Information about locks themselves. Questions, tips and lock diagram information should be posted here.
by Hippo_vibrations » 14 Aug 2019 2:49
So, many of the places I've worked in have had private or shared locked offices with the maintenance people having a master key. The quality of the locks has varied, but as far as I can tell from an external assessment, the locks themselves could have been dismantled after having access to any key that opened them. For various, including legal, reasons I never actually started to dismantle office door locks, but the following avenue of attack did spring to mind: I could, in theory, stay at the office a bit late, wait until everyone leaves and quickly dismantle the door lock. Even though many of the more high-sec locks are complicated and picking them is a fine art, their mechanical operation is kinda straightforward; in particular, if I know the cuts on my own non-master key and see the parts of the lock spread out in front of me, I should be able to deduce at least one type of master key. (Of course, there could be several different types of master keys for possibly overlapping collections of doors, but unless the number of different master keys is big, this should narrow down the options to a testable size.) Now I just go to my metal workshop and produce a master key (or several possible variants) and so I've possibly gained access to several places in the building that share a master key with my office.
I know that some keys, like the Abloy Protec 2 with its ball bearing, are complicated to manufacture in a home shop due to moving parts or the very high precision required, but I'm interested to know which (non-electric) lock systems make this outright impossible? E.g. by making the lock casing open only with a special "dismantling master key"?
"Information theory 101," the boy said in a lecturing tone. "Observing variable X conveys information about variable Y, if and only if the possible values of X have different probabilities given different states of Y." - HPMOR.com
Hippo_vibrations
- Posts: 35
- Joined: 26 Nov 2018 2:26
- Location: Finland
by demux » 14 Aug 2019 10:42
What you're thinking of would be a removable or interchangeable core solution. Several manufacturers make them in various formats. SFIC (Best-style) is quite common in large commercial facilities here in the States, but there are also formats made by Corbin-Russwin, Sargent, Yale, Schlage, BiLock, to name a few. With these types of locks a special control key is required to remove the actual core from the housing in order to access the pins. Not that these make disassembly impossible, as there are certain destructive means that could work, and in some cases it's quite easy to produce a working control key from a working change key, but they do raise the bar significantly to be able to decode other keys from the pin stacks.
demux
- Posts: 510
- Joined: 27 Apr 2017 11:14
- Location: Indiana, USA
by femurat » 14 Aug 2019 21:14
Search "privilege escalation master key". Cheers
femurat
- Site Admin
- Posts: 3745
- Joined: 22 Sep 2008 9:06
- Location: Italy
by jwrm22 » 15 Aug 2019 6:39
It's hard if not impossible to protect against the attack described. The paper by Matt Blaze as mentioned by femurat is a good start.
Jos Weyers did a talk at OzSecCon about impressioning a MKS. In practice you'll only need a few doors/locks to beat the MKS.
Making it hard to disassemble might be the way to go, for instance with tamper detection. But as long as it has keys you can break the system. Digital locks have different problems like contactless key copying.
jwrm22
- Posts: 137
- Joined: 26 Sep 2017 12:27
by Hippo_vibrations » 15 Aug 2019 7:17
Thanks, all y'all, for the input and comments! Getting specific keywords and names is a tremendous help to googling and other information searching.
"Information theory 101," the boy said in a lecturing tone. "Observing variable X conveys information about variable Y, if and only if the possible values of X have different probabilities given different states of Y." - HPMOR.com
Hippo_vibrations
- Posts: 35
- Joined: 26 Nov 2018 2:26
- Location: Finland
by demux » 6 Sep 2019 10:38
femurat wrote:Search "privilege escalation master key".
Yes, good point. Though to carry out that attack one does need access to at least a handful of blanks on the keyway in question, and the ability to reliably cut them. Probably just a slightly higher barrier than disassembly and direct measurement. Even on a restricted keyway where one can't obtain (either directly or through modification) blanks, if you can take the lock apart and examine it there's a fair chance you may be able to file down your existing change key into a row or column master with fairly minimal effort.
demux
- Posts: 510
- Joined: 27 Apr 2017 11:14
- Location: Indiana, USA
by femurat » 6 Sep 2019 17:07
Right. That's the reason why master key cuts usually aren't deeper than user key cuts. You can file down a master key to get a user key, but not the other way around. Cheers
femurat
- Site Admin
- Posts: 3745
- Joined: 22 Sep 2008 9:06
- Location: Italy
by demux » 9 Sep 2019 12:20
femurat wrote:Right. That's the reason why master key cuts usually aren't deeper than user key cuts. You can file down a master key to get a user key, but not the other way around.
Not all of them though. Yes, a properly planned system will have at least one cut on every change key that is lower than the master. But some may be higher, else the TMK in every system would be 000000 or 111111. If you happen to have a change key where you have one or two cuts higher, you can file those down and get a row master, column master, etc. You should not be able to get the TMK, but you may well be able to slightly elevate your privileges.
demux
- Posts: 510
- Joined: 27 Apr 2017 11:14
- Location: Indiana, USA
by GWiens2001 » 10 Sep 2019 20:36
I like to have at least one master cut below the change cut, and most above it. That way it is not always the same, which can make privilege escalation easier. I try not to be too predictable.
Gordon
Just when you finally think you have learned it all, that is when you learn that you don't know anything yet.
GWiens2001
- Site Admin
- Posts: 7550
- Joined: 3 Sep 2012 16:24
- Location: Arizona, United States
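Added example, not code from any poster in this thread: a small Python model of a master-keyed pin-tumbler lock that demonstrates both points made above, namely the oracle attack from Blaze's paper that demux describes (cut test keys that copy the change key at every position but one, and see which other depth still opens the lock) and the filing-down question discussed by femurat, demux and GWiens2001 (a cut can only be made deeper, so a master is reachable from a change key only where every master cut is at least as deep). The bitting convention (0 shallowest, 9 deepest), the six-pin three-level system, and all key bittings are constructed for the example; a real system would have MACS and keyway constraints that this model ignores.

```python
"""Model of master-key rights amplification in a pin-tumbler lock.

Bitting convention (assumed, Schlage style): depth 0 is the shallowest
cut, 9 the deepest. A master wafer in a chamber gives that chamber two
shear lines, so two different cut depths work at that position.
Every lock, key and cut below is constructed for this example.
"""
from itertools import product

DEPTHS = range(10)


def make_lock(*keys):
    """Pin the lock so that every key in `keys` opens it.

    Each chamber is the set of depths that align a shear line there;
    a chamber with one depth has no master wafer, one with two or
    more has wafer(s) stacked between key pin and driver.
    """
    n = len(keys[0])
    assert all(len(k) == n for k in keys)
    return [frozenset(k[i] for k in keys) for i in range(n)]


def opens(lock, key):
    """A key opens the lock if every chamber has a shear line at that key's cut."""
    return len(key) == len(lock) and all(c in chamber for c, chamber in zip(key, lock))


def probe_alternates(lock, change_key, depths=DEPTHS):
    """Blaze's oracle attack against one lock.

    For each position i, cut a test key that copies the change key
    everywhere except position i, try every other depth there, and
    record which ones still open the lock: those are master cuts at i.
    Returns (alternate depths per position, number of test keys cut).
    """
    alternates, cuts = [], 0
    for i, c in enumerate(change_key):
        found = []
        for d in depths:
            if d == c:
                continue
            test = list(change_key)
            test[i] = d
            cuts += 1
            if opens(lock, test):
                found.append(d)
        alternates.append(found)
    return alternates, cuts


def candidate_masters(lock, change_key):
    """All keys that open this lock, built from the probed alternates.

    Where no alternate depth works, the master shares the change key's cut.
    """
    alternates, cuts = probe_alternates(lock, change_key)
    choices = [[c] + alt for c, alt in zip(change_key, alternates)]
    return {tuple(k) for k in product(*choices)}, cuts


def recover_tmk(locks_and_change_keys):
    """Intersect candidate sets from several locks in the same system.

    One lock cannot tell the top master from lower-level masters that
    share its wafers; a second lock from another row usually can.
    """
    candidates, total_cuts = None, 0
    for lock, change_key in locks_and_change_keys:
        cands, cuts = candidate_masters(lock, change_key)
        total_cuts += cuts
        candidates = cands if candidates is None else candidates & cands
    return candidates, total_cuts


def reachable_by_filing(have, want):
    """Filing only removes brass: a cut can get deeper, never shallower."""
    return len(have) == len(want) and all(w >= h for h, w in zip(have, want))


def filing_escalations(change_key, masters):
    """Names of the system's masters that can be filed out of this change key."""
    return {name for name, bitting in masters.items()
            if reachable_by_filing(change_key, bitting)}


# Constructed three-level system: a top master, two row masters, and one
# change key under each. ROW1 differs from the TMK at positions 2 and 4,
# ROW2 at position 3. CHANGE_A's only difference from ROW1 (position 1)
# has the master cut deeper than the change cut, which is the weak case.
TMK = (3, 5, 1, 7, 2, 4)
ROW1 = (3, 5, 5, 7, 6, 4)
ROW2 = (3, 5, 1, 0, 2, 4)
CHANGE_A = (3, 1, 5, 7, 6, 4)
CHANGE_B = (3, 5, 1, 0, 2, 9)

LOCK_A = make_lock(CHANGE_A, ROW1, TMK)
LOCK_B = make_lock(CHANGE_B, ROW2, TMK)

if __name__ == "__main__":
    cands_a, cuts_a = candidate_masters(LOCK_A, CHANGE_A)
    print(f"lock A: {len(cands_a)} keys open it, found with {cuts_a} test cuts")
    tmk, cuts = recover_tmk([(LOCK_A, CHANGE_A), (LOCK_B, CHANGE_B)])
    print("top master from two locks:", tmk, "after", cuts, "test cuts")
    print("filing CHANGE_A reaches:", filing_escalations(CHANGE_A, {"ROW1": ROW1, "TMK": TMK}))
```

Running it shows the two effects side by side: probing lock A alone yields eight keys that open it (every combination of change and master depths at the three wafered positions), and only the intersection with lock B's candidates leaves the single TMK. Filing CHANGE_A reaches ROW1 but not the TMK, because the TMK is shallower than the change key at position 2, which is exactly the "row master but not TMK" outcome described by demux.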