Technologies for Encryption
SASProprietary
SASProprietary is a fixed encoding algorithm that is included with Base SAS software. It requires no additional SAS product licenses. Because the encoding is fixed rather than a standard keyed cipher, it is strong enough to protect your data only from casual viewing and should not be relied on against a determined attacker: SASProprietary provides a medium level of security. SAS/SECURE and SSL provide a high level of security.
SAS 9.2 supports SASProprietary under these operating environments:
OpenVMS
UNIX
Windows
z/OS
SASProprietary is part of Base SAS. Separate installation is not required.
For an example of configuring and using SASProprietary in your environment, see SASProprietary for SAS/SHARE: Example.
SAS/SECURE
SAS/SECURE software is an add-on product that provides industry standard encryption capabilities in addition to the SASProprietary algorithm. SAS/SECURE requires a license, and it must be installed on each computer that runs a Foundation SAS client or server that will use the encryption algorithms.
Note: SAS/SECURE provides encryption of data in transit. It does not provide authentication or authorization capabilities.
SAS 9.2 supports SAS/SECURE under these operating environments:
UNIX
Windows
z/OS
For software licensing and delivery purposes, SAS/SECURE is the product within the SAS System. For U.S. export licensing purposes, SAS designates each product based on the encryption algorithms and the product's functional capability. SAS/SECURE 9.2 is available to most commercial and government users inside and outside the U.S. However, some countries (for example, Russia, China, and France) have import restrictions on products that contain encryption, and the U.S. prohibits the export of encryption software to specific embargoed or restricted destinations.
SAS/SECURE for UNIX and z/OS includes the following encryption algorithms:
RC2 using up to 128-bit keys
RC4 using up to 128-bit keys
DES using up to 56-bit keys
TripleDES using up to 168-bit keys
AES using 256-bit keys
Note: RC2, RC4, DES, and TripleDES are legacy algorithms that are now considered weak; DES in particular uses a 56-bit key that can be recovered by brute force. Where the software using encryption lets you choose the algorithm, select AES.
SAS/SECURE for Windows uses the encryption algorithms that are available in Microsoft CryptoAPI. The level of the SAS/SECURE encryption algorithms under Windows depends on the level of the encryption support in Microsoft CryptoAPI under Windows.
SAS/SECURE must be installed on the SAS server computer, the client computer, and possibly other computers, depending on the SAS software that requires encryption. For installation details, see the SAS documentation for the software that uses encryption.
For examples of configuring and using SAS/SECURE in your environment, see Encryption Technologies: Examples.
Secure Sockets Layer (SSL)
SSL is an abbreviation for Secure Sockets Layer, which is a protocol that provides network data privacy, data integrity, and authentication. Developed by Netscape Communications, SSL uses encryption algorithms that include RC2, RC4, DES, TripleDES, AES, and others.
In addition to providing encryption services, SSL authenticates the server to the client (and, optionally, the client to the server) using digital certificates, and it uses message authentication codes to protect data integrity. SSL is supported by all common Web browsers, and many Web sites use the protocol to protect confidential user information, such as credit card numbers. The SSL protocol is application independent and allows protocols such as HTTP, FTP, and Telnet to be transparently layered above it. The SAS SSL support includes software that was developed by the OpenSSL Project for use in the OpenSSL Toolkit. For more information, see www.OpenSSL.org.
Note: Transport Layer Security (TLS) is the successor to SSL V3.0. The Internet Engineering Task Force (IETF) took SSL V3.0, which was the de facto standard, modified it, renamed it TLS V1.0, and adopted it as a standard.
SAS 9 and later releases support SSL V2.0, SSL V3.0, and TLS V1.0. SSL V2.0 and SSL V3.0 have known protocol weaknesses and have since been prohibited by the IETF (RFC 6176 and RFC 7568), and TLS V1.0 has likewise been deprecated (RFC 8996). Where your SAS release and platform permit, configure both endpoints to negotiate TLS only.
SAS 9.2 supports SSL under these operating environments:
UNIX
Windows
z/OS (new for SAS 9.2)
OpenVMS
Note: The SAS/SECURE SSL software is included in the SAS installation software only for countries that allow the importation of encryption software.
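SAS configures SSL through its own options rather than through application code, but the checks that matter for any SSL/TLS client are the same: verify the server's certificate against a trusted CA, verify the hostname in that certificate, and refuse the legacy protocol versions. The following Python example, added here and not part of the SAS documentation, uses the standard-library ssl module to show a client context configured the weak way beside a hardened one and an audit function that reports the difference. The finding strings and the function names are this example's own; the optional CA bundle path is an assumption.

```python
import ssl

# Finding labels reported by audit_context(); names are this example's own.
VERIFY_DISABLED = "certificate verification disabled"
HOSTNAME_CHECK_DISABLED = "hostname verification disabled"
LEGACY_PROTOCOL_ALLOWED = "minimum protocol version below TLS 1.2"


def weak_context() -> ssl.SSLContext:
    """A client context configured the way many legacy deployments still are:
    the peer certificate is never checked, so an on-path attacker can present
    its own certificate and read or modify the session."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(ca_bundle=None) -> ssl.SSLContext:
    """Client context that requires a certificate chaining to a trusted CA
    (ca_bundle, or the platform store when None), checks the hostname, and
    refuses SSL 2.0/3.0, TLS 1.0 and TLS 1.1."""
    ctx = ssl.create_default_context(cafile=ca_bundle)   # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION                 # TLS-level compression is unsafe
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the list of weaknesses found in a client SSLContext; an empty
    list means the context meets the three checks above."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append(VERIFY_DISABLED)
    if not ctx.check_hostname:
        findings.append(HOSTNAME_CHECK_DISABLED)
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(LEGACY_PROTOCOL_ALLOWED)
    return findings


if __name__ == "__main__":
    print("weak context:    ", audit_context(weak_context()))
    print("hardened context:", audit_context(hardened_context()))
```

Run the audit against whatever context your client library actually uses; a context that passes with no findings is the equivalent of the SAS-side setting that the platform-specific installation instructions ask you to configure.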
The following concepts are fundamental to understanding SSL:
Cryptography products provide security services by using digital certificates, public-key cryptography, symmetric (private-key) cryptography, and digital signatures. Certification authorities (CAs) issue and maintain digital certificates, which bind a public key to the identity of its owner.
Various commercial CAs, such as VeriSign and Thawte, provide competitive services for the e-commerce market. You can also develop your own CA by using products from companies such as RSA Security and Microsoft or from the Open Source Toolkit OpenSSL.
Note: z/OS provides the RACDCERT command and PKI Services for implementing a CA.
From a trusted CA, members of an enterprise can obtain digital certificates to facilitate their e-business needs. The CA provides a variety of ongoing services to the business client, including handling digital certificate requests, issuing digital certificates, and revoking digital certificates.
Public-key cryptography uses a public and a private key pair. The public key can be known by anyone, so anyone can encrypt a confidential message for the owner of the key pair. The private key is known only to that owner, so only the owner can decrypt the message. The public key is used primarily for encryption, but it is also used to verify digital signatures. The private key is used primarily for decryption, but it is also used to generate digital signatures.
A digital signature affixed to an electronic document or to a network data packet serves the purpose of a personal signature that concludes a hand-written letter or that validates a credit card transaction: it is a safeguard against fraud. The signer computes a message digest (a cryptographic hash) of the document and signs that digest with its private key. Anyone who holds the matching public key can verify the signature, which establishes who sent the document and that it has not been altered since it was signed. Message Authentication Codes (MACs) provide a related form of verification that uses a shared secret key instead of a key pair. The sender computes a MAC over the document with the secret key and attaches it; a receiver that holds the same key recomputes the MAC to confirm that the document is authentic and unchanged. Because every holder of the key can produce a valid MAC, a MAC, unlike a digital signature, does not prove to a third party which key holder sent the document.
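The integrity and origin checks that a MAC gives to the parties sharing a key, and the limit of that guarantee, are easy to see in code. The following Python example is added here and is not part of the SAS documentation; it uses the standard-library hmac and hashlib modules (HMAC-SHA256), and the key and the SAS request text it protects are constructed for the example.

```python
import hashlib
import hmac
import secrets


def message_digest(message: bytes) -> bytes:
    """The fixed-length fingerprint of a document; this is what a signer
    would sign with a private key."""
    return hashlib.sha256(message).digest()


def mac_tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 tag over the message under a shared secret key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_mac(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare it in constant time (compare_digest),
    so a mismatch does not leak how many leading bytes were correct."""
    return hmac.compare_digest(mac_tag(key, message), tag)


def demo() -> dict:
    """Exercise the MAC on constructed data and report each outcome."""
    # Constructed sample data: a shared key and one SAS client request.
    key = secrets.token_bytes(32)
    request = b"PROC PRINT DATA=payroll.salaries; RUN;"
    tag = mac_tag(key, request)

    # An attacker without the key alters the request in transit.
    tampered = request.replace(b"salaries", b"salaries_all")
    other_key = secrets.token_bytes(32)

    # Any holder of the shared key can produce a valid tag for a message the
    # other side never sent: a MAC proves integrity and origin to the key
    # holders, but not non-repudiation to a third party.
    forged = b"PROC PRINT DATA=payroll.bonuses; RUN;"
    forged_tag = mac_tag(key, forged)

    return {
        "genuine_accepted": verify_mac(key, request, tag),
        "tamper_rejected": not verify_mac(key, tampered, tag),
        "wrong_key_rejected": not verify_mac(other_key, request, tag),
        "key_holder_can_forge": verify_mac(key, forged, forged_tag),
        "digest_len": len(message_digest(request)),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check:22s} {outcome}")
```

The last entry is the point of the caveat in the text: "key_holder_can_forge" is True, so a MAC alone cannot tell an auditor which of the two key holders produced a document; that needs a digital signature under a private key only one party holds.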
Digital certificates are electronic documents that ensure the binding of a public key to an individual or an organization. Digital certificates provide protection from fraud.
Usually, a digital certificate contains a public key, a user's name, and an expiration date. It also contains the name of the Certification Authority (CA) that issued the digital certificate and a digital signature that is generated by the CA. The CA's validation of an individual or an organization allows that individual or organization to be accepted at sites that trust the CA.
The instructions that you use to install and configure SSL at your site depend on whether you use UNIX, Windows, or z/OS. See the installation and configuration details for your operating environment.
For examples of configuring and using SSL in your environment, see Encryption Technologies: Examples.
SSH (Secure Shell)
SSH is an abbreviation for Secure Shell, which is a protocol that enables users to access a remote computer via a secure connection. SSH is available through various commercial products and as freeware. OpenSSH is a free implementation of the SSH protocol suite of network connectivity tools.
Although SAS software does not directly support SSH functionality, you can use the tunneling feature of SSH to carry the data that flows between a SAS client and a SAS server. Port forwarding is another term for tunneling. The SSH client and SSH server act as agents between the SAS client and the SAS server, tunneling information from the port that the SAS client connects to on the SSH client to the port that the SAS server listens on.
OpenSSH supports SSH protocol versions 1.3, 1.5, and 2.0. Protocol version 1 has known weaknesses, and current OpenSSH releases no longer support it; configure the tunnel to use protocol version 2.
SAS 9.2 supports SSH under these operating environments:
UNIX
Windows
z/OS
For additional resources, see
www.openssh.com
www.ssh.com
ssh(1) UNIX manual page.
Under z/OS, the IBM Ported Tools for z/OS Program Product must be installed for OpenSSH support. See www-03.ibm.com/servers/eserver/zseries/zos/unix/port_tools.html.
An inbound request from a SAS client to a SAS server flows as follows (figure: SSH Tunneling Process):
The SAS client passes its request to the SSH client's port 5555.
The SSH client forwards the SAS client's request to the SSH server via an encrypted tunnel.
The SSH server forwards the SAS client's request to the SAS server via port 4321.
Outbound, the SAS server's reply to the SAS client's request flows from the SAS server to the SSH server. The SSH server forwards the reply to the SSH client, which passes it to the SAS client.
SSH software must be installed on the client and server computers. Exact details about installing SSH software at the client and the server depend on the particular brand and version of the software that is used. See the installation instructions for your SSH software.
The process for setting up an SSH tunnel consists of the following steps:
SSH tunneling software is installed on the client and server computers. Details about tunnel configuration depend on the specific SSH product that is used.
The SSH client is started as an agent between the SAS client and the SAS server.
The components of the tunnel are set up. The components are a "listen" port, a destination computer, and a destination port. The SAS client accesses the listen port, and SSH forwards that traffic to the destination port on the destination computer. Bind the listen port to the loopback address of the client computer so that only processes on that computer can use the tunnel; a listen port bound to all interfaces lets any host that can reach the client ride the tunnel with the client's SSH credentials. SSH establishes an encrypted tunnel that indirectly connects the SAS client to the SAS server.
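The three tunnel components above map directly onto the -L option of ssh(1). The following Python example, added here and not part of the SAS documentation, builds and launches that command for the port numbers used in the figure (listen port 5555, SAS server port 4321), rejecting a listen address that is not loopback and starting ssh without a shell so that host and user names cannot inject commands. The host names sas-server and ssh-gateway and the user sasuser are assumptions for the example; the helper names are its own.

```python
import ipaddress
import socket
import subprocess
from typing import List


def tunnel_argv(listen_port: int, dest_host: str, dest_port: int,
                ssh_user: str, ssh_host: str,
                bind_addr: str = "127.0.0.1") -> List[str]:
    """Build the ssh(1) argument list for a local forward (-L) from
    bind_addr:listen_port on this computer to dest_host:dest_port, where
    dest_host is resolved by the SSH server."""
    for name, port in (("listen_port", listen_port), ("dest_port", dest_port)):
        if not isinstance(port, int) or not 1 <= port <= 65535:
            raise ValueError(f"{name} must be an integer in 1..65535, got {port!r}")
    ip = ipaddress.ip_address(bind_addr)          # raises ValueError if not an address
    if not ip.is_loopback:
        # A listen port on a routable address (or ssh -g) lets any host that can
        # reach this computer use the tunnel with our SSH credentials.
        raise ValueError(f"listen address {bind_addr} is not a loopback address")
    if not ssh_user or "@" in ssh_user or not ssh_host:
        raise ValueError("ssh_user and ssh_host must be non-empty; user must not contain '@'")
    bind = f"[{bind_addr}]" if ip.version == 6 else bind_addr   # ssh -L syntax for IPv6
    forward = f"{bind}:{listen_port}:{dest_host}:{dest_port}"
    return [
        "ssh",
        "-N",                                 # forward only, run no remote command
        "-o", "ExitOnForwardFailure=yes",     # exit instead of silently running without the tunnel
        "-L", forward,
        f"{ssh_user}@{ssh_host}",
    ]


def start_tunnel(argv: List[str]) -> subprocess.Popen:
    """Start ssh as the background agent between SAS client and SAS server.
    argv is passed as a list, never through a shell."""
    return subprocess.Popen(argv)


def listener_ready(bind_addr: str, port: int, timeout: float = 1.0) -> bool:
    """True once the SSH client accepts connections on the listen port, which
    is the moment the SAS client can be pointed at bind_addr:port."""
    try:
        with socket.create_connection((bind_addr, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # Hypothetical layout: the SAS server listens on 4321 on "sas-server",
    # which the SSH server "ssh-gateway" can reach; the SAS client connects
    # to 127.0.0.1:5555 on this computer.
    argv = tunnel_argv(5555, "sas-server", 4321, "sasuser", "ssh-gateway")
    print(" ".join(argv))
    # proc = start_tunnel(argv)   # then wait until listener_ready("127.0.0.1", 5555)
```

After start_tunnel() returns, poll listener_ready() before launching the SAS client; ssh exits rather than hanging if 5555 is already in use because of ExitOnForwardFailure, so a loop that never sees the listener should check proc.poll() for an early exit.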
Copyright © 2010 by SAS Institute Inc., Cary, NC, USA. All rights reserved.