We were recently purchased by a much larger company. Our new company has a person in charge of application security. This person has said that all communication between sa client and server must be encrypted. We have about 150 sites using various sa 8-12 versions. Please give me suggestions/guidance/links/warnings regarding the changes necessary so that client-server communications at these sites are encrypted. Thank you.

asked 27 Mar '12, 10:12

dejstone's gravatar image

dejstone
959405069
accept rate: 0%

edited 27 Mar '12, 10:13


The change should be relatively simple (depending on your app) but what it entails is changing your connection strings to use TLS encryption and to start your server(s) with the -x tcpip{...} option and specify the TLS certificate.

Please refer to the section in the docs on Transport-layer security for more information.

permanent link

answered 27 Mar '12, 10:23

Mark%20Culp's gravatar image

Mark Culp
24.9k10139297
accept rate: 41%

1

Note, that for older versions, AFAIK not all application types (APIs) support TLS, cf. the v8 docs on the dbsrv8 -ec option:

The -ec option instructs the database server to accept only connections from ODBC, OLE DB, or embedded SQL interfaces that are encrypted using one of the specified types. Connections over the TDS protocol, which include Java applications using jConnect, are always accepted, regardless of encryption.

(27 Mar '12, 10:43) Volker Barth

the "-ec simple" method is truly simple. i included -ec simple as a startup parameter and viola, checking with wireshark, packets were encrypted. i did not even have to change the client odbc dsn (on the network tab) to simple encrypted mode: the clients knew to start communicating in encrypted mode. pretty neat! actually, it all seems too simple. am i missing something? will performance take a serious hit? is the encryption method too simple? too easy to crack?

(23 Apr '12, 11:56) dejstone
Replies hidden
2

I have used those words many times, "it all seems too simple". For 16 years now I have always been impressed that SQLA "just works the way it should". But I forget that isn't necessarily the industry norm until reminded by another example like this of how lucky I am to be using this product!

(23 Apr '12, 13:13) Bill Aumen
Replies hidden
4

"simple encryption" is a very simple proprietary algorithm that is more accurately described as "obfuscation" rather than "encryption". It is intended to prevent casual snooping using packet sniffers and such but is not intended to be unbreakable. It does not perform server authentication, and does not prevent man-in-the-middle or replay attacks, but (as you found) is much easier to set up.

TLS, on the other hand, is intended to be unbreakable, and does prevent these attacks but requires an extra file on the server and each client machine, extra switches on the server line, and extra parameters in the connection string.

On modern machines, the performance impact of either of these is negligible.

(23 Apr '12, 13:22) Graeme Perrow

I sure agree with you generally, Bill, but in this particular situation, I would claim that "-ec simple" really is too simple if security is a real concern, as Graeme has pointed out...

(24 Apr '12, 02:37) Volker Barth

Epilogue: Our manager of program security was very impressed with the "-ec simple" implementation. He commented that he does not even see text of the initial "handshaking" normally seen with other encryption methods. Granted, a hacker with the right knowledge might not need very much computing power to crack "ec simple" encryption, but it looks to be good enough for our purposes. We just don't want someone with 10 minutes of Wireshark experience to be able to see everyone's salaries and ss nbrs, etc. By the way, a few customers run our apps against Oracle. I know of no simple (or cheap) method to take our Oracle customers to "ec simple" equivalent security. From my perspective, it's Kudos to Sybase! Thank you!

permanent link

answered 27 Apr '12, 15:52

dejstone's gravatar image

dejstone
959405069
accept rate: 0%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×48
×46

question asked: 27 Mar '12, 10:12

question was seen: 4,429 times

last updated: 27 Apr '12, 15:52