What Electronic Door Lock Would You Buy?

zentigger asks: "I work for an ISP that supports internet in several dozen remote areas. Our POPs are typically fairly small shed-like structures, with a couple racks of equipment. For the most part, we can manage this stuff in-band, but frequently we need to have a local agent physically access the equipment for some minor maintenance work or adjustments. As time goes on, the shuffle of keys is becoming farcical and expensive. What we need is an electronic lock of some sort that can be reprogrammed remotely (preferably from a remote console via serial or directly via ethernet) that will stand up to extreme weather. Google certainly turns up lots of glossy brochures — although I don't see how they can -all- be 'The heaviest duty lock you can buy!' Does anyone have good experiences with any particular products or perhaps other means of dealing with the key shuffle?"

A GSA approved lock of course

[laing]

Sargent & Greenleaf are *THE* stanrdard when it comes to electronic locks. See here [sglocks.com].

Bit o' Warning

[thesameguy]

A while back I did some consulting for a somewhat remote municipality, who was in your exact same situation. They had small "equipment sheds" located throughout the region, and were having problems maintaining physical access. Their solution was to invest in a bunch of programmable electronic combination locks that they could reprogram as people were fired and/or promoted and not have to go through the whole rekeying process. This created an entirely new problem: People forgetting access codes that changed every several months. These workers worked around the problem the only way they could: Prying open the doors with tools, breaking the doors and sometimes the locks in the process. This forward-thinking municipality ended up footing the bill for the lock retrofit, a bunch of broken doors, and ultimately a return to standard keyed locks. FYI, YMMV...

S&G, HID are standard

[mlts]

Most companies I see use HID or S&G for card access. I personally would recommend HID (one of their newer card reader lines that use two-way authentication).

For mechanical lock backup, go with Medeco, Mul-T-Lock, or Abloy. All of which are immune to bumping, are restricted in key duplication, but keys are still decently available when you need copies made at a locksmith with your card.

Lastly, if you want a solution that is a hybrid, requiring only cylinders changed rather than lock hardware, you might consider the Mul-T-Lock CLIQ series. The CLIQ keys are mechanical and electronic, and the reader is in the cylinder, so no wiring of doors is needed. To remove a key from the authorized list, you just code the programmer key to remove it, then walk around and stick the key in the appropriate doors.

From a locksmith's perspective

[Big Bob the Finder]

I worked my way through college as a locksmith. I've always favored hardware security (keys) over electronic widgetry. Talking to a Medeco dealer about getting your locks on a solid masterkey system would give you a solid system, but allowing remote sites to be accessed- possibly by different agents each time- wouldn't work.

One solution might be Videx. I've only glossed over their literature, but they seem to have a pretty good solution in place.

http://www.videx.com/products/detail/cyberlock.h tml

Specifically, the section on how "the CyberKey Authorizer enhances CyberLock systems by providing the ability to program and download CyberKeys at remote locations." That might be too pricey for your application. I've never priced out "door" costs on Videx hardware.

Re:Can you have the locks keyed the same?

[Big Bob the Finder]

With high-security systems, the blanks are under patent. Only locksmiths who service those locks have access to them. With most systems, you end up with regional distributors, and if you walk in asking to get a copy made, they'll recognize it as one of theirs and confiscate it- and inform the true owner of what happened. I've actually seen that happen- it's pretty unfortunate for the guy working for a major bank to lose his job over that sort of thing. They can then mike the key and determine whose it is; if it is stamped with a serial number, it's even easier.

All bets are off if a machinist is available to duplicate it. This is made very difficult with sidebar locks such as ASSA, or with odd keys such as Abloy. A machinist would also have to duplicate the wards and angle cuts if duplicating Medeco keys.

So while the possibility is there, I have yet to hear of it happening.

Re:Using iButtons as keys

[mmontour]

You unlock them using the Dallas Semiconductor iButtons. Each one has a unique serial number imbedded it it and it can't be copied.

A serial number certainly can be copied. Relying on it for security is like relying on MAC-address filtering on a wireless router (i.e. insufficient). You can't copy the serial number onto another iButton, but you can program a little microcontroller to speak the same 1-wire protocol and pretend to be the iButton interest. It's not hard to discover the serial number of an iButton; it's printed right on the case of each device.

There used to be a "crypto iButton" that provided real copy-proof security. It could be programmed with a private RSA key, and could be challenged to produce a signature that you could then verify with the user's public key. The physical device was quite tamper-resistant so it would be very difficult for an attacker to extract the private key. However this product seems to have been discontinued a few years ago.