
Date: Fri, 19 Sep 86 15:47:15 edt
From: Douglas Humphrey <deh@eneevax.umd.edu>
Subject: Re:  door-token locks

Speaking of strange contracts, this thing with the token recognition
security devices is something that we have done work on. A Washington
D.C. area security firm contracted with us (Digital Express) a while 
ago to design and build a machine that would, in a nice automated 
fashion, not only intercept valid card entries, but also scan the 
possible codes in an attempt to get into a system. We did the design
for the box, and even figured out how to package it neatly in a boom
box, but they decided that they did not want to lay out the bucks for
us to build and check out the RF stuff. There seems to be little doubt
that the designs we did, once translated into hardware and tuned up, 
would be just the thing to get you into any building that uses the 
Sludgecard (Schlage) or Funnywell (Honeywell) systems. 

The demo that this company no doubt was looking to do would have someone
hang around by the door of the place in question with their box running
(we sacrificed the AM/FM for the electronics, but the tape was still 
there, so I guess that you would just play tapes) and have them 

1 nab a code from a valid entry and then have the box repeat the transmission.
2 scan the possible codes and get in 'cold'
3 jam the entry of people with good codes by transmission of invalid data

Given these possibilities, they could convince most anyone to get a non-RF
based security system...

Doug

Date: Sun, 5 Oct 86 21:59:12 edt
From: Douglas Humphrey <deh@ENEEVAX.UMD.EDU>
Subject: Re:  door-token locks

The range that Sludge cards are readable at really depends upon the 
gear that is trying to read them, since they are semi-passive devices. 
A higher powered pulse and more sensitive receiver can read them from 
a greater distance. The scenario of sitting in the parking lot reading 
cards as people walk by is totally possible. Fitting that in a boom-box
might be more difficult, might not. Hard to tell without putting that 
hardware group on it, and that's money, so we will stick with guesses,
though educated ones.

The interference between cards is a big problem for a lot of people. 
I had one of these cards years ago, and it worked in my wallet, but
not in my ID holder which is where I preferred to keep it. The chain and 
small metal tag on the ID holder was messing up the reflected signal 
I would guess, because when they shifted to plastic ID holders then
everything was OK. 

As usual, there is a tradeoff between security and ease-of-use. These cards
are neat because you can keep them in your wallet and have them read if 
they position the reader plate at hip level on a wall next to the door.
They are insecure because you can determine the signature of a card without
actually having to have physical possession of the card. It all depends on
what you are protecting, and who has access to it. Many people do not take
security seriously, and feel that they are above it. Some people are 
overly concerned with security to the point that it becomes the mission
and they are above everything else. Hopefully, those of us on the list
here can probe the area in between when we are concerned for the security,
but understand that there is also something else that needs to be 
accomplished and that security can not be so intrusive that it gets in 
the way.

Yow ! End Of Flame [EOF]

Doug

Date: Sun, 19 Oct 86 23:47:25 edt
From: Douglas Humphrey <deh@eneevax.umd.edu>
Subject: Re:  Passive security systems

  There are card readers that can read cards within 1 inch proximity;
  users must "bump" their wallets or purses or whatever against
  the reader. It seems more difficult for an "enemy" to read such
  a card without the user knowing about it.

Unfortunately, the act of bumping your wallet or purse on a sensor 
is extremely obvious, even to the casual observer. If someone did not
understand at once what was going on when they observe 20 people in 
a row either take out their wallets and push them against the wall,
or bang their purses on the wall, all in the same place, then the 
observer would have to wonder what strange custom or blessing 
ritual these people were doing before entering the building. 

Seriously, security in obscurity does not work in the slightest, and
really has NO positive value for the cases that we are discussing. 
If more than one person knows it, then it is not a secret, and if
obscurity is being used to hide someone, it will only keep the 
casual observer puzzled; the pro (spy, whatever) will be the FIRST
person to figure it out.  Example of the hidden sensor plate is
Western Union's Operations center in Downtown Washington DC. 
People walk up to the door, which is recessed about 10 feet into the 
side of the building, do a little tango consisting mainly of bumping 
their right hip (males with wallets, anyway) on the right wall, 
and the door is so impressed that it decides to open for them. 
I first noticed this when waiting in a restaurant across from the
place, and it took me about 2 seconds to figure out from the first
guy that he was not having an epileptic fit, so he must simply
be very tall and the sensor is mounted rather low (such is the case).

While I doubt that a box can be built that can allow you to sit in
the restaurant sipping espresso and gathering codes, a wino, or
simply a street vendor would have no problem setting up shop next to
the door and doing it. 

Doug

Date: Fri, 24 Oct 86 11:57:52 edt
From: Douglas Humphrey <deh@eneevax.umd.edu>
Subject: Re:  Token Door Locks

The idea of having a complex system of random interrogation/response
pairs for a token lock system would make the interception of codes
a much more difficult task, but it does not materially increase the 
level of protection. The receiver/recorder device that is collecting
codes could just as well be concealed as a large potted plant as a boom-box,
and since it does not require an operator, it could collect codes over a 
period of a month or more and compile quite an impressive list of the
interrogation/response pairs. 

If you are going to go to this trouble, then have the token contain
an algorithm rather than just a bunch of pre-determined codes and then
the door sends a series of bits out, which are received by the token
and coded according to the unique algorithm in the token, and transmitted
back. The door then runs the results against its calculated set of 
algorithms and thus identifies who it is. 

All of this can help hide the correct interrogation/response pair from the
listener, and in fact it can get a LOT more complex than this, but the 
point is that as it gets more complex, it gets more expensive, more prone
to breakdown (note that in the above we have gone from a $5 passive card
to a UHF/VHF receiver with associated microprocessor, etc.) and MUCH 
more difficult to manage, keeping in mind that someone in the real world
has to USE this system, and has to contend with lost cards, new validations,
deletions from the access list, etc.

Doug
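
The contrast drawn in the message above, as an added example that is not part of the original post: a token with a fixed table of pairs is fully harvested by a passive recorder, while a token that computes its answer from fresh random bits gives the recorder nothing reusable. HMAC-SHA256, the 64-bit challenge, the 64-entry table and all names and keys are assumptions made for the illustration.

```python
import hashlib
import hmac
import random

CHALLENGE_BYTES = 8  # assumed challenge width; the post gives no figure


class TableToken:
    """Token holding a fixed list of interrogation/response pairs."""

    def __init__(self, rng, pairs=64):
        self.table = {i: rng.getrandbits(32) for i in range(pairs)}

    def respond(self, challenge):
        return self.table[challenge]


class AlgorithmToken:
    """Token that codes the door's bits with its own secret (HMAC assumed)."""

    def __init__(self, key):
        self.key = key

    def respond(self, challenge):
        msg = challenge.to_bytes(CHALLENGE_BYTES, "big")
        return hmac.new(self.key, msg, hashlib.sha256).digest()[:8]


class Door:
    """Door that recomputes the answer for every enrolled token."""

    def __init__(self, enrolled):
        self.enrolled = enrolled  # holder name -> token key

    def identify(self, challenge, response):
        msg = challenge.to_bytes(CHALLENGE_BYTES, "big")
        for name, key in self.enrolled.items():
            expected = hmac.new(key, msg, hashlib.sha256).digest()[:8]
            if hmac.compare_digest(expected, response):
                return name
        return None


def replay_coverage(token, draw_challenge, observed, trials):
    """Fraction of later challenges answerable purely from a recorded log."""
    log = {}
    for _ in range(observed):          # unattended recorder near the door
        c = draw_challenge()
        log[c] = token.respond(c)
    hits = 0
    for _ in range(trials):            # later attempts using only the log
        c = draw_challenge()
        if log.get(c) == token.respond(c):
            hits += 1
    return hits / trials


def demo(seed=1986):
    # Seeded only so the simulation repeats; a real door would draw its
    # challenges from a cryptographic source such as the secrets module.
    rng = random.Random(seed)
    key = b"constructed-token-secret"
    table_cov = replay_coverage(TableToken(rng), lambda: rng.randrange(64),
                                observed=1000, trials=500)
    algo = AlgorithmToken(key)
    algo_cov = replay_coverage(algo,
                               lambda: rng.getrandbits(8 * CHALLENGE_BYTES),
                               observed=1000, trials=500)
    door = Door({"alice": key, "bob": b"another-constructed-secret"})
    c = rng.getrandbits(8 * CHALLENGE_BYTES)
    return table_cov, algo_cov, door.identify(c, algo.respond(c))


if __name__ == "__main__":
    print(demo())
```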


From gatech!codas!ki4pv!tanner@RUTGERS.EDU  23-Oct-1987 07:40:52
To:	security@red.rutgers.edu
Subj:	[1262]  Re: Electronic door locks and anti-shoplifting devices
Status: R

The contents of that magical little card (or of the anti-shoplifting
device, which is (as suspected) applied to a sample of the merchandise):
One or more (for a 4-digit system, 4) layers of metal foil, cut in
such a way as to resonate at a certain frequency.

Contents of the door-watching box: an rf source, set to sweep across
the range of frequencies for which the foil layers are set.  Further
contents: an rf dip detector, which notices at which frequencies the
RF power takes a sudden dive (being sucked up by foil layers).

The freqs are numbered, of course, and you can assign a number to any
set of M out of N selected.  Note that order is not important; thus
(eg) {1,4,8,17} will look the same as {1,8,17,4} to the device.

Simpler systems may just (like our school library) have one piece of
foil glued to the inside of the book.  If that freq dips suddenly,
you sound the alarm.  Print something such as the institution's name
on the foil sticker so that people don't realise that it is not just
a name-plate, of course.

					Tanner Andrews, Systems
					CompuData, Inc.  DeLand
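
The sweep-and-dip reading described in the message above, as an added example that is not part of the original post: it decodes a simulated sweep into an unordered set of slot numbers and assigns each set a number. The 20-slot, 4-layer system, the frequencies, the power levels and every name here are constructed for the illustration.

```python
from math import comb

N_SLOTS, M_LAYERS = 20, 4            # assumed system size (constructed)
SLOT_KHZ = {n: 2000 + 100 * n for n in range(1, N_SLOTS + 1)}  # constructed
STEP_KHZ = 25                        # sweep resolution of the simulated reader


def make_sweep(layers):
    """Constructed sweep: flat -20 dB with a dip around each foil layer."""
    sweep = []
    for f in range(2000, 4101, STEP_KHZ):
        power = -20.0
        for n in layers:
            gap = abs(f - SLOT_KHZ[n])
            if gap == 0:
                power = -30.0
            elif gap == STEP_KHZ:
                power = min(power, -27.0)
        sweep.append((f, power))
    return sweep


def find_dips(sweep, drop_db=6.0):
    """Frequencies whose power sits drop_db or more below the median."""
    powers = sorted(p for _, p in sweep)
    baseline = powers[len(powers) // 2]
    return [f for f, p in sweep if baseline - p >= drop_db]


def decode_tag(sweep, m=M_LAYERS):
    """Return the set of resonating slots, or None unless exactly m dip."""
    dips = find_dips(sweep)
    hit = frozenset(n for n, f in SLOT_KHZ.items()
                    if any(abs(f - d) <= STEP_KHZ for d in dips))
    return hit if len(hit) == m else None


def code_number(code):
    """Rank of an unordered slot set (combinatorial number system)."""
    return sum(comb(c - 1, i) for i, c in enumerate(sorted(code), start=1))


def keyspace(n=N_SLOTS, m=M_LAYERS):
    """Distinct cards: order is invisible to the reader, so C(n, m)."""
    return comb(n, m)


if __name__ == "__main__":
    a = decode_tag(make_sweep([1, 4, 8, 17]))
    b = decode_tag(make_sweep([1, 8, 17, 4]))
    print(sorted(a), a == b, code_number(a), keyspace(), N_SLOTS ** M_LAYERS)
```

Because the reader sees only which frequencies dip, the number of distinct cards is C(N, M), far fewer than the N^M an ordered 4-digit code would suggest.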

Date:	Mon, 24 Apr 89 13:42:00 EDT
From:	deh@eng.umd.edu
Subject: Re:  Card Access information request

WIEGAND is by far the best card technology that is available today
(I exclude smart cards, since they are a new technology and have 
their own special problems). 

Mag cards will get erased by things, and will wear physically, and 
will go bad, and will be an administrative nightmare about a year
(maybe a lot less) after they are installed. WIEGAND cards work
by having a thin bi-metal wire embedded in the card. The wire is
subjected to heating, magnetic fields, and mechanical twisting 
at the factory in order to encode the proper data into it. It is 
NOT a magnetic system, and is not subject to being screwed up
by magnetic fields that you are likely to encounter in reality
(I ruined a WIEGAND card on a Cyclotron Analyser magnet once, 
but that was an exceptional case, since it was bending a 200 Mev
beam at the time, and thus was generating a BIT of a field).

The wire is swept through a magnetic field set up by the reader,
and the field itself is monitored. As the various parts of the 
wire pass through the field, they will cause fluctuations in
it which are read and used as data. Very slick. These readers are 
epoxy encapsulated, so they never fail because of stuff getting
into them and need no maintenance, something that can not be said
for mag cards. Wiegand readers work underwater for example, which 
may sound useless, but there is a US Navy location that has them 
installed on under water weapons storage (mines or something I 
would guess....) vaults in Maryland. It means that if your card
gets soaked in the rain, the card and the reader don't care.
It really is a great technology. I have seen cards for Kastle 
Systems (here in the DC area, they do access control for more
than 350 buildings) that people have been sitting on (in their
back pockets I assume) for years and have shattered them, barely
held together by scotch tape, and they still work fine. Try that
with any other technology.

The RF based cards, referred to as Sludge Cards since the company
that makes them is Sladge (spelling?) are not really all that 
winning, though they do have their good points. They can be read
through your clothes, so you can leave your wallet in your pocket
and just get your rump up against the reader (if they are nice enough
to put it that low!) and zap! you are in, unless you have something
else metal in your wallet that can screw up the RF reading of the
card. The cards are somewhat sensitive to physical damage, not that
they are delicate per se, but if they DO get hurt they stop 
working at once since it changes the RF emission characteristics
of the card. The other drawback is security; there exists in the 
DC area somewhere (I don't know who ended up with it) a 'Boom
Box' (radio, cassette, etc) that only plays cassettes, since its
innards have been replaced with a modified version of the 
Sludge Card reader. You sit down next to the reader (as close 
as you can get the box to it, in any case) and when the person 
with the card gets near, it will read the card while it is still in
their purse, wallet, etc. Walking through a downtown (K street)
McDonalds with this device several years ago (when we built it)
yielded a slew of card data. If you are near their entrance and 
watch them walk in, and get their card data as they pass by, I 
assume that it would not be too hard to build cards to match
the data that you recorded, and then waltz (or bop, or shuffle)
right on in.....

I consider this a security risk.

Doug

Date:	Thu, 11 May 89 12:34:00 EDT
From:	hollombe@ttidca.tti.com
Subject: Re:  Card Access information request

}WIEGAND is by far the best card technology that is available today

We here at the CAT factory have a different view.  We've always thought
our Magic Middle cards were the best technology. (-:

}... WIEGAND cards work
}by having a thin bi-metal wire embedded in the card.

Sorry, I can't talk about how our cards work.  I can tell you your
Cyclotron Analyser wouldn't affect them.  I've also seen one cut in half
and taped back together and it still worked.  Legend has it one hotshot at
Cal Tech was able to crack their encoding.  We hired him. (-:

-- 
The Polymath (aka: Jerry Hollombe, hollombe@ttidca.tti.com)  Illegitimati Nil
Citicorp(+)TTI                                                 Carborundum
3100 Ocean Park Blvd.   (213) 452-9191, x2483
Santa Monica, CA  90405 {csun|philabs|psivax}!ttidca!hollombe

Date:	Tue, 29 Aug 89 03:57:00 EDT
From:	"Craig Finseth" <fin@uf.msc.umn.edu>
Subject: looking for info on VingCards

In recent travels to Europe (particularly the Scandinavian parts), I
encountered "VingCard" type locks on hotel room doors.  I'm looking
for general information on these.  (Just curious)

The keys are thin plastic cards, approx 4.5 x 10.5 cm.  One end has a
7 x 5 grid of hole positions (every other row is offset, forming a
hexagonal array).  This would imply 2^35 possible keys.

Can someone out there help me?

Craig A. Finseth			fin@msc.umn.edu [CAF13]
Minnesota Supercomputer Center, Inc.	(612) 624-3375

[Moderator tack-on:  Hooboy, I could go on for quite a while about these
things, having done some fairly in-depth studies of same.  I'll try to get
to this after Worldcon...   _H*]

Date:	Wed, 27 Sep 89 07:20:00 EDT
From:	*Hobbit* <hobbit@pyrite.rutgers.edu>
Subject: Ving Cards 

There used to be only one kind of Ving card lock.  Now there are two kinds,
as I discovered to my horror a while back while at a convention.  The first
and possibly "classic" version is all-mechanical, while the second is optical
with an electronic controller.  I did a longish article on the mechanical
one back when I got to take it apart, which I will send to anyone who asks,
and since the time of that writing discovered a few more things about it.
I believe this article was sent to this very list years ago...

My examination of the optical type occurred much more recently, and there are
still several things I don't know about it -- in particular how master-keying
is handled in software, since the pin-tumbler cylinder in this type appears
primarily to be for programming.  This lock uses the same technology as the
Yaletronics and its ilk; the matrix of holes is simply read by a bunch of
infrared LED/sensor pairs connected to the inputs of a small processor.  You
feed it the right number, it pulls the solenoid.  There is no mechanical
connection from the pin cylinder to the spring-latch mechanism, so I'm
clueless as to what people do if the batteries die on them.  Even with plenty
of advance battery-low warning, you'd think there would be a mechanical
bypass available...

You can quickly tell which type you have by the noises it makes.  The
mechanical version produces all kinds of racket as the card slides over the
ball-bearings; the optical presents no mechanical impediment to the card
save the little spring-loaded protective bar at the opening.  The mechanicals
have a "combination card" loaded into them through the hinged black cover
on the inside of the door, which is sometimes difficult to install and remove
due to the way the pins sit inside the matrix.

The pin-tumbler cylinders are made in-house by Ving, and sport a rather unique
feature.  About 30 degrees clockwise from the normal drivers there is a set
of "extra" drivers which are retained up in the cylinder housing.  All they
appear to be for is to store extra mastering splits you aren't using in the
regular lock.  Thus to change between several known keys, one would turn key
A over to this position, remove it and insert key B, and return it to the
locked position.  The difference between keys A and B causes splits to be
left at or picked up from the spare driver area.  They also have the magic-
rear-pin-ring deadbolt hack commonly found in hotel systems.

The last address I had for the makers of these things, if you want the
corporate party line, is

	Elkem Ving
	6200 Denton Dr
	Dallas TX
	800 527 5121

If someone tries the above and it's horribly wrong, please let me know, since
all of this was several years ago.

_H*

Date: Fri, 31 Oct 86 08:56:04 est
From: *Hobbit* <AWalker@RED.RUTGERS.EDU>
Subject: electronic hotel card locks

These are wonderful little microcomputer projects masquerading as door locks.
Inside there's a processor running a program, with I/O leads going to things
like the magnetic strip reader, or the infrared LEDs, and the solenoid, and
the lights on the outside.  They are powered entirely by a battery pack, and
the circuitry is designed such that it draws almost nil power while idle.
The cards are usually magnetic-strip or infrared.  The former uses an oxide
strip like a bank card, while the infrared card has a lot of holes punched in
it.  Since IR light passes through most kinds of paper, there is usually a thin
layer of aluminum inside these cards.  The nice thing about these systems is
that the cards are generally expendable; the guest doesn't have to return them
or worry about lost-key charges, the hotel can make them in quantity on the
fly, and the combination changes for each new guest in a given room.  The hotel
therefore doesn't need a fulltime key shop, just a large supply of blank cards.
Duplication isn't a problem either since the keys are invalidated so quickly.

The controlling program basically reads your card, validates the number it
contains against some memory, and optionally pulls a solenoid inside the lock
mechanism allowing you to enter.  The neat thing about them is that card
changes are done automatically and unknowingly by the new incoming guest.  The
processor generates new card numbers using a pseudorandom sequence, so it is
able to know the current valid combination, and the *next* one.  A newly
registered guest is given the *new* card, and when the lock sees that card
instead of the current [i.e. old guest's] card, it chucks the current
combination, moves the next one into the current one, and generates the new
next.  In addition there is a housekeeping combination that is common to all
the locks on what's usually a floor, or other management-defined unit.

There is no wire or radio connection to the hotel desk.  The desk and the lock
are kept in sync by the assumption that the lock won't ever see the "next"
card until a new guest shows up.  However if you go to the desk and claim to
have lost your card, the new one they give you is often the "next" card
instead.  If you never use it and continue using your old card, the guest
after you will have the wrong "next".  In cases like this when the hotel's
computer and the lock get out of sync, the management has to go up and reset
the lock.  This is probably done with a magic card that the lock always knows
about [like in ROM], and tells it something akin to "use this next card I'm
going to insert as the current combination".  The pseudorandom sequence simply
resumes from there and everything's fixed.  If the lock loses power for some
reason, its current memory will be lost but the magic "reset" card will work.

Rumor has it that these locks always have a back-door means of defeating them,
in case the logic fails.  Needless to say, a given manufacturer's method is
highly proprietary information.  In theory the security of these things is
very high against a "random guess" card since there are usually many bits
involved in the combination, and of course there is no mechanical lock to be
manipulated or picked.  The robustness of the locking hardware itself
sometimes leaves something to be desired, but of course a lock designed for a
hotel door probably isn't the kind of thing you'd mount on your house.

There is one kind of card lock that is purely mechanical, not electronic.
These locks use the stiff plastic cards with large punched holes and are called
VingCard locks.  They of course don't do pseudorandom sequences, but their
combinations are easy to change as well.  They also use a regular key lock as
their backup.  I did a description of these a while back if anyone's
interested.

_H*
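
The current/next rollover and the lost-card desynchronisation described in the message above, as an added example that is not part of the original post. The chained HMAC sequence, the 6-byte card numbers, the secret, the reset card value and the reset behaviour (which the post itself offers only as a guess) are all assumptions made for the illustration.

```python
import hashlib
import hmac


def next_combo(secret, current):
    """Next card number in the lock's sequence (HMAC chain, assumed)."""
    return hmac.new(secret, current, hashlib.sha256).digest()[:6]


class Lock:
    """Stand-alone lock: holds 'current', derives 'next', no link to desk."""

    def __init__(self, secret, first, reset_card):
        self.secret, self.current = secret, first
        self.reset_card = reset_card   # value the lock always knows (ROM)
        self.armed = False             # True right after the reset card

    def insert(self, card):
        if hmac.compare_digest(card, self.reset_card):
            self.armed = True
            return "reset-armed"
        if self.armed:
            # Adopt the very next card as current; sequence resumes there.
            self.current, self.armed = card, False
            return "open"
        if hmac.compare_digest(card, self.current):
            return "open"
        if hmac.compare_digest(card, next_combo(self.secret, self.current)):
            self.current = card        # previous guest's card dies here
            return "open-rolled"
        return "denied"


class Desk:
    """Front desk: tracks only the last card it issued for the room."""

    def __init__(self, secret, first):
        self.secret, self.last_issued = secret, first

    def issue_next(self):
        self.last_issued = next_combo(self.secret, self.last_issued)
        return self.last_issued


def lost_card_scenario():
    """Replay the post's story and record what the lock does at each step."""
    secret, first, reset = b"constructed-lock-secret", bytes(6), b"RESET!"
    lock, desk = Lock(secret, first, reset), Desk(secret, first)
    events = []
    guest_a = desk.issue_next()
    events.append(("A first use", lock.insert(guest_a)))
    desk.issue_next()                  # A reports a lost card, never uses it
    events.append(("A old card", lock.insert(guest_a)))
    guest_b = desk.issue_next()        # desk is now two steps ahead of lock
    events.append(("B new card", lock.insert(guest_b)))
    events.append(("reset card", lock.insert(reset)))
    events.append(("B after reset", lock.insert(guest_b)))
    guest_c = desk.issue_next()
    events.append(("C new card", lock.insert(guest_c)))
    events.append(("B old card", lock.insert(guest_b)))
    return events


if __name__ == "__main__":
    for step, result in lost_card_scenario():
        print(f"{step:14s} {result}")
```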

-------

From *Hobbit* <AWalker@RED.RUTGERS.EDU>  29-May-1987 06:42:15
Subj:	[6668]  Evaluation: Cor-Key Magnetic locks

I recently had a chance to disassemble and examine yet another type of hotel
security system.  These are all-mechanical magnetic door locks made by
Cor-Key Systems in California.  The user is given a small white plastic
card with rounded ends, and inserts same into a slot in the top of a
rather large doorknob on his room.  Pushing the card all the way into
the slot "connects" the knob to the actual latch hardware and allows
entry; otherwise the knob just spins around.

The neat thing about these is that the latch and the rest of the lock
are a standard lockset that could have been made by anybody, and to upgrade
to the Cor-Key system one simply has to install this other doorknob.  Thus
the hotel, which previously had regular old key locksets, avoided a lot of
expense and retrofitting.

Internally, the lock works entirely by magnetism.  The card is laminated
plastic over a layer of rather granular magnetic material that can be
magnetized in small regions and hold the field virtually forever.  When the
card is inserted into the slot it covers up a matrix of 35 or so holes, and
the tumblers move according to how the north or south regions on the card line
up with the matrix.  The tumblers themselves are small cylindrical permanent
magnets, and are attracted or repelled by the card regions.  About nine of
these are sprinkled around the matrix, leaving a lot of the holes empty.  Each
tumbler has a spot of either red or blue ink on one end to indicate its
polarity.

The parts are arranged as follows, moving toward the door along the axis of the
shaft.  Front doorknob surface, steel plate, card slot, thin nonmagnetic metal
plate, brass plate with holes, plastic slider with wells containing the
tumblers.  Everything except the plastic slider is fixed in place; the slider
is held in place by the tumblers, which normally are attracted partway out
of their wells toward the steel plate and are thus protruding through the 
holes in the brass plate.  Thus the slider can't slide, because the tumblers
are locking it to the brass plate.  The correct key imposes itself down
between the steel plate and the tumblers, and if the regions on the key
repel *all* the tumblers away from itself, all the tumblers retreat into the
plastic housing out of the brass plate.  Then the slider is free to move,
which it does when the key is pushed down the last quarter-inch or so.  This
engages the latch mechanism and connects it to the knob, so the door will
open when the knob is turned.

There is a mechanism for rekeying a door quickly: near the bottom of the
knob there are two small holes through which a small tool can be inserted.
Under these are two rotating alloy carriers, each containing one tumbler.
Each carrier can be rotated to one of four positions, giving a total of
16 combinations between them.  Rotating one of these moves the respective
tumbler to a different point in the matrix, thus disabling one key and
allowing a new one to work.  Guest keys would have variable encoding in
these matrix regions, and the master key[s] would be configured such that
they would address these tumblers regardless of where they were.  Since this
only creates 16 possible combinations between them, it is a "first level"
of mastering which can be changed without disassembly.

More in-depth mastering is done by leaving parts of the static matrix empty,
but the tumblers that are installed will match the corresponding regions of
the master keys.  In an unmastered system, if the entire matrix were filled
with tumblers, all the locks and keys would be configured the same and all keys
would work everywhere.  Each lock is made unique by removing different parts
of the matrix, and each guest key is made unique by differently magnetizing
the "don't care" regions that correspond to the empty parts of the matrix in
the given door.  Thus Guest A's key will correctly address the parts of the
matrix that Room A's knob contains, but the *other* regions in his key will
incorrectly address the filled matrix locations of Room B's lock.  The master
key essentially repels the entire matrix's worth of tumblers, whether it's
there or not.  It was mentioned that the master also has a hole in the
appropriate place to bypass the double-locking mechanism -- normally when the
door is double-locked, a small rod protrudes into the key slot and completely
prevents insertion of a normal key.

Each location in the matrix is numbered [not in any obvious way, but...] so
that the combination can easily be represented by a computer.  Although in the
past when the company started, records of whose lock contained what were kept
in large books, computers are now being used to keep track of this.  The keys
are magnetized at the desk with a machine containing an equivalent matrix full
of electromagnets.  These can generate, I'm told by the Cor-Key people, fields
of 250 gauss or so.  A key region can be made north, south, or neutral; it is
possible to "read" a key's encoding by running a !small!  magnet over it and
feeling if it's attracted, repelled, or ignored.  [One of the tumblers glued
to a piece of flexible wire worked fine.]  However, even examining the part of
the matrix you were given only gives you a small section of the master key, so
it's virtually impossible to generate a hotel master by examining your own
lock.  Pick this one?  Forget it.  The tumblers are inaccessible behind the
thin nonmagnetic plate. Perhaps a very large strong electromagnet could fit
over the entire knob, remagnetize *all* the tumblers one way [good luck!] and
then apply a gentler field in the reverse direction to push them all inward.
I really don't see something like this working either.  An expensive and
precise piece of equipment could conceivably be built to stick a small coil
down into the slot and "read" the matrix by applying fields in different
directions while the user listens for each individual tumbler to bang against
one end or the other.  Yuk.  Conceptually, therefore, the Cor-Key is fairly
secure. Unfortunately the workmanship of the lock itself is a bit on the
shoddy side, and I was told by the people who build them that the official
"backdoor" used in cases where the lock is completely screwed up is to drill a
hole in a magic spot and force the latch mechanism to engage.  Furthermore, to
*really* re-key the lock it must be taken completely apart, because any key
encoded the same all over the two changeable regions will open the lock
regardless of where the carriers are rotated to.

_H*

From <matt@oddjob.uchicago.edu>   4-Jun-1987 22:30:31
Subj:	[557]  Re: Evaluation: Cor-Key Magnetic locks

Science marches forward:

A piece of high-temperature superconductor would repel
all the tumblers.

A magnetic metal with a low (but above room temperature)
Curie point could be heated to above the Curie point,
inserted into the slot, and allowed to cool.  It would
then carry a "negative" field of the correct key.  You'd
have to reverse the polarity of each magnetized region.

Gee, what fun.
			Matt Crawford
