Encryption services increase the security of transmissions across networks
There is a great need to ensure the confidentiality of business transactions over a network between an enterprise and its consumers, between enterprises, and within an enterprise. SAS provides products, and supports third-party strategies, for protecting data and credentials (user IDs and passwords) that are exchanged in a networked environment. This process of protecting data is called encryption.
Encryption is the transformation of intelligible data (plaintext) into an unintelligible form (ciphertext) by means of a mathematical process. The ciphertext is translated back to plaintext when the appropriate key that is necessary for decrypting (unlocking) the ciphertext is applied. SAS offers two classes of encryption strength:
- If you don't have SAS/SECURE, only the SASProprietary algorithm is available. SASProprietary uses 32-bit fixed encoding and is appropriate only for preventing accidental exposure of information. SASProprietary is licensed with Base SAS software and is available in all deployments.
- If you have SAS/SECURE, you can use industry-standard encryption algorithms instead of the SASProprietary algorithm. SAS/SECURE is an add-on product that is included with Base SAS 9.4.
Encryption helps to protect information on-disk and in-transit as follows:
- Over-the-wire encryption protects data while in transit. Passwords in transit to and from SAS servers are encrypted or encoded.
- On-disk encryption protects data at rest. Passwords in configuration files and the metadata are encrypted or encoded. Configuration files and metadata repository data sets are also host protected.
SAS/SECURE software is included with Base SAS 9.4 and provides industry-standard encryption capabilities in addition to the SASProprietary algorithm. SAS/SECURE requires a license for Base SAS, and it must be installed on each computer that runs a Foundation SAS client or a SAS server that will use the encryption algorithms.
Note: SAS/SECURE provides encryption of data in transit. It does not provide authentication or authorization capabilities.
SAS/SECURE can be configured to use only services that are part of the Federal Information Processing Standard (FIPS) 140-2 standard. When SAS system option ENCRYPTFIPS is configured, SAS/SECURE uses only FIPS 140-2 validated encryption and hashing algorithms. Refer to FIPS 140-2 Standards Compliance and ENCRYPTFIPS System Option for details.
SAS/SECURE supports industry-standard encryption algorithms. This affects communications among SAS servers and between SAS servers and SAS desktop clients. On UNIX and z/OS, SAS/SECURE supports AES (Advanced Encryption Standard), AES predecessors (DES and TDES), and the RC4 and RC2 algorithms. On Windows, SAS/SECURE supports algorithms that are included in the Microsoft Cryptographic API. Refer to Encryption Algorithms for more information about encryption algorithms supported for use with SAS/SECURE.
SAS/SECURE enables you to provide stronger protection for stored login passwords than is provided by SASProprietary encoding. This affects passwords that are included in configuration files. AES is the encryption algorithm used with the FIPS 140-2 enabled SAS/SECURE software. In the PWENCODE procedure, the METHOD option supports the SAS003 value (AES) only if you have SAS/SECURE. Refer to the PWENCODE Procedure for details.
SAS/SECURE also provides greater protection for stored internal account passwords. The SHA-256 hashing algorithm is used with FIPS 140-2 enabled software. Otherwise, the MD5 hashing algorithm is used.
Export Restrictions for SAS/SECURE
For software licensing and delivery purposes, SAS/SECURE is the product within the SAS System. For US export licensing purposes, SAS designates each product based on the encryption algorithms and the product's functional capability. SAS/SECURE 9.4 is available to most commercial and government users inside and outside the US. However, some countries (for example, Russia, China and France) have import restrictions on products that contain encryption, and the US prohibits the export of encryption software to specific embargoed or restricted destinations. SAS/SECURE for UNIX and z/OS includes the following encryption algorithms:
- RC2 using up to 128-bit keys.
- RC4 using up to 128-bit keys.
- DES using up to 56-bit keys.
- TripleDES using up to 168-bit keys.
- AES using 256-bit keys.
SAS/SECURE for Windows uses the encryption algorithms that are available in Microsoft CryptoAPI. The level of the SAS/SECURE encryption algorithms under Windows depends on the level of the encryption support in Microsoft CryptoAPI under Windows.
Installation and Configuration
SAS/SECURE must be installed on the SAS server computer, the client computer and possibly other computers, depending on the SAS software that requires encryption. For installation details, see the SAS documentation for the software that uses encryption. For examples of configuring and using SAS/SECURE in your environment, see Encryption Technologies: Examples.
FIPS 140-2 Compliant Installation and Configuration
To verify that SAS/SECURE is FIPS 140-2 compliant, configure the SAS system option ENCRYPTFIPS at system invocation. Refer to ENCRYPTFIPS System Option for details. In FIPS 140-2 compliant mode, AES is the only supported encryption algorithm. Refer to NETENCRYPTALGORITHM System Option for details. In FIPS 140-2 compliant mode, the SHA-256 hashing algorithm is used instead of MD5 for password protection. Existing internal account passwords are rehashed with SHA-256 only when they are changed, so change them after enabling the mode.
Note: Data transferred between servers and clients prior to SAS 9.3 uses hashed passwords that are not FIPS 140-2 compliant. Therefore, you can connect only servers and clients that run SAS 9.3 or later and are enabled for FIPS 140-2.
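The following is an added example, not part of the SAS documentation above: it puts the FIPS 140-2 invocation options, a PROC OPTIONS check that they took effect, and the SASProprietary (SAS002) versus AES (SAS003) PWENCODE methods from the earlier section side by side. The password value is constructed, and the NETENCRYPT option is an assumption not mentioned on this page.

```sas
/* Added example; not from the SAS documentation.                          */
/* 1. Invocation options, placed in the SAS configuration file (sasv9.cfg)  */
/*    or on the command line. ENCRYPTFIPS cannot be set with an OPTIONS     */
/*    statement; it must be present at system invocation:                  */
/*                                                                          */
/*      -ENCRYPTFIPS              FIPS 140-2 mode: AES only, SHA-256 hashes */
/*      -NETENCRYPTALGORITHM AES  the only algorithm accepted in FIPS mode  */
/*      -NETENCRYPT               require encryption on every connection    */
/*                                (assumed option, not shown on this page)  */

/* 2. Check in the running session that FIPS mode and AES are in effect.    */
/*    The settings are written to the SAS log.                              */
proc options option=(encryptfips netencryptalgorithm);
run;

/* 3. Weak: SASProprietary encoding (METHOD=SAS002). Available without      */
/*    SAS/SECURE; only prevents accidental exposure of the password.        */
proc pwencode in='Example-Passw0rd' method=sas002;   /* constructed value */
run;

/* 4. Stronger: AES encryption (METHOD=SAS003). Requires SAS/SECURE and is  */
/*    the method to use for passwords stored in configuration files.        */
proc pwencode in='Example-Passw0rd' method=sas003;   /* constructed value */
run;
```

Each PWENCODE step writes the encoded string, prefixed with its method tag, to the SAS log; that string is what goes into the configuration file in place of the plaintext password.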