[1182] in cryptography@c2.net mail archive
Re: MS Access 'known database attack'
daemon@ATHENA.MIT.EDU (Frank (Giff) Gifford)
Wed Jul 9 12:48:37 1997
Date: Tue, 8 Jul 1997 15:37:34 -0400 (EDT)
From: "Frank (Giff) Gifford" <giff@va.pubnix.com>
To: "Joshua E. Hill" <jehill@w6bhz.calpoly.edu>
cc: mrosen@peganet.com, cryptography@c2.net
In-Reply-To: <199707081911.MAA02958@mordor.boxes.org>
On Tue, 8 Jul 1997, Joshua E. Hill wrote:
> Frank said:
> > However, encrypting with MS Access has a major flaw: It does not ask you
> > for a password!
>
> [snip]
>
> > The method to break:
> > - Create a known database which is at least as large as the database you
> > are trying to break.
> > - Encrypt it.
> > - Find the XOR between the known database and its encryption. This is
> > the key stream.
> > - XOR the key stream against the target database you are trying to break.
> >
> > So there is no need for a brute force attack.
>
> We could brute force the 32 bit key space, and then get the _one_
> key for all access databases. I think it would be nice to distribute
> a small, easy to use Access Database breaker (with appropriate hoopla,
> etc). If we attributed the ease of the break to the administration's
> crypto controls (instead of Microsoft's incompetence) we might even
> get MS to make a helpful press release...
>
> Josh
>
> -----------------------------Joshua E. Hill-----------------------------
> | Murphy's Corollary: |
> | It is impossible to make anything foolproof |
> | because fools are so ingenious |
> -------jehill@<gauss.elee|galaxy.csc|w6bhz|tuba.aix>.calpoly.edu--------
>
The key would really be based on the page number (or some function to
calculate against it). So you can search the 32 bit space for page 0,
then another 32 bit space for page 1, etc. Then with those keys in hand
try to see what relationship there is between them so that you don't need
to search the key space for the remaining pages.
Page 0 is always encrypted with the same key, but page 1 is encrypted
with a different key, etc. Making an Access solver would not be terribly
impractical, but using the method you describe will be harder than
looking for a single key in a 32 bit space.
Many Access DBs I have seen have been around 1 Meg in size [Access code
only - not including data which may be on a back-end]. So that is ~32768
keys to find. So your total keyspace is (32768)*(2^32). If it takes 10
minutes to find a key for a given page, this will take 227 days.
Maybe you will get lucky and find that the key is F(pagenum) where F() is
a simple function. Perhaps ("Bill" XOR (long) pagenum). :)
If F() is a complex function, this will make it difficult to have a
breaking program which doesn't depend on having your own copy of Access.
-Giff
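The following Python is an added illustration, not part of this thread and not MS Access's real cipher: a constructed toy stream cipher whose per-page keystream is a function of a key and the page number, as Frank describes. It shows why a product that ships one fixed key and never asks for a password leaks every file once a single known file has been encrypted (plaintext XOR ciphertext gives the keystream, which is then reused), and why deriving a per-file key from a user password plus a random salt removes the leak. The page size, the key value, the PBKDF2 parameters and the sample file contents are all made up for the demonstration.

```python
"""Known-plaintext recovery of a reused keystream, and the salted,
password-derived fix.

CONSTRUCTED toy cipher: SHA-256 in counter mode over (key || page || counter),
not MS Access's real algorithm. Page size, key and file contents are made up.
"""
import hashlib
import os

PAGE_SIZE = 32                       # constructed: bytes per page
FIXED_KEY = b"Bill"                  # constructed: one 32-bit key baked into the product

# Constructed sample files: a "known" database and a smaller "target".
KNOWN_PLAIN = bytes(range(256)) * 2
TARGET_PLAIN = b"customer,balance\nalice,1200\nbob,-50\ncarol,9001\n".ljust(96, b" ")


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def page_keystream(key: bytes, page: int, size: int) -> bytes:
    """Keystream for one page, i.e. F(key, pagenum) expanded to `size` bytes."""
    out = b""
    counter = 0
    while len(out) < size:
        block = key + page.to_bytes(4, "big") + counter.to_bytes(4, "big")
        out += hashlib.sha256(block).digest()
        counter += 1
    return out[:size]


def stream_encrypt(plain: bytes, key: bytes) -> bytes:
    """Encrypt page by page; because it is XOR, decryption is the same call."""
    out = bytearray()
    for page, start in enumerate(range(0, len(plain), PAGE_SIZE)):
        chunk = plain[start:start + PAGE_SIZE]
        out += xor_bytes(chunk, page_keystream(key, page, len(chunk)))
    return bytes(out)


def encrypt_no_password(plain: bytes) -> bytes:
    """The flawed design: no password, so every file shares FIXED_KEY."""
    return stream_encrypt(plain, FIXED_KEY)


def recover_keystream(known_plain: bytes, known_cipher: bytes) -> bytes:
    """Plaintext XOR ciphertext gives back the keystream."""
    return xor_bytes(known_plain, known_cipher)


def apply_keystream(cipher: bytes, keystream: bytes) -> bytes:
    """Reuse a recovered keystream on a file no larger than the known one."""
    if len(keystream) < len(cipher):
        raise ValueError("known file must be at least as large as the target")
    return xor_bytes(cipher, keystream[:len(cipher)])


def encrypt_with_password(plain: bytes, password: str, salt: bytes) -> bytes:
    """Mitigation: a per-file key from the user's password and a random salt,
    so no two files ever share a keystream."""
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return stream_encrypt(plain, key)


def fixed_key_leak() -> bytes:
    """With the shared key, one known file exposes the target completely."""
    ks = recover_keystream(KNOWN_PLAIN, encrypt_no_password(KNOWN_PLAIN))
    return apply_keystream(encrypt_no_password(TARGET_PLAIN), ks)


def salted_key_holds(password: str = "hunter2") -> bytes:
    """Same password, different per-file salts: the recovered keystream is useless."""
    salt_known, salt_target = os.urandom(16), os.urandom(16)
    ks = recover_keystream(KNOWN_PLAIN,
                           encrypt_with_password(KNOWN_PLAIN, password, salt_known))
    return apply_keystream(encrypt_with_password(TARGET_PLAIN, password, salt_target), ks)


if __name__ == "__main__":
    print("fixed key  :", fixed_key_leak() == TARGET_PLAIN)    # True
    print("salted key :", salted_key_holds() == TARGET_PLAIN)  # False
```

Two details match the thread's reasoning: `page_keystream` gives each page its own keystream, so pages 0 and 1 never share one, exactly why a single-key search is not enough; and `apply_keystream` enforces Frank's precondition that the known file be at least as large as the target, since the keystream is only recovered as far as the known plaintext extends. The salted variant defeats the reuse even when both files were protected with the same password, because the salt alone changes every page's keystream.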