Old 10-07-2018, 03:46 PM   #16
The_Doc_Man
Happy Retired Curmudgeon
 
Join Date: Feb 2001
Location: Suburban New Orleans, LA, USA
Posts: 12,472
Thanks: 62
Thanked 1,175 Times in 1,075 Posts
Re: Microsoft Windows / Office upgrade woes

Quote:
Originally Posted by isladogs
Whilst I'm not totally clear about what that all means
I can try to explain.

Quote:
Jet 3: The database password, when set, is stored as plain text in the MDB file header.
= Anyone with notepad can quickly find the password since the header is early in the file.

Quote:
Jet 4: The database password, when set, is obfuscated with a simple XOR pattern algorithm based on the file creation date/time (stored inside the file) which is then stored in the MDB file header.
= Anybody with a hex editor can manually find two things: The binary file creation date & time and the password, and can figure out the password as long as they understand XOR. Both of those things are in the header so it wouldn't take long to find them.

Quote:
Jet 3 AND 4: The MDB file header itself is further obfuscated with an XOR pattern – although it's a constant XOR stream this time.
The file header's encryption is a simple XOR pattern. If you know other things that should be in the header and know them in clear text, you can probably work backwards or write a VERY simple algorithm to decrypt the header. Because the XOR pattern will even encrypt 0 - and in the process will give you the inverse of the XOR key.

Quote:
ACCDB Files: The password is no longer stored as obfuscated plain text in the file header. Instead, a hash is used to check that the user has entered the valid password. The hash is generated from a combination of RC4 and SHA-1 algorithms.
The hash-checking algorithm is based on the same technology that gives you digital signatures. In essence, a signature is a polynomial (in binary, of course) based on some obscure formula that gives you a long string of bits by multiplying two numbers together in some orderly pattern. When you complete the multiplication you have a hash (which in math is sometimes called a "characteristic") that depends on the contents of the thing you were trying to sign. It doesn't matter whether the thing being protected is short or long. When you attach the hash value as part of the item you have signed the item in a way that is very difficult to spoof. If you send the hash in a separate signature file, your recipient can confirm your identity.

In general, if you have a 128 bit hash, that hash sequence has 2^128 possible values, which is roughly 512 * ( 10^36 ). So the odds of accidentally generating the same hash value from two different inputs SHOULD be 1 divided by that number, which is pretty small - something like 0.2 * ( 10^ -38 ).

There are ways to determine how big a file has to get before that probability gets big enough to even worry about. But the point is, if you store the HASH of something and then later input that something again, you can't compare the something - but you CAN compute the HASH of something and compare it to the stored hash. If the hashes match, the inputs probably also matched.

Now, the only other two things that might be confusing is that RC4 and SHA-1 are two popular hash-generating algorithms. Each is based on a different polynomial. So if you enter a password and BOTH of the resulting two hashes match the stored hashes, you are fairly sure that the right thing was entered. After that, the database decryption key can be generated from the password.

Why is this any better than simply obscuring the password? (You might ask?) Because the hash computation is one-way. It is irreversible. The fact that the hash is of a fixed length means that if an overflow occurs out of the high-order bit of the hash slot, bits get lost and without those lost bits, you have a very large number of possible solutions to the polynomial. Not QUITE infinite since the inputs had to be finite - but it is a REALLY BIG number of possible solutions.

However, just before I left the Navy, they were upgrading requirements to use the 192 bit or 256 bit versions of SHA-1 and the other hashing methods. As tough a nut as the SHA-1/128 was to crack, SHA-1/256 is a nightmare.

__________________
I'm a certified grandpa (3 times now) and proud of it.
Retired over one year and survived being home all day with the wife. She must really love me.
If I have helped you, please either click the thanks or click the scales.
The Following 2 Users Say Thank You to The_Doc_Man For This Useful Post:
isladogs (10-08-2018), RuralGuy (10-08-2018)
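Added example, not part of any poster's message and not Access's own code: a Python sketch of the contrast described in post #16 between a stored password hidden by a constant XOR mask and a stored one-way digest that is only ever compared. The header layout, offsets and mask are constructed for illustration, and PBKDF2-HMAC-SHA256 is a stand-in, not the RC4/SHA-1 scheme used by ACCDB.

```python
import hashlib
import hmac
import os

HEADER_LEN = 32
PW_OFFSET, PW_LEN = 8, 16  # constructed field position, not the Jet layout
# Constructed fixed mask standing in for a constant XOR stream.
FIXED_MASK = hashlib.sha256(b"constructed-demo-mask").digest()[:HEADER_LEN]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def plain_header(password: str) -> bytes:
    """Toy header: magic value, password field, remaining bytes left as zero."""
    header = bytearray(HEADER_LEN)
    header[0:4] = b"TOY1"
    pw = password.encode("ascii")[:PW_LEN]
    header[PW_OFFSET:PW_OFFSET + len(pw)] = pw
    return bytes(header)


def obfuscated_header(password: str) -> bytes:
    """Weak scheme: the password is stored, hidden only by the fixed mask."""
    return xor_bytes(plain_header(password), FIXED_MASK)


def mask_from_known_header(stored: bytes, known_plain: bytes) -> bytes:
    """stored XOR known plaintext = mask; a zero byte stores the mask byte itself."""
    return xor_bytes(stored, known_plain)


def read_password(stored: bytes, mask: bytes) -> str:
    field = xor_bytes(stored, mask)[PW_OFFSET:PW_OFFSET + PW_LEN]
    return field.rstrip(b"\x00").decode("ascii")


def make_verifier(password: str, iterations: int = 200_000) -> dict:
    """Hardened scheme: keep only a salted, iterated one-way digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def check_password(candidate: str, record: dict) -> bool:
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["digest"])  # constant-time compare


if __name__ == "__main__":
    # A test file whose password the auditor set gives a fully known header.
    own = obfuscated_header("audit-test")
    mask = mask_from_known_header(own, plain_header("audit-test"))
    # The same mask opens any other file written with this scheme.
    print(read_password(obfuscated_header("S3cret-Pa55"), mask))
    record = make_verifier("S3cret-Pa55")
    print(check_password("S3cret-Pa55", record), check_password("guess", record))
```

A stored digest can still be guessed offline, so the password's strength and the iteration count decide how long it holds up.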
Old 10-07-2018, 04:59 PM   #17
RuralGuy
AWF VIP
 
Join Date: Jul 2005
Location: @ 8300' in the Colorado Rockies
Posts: 13,814
Thanks: 7
Thanked 309 Times in 299 Posts

Thanks once again Doc. The depth of your knowledge is astounding.
__________________
(RG for short) aka Allan Bunch Previous MS Access MVP acXP, ac07, ac10, ac13 - WinXP Pro, Win7 Pro, Win10 Pro
Please post back to this Forum so all may benefit.
Teaching is not filling a bucket but lighting a fire.
Old 10-07-2018, 06:31 PM   #18
The_Doc_Man

You're welcome, Allan.

That's the sort of stuff I had to learn as a Navy sys admin on a machine that carried sensitive and HIPAA data. I also had to learn how to constructively use them. But since they didn't want me to be a hacker ("certified ethical" or otherwise), I never got that deep into the specific polynomials.

Old 10-08-2018, 12:28 AM   #19
isladogs
Part time moderator
 
Join Date: Jan 2017
Location: Somerset, UK
Posts: 6,987
Thanks: 92
Thanked 1,715 Times in 1,592 Posts

Hi Doc

Actually I understood almost all of it before but your explanation was so clearly written that it filled in the gaps perfectly ...and with no obfuscation!
Well deserved RPs awarded to you.

As you may know, I wrote a lengthy article on Access file security at http://www.mendipdatasystems.co.uk/c...ity/4594431226 .
In that article, I gave several examples showing how a hex editor can be used to read the contents of both MDB and MDE files including those supposedly password protected.
I've done this for files created in Access 97 onwards. I also showed the results for ACCDB files

With your permission I would like to add your explanation to the article.

However, the one part of the original that still isn't clear to me is that, after describing each separately, the JET 3 and 4 section gives different info from that given earlier.
Can you explain the Jet 3 disparity as I have no JET 3 files available to look at (see request below)

Also a request to anyone who can help.
I would like to use a text editor to view an old JET 3 MDB file with a password that was created in Access 95 or earlier.
If anyone has something non confidential I can use, please could you zip and post it here or email it using the link in my signature line.
__________________
If this answer has helped, please click the Thanks button and/or click the 'reputation scales' symbol on the left.

Colin
Previously known as ridders : Access 2010 32-bit, Access 2016 32-bit & 64-bit, SQL Server Express 2014, Windows 10,
Old 10-08-2018, 07:46 AM   #20
shadow9449
Newly Registered User
 
Join Date: Mar 2004
Location: Toronto, Ontario
Posts: 945
Thanks: 6
Thanked 36 Times in 34 Posts

Quote:
Originally Posted by isladogs
By comparison, password protected encryption in ACCDB files is 128-bit and the entire file is encrypted.
I'm not saying it's the best security there is but you'd need to know what you were doing and still work very hard indeed to break the code.
Ok, so 2 (somewhat similar questions):

1. Is it advisable (or even legal) to store credit card information in an encrypted ACCDB?

2. Is it acceptable in most jurisdictions to use encrypted ACCDBs for patient health records, which are privacy-protected by law?

- If yes, then I will agree that this security opens whole new industries and uses for Access that could not be legally implemented in older versions.

- If not, then the protection that it offers means that we've upgraded the security from only locking out people who know very little about anything more than how to use the basic interface (which is probably the majority of users, to be honest) to locking out more determined and more technical baddies. The benefit of this is not substantial enough to redefine what Access can be used for IMO.
Old 10-08-2018, 08:10 AM   #21
isladogs

I don't know the legal requirements with regard to credit card info but I believe there has to be physical separation between client personal details and credit card info. In other words, never stored in the same database.

Similarly I wouldn't recommend storing user passwords in a database. Where clients state it has to be done, I encrypt that information using an RC4 cipher and then separately encrypt the entire datafile.

With regard to both examples you gave I definitely wouldn't use Access for this information but not just for security reasons. SQL Server or similar will provide both additional security but also increased stability and scalability.

However, where Access is suitable in terms of stability and scalability, there is no question in my mind. Both MDB and MDE files are completely insecure. The passwords can be hacked easily and even without doing that, the files can be read using a text editor.

Encrypted ACCDB/ACCDE files are significantly more secure. Using a text editor reveals nothing. Passwords are very difficult to hack and can only be done using brute force. If a strong password is used that will take many hours and possibly more than a day. Will any hacker have access to the file for that long or think it's worth the time and effort?

So if your data is in your opinion suited for storage in Access but contains anything remotely private/confidential, I would definitely advise converting to encrypted ACCDB/ACCDE or SQL Server.
Old 10-08-2018, 10:26 PM   #22
The_Doc_Man

Quote:
1. Is it advisable (or even legal) to store credit card information in an encrypted ACCDB?
In general, legality is a matter of jurisdiction in the USA. However, I would say that it is probably NOT advisable for a pure Access solution. If you had an Access FE and the encrypted stuff was in a back-end that provided some encryption, you might be OK. There IS such a thing as Encrypted SQLnet.

Quote:
2. Is it acceptable in most jurisdictions to use encrypted ACCDBs for patient health records, which are privacy-protected by law?
In the USA, the HIPAA records must be kept according to strict standards. I don't recall that you can make Access use 256-bit encryption and probably cannot choose which of the many encryption algorithms you will use. That would be a barrier. The government standard is going to be one of the block-chain ciphers (of which there are several) and will certainly be of the 256-bit variety. (Which for encryption is the length of the chosen encryption key.) So offhand, I'd say no to medical records, too.

Old 10-08-2018, 10:32 PM   #23
The_Doc_Man

Quote:
Originally Posted by isladogs
With your permission I would like to add your explanation to the article.
Permission granted.

Can't help you much with the "old JET" stuff since I don't have anything going back that far any more. When my wife's previous computer went wheels-up in the ditch a couple of years ago (euphemism for a really ugly hard-drive crash), the last JET3 I had went with it and I had to upgrade the backup copy to the next nearest version of Access I had, which involved JET 4.
Old 10-09-2018, 05:37 AM   #24
shadow9449

@Doc_Man and Colin:

So, I think we've had a good summary of the extent of the security improvements of Access 2010 over the old ULS. In short, it makes it far less likely for someone to hack sensitive data but still not secure enough to open up the medical industry or the ability to integrate with credit card processing to Access users. I think that going ALL the way would be nice...

Cheers
Old 10-09-2018, 06:07 AM   #25
isladogs

Hi shadow
Following my request a forum member kindly sent me what they thought was an Access 95 password protected split database. In fact it was an Access 2000 MDB file with ULS but no password.
It took me less than a minute to open the frontend and copy all database objects & code to a new unprotected database.

ULS is almost completely useless & MS were in my view wise to drop the feature for Access 2007.

You deliberately chose two examples where security issues probably make Access unsuitable. Fair enough!
Where that is needed or legally required, another database is more suitable

However, for the vast majority of databases, 256-bit encryption is unnecessary. The current 128-bit encryption is perfectly good enough for almost all databases.

Nevertheless you can use strong encryption on selected data if you need it e.g. user passwords. You MAY even be able to do that with old MDB files
Old 10-09-2018, 06:31 AM   #26
shadow9449

Quote:
Originally Posted by isladogs
Hi shadow

You deliberately chose two examples where security issues probably make Access unsuitable. Fair enough!
Where that is needed or legally required, another database is more suitable
Exactly. Because in the context of the discussion, this is the point I was making.

i.e. Microsoft DID enhance the security, but not enough to be a game changer. To me, a game changer would mean that I can use an Access/ACE solution for completely new industries that I could not before. It's a bit disappointing that if they are adding encryption anyway that they didn't bother making it HIPAA grade so Access developers have more of a market.

And I do think that if they would, it would be reason for me to migrate.

Makes sense?
Old 10-09-2018, 10:52 AM   #27
June7
Newly Registered User
 
Join Date: Mar 2014
Posts: 819
Thanks: 0
Thanked 185 Times in 185 Posts

I also recommend updating to 2010 - and maybe stopping there. Among other features, couple enhancements you might appreciate (I think both actually came in with 2007):

1. 50 rules available for Conditional Formatting

2. ControlSource property added to Image control
__________________
To provide db: copy, remove confidential data, run compact & repair, zip w/Windows Compression. Attachment Manager is below Advanced editor window, click Go Advanced below Quick Reply window.

Last edited by June7; 10-09-2018 at 11:07 AM.
Old 10-12-2018, 09:49 AM   #28
isladogs

For info, I have updated and extended the article on my website comparing security in Access MDB/MDE with ACCDB/ACCDE files.

Additional information has been added regarding security features available in each version of Access. Many thanks to the Doc_Man for his detailed explanation re encoding/encryption in JET3/JET4/ACE. If you are interested, see:
http://www.mendipdatasystems.co.uk/c...ity/4594444323
http://www.mendipdatasystems.co.uk/a...ion/4594444347

The only version I am currently unable to check fully is Access 2000 as I no longer have the 2000 CD.
If anyone is able to assist by providing me with an ISO file for Office 2000 Pro or Access 2000, I would be very grateful.
