Sunday, June 14, 2020

[cyxqfqwb] Master key locksmith conspiracy

In "Rights amplification in master-keyed mechanical locks", Matt Blaze described how to make a master key if you have access to just one working non-master key and its lock.

Locksmiths dismissed it as old news, claiming that they had all known about the attack as a secret in their trade since master keying of pin-tumbler locks was invented (when was that?).  Was that really so?  Did a large number of people actually manage to collectively keep a secret, one for which there probably wouldn't be much punishment for revealing?  (For example, a retired locksmith could tell friends.)  If this kind of secret-keeping is really possible (I doubt it), one wonders what other juicy secrets are being kept this way in other fields.  It's not the attack that is interesting; it's the secret-keeping.

If the attack really was known and kept a secret, it also seems like there would have been lawsuits by customers who had been sold a security system with a known but undisclosed vulnerability, lawsuits to recover the cost of having to replace everything with two-cylinder master key locks, which are not vulnerable.

More likely, although a huge number of locksmiths know how master keys work, few, perhaps no one until Matt Blaze (not a locksmith), thought about how to turn the knowledge into an attack.  It seems like it would have been rare that a locksmith would have legitimately needed to create a master key within the constraints in which the attack works: you have a working key but are not permitted to disassemble the lock.  If you can disassemble the lock, which is what locksmiths do day in and day out, measuring pins to create a key is (I think) a straightforward operation for them.
