Solved

How hackable are 56 bit field encrypted FileMaker Pro databases?

Posted on 2014-03-04
3
1,388 Views
Last Modified: 2014-03-10
We have contracted with an outside vendor to do some data management for us and we are assessing the level at which they are protecting our data.  We do not have any FileMaker Pro or encryption experts on staff, so I'm turning to EE.

So far we have determined that the vendor is storing (and making publicly available per necessity) a CD containing a FileMaker Pro database (currently fp7 but I upgraded it to fmp12 easily).  The database is password protected but a cheap $30 hack tool found what appears to be a non-admin account username and password.  Their database appears "protected" by a startup script, but my understanding is that anyone with FMP Adv can bypass that script.  I wasn't able to block the script with FMP.

Either way, by creating a new database and using relationships, I have been able to extract what appears to be all of the fields in the database into an excel file.  While most fields are plain text, we know the critical few fields are protected with 56-bit Blowfish encryption.  Obviously a hacker would have no direct way of knowing the key.

My question to the hackers out there - how safe is 56-bit blowfish encryption?  With modern desktop computing power, and 100,000+ records in the file, each with several encrypted fields, wouldn't even a brute force attack by a novice hacker be able to decrypt the file within hours or at most a few days?  I thought 56-bit went out in the late 90s.  

The data isn't super sensitive but we still don't want it easily hacked.  How secure do you experts feel a start up script, password protected FileMaker Pro database is using 56-bit blowfish encryption at the field level.  Would someone be able to use FileMaker Pro Adv to block the startup script, view the script source and find the encryption key?  I assume the key must be stored in the database somewhere, or can FileMaker Pro files be compiled to make the information hidden?  Would you be comfortable having your data protected in this way?

Thank you for your help.
0
Comment
Question by:FNDAdmin
3 Comments
 
LVL 23

Assisted Solution

by:Mysidia
Mysidia earned 250 total points
ID: 39905570
"Would someone be able to use FileMaker Pro Adv to block the startup script, view the script source and find the encryption key?  I assume the key must be stored in the database somewhere"

This may depend on the Filemaker version.  I understand Filemaker 13 Advanced uses AES-256 encryption;   this could be secure as long as the keys are adequately secured, AND you do not distribute your encryption key together with the database.
http://www.dbservices.com/articles/rest-easy-with-encrypted-databases-in-filemaker-13


If you can easily get valid user credentials to "open" the database up to the point of running scripts ----  and the key is indeed stored there... then presumably with some effort, the blowfish encryption can be bypassed.

For the blowfish field encryption to be secured , the encryption key itself needs to be secured via either separate storage or by requiring a strong password  to decrypt/gain access to the blowfish key.
0
 
LVL 6

Accepted Solution

by:
slinkygn earned 250 total points
ID: 39914200
Well, since you've extracted the data from the FM database successfully, this is less a FileMaker question and more a security/encryption question -- as 56-bit Blowfish is 56-bit Blowfish, no matter what the data source.

That being said, there are two fairly common Blowfish plugins for FileMaker, and so two likely ways those fields were encrypted.  The currently most well-known is from SkyDancer Studios: http://www.skydancerstudios.com/ but the more likely one for an older database is probably the MonkeyBread Software plugin: http://www.monkeybreadsoftware.de/filemaker/ that does Blowfish encryption and about a bazillion other things.  If you install one or both of those plugins, and can enter the file using FileMaker and some account with sufficient access to this (and perhaps bypass that open script -- yes, FMP Advanced is the easiest way to do that), you may be able to access the data unencrypted.

If that fails, and you are sure that it's 56-bit Blowfish (that's an unusual size for a Blowfish key, and it's suspiciously similar to the max-key-size 56 *bytes* or 448 bits for Blowfish -- are we sure it's 56 bits?), then yes, brute-force attacks against 56-bit keys should be trivially easy with a modern processor.  Days at most, hours if you have decent hardware for it.  The Linux software Jack the Ripper is pretty much the gold-standard brute-force tool for this sort of thing... but we're getting a little bit away from the original intent of the question at that point, I think?
0
 

Author Comment

by:FNDAdmin
ID: 39917428
Turns out it was 56-byte not 56-bit, but Mysidia's [point that the key might not be stored securely is something we are looking into now.  Thank you.
0

Featured Post

Free Tool: Postgres Monitoring System

A PHP and Perl based system to collect and display usage statistics from PostgreSQL databases.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

This paper addresses the security of Sennheiser DECT Contact Center and Office (CC&O) headsets. It describes the DECT security chain comprised of “Pairing”, “Per Call Authentication” and “Encryption”, which are all part of the standard DECT protocol.
Since pre-biblical times, humans have sought ways to keep secrets, and share the secrets selectively.  This article explores the ways PHP can be used to hide and encrypt information.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

807 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question