[1180] in cryptography@c2.net mail archive


Re: MS Access 'known database attack'

daemon@ATHENA.MIT.EDU (Joshua E. Hill)
Wed Jul 9 12:45:49 1997

From: "Joshua E. Hill" <jehill@w6bhz.calpoly.edu>
To: giff@va.pubnix.com (Frank)
Date: Tue, 8 Jul 1997 12:11:07 -0700 (PDT)
Cc: mrosen@peganet.com, cryptography@c2.net
In-Reply-To: <Pine.BSI.3.91.970708110823.6124B-100000@crossbow.va.pubnix.com> from Frank at "Jul 8, 97 11:24:20 am"

Frank said:
> However, encrypting with MS Access has a major flaw: It does not ask you 
> for a password!  

[snip]

> The method to break:
> - Create a known database which is at least as large as the database you 
> are trying to break.
> - Encrypt it.
> - Find the XOR between the known database and its encryption.  This is 
> the key stream.
> - XOR the key stream against the target database you are trying to break.
> 
> So there is no need for a brute force attack.  

We could brute force the 32-bit key space, and then get the _one_
key for all Access databases.  I think it would be nice to distribute
a small, easy to use Access Database breaker (with appropriate hoopla,
etc).  If we attributed the ease of the break to the administration's
crypto controls (instead of Microsoft's incompetence) we might even
get MS to make a helpful press release...

			Josh

-----------------------------Joshua E. Hill-----------------------------
|                         Murphy's Corollary:                          |
|              It is impossible to make anything foolproof             |
|                     because fools are so ingenious                   |
-------jehill@<gauss.elee|galaxy.csc|w6bhz|tuba.aix>.calpoly.edu--------
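
Added example, not part of the original message or of either poster's code: the keystream-reuse weakness described in the quoted method, shown beside a per-file-nonce design in which the same recovery step fails. The cipher is a constructed stand-in (SHA-256 in counter mode, not whatever Access uses), and `FIXED_KEY`, the function names and the sample record are assumptions made for illustration.

```python
import hashlib
import os

# Constructed 32-bit stand-in for a key that is built into the product.
FIXED_KEY = b"\x00\x01\x02\x03"

def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Stand-in stream cipher: SHA-256 in counter mode (an assumption, not Access's cipher)."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:n]

def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_fixed(plaintext: bytes) -> bytes:
    """Weak design: one key, no per-file nonce, so every file gets the same keystream."""
    return xor(plaintext, keystream(FIXED_KEY, b"", len(plaintext)))

def encrypt_per_file(plaintext: bytes, key: bytes) -> bytes:
    """Corrected design: user-supplied key plus a fresh random nonce stored with the file."""
    nonce = os.urandom(16)
    return nonce + xor(plaintext, keystream(key, nonce, len(plaintext)))

def recover_with_known_file(known_pt: bytes, known_ct: bytes, target_ct: bytes) -> bytes:
    """The quoted method: known XOR its encryption = keystream; keystream XOR target."""
    return xor(xor(known_pt, known_ct), target_ct)

def demo():
    """Return (recovery works on weak design, recovery works on corrected design)."""
    target = b"constructed sample record: payroll row 17"
    known = b"A" * 64  # known file at least as large as the target
    weak = recover_with_known_file(known, encrypt_fixed(known), encrypt_fixed(target))
    key = os.urandom(16)
    known_ct = encrypt_per_file(known, key)[16:]    # strip the stored nonce
    target_ct = encrypt_per_file(target, key)[16:]
    strong = recover_with_known_file(known, known_ct, target_ct)
    return weak == target, strong == target

if __name__ == "__main__":
    print(demo())
```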
