Overview of Encryption

Security Concepts

SAS provides strategies for protecting information that is associated with a SAS deployment. Some components supporting this protection are based on third-party components that are incorporated into the SAS product delivery, and some are SAS-specific components. SAS provides products and third-party strategies for protecting data and credentials (user IDs and passwords) that are exchanged in a networked environment. Various security strategies are used to maintain data usability and data confidentiality, as well as to validate the integrity of content. Various encryption, hashing, and encoding algorithms are used by SAS to protect your data in transit or data at rest.
encoding
Encoding transforms data into another format using a scheme that is publicly available so that it can easily be reversed. It does not require a key. The only thing required to decode it is the algorithm that was used to encode it.
Encoding only obfuscates the data; it does not provide data confidentiality. Protect encoded data with other security controls as well, such as file system permissions or other access control mechanisms.
Examples are SAS002, SAS003, and SAS004 encoding and SAS Proprietary 32-bit fixed key encoding.
encryption
Encryption transforms data into another format in such a way that only specific individual(s) can reverse the transformation. It uses a key that is kept secret, in conjunction with the plaintext and the algorithm, in order to perform the encryption operation. As such, the ciphertext, algorithm, and key are all required to return to the plaintext. Example encryption algorithms are AES and RSA.
hashing
Hashes are commonly used to store passwords to prevent them from being viewed. Hash algorithms are one-way functions. They turn any amount of data into a fixed-length "fingerprint" that cannot be reversed. If the input changes by even a tiny bit, the resulting hash is completely different. When passwords are hashed, only the hash is kept. To verify a password, you hash the supplied password and check whether the resulting hash matches the stored hash.
Examples are the SHA-256 and SHA-512 hashing algorithms.
salting
Salt is data used as an additional input to the encryption algorithm. When the salt is being used, the first eight bytes of the encrypted data are reserved for the salt. The salt value is generated at random when encrypting a file and read from the encrypted file when it is decrypted.
Examples are AES with 16-bit salt (SAS003) and AES with 64-bit salt (SAS004).
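The following added example (illustration written for this page, not SAS code, and not the SAS002/SAS003/SAS004 record formats) shows the three properties defined above side by side with Python standard-library primitives: encoding is keyless and reversible, hashing is one-way and changes completely on a one-byte input change, and a salted password hash stores a random salt in the first eight bytes of the record, the layout the salting entry describes, so that verification can read the salt back out. PBKDF2-HMAC-SHA256 and the 100,000-round cost are assumptions chosen for the example; SAS/SECURE's actual salting and hashing details are not reproduced here.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

SALT_LEN = 8          # salt occupies the first eight bytes of the stored record
PBKDF2_ROUNDS = 100_000  # assumed work factor; tune to the deployment's budget


def encode(data: bytes) -> str:
    """Encoding: a public, keyless transform that anyone can reverse."""
    return base64.b64encode(data).decode("ascii")


def decode(text: str) -> bytes:
    """Undo encode(); only knowledge of the scheme is required, no key."""
    return base64.b64decode(text)


def fingerprint(data: bytes) -> str:
    """Hashing: one-way, fixed-length digest (64 hex chars for SHA-256)."""
    return hashlib.sha256(data).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return a stored record laid out as salt (8 bytes) || digest.

    The salt is generated at random for each new record, so two users with
    the same password get different records and precomputed tables do not
    apply. A caller may pass a fixed salt only for deterministic testing.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be exactly %d bytes" % SALT_LEN)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS
    )
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Read the salt back from the record, rehash the candidate, compare.

    hmac.compare_digest keeps the comparison constant-time so a wrong
    guess cannot be distinguished by how early the comparison stops.
    """
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS
    )
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    secret = b"report.sas7bdat contents"        # constructed sample input
    print("encoded  :", encode(secret))
    print("decoded  :", decode(encode(secret)) == secret)
    print("sha256   :", fingerprint(b"abc"))
    print("sha256'  :", fingerprint(b"abd"))    # one byte changed, new digest
    record = hash_password("correct horse")      # constructed sample password
    print("salt     :", record[:SALT_LEN].hex())
    print("verify ok:", verify_password("correct horse", record))
    print("verify no:", verify_password("wrong horse", record))
```

Note that the record itself is what a deployment would store; nothing in it, including the salt, needs to be kept secret, but the stored records should still sit behind file system permissions, exactly as the encoding entry above advises for obfuscated data.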

Two Classes of Encryption Strength

Two classes of encryption strength are available:
  • For compatibility with legacy systems, SASProprietary encoding is supported. These methods are available in all deployments and are appropriate for preventing accidental exposure of information. They have minimal impact on performance.
  • For a higher level of security, it is recommended to use industry-standard encryption and hashing algorithms. These methods provide stronger protection and are available in all deployments, except where prohibited by import restrictions.
    Note: Industry-standard algorithms are provided by SAS/SECURE. For details about supported algorithms and availability, see Providers of Encryption.
SAS recommends that you use the strongest security standards available for your environment.

Two Contexts for Encryption Coverage

SAS provides encryption in two contexts:
  • Data-at-rest encryption protects data at rest. The emphasis is on protection of passwords in configuration files and in the metadata repository, and on encryption of SAS data sets.
  • Data-in-motion encryption protects data in transit. The emphasis is on protection of passwords and data in transit. You can also choose to protect all traffic in transit between SAS servers and SAS desktop clients.
    Note: To ensure that only FIPS-validated encryption algorithms are used, set the ENCRYPTFIPS system option. See ENCRYPTFIPS System Option.