Security handshaking: encrypted password

Sybase servers use an encrypted password handshake if the client requests password encryption. The encrypted-password security handshake takes place while the connection to the server is being established.

Note: Applications must request password encryption by setting the CS_SEC_ENCRYPTION connection property to CS_TRUE (the default is CS_FALSE). Otherwise, the password is sent to the server as plain text.


The password encryption process

When password encryption is enabled, the server receives the user passwords and remote-server passwords as follows:

  1. Client-Library initially sends a dummy password to the server consisting of a zero-length string.

  2. The server responds by asking the client for the encrypted passwords and sending an encryption key to the client.
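The following program is an added illustration, not Sybase code and not the real TDS login format: it models the client side of the exchange described in the steps above and contrasts what an observer of the client-to-server bytes sees when CS_SEC_ENCRYPTION is left at its default (CS_FALSE) versus set to CS_TRUE. The message layout, the 8-byte server key and the XOR "encryption" are constructed stand-ins (the page does not specify Adaptive Server's scheme), and the final step, in which the client answers the server's request with the encrypted password, is assumed from step 2.

```c
/* Added model of the password-encryption handshake (not Sybase code).
 * Wire layout, server key and the placeholder_encrypt transform are
 * constructed stand-ins, NOT the real TDS login record or cipher. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define CS_FALSE 0
#define CS_TRUE  1
#define WIRE_MAX 256

/* Constructed capture of every byte the client sends, in order. */
typedef struct {
    unsigned char buf[WIRE_MAX];
    size_t len;
} wire_t;

static void wire_send(wire_t *w, const void *p, size_t n) {
    if (w->len + n > WIRE_MAX) n = WIRE_MAX - w->len;
    memcpy(w->buf + w->len, p, n);
    w->len += n;
}

/* Stand-in for the key the server sends in step 2 (constructed value). */
static const unsigned char SERVER_KEY[8] =
    {0x5a, 0xc3, 0x19, 0x7e, 0x88, 0x02, 0xd4, 0x6b};

/* Placeholder transform (hypothetical): XOR with the server-supplied key.
 * It only exists so the password bytes differ from the clear text. */
static void placeholder_encrypt(const char *pw, const unsigned char *key,
                                size_t keylen, unsigned char *out, size_t *outlen) {
    size_t n = strlen(pw);
    for (size_t i = 0; i < n; i++)
        out[i] = (unsigned char)pw[i] ^ key[i % keylen];
    *outlen = n;
}

/* Client side of the modelled login. Returns 0 on success. */
int client_login(wire_t *w, int sec_encryption, const char *user, const char *pw) {
    char msg[WIRE_MAX];
    unsigned char enc[WIRE_MAX];
    size_t enclen;
    const char *hdr = "ENCPW ";

    if (sec_encryption == CS_FALSE) {
        /* Default: the password travels in the first login record as text. */
        snprintf(msg, sizeof msg, "LOGIN user=%s pw=%s;", user, pw);
        wire_send(w, msg, strlen(msg));
        return 0;
    }
    /* Step 1: login record with a zero-length password. */
    snprintf(msg, sizeof msg, "LOGIN user=%s pw=;", user);
    wire_send(w, msg, strlen(msg));
    /* Step 2 happens on the server (request + key); its bytes are not
     * client-to-server traffic, so they are not captured here.
     * Assumed final step: client answers with the transformed password. */
    placeholder_encrypt(pw, SERVER_KEY, sizeof SERVER_KEY, enc, &enclen);
    wire_send(w, hdr, strlen(hdr));
    wire_send(w, enc, enclen);
    wire_send(w, ";", 1);
    return 0;
}

/* Defender's check: does the clear-text password occur anywhere in the
 * captured client-to-server bytes? 1 = exposed, 0 = not found. */
int password_visible_on_wire(const wire_t *w, const char *pw) {
    size_t n = strlen(pw);
    if (n == 0 || n > w->len) return 0;
    for (size_t i = 0; i + n <= w->len; i++)
        if (memcmp(w->buf + i, pw, n) == 0) return 1;
    return 0;
}

int main(void) {
    wire_t plain = {{0}, 0}, enc = {{0}, 0};
    client_login(&plain, CS_FALSE, "appuser", "s3cret-pw");
    client_login(&enc,   CS_TRUE,  "appuser", "s3cret-pw");
    printf("CS_FALSE: password visible on wire = %d\n",
           password_visible_on_wire(&plain, "s3cret-pw"));
    printf("CS_TRUE : password visible on wire = %d\n",
           password_visible_on_wire(&enc, "s3cret-pw"));
    return 0;
}
```

The point the model makes is the one in the note above: with the property at its default, the password string is recoverable from a capture of the login record, while with CS_SEC_ENCRYPTION set the first record carries an empty password and only the transformed value follows after the server's key arrives.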


Using password encryption in Client-Library applications

Password encryption is disabled by default, so applications that need password encryption must set the CS_SEC_ENCRYPTION property to CS_TRUE before calling ct_connect. The following code fragment enables password encryption:

/*
** Enable password encryption for the connection
** attempt. ctx (CS_CONTEXT *) and conn (CS_CONNECTION *)
** are assumed to have been allocated already with
** cs_ctx_alloc/ct_init and ct_con_alloc; this property
** must be set before ct_connect is called.
*/
CS_BOOL boolval;

boolval = CS_TRUE;
if (ct_con_props(conn, CS_SET,
                 CS_SEC_ENCRYPTION,
                 (CS_VOID *)&boolval,
                 CS_UNUSED, (CS_INT *)NULL)
    != CS_SUCCEED)
{
    fprintf(stdout,
            "ct_con_props(SEC_ENCRYPTION) failed. Exiting\n");
    /* Release the connection and context before exiting. */
    (CS_VOID)ct_con_drop(conn);
    (CS_VOID)ct_exit(ctx, CS_FORCE_EXIT);
    (CS_VOID)cs_ctx_drop(ctx);
    exit(1);
}

Password encryption is performed either by Client-Library’s default encryption handler or by an application handler installed with ct_callback.

The default encryption handler performs the encryption that Adaptive Server expects. Applications that connect to Adaptive Server, or to an Open Server gateway in front of Adaptive Server, should rely on the default handler; most applications fall into this category.

Applications that require an encryption handler include the following:

For information about defining a password encryption callback, see “Defining an encryption callback”.