My application uses an MS Access database to save some sensitive information. Though that information itself is protected, I need to convince a client that there is another wall of database encryption with a strong password that has to be broken first.

Do you know which encryption algorithm/method is used for encrypting an Access database?

+1  A: 

For Access 2003 there are some options regarding encryption. Some of the possible encryption types you might find in the Encryption Type dialog are:

  • Weak Encryption (XOR)
    Not recommended, provided for legacy files only
  • Office 97/2000 Compatible
    Not recommended, provided for legacy files only
  • RC4, Microsoft Base Cryptographic Provider v1.0
  • RC4, Microsoft Base DSS and Diffie-Hellman Cryptographic Provider
  • RC4, Microsoft DH SChannel Cryptographic Provider
  • RC4, Microsoft Enhanced Cryptographic Provider v1.0
  • RC4, Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider
  • RC4, Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype)
  • RC4, Microsoft RSA SChannel Cryptographic Provider
  • RC4, Microsoft Strong Cryptographic Provider

Source: Important Aspects of Password and Encryption Protection


If you are using Access 2007, here is a good article, which you could use as reference:

Encrypting an Access Database

What type of encryption does Access 2007 use?

Access 2007 uses the Microsoft Cryptographic API. This means that it will support any cryptographic algorithm available within Windows as a Cryptographic Service Provider (CSP). This is a great improvement over earlier versions of Access, which only supported a built-in, weak encryption algorithm.

splattne
Sorry, but I clearly mentioned in the question title that I am using Access 2003. Can you please answer it in the context of Access 2003?
Hemant
Oops, sorry, somehow my eyes didn't catch that... sorry.
splattne
+1  A: 

I need to convince a client that there is another wall of database encryption with a strong password that has to be broken first.

I don't think you can because the password protection is weak. So...

that information itself is protected

...how you have protected the information yourself (encryption?) could be your only line of defence.

Also, consider upgrading to Access 2007, whose database encryption is stronger (though user-level security has been removed).

EDIT: I'm still searching for the Holy Grail, being the documentation for the Jet engine. One great thing about the changes made to the engine for Access 2007 is that the Access team revealed a few details about the old engine, in the context of 'the new is better than the old because...' It's not surprising that they didn't publicly announce the encryption was weak until after they fixed it! You will find a few details in Microsoft Access Team Blog: Access 12 Security Model.

Another link: Microsoft Access 2002 Technical Articles: Exploring Microsoft Access Security "Jet (the database engine used by Access) uses a very weak method of encryption and should never be used to protect sensitive data."

Last one: Jet MDB security - under the hood

Simple database password: The database password, when set, is obfuscated with a simple XOR pattern algorithm based on the file creation date/time (stored inside the file) which is then stored in the MDB file header... The MDB file header itself is further obfuscated with an XOR pattern, although it's a constant XOR stream this time. (I describe these XOR encryption algorithms as obfuscation rather than encryption, given how simple they are). When you open your MDB file, you are prompted for the password and then Jet can easily decode the original password to check it matches perfectly with the password that was entered.

Pros: Simple to set up.

Cons: Password is easily retrievable since it is effectively stored in plain text (very simple obfuscation).

onedaywhen
I am using DES (64 bit key) to encrypt information before placing it in the database. You said the password protection is weak in Access 2003. Can you please throw more light on this? (What algorithm does it use, any links?)
Hemant
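
The stored-password design quoted in the second answer, modelled next to a salted password verifier, as an added example that is not part of the original thread. It does not reproduce Jet's real header: the constant, field length, layout and function names are all constructed for illustration.

```python
import hashlib, hmac, os, struct

CONST = bytes.fromhex("5a13c7e9402b88f1")  # constructed constant, NOT Jet's real pattern
FIELD_LEN = 16                              # constructed field size

def _mask(created: bytes) -> bytes:
    # The mask depends only on a fixed constant and the creation stamp,
    # and the creation stamp is stored inside the file itself.
    unit = bytes(c ^ k for c, k in zip(created, CONST))
    return (unit * 2)[:FIELD_LEN]

def write_header(password: str, created_ts: float) -> bytes:
    """Weak design: the header stores the password itself under a derivable XOR mask."""
    created = struct.pack("<d", created_ts)
    raw = password.encode("ascii").ljust(FIELD_LEN, b"\0")[:FIELD_LEN]
    field = bytes(p ^ m for p, m in zip(raw, _mask(created)))
    return created + field

def read_password(header: bytes) -> str:
    """What the engine does at open time; it needs nothing except the file's own bytes."""
    created, field = header[:8], header[8:8 + FIELD_LEN]
    raw = bytes(f ^ m for f, m in zip(field, _mask(created)))
    return raw.rstrip(b"\0").decode("ascii")

def make_verifier(password: str, salt: bytes = None, rounds: int = 200_000):
    """Hardened design: store a salted, slow, one-way digest instead of the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return salt, rounds, digest

def check_verifier(password: str, salt: bytes, rounds: int, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison

if __name__ == "__main__":
    header = write_header("s3cret", 1041379200.0)   # constructed sample input
    print("recovered from header alone:", read_password(header))
    salt, rounds, digest = make_verifier("s3cret")
    print("verifier accepts correct password:", check_verifier("s3cret", salt, rounds, digest))
    print("verifier accepts wrong password:", check_verifier("wrong", salt, rounds, digest))
```

A verifier only checks the password. For the data to be protected, the encryption key must also be derived from the password and never stored in the file.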