It is usually deployed with a weak cipher that can be broken in realistic time, but the protocol itself is fairly sound (other than being vulnerable to a MITM relay, which seems impossible to defeat when we have one way communication.) Knock Codes are a knowledge-based unlock authentication scheme used on LG smartphones where a user enters a code by tapping or "knocking" a sequence on a 2x2 grid. A simple but clever protocol widely used in “rolling code” systems for remote door unlocking using low powered devices with very limited computation, only one of which can transmit. the typical 5 minute lockout after 3 wrong guesses.) Of course, any such method will also require rate limiting (e.g. (Currently 38 minutes past the hour on 19th of the month, giving 399 if my password is OPENSESAME the current code is NEE.) A smart eavesdropper will eventually figure out this sort of system, but it will take quite a lot of interceptions, typically at only one per day and the defender may change the password and / or algorithm from time to time. Use each digit to pick a letter from a password, and tap it out in Morse. For a simple example: add the current day of month to 10 x the minutes past the hour. No algorithm that you can do in your head will be remotely as secure as a modern cryptographic protocol, but it is not difficult to come up with ones that will frustrate limited eavesdropping. through Morse code, or as binary numbers), and an algorithm to generate new knocks which can be interpreted by the processor in the lock. What is required is that the user be able to easily represent a variety of coded knocks (e.g. It is possible to make this system more resistant to replay without nearly that much complication. IIRC that system resisted replay attacks through the Keeloq protocol. It was noted that the acoustic data channel has a number of potential advantages.
You can see that the tap code wouldn’t be easily detected by someone hiding in the bushes, which is what happened to the original “Open, sesame!” because it wouldn’t come into play except in an emergency. As Thunderbird points out, a much more sophisticated system (with an electronic device to do the knocking) has been discussed previously, and is commercially available. Zebbie called the cadence "Drunken Soldier." Jacob said that it was "Bumboat." Deety claimed that its title was "Pay Day," because she had heard it from Jane's grandfather." The tapping code took even less, it being based on an old military cadence-its trickiness being that a thief would be unlikely to guess that this car would open if tapped a certain way and in guessing the correct cadence. That took a couple of hours, with Deety helping Zebbie. “Part of the problem lay in the fact that Gay Deceiver was a one-man girl her doors unlocked only to her master’s voice or to his thumbprint, or to a tapping code if he were shy both voice and right thumb Zeb tended to plan ahead-“Outwitting Murphy’s Law,” he called it, “Anything that can go wrong, will go wrong.” (Grandma called it “The Butter-Side Down Rule.”) First priority was to introduce us to Gay Deceiver-teach her that all four voices and right thumbprints were acceptable. “temporarily shift authorisation”, “withdraw temporary authorisation”, …) it seems that it leaves the user with the same problems the physical key does - but with more trade-offs. Starting to look at this doorlock security system from the use cases beyond the obvious “open the door now” (e.g. On the other hand: What if you want to give the key to your lessor who has to give it to some plumbing company who will give it to the local contractor who comes over to your place to fix a broken pipe while you are at work? In that case the process of moving authorisation is not so easy because it’s Chinese whispers. And what’s about the passive failure rate?
How much “being off beat” does the lock tolerate? Hard to tell for the owner. And the active failure rate? How good is the lock at recognising an intoxicated, tired, ill-tempered owner? In fact, it’s not even possible to prove that an attacker has copied the key (“No, I didn’t listen to your knocking, sir, I was just thinking about something that just came to my mind…”) It’s almost impossible for the flat owner to know when his authentication token (the knocking sequence) has been compromised because “copying” the token is even easier than copying a physical door key: the attacker needs less budget and less risk tolerance. What’s brittle about the system is that again identification, authentication and authorisation fall together into one step - that’s no progress compared to the physical key-and-lock: Of course prone to replay attack unless you memorize a list of one-time-pass “knocks”.