Former Member
Jan 08, 2008 at 08:42 PM

Use of SAPcryptolib and resolving its shortcomings in OSS note 766703


Is anyone aware whether SAP has resolved the issue below, highlighted in OSS note 766703, related to the SAP credit card encryption solution SAPCryptolib?

The encryption prevents direct database accesses to the tables that contain the payment card information or direct selects from the R/3 environment (for example, transaction SE16 or SE17) or simple reports.

Due to the system design, you cannot prevent the following attacks:

a) If the attacker has full database access, he can also manipulate the source code delivered by SAP and hence deactivate or bypass the encryption.

b) If the attacker obtains the authorization to change the source code in a SAP system, or if he is authorized to call the encryption routines required for the authorization within reports or transactions that are part of the system, the encryption does not provide any enhanced protection.

c) Users with debugging authorization can display individual payment card numbers at certain points of the document processing where the number must be decrypted temporarily for further processing.

Please let me know if anyone has found a solution, workaround or a fix for this issue.

Thanks for your time.

Bill Bochert