06-13-2016 5:09 PM
There are classes like CL_ABAP_RANDOM and some even more amusing functions called QF05_random_int, but all are pseudo-random number generators.
Given SAP has a serious encryption library, I was hoping that a cryptographically secure random byte generator might be available to call.
Any ideas on how to get a random byte stream in ABAP?
One that a security expert won't cry at.
06-14-2016 9:13 AM
Funny thing. I myself was looking for a more "secure" random number generator than "CL_ABAP_RANDOM".
My use case would be generating security codes for vouchers we issue from our system. While we take measures so that we'd only accept vouchers that we actually issued ourselves, I, from an IT point of view, would love to see a more "secure" implementation than the above-discussed built-in classes or FMs.
After some research I found this note, http://service.sap.com/sap/support/notes/1410548, which mentions a kernel-implemented "random number generator" that is touted to be secure and could be used to "secure communication".
The name of the FM is "GENERATE_SEC_RANDOM". Maybe this will suit your (and my) needs.
Cheers
Jens
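The voucher use case from the post above, as an added example that is not part of the thread and not SAP's own code: it draws bytes from GENERATE_SEC_RANDOM and maps them to a 32-symbol alphabet, which gives 5 bits per character (80 bits for 16 characters) with no modulo bias. The report and class names are hypothetical, and the function module's parameter and exception names are assumptions to confirm in SE37 on your release.

```abap
REPORT z_voucher_code_demo.

" Hypothetical helper: builds a voucher code from kernel CSPRNG bytes.
" The parameter names of GENERATE_SEC_RANDOM (length, random and the
" exceptions) are assumptions; confirm them in SE37 on your release.
CLASS lcl_voucher DEFINITION.
  PUBLIC SECTION.
    CLASS-METHODS generate
      IMPORTING iv_length      TYPE i DEFAULT 16
      RETURNING VALUE(rv_code) TYPE string.
ENDCLASS.

CLASS lcl_voucher IMPLEMENTATION.
  METHOD generate.
    " 32 symbols without 0/O and 1/I: 256 is a multiple of 32, so
    " byte MOD 32 is uniform and no rejection step is needed.
    CONSTANTS lc_alphabet TYPE c LENGTH 32
      VALUE '23456789ABCDEFGHJKLMNPQRSTUVWXYZ'.
    DATA: lv_random TYPE xstring,
          lv_byte   TYPE x LENGTH 1,
          lv_index  TYPE i,
          lv_pos    TYPE i.

    CALL FUNCTION 'GENERATE_SEC_RANDOM'
      EXPORTING
        length         = iv_length
      IMPORTING
        random         = lv_random
      EXCEPTIONS
        invalid_length = 1
        no_memory      = 2
        internal_error = 3
        OTHERS         = 4.
    " Fail closed: never fall back to CL_ABAP_RANDOM on error.
    IF sy-subrc <> 0 OR xstrlen( lv_random ) <> iv_length.
      MESSAGE 'Secure random generation failed' TYPE 'X'.
    ENDIF.

    DO iv_length TIMES.
      lv_pos   = sy-index - 1.
      lv_byte  = lv_random+lv_pos(1).
      lv_index = lv_byte MOD 32.
      rv_code  = rv_code && lc_alphabet+lv_index(1).
    ENDDO.
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  WRITE / lcl_voucher=>generate( ).
```

If the alphabet size is changed to a value that does not divide 256, bytes at or above the largest multiple of that size have to be discarded and redrawn to keep the distribution uniform.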
06-13-2016 7:33 PM
Have you checked if cl_system_uuid or FM guid_create suits your needs?
06-13-2016 7:44 PM
Unfortunately not. Unique is very different to random. Indeed the SAP GUID cl_system_uuid is a poor GUID implementation. It isn't evenly spread. Unique, but that's all. Being evenly spread and unique is a good GUID. Check GUIDs on your SAP system; you will notice that the first 4-6 digits are common, most likely. In other words, the opposite of random. And poor for keys in large tables.
The weakness in SAP GUID is why BANK_DISTRIBUTED_ID_CREATE was created.
No, GUIDs are predictable and not suitable in cryptography.
Accessing the SAP crypto library remains the heart of the question.
But thanks for trying...
06-13-2016 8:24 PM
Phil Soady wrote:
Unfortunately not. Unique is very different to random. Indeed the SAP GUID cl_system_uuid is a poor GUID implementation.
True, I mixed them.
And what about calling a system command to generate random then?
06-13-2016 8:41 PM
Von Neumann said "Anyone who considers arithmetical methods of producing random digits is, of course, in a state of sin." Just thought I'd mention it, since I kind of like that quote!
All random number generators, unless connected to a random source like a lump of uranium, are necessarily pseudo, aren't they? So what you're looking for would be a CSPRNG, not a CSRNG?
HANA offers RAND_SECURE() which is cryptographically secure, but I don't know of one directly accessible from ABAP.
06-14-2016 12:53 AM
Yes, without quantum fluctuations to provide entropy, I'm happy to have a decent CSPRNG.
Nice quote... So I'm a sinner. What's new?
I don't have a HANA system. I wonder what rand_secure does?
SAP must have a decent CSPRNG inside sapcryptolib. Just need them to expose it.