This article is split into two parts:
As most Access developers know, the encryption system used in Microsoft Access prior to v2007 was as useful as a chocolate teapot. Seriously.
I won't be going over the details again here, as it’s been proven many times before that all the option does is slow down your database activity
without providing any real protection.
Access 2007 is a different ball game. Access 2007 solves this by using the Crypto API coupled with using the database password as the
encryption key, just like all the other Office applications. The Crypto API itself gives developers and
users access to a number of different ‘Cryptographic Service Providers’. These providers each offer various encryption algorithms and key length options,
depending on what the provider was designed for. Those kind people at Microsoft have provided us with many different providers, giving us access to a wide variety of algorithms for free
(since they are built in to the operating system).
At this point I should mention that the new encryption system is only provided in the new .ACCDB file format. Older .MDB formats are not affected.
A question on the subject of the new Access 2007 encryption got forwarded to me the other day from Garry Robinson over at vb123.com (originally from a guy named Mark Jacobs):
Hi Garry,
I hope you can help me with an issue concerning Access 2007 encryption
as I have not found anything on the web that has addressed it.
I'm getting pushback from my Security group because they do not think
Access 2007 can use the Microsoft Enhanced RSA and AES Cryptographic Provider.
All we see when we load an encrypted Access database in notepad is
M i c r o s o f t B a s e C r y p t o g r a p h i c P r o v i d e r v 1 . 0.
Microsoft quoted otherwise in their article (see link) and that is where the
confusion lies:
Office 2007 Security Guide
Maybe there is some sort of XP [group] setting I don't know about.
Any ideas would be appreciated as I am at my wit's end.
Thank you,
Mark Jacobs
Good question, Mark. Indeed, the mentioned article is definitely wrong.
The default encryption provider for Microsoft Access is the 'Microsoft Base Cryptographic Provider v1.0',
with RC4 encryption (using a 40-bit key) and the SHA-1 algorithm for password/key hashing.
Why RC4?
Although Access 2007 now uses the Crypto API, we are limited in what encryption algorithms we can use due to the way in
which Access reads and writes to the database file. To understand why, let’s discuss the technical details.
The Access Database Engine stores data in pages (or ‘chunks’) of 4096 bytes in length. Understandably, encryption also
occurs at page-level within the file (each page being encrypted with a different encryption key).
If Access were to read and write to the file in full 4096-byte pages, then we could theoretically use any block cipher
such as the much stronger AES algorithm. Unfortunately this is not the case, by default. When record-level locking is switched
on, Access writes to each record individually. In other words, when you change values in a record within a table, the whole 4096-byte
page is not re-written to disk – only the single record data is written out.
Normal block ciphers will not work in this scenario since data is encrypted in blocks, not byte by byte. Encryption that is done
by the byte (or even per bit) requires a special type of algorithm – called a stream cipher. (There is a way around this limitation
which will be discussed later in part 2)
The standard Microsoft Cryptographic Service Providers (CSPs) only provide support for one stream cipher… RC4. So unless you have
third party CSPs that offer other stream ciphers, we’re stuck with RC4.
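The record-level write described above, as an added PowerShell illustration that is not code from the original article or from Access. The per-page key derivation (SHA-1 of the password hash and a page number), the password, the record contents and the offset are all constructed assumptions; only the 4096-byte page size and the use of RC4 come from the text.

```powershell
# Added illustration only: key derivation and record layout are assumptions,
# not the Access file format.
function Get-Rc4Keystream([byte[]]$Key, [int]$Length) {
    $s = [byte[]](0..255)
    $j = 0
    for ($i = 0; $i -lt 256; $i++) {                  # key scheduling
        $j = ($j + $s[$i] + $Key[$i % $Key.Length]) % 256
        $s[$i], $s[$j] = $s[$j], $s[$i]
    }
    $out = New-Object byte[] $Length
    $i = 0; $j = 0
    for ($n = 0; $n -lt $Length; $n++) {              # one keystream byte per data byte
        $i = ($i + 1) % 256
        $j = ($j + $s[$i]) % 256
        $s[$i], $s[$j] = $s[$j], $s[$i]
        $out[$n] = $s[($s[$i] + $s[$j]) % 256]
    }
    return ,$out
}

$pageSize = 4096
$sha1     = [System.Security.Cryptography.SHA1]::Create()
$pwHash   = $sha1.ComputeHash([Text.Encoding]::UTF8.GetBytes('constructed-password'))
# Hypothetical per-page key: SHA-1(password hash || page number), truncated to 128 bits.
$material = [byte[]]($pwHash + [BitConverter]::GetBytes([int]7))
$pageKey  = [byte[]]($sha1.ComputeHash($material)[0..15])
$ks       = Get-Rc4Keystream $pageKey $pageSize

# Encrypt a constructed plaintext page (all zero bytes).
$disk = New-Object byte[] $pageSize
for ($n = 0; $n -lt $pageSize; $n++) { $disk[$n] = 0x00 -bxor $ks[$n] }
$before = $disk.Clone()

# Record-level write: encrypt and store only the record's bytes at its offset.
$record = [Text.Encoding]::ASCII.GetBytes('constructed record')
$offset = 100
for ($n = 0; $n -lt $record.Length; $n++) {
    $disk[$offset + $n] = $record[$n] -bxor $ks[$offset + $n]
}

# Count the ciphertext bytes that changed, then decrypt the whole page again.
$changed = 0
for ($n = 0; $n -lt $pageSize; $n++) { if ($disk[$n] -ne $before[$n]) { $changed++ } }
$plain = New-Object byte[] $pageSize
for ($n = 0; $n -lt $pageSize; $n++) { $plain[$n] = $disk[$n] -bxor $ks[$n] }
"bytes changed on disk: $changed of $pageSize"
[Text.Encoding]::ASCII.GetString($plain, $offset, $record.Length)
```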
So we're stuck with RC4. What's the protection like?
By modern standards it does fall short, although in reality it's not too shabby. It's implemented very well in Access, in a way that protects
against known RC4 crypto attacks that prey on the weaknesses of the algorithm. For example, every encrypted 'page' has a unique key
which is derived from a password hash (which includes random base data) combined with a nonce.
The default encryption uses only a 40-bit key, which does let it down a little, but fortunately this can be bumped up to 128-bit (read on).
The database password is no longer stored in the file, so only brute-force password recovery is possible.
Recommendations
Switch to RC4-128 bit key length (read on for more details)
Use strong passwords to prevent brute-force attack
Stronger than the 'Microsoft Base Cryptographic Provider'
The default Cryptographic Service Provider is 'Microsoft Base Cryptographic Provider' and this provider allows RC4
with up to 56-bit key length. I suggest we need to increase this to 128-bit, but you will need to change the
Cryptographic Service Provider setting in the registry in order to do this.
At this point I’m going to introduce you to a freeware utility that will allow you to change the default encryption
provider very easily without having to worry about the technical details…
The Encryption Manager for Microsoft Access 2007
The Encryption Manager lets you change the encryption type on any already encrypted .ACCDB database, and also
gives you the option to change the registry setting that overrides the default encryption provider in Microsoft Access.
Download here:
http://www.everythingaccess.com/downloads/EncryptionManagerv1.zip
When you open the application you’re given 3 options:
Option 1 is for viewing and changing the encryption used on a particular database
Option 2 is for viewing the details on all of the Cryptographic Service providers installed on your machine.
Option 3 is for changing the default CSP and algorithms used by Microsoft Access 2007.
You want the third option. My recommendation is to set the default to
'Microsoft Enhanced Cryptographic Provider v1.0' with RC4-128
as it is available on almost all modern systems.
Once the setting has been saved, each time you use the 'Encrypt with Password' option in Access 2007 your file
will be saved with the new RC4-128 encryption. This can be checked by using the Encryption Manager (option 1)
to open the file and it will show you exactly what encryption settings have been used on your file.
If you’d prefer to modify the registry yourself, read the note further below.
Don't forget to have a look at the follow up article (Page 2) here:
Part 2 – Breaking through the boundaries - Upgrading the encryption to AES-256
Modifying the registry manually
Warning: Back up your registry before making changes
Before proceeding please read the restrictions. (The free Encryption Manager application does all this for you)
Restrictions on changing the default Cryptographic Service Provider
1. The Cryptographic Service Provider you choose must support the RC4 algorithm (CALG_RC4)
2. The Cryptographic Service Provider you choose must support the SHA-1 algorithm (CALG_SHA)
For details on the capabilities of the CSPs installed by Microsoft, please see this article:
CryptoAPI Cryptographic Service Providers, or use the Encryption Manager (option 2), which shows all the details you need for the CSPs installed on your machine.
My recommendation is to use the 'Microsoft Enhanced Cryptographic Provider v1.0' with RC4-128. I will now show you exactly how to achieve this.
Changing the default Cryptographic Service Provider
To change the Cryptographic Service Provider, you need to alter a registry setting. The registry key is as follows:
1. Create registry key (if it doesn't exist):
HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\Security
2. Create Multi-String Value (if it doesn't exist):
HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\Security\DefaultEncryption
The format for the multi-value string is:
Value 1. Encryption provider name
Value 2. Encryption Algorithm
Value 3. Encryption Key Length
More details here:
Important Aspects of Password and Encryption Protection (see heading 'Updating Encryption'; note that this article applies to
Office 2003, but the setting does not affect Access 2003 encryption)
3. For the purpose of this example, enter (on 3 separate lines):
Microsoft Enhanced Cryptographic Provider v1.0
RC4
128
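The three manual steps above as one PowerShell script (an added example, not part of the original article or of the Encryption Manager). The key path, value name and three strings are the ones given above; the check that the provider is installed reads the standard CryptoAPI provider registration key under HKLM, and saving the previous value for rollback is an addition here.

```powershell
# Added example: sets the Access 2007 default encryption provider per the steps above.
$provider  = 'Microsoft Enhanced Cryptographic Provider v1.0'
$algorithm = 'RC4'
$keyLength = '128'

# Installed CSPs are registered under this key; do not point Access at a missing one.
$cspKey = "HKLM:\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\$provider"
if (-not (Test-Path -LiteralPath $cspKey)) {
    throw "CSP '$provider' is not installed on this machine; registry left unchanged."
}

# Step 1: create the Security key if it doesn't exist.
$secKey = 'HKCU:\Software\Microsoft\Office\12.0\Common\Security'
if (-not (Test-Path -LiteralPath $secKey)) {
    New-Item -Path $secKey -Force | Out-Null
}

# Show any previous value so the change can be reverted by hand.
$old = (Get-ItemProperty -LiteralPath $secKey -Name DefaultEncryption `
        -ErrorAction SilentlyContinue).DefaultEncryption
if ($old) { "Previous DefaultEncryption: $($old -join ' | ')" }

# Steps 2 and 3: multi-string value holding provider, algorithm and key length.
New-ItemProperty -LiteralPath $secKey -Name DefaultEncryption -PropertyType MultiString `
    -Value @($provider, $algorithm, $keyLength) -Force | Out-Null

# Read the value back and confirm all three strings were stored in order.
$now = (Get-ItemProperty -LiteralPath $secKey -Name DefaultEncryption).DefaultEncryption
if ($now.Count -ne 3 -or $now[0] -ne $provider -or
    $now[1] -ne $algorithm -or $now[2] -ne $keyLength) {
    throw 'DefaultEncryption was not written as expected.'
}
"DefaultEncryption is now: $($now -join ' | ')"
```

The setting only affects databases encrypted after the change; a file that is already encrypted keeps its existing settings until it is re-encrypted.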