A Tale of Locks and Woe

There once was a University that had a system for producing locks and keys. To maintain records of which keys opened which doors without having to keep track of every key/door pair, and without mistakenly duplicating any keys, it was thought most efficient to produce the keys in sequence. A sequenced set of keys would then be deployed within a given building, on a given floor, in door number order.

  • ...
  • door 15: key 102
  • door 16: key 103
  • door 17: key 104
  • door 18: key 105
  • ...

What do we mean by keys "in sequence"?

[Figure: side view of a key with notches in a lock, next to a second key whose last notch is a little deeper]

Note the two keys above: the depth of the notch under the 5th pin is slightly deeper in the second key than in the first. If a 3rd key's 5th notch were slightly deeper still, one could say that the 3 keys are "in sequence."

Students were given keys to both their dorm room and the kitchen on their floor. Two physics students living on either side of the kitchen remarked on how similar their dorm room keys were to the common kitchen key. This caused them to compare their dorm room keys with each other. It did not take long for them to realize that a pattern was at play.

Given these observations they decided to attempt to create a key for the utility closet door adjacent to one of the dorm rooms by modifying one of the common kitchen keys. With the additional knowledge gained from having successfully opened the utility closet, all the locks on the floor were soon compromised.

Their experiment was repeated on another floor with one borrowed kitchen key. Soon they tested their theory on other University buildings throughout the campus.

The students, being honest, never took unfair advantage of their knowledge. Instead the two students reported their findings to the University. But the University, in a futile effort to fix the key problem, swapped locks and keys on some doors, and changed the locks on other doors. Unfortunately the number of keys was small enough that a determined student could find the right key with a bit of trial and error. The University key and lock system was fundamentally flawed.

So what really happened here?

  • Individual keys were related to each other inappropriately
  • The students observed the relationship and predicted the shape of other keys
  • Because of the relationship, the compromise of one key put all other keys and locks at risk
  • Too few key/door pairs, combined with keys inappropriately related to each other, made an exhaustive search practical

Predictable key pattern = Security Risk!

Does this story hold true in the Internet today? That is to say, in the on-line world, can keys used to protect personal information about me and about others be at risk? What about the encryption keys and web cookies that hold vital information such as credit cards, bank accounts, and medical records?

At the basis of most computer security systems is the use of Random Number Generators. The numbers they generate become the on-line keys that unlock access to private / personal / financial information. In other words:

Poor Random Number Generator = Predictable keys = On-line Security Risk!

If a Random Number Generator suffers from the same weaknesses:

  • Output is predictable
  • Exhaustive search is practical
  • Discovery of one value allows other values to be predicted

that the University key system suffered from, then the exposure of just one number produced by a Random Number Generator could compromise ALL keys past, present and future. This in turn can compromise the integrity of whatever these keys may be protecting.
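
The claim above, that one exposed value can reveal past and future keys, shown as an added example (not LavaRnd code): a constructed toy linear congruential generator whose output is its whole internal state, compared with Python's `secrets` module. All function names are hypothetical; the constants are the commonly published Numerical Recipes LCG parameters.

```python
import secrets

# Constructed toy generator: 32-bit LCG, output == entire internal state.
M = 2**32
A = 1664525
C = 1013904223
A_INV = pow(A, -1, M)  # A is odd, so it has an inverse modulo 2**32


def lcg_next(state):
    """Step forward: the next key follows directly from the current one."""
    return (A * state + C) % M


def lcg_prev(state):
    """Step backward: the previous key is just as easy to recover."""
    return (A_INV * (state - C)) % M


def issue_keys(seed, count):
    """Issue keys 'in sequence', like the University's lock system."""
    keys, state = [], seed
    for _ in range(count):
        state = lcg_next(state)
        keys.append(state)
    return keys


def predict_from_one(observed, before, after):
    """Rebuild the neighbouring keys from a single observed key."""
    past, s = [], observed
    for _ in range(before):
        s = lcg_prev(s)
        past.append(s)
    future, s = [], observed
    for _ in range(after):
        s = lcg_next(s)
        future.append(s)
    return past[::-1] + [observed] + future


def audit(keys):
    """Defender's check: True if every key is derivable from the first."""
    return predict_from_one(keys[0], 0, len(keys) - 1) == keys


def issue_keys_csprng(count):
    """Keys from the OS CSPRNG: unrelated values from a very large set."""
    return [secrets.randbits(128) for _ in range(count)]
```

Running `audit` over a batch of issued keys flags the sequenced generator and passes the `secrets`-based one, which is the same test the two students applied to their door keys.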

Let's now examine LavaRnd, a Cryptographically Sound Random Number Generator.

Disclaimer: While the above tale is the stuff of which urban legends are made, the moral of this story has relevance to the on-line world of the Internet.
Disclaimer: If it puts your mind at ease about the lock on your home: In the end, the University employed the services of a competent locksmith who used best practices, among which was to make the keys from a very large set and deploy them in a difficult-to-observe pattern. If you are in doubt about your own physical locks, you should consult a competent and experienced locksmith.