Adaptive Server allows the use of asymmetric encryption to securely transmit passwords from client to server using the RSA public key encryption algorithm. Adaptive Server generates the asymmetric key pair and sends the public key to clients that use a login protocol. The client encrypts the user's login password with the public key before sending it to the server. The server decrypts the password with the private key and then authenticates the connecting client.
You can configure Adaptive Server to require clients to use a login protocol. Set the Adaptive Server configuration parameter net password encryption reqd to require all user name- and password-based authentication requests to use RSA asymmetric encryption. See “net password encryption required”.
Adaptive Server generates a new key pair:
At each server start-up,
Automatically at 24-hour intervals using the Adaptive Server housekeeper mechanism, and
When an administrator with sso_role requests key pair regeneration.
The key pair is kept in memory. A message is recorded in the error log and in the audit trail when the key pair is regenerated.
To generate the key pair on demand, use:
sp_passwordpolicy "regenerate keypair"
Depending on the system load, there may be a delay between the time this command is executed and the time the key pair is actually generated. This is because the housekeeper task runs at a low priority and may be delayed by higher priority tasks.
To generate the key pair at a specific time, use:
sp_passwordpolicy "regenerate keypair", "datetime string"
For example, a datetime string of "Jan 16, 2007 11:00PM" generates the key pair at the specified time. The datetime string can also be just a time of day, such as "4:07a.m.". When only a time of day is specified, key-pair regeneration is scheduled for that time of day within the next 24-hour period.
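The following Transact-SQL session, added here as an example and not taken from the Adaptive Server documentation, walks through the client-side policy described above in order: it turns on the net password encryption reqd configuration parameter so that logins must use the RSA login protocol, reads the setting back, and then regenerates the key pair both on demand and on a schedule. It assumes a login that holds sa_role (for sp_configure) and sso_role (for sp_passwordpolicy); the configured value 1 is the "required" setting as documented under "net password encryption required", and the remote host and dates are constructed sample values.

```sql
-- Added example (not part of the Adaptive Server documentation).
-- Assumes: sa_role for sp_configure, sso_role for sp_passwordpolicy.
use master
go

-- Require all user-name/password logins to use RSA password encryption.
-- 1 = required; see "net password encryption required" for the value table.
sp_configure "net password encryption reqd", 1
go

-- Read the parameter back to confirm the run value took effect.
sp_configure "net password encryption reqd"
go

-- Regenerate the in-memory RSA key pair now. The request is queued to the
-- housekeeper task, so on a busy server it may complete a little later;
-- the error log and audit trail record the actual regeneration.
sp_passwordpolicy "regenerate keypair"
go

-- Regenerate at an absolute date and time (constructed sample value).
sp_passwordpolicy "regenerate keypair", "Jan 16, 2007 11:00PM"
go

-- Regenerate at a time of day; with no date, this is scheduled for the
-- next occurrence of 4:07 a.m. within the coming 24 hours.
sp_passwordpolicy "regenerate keypair", "4:07a.m."
go
```

Because the key pair lives only in memory and is replaced at every start-up and every 24 hours, a scheduled regeneration is best placed outside peak load so that the housekeeper can run it close to the requested time; check the error log afterwards rather than assuming the new pair is already in use.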
Adaptive Server also acts as a client when establishing a remote procedure call (RPC).
When connecting to remote servers, Adaptive Server uses the net password encryption option to determine whether it will use password encryption.
Adaptive Server uses either the RSA algorithm or the Sybase proprietary algorithm when this server option is set to true. The command to enable net password encryption is:
sp_serveroption server, "net password encryption", "true"
The setting is stored in master..sysservers and you can display the value of server options using the sp_helpserver stored procedure.
The default value for net password encryption is true for any new server added using sp_addserver. During upgrade, Adaptive Server sets net password encryption to true for sysservers entries with an ASEnterprise class value. No other server classes are modified. This improves password security between two communicating Adaptive Servers.
You can optionally reset net password encryption to false if you encounter problems establishing a connection to a server. However, if the option is set to false, passwords are transmitted in clear text on the network.
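To show the outbound (RPC) side end to end, the following Transact-SQL session is added here as an example; it is not from the Adaptive Server documentation. It registers a remote server, sets the net password encryption server option for it, and then verifies the stored setting through sp_helpserver and master..sysservers before any RPC is attempted. The server name REMOTE_ASE and its network name are constructed sample values; sa_role is assumed for sp_addserver and sp_serveroption.

```sql
-- Added example (not part of the Adaptive Server documentation).
-- Assumes sa_role. REMOTE_ASE / remote_host_entry are constructed names.
use master
go

-- Register the remote server with the ASEnterprise class. New entries
-- get net password encryption = true by default; the explicit setting
-- below makes the intended state visible in change control.
sp_addserver REMOTE_ASE, ASEnterprise, remote_host_entry
go

-- Encrypt the password this server sends when it connects as an RPC client.
sp_serveroption REMOTE_ASE, "net password encryption", "true"
go

-- Verify: sp_helpserver lists the options in effect for the server.
sp_helpserver REMOTE_ASE
go

-- The setting is persisted in master..sysservers alongside the other
-- attributes of the entry; confirm the row exists for the server name.
select srvname, srvnetname
from master..sysservers
where srvname = "REMOTE_ASE"
go

-- Only if a connection problem must be isolated: disabling the option
-- sends the password in clear text on the network, so re-enable it as
-- soon as the fault is understood.
-- sp_serveroption REMOTE_ASE, "net password encryption", "false"
-- go
```

When the remote side is a pre-15.0.2 Adaptive Server, the option still protects the password with the Sybase proprietary algorithm; when both sides are 15.0.2 or later, RSA is used. Either is preferable to leaving the option false.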
Sybase recommends that you use the RSA algorithm to protect passwords on the network.
To use the RSA algorithm, you must have Adaptive Server version 15.0.2 and new Connectivity SDK clients (version 15.0 ESD #7 and later). Sybase provides the net password encryption reqd configuration parameter and the net password encryption server option to allow settings equivalent to versions earlier than 15.0.2 and to maintain backward compatibility with older clients and older servers.
Older clients that do not support the RSA algorithm can set the property to encrypt passwords using the Sybase proprietary algorithm, which has been available since version 12.0. Adaptive Server then uses the Sybase proprietary algorithm.
New clients that support both RSA and Sybase proprietary algorithms can set properties for both algorithms. When communicating with such clients, Adaptive Server 15.0.2 uses RSA encryption. A pre-15.0.2 Adaptive Server uses the Sybase proprietary algorithm.