Interesting People mailing list archives

more on worth reading Key Bumping


From: David Farber <dave () farber net>
Date: Wed, 4 Jan 2006 15:44:23 -0500



Begin forwarded message:

From: Matt Blaze <mab () crypto com>
Date: January 4, 2006 3:33:31 PM EST
To: David Farber <dave () farber net>, "Steven M. Bellovin" <smb () cs columbia edu>
Subject: Re: [IP] Key Bumping


For IP if you wish (with typo corrected):

On Jan 4, 2006, at 12:37, Steven M. Bellovin wrote:

In message <06BF5AC9-43F9-49BD-8503-26CAB62A3C2C () farber net>, David Farber writes:


Begin forwarded message:

From: Brian Randell <Brian.Randell () newcastle ac uk>
Date: January 4, 2006 12:23:37 PM EST
To: dave () farber net
Subject: Re: [IP] Key Bumping

Hi Dave:

Folks, I just found out about the "bumpkey" from
http://www.toool.nl/bumpkey-alert.wmv. Don't download that on a slow
connection, but if you watch it you'll get a real feeling of insecurity
about expecting locks to protect your house.  Apparently (see, for
example, http://www.toool.nl/index-eng.php), "bumping" is real and as
soon as the idea spreads, houses may as well not have mechanical locks
on them.  :(

The (naive) impression I have is that this works for the various
types of cylinder lock, i.e. a lock in which the key is pushed in past
a set of spring-loaded pins - it's not obvious to me that it would be
effective with lever locks. Does anyone know whether this is in fact
correct?

cheers

Matt Blaze is the guy to ask.

                --Steven M. Bellovin, http://www.cs.columbia.edu/~smb



"Bump" keys do open most pin-tumbler locks, working under the same
principle as a "pick gun": by transferring energy (simultaneously
on all tumblers) through the "bottom" pin segments to create for
a moment a gap at the shear line that allows the lock to rotate.

The basic idea is this: a standard key that fits the lock
in question is cut for the deepest cut (at all tumbler positions).
The key is inserted into the lock and withdrawn by one tumbler
position.  Then, while applying slight torque, it is struck
rapidly with a hammer.  The ridges between cuts strike the
pins, which in turn transfer energy to move the other pin segments
but without moving much themselves (just as a billiard ball transfers
energy to the next ball).  This creates, briefly, a gap at the shear
line, during which the lock will turn.

Spring loaded "pick guns" that do the same thing have been around
for a while -- at least 50 years -- but bump keys appear to be a
somewhat more recent refinement.  The technique is mentioned briefly
in the '98 edition of Tobias' _Locks,_Safes_and_Security_.  Barry
Wels and Rop Gonggrijp's paper goes into more detail, and shows
that it can be effective even against so-called "high security"
locks.

The main advantage to the attacker of the bump key technique
over a pick gun is that it requires no special (or suspicious)
tools: just an ordinary key and a hammer or screwdriver.  It also
appears to be a bit easier to master, and bump keys can be
fabricated even for locks that conventional pick guns don't easily
fit (such as dimple key locks).   The main disadvantage to
the attacker is that it requires having a separate bump key
(and obtaining a key blank) for each brand of lock.

Is it the end of the world for the many pin tumbler lock
designs that are susceptible to the technique?  Well,
that coffin should have quite a few nails in it already, yet
these locks continue to dominate the market in the US and many
other countries.  The primary significance of the technique
is that it lowers the bar against many "high security" products
that are widely thought to be much more resistant to attack
than they actually are.

-matt



