There is an undeniable mystique surrounding safes and vaults. Containers to safeguard valuables and secrets from theft and prying eyes have existed almost as long as the concepts of valuables and secrets themselves, and yet in spite of the “Internet age,” details of safes and the methods used to defeat them remain shrouded in obscurity and even a certain amount of mystery.
For all the reticence surrounding the subject, however, safes and safe locks (and how they are defeated) are worthy topics of study for students not only of locksmithing but of information security. An unfortunate side effect of the obscurity of safe and vault technology is the obscurity of tools and techniques that deserve to be better known and more widely applied to other disciplines.
The attack models against which safes are evaluated, for example, are far more sophisticated than their counterparts in computer science. Many of the attacks, too, will remind us of similar vulnerabilities in computer systems, in spite of having been discovered (and countermeasures developed against them) decades earlier.
A safe or vault is a container designed to resist unauthorized entry by force. Even the best safes and vaults are not absolutely impenetrable, of course; their strength is constrained by both physics and economics. Safes are distinguished from one another not by whether they can be penetrated, but by how long it would be expected to take, the resources required, and the evidence it produces
The most obvious lock security factor is the number of distinct combinations; it provides a bound on the time required for exhaustive search. Most safe and vault lock dials are divided into 100 graduations with three or occasionally four dialed numbers in the combination.
Safecracking For The Computer Scientist is a well illustrated treatise which will examine security against forced, covert and surreptitious safe opening, focusing on the mechanical combination locks most commonly used on commercial safes in the US.
Following topics are discussed in Safecracking For The Computer Scientist:
- Safe and vault security: a computer science perspective
- Safe and vault construction
- Container security metrics
- Lock security metrics
- The combination keyspace
- Manipulation resistance
- Using security metrics
- Group 2 mechanical combination locks
- Retracting the lock bolt: the drive cam and lever
- Enforcing the combination: the fence and wheel pack
- Dialing the combination
- Other considerations and design variants
- Attacks against containers
- Forced entry: brute force
- Covert entry: drilling
- Principles of destructive decoding and bypass
- Determining drilling points
- Hardplate drilling techniques
- Surreptitious entry: lock manipulation
- Manipulation principles
- Measuring relative fence depth
- Wheel pack analysis: the simple case
- Wheel pack analysis: complex cases
- Learning manipulation
- Design variants and manipulation countermeasures
- Appendix: Acknowledgments and further reading