Assessing Existing Master Key Systems

June 1, 2008
Two powerful techniques can assist locksmiths when assessing existing master key systems. These techniques work on all types of pin-tumbler locks, regardless of chamber counts, or progressions under the TMK.

Most facility managers or building owners rely on locksmiths to maintain their keying systems. In most cases these keying systems will involve master keying. The details and plans of master keying are complicated and sometimes arcane, and always non-intelligible to the customers of locksmiths.

When managers and owners decide to transfer services from one lock service to the next, they will give the new lock service any keying records and key generation resources left by the former service. At this time, it is beneficial for both the customer and the lock service to assess the condition of the existing keying system.

A proper assessment takes time and some materials, and the customer should be prepared to incur a charge for the time involved. When customers are charged for such services, the assessment needs to take the form of a written statement as to the condition of the key system.

The purpose of the assessment
You wouldn’t buy a home without sending in expert inspectors to determine the condition of the home and to discover any existing problems that are not evident. The inspection of the keying system requires the inspection of an expert to assess the condition of the system and to discover any problems.

The value to the customer is to limit liability and recover repair costs due to negligence or poor workmanship relating to the former lock service. An assessment can identify problems that must be immediately addressed. Customers may use the assessment to persuade the former locksmith to pay for such repairs or sue for damages.

The value to the new lock service is to establish the existing condition of the keying system, so that future services can be evaluated from that point forward and to avoid being held responsible for inherent errors in the system and any prior negligence on the part of the prior lock service.

Locksmiths should be prepared to assess keying systems whether or not it relates to a request to takeover an existing system. Customers may ask locksmiths to assess keying systems that are maintained by other locksmiths as a means of evaluating the integrity of the service, in other words, to keep their vendors honest.

This is fair, and is an effective means for managers and owners to evaluate the quality of services provided.

In order to be fair, locksmiths who perform assessments must be objective and base their findings on fact and science; and never on guesses or opinions.

Performing the assessment
Start assessments by establishing working guidelines.

If the assessment is to evaluate the customer’s existing lock service, rules of engagement need to be established. Does there need to be a company liaison between the assessor and the current vendor? Will the company empower the assessor to approach the vendor directly? Is the assessment to be performed without the direct engagement of the vendor? Guidelines must be set.
A common guideline dictates that the vendor will submit copies of records and will detail how keys are generated. If materials are not forthcoming, it is assumed that materials do not exist. In this manner there is no direct engagement between vendor and assessor.

Another common scenario is that the owner is terminating the lock service and may never get records or key-generation resources. Any missing materials will need to be recreated, taking much time and resources.
Periodic vendor audits are healthy and allow the customer to archive valuable records for safeguard.

Vendor audits and assessments

Audits will determine the level of compliance relative to: key issuance and retention policies, working procedures, record-keeping, and key-generation.
There is always policy relating to key control, ranging from verbal and informal to written and formal. Key policy refers to:
• Persons authorized to order the locksmith to issue keys and rekey locks;
 • Persons who approve keying plans;
 • Who has access to key-generation resources;
• Who keeps the records; and
• Who has access to key records.

Additional policies relate to: how keys that are lost are replaced; if keys are recovered when no longer needed or when keys are turned in; and who sets key policies. The audit should establish that there is a key policy in place, what exactly the key policy is, and the level of compliance regarding the policy.

There are always working procedures. The audit should determine that procedures are cost-effective and yield results. Examining procedures sometimes identify needless repetitive tasks that can be eliminated.
Record-keeping ranges from inaccurate to precise. If the issuance of keys has not been logged into a formal list or database, then key issuance may be generally tracked referring to invoices. Sometimes there are no records at all. An important value to the audit is identifying where improvements can be made that will lower liability and increase integrity.

How keys in the system are generated is very important. Keys can be selected from lists of keys and sub-master keys provided by the hardware company that initiated the original system; keys can be generated from after-market software applications, suited for this purpose; the locksmith that services the system can apply a custom-built application using spreadsheets or hand-written lists; or keys randomly selected out of a bucket can be “mastered” to a Top Master Key (the highest key in the system).

The latter means of key generation is as bad as it gets and unfortunately is more common than it should be. I know of two school districts where this method is still used. This especially happens on old Schlage systems where there initially was a lot of integrity but over time, and without proper oversight, pair of keys that were salvaged and gathered in a bucket were simply selected at random and then “forced” to be master keyed with the TMK.
Usually when negligence is revealed after the audit, it is because of improper key generation or lack of record keeping.

No Records?
Twenty years ago, the facility manager of a university contacted me in a panic as their in-house locksmith went “rogue;” he destroyed all the key registers and original key bitting charts. This was done two weeks before the start of a new school year. Timing-wise, this was critical as instructors would soon need keys to their new rooms.

To this day I have never seen a worse case of destruction. The night before leaving, the locksmith gathered thousands of original keys (from organized key cabinets) and literally shoveled them into a mountainous pile in the middle of the key shop. At the top of the pile he formed a cavity in which he dropped all the key registers, and key-generation lists. He essentially created a hibachi and used it in that manner by setting the registers and lists on fire.

When he was done, there wasn’t so much as a hint of a key reference. Even the key bitting of the TMK was not readily available as everybody’s master keys were worn beyond accurate reading.
Obviously swift action was needed. Because of the size of the campus, immediate rekey could not have been accomplished in time. A decision was made to decode every lock cylinder on campus, essentially recreating the original bitting charts, so keys could be manufactured and immediately distributed.

I could guarantee results in a timely manner as I was privy to an expert technique that I had perfected. It would allow me to determine the exact change key that was intended for each lock cylinder without the need to disassemble and decode the cylinder. I promised that within 24 hours, I would deliver sets of “diagnostic keys” that maintenance persons could effectively use without training or skill. Persons using the diagnostic keys would simply try each key (24 in a set) and note which keys operated the lock. That information would be delivered to the department secretary and she would compose a list of those keys that worked. From the secretary’s list, I could recreate the original bitting chart.

It took two hours to develop and cut four sets of diagnostic keys. I did not disassemble a single lock cylinder. The keys were distributed among four persons who worked all night to try every lock cylinder.
By the morning the project was completed. I spent the next week cutting hundreds of keys for instructors. The campus was then casually rekeyed to a new master key system the next six months.

Expert locksmith technique

Figure 2 shows how to cut the “diagnostic keys” to decode master keyed lock cylinders without disassembling the cylinders.
First determine the TMK. It isn’t necessary to dissemble the lock cylinder, but it is necessary to know the original cuts of one change key that operates a lock cylinder. For example, let’s use a Schlage six-pin change key bitted to: 345058.

Follow the process in Figure 2, decoding a chamber at a time. The process involves progressing and individual cut and then trying the modified key in the lock to see if it turns. If the key turns, it then reveals the cut of the TMK in that same position.

If the maximum cut in a chamber is cut, tried, and doesn’t operate the lock cylinder, start with a new key by code where the cut in the relative position is either a 0 (when the change key is even in that chamber) or 1 (when the change key is odd in that chamber).

Once the TMK cut in a chamber is discovered, repeat the process until the TMK is fully decoded.

Now that the TMK is known, cut 24 diagnostic keys. See Figure 3; the 24 keys are grouped using six rings. Each ring is used to test a specific chamber in the six-pin lock cylinder.

Note: Diagnostic keys are not intended for general use and may exceed the normal safety factor. When cutting diagnostic keys, use a key code machine and blade intended for the purpose of exceeding the safety factor.
Each key has a large number stamped on the left of the key head that designates the chamber being tested. The large number stamped on the right of the key head designates the cut of the key being tested in that chamber (see Figure 5).

Every diagnostic key has five of the six cuts in common with the TMK. The cut not in common with the TMK represents the change key. In this manner the change key can be isolated and independently tested.
This works as each chamber of the master keyed cylinder has a bottom pin and a master wafer installed allowing either a master cut or change cut to operate that chamber. Five of the chambers are lifted to the operating position, leaving the sixth chamber to be tested for a specific “change” cut.

Figure 4 is a closeup of pins in the lock cylinder. Inside each chamber are both a green bottom pin and gold master wafer. Each chamber is designed so that only the TMK or the change key operates there.
Figure 5 displays the diagnostic keys used to test chambers three and four. Notice the keys that test the third chamber are cut exactly the same except regarding the third chamber. The number on the right of each key is the cut that is being tested for. This is the same for the fourth chamber where those keys are cut the same except for the fourth position.

Armed with these keys, anyone can simply note which keys operate a lock cylinder. For instance, when testing all 24 keys, the only keys that operate the lock are stamped: 13, 24, 37, 42, 53, and 66; therefore the cuts of the change key that was originally intended for the lock cylinder are 347236.

Notice that two cuts operated the lock cylinder in the third chamber. This is an indication that the lock cylinder was cross-keyed so that both 347236 and 349236 can operate the lock.
Another test revealed that the only diagnostic keys that operated a lock cylinder were stamped 13, 53, and 66. This lock cylinder was keyed so that the lowest level key operation key is the sub-master 301836 and the highest level key is the TMK.

The example keys above represent diagnostic keys for a six-pin, two-step progression system. Cuts in any given chamber will either be part of the subset of (0, 2, 4, 6, or 8} or (1, 3, 5, 7, or 9}. Four additional keys are needed for seven-pin, two-step progression systems.

Single-step progression systems, where cuts in a given chamber will be part of the subset {1, 2, 3, 4, 5, or 6}, will require 36 diagnostic keys for six-pin systems, and 42 diagnostic keys for a seven-pin system.
Diagnostic keys are an effective tool to positively prove compliance to manufacturing specifications.

The key bitting array (KBA), recreated by using diagnostic keys, is displayed in Figure 1. The order of “progressions” was determined by the order in which the buildings of the campus were keyed. The first cuts that were decoded were entered into a blank KBA form. Eventually the KBA was totally filled in. The sequence was determined as some chambers changed from room-to-room testing, indicating that those chambers sequenced first.

Appending key systems from incomplete records
I was asked to give a preliminary assessment regarding a master key system that was being transferred from one lock company to the next. The only known records were two pages left from the factory when the building was originally rekeyed (Figures 6 and 7), and a single page of instructions created by the last locksmith which revealed how future combinations would be generated (see Figure 8).

The request was to develop 100 more usable combinations to be used for the next year and until the building would be freshly rekeyed. New combinations could not interchange with existing lock cylinders and existing operating keys were not to operate future rekeyed lock cylinders. For the interim, all future and existing lock cylinders were to operate on the existing TMK.

The last locksmith kept no records as to what combinations were used from his expansion scheme (see Figure 9). To make sure work was not being repeated, all of the expansion combinations developed by the last locksmith needed to be eliminated from future use.

Making matters worse, it wasn’t clear if the last locksmith created operating keys with a cut in common with the TMK.

Clearly the objective was to develop 100 operating keys that would not operate existing cylinders while making sure that distributed operating keys would not access future rekey.

To accomplish this, the following steps were taken: system parameters were defined; the KBA was recreated; an analysis determining the operability of distributed keys was made; groups of unique change keys were developed; and everything was documented for future use.

Figure 9 represents the different steps needed to recreate the KBA:

Figure 8 reveals that the TMK is: 452351 and Figures 6 and 7 determine the possible cuts in each position to be part of the subset, {1,2,3,4,5,6}. This will be a six-by-six key bitting array.
The second array in Figure 9 records the cuts used in each position in Figure 6.

The third array in Figure 9 records additional cuts used in each position in Figure 7.

The fourth array in Figure 9 records additional cuts used in each position in Figure 8.

Numbers that are printed in inverse (the last array in Figure 9) were never used.

Once the KBA was recreated and how existing keys were developed, assumptions could be made to develop unique operating keys.

The first assumption is that all distributed keys other than the TMK were cut with a 4 in the first position. This cut was in common with the TMK; therefore every key issued was a sub-master key. To guarantee that new keys would not interchange with existing lock cylinders, new operating keys would be never be cut with a 4 in the first position.

The second assumption is that all new operating keys would contain a cut in common with the TMK in either the second, third, or fifth position. This would guarantee that existing keys could not interface with new lock cylinders.

Armed with these assumptions and the information derived from the last array in Figure 9, the following new combinations can be generated. Each of the arrays in Figure 10 represents a matrix of 625 unique combinations. All conditions were satisfied including the fact that all existing and future lock cylinders can be operated by the TMK.

In Summary
This article demonstrates two powerful techniques that can assist locksmiths when assessing existing master key systems. These techniques work on all types of pin-tumbler locks, regardless of chamber counts, or progressions under the TMK.

Decoding the TMK and creating diagnostic keys can work for any brand pin-tumbler lock providing the master keying methods used were according to factory specifications and key stock is available to cut these special keys.

For institutional locksmiths, diagnostic keys should be regularly used to verify that lock cylinders are properly master keyed.

Photos will be added to this article