Adaptive Server allows the use of asymmetric encryption to securely transmit passwords from client to server using the RSA public key encryption algorithm. Adaptive Server generates the asymmetric key pair and sends the public key to clients that use the new login protocol. The client encrypts the user’s login password with the public key before sending it to the server. The server decrypts the password with the private key to begin the authentication of the client connecting.
You can configure Adaptive Server to require clients to use this protocol. Set the Adaptive Server configuration parameter net password encryption reqd to require all username- and password-based authentication requests to use RSA asymmetric encryption. See “net password encryption reqd” for more information.
Adaptive Server generates a new key pair:
At each server startup,
Automatically at 24-hour intervals using the Adaptive Server housekeeper mechanism, and
When an administrator with sso_role requests key pair regeneration.
The key pair is kept in memory. A message is recorded in the errorlog and in the audit trail when the key pair is regenerated.
To generate the key pair on demand, use:
sp_passwordpolicy "regenerate keypair"
Depending on the system load, there may be a delay between the time this command is executed and the time the key pair is actually generated. This is because the housekeeper task runs at a low priority and may be delayed by higher priority tasks.
To generate the key pair at a specific time, use:
sp_passwordpolicy "regenerate keypair", "datetime string"
For example, a datetime string of “Jan 16, 2007 11:00PM” generates the key pair at the specified time. The datetime string can also be just a time of day, such as “4:07AM”. When only a time of day is specified, key pair regeneration is scheduled for that time of day within the next 24-hour period.
Adaptive Server also acts as a client when establishing a remote procedure call (RPC).
When connecting to remote servers, Adaptive Server uses the “net password encryption” server option to determine whether it will use password encryption.
Adaptive Server uses either RSA or Sybase proprietary algorithms when this server option is set to “true.” The command to enable “net password encryption” is:
sp_serveroption server, "net password encryption", "true"
The setting is stored in master..sysservers, and the values of server options are displayed using the sp_helpserver stored procedure.
In this release, the default value for net password encryption is “true” for any new server added using sp_addserver. During upgrade, Adaptive Server sets net password encryption to “true” for sysservers entries with an ASEnterprise class value. No other server classes are modified. This is done to improve password security between two communicating Adaptive Servers.
The administrator may reset net password encryption to false if problems are encountered establishing a connection to a server. However, if the option is set to false, the password is transmitted in clear text on the network.
Sybase recommends that you use the RSA algorithm to protect passwords on the network.
To use the RSA algorithm, you must have Adaptive Server version 15.0.2 and new Connectivity SDK clients (version 15.0 ESD#7 and later). Sybase provides the net password encryption reqd configuration parameter and the net password encryption server option to allow settings equivalent to the pre-15.0.2 release and to maintain backward compatibility with older clients and older servers.
Older clients that do not support the RSA algorithm can set the property to encrypt passwords using the Sybase proprietary algorithm, available since pre-12.0 releases. Adaptive Server then uses the Sybase proprietary algorithm.
New clients that support both RSA and Sybase proprietary algorithms can set properties for both algorithms. When communicating with such clients, Adaptive Server 15.0.2 uses RSA encryption. A pre-15.0.2 Adaptive Server uses Sybase’s proprietary algorithm.
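The following Transact-SQL sequence is an added example, not taken from the Sybase manual: it shows the weak outbound setting beside the hardened one, forces a key pair regeneration, and verifies the result. The server name REMOTE_ASE is a placeholder, and the value 1 passed to sp_configure for net password encryption reqd is an assumption to be confirmed against that parameter's reference entry.

```sql
-- Weak configuration: outbound RPC passwords to REMOTE_ASE cross the network in clear text.
-- (Shown only so the hardened form below can be compared against it.)
exec sp_serveroption REMOTE_ASE, "net password encryption", "false"
go

-- Hardened configuration, step 1: encrypt passwords sent to REMOTE_ASE.
-- A 15.0.2 peer negotiates RSA; a pre-15.0.2 peer falls back to the Sybase proprietary algorithm.
exec sp_serveroption REMOTE_ASE, "net password encryption", "true"
go

-- Step 2: require inbound username/password logins to use RSA encryption.
-- ASSUMPTION: 1 is the value that enforces the requirement; check the
-- "net password encryption reqd" entry before applying this on a production server,
-- because clients older than Connectivity SDK 15.0 ESD#7 will be rejected.
exec sp_configure "net password encryption reqd", 1
go

-- Step 3: rotate the in-memory RSA key pair now rather than waiting for the
-- 24-hour housekeeper cycle (requires sso_role; completion is logged to the errorlog and audit trail).
exec sp_passwordpolicy "regenerate keypair"
go

-- Optional: schedule a further rotation outside business hours (time of day only = next 24 hours).
exec sp_passwordpolicy "regenerate keypair", "2:00AM"
go

-- Verification: confirm the server option is persisted in master..sysservers.
exec sp_helpserver REMOTE_ASE
go
```

The final sp_helpserver call should list net password encryption among the options for REMOTE_ASE; if it does not, the sp_serveroption call did not take effect and outbound RPC passwords are still sent in clear text.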