Using only the SHA-256 algorithm  Upgrade and and downgrade behavior

Chapter 14: Managing Adaptive Server Logins, Database Users, and Client Connections

Character set considerations for passwords

Passwords and other sensitive data that is encrypted must consider the character set of the clear text to accurately interpret the result when it is decrypted or when hash values are compared during authentication.

For example, a client connects to Adaptive Server using isql and establishes a new password. Regardless of the character set used in the client, characters are always converted to the server’s default character set for processing within Adaptive Server. Assuming the Adaptive Server default character set is “iso_1,” consider the procedure call:

sp_password old_passwd, new_passwd

The parameters are of type varchar and are expressed as a quoted string and stored with “iso_1” encoding before encryption. If the Adaptive Server default character set changes later, the encrypted password remains an encrypted string of characters encoded with the old default character set. This could result in authentication failure due to mismatched character mapping. Although changing default character set is a rare occurrence, it becomes more important when migration occurs between platforms.

To address this limitation with character sets, Adaptive Server converts the clear text password to canonical form before encryption so that it can be used across platforms, chip architectures, and character sets.

To use canoncial form for storage in syslogins:

  1. Convert clear text password string to UTF-16.

  2. Convert the UTF-16 string to network byte order.

  3. Append a small buffer (the salt) with random bytes to the password.

  4. Apply SHA-256 hash algorithm.

  5. Store digest, salt, and version in the password column.

At authentication time, the steps are:

  1. Convert clear text password string to UTF-16.

  2. Convert the UTF-16 string to network byte order.

  3. Append the salt from the password column in syslogins to the password.

  4. Apply the hash algorithm.

  5. Compare results with password column in syslogins, if they match then authentication is successful.

Use of the new SHA-256 algorithm with the above steps allow passwords to be transported across platforms, chip architectures, and character sets.




Copyright © 2008. Sybase Inc. All rights reserved. Upgrade and and downgrade behavior

View this document as PDF