TOSL Project. A community project to "build a better mousetrap".
by inverseentropy » 3 Jan 2010 17:15
I've been thinking quite a bit about an electronic lock the past couple of days. My proposal is to use a small linux device (e.g. a $50 wireless router) on the inside of the door, optionally encased in epoxy. It would be possible to get by with less, but a box that has networking capabilities and is capable of running linux offers the greatest possibilities and ease of use in terms of logging and key management. The keyfobs will have microcontrollers (either PIC or AVR) and could communicate using either infrared (cheap and easily available components) or radio (less prone to vandalism). Cryptography is of course used everywhere so that neither the ethernet port on the inside nor the infrared/radio on the outside can become an attack point. Each door can be accessed by an administrator via a network connection (either the ethernet port or wirelessly if a wireless router is used) using the ssh protocol, which has been well used and trusted for over a decade. The administrator can view access logs and perform key management.

There are several possibilities for cryptographic protocol between the keys and the door. The simplest is probably S/KEY. You can look this up on wikipedia; basically this uses a one-way function to create a series of keys. The keyfob owner generates a random number and runs the one-way function on it 10000 times (using a computer). This sequence of numbers is then stored on the keyfob (well, not all of them need to be stored because checkpoints can be used) and the 10000th one is given to the door by the administrator. When the keyfob owner wants in they press the button on the keyfob and the 9999th number in the sequence is sent. The door computes the one-way function and verifies that the 9999th number leads to the 10000th number. The next time you send the 9998th number, etc.
This scheme is secure, but it requires use of a computer in order to generate the key sequence (and this must then be transferred from the computer to the key) and once the sequence runs out it must be refreshed again using a computer. Key management can also be a bit of a pain in the ass.

A much nicer possibility makes use of public key encryption. Look it up in wikipedia if you don't know, but basically there is a public key used to encrypt and a secret key used to decrypt. This is fast on a computer but probably takes several seconds to perform on the typical microcontroller (but possibly under a second depending on the chip used and the effort put forth to optimize the program). That is okay though because it only needs to be done the first time a key is used. Each person owns a single keyfob that grants access to all doors. The keyfob has a secret key and the owner has a public key that they email to everyone, put on their web page, or whatever. To grant access to the door, the administrator just connects to the door and adds the public key to a list of authorized users. When the user then first uses their keyfob to open the door the public key encryption is used to establish a shared secret between the door and the keyfob. This shared secret is used for subsequent accesses (e.g. door sends random number, keyfob encrypts that number using shared secret and sends it back to door, door decrypts using shared secret and checks that it matches).

Additionally, the keyfob has a display that is capable of showing a one digit number. Each door is assigned a number (one for the first door you use, two for the second one, etc.). As long as the user remembers which number goes with which door a man-in-the-middle attack is not possible. It goes like this: you press the button on the keyfob, the number lights up telling which door you are talking to, and if it is the right door you press the button again to authenticate.
If you have more than 10 doors you need a larger display that can say for example "Pentagon room 123B" or whatever. Now, it is possible (easy even) to duplicate the keyfobs unless you are willing to go with some fancy non-standard chips that are designed to prevent this. This is not so much of a problem as it is with traditional keys for two reasons. Firstly, the logging and key revocation ensure that a disgruntled employee no longer has access to the door after they are fired. Secondly, a sequence number can be used which gets incremented every time a key is used. The valid user will be sending sequence numbers 1, 2, 3, maybe some don't transmit properly so it could go 5, 8, 20, etc., but always increasing. If there is another key in use the sequence will necessarily not be increasing. For example you send sequence 10, they must send something 11 or greater, then next time you send 11 and the door tells you that someone else has cloned your key and it is then automatically revoked. Also, if the user is aware of theft they can send out a special revocation signal to voluntarily revoke their key (if the doors are connected to the internet they can revoke their key for all doors at once).

Now, a big problem with this system is that the computer in the door will be a power hog. It could probably run for a few days (maybe months if you are careful) on batteries but must be primarily connected to wall power. That is the price that must be paid for having something so fancy. In most cases this is perfectly fine and I would guess that a great number of electronic locks rely on external power. The place where I work has card readers for the doors and you would never know it but there are actually wires that go from the lock, through the axis of the hinges, into the door frame, and then who knows where. Total cost: $5 to $10 per key (can be shared among several doors), $50-$100 for door electronics, and who knows how much for the mechanical portion.
There is one device I would like to mention because I think it is neat, although I am not endorsing it because it is expensive and uses nonstandard parts. This is a reprogrammable radio-linked wristwatch from Texas Instruments, the EZ430-Chronos http://wiki.msp430.com/index.php/EZ430-Chronos?DCMP=Chronos&HQS=Other+PR+chronoswiki-pr. [edit- split from the "welcome" thread- try to keep threads on topic-thanks- unlisted]
inverseentropy
- Posts: 44
- Joined: 26 Nov 2009 3:08
- Location: Pittsburgh, PA
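The two fob protocols sketched in the opening post, as an added worked example (this is not code from the thread or from the TOSL project). The first half is the door side of the S/KEY hash chain; the second half is the shared-secret challenge/response with the always-increasing sequence number, run through the clone scenario the post describes. Assumptions that are mine, not the post's: SHA-256 as the one-way function, an HMAC tag standing in for "encrypt the random number with the shared secret", a 4-byte sequence counter, and an optional bounded look-ahead so a press the door never heard does not strand the fob.

```python
"""Added example, not code from the thread: door-side verifier for the
S/KEY chain and the shared-secret challenge/response with clone detection.
Standard library only. SHA-256, HMAC, the 4-byte counter and the
look-ahead are assumptions made for this example."""
import hashlib
import hmac
import os


def h(x: bytes) -> bytes:
    """The one-way function of the chain (assumption: SHA-256)."""
    return hashlib.sha256(x).digest()


def make_chain(seed: bytes, n: int) -> list:
    """[seed, H(seed), ..., H^n(seed)]. The fob keeps this (or checkpoints);
    the administrator installs only the last element in the door."""
    chain = [seed]
    for _ in range(n):
        chain.append(h(chain[-1]))
    return chain


class SKeyDoor:
    """Door side of S/KEY: stores only the most recently accepted link."""

    def __init__(self, anchor: bytes, max_skip: int = 1):
        self.anchor = anchor      # H^n(seed) from the administrator
        self.max_skip = max_skip  # 1 = strict S/KEY; >1 tolerates lost presses

    def try_open(self, presented: bytes) -> bool:
        cur = presented
        for _ in range(self.max_skip):
            cur = h(cur)
            if hmac.compare_digest(cur, self.anchor):
                self.anchor = presented  # step down the chain
                return True
        return False  # wrong chain, or a replayed/older link


def fob_tag(key: bytes, door_id: int, nonce: bytes, seq: int) -> bytes:
    """Response to a challenge. Binding door_id into the tag is what gives
    the fob's "which door am I talking to" display its meaning: a challenge
    relayed from another door yields a tag that door will not accept."""
    msg = door_id.to_bytes(1, "big") + nonce + seq.to_bytes(4, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()


class Fob:
    def __init__(self, shared_secret: bytes):
        self.key = shared_secret
        self.seq = 0  # incremented on every press, heard by the door or not

    def press(self, door_id: int, nonce: bytes):
        self.seq += 1
        return self.seq, fob_tag(self.key, door_id, nonce, self.seq)


class SharedSecretDoor:
    """Door side once the per-fob shared secret has been established."""

    def __init__(self, door_id: int):
        self.door_id = door_id
        self.users = {}   # name -> {"key", "seq", "revoked"}
        self.pending = None

    def enroll(self, name: str, shared_secret: bytes) -> None:
        self.users[name] = {"key": shared_secret, "seq": 0, "revoked": False}

    def challenge(self) -> bytes:
        self.pending = os.urandom(16)  # fresh random number per attempt
        return self.pending

    def verify(self, name: str, seq: int, tag: bytes) -> str:
        nonce, self.pending = self.pending, None
        u = self.users.get(name)
        if nonce is None or u is None or u["revoked"]:
            return "denied"
        if not hmac.compare_digest(fob_tag(u["key"], self.door_id, nonce, seq), tag):
            return "denied"
        if seq <= u["seq"]:
            # A genuine fob only ever counts up; a number already seen means
            # a second copy of this key is in circulation. Kill the key.
            u["revoked"] = True
            return "revoked"
        u["seq"] = seq
        return "open"


def clone_detection_demo() -> list:
    """The post's scenario: owner uses the fob twice, an attacker copies it,
    then both keep using it. Returns the door's decision for each press."""
    secret = b"\x22" * 32               # constructed shared secret
    door = SharedSecretDoor(door_id=1)
    door.enroll("bob", secret)
    real = Fob(secret)
    results = []
    for _ in range(2):
        seq, tag = real.press(1, door.challenge())
        results.append(door.verify("bob", seq, tag))
    clone = Fob(secret)
    clone.seq = real.seq                # copied after the second use
    seq, tag = clone.press(1, door.challenge())
    results.append(door.verify("bob", seq, tag))   # clone gets in (3 > 2)
    seq, tag = real.press(1, door.challenge())
    results.append(door.verify("bob", seq, tag))   # owner sends 3 again: revoked
    seq, tag = clone.press(1, door.challenge())
    results.append(door.verify("bob", seq, tag))   # key now dead for both
    return results
```

With the strict default (`max_skip=1`) the door behaves exactly as the post describes: only the link immediately below the stored one opens it, and a replayed link fails because the anchor has already moved. Note that the clone detector cannot tell which of the two fobs is the copy; the post's choice of revoking the key outright and letting the owner re-enroll is the conservative one, and the log entry is what tells the administrator something happened.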
by Josh K » 3 Jan 2010 17:23
^ I would say stay away from complex electronics. Competent key card systems have already been developed, complete with logging and key control. RFID cards are cheap and easy to duplicate and produce.
I think that this should focus on basic mechanical with a limited electronic scope. What happens when someone wants to just rekey their front door? Can this system be compressed into a $20 cylinder that is easy to change?
Josh K
- Posts: 555
- Joined: 9 Dec 2009 22:32
- Location: New York City
by inverseentropy » 3 Jan 2010 18:00
The reason for the complexity is to provide the combination of high security and ease of key management. I suspect that the simpler RFID systems don't use a separate code for each door, so it would be possible for example to dismantle one door and gain information needed to create a key for another door. An RFID card without a pushbutton on it also admits the possibility of opening a door through use of a directional antenna pointed at the card (and such things have been demonstrated). Many RFID schemes allow cards to be cloned through information that can be gained through a directional antenna. These attacks are really not all that far-fetched. Swipe cards aren't prone to such radio attacks but they have their own problems such as skimming. Also, it is not possible to share the same swipe card between doors owned by two different people in a secure way. Just like with mechanical locks, you get what you pay for. Also, this aims to be something that can be built by people at home using off-the-shelf components. Anything mass produced would be cheaper. Although RFID cards are cheap, the readers (chip only, no other circuitry) cost upwards of $35 each in quantities available to individuals. I don't think that anything useful could be made in the $20 price range: the cheapest of mass produced mechanical deadbolts approaches that price and the cheapest electromechanical device is, I believe, much more expensive (not including the electronics).
The place I work at uses swipe cards, and each card reader has a wire that runs all the way to some centralized computer that authenticates the cards and tells the door to open or not open. That particular system is neither cheap nor secure because, if it is based on a certain system popular with universities, it uses no encryption and access to any one of the wires can potentially compromise every such door on campus. Also, it is a sort of "shared trust" model where a single administrator (or several) has control over the entire campus.
by Josh K » 3 Jan 2010 18:08
Yes, but in the effort to make your system secure I suspect you're going to run into hardware difficulties. You plan on embedding a Linux server in the door? Custom distro or something off the shelf? How vulnerable will it be to standard computer hacks? Remember you're going to have to make the distro and any code open source to fulfill the TOSL idea.
I think it's overly complicated and not easy to install / setup. The average homeowner can go to Home Depot and pick up a new lock set. The progression towards TOSL should be similar.
by inverseentropy » 3 Jan 2010 18:26
I am thinking of an off-the-shelf linux distro with a single custom software package to be added. All of the crypto stuff has already been written. Many wireless routers have had linux ported to them and have a large number of users already. It is my belief that this is among the simplest of do-it-yourself options (at least in the realm of electronic options) as it consists of a single piece of off-the-shelf hardware (the router) and a small custom I/O board that can be home-built or bought. The whole package could come pre-built if you are willing to trust someone else to do it for you. Also keep in mind that if the wireless functionality is disabled, direct access to the device is only available from one side of the door, as is the case with mechanical locks. And if someone finds a hole in linux or ssh then screwing with doors will be among the least profitable criminal options available to that person.
Probably some people will want a mechanical only lock and others will want an electronic lock. It all depends on the application. Each has advantages and disadvantages. Mechanical locks require metalworking knowledge and tools to implement, electronic locks require computer knowledge and electronics tools to implement. Mechanical locks can be a work of art, electronic locks can be a brick of epoxy taped to the door, etc.
by Josh K » 3 Jan 2010 18:31
What happens when the router crashes or you have a kernel panic? What if the power goes out? Would this be something that could be suited to a non-door lock?
by inverseentropy » 3 Jan 2010 18:43
Well, I think it would also need a mechanical backup. Power outages may not be so big a problem because of battery backup but other unforeseen problems could of course lead to lockout, as with any electronic system. Probably if there is only a single user a mechanical only system would make more sense, but if someone wants multiple keys or other features the electronic system would be better. Again, both have advantages and disadvantages. An indestructible mechanical lock can turn into a real bad day if a neighborhood kid gets creative with a can of epoxy, and a safe with digital keypad can be mighty inconvenient if a battery falls out.
by Josh K » 3 Jan 2010 18:50
inverseentropy wrote:Well, I think it would also need a mechanical backup. Power outages may not be so big a problem because of battery backup but other unforeseen problems could of course lead to lockout, as with any electronic system. Probably if there is only a single user a mechanical only system would make more sense, but if someone wants multiple keys or other features the electronic system would be better. Again, both have advantages and disadvantages. An indestructible mechanical lock can turn into a real bad day if a neighborhood kid gets creative with a can of epoxy, and a safe with digital keypad can be mighty inconvenient if a battery falls out.
Correct. Now we're in the quandary of how much electronic and how much electric. Mechanical bypasses are just that, bypasses. You don't need all the fancy electronic stuff if you have a simple Schlage cylinder in there that can be picked or bumped open.
by unlisted » 3 Jan 2010 19:38
Guys, this is a welcome topic, not a "discuss ideas here" topic.
Copy/pasted the above into a new thread.
unlisted
- Moderator Emeritus
- Posts: 3131
- Joined: 27 May 2006 0:42
- Location: Canada
by Arrowofdarkness » 14 Jan 2010 9:32
Josh K wrote:What happens when the router crashes or you have a kernel panic? What if the power goes out? Would this be something that could be suited to a non door lock?
Most linux distros are EXTREMELY stable, and servers have an uptime of years not weeks (like their windows counterparts!). I would recommend something like a SheevaPlug, and if you want to interface directly with the electronics couple it with an Arduino if you want to go for the whole DIY element. The SheevaPlug runs a pre-release version of Ubuntu 9.04 (Embedded ARM), but I'm hoping they at least upgraded that to the Release or 9.10 by now. It is headless (meaning you have to ssh into it, or there is a serial USB debug port). It runs as fast as a PIII while using about 2 watts idle and 7 watts on full load. You can run a website with full Apache/PHP/MySQL if you wanted to (not recommended for a high traffic website) and indeed a good website for resources about it is hosted ON a SheevaPlug. You CAN do all of that, however as people have mentioned above me, there are some shortcomings to that system and it shouldn't be the end all way to get into your house. Put a high security lock on your back door and call it a day!
Arrowofdarkness
- Posts: 7
- Joined: 8 Jan 2010 15:26
by Josh K » 14 Jan 2010 10:45
Arrowofdarkness wrote:Josh K wrote:What happens when the router crashes or you have a kernel panic? What if the power goes out? Would this be something that could be suited to a non door lock?
Most linux distros are EXTREMELY stable, and servers have an uptime of years not weeks (like their windows counterparts!).
I understand that they are reliable, I'm saying if something were to happen it could put a damper in things. 
by Arrowofdarkness » 14 Jan 2010 23:02
Well you are right, but a power outage is A LOT more likely than an embedded server going down in a closed environment, and get a UPS so the door will still work for a while if you get a decent UPS as it will only be drawing very little bits of power. I wouldn't like it if my door lock were to fail, but if on the off chance that it does fail I would prepare for the worst case scenario and have it fail gracefully and have a backup way to get into my house without compromising security. Might I recommend an underground tunnel guarded by ligers ... they are the only reliable guard animal.
by sfodd » 7 Apr 2010 23:28
As others have said, an electronic lock has the issue of needing a backup mechanical lock, putting us back at square one of needing an open source mechanical lock.
IF you were able to create some sort of redundant electronics/battery backup to keep the system running as much as possible so you won't need a mechanical lock. The way I would attack the system would be to try to do a denial of service type attack on it. Cutting power, jamming radio frequencies, etc. Basically anything that would make the user regret they installed that system and turn it off for a simpler mechanical lock and hence bypassing it.
sfodd
- Posts: 23
- Joined: 31 Jul 2004 0:54
- Location: Western NY
by Evan » 12 Apr 2010 13:02
inverseentropy wrote:The reason for the complexity is to provide the combination of high security and ease of key management. I suspect that the simpler RFID systems don't use a separate code for each door, so it would be possible for example to dismantle one door and gain information needed to create a key for another door. An RFID card without a pushbutton on it also admits the possibility of opening a door though use of a directional antenna pointed at the card (and such things have been demonstrated). Many RFID schemes allow cards to be cloned through information that can be gained through a directional antenna. These attacks are really not all that far-fetched. Swipe cards aren't prone to such radio attacks but they have their own problems such as skimming. Also, it is not possible to share the same swipe card between doors owned by two different people in a secure way. Just like with mechanical locks, you get what you pay for. Also, this aims to be something that can be built by people at home using off-the-shelf components. Anything mass produced would be cheaper. Although RFID cards are cheap, the readers (chip only, no other circuitry) cost upwards of $35 each in quantities available to individuals. I don't think that anything useful could be made in the $20 price range: the cheapest of mass produced mechanical deadbolts approaches that price and the cheapest electromechanical device is, I believe, much more expensive (not including the electronics).
RFID systems use a central database of credentials where each door controller is given a unique address and a list of authorized credentials that can access it... There is no such thing as a "coded alike" electronic lock, each device has a unique internal code which allows for the logging of use at each device... Several individual door lock controller units can be grouped together into the same access level privilege group permission, yet in order to be able to log usage at a specific opening, each device is still uniquely identified within the system itself and doesn't share the same coding in the hardware as a keyed alike mechanical lock would... Credentials can be listed to allow access at all doors or only one door in a system... Stand alone systems are programmed with that list inside the lock... If you are that worried about someone snooping an RFID credential's code number, then construct an RF shielded man trap entry at the secured doorway where the credential holder can enter the outer door without using the credential and when the user presents the credential to the reader the outer door is closed and the man trap shielded... The ranges involved in snooping those codes aren't something that is done over a distance -- it is something that must be done up close and personal (within a few feet, not something done from hundreds of feet away)... Usually done by tampering with the reader head and adding something to or around it to record the signals... The RFID cards themselves cannot be "cloned" as they are programmed with certain unchangeable information when they are manufactured, yet you can "record" a card's code and "play it back" to the reader... Not using a CARD to access the door will look suspicious and attract attention in a facility with a true security plan in place, it would only be of use in a building where the access control on the door is being used as a magical solution in place of real security...
It is MUCH easier to duplicate a swipe card with an encoder which is readily available on the internet... Yet both of those things are rather difficult to set up and do in front of the protected door without attracting attention to yourself... As far as "it is not possible to share the same swipe card between doors owned by two different people in a secure way" you are obviously not as familiar with swipe card locks as you think you are... There are many ways this is possible but the inter-relationship between the two systems has to be planned for when they are initially designed and set up by both parties cooperating with each other... It is not something that can be mashed together at a later date without essentially reprogramming every lock and re-recoding every card in the access control system... Doing so is basically resetting all the devices in either one system or the other or both to accommodate the inter-relationship... The easiest way to do it involves one facility using one track on the mag strip and the other using a different one, that way each facility can do whatever it wants with their system without having to fully cooperate and share system information with the other... In fact when using different tracks, the locking devices used don't have to even be compatible with each other... inverseentropy wrote:The place I work at uses swipe cards, and each card reader has a wire that runs all the way to some centralized computer that authenticates the cards and tells the door to open or not open. That particular system is neither cheap nor secure because, if it is based on a certain system popular with universities, it uses no encryption and access to any one of the wires can potentially compromise every such door on campus. Also, it is a sort of "shared trust" model where a single administrator (or several) has control over the entire campus.
LOL... No, the wire runs from the reader head to the door controller cabinet which is usually less than 150' of wiring run away from the opening it is managing... In a typical system there are at least 4 wires running from each door to its controller: the credential reader connection, the lock release connection, the door position sensor and the request to exit circuit... More complicated systems can monitor key override cylinders and latch bolts to detect manipulation attempts and alert security personnel... The door controller is then networked to the system controller using a different communications connection protocol method and repeats the credential code and waits for a response from the central controller for go/no go on opening the door... Some more sophisticated systems are able to store credential codes for critical access in the door controller local memory for use in power-failure mode to allow security during the disruption to normal operations, some controllers will revert to allowing any credential with the correct "facility code" access when the connection to the system controller has failed -- that all depends on how the system was set up and what features it is capable of... How would someone attempting covert entry to an area protected by access control gain access to those wires which you say accessing one would make the whole system useless... Those wires are typically located INSIDE walls and ABOVE ceilings located within the protected space -- they aren't run along the floor to a wall outlet like LAN cables... As far as trying to tap into the reader head loop, most controllers out there have a tamper circuit option which will shut down the reader head and activate an alarm summoning personnel to come investigate what is going on with the door... Also I don't know where you are getting this "shared trust" model from but every access control system I have seen in the last ten years has been made up of compartments and levels of access... 
System Administrators can have system-wide access, or control over only one or two access points in a larger system... (I.E. Human Resources and Security personnel can control system-wide, but the Accounting Department secretary and manager can only add and delete users for their small group of access points...) ~~ Evan
Evan
- Posts: 1489
- Joined: 5 Apr 2010 17:09
- Location: Rhode Island
by inverseentropy » 14 Apr 2010 2:47
When I say "it is not possible to share the same swipe card between doors owned by two different people in a secure way" I mean something like the following: your employer owns one door and the other door is on your house or is owned by another employer. The same key is to be used for all doors. In this case the owners of the various doors do not trust each other. A swipe card does not work in this case because your employer (or rather the agent that installed the door for them) can read all information off of your card when you swipe it. They could then use that to make a copy of the card which will open the door on your house.
Another scenario would be a situation where various rooms of a building have different security levels. There are a hundred doors that are low security and are installed by untrusted civilian technicians. A dozen doors in the basement guard high security areas and must be installed by trusted technicians with security clearance. An employee has one key that can open all of the rooms they have permission to access. If a technician put bad stuff in one of the low security doors then the high security doors are not compromised.
This sort of deal is easy to accomplish using cryptographic techniques and can be implemented using $2 microcontrollers (plus the price of all the other parts like interfaces and motors). Something resembling RFID can be used to interface to the lock, but it would also be possible to just have a couple of electrical terminals (eg. nails) sticking out of the lock and interface using something like the Dallas 1-wire protocol (which also supplies power). A bit of isolation circuitry would be needed in case some joker decides to hook it to a tesla coil or something.
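The per-door isolation property inverseentropy describes in the last post (one fob for a hundred low-trust doors and a dozen high-trust ones, where tampering with a lobby door must not yield anything usable at the basement doors), as an added example that is not code from the thread. The post's own design gets this from the public-key enrollment step; this example shows a symmetric stand-in of my own choosing, so that it runs on the standard library: the fob holds a master secret that never leaves it and hands each door only a key derived from that secret and the door's identifier. The door identifiers, the derivation label and the constructed master secret are assumptions.

```python
"""Added example, not from the thread: per-door derived keys so that dumping
one door's memory reveals nothing that opens another door. The HMAC-based
derivation is a symmetric stand-in for the post's public-key enrollment;
identifiers and secrets below are constructed for the demo."""
import hashlib
import hmac
import os


def derive_door_key(master: bytes, door_id: bytes) -> bytes:
    """Per-door key. Going from this value back to the master, or sideways
    to another door's key, is as hard as inverting HMAC-SHA256."""
    return hmac.new(master, b"tosl-door-key:" + door_id, hashlib.sha256).digest()


def respond(door_key: bytes, nonce: bytes) -> bytes:
    """Challenge/response tag computed with a door-specific key."""
    return hmac.new(door_key, nonce, hashlib.sha256).digest()


class Fob:
    """Holds the master secret; only derived keys ever leave the fob."""

    def __init__(self, master: bytes = None):
        self.master = master or os.urandom(32)

    def key_for(self, door_id: bytes) -> bytes:
        return derive_door_key(self.master, door_id)

    def press(self, door_id: bytes, nonce: bytes) -> bytes:
        # door_id is the identity the door announced (what the post's
        # display shows the user before the second button press)
        return respond(self.key_for(door_id), nonce)


class Door:
    def __init__(self, door_id: bytes):
        self.door_id = door_id
        self.keys = {}  # fob name -> derived key; this is all a dump yields

    def enroll(self, fob_name: str, fob: Fob) -> None:
        # Enrollment runs over the administrator's trusted channel; the
        # door receives only the key derived for its own identifier.
        self.keys[fob_name] = fob.key_for(self.door_id)

    def admit(self, fob_name: str, nonce: bytes, tag: bytes) -> bool:
        k = self.keys.get(fob_name)
        return k is not None and hmac.compare_digest(respond(k, nonce), tag)


def simulate_compromise() -> dict:
    """A technician dumps the low-security lobby door and tries the
    recovered key against the basement door."""
    fob = Fob(b"\x11" * 32)                  # constructed master secret
    lobby = Door(b"lobby-12")
    vault = Door(b"basement-3")
    lobby.enroll("alice", fob)
    vault.enroll("alice", fob)
    stolen = lobby.keys["alice"]             # everything the lobby door knew
    nonce = b"\x00" * 16                     # constructed challenge
    return {
        "lobby_with_stolen_key": lobby.admit("alice", nonce, respond(stolen, nonce)),
        "vault_with_stolen_key": vault.admit("alice", nonce, respond(stolen, nonce)),
        "vault_with_real_fob": vault.admit("alice", nonce, fob.press(b"basement-3", nonce)),
    }
```

The stolen key still opens the door it was stolen from, which is why the post pairs this with logging and revocation: isolation limits the blast radius of a tampered door, it does not remove the need to notice the tampering. In the post's public-key version the same separation falls out naturally, since each door negotiates its own shared secret with the fob and never sees the fob's private key.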