HomeNewsProducts & ServicesDownloadsAccess TutorialsContact UsCheckout  View Cart
Tutorial Tools
Search
Related Tutorials
Protect and Secure Your Database With The Operating System
Outlook Send E-mail Without Security Warning
Microsoft Access Protection - Links
How to make design changes to an Access MDE file
Protect the VBA source code in your MDE files
Tutorial Categories
Beginner Tips
3
Bugs
15
Conversion
2
Corruption
4
Forms
29
General
24
Queries
11
Reports
15
Samples
5
Security
8
Tables
24
VBA / Modules
30

Changing the encryption type in Access 2007


Category:SecurityUser Rating:**** (3 votes)
Applies to:AccesViews:1,174
User Level:IntermediateYour Rating:Your rating: PoorYour rating: Not so goodYour rating: AverageYour rating: GoodYour rating: Excellent
Author:Wayne PhillipsUser Comments:4   Have your say...
Revision:1.2
Date:28/05/2008Bookmark & share:Bookmark with Del.icio.us Digg This! Post to Reddit Share on Facebook Post to StumbleUpon Bookmark with Yahoo Bookmark with Google 

Sign up for our free e-mail newsletter to receive our latest tutorials by e-mail

Access 2007 Encryption Uncovered – Part 1


This article is split into two parts:

As most Access developers know, the encryption system used in Microsoft Access prior to v2007 was as useful as chocolate teapot.  Seriously.   I won't be going over the details again here as it’s been proven many times before that all the option does is slow down your database activity without providing any real protection.

Access 2007 is a different ball game.  Access 2007 solves this by using the Crypto API coupled with using the database password as the encryption key, just like all the other Office applications.  The Crypto API itself gives developers and users access to a number of different ‘Cryptographic Service Providers’.  These providers each offer various encryption algorithms and key length options, depending on what the provider was designed for.  Those kind people at Microsoft have provided us with many different providers, giving us access to a wide variety algorithms for free (since they are built in to the operating system).

At this point I should mention that the new encryption system is only provided in the new .ACCDB file format.  Older .MDB formats are not affected.

A question on the subject of the new Access 2007 encryption got forwarded to me the other day from Garry Robinson over at vb123.com (originally from a guy named Mark Jacobs): 
Hi Garry,

 I hope you can help me with an issue concerning Access 2007 encryption 
 as I have not found anything on the web that has addressed it. 

 I'm getting pushback from my Security group because they do not think 
 Access 2007 can use the Microsoft Enhanced RSA and AES Cryptographic Provider. 
 All we see when we load an encrypted Access database in notepad is 
 M i c r o s o f t B a s e C r y p t o g r a p h i c P r o v i d e r v 1 . 0. 
 
 Microsoft quoted otherwise in their article (see link) and that is where the 
 confusion lies:
 
 Office 2007 Security Guide 

 Maybe there is some sort of XP [group] setting I don't know about. 
 Any ideas would be appreciated as I am at my wit's end. 

 Thank you, 
 
 Mark Jacobs
Good question, Mark.  Indeed, the mentioned article is definitely wrong.

The default encryption provider for Microsoft Access is the 'Microsoft Base Cryptographic Provider v1.0', with RC4 encryption (using a 40-bit key) and the SHA-1 algorithm for password/key hashing.


Why RC4?

Although Access 2007 now uses the Crypto API, we are limited in what encryption algorithms we can use due to the way in which Access reads and writes to the database file.  To understand why, let’s discuss the technical details.

The Access Database Engine stores data in pages (or ‘chunks’) of 4096 bytes in length.  Understandably, encryption also occurs at page-level within the file (each page being encrypted with a different encryption key).

If Access was to read and write to the file in full 4096 byte pages, then we could theoretically use any block cipher encryption such as the much stronger AES algorithm.  Unfortunately this is not the case, by default.  When Record-level locking is switched on, Access writes to each record individually.  In other words, when you change values in a record within a table, the whole 4096 byte page is not re-written to disk – only the single record data is written out.

Normal block ciphers will not work in this scenario since data is encrypted in blocks, not byte by byte.  Encryption that is done by the byte (or even per bit) requires a special type of algorithm – called a stream cipher.  (There is a way around this limitation which will be discussed later in part 2)

The standard Microsoft Cryptographic Service Providers (CSPs) only provide support for one stream cipher…  RC4.  So unless you have third party CSPs that offer other stream ciphers, we’re stuck with RC4.

So we're stuck with RC4.  What's the protection like?

By modern standards it does fall short, although in reality it's not too shabby.  It's implemented very well into Access to prevent from known RC4 crypto attacks that prey on the weaknesses of the algorithm.  For example, every encrypted 'page' has a unique key which is derived from a password hash (which includes random base data) combined with a nonce.

The default encryption uses only a 40-bit key, which does let it down a little, but fortunately this can be bumped up to 128-bit (read on).

The database password is no longer stored in the file, so only brute-force password recovery is possible.

Recommendations

Switch to RC4-128 bit key length (read on for more details)
Use strong passwords to prevent brute-force attack


Stronger than the 'Microsoft Base Cryptographic Provider'

The default Cryptographic Service Provider is 'Microsoft Base Cryptographic Provider' and this provider allows RC4 with up to 56-bit key length.  I suggest we need to increase this to 128-bit, but you will need to change the Cryptographic Service Provider setting in the registry in order to do this.

At this point I’m going to introduce you to a freeware utility that will allow you to change the default encryption provider very easily without having to worry about the technical details…

The Encryption Manager for Microsoft Access 2007

The Encryption Manager lets you change the encryption type on any already encrypted .ACCDB database, and also gives you the option to change the registry setting that overrides the default encryption provider in Microsoft Access.

Download here:  http://www.everythingaccess.com/downloads/EncryptionManagerv1.zip

When you open the application you’re given 3 options;

Option 1 is for viewing and changing the encryption used on a particular database
Option 2 is for viewing the details on all of the Cryptographic Service providers installed on your machine.
Option 3 is for changing the default CSP and algorithms used by Microsoft Access 2007.

You want the third option.  My recommendation is to set the default to 'Microsoft Enhanced Cryptographic Provider v1.0' with RC4-128 as it is available on almost all modern systems.

Once the setting has been saved, each time you use the 'Encrypt with Password' option in Access 2007 your file will be saved with the new RC4-128 encryption.  This can be checked by using the Encryption Manager (option 1) to open the file and it will show you exactly what encryption settings have been used on your file.

If you’d prefer to modify the registry yourself, read the note further below.

Don't forget to have a look at the follow up article (Page 2) here:
Part 2 – Breaking through the boundaries - Upgrading the encryption to AES-256


Modifying the registry manually

Warning: Backup your registry before making changes

Before proceeding please read the restrictions.  (The free Encryption Manager application does all this for you)

Restrictions on changing the default Cryptographic Service Provider

1. The Cryptographic Service Provider you choose must support the RC4 algorithm (CALG_RC4)
2. The Cryptographic Service Provider you choose must support the SHA-1 algorithm (CALG_SHA)

For details on the Microsoft installed CSPs capabilities, please see this article: CryptoAPI Cryptographic Service Providers or use the Encryption Manager (option 2) which shows all the details you need for the CSPs installed on your machine.

My recommendation is to use the 'Microsoft Enhanced Cryptographic Provider v1.0' with RC4-128.  I will now show you exactly how to achieve this.

Changing the default Cryptographic Service Provider

To change the Cryptographic Service Provider, you need to alter a registry setting. The registry key is as follows;

1. Create registry key (if it doesn't exist): 
HKEY_CURRENT_USER/Software/Microsoft/Office/12.0/Common/Security

2. Create Multi-String Value (if doesn't exist): 
HKEY_CURRENT_USER/Software/Microsoft/Office/12.0/Common/Security/DefaultEncryption
The format for the multi-value string is: 
Value 1.  Encryption provider name
Value 2.  Encryption Algorithm
Value 3.  Encryption Key Length
More details here: Important Aspects of Password and Encryption Protection (see heading 'Updating Encryption', although this article applies to Office 2003 but does not affect Access 2003 encryption)
3. For the purpose of this example, enter (on 3 seperate lines): 
Microsoft Enhanced Cryptographic Provider v1.0
RC4
128





Bookmark & share:
Bookmark with Del.icio.us Del.icio.us
Digg This! Digg This!
Post to Reddit Reddit
Share on Facebook Facebook
Post to StumbleUpon StumbleUpon
Bookmark with Yahoo Yahoo
Bookmark with Google Google

Have your say - comment on this article.
What did you think of 'Changing the encryption type in Access 2007'?

What others thought...

1.

Tony Jollans says...

04 June 2008

 
Information on this subject seems sparse. I am trying to make this work in Word but can't get very far with it.

There is a Microsoft KB ((http://support.microsoft.com/kb/946621).) that says the registry Value should be called "DefaultEncryption12" instead of "DefaultEncryption".

When I use "DefaultEncryption" (in compatibity mode), Word 2007 crashes. When I use "DefaultEncryption12" it doesn't crash but it seems to ignore the registry value and insists on using Word 97/2000 compatible 40 bit encryption.

I do realise that this may be 'just' a problem with Word but I do have a couple of questions:
1. Does it work in Access - even using "DefaultEncryption"?
2. Is there another setting somewhere that affects this?

2.

Wayne Phillips says...

05 June 2008

 
@Tony...

Well, from an Access point of view it is definitely DefaultEncryption. DefaultEncryption12 does not work. DefaultEncryption does.

Use the Encryption Manager for Access 2007 (provided with this article) to change the registry key, to be safe (the registry key is common to Word 2007 when saving in Word 2003 format)

I've just tested on Word 2007, saving to Word 2003 format, with the same DefaultEncryption registry entry (provided by the Encryption Manager) and it worked just fine. I then opened the file in a hex editor and could find the Cryptographic Service Provider name I chose in Unicode somewhere in the file, so it worked.

However, I did experience a crash once upon changing the password (I couldn't reproduce it though). It seems a little flakey in Word 2007 SP1, to be honest.

3.

Tony Jollans says...

05 June 2008

 
Thank you, Wayne,

I think the "DefaultEncryption12" may be a red herring - I'll see what I can find out about it.

I had been working with documents created in Word 2003 and hadn't thought to try to create a 2003-format document in 2007. I now see that that works with "DefaultEncryption" as you say so my problem is related to how Word 2007 handles documents created in 2003.

I won't take up any more of your Access time :)

4.

Wayne Phillips says...

05 June 2008

 
No problem, Tony.

If you find out more about the DefaultEncryption12 setting, let me know.

Have your say...
Name
E-mail (e-mail address will not be shown on the website)
Comments
Verification CodeVerify Code
 
Please note:All comments are approved before being displayed on this web page.  This process may take up to 24 hours.


© 2008 iTech Masters. All rights reservedAccess Database RepairTerms of serviceLinksNewsletter