I guess bar one, 'cause the one I tested just generated a username
and encryption string for creating a new user with appropriate SID.
You say it did that directly from the mdb, without requiring an mdw? If so,
the products in question must have progressed a bit, since I checked them
out a year or so ago :-( Can you confirm this please, so I am up to speed
with the current state of the game?
Given the encryption key and the SID, all you have to do is just
encrypt using random strings until you find one that gives you the
correct SID. Presumably the cracker had to run through 1000's if
not billions of possibilities before finding the crack, but on a
pentium III it took seconds, not minutes. Or possibly there is
an unencryption algorithm that takes you backwards from the SID
to a valid encryption string.
By "encryption string" you mean the Personal Identifier (PID). The SID is
determined by encrypting the username and PID, using a symmetric cipher, and
a so-called secret key. Unfortunately, the secret key can be recovered.
Thus, given any SID from the mdb file, you can decrypt it using the secret
key, and voila: username and PID! (This is not giving much away. It will
not let Joe Programmer go out & write a cracking product. And there are
easier ways of doing it, without using crypto at all.)
Unfortunately this whole scheme is the cryptographic equivalent of a
"schoolboy howler". If MS had bothered to have a competent cryptographer
check it out, he or she could have given them a **one line fix** that would
make it impossible to do any of this - or to recover the passwords from a
workgroup file. Crypto is full of nastry traps for the unwary - and MS fell
right into one, when they decided how to encrypt the user information in the
workgroup file.
One only hopes that MS have learned from that experience, & get their
current products checked-out better!
Cheers,
TC
(david)
TC said:
(snip)
hiding or stealing a workgroup security file has no significance:
You still have to crack the password if the database is secured,
and it is no more difficult to crack than it is to create a new
user and password.
Do you mean the ULS password(s)?
If someone steals the mdb without the workgroup file, & the mdb has been
properly secured, none of the freely available cracking products (perhaps
bar one) will be able to unlock the mdb, afaik. But if they steal the
workgroup file as well, they can use those products to recover the
(hopelessly encrypted) ULS passwords, & start using the mdb. In that regard,
stealing the workgroup file >is< significant, IMO.
"Creating a new user and [ULS] password" will not help, unless they use the
same PID - which they won't know.
Cheers,
TC
(david)
Hello ~
After reading "Microsoft Access Security FAQ Document", I am still
wondering: what's to prevent someone, in a front end / back end
multiuser environment, from making a copy of BOTH the secure Access DB
AND the mdw. file, to which they belong, and setting themselves up on
another machine?
'Thinking the answer lies in securing the network drive containing the
.mdw file on it. Like locking up the car keys.
