I recently created an Access DB at work, and as horribly exciting as that was for me, it did lead me to wonder: how secure can Access really be? The obvious answer to that is not really at all, but that doesn’t mean you can’t try to lock it and see how far you can get. Sure, any good haX0r could crack an Access DB, but what about “average” people? I bet you could easily lock them out completely. That discussion with myself led me to wonder about encrypting the data within the database. This is Access we’re talking about, so doing that is more of a nuisance in my opinion than a legitimate exercise in security, but it would at least make getting the data out a pain in the ass even for legitimate hackers.
A Google query, which is what all good projects probably start with, led me to this page on stackexchange. Following one of the links posted there I found this site. Intrigued by the code posted there I decided I wanted to try it. That’s where this post really starts.
If you go through the code in that last link you’ll see everything in that class is more or less hard-coded. I also discovered after dropping it into an Access DB that it doesn’t really work. The code is very VB6 and not so much VBA. I’m also not sure exactly where the poster got the code from either. He claims it was taken from “the API-guide” but I have no idea which one, to what, or where.
Finally, after a couple of wasted hours figuring out what I was looking at, and how to make it work for me, I came across some questions for the web to answer for me.
- The code appears to pull directly from the encryption methods built into Windows. In this case I’m on Windows 7. I assume whoever originally wrote it was able to use all the algorithms listed, but I cannot use most of the ones he’s posted. Why is that? What determines which ones are available and which ones are not?
- Instead of just laying out the IDs for each algorithm he goes through some funny junk adding them up. For example, when RC4 in his code is passed into the encryption function, the number 1 isn’t passed in; 26625 is. Why go through the goofy math he does to come up with that? Is it just to help explain each cypher?
- If you go to this site you can see all the different algorithms that are supposedly built into Windows. Why can’t I use, probably, 80 to 90% of the ones listed on that page?
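
The "adding up" in the second question matches how `wincrypt.h` builds each CryptoAPI `ALG_ID`: three non-overlapping bit fields (class, type, and an ID within that type) combined into one number. The C program below is an added example, not code from the linked post; the constant values follow `wincrypt.h`, and the helper function names are made up for this illustration.

```c
#include <stdio.h>
/* Values as defined in wincrypt.h; only a few are reproduced here. */
#define ALG_CLASS_DATA_ENCRYPT (3u << 13) /* bits 15-13: algorithm class */
#define ALG_CLASS_HASH         (4u << 13)
#define ALG_TYPE_ANY           (0u)       /* bits 12-9: algorithm type */
#define ALG_TYPE_BLOCK         (3u << 9)
#define ALG_TYPE_STREAM        (4u << 9)
#define ALG_SID_RC4            1u         /* bits 8-0: ID within that type */
#define ALG_SID_DES            1u         /* same SID as RC4, different type */
#define ALG_SID_AES_256        16u
#define ALG_SID_SHA1           4u

/* The fields never overlap, so OR-ing them equals adding them up. */
unsigned make_alg_id(unsigned cls, unsigned type, unsigned sid) {
    return cls | type | sid;
}
unsigned alg_class(unsigned id) { return id & (7u << 13); }
unsigned alg_type(unsigned id)  { return id & (15u << 9); }
unsigned alg_sid(unsigned id)   { return id & 511u; }

const char *class_name(unsigned id) {
    switch (alg_class(id)) {
    case ALG_CLASS_DATA_ENCRYPT: return "data-encrypt";
    case ALG_CLASS_HASH:         return "hash";
    default:                     return "other";
    }
}

const char *type_name(unsigned id) {
    switch (alg_type(id)) {
    case ALG_TYPE_ANY:    return "any";
    case ALG_TYPE_BLOCK:  return "block";
    case ALG_TYPE_STREAM: return "stream";
    default:              return "other";
    }
}

int main(void) {
    unsigned ids[] = {
        make_alg_id(ALG_CLASS_DATA_ENCRYPT, ALG_TYPE_STREAM, ALG_SID_RC4),
        make_alg_id(ALG_CLASS_DATA_ENCRYPT, ALG_TYPE_BLOCK, ALG_SID_DES),
        make_alg_id(ALG_CLASS_DATA_ENCRYPT, ALG_TYPE_BLOCK, ALG_SID_AES_256),
        make_alg_id(ALG_CLASS_HASH, ALG_TYPE_ANY, ALG_SID_SHA1),
    };
    for (size_t i = 0; i < sizeof ids / sizeof ids[0]; i++)
        printf("%5u (0x%04x) class=%s type=%s sid=%u\n", ids[i], ids[i],
               class_name(ids[i]), type_name(ids[i]), alg_sid(ids[i]));
    return 0;
}
```

RC4 and DES both have SID 1; only the type field (stream versus block) tells them apart, which is why the full 26625 is passed rather than 1.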
That’s all for now. I’ll probably post my version of that code so everyone else can bask in how lame encryption really is for Access using that method. I have since found other sites where people coded AES by hand in VBA. I’ll see how well that works another time.
You can see all the code I eventually ended up with here.