Providers of Encryption

SASProprietary

SASProprietary Overview

SASProprietary is a fixed encoding algorithm that is included with Base SAS software; it requires no additional SAS product license. The algorithm is strong enough to protect your data from casual viewing, but no more than that: SASProprietary provides a medium level of security, while SAS/SECURE and SSL provide a high level of security.

SASProprietary System Requirements

SAS supports SASProprietary under these operating environments:
  • UNIX
  • Windows
  • z/OS

SASProprietary Installation and Configuration

SASProprietary is part of Base SAS. Separate installation is not required.
For an example of configuring and using SASProprietary in your environment, see SASProprietary for SAS/SHARE: Example.

SAS/SECURE

SAS/SECURE Overview

SAS/SECURE software is an add-on product that provides industry-standard encryption capabilities in addition to the SASProprietary algorithm. SAS/SECURE requires a license, and it must be installed on each computer that runs a SAS Foundation client or server that uses the encryption algorithms.
Note: SAS/SECURE provides encryption of data in transit. It does not provide authentication or authorization capabilities.
SAS/SECURE supports industry-standard encryption algorithms. This affects communications among SAS servers and between SAS servers and SAS desktop clients. On UNIX, z/OS, and Windows, SAS/SECURE supports the following encryption algorithms:
  • SASProprietary
  • RC2
  • RC4
  • DES
  • TripleDES
  • AES
  • SSL (a protocol that negotiates its own cipher, listed here because it is also a valid NETENCRYPTALGORITHM value)
Of these, only AES and SSL are accepted in FIPS 140-2 compliant mode; RC2, RC4, DES, and TripleDES are retained for compatibility with existing configurations.
Note: These algorithms are supported by SAS/SECURE on Windows by using the Microsoft Cryptographic API libraries that are included with the operating system.
Refer to Encryption Algorithms for more information about encryption algorithms supported for use with SAS/SECURE.
SAS/SECURE enables you to provide stronger protection for stored login passwords than is provided by SASProprietary encoding. This affects passwords that are included in configuration files. AES is the encryption algorithm used with the FIPS 140-2 enabled SAS/SECURE software. In the PWENCODE procedure, the METHOD option supports the SAS003 value (AES) only if you have SAS/SECURE. Refer to the PWENCODE Procedure for details.
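The stored-password point above, as an added example rather than anything from the SAS documentation: a POSIX shell audit that scans a SAS configuration file and flags every stored password that was not produced by PROC PWENCODE with METHOD=SAS003. PWENCODE prefixes its output with the method it used ({SAS001} is base64 encoding only, {SAS002} is SASProprietary, {SAS003} is AES and needs SAS/SECURE); the sample configuration, its option names and its values are constructed dummies, and the temporary file path is an assumption.

```shell
#!/bin/sh
# Added example, not from the SAS documentation: audit the password values
# stored in a SAS configuration file and flag every one that was not produced
# by PROC PWENCODE with METHOD=SAS003 (AES, requires SAS/SECURE).
# PWENCODE prefixes its output with the method it used: {SAS001} is base64
# encoding only, {SAS002} is SASProprietary, {SAS003} is AES. The sample
# config and its values below are constructed, not real encoded passwords.

# Print the method behind one stored value; return 0 only for SAS003.
pwencode_method() {
    case "$1" in
        "{SAS003}"*|"{sas003}"*) echo SAS003; return 0 ;;
        "{SAS002}"*|"{sas002}"*) echo SAS002; return 1 ;;
        "{SAS001}"*|"{sas001}"*) echo SAS001; return 1 ;;
        *)                       echo PLAINTEXT; return 1 ;;
    esac
}

# Scan a config file for password-bearing lines (password=..., -METAPASS "...")
# and print each weak one to stderr; print the number of weak entries to stdout.
audit_config_passwords() {
    weak=0
    while IFS= read -r line; do
        case "$line" in
            *[Pp][Aa][Ss][Ss]*) ;;   # keep lines that mention pass/password
            *) continue ;;
        esac
        # Value = text after the keyword and its "=" or space, quotes and ";" trimmed.
        value=$(printf '%s\n' "$line" | sed 's/^.*[Pp][Aa][Ss][Ss][A-Za-z]*[= ]*//; s/^"//; s/[";].*$//')
        if ! method=$(pwencode_method "$value"); then
            weak=$((weak + 1))
            printf 'WEAK (%s): %s\n' "$method" "$line" >&2
        fi
    done < "$1"
    echo "$weak"
}

# Constructed sample configuration (dummy values, not real encoded secrets).
write_sample_config() {
    cat > "$1" <<'EOF'
-METAUSER "sasadm@saspw"
-METAPASS "{SAS002}A1B2C3D4E5F6"
password="{SAS003}8899AABBCCDDEEFF"
password=changeme
EOF
}

# Run the audit over the sample: the SAS002 value and the plaintext value are
# reported as weak, so the count printed is 2.
run_audit() {
    tmp=${TMPDIR:-/tmp}/sas_pw_audit.$$
    write_sample_config "$tmp"
    audit_config_passwords "$tmp"
    rm -f "$tmp"
}
```

Run it against a real file with `audit_config_passwords /path/to/sasv9_usermods.cfg` (path is a placeholder). Anything reported as SAS001, SAS002 or PLAINTEXT should be re-encoded with PROC PWENCODE METHOD=SAS003 on a host that has SAS/SECURE installed.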
In SAS 9.3, you can instruct SAS/SECURE to use only services that are part of the Federal Information Processing Standard (FIPS) 140-2 standard. When SAS system option ENCRYPTFIPS is configured, SAS/SECURE uses only FIPS 140-2 validated encryption and hashing algorithms. Refer to FIPS 140-2 Standards Compliance and ENCRYPTFIPS System Option for details.
SAS/SECURE also provides greater protection for stored internal account passwords. The SHA-256 hashing algorithm is used with FIPS 140-2 enabled software. Otherwise, the MD5 hashing algorithm is used.
CAUTION:
In SAS 9.2, the password hash list was created using the MD5 hash algorithm. In SAS 9.3, when you configure your system to be FIPS 140-2 compliant, you must reset each password five times so that every previously stored MD5 hash is cleared from the password history. Passwords reset in FIPS mode use the SHA-256 hashing algorithm.

SAS/SECURE System Requirements

SAS supports SAS/SECURE under these operating environments:
  • UNIX
  • Windows
  • z/OS

SAS/SECURE Software Availability

SAS/SECURE is a licensed add-on product that is installed on every SAS Foundation client and server computer that uses its encryption algorithms (see SAS/SECURE Overview). Whether it can be delivered to a given site is subject to the export and import rules described in Export Restrictions for SAS/SECURE.

Export Restrictions for SAS/SECURE

For software licensing and delivery purposes, SAS/SECURE is the product within the SAS System. For U.S. export licensing purposes, SAS designates each product based on the encryption algorithms and the product's functional capability. SAS/SECURE 9.3 is available to most commercial and government users inside and outside the U.S. However, some countries (for example, Russia, China, and France) have import restrictions on products that contain encryption, and the U.S. prohibits the export of encryption software to specific embargoed or restricted destinations.
SAS/SECURE for UNIX and z/OS includes the following encryption algorithms:
  • RC2 using up to 128-bit keys
  • RC4 using up to 128-bit keys
  • DES using up to 56-bit keys
  • TripleDES using up to 168-bit keys
  • AES using 256-bit keys
SAS/SECURE for Windows uses the encryption algorithms that are available in Microsoft CryptoAPI. The level of the SAS/SECURE encryption algorithms under Windows depends on the level of the encryption support in Microsoft CryptoAPI under Windows.

SAS/SECURE Installation and Configuration

SAS/SECURE must be installed on the SAS server computer, the client computer, and possibly other computers, depending on the SAS software that requires encryption. For installation details, see the SAS documentation for the software that uses encryption.
To use the stronger forms of encryption provided by SAS/SECURE for communications and networking, specify the NETENCRYPT system option and set the NETENCRYPTALGORITHM= system option (alias NETENCRALG=) to RC2, RC4, DES, TRIPLEDES, AES, or SSL. Refer to NETENCRYPT System Option and NETENCRYPTALGORITHM System Option.
For examples of configuring and using SAS/SECURE in your environment, see Encryption Technologies: Examples.

SAS/SECURE FIPS 140-2 Compliant Installation and Configuration

To configure a FIPS 140-2 compliant system, you must use SAS/SECURE or SSL (or TLS). When using SAS/SECURE, specify SAS system options ENCRYPTFIPS and NETENCRALG= (set to AES) for UNIX, z/OS, or Windows. When ENCRYPTFIPS is specified, an INFO message is written at server start-up to indicate that FIPS encryption is enabled. Refer to ENCRYPTFIPS System Option for details.
In the FIPS 140-2 compliant mode, AES or SSL are the only supported encryption algorithms. Refer to NETENCRYPTALGORITHM System Option for details.
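The two options above, as an added example rather than text from the SAS documentation: a small POSIX shell helper that writes the ENCRYPTFIPS, NETENCRYPT and NETENCRYPTALGORITHM lines for a SAS config file and refuses any algorithm the text says FIPS mode does not accept, plus a check of the server log after start-up. The config-file syntax (one -OPTION per line), the log file path, and the assumption that the start-up INFO message contains the word FIPS are mine, not from the page.

```shell
#!/bin/sh
# Added example, not from the SAS documentation: emit the SAS/SECURE FIPS 140-2
# options described above as lines for a SAS config file, and fail closed when
# asked for an algorithm that FIPS mode does not allow.
# Assumptions: SAS "-OPTION value" config-file syntax; only AES and SSL are
# valid NETENCRYPTALGORITHM values once ENCRYPTFIPS is set.

# Return 0 if $1 is an algorithm permitted under ENCRYPTFIPS, else 1.
fips_alg_ok() {
    case "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" in
        AES|SSL) return 0 ;;
        *)       return 1 ;;
    esac
}

# Print the three option lines for a FIPS-enabled server. A weak algorithm
# (SASProprietary, RC2, RC4, DES, TripleDES) is rejected rather than written,
# because a server started with it would silently not be FIPS compliant.
fips_config_lines() {
    alg=$(printf '%s' "${1:-AES}" | tr '[:lower:]' '[:upper:]')
    if ! fips_alg_ok "$alg"; then
        echo "refusing NETENCRYPTALGORITHM=$alg: FIPS mode allows only AES or SSL" >&2
        return 1
    fi
    cat <<EOF
-ENCRYPTFIPS
-NETENCRYPT
-NETENCRYPTALGORITHM $alg
EOF
}

# After start-up, confirm the server really came up in FIPS mode. The text says
# an INFO message is written; its exact wording is not given here, so this only
# looks for the word FIPS in the log (assumption) and treats absence as failure.
fips_logged() {
    grep -qi 'FIPS' "$1"
}

# Usage (paths are placeholders):
#   fips_config_lines AES >> /path/to/sasv9_usermods.cfg
#   fips_logged /path/to/server.log || echo "FIPS mode not confirmed in log" >&2
```

Failing closed matters here: a server that starts with NETENCRYPTALGORITHM=RC4 and no ENCRYPTFIPS still talks to clients happily, so the misconfiguration is invisible unless the log is checked.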
In the FIPS 140-2 compliant mode, the SHA-256 hashing algorithm is used for stored password protection. Releases before SAS 9.3 hash the passwords exchanged between servers and clients with an algorithm that is not FIPS 140-2 compliant. Therefore, a FIPS-enabled server can connect only to clients and servers that are also enabled for FIPS 140-2 and run SAS 9.3 or later.
CAUTION:
In SAS 9.2, the password hash list was created using the MD5 hash algorithm. If you are moving from SAS 9.2 to a higher version of SAS and configuring your system to be FIPS 140-2 compliant, you need to clear all previously stored passwords. When you reset the passwords, they use the SHA-256 hashing algorithm.
For information about using FIPS with SSL, refer to SSL: FIPS 140-2 Compliant Installation and Configuration.
Before configuring FIPS on a Microsoft Windows Server 2003 computer, note a Microsoft issue that needs attention: services that run on Windows Server 2003 might not recognize changes to Windows environment variables. To resolve this issue, perform these steps:
  1. Go to the Microsoft support website and apply the fix located at http://support.microsoft.com/kb/887693. This website provides detailed information about the Windows 2003 Server issue.
  2. Run the configuration file that specifies the ENCRYPTFIPS system option.
For examples of configuring and using SAS/SECURE in your environment, see Encryption Technologies: Examples.

Secure Sockets Layer (SSL)

Secure Sockets Layer (SSL) Overview

SSL is an abbreviation for Secure Sockets Layer, a protocol that provides network data privacy, data integrity, and authentication. Developed by Netscape Communications, SSL uses encryption algorithms that include RC2, RC4, DES, TripleDES, and AES.
SSL uses X.509 certificates, and hence asymmetric cryptography, so that each party can verify the identity of the party with which it is communicating and the two can agree on a symmetric session key. As a consequence of choosing X.509 certificates, certificate authorities and a public key infrastructure are necessary to verify the relationship between a certificate and its owner, and to generate, sign, and administer the validity of certificates.
In addition to providing encryption services, SSL performs server authentication (and, optionally, client authentication), and it uses message authentication codes to ensure data integrity. The server presents its certificate, and the client validates it against the CA certificates that the client trusts and stores locally. Having verified the identity of the server, the client negotiates with the server to select a cipher (encryption method); the cipher that is selected is the first match between the ciphers that are supported on both the client and the server. All subsequent data transfers for the current request are then encrypted with the selected cipher.
SSL is supported by mainstream web browsers such as Internet Explorer and Firefox. Many websites use the protocol to protect confidential user information, such as credit card numbers. The SSL protocol is application independent and allows protocols such as HTTP, FTP, and Telnet to be transparently layered above it. The SSL support in SAS includes software that was developed by the OpenSSL Project for use in the OpenSSL Toolkit. For more information, see OpenSSL.
Note: Transport Layer Security (TLS) is the successor to SSL 3.0. The Internet Engineering Task Force (IETF) took SSL 3.0, the de facto standard, modified it, renamed it TLS V1.0, and adopted it as a standard.
In SAS 9.3, you can configure SSL to run in FIPS 140-2 compliant mode. For an overview of FIPS 140-2 compliancy, refer to FIPS 140-2 Standards Compliance. FIPS 140-2 compliant SSL supports the AES encryption algorithm and the SHA-256 hashing algorithm. Refer to ENCRYPTFIPS System Option and SSL Installation and Configuration for configuration instructions.

SSL System Requirements

SAS supports SSL under these operating environments:
  • UNIX
  • Windows
  • z/OS
Note: The SSL software is included in the SAS installation software only for countries that allow the importation of encryption software.
Note: SSL in FIPS 140-2 compliant mode is not supported on z/OS; see SSL: FIPS 140-2 Compliant Installation and Configuration for the SAS/SECURE alternative on that platform.

SSL Software Availability

Starting in the second maintenance release for SAS 9.3, SAS supports SSL on the Windows, UNIX, and z/OS platforms for the following versions of SSL:
  • SSL 3.0
  • TLS 1.0
When the security hot fixes are applied to the second maintenance release for SAS 9.3, the default minimum protocol for OpenSSL is TLS 1.0. The OpenSSL 0.9.8 libraries can use only SSL 3.0 and TLS 1.0. Use TLS 1.0 or higher wherever possible: SSL 3.0 has known protocol weaknesses and should be enabled only for a peer that cannot be upgraded.
Note: If you need to override the default protocol, you can set the SAS_SSL_MIN_PROTOCOL environment variable. For information, see SAS_SSL_MIN_PROTOCOL Environment Variable.
OpenSSL is shipped with Base SAS for UNIX and z/OS.
For Windows, SAS uses the SChannel library that comes with the Windows operating system.
To find the OpenSSL code base version that is used to build the SSL and TLS libraries provided by SAS for each release, see Mapping Between SAS Version and OpenSSL Version.
Note: Different operating systems require the use of different library file extensions. For example, HP-UX, Linux, and Solaris use libcrypto.so.0.9.8 and libssl.so.0.9.8. AIX uses libcrypto.so and libssl.so. Refer to your operating system vendor documentation when using the vendor's OpenSSL libraries. There might be additional procedures that need to be followed to make the libraries work properly in your environment.
The SSL version shipped with SAS for Windows is FIPS 140-2 compliant. The SSL version shipped with SAS for UNIX is not FIPS 140-2 compliant. However, you can compile a FIPS 140-2 compliant version of OpenSSL and install it. For more information, see SSL: FIPS 140-2 Compliant Installation and Configuration.

SSL Concepts

The following concepts are fundamental to understanding SSL:
Certification Authorities (CAs)
Cryptography products provide security services by using digital certificates, public-key cryptography, private-key cryptography, and digital signatures. Certification authorities (CAs) create and maintain digital certificates, which also help preserve confidentiality.
Various commercial CAs, such as VeriSign and Thawte, provide competitive services for the e-commerce market. You can also develop your own CA by using products from companies such as RSA Security and Microsoft or from the Open-Source Toolkit OpenSSL.
Note: z/OS provides the PACDCERT command and PKI Services for implementing a CA.
From a trusted CA, members of an enterprise can obtain digital certificates to facilitate their e-business needs. The CA provides a variety of ongoing services to the business client that include handling digital certificate requests, issuing digital certificates, and revoking digital certificates.
Public and Private Keys
Public-key cryptography uses a public and a private key pair. The public key can be known by anyone, so anyone can send a confidential message. The private key is confidential and known only to the owner of the key pair, so only the owner can read the encrypted message. The public key is used primarily for encryption, but it can also be used to verify digital signatures. The private key is used primarily for decryption, but it can also be used to generate a digital signature.
Digital Signatures
A digital signature affixed to an electronic document or to a network data packet is like a personal signature that concludes a hand-written letter or that validates a credit card transaction. Digital signatures are a safeguard against fraud. A digital signature is produced by computing a message digest of the document and transforming that digest with the signer's private key; anyone who holds the matching public key can verify it. Receipt of a document that contains a digital signature enables the receiver to verify the source of the document and that it has not been altered since it was signed. Another form of verification comes from Message Authentication Codes (MACs), which are computed with a secret key shared by sender and receiver. A MAC attached to a document lets a receiver who also has the secret key confirm that the document is authentic and unchanged.
Digital Certificates
Digital certificates are electronic documents that ensure the binding of a public key to an individual or an organization. Digital certificates provide protection from fraud.
Usually, a digital certificate contains a public key, a user's name, and an expiration date. It also contains the name of the Certification Authority (CA) that issued the digital certificate and a digital signature that is generated by the CA. The CA's validation of an individual or an organization allows that individual or organization to be accepted at sites that trust the CA.
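The concepts above, shown with the OpenSSL toolkit that SAS ships for UNIX and z/OS. This is an added example, not code from the SAS documentation: it builds a private CA (a key pair plus a self-signed certificate), has the CA sign a server certificate, and then verifies that certificate the way an SSL client does, once against the issuing CA and once against an unrelated CA. The working directory and the subject names are placeholders.

```shell
#!/bin/sh
# Added example, not from the SAS documentation: the SSL concepts above made
# concrete with the OpenSSL toolkit. A private CA issues a server certificate;
# verification succeeds against that CA and fails against an unrelated one,
# which is the check an SSL client performs on the certificate a server
# presents. Directory and subject names are placeholders.

# Build a CA, a CA-signed server certificate, and an unrelated CA under $1.
make_pki() {
    d=$1; mkdir -p "$d" || return 1
    # Certification authority: key pair plus self-signed certificate.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Example Internal CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1
    # Server key pair and a signing request carrying the public key and name.
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=sasserver.example.com" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null || return 1
    # The CA signs the request: its digital signature binds name to public key.
    openssl x509 -req -sha256 -days 365 -in "$d/server.csr" \
        -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
        -out "$d/server.pem" 2>/dev/null || return 1
    # An unrelated CA, to show that trust does not transfer between CAs.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Some Other CA" \
        -keyout "$d/other.key" -out "$d/other.pem" 2>/dev/null || return 1
}

# Verify a certificate the way a client does: signature chains to a trusted CA
# and the certificate is within its validity period. Prints "trusted" or
# "untrusted" and returns 0 or 1 accordingly.
verify_server_cert() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted; return 1
    fi
}

# Usage:
#   d=${TMPDIR:-/tmp}/sas_ssl_demo.$$
#   make_pki "$d"
#   verify_server_cert "$d/ca.pem"    "$d/server.pem"   # trusted
#   verify_server_cert "$d/other.pem" "$d/server.pem"   # untrusted
```

Two practical points follow from this. The server certificate's subject (CN=sasserver.example.com here) must match the host name the SAS client connects to, and the client must be given ca.pem, not server.pem, as its trusted certificate: trusting the server certificate directly works only until that certificate is rotated.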

SSL Installation and Configuration

SSL for UNIX, z/OS, and Windows is shipped with Base SAS. No additional software installation is required.
The instructions that you use to install and configure SSL at your site depend on whether you use UNIX, Windows, or z/OS; see the platform-specific details for your operating environment.
For examples of configuring and using SSL in your environment, see Encryption Technologies: Examples.

SSL: FIPS 140-2 Compliant Installation and Configuration

Starting in SAS 9.3, you can configure SSL to run in FIPS 140-2 compliant mode.
To configure a FIPS 140-2 compliant system, specify SAS system options ENCRYPTFIPS and NETENCRALG= (set to AES or SSL). When ENCRYPTFIPS is specified, an INFO message is written at server start-up to indicate that FIPS encryption is enabled. For more information, refer to ENCRYPTFIPS System Option and NETENCRYPTALGORITHM System Option.
The SSL versions shipped with SAS for Windows are FIPS 140-2 compliant. The SSL version shipped with SAS for UNIX is not FIPS 140-2 compliant. However, you can compile a FIPS 140-2 compliant version of OpenSSL and install it. For more information, see Building FIPS 140-2 Capable OpenSSL for UNIX and FIPS 140-2 Capable SSL for Windows.
Note: The SSL version shipped with SAS for z/OS is not FIPS 140-2 compliant. However, you can use SAS/SECURE with AES to provide FIPS on z/OS.
For an overview of FIPS 140-2 compliancy, refer to FIPS 140-2 Standards Compliance.

SSH (Secure Shell)

SSH (Secure Shell) Overview

SSH is an abbreviation for Secure Shell. SSH is a protocol that enables users to access a remote computer via a secure connection. SSH is available through various commercial products and as freeware. OpenSSH is a free version of the SSH protocol suite of network connectivity tools.
Although SAS software does not directly support SSH functionality, you can use the tunneling feature of SSH to enable data to flow between a SAS client and a SAS server. Port forwarding is another term for tunneling. The SSH client and SSH server act as agents between the SAS client and the SAS server, tunneling information via the SAS client's port to the SAS server's port.

SSH System Requirements

OpenSSH supports SSH protocol versions 1.3, 1.5, and 2.0. Use protocol version 2.0: the version 1 protocols are obsolete, have known weaknesses, and are no longer supported by current OpenSSH releases.
SAS supports SSH under these operating environments:
  • UNIX
  • Windows
  • z/OS
For additional resources, see
  • www.openssh.com
  • www.ssh.com
  • ssh(1) UNIX manual page.
Under z/OS, the IBM Ported Tools for z/OS Program Product must be installed for OpenSSH support. See www-03.ibm.com/servers/eserver/zseries/zos/unix/port_tools.html.

SSH Tunneling Process

An inbound request from a SAS client to a SAS server flows as follows (figure: SSH Tunneling Process):
  1. The SAS client passes its request to the SSH client's port 5555.
  2. The SSH client forwards the SAS client's request to the SSH server via an encrypted tunnel.
  3. The SSH server forwards the SAS client's request to the SAS server via port 4321.
Outbound, the SAS server's reply to the SAS client's request flows from the SAS server to the SSH server. The SSH server forwards the reply to the SSH client, which passes it to the SAS client.

SSH Tunneling: Process for Installation and Setup

SSH software must be installed on the client and server computers. Exact details about installing SSH software at the client and the server depend on the particular brand and version of the software that is used. See the installation instructions for your SSH software.
The process for setting up an SSH tunnel consists of the following steps:
  • SSH tunneling software is installed on the client and server computers. Details about tunnel configuration depend on the specific SSH product that is used.
  • The SSH client is started as an agent between the SAS client and the SAS server.
  • The components of the tunnel are set up. The components are a “listen” port, a destination computer, and a destination port. The SAS client accesses the listen port, which is forwarded to the destination port on the destination computer. SSH establishes an encrypted tunnel that indirectly connects the SAS client to the SAS server.
For examples of setting up and using a tunnel, see SSH Tunnel for SAS/CONNECT: Example and SSH Tunnel for SAS/SHARE: Example .
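The tunnel described in the two sections above, as an added example rather than the SAS documentation's own: a POSIX shell helper that builds the OpenSSH command for the listen port, destination computer and destination port from the figure (SAS client to SSH client port 5555, SSH server to SAS server port 4321), and the SAS/CONNECT signon that points at the local end of the tunnel. The host names, the user name and the `ssh -L` mechanism are my assumptions; the page itself does not prescribe an SSH product.

```shell
#!/bin/sh
# Added example, not from the SAS documentation: open the tunnel drawn in the
# SSH Tunneling Process section with OpenSSH, using the ports from the text
# (SAS client -> SSH client listen port 5555 -> encrypted tunnel -> SSH server
# -> SAS server port 4321). Host names and the user name are placeholders.

# Compose the OpenSSH command for the tunnel. The flags are the security-
# relevant choices:
#   127.0.0.1:<port>       bind the listen port to loopback only, so no other
#                          host can ride the tunnel with this user's credentials
#   -N                     no remote shell; the SSH client is an agent only
#   ExitOnForwardFailure   exit instead of running without the forward, which
#                          would leave the SAS client connecting to nothing
#   StrictHostKeyChecking  refuse an unknown or changed host key; otherwise an
#                          impostor SSH server could terminate the tunnel
ssh_tunnel_cmd() {
    listen_port=$1 dest_host=$2 dest_port=$3 ssh_user=$4 ssh_host=$5
    for p in "$listen_port" "$dest_port"; do
        case "$p" in
            ''|*[!0-9]*) echo "bad port: '$p'" >&2; return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "port out of range: $p" >&2; return 1
        fi
    done
    printf 'ssh -N -o ExitOnForwardFailure=yes -o StrictHostKeyChecking=yes -L 127.0.0.1:%s:%s:%s %s@%s\n' \
        "$listen_port" "$dest_host" "$dest_port" "$ssh_user" "$ssh_host"
}

# Start the tunnel in the background and print its PID so it can be torn down
# after the SAS session ends. Word-splitting the composed command is safe here:
# the ports were validated and the remaining words are host and user names.
start_tunnel() {
    cmd=$(ssh_tunnel_cmd "$@") || return 1
    $cmd &
    echo $!
}

# The SAS/CONNECT client signs on to the local end of the tunnel, never to the
# SAS server directly. Constructed program, run with "sas -sysin signon.sas".
sas_signon_program() {
    cat <<EOF
/* constructed example: the remote host is the SSH client's listen port */
%let remhost=localhost $1;
options comamid=tcp remote=remhost;
signon remhost;
EOF
}

# Usage (placeholders):
#   pid=$(start_tunnel 5555 sasserver.example.com 4321 sasuser sshhost.example.com)
#   sas_signon_program 5555 > signon.sas && sas -sysin signon.sas
#   kill "$pid"
```

Note that the SAS traffic is protected only between the SSH client and the SSH server; the hop from the SSH server to the SAS server on port 4321 is in the clear, so the SSH server should run on the SAS server itself or on a host that shares a trusted network with it.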