Lock Picking 101 Forum
A community dedicated to the fun and ethical hobby of lock picking.
       

Electronic lock idea

TOSL Project. A community project to "build a better mousetrap".

Electronic lock idea

Postby jonwil » 3 Jan 2010 23:45

Here is a proposal for an electronic lock.
The key consists of a low power microcontroller based on the ATMEL AVR platform. It will use the V-USB library to provide USB without an external chip and once programmed with the key software, the lock bits will be set to prevent read back. The key then goes into a small case similar to that used for a USB thumb drive. USB is used as it is cheap and readily available.

The lock consists of another low power AVR chip connected to a USB host chip and a power supply (with battery backup in case the mains power goes out). Like the keys, the lock AVR is removable for reprogramming with new data and has the lock bits set to prevent read back. If time limits are desired, you would add a simple Real-time-clock chip to the design. The locking mechanism itself would be an electric strike or electric bolt.

In addition to this, a simple cheap AVR programmer is required that connects to a PC to program the keys and lock.

The key data in this system consists of 2 randomly generated 32 bit numbers: the first is the serial number (identifies the device) and the second is the key (used for authentication).

When you insert the key into the USB port, what happens is this:
1. The lock sends a request to the key over USB asking for the serial number
2. The key sends the lock the serial number
3. The lock uses the serial number to read the relevant record in the database. It can then (if the feature is implemented) verify access time limits (e.g. "this key can only access the lock at certain times of the day"), and log the access (if it's required).
4. The lock then generates a random challenge number
5. This random challenge number is sent to the key
6. Both the key and the lock perform the function response = f(key,challenge) where f is a function such that given "response" and "challenge" you cannot derive "key" except through brute force (my math fu isn't up to the task of finding a simple challenge)

Advantages of this lock over mechanical locks (including high security mechanical locks or combination locks) and over other electronic locks:
1. Unlike key fob locks like most modern cars use, the "key" requires no batteries or power source (it draws power from the lock over USB)

2. Unlike mechanical locks, it would allow for logging, time limits and other similar features (e.g. you could set it so that keys used by your teenage kids won't work after a certain time at night so they can't get back in with their key if they sneak out or stay out too late and have to ask for the parents to let them in or e.g. if you have a house cleaner, you could only let them in at the time they are supposed to come and clean)

3. Unlike RFID card type solutions it would not require proprietary SDKs or limit you to one source for the cards.

4. It is completely resistant to bumping, picking, impressioning, manipulation, drilling and most other physical attacks (unless you were able to somehow compromise the door and gain access to the wires leading to the electric bolt/strike and then send an "unlock" signal that is)

5. Even if you had a valid key there are only 2 ways to make a copy. The first is to have access to a chip lab, decap the key and read the contents of the secure MCU (which destroys the MCU in the process) and the second is to brute-force a large number (which is not really possible). A number of commercial electronic locks have been compromised such that it's possible to read key material from the key/key-card/whatever and to make a copy without damaging the original. Because this is an open source solution it is trivial to load new software and reprogram all the keys should the algorithms used be compromised. Even having full access to the lock won't allow you to mess with it again due to the lock bits, you need access to the host PC and programmer to reprogram the lock (how you keep the PC and software secure is outside of the scope of this description)

6. Because of #5 above, key control is simple and there is no way for unauthorized copies of the key to be made.

7. Unlike mechanical locks, there are no moving parts except the actual electric locking mechanism (strike or bolt). There is no risk of parts jamming up or requiring lubrication as is the case with mechanical locks.

8. Should a key be lost or stolen (or even say a key issued to a tradesman or cleaner who is no longer allowed access), it is simple to revoke it whilst allowing all other keys to keep working (unlike mechanical locks where you generally have to re-key or replace the lock and issue new keys to everyone)

9. It is easy to support multiple locks, master keys and any combination you like. Any given key can be set to open any lock or locks you like and can be changed easily. No need to have multiple keys (e.g. one for the main entrance of the building, one for shared areas like laundry rooms or swimming pools and one for your apartment)

10. Because this is electronic, the system is adaptable. It doesn't have to trigger an electric strike or bolt, it can activate other things (e.g. activate a washing machine in an apartment building laundry or be used as a pass key to access a PC, with the PC running software and drivers to talk to the lock and verify access)

11. Unlike many high security mechanical locks, you don't need to go back to one of the few locksmiths approved by the manufacturer in order to get new keys cut nor do you have to worry that someone with a legit key will somehow convince such a locksmith to make a copy for them (forged authorization for example)

To answer possible criticism of this system:
To cover key loss, you just give spare keys to your neighbors or friends (same as you might do with a mechanical key)

If the power goes out, the backup battery will kick in and provide power until the mains power comes back on. Access could even be granted to the backup battery from the outside of the lock (so if it's failed, you can go to the nearest store and buy a replacement and replace it all without needing access to the inside of the lock)
jonwil
 
Posts: 26
Joined: 3 Jun 2009 0:42
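
The exchange in steps 1 to 6 of the post above, simulated on a PC as an added example; it is not code from the post or from the TOSL project. HMAC-SHA256 stands in for the unspecified f, and the class names, the constructed serial numbers and the 128-bit secret and challenge sizes are assumptions of this example (a 32-bit secret can be searched exhaustively from a single observed challenge and response, so a longer one is used).

```python
import hashlib
import hmac
import secrets

SECRET_BYTES = 16     # assumption: 128-bit secret instead of the post's 32-bit key
CHALLENGE_BYTES = 16  # assumption: 128-bit random challenge

def f(secret: bytes, challenge: bytes) -> bytes:
    """response = f(key, challenge); HMAC-SHA256 is this example's choice."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()

class Key:
    """Key device: the secret stays inside, only serial and responses leave."""
    def __init__(self, serial: int, secret: bytes):
        self.serial, self._secret = serial, secret

    def respond(self, challenge: bytes) -> bytes:
        return f(self._secret, challenge)

class ReplayingKey:
    """Test double: answers every challenge with one recorded response."""
    def __init__(self, serial: int, recorded: bytes):
        self.serial, self._recorded = serial, recorded

    def respond(self, challenge: bytes) -> bytes:
        return self._recorded

class Lock:
    def __init__(self):
        self.db = {}    # serial -> secret (the lock's key database)
        self.log = []   # (serial, outcome) audit trail

    def try_open(self, key) -> bool:
        serial = key.serial                               # steps 1-2
        secret = self.db.get(serial)                      # step 3
        if secret is None:
            self.log.append((serial, "unknown or revoked"))
            return False
        challenge = secrets.token_bytes(CHALLENGE_BYTES)  # step 4
        response = key.respond(challenge)                 # steps 5-6, key side
        ok = hmac.compare_digest(response, f(secret, challenge))  # lock side
        self.log.append((serial, "granted" if ok else "bad response"))
        return ok

def demo():
    """Constructed scenario: two enrolled keys, one later revoked."""
    lock = Lock()
    owner_secret = secrets.token_bytes(SECRET_BYTES)
    cleaner_secret = secrets.token_bytes(SECRET_BYTES)
    lock.db = {0x1A2B3C4D: owner_secret, 0x5E6F7081: cleaner_secret}
    owner = Key(0x1A2B3C4D, owner_secret)
    old_response = owner.respond(secrets.token_bytes(CHALLENGE_BYTES))
    results = {
        "owner": lock.try_open(owner),
        "wrong_secret": lock.try_open(Key(0x1A2B3C4D, secrets.token_bytes(SECRET_BYTES))),
        "replayed_response": lock.try_open(ReplayingKey(0x1A2B3C4D, old_response)),
    }
    del lock.db[0x5E6F7081]                               # revoke the cleaner's key
    results["revoked"] = lock.try_open(Key(0x5E6F7081, cleaner_secret))
    results["owner_after_revoke"] = lock.try_open(owner)
    return results, lock.log

if __name__ == "__main__":
    print(demo())
```

Because the lock draws a fresh challenge for every insertion, a response captured from an earlier session does not verify again, and removing one serial from the database leaves every other key working.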

Re: Electronic lock idea

Postby inverseentropy » 4 Jan 2010 2:03

Sounds good. One thing: if both the key and the door are just microcontrollers there is no reason to use USB to talk between them. A simple 5 volt serial interface would require no parts at all - just wire it straight from one chip to the other, two power and two communication wires needed. There also needs to be worked out some way that the owner can grant access to new keys (or revoke access) without allowing any unauthorized people to do the same. Perhaps when the owner's key is inserted an auxiliary port on the door becomes active.
inverseentropy
 
Posts: 44
Joined: 26 Nov 2009 3:08
Location: Pittsburgh, PA

Re: Electronic lock idea

Postby jonwil » 4 Jan 2010 2:38

I picked USB because it's universal and easy to find plugs/sockets for and is less likely to be easily damaged. Also, using USB allows you to use the key with PCs as an access token too. And there exist libraries for AVR chips that can allow them to do USB with no extra chip.

As for revocation and new keys, the way it works is that you simply reprogram the lock microprocessor with the programmer. The PC software will combine the compiled MCU code for the lock with the lock data including the keys and then program the results to the lock MCU.
Anyone with access to the lock MCU and a programmer can reprogram it but they won't have the right data file (with all the existing keys in it). Because the security bits have been set, they cannot read the contents out of the lock MCU, only erase it.
Or if having to remove the lock MCU to reprogram it each time is too difficult, you could build an in-circuit-programmer such that you plug something into a USB port on the device with new programming for the lock MCU (without the right configs you won't be able to produce the correct data for the MCU).

Either way, you need the config file with all the valid keys and settings in it in order to generate the correct programming for the MCU.

Keeping the configs and data files for the lock (with the keys in it) secret is a matter of computer security and is outside the scope of my idea.
jonwil
 
Posts: 26
Joined: 3 Jun 2009 0:42

Re: Electronic lock idea

Postby Josh K » 4 Jan 2010 16:11

I'll give you props for thinking about AVR chips and USB. 8)
Josh K
 
Posts: 555
Joined: 9 Dec 2009 22:32
Location: New York City

Re: Electronic lock idea

Postby globallockytoo » 4 Jan 2010 22:53

I agree with the USB theory too.

Have you seen or heard of CyberLock by Videx?

http://www.videx.com/CyberLock/CyberLock.html
One One was a race horse, one one won one race, one two was a racehorse, one two won one too.

Disclaimer: Do not pull tag off mattress. Not responsible for legal advice while laughing.
Bilock - The Original True Bump Proof Pin Tumbler System!
globallockytoo
 
Posts: 2269
Joined: 26 Jul 2006 13:33

Re: Electronic lock idea

Postby jonwil » 5 Jan 2010 0:23

That's a neat idea although you are locked into buying CyberLock products in the future.

My idea is something that's open source so anyone can extend it and add new features :)
jonwil
 
Posts: 26
Joined: 3 Jun 2009 0:42

Re: Electronic lock idea

Postby inverseentropy » 5 Jan 2010 0:46

The interesting thing about the CyberLock is that the batteries in the key power the lock, not the other way around. Quite a different way of going about it. They also mention that the keys know which locks they can open and when, which seems backwards to me. It seems like the locks should know which keys they accept and when! Also, I couldn't find anything on their site saying how the protocol works (I didn't even see a mention of whether encryption is used). This is really the advantage of an open source lock - you know that tons of experts are able to take a look at it. A closed source system can just go with whatever is cheapest and hope that nobody figures out how easy it is to break.
inverseentropy
 
Posts: 44
Joined: 26 Nov 2009 3:08
Location: Pittsburgh, PA

Re: Electronic lock idea

Postby sfodd » 7 Apr 2010 23:57

The issue I see with this is that there are several ways to read the flash memory (where the keys would be stored on the AVR chip) and simply copy the key. Since it's an open source system I would know exactly where the keys would be stored then I could overwrite part of the flash memory with my own program that reads off the keys to me, then I can rewrite the original code back and return your key and you would be none the wiser. Now if you tried to use some sort of secure off chip storage for the keys that required more money and complexity and there's a series of more attacks one could perform on it. I could rewrite the code again and ask it to read the keys from the secure storage, same as before, and there are others I can think of off the top of my head. Now IF you can securely store the keys and keep me out of your code there are side channel attacks, such as differential power analysis, to recover the keys. Protecting against these attacks is mind bogglingly hard.
sfodd
 
Posts: 23
Joined: 31 Jul 2004 0:54
Location: Western NY

Re: Electronic lock idea

Postby inverseentropy » 14 Apr 2010 2:54

sfodd: Some microcontrollers have "secure" features in which neither the data nor code memory can be read or written without physically cracking open the chip (which can be done, even by advanced hobbyists, but is certainly not easy). There is however a way that protocol can be used to prevent key copying. The key and door can negotiate a change of passcode upon every use. This could be something as simple as the door generating a random number and telling the key "use this number next time". If a key is copied then both copies will work, but as soon as one of them is used the other key no longer is in sync and won't work anymore.
inverseentropy
 
Posts: 44
Joined: 26 Nov 2009 3:08
Location: Pittsburgh, PA
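
The rolling passcode described in the post above, as an added example that is not part of the original thread. The class names, the constructed serial number, the 16-byte passcode and the eight-entry history are assumptions of this example, and the door additionally raises an alert when it sees a passcode it has already consumed, which the post does not mention.

```python
import hmac
import secrets
from collections import deque

PASSCODE_BYTES = 16   # assumption: size of the rolling passcode
HISTORY = 8           # assumption: how many used passcodes the door remembers

class RollingKey:
    def __init__(self, serial: int, passcode: bytes):
        self.serial, self.passcode = serial, passcode

    def copy(self):
        """Models a bit-for-bit duplicate of the key's memory."""
        return RollingKey(self.serial, self.passcode)

class Door:
    def __init__(self):
        self.expected = {}   # serial -> passcode the door will accept next
        self.used = {}       # serial -> recently consumed passcodes
        self.alerts = []

    def enroll(self, serial: int) -> RollingKey:
        code = secrets.token_bytes(PASSCODE_BYTES)
        self.expected[serial] = code
        self.used[serial] = deque(maxlen=HISTORY)
        return RollingKey(serial, code)

    def present(self, key: RollingKey) -> bool:
        expected = self.expected.get(key.serial)
        if expected is None:
            return False
        if hmac.compare_digest(key.passcode, expected):
            self.used[key.serial].append(expected)
            fresh = secrets.token_bytes(PASSCODE_BYTES)
            self.expected[key.serial] = fresh
            key.passcode = fresh          # "use this number next time"
            return True
        if any(hmac.compare_digest(key.passcode, old)
               for old in self.used[key.serial]):
            # A passcode that was valid earlier means two devices shared it.
            self.alerts.append((key.serial, "stale passcode, possible copy"))
        return False

def demo(copy_first: bool):
    """Constructed scenario: one enrolled key and one duplicate of it."""
    door = Door()
    original = door.enroll(0x0000002A)
    duplicate = original.copy()
    a, b = (duplicate, original) if copy_first else (original, duplicate)
    # Whichever device is used first stays in sync; the other is rejected.
    return door.present(a), door.present(b), door.present(a), list(door.alerts)

if __name__ == "__main__":
    print(demo(copy_first=False))
    print(demo(copy_first=True))
```

When the duplicate is used first, the owner's own key is the one that is rejected, and the alert entry tells the owner that a second device held the same passcode.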

Re: Electronic lock idea

Postby globallockytoo » 14 Apr 2010 3:14

While I can appreciate the desire to build better access control locking systems, especially electronic controlled products, I still think that IC core or Bilock QCC with a camera built into the overhead frame or trim plate activated by a toggle or depress switch, sending a time/dated picture of the user back to a hard drive, would be considerably cheaper to secure and manage and require less maintenance than many fully electronic systems.

I think that using a non-powered option that is secure and easily field changeable might be considered a greener option that is also more cost effective, long term.
globallockytoo
 
Posts: 2269
Joined: 26 Jul 2006 13:33

Re: Electronic lock idea

Postby jwhou » 21 Apr 2010 0:25

Why not just have an RFID circuit respond to a challenge response interaction when energized in an excitation field? Having the ports for a USB key means you could apply voltage sufficient to damage the electronics and the passive nature of a storage medium means it could be easily duplicated by just having the communication monitored either directly or by tempest.
jwhou
 
Posts: 55
Joined: 14 Apr 2010 21:55

Re: Electronic lock idea

Postby jonwil » 22 Apr 2010 8:41

jwhou wrote: Why not just have an RFID circuit respond to a challenge response interaction when energized in an excitation field? Having the ports for a USB key means you could apply voltage sufficient to damage the electronics and the passive nature of a storage medium means it could be easily duplicated by just having the communication monitored either directly or by tempest.

The point of my idea is that it's not just a storage device, it's an MCU you can't get information out of without decapping the chip (big $$$ required there).
jonwil
 
Posts: 26
Joined: 3 Jun 2009 0:42

Re: Electronic lock idea

Postby peterwn » 28 Aug 2010 22:41

New Zealand Post use Cyberlocks on mail boxes. They used Abloy but there was a continuing problem with lost keys and consequently mail being stolen. Re-keying cost appeared to be ruinous and probably would have been even with Bilock Q core. There are no available power sources for the locks and all lock programming would be via the keyhole. The boxes would always be openable but the courier keys (issued to owner-drivers) would be programmed to fit the boxes on the required round and not operable until the advertised clearance time.

Both locks and keys contain an audit trail, the latter one being routinely checked to make sure all boxes on round were opened and cleared. This would have been an economic benefit to justify the cost of the locks.

Even so, they must have been desperate to adopt the Cyberlock solution instead of sticking to Abloy (changing out the whole lock would not take that much longer than changing a core) or using Bilock Q core.
peterwn
 
Posts: 161
Joined: 22 Aug 2010 23:31

Re: Electronic lock idea

Postby jonwil » 20 Oct 2010 2:48

The point of the "open source lock" discussion is to discuss locks that can be built using off-the-shelf parts and tools (or parts and tools you fabricate yourself) without the need for proprietary SDKs and components.

Thinking further about this idea, one feature that could be added is an ethernet jack (or wireless of some kind) to allow remote control of the lock from anywhere by entering a password to lock/unlock the door into a web page on a secure server. Would be great for tradespeople (no need to be home for the plumber, just have them call you when they get there and you can open the lock for them and close it when they leave) as well as kids who lose their key and can't get in. Could also support notifications where it will notify you via email (or SMS if you build in a cell data modem or find an internet-to-SMS gateway) any time a particular key is used. (good if you want to be sure the kids came home at the time they said they would)

Also with my system it would be impossible to lock the door from the outside without inserting a valid key, therefore it's impossible to accidentally lock yourself out.

RFID cards are in no way secure, there are examples where RFID cards have been hacked and copied (including RFID cards used for building entry).

For holding the door closed you could either use an electric strike plate or a magnetic lock, thus eliminating the need for an electrically operated bolt. (both items are available off the shelf from any number of vendors)

The design I have in mind for this lock creates a system with the following properties:
1. Impossible to copy the key without destroying it (and even then, you need a very fancy set up in order to decap a modern MCU and read the contents)
2. The hardware and software would be 100% open (no "security through obscurity" like some vendors of electronic locks like to use) and easy to replace if you wanted to change things.
3. Requires no batteries in the key. The lock would run off mains power with battery backup for when the power is out.
4. Easy to disable keys anytime you need to. Kicked an ex (or room mate or anyone else) out of your house and don't want them to return? Just disable their key.
5. Easy to add new features to and to expand. Could add a feature whereby the same keys open the front door, back door, garage entrance door and other doors. Could also support time locking (e.g. lock out the key of a teenager who is always sneaking out at night so it only works during the day)
6. Could also (assuming the interface between the key and lock were designed right) use the keys as authentication devices for other things. For example you could build a device that the keys plug into which sits between a TV set or PC or games console and the wall outlet. Kid wants to watch TV? They plug their key into the TV box and that activates the TV (with either set hours they can watch it or time limits on how much they can watch).
Could also link it into home automation (another area with active hacker activity). Insert your key into the lock and not only does the door open but the lights in the front room turn on if the detector detects that it's dark and the air conditioner or heater turns on if the temperature is outside the desired range.

Is my idea as well-refined or as compact as a commercial electronic lock? No, it's not. But it is 100% open (which is the goal of "the open source lock") and can be expanded in ways many commercial electronic locks can't.

In fact, the "key" in this system isn't really a key at all. It's a small secure electronic device capable of talking to whatever gizmo you choose to build that can talk to it and support the right authentication.
jonwil
 
Posts: 26
Joined: 3 Jun 2009 0:42

Re: Electronic lock idea

Postby vov35 » 20 Oct 2010 14:46

So some moron like me comes along and decides to break through this lock. I take a high voltage DC supply to the power pins, completely rape the microcontroller denying you access, short through your power transistor/relay, and subsequently force your latch open. Bear in mind that the current involved isn't very large at all.
wat do.
The BiLock isn't the first bump proof pin tumbler because it isn't a pin tumbler.
And it's called a shear line, not a "sheerline".
vov35
 
Posts: 229
Joined: 29 Sep 2010 15:13
