To counter a newly publicized threat to master-key systems, facility executives should look to old measures
By Lynn Proctor Windle March 2003 - Security Article Use Policy
If your building is protected by a master-keyed lock system, it might be time to review your security measures.
A little-known technique for creating a master key from any key in the lock system is making the rounds on the Internet, providing public access to what was once considered a trade secret among locksmiths.
The technique, described in a paper published by an AT&T Laboratories research scientist, describes a flaw in the inherent design of master-keyed lock systems and explains how anyone with little more than a file and key blanks could carve an unauthorized master key.
According to report author Matt Blaze, a computer security expert and cryptographer, the technique, which is called “rights amplification, ” requires no special skill. Once the illicit master key is functional, its use is virtually undetectable.
“Individuals and institutions that depend on such locks to protect their safety and property should be aware of these risks and consider alternatives to eliminate or reduce their exposure to this threat, ” Blaze wrote in his report.
Despite the new-found interest in this particular hacking approach, locksmiths say the technique is hardly new.
“It is one of the many risks of master keying, and it is generally accepted to be one of the lesser risks, ” says Lloyd Seliber, a senior training manager for Schlage Lock Co., who is also a certified master locksmith. “Most locksmiths feel there are far more relevant security implications than the rather obscure attack that Mr. Blaze described.”
Seliber says the pin-tumbler lock design is vulnerable to several types of attacks, all of which are well-documented within the lock and security industries.
“Copying a master key is a far greater concern to most property owners and managers than a rights amplification attack, ” he says. “Master keys can be copied just like any other key. Throw it on the key machine, stick the correct blank in the other end, and copy away. The only way to stop it is to control the blanks.”
“If you can get a copy of your key at the corner store, your system is vulnerable to many forms of attack, including the rights amplification attack described in Mr. Blaze’s report, ” Seliber says.
Simple – In Theory
Blaze said that while the rights amplification technique is a bit involved, it requires no special mechanical skills or tools. Figuring out a master combination is a methodical process of elimination, determining pin by pin how deep to cut the key.
“The skill level required is very low, ” Blaze says. “Someone with access to a single lock and its associated key can probe their own lock in a structured way to learn what the master key looks like and make a working copy of it. The procedure is very simple. It does not require special skill or much practice the way, say, picking locks does.”
While the process seems simple on paper, lock experts say that would-be hackers must have some basic locksmithing skills.
“This paper assumes that the person knows what the manufacturer’s key cuts are, ” says Clyde Roberson, a certified master locksmith and director of technical services for Medeco High Security Locks. “That’s a piece of locksmithing knowledge you would have to have. A motivated individual could learn to do it, but it’s not that easy, and it becomes more difficult as the quality of the lock increases.”
Blaze says that some lock designs, such as “master ring, ” are not susceptible to this technique.
While the difficulty level of this particular key hacking method is debatable, it doesn’t change the fact that master-keyed lock systems are at risk. On this point, Blaze and lock experts agree.
One of the best ways to reduce vulnerabilities is to eliminate public access to key blanks for these systems, lock experts say.
The way to do that is known as key control: the use of either restricted cylinders or patent-protected, high-security cylinders.
Blanks for restricted keys are sold only by the original equipment manufacturer and made available only to certain distributors, but the keys could still be available to the public from third-party after-market manufacturers, he says.
Blanks to high-security cylinders will never be available in the commercial market. They are available only from the manufacturer via locksmiths who sign stringent distribution agreements, says Billy B. Edwards Jr., key records manager for Master Lock Company and a certified master locksmith. In many cases, only the locksmith who installed the original system can make duplicate keys.
“If you limit the availability of key blanks, the attack can’t be performed, ” Roberson says.
The locks that Blaze used in his research were off-the-shelf products, none of which were restricted or high security, Roberson adds.
Seliber agrees that limiting access to blanks is critical to improving security. “Protection against unauthorized duplication of a master key is the most important security measure for building owners and property managers, ” he says.
In most cases, he says, that means using restricted or high-security cylinders. “Today, almost every lock manufacturer in America makes one of these products, so it is easy to find competitive alternatives, ” Seliber says. “Some manufacturers make several, depending on what other types of attack the owner needs to deter.”
“When you consider the total security and safety picture, conventional cylinders have a lot of weaknesses, ” Blaze says. He says that restricted cylinders are a big improvement over conventional cylinders; high-security cylinders are a bigger improvement still.
Beyond key control systems, there are other measures property managers can employ to improve lock systems and building security.
“After you have protected against unauthorized key duplication and taken away access to key blanks, you can look at other countermeasures, such as breaking up the system and keeping ‘target’ areas off the master, ” Seliber said.
Before purchasing any lock system, Roberson recommends checking the product’s UL 437 safety rating. This rating tells the buyer what level of assault the lock is designed to withstand.
From the ALOA, Lowell offers these additional security tips:
- Key locks on exterior building doors to a single key that is not master-keyed.
- Key areas or groups of like doors to a single key without master-keying. This will increase convenience without decreasing security.
- In high-rise office buildings and hotels, use a separate master key for each floor or wing, thus restricting key decoding to limited areas.
- In apartments, key each apartment separately and store a key for each apartment in a key safe for emergency entry.
In the grand scheme of things, removing the rights amplification threat does little to improve security if properly issued keys go unaccounted for. Robert Harazin, a senior security consultant with Sako & Associates Inc., suggests that property managers implement rigid key tracking systems.
Master keys should never leave the building, particularly if the facility is a large office building. When master keys are not in use, they should be kept under lock and key, he said. When the master keys are in use, the property manager should track who uses them and when, he said.
“There’s no reason for the master key to leave the building, ” Harazin says. “If a master key is lost, replacing locks can be costly.”