2.4 Enable network password encryption

Information

Sybase ASE 15.0.2 supports the use of asymmetric encryption to securely transmit
passwords from the client to the server using the RSA public key encryption algorithm.
This setting is enabled via the net password encryption reqd configuration parameter.
This feature does not depend on PKI, Kerberos, nor SSL.

There are three possible settings for the value of the net password encryption reqd
configuration parameter:


. 0 This setting allows the client to choose the encryption types, including no
encryption. This is the default settings.
. 1 This setting causes the server to permit either the older proprietary ASE
encryption or the RSA algorithm only.
. 2 This setting causes the server to permit only the RSA algorithm.

If all client applications within your organization support the RSA algorithm (i.e. they use
client libraries accompanying ASE 15.0.2 or are RSA algorithm aware) then it is
recommended that setting 2 is enabled, otherwise it is recommended that setting 1 is
enabled.

Note that this setting is not supported by ASE 15.0 or 15.0.1.

Rationale:

Enabling network password encryption prevents an attacker positioned between the client
and the server from sniffing the password during the login process. The RSA algorithm is
preferred over the proprietary ASE algorithm since RSA is a widely accepted and analyzed
algorithm.

Solution

1. Connect to the database as a user with the sso_role and execute the following SQL
statement to set the network password encryption to 2:

exec sp_configure 'net password encryption reqd', 2

See Also

https://workbench.cisecurity.org/files/1612

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1)(c)

Plugin: SybaseDB

Control ID: afb6a3109452d521a0893b11f63c38ca3eaa21672d82dc402790833c4560824d