
Access 2002 Encryption


Bob Berryman

Sep 24, 2002, 8:37:06 AM
How strong is MS Access encryption?

TIA..........Bob

Thilo Immel

Sep 24, 2002, 9:20:02 AM
On Tue, 24 Sep 2002 05:37:06 -0700, "Bob Berryman" <moc.nagolnas@bob>
wrote:

>How strong is MS Access encryption?
>
>TIA..........Bob

It is not an encryption, it's a coding.

It is not secure.

You can decrypt a database in less than a minute without knowing any
password. You only need information on the way Access manages
encryption.

Regards

Thilo Immel

www.access-emergency.com

Bob B

Sep 24, 2002, 10:40:21 AM
Thanks for that

My next question is: how many people know how to do it?


Gary

Sep 24, 2002, 10:52:23 AM
To answer that, you can try this little test I ran a while ago:

I asked five of the secretaries in our offices to search the internet
for ways to get around Access security, and to keep note of how long it
took them. The criteria were that they did not have to understand what
they were being told to do by any of the sites, just that they had to
find a tool or a list of instructions to do it, and that they had an
imaginary budget of 50 pounds.

The shortest time to find a solution was 8 minutes, the longest just
over an hour. All of them found at least one solution or tool. The
highest cost was £23. These ladies were not trained hackers, only one of
them had ever heard of Access, but they accurately found methods to get
around Access's security in a very short length of time.

Now, the question to you is, what environment is your Access solution
likely to be in, and how big a concern is security really likely to be?

Regards,

Gary

Peter Miller

Sep 24, 2002, 11:36:11 AM

Bob,

On Tue, 24 Sep 2002 07:40:21 -0700, "Bob B" <moc.nagolnas@bob> wrote
in microsoft.public.access.security:

>my next question is How many people know how to do it?

I like Gary's post and blind test. It proves the point well.

But let me follow up with a different type of answer.

The problem with Access encryption is that although the algorithm is
of a, let's say, non-trivial nature, the implementation is very poor
indeed. Ask yourself this. Why is it that any copy of Access with
or without the correct workgroup file can decrypt an encrypted
database file? (I'm not saying you as a user can get Access to
decrypt the file without a good workgroup file, but Access itself
clearly 'looks into' the encrypted file and gathers certain system
information whether or not the proper workgroup is present). So if
user-level security is not necessary in order to decrypt the file
internally, what is? The answer would seem obvious. Either all
versions of Access use the same encryption key(s) hard coded into the
product, or the key, which can vary by db, is contained in the db in a
way it can easily be grabbed.

Without going into the matter further, does either of these
possibilities sound remotely difficult to compromise? They shouldn't.
Thilo is correct that it is absolutely trivial to decrypt an Access
database of any version. Access security is barely worth the time it
takes to implement it. I say barely because it does have value in
preventing inadvertent misuse of a database, but it poses little to no
barrier against intentional misuse.

The key failing, from my perspective, in the encryption implementation
is that it should have been obvious to Msft that the means to decrypt
a file should not be present outside of the user-level security model.
Sure, such an implementation would still be crackable, but the goal
should have been to force, if at all possible, an exhaustive key
search rather than simply making the key plainly available for easy
decryption without requiring that the security model also be
compromised. As with any security system, a chain is only as strong
as its weakest link. Encryption is a hopelessly weak link, and it
makes all the other security features useless as well, by stripping
away from them any level of protection encryption could have offered.

That's my opinion, anyway.

Note that this doesn't prevent Access from being an excellent tool for
fronting RDBMSs with better security models, like SQL Server and
Oracle. It just means that a jet based db is terribly insecure.

Peter Miller
PK Solutions
_____________________________________________________

For Microsoft Access related tools and services,
including our Data Recovery Rescue Service for
Microsoft Access, please visit our site (below)...
_____________________________________________________

www: www.pksolutions.com
e-mail: pmi...@pksolutions.com

Tel: +1 (800) 987-7716 Fax: +1 (619) 839-3900
_____________________________________________________
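
The design point argued in the post above, as an added example that is not part of the original thread and does not reproduce Access's or Jet's actual file format: a container whose key travels in the file opens without any credential, while one whose key is derived from the user's secret leaves only guessing. All function names and the file layout are hypothetical, and the stream cipher is a toy built from SHA-256 for illustration.

```python
import hashlib, hmac, os

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode), for illustration only."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + (i // 32).to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

# Design A (weak): the per-file key sits in the file header.
def seal_key_in_file(plaintext: bytes) -> bytes:
    key = os.urandom(16)
    return key + keystream_xor(key, plaintext)

def open_key_in_file(blob: bytes) -> bytes:
    # No credential is consulted: the file carries everything needed.
    return keystream_xor(blob[:16], blob[16:])

# Design B: the key exists only as a function of the user's secret.
def _derive(password: str, salt: bytes):
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=64)
    return dk[:32], dk[32:]  # (encryption key, MAC key)

def seal_password_derived(plaintext: bytes, password: str) -> bytes:
    salt = os.urandom(16)
    enc_key, mac_key = _derive(password, salt)
    body = keystream_xor(enc_key, plaintext)
    tag = hmac.new(mac_key, body, hashlib.sha256).digest()
    return salt + tag + body

def open_password_derived(blob: bytes, password: str):
    salt, tag, body = blob[:16], blob[16:48], blob[48:]
    enc_key, mac_key = _derive(password, salt)
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong password or tampered file
    return keystream_xor(enc_key, body)

if __name__ == "__main__":
    record = b"constructed sample row: id=1, name=example"
    print(open_key_in_file(seal_key_in_file(record)))        # opens with no secret
    sealed = seal_password_derived(record, "constructed-passphrase")
    print(open_password_derived(sealed, "wrong-guess"))      # None
    print(open_password_derived(sealed, "constructed-passphrase"))
```

In Design B the protection is only as good as the passphrase, which is why the key-derivation step is deliberately slow.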
