Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Chris Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Encryption problem

Status
Not open for further replies.

easycode

Programmer
Jan 28, 2005
195
US
Hi all

I have found a good encryption routine, it works good, the only problem i have is:
Table encrypted: users table
the users passwords are always encrypted, and iu decrypted when user needs to change password or when user is gonna login the software.

but recently a user was trying to login and he couln't and the password he was typing is correct, the problem is that for some reason the table was encrypted, so if his password was : "abc111" in the encrypted code was "?????"
then the system would never find the "abc111" password, the questions is How can i programmatically identify when the table is encrypted and when is not.

Thanks in advance for any suggestion,

 
Hi EasyCode,

Your info is probalbly not detailed enough to find a solution. It raises some questions:

1) Did you create a custom security system instead of using the access built in system?
2) Is the passwordfield in the table encrypted, or is the whole table encrypted?

EasyIT
 
Hi easyit
you are right, yes i did create a custom security
and just the passwordfield is encrypted, not the whole table.

and also is good the criteria: "to have the password field encrypted all the time, except when user needs to use it in login case or password change"?
or maybe as soon as the user logs in have the encrypted field decrypted and keep in this way during the session and when user is done and before logg off encryt the password field again?
Thanks for replying easyit
 
Hm.

I would suggest you start using the built in security feature. it is a bit harsh to understand at first, but you 'll profit later from the time invested in learning.

Ofcourse, this is not helping you with your orignal question.

If you can encrypt and decrypt the field, then it is jsut a matter of doing that at the right time. What are you reading from the field in order to check the entered password? A necrypted field? What are you comparing it against? A decrypted string?

How does the ecryption work? What are you using?

EasyIT

Btw Do you realize that by surpassing the built in security EVERYBODY that logs into your app. is a ADMINISTRATOR?
 
In terms of creating your own encryption algorithms I would strongly advise that you don't.

Unless you are extremely lucky (or extremely skillful) they almost certainly won't be secure.

You also run the risk of having a fault in your encryption routine that results in data that cannot be correctly decrypted.

MS Access workgroup security isn't that secure either, but I still agree with EasyIT's advice. The other advantage that you have is that you can protect the design of system objects (and therefore your IP rights, if you have any) as well as the data.

Ed Metcalfe.

Please do not feed the trolls.....
 
Thanks for replying guys

but i don't think i have time to research about the built in security feature, i did it at once and i had a bad time, and also i suppose to release a new version of a customized software at the end of this month, and i need to work with this encryption code that was posted by strongm (MIS)a member of tek-tips forums.
it works fine with one user, but i was testing with 3 users trying to login at the same time, but does not work, it also works when the 3 users login each at diferent time.
Here is the code for the encryption. Thanks again



Option Compare Database
Option Explicit

Private Declare Function CryptAcquireContext Lib "advapi32.dll" Alias "CryptAcquireContextA" (ByRef phProv As Long, ByVal pszContainer As String, ByVal pszProvider As String, ByVal dwProvType As Long, ByVal dwFlags As Long) As Long

Private Declare Function CryptReleaseContext Lib "advapi32.dll" (ByVal hProv As Long, ByVal dwFlags As Long) As Long
Private Declare Function CryptCreateHash Lib "advapi32.dll" (ByVal hProv As Long, ByVal Algid As Long, ByVal hKey As Long, ByVal dwFlags As Long, ByRef phHash As Long) As Long
Private Declare Function CryptHashData Lib "advapi32.dll" (ByVal hHash As Long, ByVal pbData As String, ByVal dwDataLen As Long, ByVal dwFlags As Long) As Long

Private Declare Function CryptDeriveKey Lib "advapi32.dll" (ByVal hProv As Long, ByVal Algid As Long, ByVal hBaseData As Long, ByVal dwFlags As Long, phKey As Long) As Long
Private Declare Function CryptDestroyKey Lib "advapi32.dll" (hKey As Long) As Long

Private Declare Function CryptEncrypt Lib "advapi32.dll" (ByVal hKey As Long, ByVal hHash As Long, ByVal Final As Long, ByVal dwFlags As Long, pbData As Any, pdwDataLen As Long, ByVal dwBufLen As Long) As Long
Private Declare Function CryptDecrypt Lib "advapi32.dll" (ByVal hKey As Long, ByVal hHash As Long, ByVal Final As Long, ByVal dwFlags As Long, pbData As Any, pdwDataLen As Long) As Long

Private Const ALG_CLASS_DATA_ENCRYPT As Long = 24576
Private Const ALG_TYPE_RSA As Long = 1024
Private Const ALG_SID_RC4 As Long = 1
Private Const ALG_TYPE_STREAM As Long = 2048
Private Const CALG_MD5 As Long = &H8003& ' Hashing algorithm
Private Const CALG_RC4 As Long = (ALG_CLASS_DATA_ENCRYPT Or ALG_TYPE_STREAM Or ALG_SID_RC4)

Private Const MS_DEFAULT_PROVIDER As String = "Microsoft Base Cryptographic Provider v1.0"
Private Const PROV_RSA_FULL As Long = 1
Private Const CRYPT_VERIFYCONTEXT = &HF0000000

Public Enum EncryptionMode
Encrypt
Decrypt
End Enum

Public Function vbEncrypt(strText As String, strPassword As String) As Byte()
vbEncrypt = CoreCrypto(strText, strPassword, Encrypt)
End Function

Public Function vbDecrypt(strText As String, strPassword As String) As Byte()
vbDecrypt = CoreCrypto(strText, strPassword, Decrypt)
End Function

Private Function CoreCrypto(strText As String, strPassword As String, Mode As EncryptionMode) As Byte()
Dim hProv As Long
Dim ByteBuffer() As Byte
Dim strprovider As String
Dim hHash As Long
Dim hKey As Long
Dim datalen As Long


ByteBuffer = strText

' Grab an RSA-based cryptoapi context using Microsoft's base provider
strprovider = MS_DEFAULT_PROVIDER & vbNullChar
Call CryptAcquireContext(hProv, vbNullString, strprovider, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT) ' final param could be 0&

' Generate a hash of the password
Call CryptCreateHash(hProv, CALG_MD5, 0, 0, hHash)
Call CryptHashData(hHash, strPassword, Len(strPassword), 0)

' Derive a key symmetric key based on hashed password
Call CryptDeriveKey(hProv, CALG_RC4, hHash, 0&, hKey)

' Apply decryption or encryption using derived key
datalen = UBound(ByteBuffer)
Select Case Mode
Case Encrypt
Call CryptEncrypt(hKey, 0, 1, 0, ByteBuffer(0), datalen, UBound(ByteBuffer))
Case Decrypt
Call CryptDecrypt(hKey, 0, 1, 0, ByteBuffer(0), UBound(ByteBuffer))
End Select

CoreCrypto = ByteBuffer

' Clean up
CryptDestroyKey hKey
CryptReleaseContext hProv, 0&
End Function


 
Well,

I think you will stay in trouble with this approach. It doesn't seem te be an encryption problem, but a multiuser (security) problem. As I said, every user is a administrator. It is very well possible that anybody loggin in to the DB has done so exclusively - and so preventing others to enter the db properly.

You will be better of using Access security - even if it is flawed. The big flaw is that it is easily hacked with commercial tools that you can purchase online. Nonetheless it does enable you to deploy multiuser db's. just don't store your creditcardnumbers in an access db!

To secure and deploy a db to multiple users you need to do the following steps:

1) secure your de
2) split the db in front end (no tables) end back end (only tables).
2) Make the backend network accesible
3) distribute the (compiled/mde) frontend to the users.

I can guide you thru it if you want - let me know. Basically you can have it running within a day - depending on the size of your app.

EasyIT

 
(an aside) question:

How come you need to decrypt? Wouldn't you be better of using a one-way encryption algorithm - the password is validated by an exact string match on the encrypted strings ie Does the encryped user-supplied password match the stored value.

cheers,
dan.
 
Thanks much for replying
DanJr that's a good idea i'll try to do it.
easyit, i'd like to use the built in security feature, in the meantime i will use DanJr's idea, So please post the "I can guide you thru it if you want", thanks again
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top