Deviant Ollam
http://to
�Who am i ?
http://to
�Who am i ?
http://to
�Who am i ?
http://to
�Who am i ?
auditing
assessments
research
trainings
workshops
public
lectures
lockpick
village
contests &
games
http://to
�The Open Organisation Of
Lockpickers
http://to
�The Open Organisation Of
Lockpickers
http://to
�Lockpicking is Fun, Fun, Fun!
http://to
�First, a word about rules
Yes, we have rules.
1.Do not pick locks
which you do not own.
2.Do not pick locks
which you rely on.
http://to
�Doorknobs
http://to
�Padlocks
http://to
�Deadbolts
http://to
�The Mechanism Itself Is All The
Same
http://to
�How It Looks Inside
http://to
�Attempt Without a Key
http://to
�Operating With a Key
http://to
�Pin Stacks
http://to
�Using a Key
http://to
�Using Lockpicks
http://to
�Master-Keyed Systems
http://to
�Master-Keyed Systems
http://to
�Master-Keyed Systems
http://to
�Master-Keyed Systems
http://to
�Master-Keyed Systems
http://to
�Master-Keyed Systems
http://to
�Master-Keyed Systems
http://to
�Master-Keyed Systems
http://to
�Master-Keyed Systems
http://to
�Master-Keyed Systems
http://to
�Master-Keyed Systems
http://to
�Master-Keyed Systems
http://to
�Master-Keyed Systems
http://to
�Master-Keyed Systems
http://to
�Master-Keyed Systems
http://to
�Master-Keyed Systems
http://to
�Attacking Master-Keyed Systems
Master-Keyed Lock
Vulnerability
by Matt Blaze
2003-01-27
http://www.crypto.c
om/papers/mk.pdf
http://www.crypto.c
om/masterkey.html
http://to
�Consider Alices key for a lock
that she can access
http://to
�Change Key Bitting Depths
http://to
�Obviously, it Works in the Lock
http://to
�Obviously, it Works in the Lock
http://to
�So, What Can We Infer About the
Inside of the Lock?
http://to
�Pins Must Be At the Edge of the
Plug
http://to
� They Could Simply be Solid Key
Pins
http://to
� But the Specific Details are
Unknown
http://to
� And these Unknowns are Hidden
http://to
� And these Unknowns are Hidden.
So What to Do?
http://to
�Prepare Exploratory Key Number
One
http://to
�Prepare Exploratory Key Number
One
Zero
Cut
http://to
�Prepare Exploratory Key Number
One
Zero
Cut
Bitting
Depths
Already
Known From
Change Key
http://to
�This Key Will be Used to Sweep
This Range
http://to
�Beware That MACS Issues Can
Arise
http://to
�File Position One Down a Bit
http://to
�File Position One Down a Bit
http://to
�File Position One Down a Bit
http://to
�Were Still Encountering MACS
Violations
http://to
�But Lets Try the Key Anyway
http://to
�But Lets Try the Key Anyway the
Lock Fails to Open
http://to
�Remove the Key
http://to
�File Position One Down to the
Next Bitting Depth
http://to
�Although They Look Different,
These Are Both #2 Cut Depths
http://to
�MACS is No Longer Being Violated
Now
http://to
�So, Lets Try the Key Again
http://to
�So, Lets Try the Key Again the
Lock Fails to Open
http://to
�Remove the Key
http://to
�File Down Position One Again
http://to
�Lets Try The Key Again
http://to
�Lets Try The Key AgainOPEN!
http://to
�Of Course, That Was Expected
http://to
�Remember the Change Key?
http://to
�Weve Duplicated That
http://to
�We Have Learned Something,
However
http://to
�We Dont Know About These
Chambers
http://to
�But Now We Know That This Key
Pin is Solid
http://to
�Of Course, There Could Still Be
Mastering Here
http://to
�So, There is More Exploring to be
Done
http://to
�File Position One Down Further
http://to
�Try They Key
http://to
�Try They Key And Find It Does
Not Work
http://to
�Remove the Key
http://to
�File Down Position One to the
Next Bitting Height
http://to
�Try the Key
http://to
�Try the Key and Find it Does
Not Work
http://to
�Remove the Key
http://to
�File Position One Down another
Depth
http://to
�Try the Key in the Lock
http://to
�Try the Key in the Lock OPEN!
http://to
�So What Has Been Learned Now?
http://to
�All Drivers Must Be Raised
Properly Right Now
http://to
�Given What We Know From Before,
This is the Current Picture
http://to
�We Still Havent Explored These
Chambers
http://to
�We Know This Key Pin
http://to
�We Know This Mastering Pin
http://to
�Theres a Chance of More Shear
Lines
http://to
�Remove the Key
http://to
�File Position One Down a bit
More
http://to
�Try the Key
http://to
�Try the Key and Find it Does
Not Work
http://to
�You Can Continue For The Rest of
the Bitting Range
http://to
�(If
There is More to the Bitting
Range)
http://to
�(If
There is More to the Bitting
Range)
Kwikset Depths
Dont Go Past 7
http://to
�Prepare Another Key, for
Exploring Position Two
http://to
�Prepare Another Key, for
Exploring Position Two
Discover
ed
Master
Depth
http://to
�Prepare Another Key, for
Exploring Position Two
Zero
Cut
Discover
ed
Master
Depth
http://to
�Prepare Another Key, for
Exploring Position Two
Zero
Cut
Discover
Depths
ed
Known
Master
From
Depth
Change Key
http://to
�NOTE - The Zero Depth is Almost
Never Used
http://to
�So, Save Time by Starting
Position Two at the #1 Depth
http://to
�MACS is Being Violated Here
http://to
�But Lets Try the Key Anyway
http://to
�But Lets Try the Key Anyway The
Lock Doesnt Open
http://to
�Remove the Key
http://to
�File Down Position Two by a
Bitting Depth
http://to
�MACS is OK now, BTW
http://to
�Try the Key in the Lock
http://to
�Try the Key in the Lock The
Lock Doesnt Open
http://to
�Remove the Key
http://to
�File Position Two Down by a
Bitting Depth
http://to
�Try the Key
http://to
�Try the Key the Lock Doesnt
Open
http://to
�Remove the Key
http://to
�File Position Two Down by a
Bitting Depth
http://to
�Try the Key
http://to
�Try the Key OPEN!
http://to
�So What Have We Learned Now?
http://to
�The Drivers Must be at the Plugs
Edge
http://to
�And Now We Know the Following
http://to
�Weve Learned This Earlier
http://to
�We Dont Know About These
http://to
�But Now Our Exploring Here is
Kind of Done
http://to
�There is a Shear Line Here
http://to
�There is a Shear Line Here, We
Know From Our Change Key
http://to
�There is a Shear Line Here, We
Know From Our Change Key
http://to
�So Were Basically Done with
Position Two
http://to
�So Were Basically Done with
Position Two How Come?
http://to
�Single Depth Mastering Pins are
Rare and Bad
http://to
�So, a Five Depth is Highly
Unlikely
http://to
�If We Wanted, We Could Take Our
Key
http://to
�And File Down to the 6th Bitting
Depth
http://to
�Try the Key
http://to
�Try the Key It Surely Should
Work!
http://to
�After All
http://to
�After All Depth 6 was Known in
Position Two
http://to
�Further Exploring Is Not Really
Necessary Here
http://to
�A Depth of Seven?
http://to
�A Depth of Seven Would Mean
Another Single-Depth Pin
http://to
� And Kwikset Locks Dont Go
Deeper Than 7
http://to
�So Now Three Chambers Remain
Unknown
http://to
�Lets Prepare a Third Exploring
Key
http://to
�What Cut Will be in Position
One?
http://to
�A #6 Depth, The Mastering Depth
We Discovered Earlier
http://to
�(By
the Way Is This a Valid
Key?)
http://to
�(By
the Way Is This a Valid
Key?)
ANSWER
No.
This
would
violate
MACS
since
were
dealing
with a Kwikset lock.
http://to
�What Cut Will be in Position
Two?
http://to
�A #4 Depth Will be There The
Master Cut Discovered Earlier
http://to
�What Will We Do in Position
Three?
http://to
�Leave Position Three Blank For
Now
http://to
�And For the Rest of the Key?
http://to
�Finish Off with Depths Known
from the Change Key
http://to
�So, Now its Time to Explore
http://to
�So, Now its Time to Explore Or
is it?
http://to
�Remember the Change Keys Known
Depth?
http://to
�So What About
#1
and
#3
Depths?
http://to
#1
Depth Would be Unwise
http://to
#3
Depth Would be Unwise, Too
http://to
�And #2 Depth Was Already Known,
So Skip It
http://to
�Thus, #4 Depth is an Ideal
Starting Point
http://to
�This is a Much More Efficient
Exploring Range, No?
http://to
�Key 3 is Prepared
http://to
�Key 3 is Tried
http://to
�Key 3 is Tried It Doesnt Turn
http://to
�Remove the Key
http://to
�File Down by One Cut Depth
http://to
�Try the Key
http://to
�Try the Key OPEN!
http://to
�This Tells Us Quite a Lot
http://to
�So, Lets Discuss What We Know
http://to
�Mastering in Position Three
Likely Looks Like This
http://to
�No News Yet Back Here
http://to
�But Otherwise, Position Three
Seems Pretty Dialed-In
http://to
�Would We Need to Explore a
Depth?
#6
http://to
�Would We Need to Explore a
Depth?
#6
I wouldnt. That would
mean theres a singledepth mastering pin
in
there.
Most
professional
locksmiths would know
better than to use
one when building a
system.
http://to
�How About a
#7
Depth?
http://to
�How About a
#7
Depth?
While its possible to
have
multi-mastered
pin stacks, this is
rare.
Personally, Id
skip it and just make
a
note
to
myself
saying,
Come
back
later if I get stuck.
http://to
�Lets Prepare a Fourth Exploring
Key
http://to
�Start Out with Mastering Weve
Discovered Thus Far
http://to
�Leave Position Four Blank
http://to
�Exploring Key Number Four, FullyPrepared
http://to
�Keep in Mind, This Violates MACS
http://to
�We Could Sweep This Exploring
Range
http://to
�But Remember This is the Change
Key Bitting Here
http://to
�More Efficient: Only Explore
Depth #1 then #5, #6, & #7
http://to
�Code-Cut (or Simply File) to the
#1 Depth
http://to
�Key Four, First Attempt
http://to
�Key Four, First Attempt No Go.
http://to
�Remove the Key
http://to
�If Desired, File to the
Which is Known
#3
Depth,
http://to
�Give the Key a Try
http://to
�Give the Key a Try OPEN!
http://to
�That Was Expected, of Course
http://to
�Remove the Key
http://to
�File Down Skipping a Depth, to
Save Time
http://to
�Try the Key
http://to
�Try the Key No Luck.
http://to
�Remove the Key
http://to
�File Down by Another Depth
http://to
�Try the Key
http://to
�Try the Key No Joy.
http://to
�Remove the Key
http://to
�File Down to the Last Depth
http://to
�Try the Key
http://to
�Try the Key Nope.
http://to
�So, WTF
http://to
�Maybe You Question Yourself
http://to
�In This Case Position Four is
Not Mastered
http://to
�The Master Key Weve Decoded Thus
Far
http://to
�Lets Prepare a Fifth (and
Hopefully Final) Exploring Key
http://to
�Code-Cut the Mastering Weve
Discovered So Far
http://to
�Leaving the Fifth Position Free
to be Explored
http://to
�Attempt Either at the Blank
Depth of 0 or at a Depth of 1
http://to
�Try the Key
http://to
�Try the Key OPEN!
http://to
�Thats a Heaping Bowl of
Awesomesauce
http://to
�Theres a Very Real Chance We
Know it All Now
http://to
�The Mastering Might be Fully
Decoded
http://to
�True, There Could be Another Cut
Here
http://to
�There Could Even be Other Cuts
Here
http://to
�But Personally, Id Just Start
Trying This Key in Lots of
Doors
http://to
�Of Course, Your Key Will Likely
Look Like This
http://to
�Of Course, Your Key Will Likely
Look Like This
(Since
most likely you
will be hand-filing
all cuts, not working
with a code-cutter to
set up your exploring
keys.)
http://to
�Speaking of Hand-Filed Keys
Beware of Canyoning!
http://to
�The Internals of our Original
Door Lock
http://to
�These Marks Represent the
Mastering Depths
http://to
�Heres a Hypothetical Alternate
Lock in the Same System
http://to
�Our Decoded Master Key Would
Work There, Too
http://to
�A Winnar is You!
http://to
�Mitigating Against This Attack?
Restricted Keyway / Restricted
Blanks
Secondary Monitoring Systems
Audit Trails / Access Control
Scheduling
Use Entirely Separate Zone
Arrangements
Move Away From Plain Jane Pin
Tumbler Systems
http://to
�Other Badass
Lock Designs
�High Security Locks Side Bar
http://to
�High Security Locks Pin-Based
Side Bar
http://to
�High Security Locks Pin-Based
Side Bar
http://to
�Pin-Based Side Bar Schlage
Primus
http://to
�High Security Locks Side Bar
Only Design
http://to
�Rotating Discs
http://to
�Rotating Discs
http://to
�Rotating Discs
http://to
�Rotating Discs
http://to
�Rotating Discs
http://to
�Rotating Discs
http://to
�Rotating Discs
http://to
�Rotating Discs
http://to
�Rotating Discs
http://to
�Rotating Discs
http://to
�Rotating Discs
http://to
�Rotating Discs
http://to
�Rotating Discs
http://to
�Rotating Discs
http://to
�Rotating Discs
http://to
�Magnetic Locks
http://to
�Magnetic Locks
http://to
�Magnetic Locks
http://to
�Magnetic Locks
http://to
�Magnetic Locks
http://to
�Magnetic Locks
photo courtesy of Eric Schmiedl
http://to
�Magnetic Locks
photo courtesy of Eric Schmiedl
http://to
�A New Contest At
HOPE
�Master-Key Escalation Contest
http://to
�Master-Key Escalation Contest
http://to
�Master-Key Escalation Contest
http://to
�Master-Key Escalation Contest
http://to
�Master-Key Escalation Contest
http://to
�Master-Key Escalation Contest
http://to
�Master-Key Escalation Contest
Will j00 be teh winnar?!?
http://to
�SATUR
DAY
SATUR
DAY
Master-Key Escalation Contest
http://to
�Thank You Very Much!
http://to
ool.us
info@tooo
l.us
http://to
This presentation is CopyLeft by Deviant Ollam.
You are free to reuse any or all of this material as long as it is attributed
