The Surprisingly Deep Engineering Behind a Modern Door Lock
by Scott
There is something almost philosophically interesting about a door lock. It is a device that most people interact with multiple times every day, that has existed in recognisable form for thousands of years, and that almost nobody thinks about unless it fails. The lock sits at the intersection of mechanical engineering, metallurgy, security theory, human factors design, and in its modern forms, electronics and cryptography. It is one of the most thoroughly solved problems in engineering history and simultaneously one that has never been solved completely, because the adversary it is designed to resist is human ingenuity itself, and human ingenuity does not stop improving.
The pin tumbler lock, which is the mechanism inside the vast majority of door locks in use today, was patented by Linus Yale Jr in 1861, though its basic concept predates his patent by several thousand years in various forms. Understanding how it works illuminates not just the lock itself but the general principle of mechanical security that underlies almost all physical access control. The lock cylinder, the part that rotates when the correct key is inserted, sits inside a housing that does not rotate. A series of small chambers drilled through both the cylinder and the housing contain pairs of small metal pins, a key pin at the bottom and a driver pin above it, with a spring above the driver pin pushing the whole stack downward. When no key is inserted, the driver pins sit with their bottom edges crossing the boundary between the rotating cylinder and the fixed housing, a boundary called the shear line. Because the driver pins span the shear line, the cylinder cannot rotate.
When the correct key is inserted, the irregular cuts along the key blade push each key pin upward by a specific amount determined by the depth of the corresponding cut. The depth of each cut is precisely calibrated so that it pushes its key pin upward by exactly the right distance to align the boundary between the key pin and the driver pin with the shear line. When every pin pair is at exactly the correct height simultaneously, no metal crosses the shear line and the cylinder can rotate freely. The key is in effect a physical encoding of a set of heights, and the lock is a device that checks all heights simultaneously and allows rotation only when all are correct.
The precision required for this system to work reliably is considerable. The tolerance between the cylinder and its housing is measured in thousandths of an inch, tight enough to prevent pins from moving sideways but loose enough that the cylinder can rotate smoothly when all pins are correctly aligned. The springs must provide consistent pressure without being so strong that the key requires excessive force to turn or so weak that pins do not return reliably to the default position. The key pins and driver pins must be manufactured to precise lengths, and the cuts in the key blade must be machined to depths that correspond to those lengths within very fine tolerances. A well-made pin tumbler lock achieves all of this from components that can be manufactured at low cost and assembled quickly, which is why the design has remained dominant for over a century and a half.
The security properties of a pin tumbler lock depend on the number of pins it contains and the number of distinct depths available for each cut. A lock with five pins and ten possible depths per pin has ten to the fifth power, or a hundred thousand, possible key combinations. A lock with six pins and ten depths has a million combinations. This combinatorial space is the theoretical maximum number of keys that the lock can distinguish between, and it represents the lock’s key space. In practice, not all combinations are usable because adjacent cuts that are too similar in depth can create keys that are difficult to machine reliably or that wear quickly, so the effective key space is somewhat smaller than the theoretical maximum.
The key space determines resistance to one form of attack, the attempt to simply try every possible key. For a physical lock this attack is rarely practical because manufacturing a large number of keys and trying each one takes considerable time and is obviously visible. But the pin tumbler lock is vulnerable to several other attacks that exploit characteristics of its mechanical design, and understanding these attacks illuminates both the cleverness of the design and its inherent limitations.
Lock picking exploits the manufacturing tolerances that exist in every pin tumbler lock. In a theoretically perfect lock, all pin chambers would be perfectly aligned and all springs would exert perfectly equal pressure, so no individual pin would be easier to manipulate than any other. In a real lock, manufacturing tolerances mean that the pin chambers are not perfectly aligned, and one chamber will be very slightly offset from the others. When a picker applies rotational tension to the cylinder using a tool called a tension wrench, the offset chamber binds against the cylinder while the others float freely. The picker uses a second tool called a pick to push up the pin in the binding chamber until it reaches the shear line, at which point the tension causes the cylinder to rotate very slightly, and the driver pin of that chamber catches on the edge of the housing, holding the key pin in place. The picker then moves to the next binding chamber and repeats the process, setting each pin one at a time until all are at the shear line and the lock opens.
The security industry’s response to picking attacks has produced several engineering refinements to the basic pin tumbler design. Security pins replace the standard cylindrical driver pins with pins of irregular shape, such as spool pins that have a narrowed waist or serrated pins with multiple narrow sections. When a spool pin is partially lifted and the cylinder rotates slightly under tension, the narrow waist of the spool catches on the shear line, creating a false set in which the cylinder appears to have rotated but has not fully opened. The picker receives tactile feedback suggesting a pin has been set when it has not, and the process of getting from the false set to a true set requires releasing some tension and reapplying it, significantly complicating the picking process and requiring considerably more skill and time.
High security locks go further by incorporating secondary locking mechanisms that operate independently of the pin tumblers. Sidebar locks add a sidebar mechanism that must be satisfied simultaneously with the pin tumblers, with keys that have cuts on their sides as well as their edges to control rotating elements inside the cylinder that must align with notches in the sidebar for it to retract. This adds a second independent layer that must be defeated simultaneously with the pin tumblers, which substantially increases the difficulty of picking because the picker must satisfy both mechanisms at the same time while managing tension on the cylinder.

Disc detainer locks use an entirely different mechanism that replaces pin tumblers with a series of rotating discs. Each disc has a notch cut into its circumference at a specific angular position, and the key rotates each disc to precisely the correct angle to align all notches simultaneously, allowing a sidebar to retract and the cylinder to rotate. Disc detainer locks are highly resistant to conventional picking tools because the attack technique developed for pin tumbler locks does not directly apply, and specialised tools required for picking disc detainer locks are expensive and require significant skill to use.
Dimple locks, sometimes called radial pin tumbler locks, arrange pin chambers radially around the cylinder rather than in a line along the top. The key is flat with dimples drilled to specific depths on its faces and sides, and the pins enter from multiple directions. The added dimensionality increases the key space and makes the picking geometry more complex, and high quality dimple locks frequently combine the dimple mechanism with security pins and sidebars to create a layered defence.
The materials used in lock manufacturing contribute significantly to security properties that are often invisible to the consumer. The cylinder of a high security lock may be made from hardened brass or from a brass alloy that incorporates small steel inserts or balls embedded in the material. When a drill bit contacts these inserts it is deflected or dulled, significantly increasing the time and effort required to drill out the cylinder. The housing of a quality lock incorporates anti-drill hardened steel plates that protect the mechanism from the drilling attacks that would otherwise bypass all the pin engineering entirely.
Key control is another dimension of lock security that involves engineering decisions about key blank design and cutting rights. A high security lock uses key blanks with complex cross-section profiles that cannot be duplicated on standard key cutting machines and may be protected by patents or trademarks that restrict who can legally manufacture the blank. The combination of a mechanically complex blank and restricted duplication rights means that even if an unauthorised person obtains a key to examine or photograph, they cannot readily have a copy made. Some high security systems require proof of authorisation before cutting a copy, and the keys may incorporate features like electronic chips or laser-cut markings that are difficult to reproduce without proper equipment.
The integration of electronic systems with mechanical lock mechanisms has created an entirely new category of engineering challenge and security consideration. Electronic locks range from simple battery-powered deadbolts that accept a numeric code or a wireless credential, through to sophisticated access control systems used in commercial and institutional settings that log every access event, communicate with central management systems, and can be programmed and audited remotely. The security of these systems involves not just the mechanical strength of the lock but the cryptographic security of the wireless protocols used for credential transmission, the tamper resistance of the electronics, the security of the credential management system, and the resilience of the system to power loss and communication failure.
Bluetooth and near-field communication based smart locks have become consumer products with a genuine market, and their security engineering involves considerations that are entirely absent from purely mechanical locks. The cryptographic protocol used to transmit credentials must resist replay attacks, in which an attacker records a valid credential transmission and replays it to gain access. It must resist relay attacks, in which an attacker uses radio equipment to extend the range of a credential so that the owner’s phone appears to be near the lock when it is actually far away. It must resist brute force attacks on the credential space. And it must be implemented correctly in software, because a cryptographically sound protocol that is implemented with a software vulnerability provides no real security. The history of smart lock security research includes multiple examples of well-intentioned products with serious vulnerabilities in their wireless protocols or their mobile applications that would allow unauthorised access.
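The replay resistance described above can be illustrated with a challenge-response exchange. This is an added example, not code from the original article or from any particular smart lock product; the `Lock` class, the `phone_response` function, the message prefix and the key handling are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def phone_response(shared_key: bytes, challenge: bytes) -> bytes:
    """Phone side (hypothetical): prove knowledge of the key for this one challenge."""
    return hmac.new(shared_key, b"unlock|" + challenge, hashlib.sha256).digest()


class Lock:
    """Lock side (hypothetical): issues one challenge at a time, accepts it at most once."""

    def __init__(self, shared_key: bytes):
        self._key = shared_key
        self._challenge = None  # the single outstanding challenge, if any

    def new_challenge(self) -> bytes:
        self._challenge = secrets.token_bytes(16)  # unpredictable, never reused
        return self._challenge

    def try_unlock(self, response: bytes) -> bool:
        # Consume the challenge before checking, so it can never be answered twice
        challenge, self._challenge = self._challenge, None
        if challenge is None:
            return False
        expected = phone_response(self._key, challenge)
        return hmac.compare_digest(expected, response)  # constant-time comparison


def demo() -> dict:
    key = secrets.token_bytes(32)  # constructed key, standing in for one set at pairing
    lock = Lock(key)

    recorded = phone_response(key, lock.new_challenge())  # the transmission on the air
    results = {"legitimate": lock.try_unlock(recorded)}
    # Replaying the recording with no challenge outstanding is rejected
    results["replay_without_challenge"] = lock.try_unlock(recorded)
    # Replaying it against a newly issued challenge is rejected as well
    lock.new_challenge()
    results["replay_on_new_challenge"] = lock.try_unlock(recorded)
    # A response computed for the new challenge is accepted
    results["fresh_response"] = lock.try_unlock(phone_response(key, lock.new_challenge()))
    return results


if __name__ == "__main__":
    print(demo())
```

A fresh challenge does nothing against a relay, because the relayed response is genuinely new and valid; that attack has to be countered by bounding the distance or round-trip time between phone and lock.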
The keypad lock, which accepts a numeric PIN rather than a physical key or wireless credential, presents its own characteristic security challenges. The obvious attack of trying every possible code is limited by lockout mechanisms that disable the keypad after a certain number of incorrect attempts, but keypad locks are vulnerable to a subtle physical attack called smudge analysis, in which an attacker examines the oils left on the keypad surface by the user’s fingers to identify which digits are used in the code. On a four digit code using four distinct digits, the smudge attack can reduce the number of codes to try from ten thousand to twenty-four, a reduction by a factor of more than four hundred. Countermeasures include keypads that light up in patterns that encourage users to touch all buttons, surface coatings that dissipate finger oils quickly, and randomised digit layouts that change position on each use.
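The figure of twenty-four can be checked, and extended to codes that repeat a digit, by counting the codes that use every smudged digit at least once. This is an added example, not part of the original article; it goes beyond the four-distinct-digit case in the text, and the function names and the lockout threshold of five attempts are assumptions chosen for illustration.

```python
from itertools import product
from math import comb


def candidate_codes(length: int, smudged: int) -> int:
    """Codes of `length` digits that use each of `smudged` digits at least once.

    Inclusion-exclusion over the subsets of smudged digits left unused.
    """
    return sum(
        (-1) ** unused * comb(smudged, unused) * (smudged - unused) ** length
        for unused in range(smudged + 1)
    )


def enumerate_codes(length: int, digits: str) -> list:
    """Brute-force cross-check: list every code that uses all of `digits`."""
    return [
        "".join(code)
        for code in product(digits, repeat=length)
        if set(code) == set(digits)
    ]


def guess_probability(candidates: int, attempts_before_lockout: int) -> float:
    """Chance that guessing without repeats succeeds before the keypad locks out."""
    return min(1.0, attempts_before_lockout / candidates)


def summary(length: int = 4, attempts_before_lockout: int = 5) -> dict:
    """Residual search space and guess probability per number of smudged keys."""
    rows = {"no smudge": 10 ** length}
    for smudged in range(length, 0, -1):
        rows[f"{smudged} smudged"] = candidate_codes(length, smudged)
    return {
        label: (count, guess_probability(count, attempts_before_lockout))
        for label, count in rows.items()
    }


if __name__ == "__main__":
    for label, (count, prob) in summary().items():
        print(f"{label:>10}: {count:>6} candidates, P(success before lockout) = {prob:.4f}")
```

With the assumed five-attempt lockout, the chance of a successful guess rises from 0.05 percent on a clean keypad to about 21 percent once four distinct smudges are visible, which is why the lockout threshold alone does not compensate for a readable keypad.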
The door itself, and the frame it sits in, constitute the final and often neglected layer of the physical security system. A high security lock in a weak door frame provides false assurance, because a determined attacker can simply kick the door open at the frame without interacting with the lock at all. The engineering of door security therefore extends to the strike plate that receives the bolt, the length of the screws that secure the strike plate to the frame, the reinforcement of the frame itself, and the design of the bolt or latch that engages with the strike plate. A properly engineered door security system uses a strike plate secured with three inch screws that penetrate through the door frame into the structural framing of the wall, distributing the force of a kick across a much larger area and requiring a substantially higher force to defeat.
The lock is, in the end, a physical embodiment of a mathematical concept, the idea that access can be controlled by requiring the presentation of specific information that only authorised parties possess. The elegance of the pin tumbler mechanism is that it performs this check mechanically, simultaneously, without power, and at a cost that makes it accessible for virtually every application that requires it. The sophistication of high security locks and electronic access control systems reflects the continuous arms race between the engineering of access control and the ingenuity of those who wish to defeat it. What appears to be a mundane object performing a mundane function is, on examination, a dense and fascinating accumulation of engineering thinking that has evolved continuously for thousands of years and shows no sign of having reached a final form.