Welcome to our world exploring the Historical, Political and Technological aspects of Locks, Keys and Safes

Results 1 to 6 of 6
  1. #1
    Join Date
    Dec 2009
    Posts
    1,485
    Country: United States

    Default High-tech Low-tech security fail

    An interesting security "fail" occurred last week (Feb 14 2020). This not Antique in any way but it might entertain the group.

    A critical part of the Internet is DNS, Domain Name Service, and a secure DNS (DNSSEC) is being deployed which relies on signed cryptographic certificates. The security of the cryptographic keys is very important and the Key Signing Key (KSK) is kept in a building in a locked cage inside two safes. Once every three months a key signing "ceremony" is held to sign new certificates and a very detailed protocol is followed which includes opening the safes.

    Before the ceremony starts, some checks are made, including a test opening of the safes. One of the safes would not open! The ceremony was canceled and a locksmith was called to drill the safe (or hopefully do some other work first, like use a soft-blow hammer). I haven't found anything more so far about what went wrong other than it was, in fact, drilled. Video is supposed to be posted later.

    KSK ceremonies are live-streamed and put on Youtube to demonstrate transparency, integrity, and so on. Here is the recent one: https://www.youtube.com/watch?v=B46cWBUU2l4

    It's not very interesting except I did skip to the safe openings. At 14:15 or so they start to unlock the cage which seems to need more than one person. At 15:25 they start to open one of the safes which requires a single person. And so on.

    Here's a screen grab of Safe 2 open with Safe 1 in view:

    Click image for larger version. 

Name:	S2.jpg 
Views:	26 
Size:	253.8 KB 
ID:	22113

    Some random observations --

    The locks all seem to be electronic, the safe locks are dial type such as Kaba Mas X-10 or S&G 2740B. In no case was there any apparent attempt to check audit logs, such as the number of successful openings and/or unsuccessful openings.

    If they had asked me, I might have suggested two different safes from different makers with different locks.

    I generally don't like electronic locks but in this case it might be OK because of the audit log, but only if they check the audit log.

    Video from the previous ceremony in their other facility shows their locks are X-10 (based on the color). The safes appear to be bolted to the floor using some sort of strap. I'd rather see them bolted down from the inside.

    Click image for larger version. 

Name:	S2b.jpg 
Views:	30 
Size:	143.4 KB 
ID:	22114

    Does anybody recognize the safes? In both facilities there is an apparent magnetic sensor, lower-left on the front door and frame.

  2. #2
    Join Date
    Oct 2009
    Location
    Cleveland, Ohio USA
    Posts
    1,433
    Country: United States

    Default

    They look like fairly new typical GSA chests that would come with the X10 locks installed. I don't do that much GSA but the safes are made to spec so the brand doesn't matter much in this case. Likely the lock was the problem but once in a while it would be a safe problem. Even the drilling and repair is regulated to ensure it is properly done.

  3. #3
    Join Date
    Jun 2008
    Location
    Hartford CT
    Posts
    191
    Country: United States

    Default Will-Burt

    Click image for larger version. 

Name:	S2b.jpg 
Views:	30 
Size:	143.4 KB 
ID:	22114

    Does anybody recognize the safes? In both facilities there is an apparent magnetic sensor, lower-left on the front door and frame.[/QUOTE]

    ---------------

    Will-Burt, GSA Class 5, Red Label General Purpose Security Container. The same container can carry the GSA Diebold-Mosler Security Label.

    I agree, if the extent of the security is as shown, it doesn't make sense why they're not utilizing the dual and audit functions of the X-series lock.

  4. #4
    Join Date
    Jul 2014
    Posts
    266
    Country: Germany

    Default

    On the photos on twitter you can read Mosler-Diebold.

    I am unsure if it is a IPS or maps container. I don't see any air vents, so I tend to favor the maps container., but slide 7 of an dns-oarc presentation mentions an IPS.

  5. #5
    Join Date
    Oct 2009
    Location
    Cleveland, Ohio USA
    Posts
    1,433
    Country: United States

    Default

    Doesn't look like map container to me, unless they have greatly changed the shape. Map and plan chests are tall and narrow.

  6. #6
    Join Date
    Jul 2014
    Posts
    266
    Country: Germany

    Default

    A size IV should about fit.

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •