  1. #1
    Join Date
    Mar 2004
    Posts
    139

    Unanswered: password encryption

    Is there any way, inherent or otherwise, to encrypt, store and compare passwords in an .adp application?
    Thanks,
    Bill

  2. #2
    Join Date
    Nov 2003
    Posts
    1,487
    Here is a very simple function that will both encrypt and decrypt passwords or any string you like. Simply pass the function the password string you wish to encrypt, and a short key (to make it much harder to break your encryption), and it will return an Encrypted String. If you pass this function the Encrypted String then it will translate it back into plain text again.

    All you need do is to place this function into a database code module. Where and how you use it is up to you.
    Code:
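    Public Function StrgEncrypt(ByVal Strg As String, ByVal StrgKey As String) As String
        ' Repeating-key XOR: each character of Strg is XORed with the next
        ' character of StrgKey, wrapping around when the key runs out.
        ' Calling it again with the same key reverses the operation.
        Dim CharCount As Long
        Dim LngPointer As Long   ' zero-based position in StrgKey
        For CharCount = 1 To Len(Strg)
            Mid(Strg, CharCount, 1) = Chr((Asc(Mid(Strg, CharCount, 1))) Xor (Asc(Mid(StrgKey, LngPointer + 1, 1))))
            LngPointer = ((LngPointer + 1) Mod Len(StrgKey))
        Next CharCount
        StrgEncrypt = Strg
    End Function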

    Last edited by CyberLynx; 11-02-05 at 00:11.
    Environment:
    Self Taught In ALL Environments.....And It Shows!


  3. #3
    Join Date
    Dec 2002
    Location
    Préverenges, Switzerland
    Posts
    3,740
    homemade crypto is always a risk, consider using one of the standard algos.


    e.g. set a reference to the capicom library and...

    Public Function myHash(plainText As String) As String
        ' Returns the SHA-1 hash of plainText via CAPICOM's HashedData object.
        Dim obHash As New CAPICOM.HashedData
        obHash.Algorithm = CAPICOM_HASH_ALGORITHM_SHA1
        obHash.Hash ByVal plainText
        myHash = obHash.Value
    End Function

    ...SHA1 is not perfect. there are stronger algos in capicom - try some experiments.

    store only the hashed password. hash the user input and compare with the saved hash.

    izy
    Last edited by izyrider; 10-29-05 at 05:27.
    currently using SS 2008R2
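
Added example, not part of the thread and not any poster's code: a Python sketch (chosen so it runs anywhere, rather than VBA) contrasting the repeating-key XOR routine from post #2 with the "store only the hash, hash the input and compare" approach from post #3. It goes beyond the thread by using a per-password salt and PBKDF2-HMAC-SHA256 instead of a bare SHA-1; all function names, the sample key and password, and the iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os

def strg_encrypt(text: bytes, key: bytes) -> bytes:
    """Port of the thread's StrgEncrypt: repeating-key XOR (encrypts and decrypts)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(text))

def key_stream_from_known_pair(plain: bytes, stored: bytes) -> bytes:
    """Why XOR storage is unsafe: known password XOR stored value = key bytes."""
    return bytes(p ^ c for p, c in zip(plain, stored))

def hash_password(password: str, iterations: int = 200_000):
    """Return (salt, iterations, digest); only these are stored, never the password."""
    salt = os.urandom(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, iterations, digest

def verify_password(password: str, salt: bytes, iterations: int, digest: bytes) -> bool:
    """Re-hash the user input with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)

if __name__ == "__main__":
    key = b"k3y"                               # constructed sample key
    stored = strg_encrypt(b"hunter2", key)     # constructed sample password
    print("XOR round trip:", strg_encrypt(stored, key))
    print("key bytes exposed by one known pair:", key_stream_from_known_pair(b"hunter2", stored))
    record = hash_password("hunter2")
    print("correct password verifies:", verify_password("hunter2", *record))
    print("wrong password verifies:", verify_password("hunter3", *record))
```

The XOR scheme protects every stored password with the same recoverable key, while the salted hash gives a different stored value for each user even when two users pick the same password.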

  4. #4
    Join Date
    Mar 2004
    Posts
    139
    Thanks for both of the tips. If I understand Capicom correctly, I would need to install the Capicom.dll on all of the client machines, which isn't feasible in my environment. Can Capicom be executed via calls to stored procedures so that I would only need to install the Capicom.dll on my SQL server?
    Thanks,
    Bill

  5. #5
    Join Date
    Nov 2004
    Location
    out on a limb
    Posts
    13,692
    Provided Answers: 59
    Before writing off the dll - have a look to see if it is already installed. It is on XP & NT machines (or at least those I can look at today)

    Agree with izyrider, homebrew encryption is usually flawed and fairly easily broken (if someone has a mind to). However it may be sufficient - I suppose it depends on who you are trying to protect against, and how sensitive the data is, or how costly a breach of security is. In any event unless you are deploying as an MDE any routine you write or use is visible to users of an MDB - another good reason to use the DLL or an MDE.

  6. #6
    Join Date
    Dec 2002
    Location
    Préverenges, Switzerland
    Posts
    3,740
    installing capicom is not beyond the average user and it is freely downloadable from m$

    capicom makes working with cryptoapi soooooo easy. you can of course work directly with cryptoapi, but it is way more difficult.

    the net is not rich in access examples using cryptoapi... if you want to explore, some decent places to start (that won't require too much translation) include:

    vb & cryptoapi:
    http://www.rgagnon.com/examples/cryptoapi_in_vb.txt
    http://www.thevbzone.com/cCrypt.cls
    http://www.codetoad.com/vb_crypto_api.asp
    http://www.flying-pasty.ndtilda.co.uk/CryptoAPI.txt

    mentalis also has good stuff. start with
    http://www.mentalis.org/apilist/CryptCreateHash.shtml
    and browse around

    worth a read:
    http://blogs.msdn.com/ericlippert/ar...07/368569.aspx

    and finally, another comment on homemade crypto:
    http://discuss.fogcreek.com/joelonso...w&ixPost=57153

    have fun!

    izy
    Last edited by izyrider; 10-29-05 at 13:42.
    currently using SS 2008R2

  7. #7
    Join Date
    Mar 2004
    Posts
    139
    Thanks izy...it's not that installing the dll is complicated...just that as someone put it, would the network IT trolls allow it. In my environment it takes an act of Congress to get anything put on a client machine...or provincially, an act of Parliament in Healdem's case, or an act of the Assemblée Fédérale for you.

    Thanks again...
    Thanks,
    Bill

  8. #8
    Join Date
    Mar 2004
    Posts
    139
    Thanks for the links, they're helpful. In the Microsoft documentation there are all kinds of references to the capicom.dll...but as I look at the encryption examples in the links they all reference the advapi32.dll, don't see reference to capicom.dll.
    Thanks,
    Bill

  9. #9
    Join Date
    Dec 2002
    Location
    Préverenges, Switzerland
    Posts
    3,740
    capicom is an interface to advapi32.dll (which is microsoft's "CryptoAPI")

    even with capicom, all the crypto work is done by advapi32.dll

    you can make capicom do something useful with a few lines of code.

    it is much more complex to work with advapi directly - multiple declares and a careful call sequence ...the vb URLs i listed should show what a pain it is, but it is still very do-able.

    izy
    currently using SS 2008R2

  10. #10
    Join Date
    Dec 2002
    Location
    Préverenges, Switzerland
    Posts
    3,740
    google gives me this as its first hit for "capicom". no idea what a COM interface is (and i don't care as long as it makes my life easier!).

    What Is CAPICOM?
    CAPICOM is a Microsoft® ActiveX® control that provides a COM interface to Microsoft CryptoAPI. It exposes a select set of CryptoAPI functions to enable application developers to easily incorporate digital signing and encryption functionality into their applications. Because it uses COM, application developers can access this functionality in a number of programming environments such as Microsoft® Visual Basic®, Visual Basic Script, Active Server Pages, Microsoft® JScript®, C++, and others. CAPICOM is packaged as an ActiveX control, allowing Web developers to utilize it in Web based applications as well.

    at microblurb


    izy
    currently using SS 2008R2

  11. #11
    Join Date
    Mar 2003
    Location
    The Bottom of The Barrel
    Posts
    6,102
    Provided Answers: 1
    Just out of curiosity, what kind of authentication are you using server side? If you're using ntauth, what is the purpose of crypto? Do you have some application level security built in?
    oh yeah... documentation... I have heard of that.

    *** What Do You Want In The MS Access Forum? ***

  12. #12
    Join Date
    Mar 2004
    Posts
    139
    Yes...it uses authentication but there is another app layer security.
    Thanks,
    Bill

  13. #13
    Join Date
    Mar 2003
    Location
    The Bottom of The Barrel
    Posts
    6,102
    Provided Answers: 1
    Well, if you have ntauth server side, you could refer to control tables to determine credentials for whatever app-level activities you're trying to regulate. Unless you run a tangible risk of more than one user logging on with the same ntauth, then I can see where this is absolutely necessary.
    oh yeah... documentation... I have heard of that.

    *** What Do You Want In The MS Access Forum? ***
