Safe security

Bruce Schneier posts on the furore surrounding this safe-cracking paper by Matt Blaze (a computer scientist), mostly among safe & physical security professionals. The paper makes for very good reading. [via BoingBoing]

Most of the fuss is because principles such as security through obscurity are dearly held in the safe and lock industry, to their detriment, as Kryptonite discovered. Applying principles from computer security and cryptography in a different domain of expertise is causing heart-burn, which might, on first blush, be reasonable. But in addition to being fascinating, it's also slightly alarming in places:

Most locks have a wider dialing tolerance than the dial graduations would suggest, allowing an error of anywhere between ±.75 and ±1.25 in each dialed number, depending on the lock model. So although there may be 100 marked positions on the dial, there may be as few as 40 mechanically distinct positions.

[...more possible keys removed...]

For locks with the full ±1.25 dialing tolerance allowed under [standard], these recommendations seem especially misguided, leaving only 22,330 distinct “good” combinations. Observe that this is less than 2.5% of the apparent keyspace of 1,000,000.

Similar reductions in effective keyspace will be familiar to observers of many computer password authentication systems.

That's not the kind of thing that a cryptographer can get away with when designing cryptosystems. Before long, safe-makers may not be able to either.

No comments: