Solved

How hackable are 56 bit field encrypted FileMaker Pro databases?

Posted on 2014-03-04
1,340 Views
Last Modified: 2014-03-10
We have contracted with an outside vendor to do some data management for us and we are assessing the level at which they are protecting our data.  We do not have any FileMaker Pro or encryption experts on staff, so I'm turning to EE.

So far we have determined that the vendor is storing (and making publicly available per necessity) a CD containing a FileMaker Pro database (currently fp7 but I upgraded it to fmp12 easily).  The database is password protected but a cheap $30 hack tool found what appears to be a non-admin account username and password.  Their database appears "protected" by a startup script, but my understanding is that anyone with FMP Adv can bypass that script.  I wasn't able to block the script with FMP.

Either way, by creating a new database and using relationships, I have been able to extract what appears to be all of the fields in the database into an Excel file.  While most fields are plain text, we know the critical few fields are protected with 56-bit Blowfish encryption.  Obviously a hacker would have no direct way of knowing the key.

My question to the hackers out there - how safe is 56-bit Blowfish encryption?  With modern desktop computing power, and 100,000+ records in the file, each with several encrypted fields, wouldn't even a brute-force attack by a novice hacker be able to decrypt the file within hours or at most a few days?  I thought 56-bit went out in the late 90s.

The data isn't super sensitive but we still don't want it easily hacked.  How secure do you experts feel a password-protected FileMaker Pro database with a start-up script is, using 56-bit Blowfish encryption at the field level?  Would someone be able to use FileMaker Pro Adv to block the start-up script, view the script source and find the encryption key?  I assume the key must be stored in the database somewhere, or can FileMaker Pro files be compiled to make the information hidden?  Would you be comfortable having your data protected in this way?

Thank you for your help.
Question by:FNDAdmin
3 Comments
LVL 23

Assisted Solution

by:Mysidia
Mysidia earned 250 total points
ID: 39905570
"Would someone be able to use FileMaker Pro Adv to block the startup script, view the script source and find the encryption key?  I assume the key must be stored in the database somewhere"

This may depend on the FileMaker version.  I understand FileMaker 13 Advanced uses AES-256 encryption; this could be secure as long as the keys are adequately secured, AND you do not distribute your encryption key together with the database.
http://www.dbservices.com/articles/rest-easy-with-encrypted-databases-in-filemaker-13


If you can easily get valid user credentials to "open" the database up to the point of running scripts -- and the key is indeed stored there... then presumably, with some effort, the Blowfish encryption can be bypassed.

For the Blowfish field encryption to be secured, the encryption key itself needs to be secured via either separate storage or by requiring a strong password to decrypt/gain access to the Blowfish key.
LVL 6

Accepted Solution

by:slinkygn
slinkygn earned 250 total points
ID: 39914200
Well, since you've extracted the data from the FM database successfully, this is less a FileMaker question and more a security/encryption question -- as 56-bit Blowfish is 56-bit Blowfish, no matter what the data source.

That being said, there are two fairly common Blowfish plugins for FileMaker, and so two likely ways those fields were encrypted.  The currently most well-known is from SkyDancer Studios: http://www.skydancerstudios.com/ but the more likely one for an older database is probably the MonkeyBread Software plugin: http://www.monkeybreadsoftware.de/filemaker/ that does Blowfish encryption and about a bazillion other things.  If you install one or both of those plugins, and can enter the file using FileMaker and some account with sufficient access to this (and perhaps bypass that open script -- yes, FMP Advanced is the easiest way to do that), you may be able to access the data unencrypted.

If that fails, and you are sure that it's 56-bit Blowfish (that's an unusual size for a Blowfish key, and it's suspiciously similar to the max key size of 56 *bytes* or 448 bits for Blowfish -- are we sure it's 56 bits?), then yes, brute-force attacks against 56-bit keys should be trivially easy with a modern processor.  Days at most, hours if you have decent hardware for it.  The Linux software John the Ripper is pretty much the gold-standard brute-force tool for this sort of thing... but we're getting a little bit away from the original intent of the question at that point, I think?
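Added worked example (written for this page; it is not code from the thread, from FileMaker, or from either Blowfish plugin). It puts numbers on the two points raised in the answers above: what a "56 bit" versus "56 byte" Blowfish key means for exhaustive search, and how a field-encryption key can be derived from a passphrase at run time so that it never sits in the database file or its start-up script. The trial rate (1e9 keys/s), the passphrase, the salt and the mock script bytes are constructed/assumed values, not measurements of the vendor's database.

```python
"""Added example for this page: not code from the thread, FileMaker or any
Blowfish plugin.  (1) why "56 bit" and "56 byte" are very different claims
for a Blowfish key; (2) a key derived from a passphrase at run time versus a
key literal stored in the file.  Rates, passphrases and salts are assumed."""
import hashlib
import secrets

# Blowfish accepts keys of 32..448 bits (4..56 bytes).
BLOWFISH_MIN_KEY_BITS = 32
BLOWFISH_MAX_KEY_BITS = 448


def key_bits(size: int, unit: str) -> int:
    """Convert a stated key size ("56 bit" or "56 byte") into bits and
    reject sizes Blowfish cannot use."""
    if unit == "bit":
        bits = size
    elif unit == "byte":
        bits = size * 8
    else:
        raise ValueError(f"unknown unit {unit!r}, expected 'bit' or 'byte'")
    if not BLOWFISH_MIN_KEY_BITS <= bits <= BLOWFISH_MAX_KEY_BITS:
        raise ValueError(f"{bits}-bit key is outside Blowfish's 32..448-bit range")
    return bits


def brute_force_seconds(bits: int, keys_per_second: float) -> float:
    """Expected exhaustive-search time: on average half the keyspace is tried
    before the right key turns up.  keys_per_second is an assumed trial rate;
    Blowfish's key schedule (it rebuilds about 4 KB of P-array/S-boxes per
    key) keeps real rates well below raw block-encryption throughput."""
    if not 1 <= bits <= BLOWFISH_MAX_KEY_BITS:
        raise ValueError("bits out of range")
    return 2 ** (bits - 1) / keys_per_second


def derive_key(passphrase: str, salt: bytes, key_bytes: int = 56,
               iterations: int = 200_000) -> bytes:
    """Derive a Blowfish-sized key from a user-supplied passphrase with
    PBKDF2-HMAC-SHA256.  Only the salt and iteration count need to live in
    the database; the key exists in memory only after the passphrase is
    typed, so reading the file or its start-up script does not yield it."""
    if not 4 <= key_bytes <= 56:
        raise ValueError("Blowfish keys are 4..56 bytes")
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                               salt, iterations, dklen=key_bytes)


def embedded_key_offset(file_bytes: bytes, key: bytes) -> int:
    """Model the weak design: a key stored as a literal in the file/script is
    found by a plain byte search by anyone who can read the file.  Returns
    the offset, or -1 if the key is not present verbatim."""
    return file_bytes.find(key)


if __name__ == "__main__":
    for size, unit in ((56, "bit"), (56, "byte")):
        bits = key_bits(size, unit)
        days = brute_force_seconds(bits, 1e9) / 86_400   # assumed 1e9 trials/s
        print(f"{size} {unit}: {bits}-bit key, ~{days:.3g} days at 1e9 keys/s")

    # Constructed mock of a script that carries its key as a literal ...
    bad_key = b"S3cretBlowfishKey"
    script = b'Set Variable [$key; "' + bad_key + b'"]\nDecrypt [...]'
    print("embedded key found at offset", embedded_key_offset(script, bad_key))

    # ... versus a derived key, which leaves only a salt behind in the file.
    salt = secrets.token_bytes(16)
    key = derive_key("correct horse battery staple", salt)   # assumed passphrase
    print("derived", len(key) * 8, "bit key; stored salt:", salt.hex())
    print("key literal present in stored data?", embedded_key_offset(salt, key) != -1)
```

Run it as a script to see the two key sizes side by side: a 56-bit key is about 417 days of work at the assumed 1e9 trials/s (so "hours" needs many machines or a faster trial rate), while a 448-bit key is out of reach of exhaustive search entirely. Whether the vendor's database is safe therefore turns on where the key comes from, which is Mysidia's point: a key literal in the start-up script is recoverable by anyone who can read the file, a key derived from a passphrase that the user types is not.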

Author Comment

by:FNDAdmin
ID: 39917428
Turns out it was 56-byte not 56-bit, but Mysidia's point that the key might not be stored securely is something we are looking into now.  Thank you.
