Adaptive Server allows the use of asymmetric encryption to securely transmit passwords from client to server using the RSA public key encryption algorithm. Adaptive Server generates the asymmetric key pair and sends the public key to clients that use a login protocol. For example, the client encrypts the user’s login password with the public key before sending it to the server. The server decrypts the password with the private key to begin the authentication of the client connecting.
You can configure Adaptive Server to require clients to use a login protocol. Set the Adaptive Server configuration parameter net password encryption reqd to require all user name- and password-based authentication requests to use RSA asymmetric encryption. See "net password encryption required," in Chapter 5, "Setting Configuration Parameters" in the System Administration Guide: Volume 1.
Adaptive Server supports two versions of the login protocol using RSA asymmetric encryption. One ensures a unique keypair per login session and the second employs a random number during the login protocol. When there are many user connections using network password encryption, the unique keypair per session may cause computation peaks due to computation of new keypairs. The second approach is less computationally demanding. The second approach requires a recompiled client program that supports the newer login protocol that uses RSA asymmetric encryption with a random number.
For RSA asymmetric encryption with random number, Adaptive Server generates a new key pair:
At each server start-up,
Automatically at 24-hour intervals using the Adaptive Server housekeeper mechanism, and
When an administrator with sso_role requests key pair regeneration.
The key pair is kept in memory. A message is recorded in the error log and in the audit trail when the key pair is regenerated.
For RSA asymmetric encryption without random number, by default, a key pair is generated for each connection.
Procedure sp_passwordpolicy option unique keypair per session may be used to turn on or off the generation of a key pair for each connection with this login protocol. However this should only be used in environments where network password security is not a concern because the key pair is reused without the benefit of the random number component.
To generate the key pair on demand, use:
sp_passwordpolicy "regenerate keypair"
Depending on the system load, there may be a delay between
the time this command is executed and the time the key pair is actually
generated. This is because the housekeeper task runs at a low priority
and may be delayed by higher priority tasks.
To generate the key pair at a specific time, use:
sp_passwordpolicy "regenerate keypair", datetime
where datetime is the date and time you want to regenerate the key pair.
For example, a datetime string of “Jan 16, 2007 11:00PM” generates the key pair at the specified time. The datetime string can also just be a time of day, such as “4:07a.m.”. When only time of day is specified, key-pair regeneration is scheduled for that time of day in the next 24-hour period.
sp_passwordpolicy lets you configure the frequency of key-pair regeneration, as well as what Adaptive Server should do when a key pair generation fails:
‘keypair regeneration period’, { ([keypair regeneration frequency], datetime of first generation) | (keypair regeneration frequency, [datetime of first generation]) }
“keypair error retry [ wait | count ]”, “value”
See sp_passwordpolicy in Reference Manual: System Procedure.
Adaptive Server also acts as a client when establishing a remote procedure call (RPC).
When connecting to remote servers, Adaptive Server uses the net password encryption option to determine whether it will use password encryption.
Adaptive Server uses either RSA or Sybase proprietary algorithms when this server option is set to true. The command to enable net password encryption is:
sp_serveroption server, "net password encryption", "true"
The setting is stored in master..sysservers and you can display the value of server options using the sp_helpserver stored procedure.
The default value for net password encryption is true for any new server added using sp_addserver. During upgrade, Adaptive Server sets net password encryption to true for sysservers entries with an ASEnterprise class value. No other server classes are modified. This improves password security between two communicating Adaptive Servers.
The administrator can optionally reset net
password encryption to false if you
encounter problems establishing a connection to a server. However,
if the option is set to false, passwords are transmitted in clear
text on the network.
Sybase recommends that you use the RSA algorithm to protect passwords on the network.
To use the RSA algorithm with random number, you must have Adaptive Server version 15.7 ESD #1 or later and use new Connectivity SDK clients version 15.7 ESD #1 or later.
To use the RSA algorithm, without random number, you must have Adaptive Server version 15.0.2 and new Connectivity SDK clients version 15.0 ESD #7 and later.
Sybase provides the net password encryption reqd configuration parameter and the net password encryption server option to allow settings equivalent to versions earlier than 15.0.2 and maintain backward compatibility with older clients and older servers.
Older clients that do not support the RSA algorithm can set the property to encrypt passwords using the Sybase proprietary algorithm, which has been available version 12.0. Adaptive Server then uses the Sybase proprietary algorithm.
New clients that support both RSA and Sybase proprietary algorithms can set properties for both algorithms. When communicating with such clients, Adaptive Server 15.0.2 and later uses RSA encryption. A pre-15.0.2 Adaptive Server uses the Sybase proprietary algorithm.
