Higher Security Locks, A Two Stage Method

------The present article relates to a two stage method to be built into lock designs to improve resistance to surreptitious opening. This resistance is acquired through a interconnection of the parts necessary to permit complete rotation of a main rotary plug after the variable parts, which can be affected by a key, are set to positions which may or may not allow rotation of the main rotary plug.

------Resistance to surreptitious opening is an important concern for any lock. In past designs of key operated mechanical locks the key moves parts into a position which removes obstructions preventing the lock from moving another main obstruction. Examples are keys moving pins or wafers which prevent rotation of a cylinder retracting a bolt, or a key which rotates discs in a rotary plug allowing a side bar to fall in notches cut in those discs which then allows the rotary plug to turn and retract a bolt. Most often improved resistance to surreptitious manipulation has been acquired through adding additional or more awkward obstructions which the key must operate. The problem with these designs that allows quick manipulation, such as single pin picking, is that the obstructions which the key must operate can be manipulated and tested for correct placement individually with small tools while applying torque to the main rotary plug. It can be thought of almost like signing a name on a paper at a bank where you can watch the teller's response to know if you are going in the right direction. The designs for these locks assume the obstructions cannot be manipulated individually on paper, but after natural manufacturing errors, such as the corrosion of a drill bit which keeps pins from perfect alignment in a pin tumbler lock, small defects can be exploited allowing obstructions to be worked on individually. Most locks currently made do not take steps to ensure the fastening and interconnection of all obstructions or parts operated on by the key when torque is applied to the main rotary plug. Even combination safe dial cams are not cut in perfect circles during manufacturing, and because of this and the only semi interconnection they can be tested semi individually for locations of notches that allow a side bar like bolt to fall in place and retract the main obstruction or bolt. In the end, the use of just a side bar does not prevent individual manipulation of key controlled parts, and constant semi interconnection of key controlled parts does not fully provide individual part manipulation resistance while allowing parts to be manipulated individually as necessary with a key. The problem faced with constant full interconnection of key controlled parts is this creates a lock where if one part is correctly manipulated all others are as well, the problem faced with key operated parts being constantly locked is the lock could never open, but constant interconnection and locking is not necessary. Interconnection and locking is only necessary when torque to rotate the main plug is applied. This leads to a two-step or stage lock. One which allows key operated parts to be operated on individually by a key at one stage, but interconnects and locks them in place in a second stage when rotation of the main rotary plug is attempted. This is more like signing a name, placing it in an envelope and handing it to the teller. The picker must wait for the teller's response on the name as a whole. In this method the only way of making progress is through slight unavoidable changes on the tellers face telling you if you are littler closer after you have tried a new name. One important note is the interconnection and fastening must be applied when the main rotary plug begins to turn and not only when torque is applied. By ensuring the key operated parts are locked in place before they are tested for correct placement one ensures they cannot be manipulated by lowering the torque applied to the rotary plug. One may vary the amount of torque used during the manipulation of a rotary plug, but if they want the main obstruction or bolt to be relocated they must turn the main plug a certain amount of degrees. By ensuring all parts are locked as the plug begins to rotate a variation in torque will not affect the locks resistance to manipulation. The present article describes this two stage method to improve resistance to surreptitious opening.

This first following section will briefly go over some past pick resistant lock designs and their fallbacks. The next section will focus more on the general idea which is the two stage method and its benefits, which will then by followed by a section demonstrating some possible implementations of the method.

------The locks addressed below do not represent all lock designs or even all designs for pick resistance. They represent the more eye-catching designs found when searching for pick resistant patents. They can demonstrate where the most energy has been invested in pick resistant designs. All the locks listed in this section are vulnerable to single pin picking or an equivalent method of surreptitious opening. The most common locking designs as well as most of the locks shown here revolve around the pin tumbler do to its wide use and ability to allow simple keys to be made and used in a single rotation. There have been many attempts to improve these locks resistance to manipulation, however most of them involve adding more pins or altering the way they are moved. These locks include some high security ones like the Medeco, BiLock, and Mul-T-Lock. Patent 3303677 is an example of a design which while provides pick resistance through adding additional pins in awkward positions it provides no protection for each individual pin. Other designs like patent 3478549 try to alter the key way making it more restrictive to tools, but it still allows tools, or in this case, even bump keys to be used. Patent 6058752 nicely and simply makes the key way more awkward, but still is still ineffective and could be quickly bypassed with a custom tension wrench. Changing the key ways seems to be a favorite technique of lock manufacturers to acquire new patents, they may even expand this to include a check pin. A check spring can be seen in patent 3216230, but this can easily be defeated because it simply acts like an additional pin which can be moved with a tension wrench or picked with a probe. Many attempt to lower the amount of feedback given to the picker. One example is patent 3494158 which allows driver and key pins to catch on each other, lowering the rotation of the plug when a pin is set. This does help compensate for errors in manufacturing, but still does not prevent feedback to the picker while manipulating pins individually. Patent 5001914 claims to offer increased pick resistance, but a closer looks appears to show the method it uses to make oversetting a wafer easier is also necessary for the lock to prevent simply oversetting all the wafers followed by pulling them all down, and it still cannot protect from a skilled pickers ability to vary tension to prevent oversetting. Patent 3045468 uses an elaborate system combining patent 3783660 and the mushroom pin to provide many opportunities to get false sets during manipulation but once again does not provide protection from varying tension during picking. In this case careful picking or even bumping may be possible after the lock has been falsely set. Many simply use spool or serrated pins, discs, or wafers as can be seen in patent 3762193 and 4977768, which are naturally based off torque applied to the inner or main locking mechanism, and not the degree of movement for the same. The problems these locks are facing are very similar. They add additional variable parts which must be set by a key or manipulated, insert obstacles to restrict access, and base the locking of these parts off torque. Some are implementing mechanisms to catch pins, which is the right direction. It is a method of locking pins in place. However most only catch pins if they are incorrectly maneuvered and do not interconnect the pins when they are caught. Most locks, if using a locking mechanism to hold parts in place at all, are made as patent 3045468 was, "to prevent picking by these and other methods we provide a lock cylinder therein which prevent the tumblers from manipulated when torque is applied during operations and which also serve to baffle and person tampering with the lock cylinder toy him from feeling or otherwise determining the unlocking positions of the tumblers". Many lock pickers have shown they are not baffled by these tricks and can teach their hands and eyes to identify unlocking positions by controlling tension. Tools are also available online which provide methods to constantly control and measure this tension as shown here.


3303677	3478549	6058752


3216230	3494158	5001914	3045468


3783660	3762193	4977768

------The fall back of the locks mentioned above and the vast majority of other locks on the market is that they are vulnerable to manipulation using torque and probes to feel the resistance of individual parts as they encounter an obstruction. While this is not the only vulnerability, it is the most common. The solution to this, as was mentioned above, is one which allows key operated parts to be operated on individually by a key at one stage, but interconnects and locks them in place in a second stage when rotation of the main rotary plug is attempted. The parts operated on by a key need to be able to move free of each other when they are being properly positioned. There is no problem with this when regarding surreptitious manipulation. This is not saying no method can fully compromise a lock with out placing tension on the plug to rotate it (or instead of rotating a plug, the movement main housing that's normally blocked from shifting), but that allowing parts operated on by a key to move freely prior to rotation is never a concern. Bump keys and wapping can further complicate this rule. They lead to a more fundamental lock law which says parts must be in a certain position at the time of rotation, versus parts must not be in certain position at the time of rotation (which most tumblers follow). This leads to not only checking the shear line for the position of pins, but also any cavity a pin should not be in, or using a method which says if the sheer line is free the part must be here, versus somewhere else in this cavity (once again, at the time of rotation). Bump keys and wapping also do not rely on the individual manipulation of parts, and therefore are not inherently protected from by the main the method I'm discussing. There are also methods which can compromise a locks security through decoding the parts operated on by a key prior to attempting rotation, but these methods are not based off the parts being able to move freely. Decoding is most often based off finding access points in those parts created to allow an obstruction to fall into, or feeling other access points further in the lock housing. There are also bypass methods, which as the name says, bypass the locking cylinders and usually attempt to manipulate the final obstruction keeping the lock closed, which may not be locked into the locks key control cylinder. These are problems based on individual lock designs and manufacturers imperfections. The method discussed here does nothing to prevent them nor does it try to. The problem of bypass techniques or presenting some simple ideal methods of connecting the key controlled locking mechanism to the main locking bolt is a topic for another paper. The problem of decoding is mostly a concern for a manufacturer. So, there is no reason to try and hinder the free movement of pins or obstructions when the cylinder is not attempting to rotate. This is what the first stage is reserved for, the free movement of parts acted on by a key to a position which allows the lock to open.

The second stage interconnects and locks all variable parts dealing with validation or key control in place, must be initiated for the lock to open, and does so prior to those parts being tested for correct placement. The interconnection of the parts should serve to essentially create one part which is later checked for correct placement. This does not need to be complicated; a simple side bar falling into all the parts serves this purpose. This prevents individual manipulation, by saying if one part moves that all must move. The locking of the parts in place is essentially done by interconnecting, but the parts as a whole can still be manipulated. Ideally, the second stage would not allow this new part to be moved for complete security and would implement a method to prevent manipulation of any kind on the new interconnected part. However, this appears impossible do to the essential nature of mechanical locks, which says this part must be pressed against something based off rotation of the plug (which represents a certain amount of force which can be varied). If this part can be manipulated it may be tested during the validation process with varying levels of force, in turn creating different levels of feedback. None the less, by creating and splitting the functions of a lock this way you create a system where the tolerances of the lock will have to be measured in multiple positions to provide information on individual parts and the positions which must be measured cannot be gone through without returning the locks position to a previous state. The amount of movement necessary to return to the previous state (stage one) can be designed for different levels of protection. Of course this second stage must be required for the lock to open, otherwise attackers would try to bypass it, and therefore it must also be initiated by the key. Even if an attacker cannot bypass the method as a whole, if he can recognize feedback from the mechanics of the lock, when interlocking parts based off of their position, he can use this to manipulate the lock. This is because if the initiation of the second stage is based off of the position of pins the lock has essentially just created a second set of contact points on a sheer line, allowing single pin picking. When this stage is initiated is must be based off of movements of parts which must be moved to open the lock. This is a critical step. If the initiation is based off tension, the tension can be manipulated. However, when you know that for a lock to open certain parts must be in place you can initiate the locking of the key variable parts based off those movements. Because of Newton's first law, you know that any new movement of these parts requires some amount of force and you know that by implementing the locking of key variable parts off this movement you have accommodated for any variation in force or torque. All this must be accomplished before these parts are tested for correct placement (as they would be positioned by a correct key). While on paper it may be possible for these parts to be securely locked and tested simultaneously, constant minute imperfections resulting from the manufacturing process show it is not a capability of locks made with today's technology. The distance parts must travel from the where they are secured to where they are tested for correct placement must be greater then the tolerances of the lock. As was mentioned earlier, the amount of movement necessary to return to the previous state (stage one) can be designed for different levels of protection.

It may be at this point much of these details are redundant or unnecessary. They are added to try and clarify exactly what is needed. Many of the pick resistant methods used in the past take parts of this method, complicate them, and allow them to be compromised because all the other details noted are skipped. For example the mushroom pin attempts to lock a cylinder when the pin is at an incorrect height, but because it only locks the pins when they are at the wrong height pickers can identify them based off the rotation of the plug or their feel (as they can still be manipulated while the lock is trying to turn, because they are based off torque). The same problem affects serrated pin designs in rough or rifled chambers. Side bars alone try to interlock all parts, but they try to lock and test pins at the same time which just creates a new type of sheer line. Patent 2596720 nicely tries to implement the two stage method into a pin tumbler, and offers interesting pick resistance. It however initiates the locking of pins into the lock based off their position while the cylinder attempts to rotate and then adds a small pin to create false sets. While this design is very nice it limits its own potential security, allowing smaller amount of possible correct pin positions to be found through single pin picking because of some small deviations from important factors.

2596720

------The implementation of this method does not need to be very complicated, and has been done successfully in the past. Multiple requirements of the lock can be acquired through individual parts. For example, when a lock effectively removes the ability to manipulate parts and allows only the amount of cylinder rotation to be altered then it must have incorporated the parts into the lock, meaning they are also interconnected with each other. A side bar used to interlock parts can be fit into a groove in the shell whose angle determines the necessary rotation before other steps in the unlocking process are taken. When first making a system other factors can also be considered. For example, to start preventing bumping and other unforeseen methods of manipulation the lock can use a testing system which does not check for the absence of a blocking part in a cavity, but instead ensures for the cavity to be free the key variable part must be located in one sport. While creating a cavity in which the parts operated on by a key sit in does not need to be avoided, it should be that this cavity is not large enough for the testing system (likely a side bar) to fall into while the parts are elsewhere in the cavity. For example using a single pin with holes allowing a side bar to fall in, inside a chamber which has a near same diameter and is less then twice its length would ensure this.

The only product I know of currently being sold fully using this method is the Abloy Protec. It accomplishes this through what it calls a Disc Blocking System. The rotary discs of the lock are locked in place after a ninety-degree rotation of the key, which turns a 0-disc that engages a return bar. The return bar is essentially a side bar which interlocks into grooves on the bottom side of the discs. The return bar locks the discs in place (and is later used to realign them when locking), and a separate side bar (the locking bar) is used to check their position. The locking bar is implemented in a way which prevents it from testing the discs position based off pressure applied to it from the lock housing until the rotary discs are locked. This excellent design explains why in some circles this lock is considered unpickable except through brute force trial and error using an auto dialer. This lock, like all locks, is weak to educated trial and error based off testing and measuring its tolerances, however, the only possible weakness that appears which could allow picking with real time feedback is the locking bar rests on the rotary discs. It is theoretically possible to amplify the feedback from the minute friction it exerts on the discs to identify the gates in them. It may also be theoretically possible to find a force which can put pressure on the locking disc while bypassing the return bar and other metal obstacles preventing access to it to identify gates, such as pressure from conflicting magnetic fields. However, even these possibilities rely on the 0-discs being improperly manufactured allowing low spots in their diameter to be exploited or there being a moment when the 0-discs allow the locking bar to fall into gates before the return bar has rotated enough to secure the combination discs. On paper this is not the case, but because the rotation necessary between locking the discs and testing them is so small the feasibility of these ideas may well depend on the manufacturing tolerances (which appear very precise) in the 0-discs and the blocking gates. Two good sources for more information on this lock are http://www.toool.nl/abloypart3.pdf and http://mitchcapper.com/cutaways/factory/4-abloy-protec-mortise/ .


Locking Bar 1	Locking Bar 2	Return Bar 1	Return Bar 2

The following designs are more meant to serve as ideas then outlines for implementation, which is probably apparent by their quality. There are likely more efficient or secure methods of designing them, and there are many ways in which they can be modified for the needs of the dealer, manufacturer, or customer.

The first design below uses a pin and two side bars to split the stages and check pin positions. In this design there are two side bars, one fitted around the longer. The longer side bar, will hit the outer shell first when rotation is attempted and be pushed into notches, holes, or serrations in the pin locking it in place. As the inner plug rotates further the second side bar will be pressed against the outside of this first cavity, and depending on how far the side bar can be pushed in it the plug may or may not rotate fully. This design is a good example of how pins can be troublesome to be able to lock in place in any position a key could place them in. Not shown in the drawing is if this pin where to be able to rotate and still maintain integrity it would need to have obstructions running vertically as well. Of course in my drawing the distance the side bars need to travel to allow rotation of the cylinder is greater then the pin diameter, but surely a fix for this can be imagined.

This next design simplifies the mechanics used in the Abloy Protec accomplishing the necessary functions for the two-step method, while not all the bells and whistles which come with the Protec. It is also susceptible to the manipulation techniques mentioned with Abloy Protec. The following design shows the combination disc in the front followed by a driver disc. There would only be one driver disc, combined with multiple combination discs. Each combination disc would need to have a false gate anywhere a gate could be. The false gates would need to be deep enough so if the side bar falls into them it cannot be manipulated without adjusting the driver disc. In this implementation, the more amount of combinations, the more false gates, the more security. Multiple driver discs could be used with out compromising the two-step method as long as they where not considered to be combination discs which could be relied on to increase possible combinations. If they where used as combination discs they would compromise security, if they where used to compensate for the imperfections in manufacturing along with an appropriate amount of combination discs they could improve security.

Quick notes regarding rotary discs which do not use driving discs (0-discs)... If the false gates lock the side bar in them, then there is an order in which the discs must be rotated. If the false gates do not fully lock the side bar in them, then the discs may be manipulated individually without returning the lock to any other state of rotation by varying tension.

The last design uses a series of gears operated on at different times based of the rotation of a single driving gear to initiate the two stages. In this drawing the gears which align a gate the side bar will later fall into are located in the front of the lock, which we can call combination gears. Behind them are the driving gears. The combination gears are first turned by a key using a series of gears on it whose length around the key determine the amount of rotation of the combination gears. After the combination gears are set in place the driving gears are initiated by a gear on the key. The driving gears interlock with the combination gears and inner plug (which the side bar is located on) and rotate the two into each other. One advantage of this implementation is any pressure on individual combination gears (while interlocked with the driving gears) is not only fruitless, but also provides torque on the side bar in the opposite direction of the necessary rotation. It does not require false gates as the gears around the circumference of the discs naturally interlock the discs in any position they may fall in. This design could also use the same parts in every lock, as their placement in the lock determines the necessary rotation of themselves. This design has no measures to prevent the combination gears from being changed. This means in its current raw form any manipulation which was not fully reversed would prevent the lock from opening with the correct key. An implementation of return bars as used on the Abloy Protec might be a nice finishing touch. The combination gears which protrude into the key way could likely be modified so a control key would be necessary to realign the combination gears containing the gates. In some situations it may even be desirable for the lock to never open if there is a risk of an attacker. As mentioned earlier, these are ideas to be customized.

------Hopefully this article can be used to provide better understanding of problems and solutions in current lock designs, as well as provide some new effective ideas for future locking designs. For any questions, comments, or errors feel free to contact me at knowthebird@gmail.com.