If a mechanical engineer can get their hands on 1,000 sample locks and keys (for instance: by simply buying them) and then imaging them, is it that difficult to reverse engineer the skeleton key system?
It requires access to one (non-master) key as well as a lock which is openable by that key. It also requires being able to generate a modest number of new keys with a key cutter (however, significantly fewer than brute-forcing the entire space).
IIRC, the attack boils down to:
- Start with the known non-master key
- Hold all but one of the teeth constant, and try different values of that one tooth until you get a different working key. This other value must be the master key's value.
- Repeat until you have the master value for each tooth.
If TSA locks work the same way as the locks described in this paper, a single lock/key seems sufficient to generate the master key.
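As an added illustration of the per-tooth search sketched in the comment above (a constructed simulation, not code from the thread or from the paper it refers to), the following models a master-keyed pin-tumbler lock, in which each pin position accepts either the change key's depth or the master key's depth, and counts how many test keys the search needs compared with the full key space. It also handles the case the bullets skip, where the master and change key share a depth at some position, and assumes any bitting can be cut (no adjacent-cut restrictions).

```python
"""Simulation of per-pin master-key recovery against a master-keyed lock.

At each pin position a master-keyed lock has two shear depths: the change
(non-master) key's depth and the master key's depth. Any key whose cut at
every position matches one of the two opens the lock. The bittings below
are constructed sample values, not real keys.
"""


class MasterKeyedLock:
    """Opens for any key that hits an accepted depth at every pin position."""

    def __init__(self, change_key, master_key):
        assert len(change_key) == len(master_key)
        self.accepted = [{c, m} for c, m in zip(change_key, master_key)]

    def opens(self, key):
        return all(cut in ok for cut, ok in zip(key, self.accepted))


def recover_master(lock, change_key, depths):
    """Vary one position at a time, holding the others at the change key's
    cuts. Returns (recovered master bitting, number of test keys cut)."""
    master = list(change_key)
    attempts = 0
    for pos, own_cut in enumerate(change_key):
        for depth in range(depths):
            if depth == own_cut:
                continue  # that is just the change key again
            trial = list(change_key)
            trial[pos] = depth
            attempts += 1
            if lock.opens(trial):
                master[pos] = depth  # the only other accepted depth
                break
        # If no other depth opens the lock, the master key shares this
        # position's depth with the change key, so master[pos] stays put.
    return tuple(master), attempts


def brute_force_space(pins, depths):
    """Size of the full bitting space a blind search would have to cover."""
    return depths ** pins


if __name__ == "__main__":
    change, master = (3, 5, 1, 6, 2), (3, 2, 7, 6, 4)  # constructed sample
    lock = MasterKeyedLock(change, master)
    found, n = recover_master(lock, change, depths=8)
    print(found, n, "test keys vs", brute_force_space(5, 8), "blind")
```

With five positions and eight depths the search above cuts at most 35 test keys against a blind space of 32,768, which is the reduction the comment is describing.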
I recall reading that it really only takes about one (maybe two) regular office keys to create the master key that unlocks them all. There were flaws in that system which made it easier (given only keys), but I would wager it's not too hard to make a master key given a few locks as well.
It's very easy to do, actually; you just need one lock. It's called key impressioning: basically you put a blank in a lock, look for the scratches on it, file it down a bit, rinse/repeat.
It shouldn't be quite that easy, because the engineer has locks A, B, and C, and needs to discern from them the skeleton key that unlocks X, which they do not have.
Forget about leaks for a second.