Re: [IP] Master Key Copying Revealed (Matt Blaze of ATT Labs)
I took a look at the "MIT Guide to Lock Picking" August 1991 revision at http://www.lysator.liu.se/mit-guide/mit-guide.html It says: "9.10 Master Keys Many applications require keys that open only a single lock and keys that open a group of locks. The keys that open a single lock are called change keys and the keys that open multiple locks are called master keys. To allow both the change key and the master key to open the same lock, a locksmith adds an extra pin called a spacer to some of the pin columns. See Figure 9.8. The effect of the spacer is to create two gaps in the pin column that could be lined up with the sheer line. Usually the change key aligns the top of the spacer with the sheer line, and the master key aligns the bottom of the spacer with the sheer line (the idea is to prevent people from filing down a change key to get a master key). In either case the plug is free to rotate." The parenthetical comment suggests awareness of the general vulnerability Matt exploited, but I suspect that had the authors known the multiple partial copy trick Matt described, they would have published it. Arnold Reinhold - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: [IP] Master Key Copying Revealed (Matt Blaze of ATT Labs)
Bill Stewart <[EMAIL PROTECTED]> writes: > and a door that had two locks - a classified-rated Sergeant & Greenleaf > mechanical combination lock, which we used when the room was unattended, Have a look at the DOD Lock Program Faq at http://locks.nfesc.navy.mil/faq.htm and the links leading from it, especially the one on high security padlocks and hasps. -- natsu-gusa ya / tsuwamono-domo-ga / yume no ato summer grasses / strong ones / dreams site Summer grasses, All that remains Of soldier's dreams (Basho trans. Stryk) - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: [IP] Master Key Copying Revealed (Matt Blaze of ATT Labs)
At 09:12 PM 01/26/2003 -0500, Donald Eastlake 3rd wrote: It's just silly to spend, say, $50 more, on a more secure lock unless you are really willing, in the forseeable future, to spend hundreds or thousands of dollars or even more on other weaknesses to make most of them approximately as strong. Defense in depth is certainly important for physical security, for serial attacks as well as parallel attacks. A long long time ago, in a phone company far far away, about two floors down from where Matt Blaze was working, I ran the computers and some other operations for a workroom that did classified government processing. The higher-security data lived in safes when we weren't actively using it, as did any classified backup magtapes. (Computers were still big then, and the removable disk packs were roughly 14" diameter, 8" high, 250MB.) The TEMPEST room they lived in didn't have locks on it, just annoyingly unreliable electrical airlock doors. It lived inside a room that had several inches of sheetrock and wiremesh walls, and a door that had two locks - a classified-rated Sergeant & Greenleaf mechanical combination lock, which we used when the room was unattended, and an electronic-pushbutton combination lock which was enough when the room wasn't attended by a guard at the front desk, plus there were motion-detector alarms set when it wasn't attended. Army Reg 380-380 didn't require that the room be impregnable to people with sawzalls and dynamite - just that it be hard to break into, and extremely hard to break into without leaving an obvious mess, and a guard schedule appropriate for the level of difficulty breaking in. There are also other factors in planning physical security. I've had to actually break through a wall because an electronic lock's battery back up power died because the transformer for a building was being replaced and it had absolutely no power feed for a few days. The repair of such wall damage is an expense. Mechanical devices do not have the problem of requiring power (PS: Brass is self lubricating). One of the screws holding the S&G lock to the doorframe came loose and jammed the lock. We had to call a locksmith to drill it out, and it took him about the required two hours to do it. (If there'd been an emergency, we'd have sawzalled the door.) The electronic lock jammed a couple of times, and it wasn't hard to jimmy the door enough with a fireman's prybar to use a screwdriver to open the latch, but we let the guards know before we started. The real security problem was when somebody built another secure lab next door, with what was supposed to be a high-spookiness-quality alarm system; it took a long time to figure out that most of the false alarms were from the guards' walkie-talkies causing electrical interference, and got them instructed not to press talk in that hallway unless there was something seriously suspicious going on... and got them instructed to call the other guy, not me, if there was an alarm :-) - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: [IP] Master Key Copying Revealed (Matt Blaze of ATT Labs)
On Mon, 27 Jan 2003, Faust wrote: >Bribe a guard, go to bed with a person with access etc.. >However, that is not the proper domain of a study of rights amplification. I'm actually not sure of that. I think that an organized case-by-case study of "social engineering" breaches would be valuable reading material for security consultants, HR staff, employers, designers, and psychologists. It's not actually the study of cryptography, but it's a topic near and dear to the heart of those who need security, just as Matt's paper on locks. Bear - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: [IP] Master Key Copying Revealed (Matt Blaze of ATT Labs)
My message was not a reply to Matt's paper. It was a reply to a message that said, approximately, "If I wanted to SECURE A BUILDING the first thing I would do is worry about the LOCK and replace it with an electric lock..." It did NOT say "If I wanted to SECURE A LOCK...". My reply was to point out that the suggested strategy for securing a building would almost always be the wrong strategy. I agree that locks and methods of defeating them are intersting. Thanks, Donald == Donald E. Eastlake 3rd [EMAIL PROTECTED] 155 Beaver Street +1-508-634-2066(h) +1-508-851-8280(w) Milford, MA 01757 USA [EMAIL PROTECTED] On Mon, 27 Jan 2003, Faust wrote: > Date: Mon, 27 Jan 2003 13:57:30 + > From: Faust <[EMAIL PROTECTED]> > To: Donald Eastlake 3rd <[EMAIL PROTECTED]> > Cc: Pete Chown <[EMAIL PROTECTED]>, [EMAIL PROTECTED] > Subject: Re: [IP] Master Key Copying Revealed (Matt Blaze of ATT Labs) > > > > You are coming at this from a software/computer mindset that just isn't > > applicable to this sort of physical world security. > > > Matt's paper was about _locks_. > In case you have forgotten, the title was "Cryptology and Physical Security: > Rights Amplification in Master-Keyed Mechanical Locks". > > To weakly criticize his paper because it did not talk about the cost of > fabrication or physical tolerances misses the point entirely. > > There _are_ situations where information leakage is of concern. > > I can imagine other applications of Matt's methods to other forms of > physical security. > > In any case, it is intrinsically interesting > > In practice, social engineering is far easier to use to access secure premises. > Bribe a guard, go to bed with a person with access etc.. > However, that is not the proper domain of a study of rights amplification. > > - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: [IP] Master Key Copying Revealed (Matt Blaze of ATT Labs)
> You are coming at this from a software/computer mindset that just isn't > applicable to this sort of physical world security. Matt's paper was about _locks_. In case you have forgotten, the title was "Cryptology and Physical Security: Rights Amplification in Master-Keyed Mechanical Locks". To weakly criticize his paper because it did not talk about the cost of fabrication or physical tolerances misses the point entirely. There _are_ situations where information leakage is of concern. I can imagine other applications of Matt's methods to other forms of physical security. In any case, it is intrinsically interesting In practice, social engineering is far easier to use to access secure premises. Bribe a guard, go to bed with a person with access etc.. However, that is not the proper domain of a study of rights amplification. -- natsu-gusa ya / tsuwamono-domo-ga / yume no ato summer grasses / strong ones / dreams site Summer grasses, All that remains Of soldier's dreams (Basho trans. Stryk) - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: [IP] Master Key Copying Revealed (Matt Blaze of ATT Labs)
On Sat, 25 Jan 2003, Pete Chown wrote: > Date: Sat, 25 Jan 2003 11:53:23 + > From: Pete Chown <[EMAIL PROTECTED]> > To: [EMAIL PROTECTED] > Subject: Re: [IP] Master Key Copying Revealed (Matt Blaze of ATT Labs) > > Len Sassaman wrote: > > > Most of the time, the lock is not the weakest point of attack. > > Isn't this like saying that cryptography isn't important, because most > real world attacks aren't cipher breaks? Also, if you pick the lock, You are coming at this from a software/computer mindset that just isn't applicable to this sort of physical world security. Sure, in the ~0 fabrication and distribution cost world of software, you might as well use strong crypto because its costs ~0 and probably a lot of the other weaknesses are also software and can also be avoided for ~0 cost. If you can think of a more secure physical lock design that is CHEAPER, run out and patent it now. You will probably make money. But most substantially more secure physical locks are substantially more expensive to fabric being more complex and frequently requiring tighter mechanical tolerances. > potentially no one will know that you gained access. An ordinary > burglar can just break a window, but someone with a more subtle reason > for wanting to gain access may not want to. It is usually not that hard to gain invisible access even with quite crude methods. > If I wanted to make a building physically secure, my instinct would be > to use electronic locks. While attacks on, say, an iButton are probably > possible, it seems to me that it must be an order of magnitude more > difficult than attacking a mechanical lock. The lock almost never has anything to do with it. Why is it you never see simple pin tumbler locks on safes and vaults? Because, with substantial metal and/or solid reinforced concrete walls on all sides and no windows, it is actually worth the cost of good combination locks, possibly with time lock in addition. If I wanted to make a building more secure, even if for some reason I'm just looking at the only door, there are a lot of things I'd look at right away: Are the hinges on the outside and if so what steps have beeen taken to stop someone from removing the hinge pins and removing the door? Is there an astragal to stop people from credit-carding the door? What steps have been made to stop someone from spreading the door frame so that any bolts no longer latch? If there is a lock cylinder, can you just unscrew it from the outside and open the door with a scredriver (I have determined by experimentation that most cylinder set screws will easily give way and allow you to unscrew the cylinder with minimal damage)? Is there any kind of opening above the door, like a transom (even if it is tiny, you may be able to drop a loop down inside and turn the internal door knob, opening the door despite its being locked for the outside knob)? Etc. Etc. Oh, and I suppose you could think about attacks on the security of the lock itself, which is probably pin tumbler. But it probably has lots of window/wall/roof/basement/etc. weaknesses that have nothing to do with the door. It's just silly to spend, say, $50 more, on a more secure lock unless you are really willing, in the forseeable future, to spend hundreds or thousands of dollars or even more on other weaknesses to make most of them approximately as strong. There are also other factors in planning physical security. I've had to actually break through a wall because an electronic lock's battery back up power died because the transformer for a building was being replaced and it had absolutely no power feed for a few days. The repair of such wall damage is an expense. Mechanical devices do not have the problem of requiring power (PS: Brass is self lubricating). > Now, I'm not an expert on locks, so firstly am I right? If so, does > this mean that high security mechanical locks will gradually disappear? There are markets for a wide variety of locks. I do not believe that high security or low security mechanical locks will disappear in my lifetime. Thanks, Donald == Donald E. Eastlake 3rd [EMAIL PROTECTED] 155 Beaver Street +1-508-634-2066(h) +1-508-851-8280(w) Milford, MA 01757 USA [EMAIL PROTECTED] - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: [IP] Master Key Copying Revealed (Matt Blaze of ATT Labs)
On Sat, 25 Jan 2003, Pete Chown wrote: > Len Sassaman wrote: > > > Most of the time, the lock is not the weakest point of attack. > > Isn't this like saying that cryptography isn't important, because most > real world attacks aren't cipher breaks? No. It's similar to arguing against a system because it uses 56 bit DES, but missing the fact that the cryptosystem isn't actually encrypting the plaintext at all. > Also, if you pick the lock, potentially no one will know that you > gained access. An ordinary burglar can just break a window, but > someone with a more subtle reason for wanting to gain access may not > want to. There are many, many entrance techniques which do not cause any physical damage whatsoever, which also do not require direct manipulation of the pin tumbler mechanism. > If I wanted to make a building physically secure, my instinct would be > to use electronic locks. While attacks on, say, an iButton are probably > possible, it seems to me that it must be an order of magnitude more > difficult than attacking a mechanical lock. Again, you're missing the weakest point of attack. *Ignore* the actual lock. It doesn't matter if you have an iButton or an ASSA or a Kwikset if the door is secured with an improperly installed spring-latch mechanism, and it can be opened with a shim. Only after you get the rest of the physical security aspects addressed should you spend time thinking about the lock, because it takes a lot more time, effort, or talent to attack a lock than it does to jimmy a latch. I would say that 60 percent of the doors I have stood before in my life, I could have opened with items I carry in my pocket on a daily basis. Another ten percent would have required picking. The world of physical security doesn't rely on "security through obscurity." It relies on security through illusion. > Now, I'm not an expert on locks, so firstly am I right? If so, does > this mean that high security mechanical locks will gradually disappear? Nearly all installed locks do nothing more than keep honest people honest. I don't see this changing anytime soon. I used to jump up and down about physical security problems when I encountered them, until I learned that people generally don't want to hear if they have security problems -- they just want to think they are safe. One of my previous employers was a web hosting company, who had a locked data center. On my second day working for them, I pointed out that I could open the door to their datacenter with a credit card. They didn't believe me. I demonstrated. Did they thank me for this bit of information? Nope. I was nearly fired. If you have to sign an NDA before you visit a company's colocation facility, ask yourself what it is you are about to see that would do damage to the company if you spoke about it. Locked cages? Look at the raised floors. None of these problems even come close to the issues of lost keys and overly helpful employees, though. Criminals have been using social engineering techniques to get into locked buildings for as long as there have been locked buildings. My comments in this thread have never been intended to criticize Matt for publishing his paper. In fact, I hope I've praised it. I just don't think that it will affect the status quo. --Len. - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: [IP] Master Key Copying Revealed (Matt Blaze of ATT Labs)
Len Sassaman wrote: Most of the time, the lock is not the weakest point of attack. Isn't this like saying that cryptography isn't important, because most real world attacks aren't cipher breaks? Also, if you pick the lock, potentially no one will know that you gained access. An ordinary burglar can just break a window, but someone with a more subtle reason for wanting to gain access may not want to. If I wanted to make a building physically secure, my instinct would be to use electronic locks. While attacks on, say, an iButton are probably possible, it seems to me that it must be an order of magnitude more difficult than attacking a mechanical lock. Now, I'm not an expert on locks, so firstly am I right? If so, does this mean that high security mechanical locks will gradually disappear? -- Pete - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: [IP] Master Key Copying Revealed (Matt Blaze of ATT Labs)
On Sat, 25 Jan 2003, Sampo Syreeni wrote: >Sure. But trying those combinations out can be automated -- I don't think >the kind of automatic lock pickers one sees in current action movies are >*entirely* fictional. There are several types of devices that can convince a keylock to open. One of them is a kind of spring-loaded bar, usually on a handle. The bar is inserted into the keyhole, and then the spring is released and a weight whacks the bar fairly hard. This transmits the shock to the pins resting on the bar, and thence to the other side of the pins resting across the cut from the shocked side. The result is that the pins fly apart momentarily against the retaining springs. If your timing is good, you can turn the lock immediately after the 'snap' of the spring slamming shut. It usually takes an experienced user no more than three or four tries to get the timing right. This is actually a very simple device to construct. I ran across it in a book on locks and mechanisms. Some folks call it an automatic lock picker, but it's really just a snap mechanism. I've never actually seen one in person, but I can give you the name and publication date of the pamphlet I saw it in if I can find it around here. Bear - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: [IP] Master Key Copying Revealed (Matt Blaze of ATT Labs)
On Sat, 25 Jan 2003, Sampo Syreeni wrote: > Sure. But trying those combinations out can be automated -- I don't think > the kind of automatic lock pickers one sees in current action movies are > *entirely* fictional. I've never encountered an automatic key combination decoder, but it would presumably be possible to build for a lot of locks. Most automatic lock picks are variations on the snap-gun design, however, which is an entirely different approach to lock picking. (Think of when you hit a cue-ball with a pool cue, and it hits the target ball. The cue ball stops moving, and the target ball speeds off. That's the principal behind a snap-gun: the snap-gun is the cue, the bottom pin is the cue-ball, and the top pin is your target. You use the snap-gun to strike all the pins at once. The top pins fly up past the sheer line, the bottom pin stays below it, and deft use of a tension wrench lets you turn the cylinder at just the right moment.) > Rotational shear dictates that the key channel of every normal lock must > have a certain minimum cross-section, given a material for the key. If you > think about how long a lock cylinder can be in common applications, one > has a whole lot of room for all sorts of mechanics within the space > alloted for the key in a working lock. It might even be the length of the > cylinder is strictly limited by rotational shear concerns. My first take > on designing an automated probe would simply be to apply rotational noise > to the lock, record the vibration coming back, while sliding a probe > through the cylinder. When each disc/pin is pushed into the free position, > one would expect it to be exceedingly difficult to hide changes such a > match will cause in the response of the signal chain. I have met people who can decode a lock's pin combination by feel, so what you are describing is almost certainly possible. > >If you have a location which is secured in such a manner that the lock's > >security is of concern, you should look into a lock such as Medeco, which > >employs a number of security features which resist these attacks. (Angled > >cuts, restricted key blanks, etc.) > > I would equate the latter with both security-thru-obscurity, and purely > legislative approaches to security. That is, I wouldn't lay a lot of > weight on them. The former, that I've already found a minor complication. It's not exactly security-through-obscurity. The blank's cuts are known -- but in order to make blanks of your own, you have to go through a lot of effort. It's a protection based on increasing the work an attacker needs to do to succeed. > That's the spirit. I wouldn't exactly go with the live stuff, but > otherwise crickets sound simply nutritious. Not to mention delicious, > after having been dipped in honey. ;) Now, there's another yummy idea. > It might well be you have to get acquainted with'em crickets. Well, here's the deal. If Matt decides he really wants to see me feast on crickets, I'll send him a box locked with a Medeco lock that has two possible change keys (they aren't really master/change in this scenario). I'll give him one of the change keys. If he shows up at DEFCON[*] with the other change key, without disassembling the lock or the box, I'll publicly "eat my words." I'm betting my dignity on the assumption that Matt has better things to do. :) --Len. [*] Insects have a history of being eaten by people when The Shmoo Group gathers at DEFCON. It's as good a place as any. - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: [IP] Master Key Copying Revealed (Matt Blaze of ATT Labs)
On 2003-01-24, Len Sassaman uttered to Arnold G. Reinhold: >(This is a purely physical limitation. If you had pins that were of >drastically different heights next to each other, key insertion would be >extremely difficult or impossible.) One should also note that this particular problem doesn't affect disc wafer designs, like ABLOY's. On other fronts such designs fail as badly as pin tumbler one, of course. I don't know about the newer designs, though -- it seems the basic design allows an affordable analog to double cylinder keying, which doesn't leak as much information. As Matt notes, such designs have other vulnerabilities, especially when somebody dismantles the lock itself. The next logical question is, are there ways of making locks more secure, starting from cryptanalytic principles? As far as information leakage goes, the problem is easily corrected by going to double ring designs or the applicable analogs. From the standpoint of reverse engineering, it seems we're off into the domain of mechanical computing or wishful fancy, depending on one's personal level of optimism. That means high security mechanical lock makers might have to suffer a flashback into Babbage's age. How's that for retro? ;) (Okay, they're going for infrared keys and/or RFID, now. That's about challenge-response, public keys and tamper resistance. I wonder if the lock community has recognized the inevitable link to what crypto people are doing...) >Heck, it's possible to construct a set of all possible *keys* for a given >lock. Even with the optimizations of knowing which pin combinations are >physically impossible to use, however, this is still a lot of >combinations. Sure. But trying those combinations out can be automated -- I don't think the kind of automatic lock pickers one sees in current action movies are *entirely* fictional. Rotational shear dictates that the key channel of every normal lock must have a certain minimum cross-section, given a material for the key. If you think about how long a lock cylinder can be in common applications, one has a whole lot of room for all sorts of mechanics within the space alloted for the key in a working lock. It might even be the length of the cylinder is strictly limited by rotational shear concerns. My first take on designing an automated probe would simply be to apply rotational noise to the lock, record the vibration coming back, while sliding a probe through the cylinder. When each disc/pin is pushed into the free position, one would expect it to be exceedingly difficult to hide changes such a match will cause in the response of the signal chain. >Most of the time, the lock is not the weakest point of attack. Naturally. I think both Matt and those interested in locks on-list primarily consider this a funky excercise in what I'd call far-too-applied cryptanalysis. >Attacking the lock in this manner is analogous to breaking a >crypto-system by attacking the cipher. Usually, other parts of the >implementation are much weaker. Yes. I say, jump the threat model. Ram a car through the door or arrange to deliver a promotional pizza to someone behind it, whichever feels more comfortable. I also think ideas like these can serve as *wonderful* examples of why threat models matter in security design -- like Matt says, locks often serve as a useful analogy to how crypto works. >If you have a location which is secured in such a manner that the lock's >security is of concern, you should look into a lock such as Medeco, which >employs a number of security features which resist these attacks. (Angled >cuts, restricted key blanks, etc.) I would equate the latter with both security-thru-obscurity, and purely legislative approaches to security. That is, I wouldn't lay a lot of weight on them. The former, that I've already found a minor complication. >(On another list, I joked that if Matt could get his technique to work on >a Medeco master-keyed system by July, I'd eat a pound of live crickets at >DEFCON. I'll hold myself to that.) That's the spirit. I wouldn't exactly go with the live stuff, but otherwise crickets sound simply nutritious. Not to mention delicious, after having been dipped in honey. ;) Seriously, I cannot really see why the approach wouldn't work on Medeco's rotating pin design as well. It certainly seems more complicated than a typical pin tumbler one, and it does add to the total number of key combinations, but in the end, I would suspect it succumbs to an attack with the same complexity measure as Matt's more conventional ones. I don't have the precise details, but I would suspect rotational positions simply Cartesian the search space, nothing more. Getting it to work in actuality might be a bit of a problem, especially with Matt's expected budget, but for those who actually want to get the job done, I don't see any real hindrance. It might well be you have to get acquainted with'em crickets. -- Sampo Syreeni, aka decoy - mailto:[EMAIL PROTECTED], tel:+35
Re: [IP] Master Key Copying Revealed (Matt Blaze of ATT Labs)
On Fri, 24 Jan 2003, Matt Blaze wrote: > Len, > > We're probably getting a bit into the depths of the details for this > (cryptography-oriented) list, so I'll certainly understand if Perry doesn't > forward this on. Ditto. Time for a "lockpunks@" list? =) > It surely would be possible to have a Medeco-type design using > different rotations for the change and master by cutting new holes/grooves > in the bottom pin. I've not seen that on any of the Biaxial pins > I've looked at, and the Medeco pinning kits I've seen seem to have > such pins in them (maybe they sell them only to certain customers? In > any case, such a kit would have to be very large indeed). I was trying to draw this in ASCII-art, and failing. Looks like Derek had the same problem. In any case, you'll typically find the more complex pin combinations in installations where you need a large amount of change keys on the same master key. It's more work to design a master-key system when you add in these additional variables, so some locksmiths probably won't do it unless they have to. > But even if they did, you'd still be able to straightforwardly do the > attack, consuming up to 3 (in the standard design) or 6 (in the Biaxial > design) blanks per pin (at each rotation/offset). I'm forgetting off the top of my head how many pins a Medeco Biaxial has -- it's 7, right? That would mean in the worse case you would need to try 42 different key blanks. And filing a Biaxial is probably not feasible, so you would need the machine. I'm just not convinced this would ever be done. The time and effort involved would almost certainly make this a less efficient attack than others. > Some of the "restricted" Medeco blanks are in fact readily available; others > aren't but can be modified from available blanks, and still others > seem to require extensive milling or casting. Medeco has a number of different blanks for a number of different security models. The restricted ones are either "Card restricted", where you can go to a Medeco authorised locksmith and present your signature card to have the key duplicated; "Contract restricted" where your key is using a blank that is tied to a specific locksmith (or specific to your organization), and you must deal with that locksmith only; and "Factory restricted", where Medeco itself does duplication, and the key blanks are not released outside of the factory. The last two require the same signature card/ID authorization as well. Sure, you could mill or cast your own blanks to beat the factory controls. That is surely a waste of time, since either there are going to be easier ways to gain access without attacking the lock directly, or the lock will be using dummy-stepping if not on a master-ring system, because the locksmith has considered this attack. --Len. - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: [IP] Master Key Copying Revealed (Matt Blaze of ATT Labs)
The fact that the hole is on the bottom pin is not important. What is important is that the hole at the change-key height does not need to be at the same angular position as the hole at the master-key height. It's hard to draw ascii art to show what I mean, but because the twist holes are at a particular height when the key is inserted, you can certainly see how at different heights the holes can be in different locations. -derek Matt Blaze <[EMAIL PROTECTED]> writes: > Actually even in their Biaxial design the sidebar hole is always on the > bottom pin, and so the master shares the angle with the change keys. > > -matt > > > There is, however, a newer medeco design that uses a drill-hole > > instead of a groove. With that design you can have the pin twist be > > different at different pin-heights (by putting the drill-hole at a > > different twist-angle). I don't think this attack would work quite > > as easily on this design. > > > > -derek > -- Derek Atkins Computer and Internet Security Consultant [EMAIL PROTECTED] www.ihtfp.com - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: [IP] Master Key Copying Revealed (Matt Blaze of ATT Labs)
Len, We're probably getting a bit into the depths of the details for this (cryptography-oriented) list, so I'll certainly understand if Perry doesn't forward this on. It surely would be possible to have a Medeco-type design using different rotations for the change and master by cutting new holes/grooves in the bottom pin. I've not seen that on any of the Biaxial pins I've looked at, and the Medeco pinning kits I've seen seem to have such pins in them (maybe they sell them only to certain customers? In any case, such a kit would have to be very large indeed). But even if they did, you'd still be able to straightforwardly do the attack, consuming up to 3 (in the standard design) or 6 (in the Biaxial design) blanks per pin (at each rotation/offset). Some of the "restricted" Medeco blanks are in fact readily available; others aren't but can be modified from available blanks, and still others seem to require extensive milling or casting. -matt > On Fri, 24 Jan 2003, Matt Blaze wrote: > > > I have no particular interest in seeing you eat crickets (and before > > I went veggie I've eaten a few myself; taste like whatever they're > > cooked in), but I've done it on Medecos; it's no problem. > > Well, unfortunately I specified "live", which probably precludes the > cooking bit. Hmm. Cricket fondue, perhaps. > > > The angles will be the same on the master as the change key; only the > > cut depth will differ. > > That isn't necessarily the case. High-security Medecos can have multiple > valid pin rotation positions -- the pin's angled surface doesn't need to > be flush with the key. This allows much larger number of possible pin > combinations, and I think it would make your attack infeasible in practice > (particularly since the attacker presumably doesn't know if there are > dummy steps added, or if the key is part of a master-ring system. That's a > lot of work to do only to find out the attack wouldn't have worked in the > first place.) > > > If you have a code cutter at the oracle lock it's no different from > > doing the attack regular locks, except that Medeco's MACS restrictions > > mean you have to be careful about whether you use the change depth or > > previously learned master depth at the positions adjacent to the > > position under test. > > That would certainly be true. > > > If you're using a file at the oracle lock, just use a code machine to > > pre-cut a #1 cut at the right angle at each position; the sharp angle > > actually makes filing a bit easier than on locks with a standard cut. > > > I recommend a light garlic sauce. > > *grin* > > Have you found a source for the factory-controlled Medeco key blanks? > > > --Len. > - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: [IP] Master Key Copying Revealed (Matt Blaze of ATT Labs)
On Fri, 24 Jan 2003, Matt Blaze wrote: > I have no particular interest in seeing you eat crickets (and before > I went veggie I've eaten a few myself; taste like whatever they're > cooked in), but I've done it on Medecos; it's no problem. Well, unfortunately I specified "live", which probably precludes the cooking bit. Hmm. Cricket fondue, perhaps. > The angles will be the same on the master as the change key; only the > cut depth will differ. That isn't necessarily the case. High-security Medecos can have multiple valid pin rotation positions -- the pin's angled surface doesn't need to be flush with the key. This allows much larger number of possible pin combinations, and I think it would make your attack infeasible in practice (particularly since the attacker presumably doesn't know if there are dummy steps added, or if the key is part of a master-ring system. That's a lot of work to do only to find out the attack wouldn't have worked in the first place.) > If you have a code cutter at the oracle lock it's no different from > doing the attack regular locks, except that Medeco's MACS restrictions > mean you have to be careful about whether you use the change depth or > previously learned master depth at the positions adjacent to the > position under test. That would certainly be true. > If you're using a file at the oracle lock, just use a code machine to > pre-cut a #1 cut at the right angle at each position; the sharp angle > actually makes filing a bit easier than on locks with a standard cut. > I recommend a light garlic sauce. *grin* Have you found a source for the factory-controlled Medeco key blanks? --Len. - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: [IP] Master Key Copying Revealed (Matt Blaze of ATT Labs)
Matt Blaze <[EMAIL PROTECTED]> writes: > I have no particular interest in seeing you eat crickets (and before > I went veggie I've eaten a few myself; taste like whatever they're > cooked in), but I've done it on Medecos; it's no problem. Having taken apart Medeco's before, I have to agree with Matt that this attack would work fine on old-style medecos with a groove for the the turn-bar. This means the twist is the same at all pin heights for any particular pin. > The angles will be the same on the master as the change key; only the > cut depth will differ. If you have a code cutter at the oracle lock > it's no different from doing the attack regular locks, except that Medeco's > MACS restrictions mean you have to be careful about whether you use the > change depth or previously learned master depth at the positions adjacent > to the position under test. If you're using a file at the oracle lock, > just use a code machine to pre-cut a #1 cut at the right angle at each > position; the sharp angle actually makes filing a bit easier than on > locks with a standard cut. There is, however, a newer medeco design that uses a drill-hole instead of a groove. With that design you can have the pin twist be different at different pin-heights (by putting the drill-hole at a different twist-angle). I don't think this attack would work quite as easily on this design. -derek -- Derek Atkins Computer and Internet Security Consultant [EMAIL PROTECTED] www.ihtfp.com - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: [IP] Master Key Copying Revealed (Matt Blaze of ATT Labs)
Actually even in their Biaxial design the sidebar hole is always on the bottom pin, and so the master shares the angle with the change keys. -matt > There is, however, a newer medeco design that uses a drill-hole > instead of a groove. With that design you can have the pin twist be > different at different pin-heights (by putting the drill-hole at a > different twist-angle). I don't think this attack would work quite > as easily on this design. > > -derek - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: [IP] Master Key Copying Revealed (Matt Blaze of ATT Labs)
On 24 Jan 2003, David Wagner wrote: > If those locksmiths didn't publish the vulnerability, phooey on them. > Matt Blaze deserves full credit for being the first to publish. I'm fairly certain this has been published in locksmithing journals previously, though I would have to do some digging to prove that. > What good is it to know about a vulnerability if you never warn the > users and never fix the weakness? It is the prevailing opinion in the physical security space that users are not the best qualified to judge their own threat models. Whether or not this is correct could be up for debate, but trying to force high-security locks on someone who doesn't need it is viewed with the same sort of disdain that you might have for a company trying to sell Tempest-shielding to a small business owners. The actual lock is very rarely the point of least resistance for an attack. [These and other weaknesses are, in fact, addressed in a number of high-security locks. Most users won't want to pay for them.] > In scientific research, we credit the first person to publish new > knowledge. Sure, maybe you've invented a cure for cancer ... but if > you don't tell anyone, you don't get the credit, and you haven't done > much good for the world. > > I think, on balance, Matt Blaze's paper seems likely to be beneficial > for users of locks. It helps us more accurately evaluate our own > security and be smarter about how we select physical security defenses. > That seems likely to lead to greater security for all of us in the end. > We should be grateful to Blaze for publishing, not dismissive. Matt's paper is beneficial to fledgling locksmiths, but I'm uncertain if it will have any effect on users. Perhaps I'm cynical. Here's a story you might find interesting. A few years ago, a certain employee of a Silicon Valley company with which both you and Matt may be familiar asked me to evaluate the physical defenses of one of their facilities. The goal was to see how close I could get to the center of the building. They had a magnetically-sealed front door, a hand geometry scanner on one inner door, iButton access on another, and fairly secure physical lock cylinders. I was able to get inside with nothing more than a coat hanger, credit card, and a pen knife. This is the reality of physical security. Designing a burglar-proof installation is tricky business, and using secure locks is usually the least of the problem. A user who needs full security should be engaging a qualified physical security specialist to do the design and installation, and a security professional who knows how to address all the other potential attacks will surely be aware of key decoding techniques, and how to defend against them. Matt's technique is clever, and I am impressed that he came up with it on his own. His paper is well-written, and explains a lot about master-keyed systems in general. People interested in becoming locksmiths or entering the physical security business will definitely want to read it. I don't think it is going to significantly increase security in the real world, however. --Len. - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: [IP] Master Key Copying Revealed (Matt Blaze of ATT Labs)
I have no particular interest in seeing you eat crickets (and before I went veggie I've eaten a few myself; taste like whatever they're cooked in), but I've done it on Medecos; it's no problem. The angles will be the same on the master as the change key; only the cut depth will differ. If you have a code cutter at the oracle lock it's no different from doing the attack regular locks, except that Medeco's MACS restrictions mean you have to be careful about whether you use the change depth or previously learned master depth at the positions adjacent to the position under test. If you're using a file at the oracle lock, just use a code machine to pre-cut a #1 cut at the right angle at each position; the sharp angle actually makes filing a bit easier than on locks with a standard cut. I recommend a light garlic sauce. -matt > > (On another list, I joked that if Matt could get his technique to work on > a Medeco master-keyed system by July, I'd eat a pound of live crickets at > DEFCON. I'll hold myself to that.) - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: [IP] Master Key Copying Revealed (Matt Blaze of ATT Labs)
Len Sassaman wrote: >This is a rather clever technique for discovering the second key of a >dual-keyed lock; however, it wasn't previously unknown. > >It was described to me in 1997, when I first started working with >locksmithing, [...] > >The fact that AT&T couldn't find much public mention of this technique >isn't surprising. Locksmithing is a more secretive discipline than >cryptography. Locksmiths generally don't discuss the plethora of ways to >defeat standard physical security techniques with the general public. If those locksmiths didn't publish the vulnerability, phooey on them. Matt Blaze deserves full credit for being the first to publish. What good is it to know about a vulnerability if you never warn the users and never fix the weakness? In scientific research, we credit the first person to publish new knowledge. Sure, maybe you've invented a cure for cancer ... but if you don't tell anyone, you don't get the credit, and you haven't done much good for the world. I think, on balance, Matt Blaze's paper seems likely to be beneficial for users of locks. It helps us more accurately evaluate our own security and be smarter about how we select physical security defenses. That seems likely to lead to greater security for all of us in the end. We should be grateful to Blaze for publishing, not dismissive. - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: [IP] Master Key Copying Revealed (Matt Blaze of ATT Labs)
On Fri, 24 Jan 2003, Arnold G. Reinhold wrote: > If all the master cuts are higher than the change cuts, I believe you > can carry out Len's procedure with a single blank. You start with the > master key and file it down one pin position at a time until it > becomes the change key. If that were the case, sure. However, you usually can't know that the master key sheer line is higher than the change key, so this doesn't work in practice. > The apparently common restrictions on where the master cuts can be > relative to the change cuts would seem to severely limit the number > of possible master keys for any given lock style. Note that these aren't actually direct restrictions on where the master key sheer line is in relation to the change key sheer line, but instead restrictions on the height difference between a given pin and the pins adjacent to it. This has the side-effect of limiting where the master key sheer line is in respect to the change sheer line, because both of these must be within the allowed distance of steps between pins. (This is a purely physical limitation. If you had pins that were of drastically different heights next to each other, key insertion would be extremely difficult or impossible.) > It might well be possible to construct a priori a set of all possible > master keys for a given lock style. This would make such systems > vulnerable to someone who lacks even a change key. Heck, it's possible to construct a set of all possible *keys* for a given lock. Even with the optimizations of knowing which pin combinations are physically impossible to use, however, this is still a lot of combinations. > A careful lock picker could also deduce a lot of information on where > the master cuts are. Yes. A very talented locksmith could decode a pin combination on a lock using special lock-picking tools, such as a feeler. However, in nearly all real-world scenarios, this would not make sense. Most of the time, the lock is not the weakest point of attack. Attacking the lock in this manner is analogous to breaking a crypto-system by attacking the cipher. Usually, other parts of the implementation are much weaker. (And, in the case of a legitimate entry by a locksmith, destroying the lock by drilling or other means would probably be cheaper than the labor costs.) If you have a location which is secured in such a manner that the lock's security is of concern, you should look into a lock such as Medeco, which employs a number of security features which resist these attacks. (Angled cuts, restricted key blanks, etc.) (On another list, I joked that if Matt could get his technique to work on a Medeco master-keyed system by July, I'd eat a pound of live crickets at DEFCON. I'll hold myself to that.) --Len. - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: [IP] Master Key Copying Revealed (Matt Blaze of ATT Labs)
At 6:16 PM -0800 1/23/03, Harvey Acker wrote: The content, once extracted, was interesting to someone who did not know how locks worked, but the attack was obvious as soon as one read the description of how master keys worked. I knew how master keys worked. I had one when I was at MIT and I've picked a few locks myself. I know a little crypto too, but I didn't think of this attack. Lots of things are obvious once you've read them. To dress this up with "P(H-1) key blanks", "rights amplification", oracles, and other crypto analogies, was silly. I'm sure there is street argot for most of these terms, but Matt's paper is great tutorial on what they mean in a practical, physical setting. Anyway, it got his picture in New York Times: http://www.nytimes.com/2003/01/23/business/23LOCK.html At 9:38 AM -0800 1/24/03, Len Sassaman wrote: ... This is a rather clever technique for discovering the second key of a dual-keyed lock; however, it wasn't previously unknown. I do give Matt a lot of credit for having come up with it independently, though I think it is worth pointing out that any good locksmith would already have been aware of this. It was described to me in 1997, when I first started working with locksmithing, as a way of determining a given lock's change key knowing only the master key (and having access to the lock, but not the ability or desire to disassemble it.) Using this to find a change key when you have a master key isn't nearly as interesting from the point of view of an attacker, but is the more common use of this technique in the locksmithing field. If all the master cuts are higher than the change cuts, I believe you can carry out Len's procedure with a single blank. You start with the master key and file it down one pin position at a time until it becomes the change key. The apparently common restrictions on where the master cuts can be relative to the change cuts would seem to severely limit the number of possible master keys for any given lock style. It might well be possible to construct a priori a set of all possible master keys for a given lock style. This would make such systems vulnerable to someone who lacks even a change key. A careful lock picker could also deduce a lot of information on where the master cuts are. Arnold Reinhold - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: [IP] Master Key Copying Revealed (Matt Blaze of ATT Labs)
> On Thu, 23 Jan 2003, Matt Blaze wrote: > > > A brief summary is available on my web page at > > http://www.crypto.com/masterkey.html > > with links to the full (4MB) paper. > > > > Note that this is a bit slashdotted at the moment... > > This is a rather clever technique for discovering the second key of a > dual-keyed lock; however, it wasn't previously unknown. > > I do give Matt a lot of credit for having come up with it independently, > though I think it is worth pointing out that any good locksmith would > already have been aware of this. > > It was described to me in 1997, when I first started working with > locksmithing, as a way of determining a given lock's change key knowing > only the master key (and having access to the lock, but not the ability or > desire to disassemble it.) Using this to find a change key when you have a > master key isn't nearly as interesting from the point of view of an > attacker, but is the more common use of this technique in the locksmithing > field. > > The fact that AT&T couldn't find much public mention of this technique > isn't surprising. Locksmithing is a more secretive discipline than > cryptography. Locksmiths generally don't discuss the plethora of ways to > defeat standard physical security techniques with the general public. > Sometimes I think they understand the issue of threat-models better than > cryptographers do. They certainly understand that the public doesn't > understand. Actually, I think this is a perfect example of the complete failure of the "keep vulnerabilities secret" model. Apparently locksmiths, criminals, and curious students have been discovering and rediscovering this and related techniques for the last 100 years, and instead of writing it down in a coherent body of literature so that less vulnerable approaches to master keying could be developed to resist this threat, it has been either kept secret or passed along as folklore. 100 years should be plenty of time to fix this sort security vulnerability, and in fact, there are lock designs (like master rings) that turn out resist this attack but that have died a quite death in the market because users (and locksmiths) didn't know about this. See http://www.crypto.com/hobbs.html for an interesting perspective; we computer security people actually took the notion that publishing vulnerabilities increases security from the locksmiths, who have since reverted to trying to keep their secrets. -matt - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: [IP] Master Key Copying Revealed (Matt Blaze of ATT Labs)
On Thu, 23 Jan 2003, Matt Blaze wrote: > A brief summary is available on my web page at > http://www.crypto.com/masterkey.html > with links to the full (4MB) paper. > > Note that this is a bit slashdotted at the moment... This is a rather clever technique for discovering the second key of a dual-keyed lock; however, it wasn't previously unknown. I do give Matt a lot of credit for having come up with it independently, though I think it is worth pointing out that any good locksmith would already have been aware of this. It was described to me in 1997, when I first started working with locksmithing, as a way of determining a given lock's change key knowing only the master key (and having access to the lock, but not the ability or desire to disassemble it.) Using this to find a change key when you have a master key isn't nearly as interesting from the point of view of an attacker, but is the more common use of this technique in the locksmithing field. The fact that AT&T couldn't find much public mention of this technique isn't surprising. Locksmithing is a more secretive discipline than cryptography. Locksmiths generally don't discuss the plethora of ways to defeat standard physical security techniques with the general public. Sometimes I think they understand the issue of threat-models better than cryptographers do. They certainly understand that the public doesn't understand. --Len. - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: [IP] Master Key Copying Revealed (Matt Blaze of ATT Labs)
The content, once extracted, was interesting to someone who did not know how locks worked, but the attack was obvious as soon as one read the description of how master keys worked. To dress this up with "P(H-1) key blanks", "rights amplification", oracles, and other crypto analogies, was silly. Harv Matt Blaze wrote: > > A brief summary is available on my web page at > http://www.crypto.com/masterkey.html > with links to the full (4MB) paper. > > Note that this is a bit slashdotted at the moment... > > -matt > > - > The Cryptography Mailing List > Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED] __ Do you Yahoo!? Yahoo! Mail Plus - Powerful. Affordable. Sign up now. http://mailplus.yahoo.com - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: [IP] Master Key Copying Revealed (Matt Blaze of ATT Labs)
A brief summary is available on my web page at http://www.crypto.com/masterkey.html with links to the full (4MB) paper. Note that this is a bit slashdotted at the moment... -matt - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
RE: [IP] Master Key Copying Revealed (Matt Blaze of ATT Labs)
The paper was at http://www.crypto.com/papers/mk.pdf early this morning. - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
[IP] Master Key Copying Revealed (Matt Blaze of ATT Labs)
--- begin forwarded text Status: RO User-Agent: Microsoft-Entourage/10.1.1.2418 Date: Thu, 23 Jan 2003 16:57:25 +0900 Subject: [IP] Master Key Copying Revealed (Matt Blaze of ATT Labs) From: Dave Farber <[EMAIL PROTECTED]> To: ip <[EMAIL PROTECTED]> Sender: [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Master Key Copying Revealed January 23, 2003 By JOHN SCHWARTZ A security researcher has revealed a little-known vulnerability in many locks that lets a person create a copy of the master key for an entire building by starting with any key from that building. The researcher, Matt Blaze of AT&T Labs-Research, found the vulnerability by applying his area of expertise - the security flaws that allow hackers to break into computer networks - to the real-world locks and keys that have been used for more than a century in office buildings, college campuses and some residential complexes. The attack described by Mr. Blaze, which is known by some locksmiths, leaves no evidence of tampering. It can be used without resorting to removing the lock and taking it apart or other suspicious behavior that can give away ordinary lock pickers. All that is needed, Mr. Blaze wrote, is access to a key and to the lock that it opens, as well as a small number of uncut key blanks and a tool to cut them to the proper shape. No special skills or tools are required; key-cutting machines costing hundreds of dollars apiece make the task easier, but the same results can be achieved with a simple metal file. After testing the technique repeatedly against the hardware from major lock companies, Mr. Blaze wrote, "it required only a few minutes to carry out, even when using a file to cut the keys." AT&T decided that the risk of abuse of the information was great, so it has taken the unusual step of posting an alert to law enforcement agencies nationwide. The alert describes the technique and the possible defenses against it, though the company warns that no simple solution exists. The paper, which Mr. Blaze has submitted for publication in a computer security journal, has troubled security experts who have seen it. Marc Weber Tobias, a locks expert who works as a security consultant to law enforcement agencies, said he was rewriting his police guide to locks and lock-picking because of the paper. He said the technique could open doors worldwide for criminals and terrorists. "I view the problem as pretty serious," he said, adding that the technique was so simple, "an idiot could do it." The technique is not news to locksmiths, said Lloyd Seliber, the head instructor of master-key classes for Schlage, a lock company that is part of Ingersoll-Rand. He said he even taught the technique, which he calls decoding, in his training program for locksmiths. "This has been true for 150 years," Mr. Seliber said. Variations on the decoding technique have also been mentioned in passing in locksmith trade journals, but usually as a way for locksmiths to replace a lost master key and not as a security risk. When told that Mr. Seliber taught the technique to his students, Mr. Tobias said: "He may teach it, but it's new in the security industry. Security managers don't know about it." In the paper, Mr. Blaze applies the principles of cryptanalysis, ordinarily used to break secret codes, to the analysis of mechanical lock designs. He describes a logical, deductive approach to learning the shape of a master key by building on clues provided by the key in hand - an approach that cryptanalysts call an oracle attack. The technique narrows the number of tries that would be necessary to discover a master-key configuration to only dozens of attempts, not the thousands of blind tries that would otherwise be necessary. The research paper might seem an odd choice of topics for a computer scientist, but Mr. Blaze noted that in his role as a security researcher for AT&T Labs, he examined issues that went to the heart of business security wherever they arose, whether in the digital world or the world of steel and brass. Since publishing Mr. Blaze's technique could lead to an increase in thefts and other crimes, it presented an ethical quandary for him and for AT&T Labs - the kind of quandary that must also be confronted whenever new security holes are discovered in computing. "There's no way to warn the good guys without also alerting the bad guys," Mr. Blaze said. "If there were, then it would be much simpler - we would just tell the good guys." Publishing a paper about vulnerable locks, however, presented greater challenges than a paper on computer flaws. The Internet makes getting the word out to those who manage computer networks easy, and fixing a computer vulnerability is often as simple as downloading a software patch. Getting word out to the larger, more amorphous world of security officers and locksmiths is a mo