Sybase NNTP forums - End Of Life (EOL)

The NNTP forums from Sybase - forums.sybase.com - are now closed.

All new questions should be directed to the appropriate forum at the SAP Community Network (SCN).

Individual products have links to the respective forums on SCN, or you can go to SCN and search for your product in the search box (upper right corner) to find your specific developer center.

Encryption in 12.0.1.

11 posts in Ultralite. Last posting was on 2011-04-14 17:57:07.0Z
Shao Chan Posted on 2011-04-13 11:13:03.0Z
Reply-To: "Shao Chan" <nospam@nospam.com>
From: "Shao Chan" <nospam@nospam.com>
Newsgroups: sybase.public.sqlanywhere.ultralite
Subject: Encryption in 12.0.1.
Lines: 67
Organization: Civica
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2900.5931
X-RFC2646: Format=Flowed; Original
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5994
NNTP-Posting-Host: vip152.sybase.com
X-Original-NNTP-Posting-Host: vip152.sybase.com
Message-ID: <4da5853f$1@forums-1-dub>
Date: 13 Apr 2011 04:13:03 -0700
X-Trace: forums-1-dub 1302693183 10.22.241.152 (13 Apr 2011 04:13:03 -0700)
X-Original-Trace: 13 Apr 2011 04:13:03 -0700, vip152.sybase.com
Path: forums-1-dub!not-for-mail
Xref: forums-1-dub sybase.public.sqlanywhere.ultralite:12468
Article PK: 1048280

SQL Anywhere 12.0.1.

Hi all,

Just a few queries on encryption...

1) ECC is more efficient than RSA and RSA FIPS?

2) RSA is free, ECC and RSA FIPS cost?

3) Encryption can be performed:
- Mobilink Sync (RSA, ECC, FIPS)
- Mobilink End To End (RSA, ECC, FIPS)
- Database (FIPS)

4) If I buy a FIPS licence I can encrypt both database and mobilink and
mobilink endtoend?

5) I can mix and match with multiple licenses, e.g.
- Mobilink Sync using RSA
- Mobilink End To End using ECC
- Database using FIPS

6) ECC in 12.0.1. can run over tls and https (in version 9.0.2. it can only run
over tls)?

7) Can FIPS run over tls?

8) In the U.K., councils are moving to Government Connect compliance. This
requires all remote devices to be secure and encrypted (on both device and
data transmissions). However, performance has been an issue in the past and
councils use an APN so that the mobilink stream does not need to be
encrypted, and neither then does it need to be http traffic as firewall
issues are bypassed.
However, the device database needs to be secure, as well as data
transmissions, even if going over an APN.
The way I see it is that because we can still bypass the firewall with a
direct APN connection, then we can still use tls.
So buying a FIPS licence and using it for database encryption and FIPS over
tls would be the more obvious way forward.
If performance is a problem for any reason, I would have to buy a second
licence and change the FIPS transmission to ECC and keep the database on
FIPS right?
Any other suggestions?

The reason I ask this is that:
- HTTP takes at least 2-3 times longer to sync than TCP.
- HTTPS takes at least 3 times longer to sync than TCP.
Now as far as I can tell, HTTPS with RSA or RSA FIPS are no-go areas. In
both 9.0.2. and 11.0.1. performance is not acceptable. I doubt 12.0.1.
would be much different.

So, assuming an APN is available but that transmissions must still be
encrypted, are the above my main options or are there other options that I
could consider?

Thanks,

Shao


Jeff Albion [Sybase iAnywhere] Posted on 2011-04-13 16:31:37.0Z
From: "Jeff Albion [Sybase iAnywhere]" <firstname.lastname@sybase.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.15) Gecko/20110303 Lightning/1.0b2 Thunderbird/3.1.9
MIME-Version: 1.0
Newsgroups: sybase.public.sqlanywhere.ultralite
Subject: Re: Encryption in 12.0.1.
References: <4da5853f$1@forums-1-dub>
In-Reply-To: <4da5853f$1@forums-1-dub>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
NNTP-Posting-Host: vip152.sybase.com
X-Original-NNTP-Posting-Host: vip152.sybase.com
Message-ID: <4da5cfe9$1@forums-1-dub>
Date: 13 Apr 2011 09:31:37 -0700
X-Trace: forums-1-dub 1302712297 10.22.241.152 (13 Apr 2011 09:31:37 -0700)
X-Original-Trace: 13 Apr 2011 09:31:37 -0700, vip152.sybase.com
Lines: 113
X-Authenticated-User: techsupp
Path: forums-1-dub!not-for-mail
Xref: forums-1-dub sybase.public.sqlanywhere.ultralite:12469
Article PK: 1048225

Hello Shao,

On 13/04/2011 7:13 AM, Shao Chan wrote:
> 1) ECC is more efficient than RSA and RSA FIPS?

"Efficient" in which ways...? Memory usage? Number of mathematical
operations to generate keys? Time to break the key? Size of key strength
versus encryption strength...?

You will probably find that there are a "few" opinions on this subject
and the important factors of this comparison will depend on personal
preference. I would say that depending on which platform(s) you're
intending to support, this would help dictate which type of certificate
to use:

http://www.sybase.com/detail?id=1091125#UL

> 2) RSA is free, ECC and RSA FIPS cost?

Yes, RSA encryption is included with SQL Anywhere 10 and up. ECC and
RSA-FIPS are "separately licensed components". See your Sales Rep for
more info.

> 3) Encryption can be performed:
> - Mobilink Sync (RSA, ECC, FIPS)
> - Mobilink End To End (RSA, ECC, FIPS)
> - Database (FIPS)

I assume by "database", you mean "database storage", and yes, this can
be "AES" or "AES-FIPS":
http://dcx.sybase.com/index.html#1201/en/uladmin/fo-databases-s-5079628.html

Note: "RSA-FIPS" is not technically a separate encryption scheme to
"RSA"; the "FIPS" specification is due to the Certicom RSA-FIPS library
containing a pre-FIPS-certified cryptographic module ( e.g.
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm ).

> 4) If I buy a FIPS licence I can encrypt both database and mobilink and
> mobilink endtoend?

MobiLink end-to-end encryption (E2EE) does not use "FIPS" specific keys;
it can generate "RSA" (or "ECC") based keys, based on the licensing
available to the product.

Also, the database communication encryption (e.g. "ENC=") can use
RSA/RSA-FIPS and ECC technology.

> 5) I can mix and match with multiple licenses, e.g.
> - Mobilink Sync using RSA
> - Mobilink End To End using ECC
> - Database using FIPS

Yes, but this would be expensive from a licensing perspective...?

> 6) ECC is 12.0.1. can run over tls and https (in version 9.0.2. can only run
> over tls)?

Yes, this was a new feature for version 10.0.0:
http://dcx.sybase.com/index.html#1001/en/dbwnen10/wn-newjasper-s-5619987.html

> 7) Can FIPS run over tls?

Yes: http://dcx.sybase.com/index.html#1201/en/mlserver/ml-syncserver-x.html

> 8) In the U.K., councils are moving to Government Connect compliance. This
> requires all remote devices to be secure and encrypted (on both device and
> data transmissions). However, performance has been an issue in the past and
> councils use an APN so that the mobilink stream does not need to be
> encrypted and neither then does it need to be http traffic as firewall
> issues are bypassed.
> However, the device database needs to be secure, as well as data
> transmissions, even if going over an APN.
> The way I see it is that because we can still bypass the firewall with a
> direct APN connection, then we can still use tls.
> So buying a FIPS licence and using it for database encryption and FIPS over
> tls would be the more obvious way forward.
> If performance is a problem for any reason, I would have to buy a second
> licence and change the FIPS transmission to ECC and keep the database on
> FIPS right?
> Any other suggestions?

I am confused; FIPS 140-2 is a U.S. Federal standard (also adhered to by
the Communications Security Establishment (CSE) in Canada). I am not
aware of U.K. agencies requiring "FIPS"-specific certification of
modules, considering that the U.K. runs a separate certification
program, the CESG Assisted Products Service (CAPS):

http://www.cesg.gov.uk/products_services/iacs/caps/index.shtml

... so, are FIPS cryptographic modules recognized by this U.K.
certification program as well?

---

Otherwise, this sounds like a reasonable approach; I would try to keep
everything as "RSA-FIPS"/"AES-FIPS" (or just "RSA"/"AES" if FIPS isn't
needed). Since you can create direct TLS connections to the server, I
wouldn't worry about using E2EE. You might want to consider purchasing
an ECC license to try some internal load testing with tls(rsa) versus
tls(ecc) for performance reasons before you go ahead and deploy to your
client base.

Cheers,

--
Jeff Albion, Sybase iAnywhere, an SAP Company

iAnywhere Developer Community :
http://www.sybase.com/developer/library/sql-anywhere-techcorner
iAnywhere Documentation : http://www.ianywhere.com/developer/product_manuals
SQL Anywhere Patches and EBFs :
http://downloads.sybase.com/swd/summary.do?baseprod=144&client=ianywhere&timeframe=0
Report a Bug/Open a Case : http://case-express.sybase.com/cx/

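Jeff's question of what "efficient" means can be pinned down with measurements. The Go program below is an added example, not code from this thread or from Sybase/SAP; it profiles RSA-2048 against ECDSA on P-256 (the key sizes are my choice as roughly comparable security levels, and the signed message is constructed) and reports key-generation time, public-key and signature encoding sizes, and per-operation sign/verify times. It uses only Go's standard crypto packages, not the Certicom libraries SQL Anywhere ships, so it illustrates the algorithms rather than the product.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
	"time"
)

// KeyProfile collects the measurable properties of one signature key type.
// Timing fields vary by machine; the size fields are fixed by the algorithm.
type KeyProfile struct {
	Name          string
	KeyGen        time.Duration // time to generate one key pair
	PublicKeyDER  int           // bytes in the SubjectPublicKeyInfo (DER) encoding
	SignatureSize int           // bytes in one signature over a SHA-256 digest
	Sign          time.Duration // mean time per signing operation
	Verify        time.Duration // mean time per verification
	Verified      bool          // every signature verified with the public key
}

const iterations = 50

// Constructed sample message; only its SHA-256 digest is signed.
var digest = sha256.Sum256([]byte("constructed sample sync payload"))

// ProfileRSA generates an RSA key of the given size and measures
// PKCS#1 v1.5 signing and verification with it.
func ProfileRSA(bits int) (KeyProfile, error) {
	start := time.Now()
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return KeyProfile{}, err
	}
	p := KeyProfile{Name: fmt.Sprintf("RSA-%d", bits), KeyGen: time.Since(start), Verified: true}
	der, err := x509.MarshalPKIXPublicKey(&key.PublicKey)
	if err != nil {
		return KeyProfile{}, err
	}
	p.PublicKeyDER = len(der)

	var sig []byte
	start = time.Now()
	for i := 0; i < iterations; i++ {
		if sig, err = rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:]); err != nil {
			return KeyProfile{}, err
		}
	}
	p.Sign = time.Since(start) / iterations
	p.SignatureSize = len(sig)

	start = time.Now()
	for i := 0; i < iterations; i++ {
		if rsa.VerifyPKCS1v15(&key.PublicKey, crypto.SHA256, digest[:], sig) != nil {
			p.Verified = false
		}
	}
	p.Verify = time.Since(start) / iterations
	return p, nil
}

// ProfileECDSA does the same for an ECDSA key on the given curve, using
// ASN.1/DER-encoded signatures as X.509 certificates and TLS do.
func ProfileECDSA(curve elliptic.Curve) (KeyProfile, error) {
	start := time.Now()
	key, err := ecdsa.GenerateKey(curve, rand.Reader)
	if err != nil {
		return KeyProfile{}, err
	}
	p := KeyProfile{Name: "ECDSA-" + curve.Params().Name, KeyGen: time.Since(start), Verified: true}
	der, err := x509.MarshalPKIXPublicKey(&key.PublicKey)
	if err != nil {
		return KeyProfile{}, err
	}
	p.PublicKeyDER = len(der)

	var sig []byte
	start = time.Now()
	for i := 0; i < iterations; i++ {
		if sig, err = ecdsa.SignASN1(rand.Reader, key, digest[:]); err != nil {
			return KeyProfile{}, err
		}
	}
	p.Sign = time.Since(start) / iterations
	p.SignatureSize = len(sig)

	start = time.Now()
	for i := 0; i < iterations; i++ {
		if !ecdsa.VerifyASN1(&key.PublicKey, digest[:], sig) {
			p.Verified = false
		}
	}
	p.Verify = time.Since(start) / iterations
	return p, nil
}

// ProfileP256 profiles the NIST P-256 curve, the usual ECC choice for TLS.
func ProfileP256() (KeyProfile, error) { return ProfileECDSA(elliptic.P256()) }

func main() {
	for _, f := range []func() (KeyProfile, error){
		func() (KeyProfile, error) { return ProfileRSA(2048) }, ProfileP256} {
		p, err := f()
		if err != nil {
			fmt.Println("error:", err)
			return
		}
		fmt.Printf("%-12s keygen=%-12s pubDER=%3dB sig=%3dB sign=%-10s verify=%-10s ok=%v\n",
			p.Name, p.KeyGen, p.PublicKeyDER, p.SignatureSize, p.Sign, p.Verify, p.Verified)
	}
}
```

Timings depend on the machine, but the pattern is stable: ECC key generation and signing are much cheaper and its encodings are several times smaller, while RSA verification is the faster of the two verify operations. Which of these dominates a sync stream depends on how often the device performs a handshake versus how many bytes it moves, which is why a single "more efficient" verdict is hard to give.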

Shao Chan Posted on 2011-04-13 16:52:07.0Z
Reply-To: "Shao Chan" <nospam@nospam.com>
From: "Shao Chan" <nospam@nospam.com>
Newsgroups: sybase.public.sqlanywhere.ultralite
References: <4da5853f$1@forums-1-dub> <4da5cfe9$1@forums-1-dub>
Subject: Re: Encryption in 12.0.1.
Lines: 180
Organization: Civica
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2900.5931
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5994
X-RFC2646: Format=Flowed; Response
NNTP-Posting-Host: vip152.sybase.com
X-Original-NNTP-Posting-Host: vip152.sybase.com
Message-ID: <4da5d4b7@forums-1-dub>
Date: 13 Apr 2011 09:52:07 -0700
X-Trace: forums-1-dub 1302713527 10.22.241.152 (13 Apr 2011 09:52:07 -0700)
X-Original-Trace: 13 Apr 2011 09:52:07 -0700, vip152.sybase.com
Path: forums-1-dub!not-for-mail
Xref: forums-1-dub sybase.public.sqlanywhere.ultralite:12470
Article PK: 1048226

Hi Jeff,

Thanks for that.

My understanding of ECC being more efficient is partially from iAnywhere and
from internet papers. When I last looked into this, ECC took less resource
the more complex the encryption key - I can't remember exactly regarding
whether it is more efficient regarding stream size.

The UK Government has set out guidelines for councils. This is known as
Gov.Connect or Government Connect or Government Conduct of Connection (or
CoCo).

If you Google Government Connect and FIPS you will come across related
documents. Whilst FIPS may or may not be the standard the U.K. use,
nevertheless the FIPS 140-2 standard strength is the benchmark that is
talked about.

Here is an example of an interpretation of the CoCo requirements:
http://www.deslock.com/compliance_code_of_connection_coco_4.1.php
"The code of connection for these communities states that computers, laptops
and portable devices used for mobile / home working with data at rest or in
transit must be encrypted and that a CCTM approved or a FIPS-140-2 certified
product is acceptable for this. Policy guidance from CESG also recommends
the use of CCTM products combined with FIPS-140 cryptographic protection for
data considered as IL1 'Private' and IL2 'Protect'.
Approved to FIPS-140-2 and as a CCTM certified product DESlock+ Business
Desktop will meet the needs of those organisations who are, or wish to be
part of the GSC, GCSX and GSX communities operating with data up to IL2 and
occasional L3 ('Restricted')."

The problem I had last time we got customers to move to HTTPS and RSA was
that some customers found that performance was not acceptable and dropped
back to HTTPS only or TCP. Now our performance tests at the time were that
HTTPS with RSA on both 9.0.2. and 11.0.1. took 3 times longer to sync over
the air than standard TCP. Obviously our options open up a little more with
SQL Anywhere 12.0.1. especially in being able to run HTTPS with ECC -
however, if there is no mileage in that, then we'll need to look at other
options.

Because our customers can use APNs, whilst CoCo standards have to be adhered
to, i.e. Mobilink transmissions have to be encrypted even on a private APN,
we can change the protocol to tcp plus encryption. I would guess that in
this scenario, the encryption does not matter too much as it's the tcp > http
that adds the most overhead.

However, as devices and infrastructure have improved in the last year since we
got customers reverting back to basic tcp/http, we may find that moving
forward with encryption on HTTP may well perform better today.

Thanks,

Shao


Tim McClements [Sybase] Posted on 2011-04-13 19:33:50.0Z
From: "Tim McClements [Sybase]" <mcclemenXnospam@sybase.com>
Newsgroups: sybase.public.sqlanywhere.ultralite
References: <4da5853f$1@forums-1-dub> <4da5cfe9$1@forums-1-dub> <4da5d4b7@forums-1-dub>
Subject: Re: Encryption in 12.0.1.
Lines: 194
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2900.5931
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5994
X-RFC2646: Format=Flowed; Response
NNTP-Posting-Host: vip152.sybase.com
X-Original-NNTP-Posting-Host: vip152.sybase.com
Message-ID: <4da5fa9e$1@forums-1-dub>
Date: 13 Apr 2011 12:33:50 -0700
X-Trace: forums-1-dub 1302723230 10.22.241.152 (13 Apr 2011 12:33:50 -0700)
X-Original-Trace: 13 Apr 2011 12:33:50 -0700, vip152.sybase.com
X-Authenticated-User: techsupp
Path: forums-1-dub!not-for-mail
Xref: forums-1-dub sybase.public.sqlanywhere.ultralite:12474
Article PK: 1048289

Regarding HTTPS performance: we have found that HTTPS isn't significantly
slower than HTTP (or TCPIP), as long as you are using persistent
connections. What is costly with encrypted non-persistent HTTP is frequently
reestablishing the connection with an expensive TLS handshake each time.

Further, our network stack is much improved since v9.

- Tim

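Tim's point about persistent connections can be demonstrated locally. The Go program below is an added example, not code from this thread or from Sybase/SAP; it starts a throwaway HTTPS server on the loopback interface with Go's net/http/httptest (its self-signed test certificate and the "/sync" path are stand-ins for a MobiLink listener), issues the same number of sequential requests with and without keep-alives, and counts how many TLS handshakes the server had to perform. The handshake count, not the request count, is what drives the cost Tim describes.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"sync/atomic"
	"time"
)

// SyncResult summarises one simulated sync session against the local TLS server.
type SyncResult struct {
	Requests   int           // HTTP requests issued by the client
	Handshakes int64         // TLS handshakes the server had to perform
	Elapsed    time.Duration // wall-clock time for the whole session
}

// RunSyncSession starts a throwaway HTTPS server on loopback, sends n
// sequential GET requests and reports how many TLS handshakes the server
// saw. With persistent (keep-alive) connections the client reuses one
// TCP/TLS connection, so a single handshake serves every request; with
// keep-alives disabled each request re-establishes the connection and
// pays for a fresh handshake.
func RunSyncSession(persistent bool, n int) (SyncResult, error) {
	var handshakes int64

	// The handler stands in for a MobiLink listener: a tiny fixed response.
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "ok")
	}))
	// GetConfigForClient runs once per ClientHello, i.e. once per TLS
	// handshake. Returning (nil, nil) keeps the server's normal config.
	srv.TLS = &tls.Config{
		GetConfigForClient: func(*tls.ClientHelloInfo) (*tls.Config, error) {
			atomic.AddInt64(&handshakes, 1)
			return nil, nil
		},
	}
	srv.StartTLS()
	defer srv.Close()

	// srv.Client() already trusts the server's self-signed test certificate;
	// clone its transport so only the keep-alive behaviour differs.
	transport := srv.Client().Transport.(*http.Transport).Clone()
	transport.DisableKeepAlives = !persistent
	client := &http.Client{Transport: transport}

	start := time.Now()
	for i := 0; i < n; i++ {
		resp, err := client.Get(srv.URL + "/sync")
		if err != nil {
			return SyncResult{}, err
		}
		// Drain the body to EOF before closing: an undrained body cannot be
		// returned to the idle pool, which would silently defeat reuse.
		_, err = io.Copy(io.Discard, resp.Body)
		resp.Body.Close()
		if err != nil {
			return SyncResult{}, err
		}
	}
	elapsed := time.Since(start)
	transport.CloseIdleConnections()

	return SyncResult{Requests: n, Handshakes: atomic.LoadInt64(&handshakes), Elapsed: elapsed}, nil
}

func main() {
	for _, persistent := range []bool{true, false} {
		res, err := RunSyncSession(persistent, 20)
		if err != nil {
			fmt.Println("error:", err)
			return
		}
		fmt.Printf("persistent=%-5v requests=%d handshakes=%d elapsed=%s\n",
			persistent, res.Requests, res.Handshakes, res.Elapsed)
	}
}
```

Compare the two output lines: the persistent session completes every request over one TLS handshake, while the non-persistent session performs one handshake per request and its elapsed time grows with them. The same check can be pointed at a real sync server by replacing the httptest server with its URL and a transport that trusts its certificate.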

Shao Chan Posted on 2011-04-13 19:56:17.0Z
Reply-To: "Shao Chan" <nospam@nospam.com>
From: "Shao Chan" <nospam@nospam.com>
Newsgroups: sybase.public.sqlanywhere.ultralite
References: <4da5853f$1@forums-1-dub> <4da5cfe9$1@forums-1-dub> <4da5d4b7@forums-1-dub> <4da5fa9e$1@forums-1-dub>
Subject: Re: Encryption in 12.0.1.
Lines: 236
Organization: Civica
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2900.5931
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2900.5994
X-RFC2646: Format=Flowed; Response
NNTP-Posting-Host: vip152.sybase.com
X-Original-NNTP-Posting-Host: vip152.sybase.com
Message-ID: <4da5ffe1@forums-1-dub>
Date: 13 Apr 2011 12:56:17 -0700
X-Trace: forums-1-dub 1302724577 10.22.241.152 (13 Apr 2011 12:56:17 -0700)
X-Original-Trace: 13 Apr 2011 12:56:17 -0700, vip152.sybase.com
Path: forums-1-dub!not-for-mail
Xref: forums-1-dub sybase.public.sqlanywhere.ultralite:12478
Article PK: 1048291

Hi Tim,

Thanks for that. Whilst we did testing in 11.0.1., it was never rolled out
to live environments and so although we have test results mainly based on
synchronisation times, I guess we didn't get complete and reliable data with
a live site.

We expect to be rolling out 12.0.1. in about 3 months if all goes well and
this time round, customers will be testing this in test and live
environments with improved hardware, software and infrastructure and so I am
optimistic that things will be fine this time round.

I am unsure of how many connections a mobilink sync uses, but within our
M-Biz client, we simply hit the Sync button which calls the ultralite to
sync given a set of connection details. Under the bonnet, I don't know how
many times it needs to re-establish connection.

The only major application changes this time around that I can see affecting
performance is that:
1) There are more tables in the main publication as the application has
grown.
2) We make use of the camera on the PDA so a few jpeg images stored in BLOBs
are transmitted.
None of the customer devices are likely to support HSUPA at present and so
we expect to see some synchronisations to be a bit slower, but how much
effect HTTP and encryption will have, I don't know. We'll be doing a fair
amount of testing.

Thanks,

Shao
>>>> - Database using FIPS
>>>
>>> Yes, but this would be expensive from a licensing perspective...?
>>>
>>>> 6) ECC is 12.0.1. can run over tls and https (in version 9.0.2. can
>>>> only run
>>>> over tls)?
>>>
>>> Yes, this was a new feature for version 10.0.0:
>>> http://dcx.sybase.com/index.html#1001/en/dbwnen10/wn-newjasper-s-5619987.html
>>>
>>>> 7) Can FIPS run over tls?
>>>
>>> Yes:
>>> http://dcx.sybase.com/index.html#1201/en/mlserver/ml-syncserver-x.html
>>>
>>>> 8) In the U.K. councils are moving to the Government Connect compliancy.
>>>> This
>>>> requires all remote devices to be secure and encrypted (on both device
>>>> and
>>>> data transmissions). However, performance has been an issue in the
>>>> past and
>>>> councils use an APN so that the mobilink stream does not need to be
>>>> encrypted and neither then does it need to be http traffic as firewall
>>>> issues are bypassed.
>>>> However, the device database needs to be secure and as well as data
>>>> transmissions even if going over an APN.
>>>> The way I see it is that because we can still bypass the firewall with
>>>> a
>>>> direct APN connection, then we can still use tls.
>>>> So buying a FIPS licence and using it for database encryption and FIPS
>>>> over
>>>> tls would be the more obvious way forward.
>>>> If performance is a problem for any reason, I would have to buy a
>>>> second
>>>> licence and change the FIPS transmission to ECC and keep the database
>>>> on
>>>> FIPS right?
>>>> Any other suggestions?
>>>
>>> I am confused; FIPS 140-2 is a U.S. Federal standard (also adhered to by
>>> the Communications Security Establishment (CSE) in Canada). I am not
>>> aware of U.K. agencies requiring "FIPS"-specific certification of
>>> modules, considering that the U.K. runs a separate certification
>>> program, the CESG Assisted Products Service (CAPS):
>>>
>>> http://www.cesg.gov.uk/products_services/iacs/caps/index.shtml
>>>
>>> ... so, are FIPS cryptographic modules recognized by this U.K.
>>> certification program as well?
>>>
>>> ---
>>>
>>> Otherwise, this sounds like a reasonable approach; I would try to keep
>>> everything as "RSA-FIPS"/"AES-FIPS" (or just "RSA"/"AES" if FIPS isn't
>>> needed). Since you can create direct TLS connections to the server, I
>>> wouldn't worry about using E2EE. You might want to consider purchasing
>>> an ECC license to try some internal load testing with tls(rsa) versus
>>> tls(ecc) for performance reasons before you go ahead and deploy to your
>>> client base.
>>>
>>> Cheers,
>>>
>>> --
>>> Jeff Albion, Sybase iAnywhere, an SAP Company
>>>
>>> iAnywhere Developer Community :
>>> http://www.sybase.com/developer/library/sql-anywhere-techcorner
>>> iAnywhere Documentation :
>>> http://www.ianywhere.com/developer/product_manuals
>>> SQL Anywhere Patches and EBFs :
>>> http://downloads.sybase.com/swd/summary.do?baseprod=144&client=ianywhere&timeframe=0
>>> Report a Bug/Open a Case : http://case-express.sybase.com/cx/


Tim McClements [Sybase] Posted on 2011-04-14 16:53:19.0Z
From: "Tim McClements [Sybase]" <mcclemenXnospam@sybase.com>
Newsgroups: sybase.public.sqlanywhere.ultralite
References: <4da5853f$1@forums-1-dub> <4da5cfe9$1@forums-1-dub> <4da5d4b7@forums-1-dub> <4da5fa9e$1@forums-1-dub> <4da5ffe1@forums-1-dub>
Subject: Re: Encryption in 12.0.1.
Lines: 256
Message-ID: <4da7267f$1@forums-1-dub>
Date: 14 Apr 2011 09:53:19 -0700
Article PK: 1048246

Well, let us know how it goes :-)

Whether HTTP uses a persistent connection or not is a stream option. The old
default was non-persistent (i.e., slow, but more gentle on web servers
etc.). With v12 I think it's persistent by default now, and can downgrade to
non-persistent automatically if there are problems with intermediary
servers.

You can also experiment with the effect of compression on sync performance
by using the compression=zlib stream option.

- Tim

"Shao Chan" <nospam@nospam.com> wrote in message
news:4da5ffe1@forums-1-dub...
> Hi Tim,
>
> Thanks for that. Whilst we did testing in 11.0.1. it was never rolled out
> to live environments and so although we have test results mainly based on
> synchronisation times, I guess we didn't get complete and reliable data
> with a live site.
>
> We expect to be rolling out 12.0.1. in about 3 months if all goes well and
> this time round, customers will be testing this in test and live
> environments with improved hardware, software and infrastructure and so I
> am optimistic that things will be fine this time round.
>
> I am unsure of how many connections a mobilink sync uses, but within our
> M-Biz client, we simply hit the Sync button which calls the ultralite to
> sync given a set of connection details. Under the bonnet, I don't know
> how many times it needs to re-establish connection.
>
> The only major application changes this time around that I can see
> affecting performance are that:
> 1) There are more tables in the main publication as the application has
> grown.
> 2) We make use of the camera on the PDA so a few jpeg images stored in
> BLOBs are transmitted.
> None of the customer devices are likely to support HSUPA at present and so
> we expect some synchronisations to be a bit slower, but how much
> effect HTTP and encryption will have, I don't know. We'll be doing a fair
> amount of testing.
>
> Thanks,
>
> Shao
>
>
>
> "Tim McClements [Sybase]" <mcclemenXnospam@sybase.com> wrote in message
> news:4da5fa9e$1@forums-1-dub...
>> Regarding HTTPS performance: we have found that HTTPS isn't significantly
>> slower than HTTP (or TCPIP), as long as you are using persistent
>> connections. What is costly with encrypted non-persistent HTTP is
>> frequently reestablishing the connection with an expensive TLS handshake
>> each time.
>>
>> Further, our network stack is much improved since v9.
>>
>> - Tim
>>
>> "Shao Chan" <nospam@nospam.com> wrote in message
>> news:4da5d4b7@forums-1-dub...
>>> Hi Jeff,
>>>
>>> Thanks for that.
>>>
>>> My understanding of ECC being more efficient is partially from iAnywhere
>>> and from internet papers. When I last looked into this, ECC took less
>>> resource the more complex the encryption key - I can't remember exactly
>>> regarding whether it is more efficient regarding stream size.
>>>
>>> The UK Government has set out guidelines for councils. This is known as
>>> Gov.Connect or Government Connect or Government Conduct of Connection
>>> (or CoCo).
>>>
>>> If you Google Government Connect and FIPS you will come across related
>>> documents. Whilst FIPS may or may not be the standard the U.K. use,
>>> nevertheless the FIPS 140-2 standard strength is the benchmark that is
>>> talked about.
>>>
>>> Here is an example of an interpretation of the CoCo requirements:
>>> http://www.deslock.com/compliance_code_of_connection_coco_4.1.php
>>> "The code of connection for these communities states that computers,
>>> laptops and portable devices used for mobile / home working with data at
>>> rest or in transit must be encrypted and that a CCTM approved or a
>>> FIPS-140-2 certified product is acceptable for this. Policy guidance
>>> from CESG also recommends the use of CCTM products combined with
>>> FIPS-140 cryptographic protection for data considered as IL1 'Private'
>>> and IL2 'Protect'.
>>> Approved to FIPS-140-2 and as a CCTM certified product DESlock+ Business
>>> Desktop will meet the needs of those organisations who are, or wish to
>>> be part of the GSC, GCSX and GSX communities operating with data up to
>>> IL2 and occasional L3 ('Restricted')."
>>>
>>> The problem I had last time we got customers to move to HTTPS and RSA
>>> was that some customers found that performance was not acceptable and
>>> dropped back to HTTPS only or TCP. Now our performance tests at the
>>> time were that HTTPS with RSA on both 9.0.2. and 11.0.1. took 3 times
>>> longer to sync over the air than standard TCP. Obviously our options
>>> open up a little more with SQL Anywhere 12.0.1. especially in being able
>>> to run HTTPS with ECC - however, if there is no mileage in that, then
>>> we'll need to look at other options.
>>>
>>> Because our customers can use APNs, whilst CoCo standards have to be
>>> adhered to, i.e. Mobilink transmissions have to be encrypted even on a
>>> private APN, we can change the protocol to tcp plus encryption. I would
>>> guess that in this scenario, the encryption does not matter too much as
>>> it's the tcp > http that adds the most overhead.
>>>
>>> However, as device and infrastructure have improved in the last year
>>> since we got customers reverting back to basic tcp/http, we may find
>>> that moving forward with encryption on HTTP may well perform better
>>> today.
>>>
>>> Thanks,
>>>
>>> Shao
>>>


Shao Chan Posted on 2011-04-14 17:57:07.0Z
Reply-To: "Shao Chan" <nospam@nospam.com>
From: "Shao Chan" <nospam@nospam.com>
Newsgroups: sybase.public.sqlanywhere.ultralite
References: <4da5853f$1@forums-1-dub> <4da5cfe9$1@forums-1-dub> <4da5d4b7@forums-1-dub> <4da5fa9e$1@forums-1-dub> <4da5ffe1@forums-1-dub> <4da7267f$1@forums-1-dub>
Subject: Re: Encryption in 12.0.1.
Lines: 272
Organization: Civica
Message-ID: <4da73573@forums-1-dub>
Date: 14 Apr 2011 10:57:07 -0700
Article PK: 1048243

Thanks Tim.

We've already put the zlib compression into it - I need to refamiliarise
myself with it, as I put it into 11.0.1. which was not released, but I
ported it to 12.0.1. (I don't recall needing to make any changes).

Cheers,

Shao

"Tim McClements [Sybase]" <mcclemenXnospam@sybase.com> wrote in message
news:4da7267f$1@forums-1-dub...
> Well, let us know how it goes :-)
>
> Whether HTTP uses a persistent connection or not is a stream option. The
> old default was non-persistent (i.e., slow, but more gentle on web servers
> etc.). With v12 I think it's persistent by default now, and can downgrade
> to non-persistent automatically if there are problems with intermediary
> servers.
>
> You can also experiment with the effect of compression on sync performance
> by using the compression=zlib stream option.
>
> - Tim
>


Tim McClements [Sybase] Posted on 2011-04-13 19:25:52.0Z
From: "Tim McClements [Sybase]" <mcclemenXnospam@sybase.com>
Newsgroups: sybase.public.sqlanywhere.ultralite
References: <4da5853f$1@forums-1-dub> <4da5cfe9$1@forums-1-dub>
Subject: Re: Encryption in 12.0.1.
Lines: 55
Message-ID: <4da5f8c0$1@forums-1-dub>
Date: 13 Apr 2011 12:25:52 -0700
Article PK: 1048282

Further information below... - Tim

"Jeff Albion [Sybase iAnywhere]" <firstname.lastname@sybase.com> wrote in
message news:4da5cfe9$1@forums-1-dub...
> Hello Shao,
>
> On 13/04/2011 7:13 AM, Shao Chan wrote:
>> 1) ECC is more efficient than RSA and RSA FIPS?
>
> "Efficient" in which ways...? Memory usage? Number of mathematical
> operations to generate keys? Time to break the key? Size of key strength
> versus encryption strength...?
>
> You will probably find that there are a "few" opinions on this subject and
> the important factors of this comparison will depend on personal
> preference. I would say that depending on which platform(s) you're
> intending to support, this would help dictate which type of certificate to
> use:
>
> http://www.sybase.com/detail?id=1091125#UL

In theory, ECC is smaller (memory) and faster. However, with typical key
sizes (1-2k for RSA) we don't think you'll see a significant difference.

>> 4) If I buy a FIPS licence I can encrypt both database and mobilink and
>> mobilink endtoend?
>
> MobiLink end-to-end encryption (E2EE) does not use "FIPS" specific keys;
> it can generate "RSA" (or "ECC") based keys, based on the licensing
> available to the product.
>
> Also, the database communication encryption (e.g. "ENC=") can use
> RSA/RSA-FIPS and ECC technology.

The short answer is yes: FIPS can apply to all with the one license.

>> 5) I can mix and match with multiple licenses, e.g.
>> - Mobilink Sync using RSA
>> - Mobilink End To End using ECC
>> - Database using FIPS
>
> Yes, but this would be expensive from a licensing perspective...?

We expect that you'd use the same encryption scheme in all places - and this
is what we primarily test.

>> 7) Can FIPS run over tls?
>
> Yes:
> http://dcx.sybase.com/index.html#1201/en/mlserver/ml-syncserver-x.html

(Note that FIPS doesn't run _over_ TLS... FIPS means you are using a
certified _implementation_ of RSA TLS.)
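
An added example (not code from this thread, nor from SQL Anywhere or MobiLink) that reviews a sync stream specification for the points raised in Tim's two replies: clear-text transport on a private APN, a FIPS-certified module where the code of connection demands one, the TLS handshake paid on every request by non-persistent HTTPS, and the compression=zlib option. It assumes a stream(name=value;...) form and the option names tls_type, fips and persistent (the thread only names compression=zlib); all sample strings and hostnames are constructed.

```python
"""Review a MobiLink-style sync stream specification.

Added example; the stream(name=value;...) form and the option names
tls_type, fips and persistent are assumptions. compression=zlib is the
one option named in the thread. Sample strings below are constructed.
"""
import re
from dataclasses import dataclass

ENCRYPTED_STREAMS = {"tls", "https"}
YES_VALUES = {"yes", "y", "1", "true", "on"}
NO_VALUES = {"no", "n", "0", "false", "off"}


@dataclass
class StreamSpec:
    stream: str    # transport: tcpip, http, tls or https
    options: dict  # option name (lower-cased) -> value


def parse_stream(spec_text: str) -> StreamSpec:
    """Parse 'stream(name=value;name=value)'; a bare stream name is accepted."""
    m = re.fullmatch(r"\s*([A-Za-z]+)\s*(?:\((.*)\))?\s*", spec_text, re.S)
    if not m:
        raise ValueError("malformed stream specification: %r" % spec_text)
    options = {}
    for part in (m.group(2) or "").split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError("option without a value: %r" % part)
        name, value = part.split("=", 1)
        options[name.strip().lower()] = value.strip()
    return StreamSpec(m.group(1).lower(), options)


def tls_handshakes_per_sync(spec: StreamSpec, requests_per_sync: int) -> int:
    """Full TLS handshakes one synchronisation pays for under this transport.

    A tls stream is a single connection for the whole sync. Non-persistent
    HTTPS reconnects, and so re-handshakes, on every request; persistent
    HTTPS (or the option left unset, reported in the thread as the v12
    default) handshakes once.
    """
    if spec.stream == "tls":
        return 1
    if spec.stream == "https":
        persistent = spec.options.get("persistent", "").lower()
        return requests_per_sync if persistent in NO_VALUES else 1
    return 0  # tcpip / http carry no TLS at all


def review_stream(spec_text: str, require_fips: bool = False,
                  requests_per_sync: int = 20) -> list:
    """Return (severity, message) findings for a stream spec, worst first."""
    spec = parse_stream(spec_text)
    findings = []
    encrypted = spec.stream in ENCRYPTED_STREAMS
    if not encrypted:
        findings.append(("HIGH", "%s carries the sync stream in the clear; the code "
                         "of connection wants encryption even on a private APN"
                         % spec.stream))
    fips_on = spec.options.get("fips", "").lower() in YES_VALUES
    if require_fips and not (encrypted and fips_on):
        findings.append(("HIGH", "a FIPS-certified module is required but fips=y "
                         "is not set on an encrypted stream"))
    tls_type = spec.options.get("tls_type", "").lower()
    if encrypted and tls_type not in ("", "rsa", "ecc"):
        findings.append(("HIGH", "unknown tls_type %r; expected rsa or ecc" % tls_type))
    if spec.stream in ("http", "https"):
        persistent = spec.options.get("persistent", "").lower()
        if persistent in NO_VALUES and spec.stream == "https":
            findings.append(("MEDIUM", "non-persistent HTTPS re-handshakes on every "
                             "request: %d TLS handshakes per sync; set persistent=yes"
                             % tls_handshakes_per_sync(spec, requests_per_sync)))
        elif persistent in NO_VALUES:
            findings.append(("LOW", "non-persistent HTTP reconnects on every request"))
        elif persistent == "":
            findings.append(("INFO", "persistent is not set; the default changed "
                             "between versions, so set it explicitly"))
    if "compression" not in spec.options:
        findings.append(("INFO", "no compression option; compression=zlib is worth "
                         "measuring for over-the-air sync time"))
    order = {"HIGH": 0, "MEDIUM": 1, "LOW": 2, "INFO": 3}
    return sorted(findings, key=lambda f: order[f[0]])


# Constructed sample specifications; hostnames are placeholders.
SAMPLES = {
    "clear tcpip on an APN": "tcpip(host=ml.example.invalid;port=2439)",
    "https, non-persistent": "https(host=ml.example.invalid;port=443;"
                             "tls_type=rsa;persistent=no)",
    "tls rsa-fips, zlib": "tls(host=ml.example.invalid;port=2439;tls_type=rsa;"
                          "fips=y;compression=zlib)",
}

if __name__ == "__main__":
    for label, spec_text in SAMPLES.items():
        print(label)
        for severity, message in review_stream(spec_text, require_fips=True) or \
                [("OK", "no findings")]:
            print("  [%s] %s" % (severity, message))
```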


Shao Chan Posted on 2011-04-13 19:47:37.0Z
Reply-To: "Shao Chan" <nospam@nospam.com>
From: "Shao Chan" <nospam@nospam.com>
Newsgroups: sybase.public.sqlanywhere.ultralite
References: <4da5853f$1@forums-1-dub> <4da5cfe9$1@forums-1-dub> <4da5f8c0$1@forums-1-dub>
Subject: Re: Encryption in 12.0.1.
Lines: 76
Organization: Civica
Message-ID: <4da5fdd9@forums-1-dub>
Date: 13 Apr 2011 12:47:37 -0700
X-Trace: forums-1-dub 1302724057 10.22.241.152 (13 Apr 2011 12:47:37 -0700)
X-Original-Trace: 13 Apr 2011 12:47:37 -0700, vip152.sybase.com
Path: forums-1-dub!not-for-mail
Xref: forums-1-dub sybase.public.sqlanywhere.ultralite:12477
Article PK: 1048288

Hi Tim,

Thanks for that additional response to Jeff's post especially the bit about
key sizes being small in our context such that the difference would be
negligible in the grand scheme of things.

I think we'll look at FIPS all the way.

The Gov.Connect policy has been around for a while, but I think that
councils will be making a big effort for compliance this year and we need to
know our options.

Thanks,

Shao

"Tim McClements [Sybase]" <mcclemenXnospam@sybase.com> wrote in message
news:4da5f8c0$1@forums-1-dub...
> Further information below... - Tim
>
> "Jeff Albion [Sybase iAnywhere]" <firstname.lastname@sybase.com> wrote in
> message news:4da5cfe9$1@forums-1-dub...
>> Hello Shao,
>>
>> On 13/04/2011 7:13 AM, Shao Chan wrote:
>>> 1) ECC is more efficient than RSA and RSA FIPS?
>>
>> "Efficient" in which ways...? Memory usage? Number of mathematical
>> operations to generate keys? Time to break the key? Size of key strength
>> versus encryption strength...?
>>
>> You will probably find that there are a "few" opinions on this subject
>> and the important factors of this comparison will depend on personal
>> preference. I would say that depending on which platform(s) you're
>> intending to support, this would help dictate which type of certificate
>> to use:
>>
>> http://www.sybase.com/detail?id=1091125#UL
>
> In theory, ECC is smaller (memory) and faster. However, with typical key
> sizes (1-2k for RSA) we don't think you'll see a significant difference.
>
>>> 4) If I buy a FIPS licence I can encrypt both database and mobilink and
>>> mobilink endtoend?
>>
>> MobiLink end-to-end encryption (E2EE) does not use "FIPS" specific keys;
>> it can generate "RSA" (or "ECC") based keys, based on the licensing
>> available to the product.
>>
>> Also, the database communication encryption (e.g. "ENC=") can use
>> RSA/RSA-FIPS and ECC technology.
>
> The short answer is yes: FIPS can apply to all with the one license.
>
>>> 5) I can mix and match with multiple licenses, e.g.
>>> - Mobilink Sync using RSA
>>> - Mobilink End To End using ECC
>>> - Database using FIPS
>>
>> Yes, but this would be expensive from a licensing perspective...?
>
> We expect that you'd use the same encryption scheme in all places - and
> this is what we primarily test.
>
>>> 7) Can FIPS run over tls?
>>
>> Yes:
>> http://dcx.sybase.com/index.html#1201/en/mlserver/ml-syncserver-x.html
>
> (Note that FIPS doesn't run _over_ TLS... FIPS means you are using a
> certified _implementation_ of RSA TLS.)
>
>


Tim McClements [Sybase] Posted on 2011-04-13 20:29:16.0Z
From: "Tim McClements [Sybase]" <mcclemenXnospam@sybase.com>
Newsgroups: sybase.public.sqlanywhere.ultralite
References: <4da5853f$1@forums-1-dub> <4da5cfe9$1@forums-1-dub> <4da5f8c0$1@forums-1-dub> <4da5fdd9@forums-1-dub>
Subject: Re: Encryption in 12.0.1.
Lines: 84
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2900.5931
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5994
X-RFC2646: Format=Flowed; Response
NNTP-Posting-Host: vip152.sybase.com
X-Original-NNTP-Posting-Host: vip152.sybase.com
Message-ID: <4da6079c@forums-1-dub>
Date: 13 Apr 2011 13:29:16 -0700
X-Trace: forums-1-dub 1302726556 10.22.241.152 (13 Apr 2011 13:29:16 -0700)
X-Original-Trace: 13 Apr 2011 13:29:16 -0700, vip152.sybase.com
X-Authenticated-User: techsupp
Path: forums-1-dub!not-for-mail
Xref: forums-1-dub sybase.public.sqlanywhere.ultralite:12479
Article PK: 1048293

Note that we don't have FIPS on Android right now...

- Tim

"Shao Chan" <nospam@nospam.com> wrote in message
news:4da5fdd9@forums-1-dub...
> Hi Tim,
>
> Thanks for that additional response to Jeff's post especially the bit
> about key sizes being small in our context such that the difference would
> be negligible in the grand scheme of things.
>
> I think we'll look at FIPS all the way.
>
> The Gov.Connect policy has been around for a while, but I think that
> councils will be making a big effort for compliance this year and we need
> to know our options.
>
> Thanks,
>
> Shao
>
>
> "Tim McClements [Sybase]" <mcclemenXnospam@sybase.com> wrote in message
> news:4da5f8c0$1@forums-1-dub...
>> Further information below... - Tim
>>
>> "Jeff Albion [Sybase iAnywhere]" <firstname.lastname@sybase.com> wrote in
>> message news:4da5cfe9$1@forums-1-dub...
>>> Hello Shao,
>>>
>>> On 13/04/2011 7:13 AM, Shao Chan wrote:
>>>> 1) ECC is more efficient than RSA and RSA FIPS?
>>>
>>> "Efficient" in which ways...? Memory usage? Number of mathematical
>>> operations to generate keys? Time to break the key? Size of key strength
>>> versus encryption strength...?
>>>
>>> You will probably find that there are a "few" opinions on this subject
>>> and the important factors of this comparison will depend on personal
>>> preference. I would say that depending on which platform(s) you're
>>> intending to support, this would help dictate which type of certificate
>>> to use:
>>>
>>> http://www.sybase.com/detail?id=1091125#UL
>>
>> In theory, ECC is smaller (memory) and faster. However, with typical key
>> sizes (1-2k for RSA) we don't think you'll see a significant difference.
>>
>>>> 4) If I buy a FIPS licence I can encrypt both database and mobilink and
>>>> mobilink endtoend?
>>>
>>> MobiLink end-to-end encryption (E2EE) does not use "FIPS" specific keys;
>>> it can generate "RSA" (or "ECC") based keys, based on the licensing
>>> available to the product.
>>>
>>> Also, the database communication encryption (e.g. "ENC=") can use
>>> RSA/RSA-FIPS and ECC technology.
>>
>> The short answer is yes: FIPS can apply to all with the one license.
>>
>>>> 5) I can mix and match with multiple licenses, e.g.
>>>> - Mobilink Sync using RSA
>>>> - Mobilink End To End using ECC
>>>> - Database using FIPS
>>>
>>> Yes, but this would be expensive from a licensing perspective...?
>>
>> We expect that you'd use the same encryption scheme in all places - and
>> this is what we primarily test.
>>
>>>> 7) Can FIPS run over tls?
>>>
>>> Yes:
>>> http://dcx.sybase.com/index.html#1201/en/mlserver/ml-syncserver-x.html
>>
>> (Note that FIPS doesn't run _over_ TLS... FIPS means you are using a
>> certified _implementation_ of RSA TLS.)
>>
>>
>
>


Shao Chan Posted on 2011-04-14 06:40:34.0Z
Reply-To: "Shao Chan" <nospam@nospam.com>
From: "Shao Chan" <nospam@nospam.com>
Newsgroups: sybase.public.sqlanywhere.ultralite
References: <4da5853f$1@forums-1-dub> <4da5cfe9$1@forums-1-dub> <4da5f8c0$1@forums-1-dub> <4da5fdd9@forums-1-dub> <4da6079c@forums-1-dub>
Subject: Re: Encryption in 12.0.1.
Lines: 98
Organization: Civica
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2900.5931
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5994
X-RFC2646: Format=Flowed; Response
NNTP-Posting-Host: vip152.sybase.com
X-Original-NNTP-Posting-Host: vip152.sybase.com
Message-ID: <4da696e2$1@forums-1-dub>
Date: 13 Apr 2011 23:40:34 -0700
X-Trace: forums-1-dub 1302763234 10.22.241.152 (13 Apr 2011 23:40:34 -0700)
X-Original-Trace: 13 Apr 2011 23:40:34 -0700, vip152.sybase.com
Path: forums-1-dub!not-for-mail
Xref: forums-1-dub sybase.public.sqlanywhere.ultralite:12480
Article PK: 1048292

Ah - good point to know.

Is this something likely to be resolved within 18 months?

Thanks.

Shao

"Tim McClements [Sybase]" <mcclemenXnospam@sybase.com> wrote in message
news:4da6079c@forums-1-dub...
> Note that we don't have FIPS on Android right now...
>
> - Tim
>
> "Shao Chan" <nospam@nospam.com> wrote in message
> news:4da5fdd9@forums-1-dub...
>> Hi Tim,
>>
>> Thanks for that additional response to Jeff's post especially the bit
>> about key sizes being small in our context such that the difference would
>> be negligible in the grand scheme of things.
>>
>> I think we'll look at FIPS all the way.
>>
>> The Gov.Connect policy has been around for a while, but I think that
>> councils will be making a big effort for compliance this year and we need
>> to know our options.
>>
>> Thanks,
>>
>> Shao
>>
>>
>> "Tim McClements [Sybase]" <mcclemenXnospam@sybase.com> wrote in message
>> news:4da5f8c0$1@forums-1-dub...
>>> Further information below... - Tim
>>>
>>> "Jeff Albion [Sybase iAnywhere]" <firstname.lastname@sybase.com> wrote
>>> in message news:4da5cfe9$1@forums-1-dub...
>>>> Hello Shao,
>>>>
>>>> On 13/04/2011 7:13 AM, Shao Chan wrote:
>>>>> 1) ECC is more efficient than RSA and RSA FIPS?
>>>>
>>>> "Efficient" in which ways...? Memory usage? Number of mathematical
>>>> operations to generate keys? Time to break the key? Size of key
>>>> strength versus encryption strength...?
>>>>
>>>> You will probably find that there are a "few" opinions on this subject
>>>> and the important factors of this comparison will depend on personal
>>>> preference. I would say that depending on which platform(s) you're
>>>> intending to support, this would help dictate which type of certificate
>>>> to use:
>>>>
>>>> http://www.sybase.com/detail?id=1091125#UL
>>>
>>> In theory, ECC is smaller (memory) and faster. However, with typical key
>>> sizes (1-2k for RSA) we don't think you'll see a significant difference.
>>>
>>>>> 4) If I buy a FIPS licence I can encrypt both database and mobilink
>>>>> and
>>>>> mobilink endtoend?
>>>>
>>>> MobiLink end-to-end encryption (E2EE) does not use "FIPS" specific
>>>> keys; it can generate "RSA" (or "ECC") based keys, based on the
>>>> licensing available to the product.
>>>>
>>>> Also, the database communication encryption (e.g. "ENC=") can use
>>>> RSA/RSA-FIPS and ECC technology.
>>>
>>> The short answer is yes: FIPS can apply to all with the one license.
>>>
>>>>> 5) I can mix and match with multiple licenses, e.g.
>>>>> - Mobilink Sync using RSA
>>>>> - Mobilink End To End using ECC
>>>>> - Database using FIPS
>>>>
>>>> Yes, but this would be expensive from a licensing perspective...?
>>>
>>> We expect that you'd use the same encryption scheme in all places - and
>>> this is what we primarily test.
>>>
>>>>> 7) Can FIPS run over tls?
>>>>
>>>> Yes:
>>>> http://dcx.sybase.com/index.html#1201/en/mlserver/ml-syncserver-x.html
>>>
>>> (Note that FIPS doesn't run _over_ TLS... FIPS means you are using a
>>> certified _implementation_ of RSA TLS.)
>>>
>>>
>>
>>
>
>