[1184] in cryptography@c2.net mail archive
RE: MS Access 'known database attack'
daemon@ATHENA.MIT.EDU (Herb Sutter)
Wed Jul 9 13:23:22 1997
From: Herb Sutter <HerbS@CNTC.com>
To: "'cryptography@c2.net'" <cryptography@c2.net>
Date: Wed, 9 Jul 1997 12:45:21 -0400
>> We could brute force the 32 bit key space, and then get the _one_
>> key for all access databases. I think it would be nice to distribute
>
>The key would really be based on the page number (or some function to
>
>If F() is a complex function, this will make it difficult to have a
>breaking program which doesn't depend on having your own copy of
>Access.
Unless I'm missing something, why not just determine both the hard-coded
key and the function using a debugger? If Access can decrypt a database
starting from scratch with no human input (e.g., password) this has to
work... in fact, you could probably snip the actual decryption code
right out of the Access binaries and wrap a cracker mainline around it.
Of course, it might be more useful to get the key this way and then
complain about the _length_, not the implementation, for export pressure
purposes.
