Implementing Login 5.3 from Isladogs (1 Viewer)

JMongi

Active member
Local time
Today, 13:34
Joined
Jan 6, 2021
Messages
802
I'm working on integrating isladgos login download into my operations database. There are a few minor questions I have. I tried searching and didn't find them answered.

1. Looking at the Click Event code for the Log-In button, that opens the included "frmSessions" form. I presume this is just a placeholder for my main operations screen/form and I should substitute the form load here.

2. In the "frmLogin" form there is a sub called "Form_Timer". I'm not sure exactly what it's purpose is. Aside from that there is a comment "Normally this would connect to a BE file." I'm not sure how to connect this to my BE? Here is the code:

Code:
Private Sub Form_Timer()
 
 'Normally this would connect to a BE file
 'As this is a demo it is using a self contained ACCDB file
 
On Error GoTo Err_Handler

    If Repeat = False Then
       ' Me.TimerInterval = 0
        'Call RefreshLinks
        Repeat = True
    Else
        'Get first character
        Dim FChar As String
        FChar = Left(Me.lblMarquee.Caption, 1)
        'Remove first character
        Me.lblMarquee.Caption = Mid$(Me.lblMarquee.Caption, 2, Len(Me.lblMarquee.Caption) - 1)
        'Put 1st character at the end of the message.
        Me.lblMarquee.Caption = Me.lblMarquee.Caption + FChar
    End If
    
Exit_Handler:
    Exit Sub
    
Err_Handler:
    MsgBox "Error " & Err.Number & " in Form_Timer procedure: " & Err.Description
    Resume Exit_Handler
    
End Sub

3. It is recommended that the RC4 cipher be encrypted via a different method. It is stored as public constant in the encryption module. I'm not really certain how to go about encrypting this cipher via a different method. I would like to, just need some guidance.

I think that covers my current questions.
 

theDBguy

I’m here to help
Staff member
Local time
Today, 10:34
Joined
Oct 29, 2018
Messages
21,358
On #2, I think that's for displaying a marquee or a scrolling text on the form.

On #3, I think he meant use something like 3DES or AES or something else other than RC4, for the secret key.
 

JMongi

Active member
Local time
Today, 13:34
Joined
Jan 6, 2021
Messages
802
Thanks DBguy!

#2 - That's what I thought as well, I just can't figure out the "connect to BE" comment.
#3 - I should have been more specific. I know about AES and other encryption standards. My question is I'm not sure how Access is using this key, how to handle the encryption/decryption/how to pass that into the VBA module for use. Right now the key is hardcoded into the constant. I don't know enough about how to pass that info securely.

Sorry for the vagueness. I have a very basic understanding of the concepts but not a whole lot of tangible practical experience.
 

isladogs

MVP / VIP
Local time
Today, 17:34
Joined
Jan 14, 2017
Messages
18,186
Hi @JMongi
I've only just seen this as it didn't alert me to your thread.
I would probably have seen this quicker if you had alerted me in the same way as I've done above for you....

First of all, see attached for an updated version 5,4 which fixed a couple of errors related to the use of RC4 encryption.
Although v5.3 works, version 5.4 fixes an issue with the cipher
This was discussed recently at another forum: UtterAccess.com

I would also suggest reading the article about this example app on my website: Password Login - Mendip Data Systems

Anyway in answer to your questions:
1. Yes. Substitute frmSessions for your own form or forms. You may wish to have a different form opened depending on user level.
However don't delete frmSessions as it will be useful for the program admins in order to track logins

2. The timer event is indeed used for the scrolling or 'marquee' text which was added by request from another user. If you would prefer not to have scrolling text, set the timer interval to 0 (or remove the Form_Timer code

The comment is purely meant to indicate that the login form would normally be used with a split database. I'm not sure why I wrote the comment in that particular event as its nothing to do with the scrolling text. Apologies for any confusion.

3. The idea is to obscure the RC4 cipher for added security. If you think about it, you can't use RC4 encryption to do that. Any other method will be OK including those DBG suggested ...or just XOR encoding. I sometimes use a function called CP for this purpose (and another called ucp to reverse it):

Code:
Public Function CP(S)
Dim L As Integer
If Not IsNull(S) Then
L = Len(S)
CP = ""
For intCount1 = 1 To L
CP = CP & Chr(Asc((Mid(S, intCount1, 1))) + L)
Next intCount1
End If

End Function

Code:
Public Function ucp(S)
Dim L As Integer
L = Len(S)
ucp = ""
For intCount1 = 1 To L
ucp = ucp & Chr(Asc((Mid(S, intCount1, 1))) - L)
Next intCount1
End Function

Hope that helps
 

Attachments

  • PasswordLogin_RC4_v5.4.zip
    90.6 KB · Views: 262

JMongi

Active member
Local time
Today, 13:34
Joined
Jan 6, 2021
Messages
802
Woah, I've done that before without knowing that's what it was doing! Good to know.
Also, I replied before I saw your new message. Let me read it.
 

JMongi

Active member
Local time
Today, 13:34
Joined
Jan 6, 2021
Messages
802
Thanks for the updated version! I'm trying to understand your cipher encrypt and decrypt you posted above. I assume this XOR being done in VBA? Also, I presume the idea is for the cipher to be stored outside of Access in some fashion? I guess I'm extremely light on how to pull information into the database from exterior sources. Sorry, if I'm asking basic questions.
 

JMongi

Active member
Local time
Today, 13:34
Joined
Jan 6, 2021
Messages
802
@isladogs - Ok. I reread your post. Please correct me if I'm wrong. So, in your sample code, the RC4 cipher is shown unaltered as a public constant. Is the idea to run it through the encrypt function above and then put that resultant string as the public constant? Then you would have to pass the constant into the decrypt function and use the output of that in your RC4 code blocks?
 
Last edited:

JMongi

Active member
Local time
Today, 13:34
Joined
Jan 6, 2021
Messages
802
Another thing, I'm running into...the custom message box "FormattedMsgBox" is throwing an error when it's called:
"Compile error: Ambiguous name detected: FormattedMsgBox"

Edit: Figured this one out. Imported 2 different modules from isladogs. Both had this function defined. Commented out one. No problems.
 
Last edited:

isladogs

MVP / VIP
Local time
Today, 17:34
Joined
Jan 14, 2017
Messages
18,186
I'll try and answer posts #6/#7/#8 together.

RC4 encryption is totally different to XOR encoding and is significantly more secure. Encoding is relatively easy to crack. 128-bit encryption such as RC4 is almost impossible to break unless the cipher is known.
If the cipher is stored 'unscrambled' in an unencrypted ACCDB file, it is easy to read that info from outside Access. If the file is encrypted with a password and compiled as an ACCDE, it is much more difficult but not impossible to read the cipher value. Better still, encode or encrypt the cipher constant in your VBA code as well as making an ACCDE encrypted with a password.

Sorry but I'm not really sure what you are asking in post #7.

As for the ambiguous name error, you have somehow managed to import two copies of the FormattedMsgBox function. I've rechecked my v5.4 & the function is only given once in modFunctions. You need to find and delete your duplicate copy of the function
 

JMongi

Active member
Local time
Today, 13:34
Joined
Jan 6, 2021
Messages
802
I downloaded your application window sample DB as well. That had it's own function named the same. I figured that out and commented it out fo the time being.

So, I'll try to restate #7 to be clearer.

If I store the encrypted cipher in the the code you have:
Code:
Public Const RC4_Key = "isladogs" 'This key is used to store the passwords - ideally it should be encrypted by a different method
should become:
Code:
Public Const RC4_Key = "!@#$%^&*" 'This key is used to store the passwords - ideally it should be encrypted by a different method

I would then need to pass this encrypted cipher through the decrypt function (the diffferent one) before feeding the now decrypted cipher to your RC4 encryption/decryption code blocks. Am I understanding this correctly?
 

isladogs

MVP / VIP
Local time
Today, 17:34
Joined
Jan 14, 2017
Messages
18,186
Let me try to explain it with reference to the CP& UCP functions mentioned in post #10 (though any other encoding/encryption method would work for this purpose)

Assume the RC4_Key is actually "isladogs",
Code:
CP("isladogs")= "q{tilwo{"

So you would use as your public constant:
Code:
Public Const RC4_Key = "q{tilwo{"

Then wherever you need to decrypt the values, you would use UCP(RC4_Key) as the key in your RC4 expression.

Hope that's clear now
 
Last edited:

JMongi

Active member
Local time
Today, 13:34
Joined
Jan 6, 2021
Messages
802
Thanks! That's basically what I was imagining but it's nice to see the implementation of the exact steps. Now to figure out how to incorporate your custom window code. Thanks for all of your hard work and being willing to share it and help implement it! :)
 

JMongi

Active member
Local time
Today, 13:34
Joined
Jan 6, 2021
Messages
802
So right now I'm getting this error with this line of code highlighted:
Code:
For intCount1 = 1 To L

Compile Error: Variable not defined (highlighting intCount1)
 

JMongi

Active member
Local time
Today, 13:34
Joined
Jan 6, 2021
Messages
802
Ok so the code should be...

Code:
Public Function CP(S as String)
Dim L As Integer
Dim intCount1 as Integer
If Not IsNull(S) Then
    L = Len(S)
    CP = ""
    For intCount1 = 1 To L
        CP = CP & Chr(Asc((Mid(S, intCount1, 1))) + L)
    Next intCount1
End If

End Function
 

JMongi

Active member
Local time
Today, 13:34
Joined
Jan 6, 2021
Messages
802
So, call me crazy, but I don't see the public constant "RC4_Key" used anywhere other than the public constant declaration. What am I missing?

Edit: Nevermind, I thougt I had it toggled to search my whole project. I found the RC4_Key references in the login form code.

Let me make sure I am doing this correctly. This line of code (and others like it):
Code:
    strPassword = RC4(Me.cboUser.Column(2), "RC4_Key")

should become:
Code:
    strPassword = RC4(Me.cboUser.Column(2), ucp("RC4_Key"))
 
Last edited:

JMongi

Active member
Local time
Today, 13:34
Joined
Jan 6, 2021
Messages
802
You guys are the VBA experts...but...should that be ucp(RC4_Key)? or do the quotes not matter.?
 

isladogs

MVP / VIP
Local time
Today, 17:34
Joined
Jan 14, 2017
Messages
18,186
If you read post #11 again, you will find your answer.
 

JMongi

Active member
Local time
Today, 13:34
Joined
Jan 6, 2021
Messages
802
Indeed. That is where my confusion comes from. In #11 you typed ucp(RC4_Key) which makes sense. Throughout the downloaded code "RC4_Key" is used not RC4_KEY. This would indicate that the string "RC4_Key" was being passed instead of the string constant RC4_Key that was publicly declared.
 

isladogs

MVP / VIP
Local time
Today, 17:34
Joined
Jan 14, 2017
Messages
18,186
As previously explained, version 5.3 incorrectly used RC4_KEY in quotes. It worked but only because it used that string throughout.
I updated it to version 5.4 purely to remove the quotes throughout the app. There were 8 locations where these were removed.
Please use v5.4
 

JMongi

Active member
Local time
Today, 13:34
Joined
Jan 6, 2021
Messages
802
Hmm. Sorry for the mixup! I downloaded 5.4 after your original post. I thought I had reimported the new code into my DB. I must not have. Thanks for pointing that out!
 

Users who are viewing this thread

Top Bottom