January 23, 2003

How AT&T May Have Helped Bring Down the DMCA

Catchy title, that. Of course, I don't think they know they've done this.

By now, most people reading this have seen some reference to Matt Blaze's paper on decoding master-keyed lock systems; if not, the New York Times ran an article on it. He's done a nice thing there - he's taken the rigor and planning that would normally be applied to analyzing a computer-based security system, and used it to analyze a physical security system instead.

It turns out that you can go the other way, too.

This is an idea that's been flipping around in my head for some time, but the arrival of this issue on the scene makes it an ideal time to release it into the great big world. And, as with Matt Blaze's attack, it may not even be a new idea - others may have had the same thoughts. The core of the idea is so simple that I'm certain other people have started down this path before. However, to simplify my job here, you need some basic understanding of how locks work. Matt Blaze's paper is a good start, so go scan through it.

As you read Matt Blaze's paper, you'll see at several points that a key is described by a sequence of digits, one per pin, giving the depth of each cut (the "bitting code"). "11111" is a five-pin key with every cut at the same depth; "44444" is a different key. For a locksmith using a standardized notation, that 'number' is the critical piece of information needed to turn a key blank into a working key. Given a working key, you can also measure it and recover its number - for a given blank and depth system there is a one-to-one relationship between numbers and keys.

So, the keys are like passwords. Your lock is a mechanism for testing your password.

Now, I don't want to just protect doors. I also want to protect - for example - online music files. So here is what I will do. I will build a device that connects to my computer and has what looks like a lock on the front. But it functions a little differently - when you insert the key and turn it, the device measures the key cuts and determines the "number" (see above) corresponding to that key. This number is then sent to the computer. Special software on the computer takes that number and uses it to enable access to otherwise unavailable files. If you register your key with - for example - a music service, then you could download files that only you, with your key, can play back.

This has some nice effects - just insert my key, and the computer enables access to all my files and applications. Other people with different keys can use the same machine, and our files are separate and secure. Now, you could do this more cheaply using a USB key, for example, or using one of several dongle-style systems available for exactly this purpose. But my system still has a couple of advantages. Metal keys are very robust - they can be dropped in water, microwaved, crashed against other keys, and they will continue to work just fine. They're convenient, since most people already carry a key-ring. They don't need batteries. They're even immune to EMP attacks. Try THAT with a smartcard!

But that's not the big advantage. In fact, the big advantage is likely something that most of you are considering to be a disadvantage. You may be pointing out that all I have to do is go down to the hardware store, and they will copy the key for me. Then I can give copies of all those music files to a friend along with the key. And you would be correct - for now.

See, in use, the key system seems reasonably effective. It's not perfect - but nothing is in this domain. And since I'm using it to protect against the illicit dissemination of copyrighted materials, I have a great big stick to back me up - the DMCA. And using the DMCA, I can insist that the hardware store not copy keys. Furthermore, I can insist that manufacturers of key-copying equipment no longer manufacture or sell such equipment. And if they continue, I can get them charged with a criminal offence.

Now, think about the arguments against this line of reasoning.

First one - they've been doing this for years, and it was never illegal before. True - but the DMCA is a new law, creating new offences. It has to be this way, otherwise all the ways of breaking into digital files that existed before 1998 would remain legal. Note that the key is not simply "throwing a switch" somewhere - copying the key actually copies the "key value". There is no way to copy a key without doing that.

They might argue that this is hardware, not computer stuff. Sorry, that can't be OK either, because the DMCA refers to 'devices', which the key-copying machine certainly is.

They may state that there are legitimate uses for the key-copying machine - which is true, but isn't a defence under the DMCA (think Elcomsoft).

And that's another one - the Elcomsoft trial means that such devices are allowable. My rough not-a-lawyer reading of the decision says "no" - Elcomsoft was not guilty because they didn't really understand that they were breaking the law, and once they had that explained to them, they stopped selling the offending item.

In fact, this device could be highly useful in a world where key copying is outright illegal. If they defend themselves in court, your argument is roughly as follows - my device protects files from copying, just like many other things in the marketplace. Those things are from companies who are my competition, and THEY have the DMCA to help protect their business. I simply want a level playing field, and the question of whether this key-copying equipment is ok is not the most important question. Of more importance is the idea that if the DMCA is to stand as a law, then it must apply equally, even if some companies can no longer sell certain devices.

Again - not-a-lawyer here, but I think you have more than a good chance of succeeding in one of two ways.

You may get an Elcomsoft style result - the company isn't guilty, but the key-copiers are off the market. Or they just take them off the market, and it never goes to court. Either way, you have one rather irate company, with employees, whose chief executive calls up his Congressman and asks what the hell is going on in Washington that they passed a law to put his company-of-three-decades out of business. Meanwhile, we can go back to the drawing board, and find another real-world security mechanism to target under the DMCA. I'm reasonably confident that drafting a law to allow physical key-copiers without also allowing software key-copiers can't work. The determining factor might be the "physical access" argument, which provides a DMCA exemption if the copier is only providing physical access. In that case, I'll write another article, explaining how to use some common software protection mechanism to lock my front door, and how the software (from Elcomsoft, perhaps?) is only needed to give me "physical access".

Your other outcome is a kick to the DMCA, where a judge looks at it and says (by the way, I-am-not-a-judge, either) all your arguments are correct, but the result is silly - reductio ad absurdum, the law must be bad. You'll still have to wade through the appeals, though.

So that's my idea. I can see any number of ways of implementing it - little levers whose position is read with mouse-ball optical encoders to determine the key depths. Or a small optical scanner that reads the outline of the key and determines the cut depths that way. And I would add an intermediate layer of software to transform raw "key values" into "file key values", so that I can copyright my software and protect my device in the marketplace for my lifetime plus 70 years.
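Here is the key-as-password idea, and that intermediate layer, worked through in code. This is an added example, not code from the original post and not the author's device: the five-pin, ten-depth key, the per-installation device secret, the record format and the PBKDF2 step are all assumptions. It covers the two pieces described above: turning the measured key into its "number" (the bitting code) and handing that to software, and then transforming the raw key value into a file key value before anything is checked against it. It also shows the check a practitioner would want before building this: five pins with ten depths is only 100,000 possible keys, so an unkeyed hash of the raw number is recovered by trying every code, which is why the transform has to be keyed and slow.

```python
"""Added example: the post's key-as-password device, in code.

A key's bitting code (one digit per pin, e.g. "34512") is the "number" the
post describes.  The device reads it; the software turns it into a "file key
value" and checks that against what was registered.  Constructed example: the
device secret, record format and depth range are assumptions, not anything
from the original post or from a real product.
"""
import hashlib
import hmac
import itertools
import secrets
from typing import Optional, Tuple

PIN_COUNT = 5   # five-pin key, as in the post's "11111" example
MAX_DEPTH = 9   # assumption: cut depths numbered 0..9 on each pin


def parse_bitting(code: str) -> Tuple[int, ...]:
    """'34512' -> (3, 4, 5, 1, 2).  One code, one key: the mapping is one-to-one."""
    if len(code) != PIN_COUNT or not code.isdigit():
        raise ValueError(f"expected {PIN_COUNT} digits, got {code!r}")
    depths = tuple(int(c) for c in code)
    if max(depths) > MAX_DEPTH:
        raise ValueError("cut depth out of range")
    return depths


def key_space_size() -> int:
    """How many distinct 'passwords' the lock can test: depths ** pins."""
    return (MAX_DEPTH + 1) ** PIN_COUNT


def naive_file_key(depths: Tuple[int, ...]) -> bytes:
    """What not to do: an unkeyed hash of the raw key value."""
    return hashlib.sha256(bytes(depths)).digest()


def brute_force_naive(target: bytes) -> Optional[Tuple[int, ...]]:
    """Recovers a key from its naive hash by trying every bitting code.
    The whole space is only key_space_size() hashes, so this finishes in
    well under a second: the raw number is far too small to use directly."""
    for depths in itertools.product(range(MAX_DEPTH + 1), repeat=PIN_COUNT):
        if hashlib.sha256(bytes(depths)).digest() == target:
            return depths
    return None


def file_key_value(depths: Tuple[int, ...], device_secret: bytes,
                   salt: bytes, iterations: int) -> bytes:
    """The post's 'intermediate layer': raw key value -> file key value.
    Keyed with a secret held by the device/software (assumption) and made
    slow with PBKDF2, so even someone holding the secret cannot search the
    small key space cheaply."""
    return hashlib.pbkdf2_hmac("sha256", bytes(depths),
                               device_secret + salt, iterations, dklen=32)


def register(code: str, device_secret: bytes, iterations: int = 20_000):
    """Enrolling a key with the music service: store a per-key salt and the
    derived verifier, never the bitting code itself."""
    salt = secrets.token_bytes(16)
    verifier = file_key_value(parse_bitting(code), device_secret, salt, iterations)
    return (salt, iterations, verifier)


def unlock(code: str, device_secret: bytes, record) -> bool:
    """The lock 'testing the password': recompute and compare in constant time."""
    salt, iterations, verifier = record
    try:
        depths = parse_bitting(code)
    except ValueError:
        return False
    candidate = file_key_value(depths, device_secret, salt, iterations)
    return hmac.compare_digest(candidate, verifier)


if __name__ == "__main__":
    secret = secrets.token_bytes(32)   # assumption: a per-installation device secret
    record = register("34512", secret)
    print("right key:", unlock("34512", secret, record))   # True
    print("wrong key:", unlock("34511", secret, record))   # False
    print("key space:", key_space_size())                  # 100000
    print("naive hash cracked:", brute_force_naive(naive_file_key((3, 4, 5, 1, 2))))
```

Note what the brute-force function shows: anyone who captures an unkeyed hash of the number gets the key back after at most 100,000 guesses, and a copied physical key gives exactly the same number anyway. The keyed, slow transform stops the offline search; it does not stop the hardware-store copy, which is the point the post goes on to make.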

But I can be VERY generous on licensing terms...

Posted by Chris at 12:30 PM, Jan 23, in Thinking