Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
FW: MS Access 'known database attack'Matt Barrie SYD (Matt_BarrieOTI.COM)
Wed, 9 Jul 1997 20:19:07 -0600
- Messages sorted by: [ date ][ thread ][ subject ][ author ]
- Next message: Dalvenjah FoxFire: "Re: Solaris Ping bug (DoS)"
- Previous message: der Mouse: "Re: Buffer overflow in "lpr""
Looks like another bad implementation of something that should have been more secure: On Sun, 6 Jul 1997, Mark Rosen wrote: [Included message below] I have examined the encryption on MS Access (v 2.0) and found that it was= =20 really easy to break without ever having to determine the key. I wasn't=20 aware that it was RC4 based. During my examination of it, I found it=20 behaved as a stream cipher where the stream was XORed with the database. MS Access databases grow in 2K increments, so it makes since that=20 everything is done the way described below. However, encrypting with MS Access has a major flaw: It does not ask you=20 for a password! You might expect that, like almost every other thing=20 with encryption, you would be prompted for a password. In effect the=20 same key is used for encryption and decryption. The method to break: - Create a known database which is at least as large as the database you=20 are trying to break. - Encrypt it. - Find the XOR between the known database and its encryption. This is=20 the key stream. - XOR the key stream against the target database you are trying to break. So there is no need for a brute force attack. MS can use a 900,000+ bit=20 key and it won't matter. :) As a result, the encryption is a thin layer on top of the pseudo-security= =20 objects which Access has. Good enough to keep people from simply walking= =20 through the database with DEBUG, but it isn't enough for real security. -Giff giffuu.net [relevant inclusion] > > I recently had cause to investigate the cryptography used in > > one of the applications of a very popular office suite, released > > this year. A password recovery specialist I spoke to claimed that= =20 > > the crypto used was 40-bit RC4! If this is true, it may apply to > > all of the applications of that suite, and thus the apps are > > susceptible to brute force attacks of quite modest scale - ones > > which may be undertaken in a small office in a relatively short > > time. > >=20 > > Producing key search apps which can brute the crypto in this > > suite would force the manufacturer to answer as to why it chose > > such poor cryptography, and produce a stronger (albeit currently > > unexportable) version. It would also light a fire under the=20 > > manufacturer to lend it's not inconsiderable weight in the=20 > > export battle. >=20 > =09Microsoft Access uses 32-bit encryption (RC4 I assume... not sure). Th= is > is ripe for the picking! Giggle. Most large corporations use an Access > database. Here's the KB article: >=20 > Knowledge Base >=20 >=20 >=20 > INF: How Microsoft Access Uses Encryption >=20 > Article ID: Q140406=20 > Creation Date: 29-NOV-1995 > Revision Date: 20-SEP-1996=20 >=20 > The information in this article applies to:=20 > =95Microsoft Access versions 1.0, 1.1, 2.0, 7.0=20 >=20 >=20 >=20 >=20 > SUMMARY=20 >=20 >=20 > Advanced: Requires expert coding, interoperability, and multi-user skills= .=20 >=20 > This article discusses how encryption is used in Microsoft Access.=20 >=20 >=20 >=20 > MORE INFORMATION=20 >=20 >=20 > Encryption enables you to prevent anyone from using a utility program or > word processor to read and write data in a Microsoft Access database (.md= b) > file. This feature is different from Microsoft Access security (which set= s > user and group permissions on database objects); its sole purpose is to > make a database indecipherable by a file or disk editor.=20 >=20 > Microsoft Access uses an RC4 encryption algorithm with a 32-bit key from > RSA Data Security Incorporated. If you are creating an international > application, this algorithm is acceptable for export outside of the Unite= d > States (according United States export laws) because the key is less than > 40-bits.=20 >=20 > When you encrypt a database, all objects (tables, forms, queries, indexes= , > and so on) are affected because encryption is implemented at the page- > level and not at the data-level. Microsoft Access encrypts a database in = 2K > (kilobyte) pages, regardless of the data stored in a page. Each encrypted > page is assigned a unique 32-bit key.=20 >=20 >=20