TOSL Project. A community project to "build a better mousetrap".
by mh » 2 Sep 2008 16:03
Hello!
Welcome to the brand new "The Open Source Lock" (TOSL) section of LockPicking101.com!
(Click here to view the full TOSL section.)
In this forum, we can discuss everything about the TOSL project - a community project geared towards the development of a quality, high security lock - The Open Source Lock - the lock that has no secrets except the one that you will choose yourself.
"Open source" [1] essentially means everything will be well understood and tested: there will be no obscurity, hidden secrets or backdoors.
Together we will create a lock that will be tested by the world's best experts - you and the rest of the locksport and hacker communities - and it will be improved until it's so secure that no one but yourself can open it [2].
Together we will show that locksport is not only about proving that somebody else's lock designs are not secure (although I have to admit that's a lot of fun), but that we can also make something better.
The idea for this project is not new - we already discussed it in 2007 in this thread. In fact, TOWCH even made a first prototype.
This time, however, I really want to get the project started.
Let me explain which flavor of lock I'm looking for and why:
- A door lock that can be used as a replacement for standard deadbolts (in my part of the world that's a Euro cylinder lock). This means that the lock will actually be useful to many people, including those who I hope will contribute to the project, incl. locksport enthusiasts, but also cryptography experts, electronics wizards, software gurus, mechanical engineers, and the like.
- The lock would be quite strong [2] against destructive attacks. This is a no-brainer - the best anti-manipulation protection wouldn't mean much if it could be drilled open in 30 seconds. However, it's ok once it's as strong as the door it's mounted on. For the Euro cylinder version, a strong off-the-shelf pull-protected escutcheon plate will probably be useful.
- The lock would be completely secure against non-destructive attacks. This is of course the really difficult part and it's what makes the project so interesting to me.
No chance with picking, bumping, vibration, try-outs, decoding, magnets, x-raying, ultrasonic measuring etc. Not even in theory. In my opinion this leads automatically to:
- It would be electronic. Strong mechanics with a bump- / vibration- / magnet-proof electric actuator, and the unlocking decision would be made by software. Strong and well tested software that uses a strong and well tested cryptographic protocol to talk to the key.
There are also some nice options I was thinking of, like:
- A wireless key. These are simple to design these days; most hacker conferences nowadays use small wireless-enabled embedded systems as badges. It also makes the lock very secure against any type of electric high voltage attacks, because you can't reach the electronics from the outside.
- A powered thumb turn on the inside, operated by the wireless key. Very nice and comfortable. A small motor and a gear box should do the trick.
- A thumbturn on the outside in case the battery runs out. It could actually power the lock's electronics via a small electric generator, enough to check the wireless key, or a 20 digit secret code that you can dial on the outside thumbturn in case you lost the key, then couple the outside thumbturn to the deadbolt...
And more...
But that's only my favorite flavor of the lock, there could be a lot of different versions coming out of this project (e.g. at least one Euro cylinder version and one American deadbolt style version). The first thing we should do is agree on some specifications:
- which form factors (Euro style? American deadbolt?) should we look at?
- is the mechanics / electronics combination something you like to work on?
- if yes: what are the requirements for the cryptography part?
- what are the requirements for the mechanical part?
- which known limitations can we live with?
- are there any embedded hardware / software platforms you are experienced with and which you would recommend?
- ...
So this was my introduction to TOSL, now I'm curious about your ideas and opinions.
mh
[1] Wikipedia on Open Source: Open Source Software and Open Source Hardware
[2] Regarding destructive methods: Of course all locks can be destroyed eventually, but if you like, you will be able to build a version of The Open Source Lock that fulfills the highest insurance rating criteria, and that means an attacker would need quite a lot of time...
"The techs discovered that German locks were particularly difficult" - Robert Wallace, H. Keith Melton w. Henry R. Schlesinger, Spycraft: The secret history of the CIA's spytechs from communism to Al-Qaeda (New York: Dutton, 2008), p. 210
-
mh
- Moderator
-
- Posts: 2437
- Joined: 3 Mar 2006 4:32
- Location: Germany
-
by n2oah » 2 Sep 2008 16:54
mh wrote:The first thing we should do is agree on some specifications - which form factors (Euro style? American deadbolt?) should we look at?
- is the mechanics / electronics combination something you like to work on?
- if yes: what are the requirements for the cryptography part?
- what are the requirements for the mechanical part?
- which known limitations can we live with?
- are there any embedded hardware / software platforms you are experienced with and which you would recommend?
- ...
I really like the idea presented here. TOSL sounds like a lot of fun, and I'd be willing to help out in whatever way I can. I think we should start off using an American Deadbolt design, but maybe that's just my ethnocentrism speaking...
"Lockpicking is what robbing is all about!" says Jim King.
-
n2oah
-
- Posts: 3180
- Joined: 13 May 2005 22:03
- Location: Menomonie, WI, USA
-
by n2oah » 2 Sep 2008 16:57
Thanks for fixing that botched quote. 
"Lockpicking is what robbing is all about!" says Jim King.
by mh » 2 Sep 2008 17:01
BTW, the TOSL part of LP101 is not yet listed on the left navigation panel, so to get here again, you can
Cheers,
mh
"The techs discovered that German locks were particularly difficult" - Robert Wallace, H. Keith Melton w. Henry R. Schlesinger, Spycraft: The secret history of the CIA's spytechs from communism to Al-Qaeda (New York: Dutton, 2008), p. 210
by mitch.capper » 2 Sep 2008 18:13
First thing this makes me think of is the RKS, while certainly not an open source lock, the key is and it certainly has been developed with the community feedback for quite some time.
Now one of the biggest issues I think with the goals of the TOSL is the wireless/electronic locks are as follows:
The lock needs a battery, a lock outside for 20 years is going to have zero charge.
The key also needs a battery which can be an annoyance for users when that runs out too.
You talk about having an on-lock external generator or external entry pad but this is going to greatly increase your size requirements to do this without an interface that is super easy to break.
Aside from the whole battery issues with household locks you have the massive security issues with electronic locks. While certainly doing proper key authentication is possible, if done wrong you can instantly have a compromise of a large quantity of locks (look at the Mifare systems or RFID). Better encryption means more battery use.
So aside from these negatives that can come with electronic and wireless locks I do have some suggestions:)
Ability to work in the smallest form factors leaves you with two options:
A) Multiple form factors for the core system or
B) A form factor small enough to fit in them all.
This means KIK / Cam / Small Padlock (assuming you want to support these)
The RKS does this very nicely through a super small form factor that fits in the smallest systems it needs, in addition works well at retrofitting with a similar sidebar requirement to Medeco locks.
From the start make sure to think about the use of magnets, either blocking or not being affected by magnets (either as a bypass or to disable the lock from future use).
If electronic combination transmission is to be used some tips:
*A strong key size and algorithm
*Mutual authentication prior to key authentication
*Anti-Replay attacks
*Anti-MIM
Now ensuring you are only passing information to the lock is somewhat easy: using a public/private key system you can encrypt whatever information you are passing the lock with its public key to prevent anyone else from decrypting it. In addition, generally the systems use a randomly generated string that must be part of the message you encrypt to the lock (which it sends you when you want to connect) to ensure the same message couldn't be sent back to the lock and re-open it at a later date (must make sure that random nonce has enough variance you can't just capture all the possibilities for replay).
Now the trick is in ensuring the message the lock sends you gets to you. To do this the best solution is during the handshake you actually send a public key encrypted with the lock's public key to the lock so that when it responds it encrypts it with the key you passed (and signed the message).
In short you want to replicate SSL, although instead of using trusted cert chains the best solution is to have the individual approved certs stored on the key for each lock (but for a master keyed system chained certs could be useful).
Using a protocol similar to SSL is very good given the fact SSL is a time tested solution and some of the current libraries may be possible to use.
Also this will involve talking about some very sophisticated lock bypass techniques which is not quite normally non-advanced material.
Anyway just some initial notes:)
-
mitch.capper
- Supporter

-
- Posts: 208
- Joined: 18 Sep 2007 20:02
- Location: USA
-
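The nonce challenge and the "mutual authentication prior to key authentication" tip from the post above, as an added example that is not part of the original thread. It swaps the public-key encryption the post describes for a pre-shared secret with HMAC-SHA256 so that it runs on the Python standard library alone; the class names, IDs and message layout are assumptions, and relay (man-in-the-middle) resistance is not covered.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16  # 128-bit nonces: far too many values to pre-capture for replay

def tag(secret, role, *fields):
    """HMAC-SHA256 over a direction label and length-prefixed fields."""
    mac = hmac.new(secret, role, hashlib.sha256)
    for f in fields:
        mac.update(len(f).to_bytes(2, "big") + f)
    return mac.digest()

class Lock:
    def __init__(self, lock_id, enrolled):
        self.lock_id, self.enrolled = lock_id, enrolled  # enrolled: key_id -> secret
        self.pending = {}  # key_id -> (key_nonce, lock_nonce) awaiting a response

    def hello(self, key_id, key_nonce):
        """Prove the lock's identity over the key's nonce, then challenge the key."""
        secret = self.enrolled.get(key_id)
        if secret is None or len(key_nonce) != NONCE_LEN:
            return None
        lock_nonce = secrets.token_bytes(NONCE_LEN)
        self.pending[key_id] = (key_nonce, lock_nonce)
        proof = tag(secret, b"lock", self.lock_id, key_id, key_nonce, lock_nonce)
        return lock_nonce, proof

    def open_request(self, key_id, response):
        """Each challenge is consumed on first use, so a recording cannot be replayed."""
        nonces = self.pending.pop(key_id, None)
        if nonces is None:
            return False
        expected = tag(self.enrolled[key_id], b"key", self.lock_id, key_id, *nonces)
        return hmac.compare_digest(expected, response)

class Key:
    def __init__(self, key_id, secrets_by_lock):
        self.key_id, self.secrets_by_lock = key_id, secrets_by_lock

    def start(self):
        self.nonce = secrets.token_bytes(NONCE_LEN)
        return self.key_id, self.nonce

    def respond(self, lock_id, lock_nonce, proof):
        """Answer the challenge only after the lock has authenticated itself."""
        fields = (lock_id, self.key_id, self.nonce, lock_nonce)
        secret = self.secrets_by_lock.get(lock_id)
        if secret is None or not hmac.compare_digest(tag(secret, b"lock", *fields), proof):
            return None
        return tag(secret, b"key", *fields)

def demo():
    secret = secrets.token_bytes(32)  # constructed sample secret and IDs
    lock = Lock(b"front-door", {b"key-1": secret})
    key = Key(b"key-1", {b"front-door": secret})
    lock_nonce, proof = lock.hello(*key.start())
    response = key.respond(lock.lock_id, lock_nonce, proof)
    return lock.open_request(b"key-1", response), lock.open_request(b"key-1", response)
```

`demo()` returns the result of a genuine open followed by a replay of the same response against the already-consumed challenge.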
by digital_blue » 2 Sep 2008 19:03
In the interest of spit-balling a bit, here are some thoughts I have regarding this project:
Along the way, there will almost certainly be great ideas generated that don't fit the project exactly. As a result, a variety of "forks" of design and mechanism will likely emerge. It might be wise to, from the very beginning, plan for those forks and have a system in place to allow the project to carry on down several forks simultaneously.
For instance, personally, I would be far more interested in pursuing designs that are purely or primarily mechanical in nature. Electronic systems have never been a real "hot button" for me. Also, my vision of the "end goal" of a project such as TOSL would probably be to design a competent High Security (ANSI/UL-rated) lock that is also highly affordable to the end consumer, along with being as close to pick-/bump-proof as can be obtained (read: as good or better than anything currently available in mechanical locks). However, the project as it is laid out is not exactly geared toward that end goal, which is fine since it's not "my" project.
But nonetheless, it seems likely that an undertaking like this has the ability to generate all sorts of ideas and perhaps feed more than one fork at the same time, all the while allowing "a little something for everyone" who is interested in participating.
At the moment, and without giving it a whole lot of thought, I'm not exactly sure what the system might look like that would allow for such divergence from the "main plot", but I would possibly propose something like this: If a new branch is to be forged, it is done so by way of a formal document (post) outlining the scope of the new fork.
Something like that.
Discuss. 

-
digital_blue
- Admin Emeritus
-
- Posts: 9974
- Joined: 6 Jan 2005 15:16
- Location: Manitoba
-
by mh » 2 Sep 2008 23:35
Wow, you guys are much faster with good ideas than I expected.
I tried to edit this a bit and copied your first comments to the "Brainstorming:" threads, hoping that new readers will be able to browse through everything a bit more easily.
Cheers,
mh
"The techs discovered that German locks were particularly difficult" - Robert Wallace, H. Keith Melton w. Henry R. Schlesinger, Spycraft: The secret history of the CIA's spytechs from communism to Al-Qaeda (New York: Dutton, 2008), p. 210
by globallockytoo » 3 Sep 2008 1:01
Interesting thread.
I personally think that the idea has excellent merits, although perhaps concentrating on cylinders only, rather than the complete lock mechanism, might make the project more widely scoped.
Designing a high security cylinder that is adaptable to the variations of manufacturers already out there, would enable multiple manufacturers' products to be keyed together.
Also, this way, there would not be the need to engineer a new complete lock, but adapt the cylinder (which we are all interested in anyway) to cross over the wide divides, worldwide.
One One was a race horse, one one won one race, one two was a racehorse, one two won one too.
Disclaimer: Do not pull tag off mattress. Not responsible for legal advice while laughing. Bilock - The Original True Bump Proof Pin Tumbler System!
-
globallockytoo
-
- Posts: 2269
- Joined: 26 Jul 2006 13:33
by digital_blue » 3 Sep 2008 19:37
globallockytoo wrote:Interesting thread.
I personally think that the idea has excellent merits, although perhaps concentrating on cylinders only, rather than the complete lock mechanism, might make the project more widely scoped.
Designing a high security cylinder that is adaptable to the variations of manufacturers already out there, would enable multiple manufacturers' products to be keyed together.
Also, this way, there would not be the need to engineer a new complete lock, but adapt the cylinder (which we are all interested in anyway) to cross over the wide divides, worldwide.
+1
I'm digital_blue and I approve of this message.  Seriously though, I think global hit the nail on the head. A cylinder (or cylinders if you wish to accommodate the various North American and Euro standards) designed to replace existing technology would be infinitely practical and, in my ever-so-humble opinion, stands the greatest chance of seeing the light of day in terms of a viable ready-for-market product.
It's probably the greatest need that I see out there, as far as anything this project could hope to fill.
That's my 2c on the matter, at any rate.
db

by greyman » 22 Sep 2008 16:27
mh wrote:Hello! Welcome to the brand new "The Open Source Lock" (TOSL) section of LockPicking101.com! The lock would be completely secure against non-destructive attacks. This is of course the really difficult part and it's what makes the project so interesting to me. No chance with picking, bumping, vibration, try-outs, decoding, magnets, x-raying, ultrasonic measuring etc. Not even in theory. And more... But that's only my favorite flavor of the lock, there could be a lot of different versions coming out of this project (e.g. at least one Euro cylinder version and one American deadbolt style version). The first thing we should do is agree on some specifications [...] So this was my introduction to TOSL, now I'm curious about your ideas and opinions. mh
MH - maybe this is being just a bit ambitious. There is no such thing as *completely secure against ND attacks*. If it can be opened by a key, there is always some chance that someone can happen across the right key by some other method. 10,000+ patents claiming the "pickproof" lock are my witness.

-
greyman
-
- Posts: 1026
- Joined: 21 Mar 2005 16:43
- Location: NSW, Australia
by mh » 22 Sep 2008 16:37
greyman wrote:MH - maybe this is being just a bit ambitious. There is no such thing as *completely secure against ND attacks*. If it can be opened by a key, there is always some chance that someone can happen across the right key by some other method. 10,000+ patents claiming the "pickproof" lock are my witness.
With all due respect, I do believe that electronic security can be designed 100% secure.
That does not mean that there is 0 chance that someone can simply guess the correct key with a limited number of tries within her/his lifetime, but that would be acceptable IMHO. All the other methods like hacking, magnets, vibrations, etc. can be prevented.
It will be very difficult, and that's why we need the intellectual power that can be found in an open source project.
Cheers,
mh
P.S. Hope to see you in Sneek 
"The techs discovered that German locks were particularly difficult" - Robert Wallace, H. Keith Melton w. Henry R. Schlesinger, Spycraft: The secret history of the CIA's spytechs from communism to Al-Qaeda (New York: Dutton, 2008), p. 210
by greyman » 23 Sep 2008 3:26
mh - fair enough. We are just differing on our definition of 100% secure. To me that means zero probability of guessing/arriving at the right combination. If you want, we can define it as an arbitrarily small probability of being cracked or something. I think it's an important difference, but maybe that is just splitting hairs. Let's move on with the project 
by Arcturus » 23 Sep 2008 11:10
So is there any consensus on whether this lock should be strictly electronic or electromechanical hybrids? I know the lock industry is slowly migrating toward fully electronic solutions, but there still seems to be strong interest in continuing the mechanical tradition (i.e. RKS et al.).
Didn't Barry Wels once mention that he would like to see mechanical locks become obsolete? Personally, I would love mechanical locks to become even more innovative, sophisticated, and most importantly, secure. However, my analytical side and simple economics agree with Barry. Electronic keys will move center stage as the leading solution for our future security needs.
-
Arcturus
-
- Posts: 16
- Joined: 21 Sep 2008 8:08
by NKT » 7 Oct 2008 18:45
Interesting topic.
The X-09 is as close to a perfect lock as you can currently get. But there is simply no hope of making something like that as a cheap, open-source lock for the masses! It just isn't going to happen. In fact, getting a fine electronic lock off the page is incredibly unlikely. I'd not bother with it, because electronics are a bit of a black art - sure, I know it to degree level, but actually fabbing a custom chip to work your "perfect" lock?!? Perhaps not. (And don't say "Use a PIC" or whatever, because that would be trivially switched, and interrogated, and replaced with the one great flaw that all electronics has - no sureness that there is no backdoor!)
I vote for mechanical or "mostly mechanical" with a secure physical key and (perhaps) an electronic part.
For form factor, for home people to copy, it will have to be a Euro or a Rim Cylinder, the rim cylinder giving a lot more room to play with, at up to 30mm in diameter, rather than the tighter confines of a euro.
Loading pithy, witty comment in 3... 2... 1...
-
NKT
-
- Posts: 1273
- Joined: 13 Feb 2005 16:35
- Location: West Mercia, England
-
by globallockytoo » 7 Oct 2008 22:41
I see where you are heading with this. Although in all practicality, I see the future locking systems for doors being more about biometrics than mechanical.
If you remember the movie Back To The Future III, the house in Hilldale of the future had an entry that was activated by a biometric signature. No physical keyhole as such would make an attempt at covert entry virtually impossible.
Walk up to door...sensor recognizes you by your unique biometric signature and automatically opens to touch. This eradicates the need for keys of any type completely.
I believe this will be the wave of the future...that will eventually replace all mechanical key type cylinders. It might take 100 years or more, but I think that it will be the truest form of physical security protection for entry systems.
One One was a race horse, one one won one race, one two was a racehorse, one two won one too.
Disclaimer: Do not pull tag off mattress. Not responsible for legal advice while laughing. Bilock - The Original True Bump Proof Pin Tumbler System!