Solved

How hackable are 56 bit field encrypted FileMaker Pro databases?

Posted on 2014-03-04
3
1,358 Views
Last Modified: 2014-03-10
We have contracted with an outside vendor to do some data management for us and we are assessing the level at which they are protecting our data.  We do not have any FileMaker Pro or encryption experts on staff, so I'm turning to EE.

So far we have determined that the vendor is storing (and making publicly available per necessity) a CD containing a FileMaker Pro database (currently fp7 but I upgraded it to fmp12 easily).  The database is password protected but a cheap $30 hack tool found what appears to be a non-admin account username and password.  Their database appears "protected" by a startup script, but my understanding is that anyone with FMP Adv can bypass that script.  I wasn't able to block the script with FMP.

Either way, by creating a new database and using relationships, I have been able to extract what appears to be all of the fields in the database into an excel file.  While most fields are plain text, we know the critical few fields are protected with 56-bit Blowfish encryption.  Obviously a hacker would have no direct way of knowing the key.

My question to the hackers out there - how safe is 56-bit blowfish encryption?  With modern desktop computing power, and 100,000+ records in the file, each with several encrypted fields, wouldn't even a brute force attack by a novice hacker be able to decrypt the file within hours or at most a few days?  I thought 56-bit went out in the late 90s.  

The data isn't super sensitive but we still don't want it easily hacked.  How secure do you experts feel a startup-script, password-protected FileMaker Pro database is using 56-bit blowfish encryption at the field level?  Would someone be able to use FileMaker Pro Adv to block the startup script, view the script source and find the encryption key?  I assume the key must be stored in the database somewhere, or can FileMaker Pro files be compiled to make the information hidden?  Would you be comfortable having your data protected in this way?

Thank you for your help.
0
Question by:FNDAdmin
3 Comments
LVL 23

Assisted Solution

by:Mysidia
Mysidia earned 250 total points
ID: 39905570
"Would someone be able to use FileMaker Pro Adv to block the startup script, view the script source and find the encryption key?  I assume the key must be stored in the database somewhere"

This may depend on the Filemaker version.  I understand Filemaker 13 Advanced uses AES-256 encryption;   this could be secure as long as the keys are adequately secured, AND you do not distribute your encryption key together with the database.
http://www.dbservices.com/articles/rest-easy-with-encrypted-databases-in-filemaker-13


If you can easily get valid user credentials to "open" the database up to the point of running scripts ----  and the key is indeed stored there... then presumably with some effort, the blowfish encryption can be bypassed.

For the blowfish field encryption to be secured, the encryption key itself needs to be secured via either separate storage or by requiring a strong password to decrypt/gain access to the blowfish key.
0
LVL 6

Accepted Solution

by:slinkygn
slinkygn earned 250 total points
ID: 39914200
Well, since you've extracted the data from the FM database successfully, this is less a FileMaker question and more a security/encryption question -- as 56-bit Blowfish is 56-bit Blowfish, no matter what the data source.

That being said, there are two fairly common Blowfish plugins for FileMaker, and so two likely ways those fields were encrypted.  The currently most well-known is from SkyDancer Studios: http://www.skydancerstudios.com/ but the more likely one for an older database is probably the MonkeyBread Software plugin: http://www.monkeybreadsoftware.de/filemaker/ that does Blowfish encryption and about a bazillion other things.  If you install one or both of those plugins, and can enter the file using FileMaker and some account with sufficient access to this (and perhaps bypass that open script -- yes, FMP Advanced is the easiest way to do that), you may be able to access the data unencrypted.

If that fails, and you are sure that it's 56-bit Blowfish (that's an unusual size for a Blowfish key, and it's suspiciously similar to the max-key-size 56 *bytes* or 448 bits for Blowfish -- are we sure it's 56 bits?), then yes, brute-force attacks against 56-bit keys should be trivially easy with a modern processor.  Days at most, hours if you have decent hardware for it.  The Linux software Jack the Ripper is pretty much the gold-standard brute-force tool for this sort of thing... but we're getting a little bit away from the original intent of the question at that point, I think?
0
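An added assessment helper (my own example, not code from either answer or from any FileMaker plugin): it checks whether exported field values decode to 8-byte-aligned, high-entropy data, as a Blowfish ciphertext must since Blowfish always uses a 64-bit block, and it puts numbers on the 56-bit versus 56-byte key-size difference slinkygn raises. The field values are constructed samples and the guess rate is an assumed parameter.

```python
import base64
import binascii
import math
import string
from collections import Counter
from typing import Optional

BLOWFISH_BLOCK_BYTES = 8  # Blowfish has a fixed 64-bit block regardless of key size

# Constructed sample values, as they might appear in an exported text field.
HEX_SAMPLE = "9f3a1c7e42b0d58866f1a3c05d2e7b19"   # 16 bytes, two full blocks
B64_SAMPLE = "AAECAwQFBgcICQoL"                   # 12 bytes, not block-aligned
PLAINTEXT_SAMPLE = "Jane Doe"                     # not a ciphertext encoding at all


def decode_field(value: str) -> Optional[bytes]:
    """Decode the text encodings plugins commonly use to store ciphertext in a text field."""
    v = value.strip()
    # Treat as hex only if every character is a hex digit and the length is even,
    # so a base64 string containing letters a-f is not misread as hex.
    if v and len(v) % 2 == 0 and all(ch in string.hexdigits for ch in v):
        return bytes.fromhex(v)
    try:
        return base64.b64decode(v, validate=True)
    except (binascii.Error, ValueError):
        return None


def shannon_entropy_bits(data: bytes) -> float:
    """Bits of entropy per byte; ciphertext should sit near 8.0 for long inputs."""
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_block_ciphertext(value: str) -> dict:
    """Report whether a field value is consistent with an 8-byte-block cipher output."""
    raw = decode_field(value)
    if not raw:
        return {"decodes": False, "block_aligned": False, "entropy": 0.0, "length": 0}
    return {
        "decodes": True,
        "block_aligned": len(raw) % BLOWFISH_BLOCK_BYTES == 0,
        "entropy": round(shannon_entropy_bits(raw), 2),
        "length": len(raw),
    }


def brute_force_seconds(key_bits: int, guesses_per_second: float) -> float:
    """Expected time to search half the key space at an assumed guess rate.
    Blowfish's key schedule runs 521 block encryptions per key, so a realistic
    rate is far below the raw block-encryption speed of the hardware."""
    return (2 ** key_bits / 2) / guesses_per_second
```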
Author Comment

by:FNDAdmin
ID: 39917428
Turns out it was 56-byte not 56-bit, but Mysidia's point that the key might not be stored securely is something we are looking into now.  Thank you.
0
