Client-Library provides three categories of security features:
Network-based security – Client-Library and Server-Library applications may be integrated with the security services provided by network system software such as DCE or Microsoft LAN Manager. Among other services, this feature provides unified login (users connect to a Sybase server using their network user name and password) and per-packet security services (such as encrypting all communications between the client and the server).
This feature requires separate Sybase-supported network security software and a Sybase-supplied security driver for that software. Network-based security was introduced to Client-Library at version 11.1 and requires a server based on Open Server 11.1 or later.
Adaptive Server 11.0 and above do not support network-based security services.
Secure Sockets Layer (SSL) network-based security – From version 12.5, Client-Library and Server-Library applications include a network-library driver to enable SSL, session-based security.
SSL is an industry standard for sending wire- or socket-level encrypted data over client-to-server and server-to-server connections. A client sends a connection request to the server along with its supported SSL options. The server responds with a server certificate that proves that the server is what it claims to be, along with a list of its supported CipherSuites. An SSL-enabled session begins when the client and the server agree upon a CipherSuite, and all transmitted data is protected by session-based encryption.
Sybase security features – these features include password encryption and challenge/response security handshakes.
Client-Library encrypts user passwords if an application requests it. Passwords are encrypted with a handshaking protocol where the server sends an encryption key and the client uses the key to encrypt the user’s passwords.
Challenge/response handshaking allows applications to implement a security strategy where the server challenges clients at connect time. In this strategy, the server refuses connections from clients who cannot provide the expected response to the challenge.
These features are part of the TDS protocol and require no external software. Adaptive Server and Open Server version 10.0 or later support these features.
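Because challenge/response handshaking leaves the actual strategy to the application, the following added example (not Sybase code and not Client-Library or Server-Library API calls) sketches one sound strategy in Python: the server issues a fresh random challenge at connect time and refuses any client whose response does not match. The HMAC-SHA-256 scheme, the per-login shared secret, and all class and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class ChallengeServer:
    """Server side (hypothetical): issues one-time challenges, verifies responses."""

    def __init__(self, shared_keys):
        self._keys = shared_keys      # login name -> shared secret (bytes)
        self._pending = {}            # connection id -> (login, challenge)

    def issue_challenge(self, conn_id, login):
        # A fresh random challenge per connection attempt defeats replay
        # of a response captured from an earlier connect.
        challenge = secrets.token_bytes(32)
        self._pending[conn_id] = (login, challenge)
        return challenge

    def verify(self, conn_id, response):
        # pop() makes each challenge single-use, whether or not it succeeds.
        entry = self._pending.pop(conn_id, None)
        if entry is None:
            return False
        login, challenge = entry
        key = self._keys.get(login)
        if key is None:
            return False              # unknown login: refuse the connection
        expected = compute_response(key, login, challenge)
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(expected, response)


def compute_response(key, login, challenge):
    """Client side: bind the response to both the login and the challenge."""
    message = login.encode() + b"\x00" + challenge
    return hmac.new(key, message, hashlib.sha256).digest()


def connect(server, conn_id, login, client_key):
    """Run one connect-time handshake; True means the connection is accepted."""
    challenge = server.issue_challenge(conn_id, login)
    return server.verify(conn_id, compute_response(client_key, login, challenge))
```
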