
Proper random number/bytes in SAP ABAP

phil_soady
Participant
0 Kudos

There are classes like CL_ABAP_RANDOM and some even more amusing functions called QF05_random_int, but all are pseudo-random number generators.

Given SAP has a serious encryption library, I was hoping that a cryptographically secure random byte generator might be available to call.

Any ideas on how to get a random byte stream in ABAP?

One that a security expert won't cry at.

1 ACCEPTED SOLUTION

JaySchwendemann
Active Contributor
0 Kudos

Funny thing. I myself was looking for a more "secure" random number generator than "CL_ABAP_RANDOM".

My use case would be generating security codes for vouchers we issue from our system. While we take measures that we'd only accept vouchers that we actually issued ourselves, I, from an IT point of view, would love to see a more "secure" implementation than the above-discussed built-in classes or FMs.

After some research I found this note http://service.sap.com/sap/support/notes/1410548 which mentions a kernel-implemented "random number generator" that is touted to be secure and could be used to "secure communication".

The name of the FM is "GENERATE_SEC_RANDOM". Maybe this will suit your (and my) needs.

Cheers

Jens
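The voucher-code use case from the answer above, as an added example that is not part of the original thread: it turns a random byte stream into a code by rejection sampling (no modulo bias) and shows why a seeded pseudo-random source is reproducible. It is written in Python rather than ABAP; the alphabet, the function names and the use of `secrets.token_bytes` as a stand-in for a CSPRNG byte source are assumptions of this example.

```python
import math
import random
import secrets

# Constructed alphabet: 32 symbols, ambiguous characters (0/O, 1/I) left out.
ALPHABET = "23456789ABCDEFGHJKLMNPQRSTUVWXYZ"


def code_from_bytes(read_bytes, length=12, alphabet=ALPHABET):
    """Map a random byte stream to a code without modulo bias.

    read_bytes(n) must return n random bytes; for security codes it has to
    be backed by a CSPRNG. Bytes at or above the largest multiple of
    len(alphabet) that fits in 256 are rejected instead of folded with '%'.
    """
    n = len(alphabet)
    if not 2 <= n <= 256:
        raise ValueError("alphabet must have 2..256 symbols")
    limit = 256 - (256 % n)          # accept only bytes < limit
    out = []
    while len(out) < length:
        for b in read_bytes(length - len(out)):
            if b < limit:
                out.append(alphabet[b % n])
    return "".join(out)


def entropy_bits(length, alphabet=ALPHABET):
    """Search space of a code in bits, assuming uniform independent symbols."""
    return length * math.log2(len(alphabet))


def seeded_prng_reader(seed):
    """Non-cryptographic source: same seed, same 'random' bytes."""
    rng = random.Random(seed)
    return lambda k: bytes(rng.getrandbits(8) for _ in range(k))


if __name__ == "__main__":
    # Seeded PRNG: whoever learns or guesses the seed regenerates the code.
    print(code_from_bytes(seeded_prng_reader(1234)))
    print(code_from_bytes(seeded_prng_reader(1234)))
    # OS CSPRNG: the role a kernel-backed generator plays on the ABAP side.
    print(code_from_bytes(secrets.token_bytes))
    print(f"{entropy_bits(12):.0f} bits")
```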

8 REPLIES 8

ŁukaszPęgiel
Contributor
0 Kudos

Have you checked if cl_system_uuid or FM guid_create suits your needs?

0 Kudos

Unfortunately not. Unique is very different to random. Indeed the SAP GUID cl_system_uuid is a poor GUID implementation. It isn't evenly spread. Unique, but that's all. Being evenly spread and unique is a good GUID. Check GUIDs on your SAP system, you will notice that the first 4-6 digits are common most likely. In other words, the opposite of random. And poor for keys in large tables.

The weakness in SAP GUID is why BANK_DISTRIBUTED_ID_CREATE was created.


No, GUIDs are predictable and not suitable in cryptography.

Accessing the SAP crypto library remains the heart of the question.

But thanks for trying...

0 Kudos

Phil Soady wrote:

Unfortunately not. Unique is very different to random. Indeed the SAP GUID cl_system_uuid is a poor GUID implementation.

True, I mixed them.

And what about calling a system command to generate random then?

matt
Active Contributor

Von Neumann said "Any one who considers arithmetical methods of producing random digits is, of course, in a state of sin." Just thought I'd mention it, since I kind of like that quote!

All random number generators, unless connected to a random source like a lump of uranium, are necessarily pseudo, aren't they? So what you're looking for would be a CSPRNG, not a CSRNG?

HANA offers RAND_SECURE() which is cryptographically secure, but I don't know of one directly accessible from ABAP.

0 Kudos

Yes, without quantum fluctuations to provide entropy, I'm happy to have a decent CSPRNG.

Nice quote.... So I'm a sinner. What's new?

I don't have a HANA system. I wonder what rand_secure does?

SAP must have a decent CSPRNG inside sapcryptolib. Just need them to expose it.

0 Kudos

Perfect, Jens.

Looks like it was bundled with SSF and XML docs.

0 Kudos

Great, glad to be of some help.