[1172] in cryptography@c2.net mail archive
Re: Thoughts on the next target.
daemon@ATHENA.MIT.EDU (Mark Rosen)
Tue Jul 8 11:36:03 1997
From: "Mark Rosen" <mrosen@peganet.com>
To: <trei@process.com>, <coderpunks@toad.com>, <cryptography@c2.net>
Cc: <trei@process.com>
Date: Sun, 6 Jul 1997 20:16:16 -0400
> I recently had cause to investigate the cryptography used in
> one of the applications of a very popular office suite, released
> this year. A password recovery specialist I spoke to claimed that
> the crypto used was 40-bit RC4! If this is true, it may apply to
> all of the applications of that suite, and thus the apps are
> susceptible to brute force attacks of quite modest scale - ones
> which may be undertaken in a small office in a relatively short
> time.
>
> Producing key search apps which can brute the crypto in this
> suite would force the manufacturer to answer as to why it chose
> such poor cryptography, and produce a stronger (albeit currently
> unexportable) version. It would also light a fire under the
> manufacturer to lend its not inconsiderable weight in the
> export battle.
>
> The above are my personal thoughts which do not necessarily
> represent those of any other person or any organization. I'd
> appreciate comments.
Microsoft Access uses 32-bit encryption (RC4 I assume... not sure). This
is ripe for the picking! Giggle. Most large corporations use an Access
database. Here's the KB article:
Knowledge Base
INF: How Microsoft Access Uses Encryption
Article ID: Q140406
Creation Date: 29-NOV-1995
Revision Date: 20-SEP-1996
The information in this article applies to:
• Microsoft Access versions 1.0, 1.1, 2.0, 7.0
SUMMARY
Advanced: Requires expert coding, interoperability, and multi-user skills.
This article discusses how encryption is used in Microsoft Access.
MORE INFORMATION
Encryption enables you to prevent anyone from using a utility program or
word processor to read and write data in a Microsoft Access database (.mdb)
file. This feature is different from Microsoft Access security (which sets
user and group permissions on database objects); its sole purpose is to
make a database indecipherable by a file or disk editor.
Microsoft Access uses an RC4 encryption algorithm with a 32-bit key from
RSA Data Security Incorporated. If you are creating an international
application, this algorithm is acceptable for export outside of the United
States (according to United States export laws) because the key is less than
40 bits.
When you encrypt a database, all objects (tables, forms, queries, indexes,
and so on) are affected because encryption is implemented at the page-
level and not at the data-level. Microsoft Access encrypts a database in 2K
(kilobyte) pages, regardless of the data stored in a page. Each encrypted
page is assigned a unique 32-bit key.
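
[Added example, not part of the original message or the KB article: a sketch of page-level RC4 with a 32-bit key per 2K page, showing that key length is the only barrier once a few plaintext bytes of a page are known. The per-page key derivation, the page contents, the 1e6 keys/s rate and all function names are assumptions made for illustration; the search covers only 12 unknown bits so it finishes instantly.]

```python
import struct

PAGE_SIZE = 2048  # the KB article's 2K page

def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4: key schedule, then XOR data with the keystream."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def page_key(base_key: int, page_no: int) -> bytes:
    # ASSUMPTION: key = base XOR page number; the article does not say
    # how Access derives its per-page keys.
    return struct.pack("<I", (base_key ^ page_no) & 0xFFFFFFFF)

def encrypt_pages(base_key: int, plaintext: bytes):
    """Encrypt each 2K page independently under its own 32-bit key."""
    pages = [plaintext[o:o + PAGE_SIZE] for o in range(0, len(plaintext), PAGE_SIZE)]
    return [rc4(page_key(base_key, n), p) for n, p in enumerate(pages)]

def search_key(page: bytes, known_prefix: bytes, high_bits: int, unknown_bits: int):
    """Try every value of the low `unknown_bits` bits; the rest is given."""
    for low in range(1 << unknown_bits):
        cand = high_bits | low
        if rc4(struct.pack("<I", cand), page[:len(known_prefix)]) == known_prefix:
            return cand
    return None

def worst_case_seconds(key_bits: int, keys_per_second: float) -> float:
    """Time to try every key of the given length at a given trial rate."""
    return (1 << key_bits) / keys_per_second

# Constructed sample: two 2K pages with a known 16-byte header on page 0.
HEADER = b"CONSTRUCTED-PAGE"
PLAINTEXT = HEADER + bytes(2 * PAGE_SIZE - len(HEADER))
BASE_KEY = 0x1234ABCD  # constructed key
PAGES = encrypt_pages(BASE_KEY, PLAINTEXT)

if __name__ == "__main__":
    print(hex(search_key(PAGES[0], HEADER, 0x1234A000, 12)))
    print(worst_case_seconds(32, 1e6), "s for 32 bits at an assumed 1e6 keys/s")
```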