
MACS is No Longer Being Violated Now …
So, Let’s Try the Key Again… the Lock Fails to Open
Remove the Key …
File Down Position One Again …
Let’s Try The Key Again…OPEN! …
Of Course, That Was Expected …
Remember the Change Key? …
We’ve Duplicated That …
We Have Learned Something, However …
We Don’t Know About These Chambers…
But Now We Know That This Key Pin is Solid …
Of Course, There Could Still Be Mastering Here …
So, There is More Exploring to be Done …
File Position One Down Further …
Try the Key… And Find It Does Not Work
Remove the Key …
File Down Position One to the Next Bitting Height …
Try the Key… and Find it Does Not Work
Remove the Key…
File Position One Down another Depth…
Try the Key in the Lock… OPEN!…
So What Has Been Learned Now?…
All Drivers Must Be Raised Properly Right Now…
Given What We Know From Before, This is the Current Picture…
We Still Haven’t Explored These Chambers…
We Know This Key Pin…
We Know This Mastering Pin…
There’s a Chance of More Shear Lines…
Remove the Key…
File Position One Down a bit More…
Try the Key… and Find it Does Not Work…
You Can Continue For The Rest of the Bitting Range …
(If There is More to the Bitting Range) … Kwikset Depths Don’t Go Past 7
Prepare Another Key, for Exploring Position Two …
(Figure labels: Discovered Master Depth; Zero Cut; Depths Known From Change Key)
NOTE - The Zero Depth is Almost Never Used…
So, Save Time by Starting Position Two at the #1 Depth…
MACS is Being Violated Here…
But Let’s Try the Key Anyway… The Lock Doesn’t Open
Remove the Key…
File Down Position Two by a Bitting Depth…
MACS is OK now, BTW…
Try the Key in the Lock… The Lock Doesn’t Open…
Remove the Key…
File Position Two Down by a Bitting Depth…
Try the Key… the Lock Doesn’t Open
Remove the Key…
File Position Two Down by a Bitting Depth…
Try the Key… OPEN!…
So What Have We Learned Now?…
The Drivers Must be at the Plug’s Edge…
And Now We Know the Following…
We’ve Learned This Earlier…
We Don’t Know About These…
But Now Our Exploring Here is Kind of Done…
There is a Shear Line Here, We Know From Our Change Key…
So We’re Basically Done with Position Two… How Come?
Single Depth Mastering Pins are Rare and Bad…
So, a Five Depth is Highly Unlikely
If We Wanted, We Could Take Our Key…
And File Down to the 6th Bitting Depth…
Try the Key… It Surely Should Work!
After All… Depth 6 was Known in Position Two
Further Exploring Is Not Really Necessary Here…
A Depth of Seven? …
A Depth of Seven Would Mean Another Single-Depth Pin…
… And Kwikset Locks Don’t Go Deeper Than 7
So… Now Three Chambers Remain Unknown…
Let’s Prepare a Third Exploring Key…
What Cut Will be in Position One?…
A #6 Depth, The Mastering Depth We Discovered Earlier…
(By the Way… Is This a Valid Key?)…
ANSWER - No. This would violate MACS since we’re dealing with a Kwikset lock.
What Cut Will be in Position Two?…
A #4 Depth Will be There… The Master Cut Discovered Earlier
What Will We Do in Position Three?…
Leave Position Three Blank For Now…
And For the Rest of the Key?…
Finish Off with Depths Known from the Change Key …
So, Now it’s Time to Explore… Or is it?…
Remember the Change Key’s Known Depth?…
So What About #1 and #3 Depths?…
A #1 Depth Would be Unwise…
A #3 Depth Would be Unwise, Too…
And #2 Depth Was Already Known, So Skip It…
Thus, #4 Depth is an Ideal Starting Point…
This is a Much More Efficient Exploring Range, No?…
Key 3 is Prepared…
Key 3 is Tried… It Doesn’t Turn
Remove the Key…
File Down by One Cut Depth…
Try the Key… OPEN!
This Tells Us Quite a Lot…
So, Let’s Discuss What We Know…
Mastering in Position Three Likely Looks Like This…
No News Yet Back Here…
But Otherwise, Position Three Seems Pretty Dialed-In…
Would We Need to Explore a #6 Depth? …
I wouldn’t. That would mean there’s a single-depth mastering pin in there. Most professional locksmiths would know better than to use one when building a system.
How About a #7 Depth? …
While it’s possible to have multi-mastered pin stacks, this is rare. Personally, I’d skip it and just make a note to myself saying, “Come back later if I get stuck.”
Let’s Prepare a Fourth Exploring Key…
Start Out with Mastering We’ve Discovered Thus Far…
Leave Position Four Blank…
Exploring Key Number Four, Fully-Prepared…
Keep in Mind, This Violates MACS…
We Could Sweep This Exploring Range…
But Remember This is the Change Key Bitting Here…
More Efficient: Only Explore Depth #1 … then #5, #6, & #7
Code-Cut (or Simply File) to the #1 Depth…
Key Four, First Attempt… No Go.
Remove the Key…
If Desired, File to the #3 Depth, Which is Known…
Give the Key a Try… OPEN!
That Was Expected, of Course…
Remove the Key…
File Down… Skipping a Depth, to Save Time…
Try the Key… No Luck.
Remove the Key…
File Down by Another Depth…
Try the Key… No Joy.
Remove the Key…
File Down to the Last Depth…
Try the Key… Nope.
So, WTF ?
Maybe You Question Yourself
In This Case… Position Four is Not Mastered
The Master Key We’ve Decoded Thus Far…
Let’s Prepare a Fifth (and Hopefully Final) Exploring Key…
Code-Cut the Mastering We’ve Discovered So Far…
Leaving the Fifth Position Free to be Explored…
Attempt Either at the Blank Depth of 0 or at a Depth of 1…
Try the Key… OPEN!
That’s a Heaping Bowl of Awesomesauce…
There’s a Very Real Chance We Know it All Now…
The Mastering Might be Fully Decoded…
True, There Could be Another Cut Here…
There Could Even be Other Cuts Here…
But Personally, I’d Just Start Trying This Key in Lots of Doors…
Of Course, Your Key Will Likely Look Like This…
(Since most likely you will be hand-filing all cuts, not working with a code-cutter to set up your exploring keys.)
Speaking of Hand-Filed Keys… Beware of Canyoning!
The Internals of our Original Door Lock…
These Marks Represent the Mastering Depths…
Here’s a Hypothetical Alternate Lock in the Same System…
Our Decoded Master Key Would Work There, Too…
A Winnar is You!…
Mitigating Against This Attack?
• Restricted Keyway / Restricted Blanks
• Secondary Monitoring Systems
• Audit Trails / Access Control Scheduling
• Use Entirely Separate Zone Arrangements
• Move Away From Plain Jane Pin Tumbler Systems
Other Badass Lock Designs
High Security Locks – Side Bar
High Security Locks – Pin-Based Side Bar
Pin-Based Side Bar – Schlage Primus
High Security Locks – Side Bar Only Design
Rotating Discs
Magnetic Locks
photo courtesy of Eric Schmiedl
A New Contest At HOPE…
Master-Key Escalation Contest
Will j00 be teh winnar?!?
SATURDAY
This presentation is CopyLeft by Deviant Ollam.
You are free to reuse any or all of this material as long as it is attributed and freedom for others to do the same is maintained.
Thank You Very Much!
http://toool.us
info@toool.us