Application Development Discussions

Encrypt password with a keyword

Former Member
0 Kudos

Hello

I want to store passwords in a data table.

The passwords must be encrypted with a keyword. The idea is that we need this keyword to decrypt the password.

So only the users who know the keyword will be able to decrypt the password stored in the table through a specific transaction.

Do you know if there are function modules which can make this kind of encryption / decryption ?

Thank you for your help.

11 REPLIES

SimoneMilesi
Active Contributor
0 Kudos

These FMs encrypt and decrypt passwords, but with a standard procedure, without a given keyword.

FIEB_PASSWORD_ENCRYPT

FIEB_PASSWORD_DECRYPT

You can always use these and choose to give the authorization (via auth. objects/transaction) for the report to manage your custom table to the people you need.

0 Kudos

Yes, I know these functions but it's not sufficient.

We really need to encrypt the passwords with a keyword in order to guarantee security.

The standard authorisations are not sufficient because anyone who can access SE37 will be able to decrypt the passwords.

That's why we want only the users who know that keyword to be able to decrypt.

0 Kudos

Then I think you should create a custom FM based on these 😕

0 Kudos

> Yes, I know these functions but it's not sufficient.

> We really need to encrypt the passwords with a keyword in order to guarantee the security.

Thank you for that. These function modules are urban legends caused by their misleading names.

Last I heard, they will be deleted in a future release.

> The standard authorisation are not sufficient because anyone who can access to SE37 will be able to decrypt the passwords.

Well, you can and should protect that in a productive environment... (the ability to display, and execute, the FM - see SAP Note 587410).

> That's why we want that only the users who knows that keyword will be able to decrypt.

Then you will need to prompt the user for a password, before the decryption.

So there are 2 issues:

Password prompt

You can create a symbolic user without any access (roles) and manage its password. Before the decryption, check that the calling user at least knows the password of this user.

You can do this locally in the same client (see report RDDPWDCHK for coding examples - careful, it updates the "lock count" for failed password attempts now) or remotely using an RFC connection without saved login data to a different client or system. The latter can be useful, as the ability to set the password = the ability to decrypt.

Encryption / Decryption

You will need to save the algorithm somewhere, or use an existing function which offers the ability to decrypt. Obviously, the latter option can bypass your prompt...

One way of doing it would be to write your own external RFC server program which does this task, and protect it.

Another way would be to store the sensitive parts of the code in an encrypted file which can only be accessed from your program context. It would then only be "visible" at runtime. In this case, folks could also access the hidden parts via developer traces or short dumps or debugging.

Restricting access to the "real" code is the easiest option, and other more complicated approaches generally require restricted access anyway.

> anyone who can access to SE37 will be able to decrypt the passwords.

If someone has access to display source code and single-test all function modules, then all security is toasted anyway...

Cheers,

Julius

0 Kudos

Ps: Perhaps you can explain your requirement in more detail, as I thought of another standard option.

Possibly you are looking for a client side authorization to call a function? This is possible in SAP standard.

The SM59 RFC user's logon data (password) is encrypted in the SecureStore --> that problem solved.

Then assign an authorization group to that RFC destination on the "Security & Login" data tab.

This not only activates a protection of maintaining the connection data (object S_RFC_ADM), but also the ability to call the destination (the client context needs authority for object S_ICF of type DEST).

Please take a look into that if it makes sense. It would be much easier (and supported!).

Cheers,

Julius

WolfgangJanzen
Product and Topic Expert
0 Kudos

> Yes, I know these functions but it's not sufficient.

> We really need to encrypt the passwords with a keyword in order to guarantee the security.

> The standard authorisation are not sufficient because anyone who can access to SE37 will be able to decrypt the passwords.

> That's why we want that only the users who knows that keyword will be able to decrypt.

May I ask for the intended purpose?

What do you need the passwords for?

To access an external system?

If yes, would it be an option to make use of the existing capabilities of the "destinations" (SM59)?

Well, ABAP systems do provide a so-called "Secure Storage" (see: ABAP transaction SECSTORE) which is exactly designed for that purpose (to store passwords and control access by code-based authorizations). However there's a big "BUT": due to legal constraints the usage of the "Secure Storage" needs to be controlled: before an application can make use of the Secure Storage (API) it needs to be "approved" (by the SAP Security Development department). This applies to SAP applications - it's not possible that partners or customers make use of that API. Thus, you have to check which existing mechanism (e.g. the one provided by the communication framework: SM59 destinations for outbound communication) can be used.

Best regards, Wolfgang

Former Member
0 Kudos

Hi,

Use the following FM to encrypt

CALL FUNCTION 'FIEB_PASSWORD_ENCRYPT'

Use the following FM to decrypt

CALL FUNCTION 'FIEB_PASSWORD_DECRYPT'

With these FMs you can encrypt and decrypt any fields of the program.

Two more things:

1. You can't use these FM to decode user passwords.

2. Although their import parameters are case sensitive, when you test them from SE37 the import parameters are converted to uppercase (thus it may seem that they aren't working). A suggestion: encapsulate them in a custom FM that receives a string to be encrypted/decrypted and a parameter that says whether you want to encrypt or decrypt, and call this FM from your program. Test them very carefully, because once the string has been encrypted the decryption side is the only way to get it back.

Regards

Former Member
0 Kudos

Hey Jean-Christophe,

did you find any solution for this demand?

I also need an en-/decryption of a string with a keyword.

All the mentioned functions like FIEB_PASSWORD_ENCRYPT, DECODE_SLDPWD_BASE64, DB_CRYPTO_PASSWORD, HTTP_SCRAMBLE ... do not provide any keyword to encode the string with.

Thanks a lot,

Steffi

0 Kudos

I see that you have "bounced" this in the ABAP forums as well =>

Have you considered that the ABAP system (as the client for the scenario) can also have an identity (PSE => transaction STRUST)

...and feelings ...

The function modules ABAPers generally use are based on their names and they are misleading (to express it nicely..)

Distributing a password in any encrypted form and expecting it to be permanently secure is a joke, because the decryption function must be available. So you need to have a trust to the system anyway...

You might as well ditch the password and go for an alternate form of authentication based on trusted hosts / identities.

Please explain what you want to achieve here. I am sure there is a more sustainably secure way of going about it...

I suspect that you have a communication partner which requests a password (presented in plaintext) and wants you to "hide" it locally in the ABAP system.

Cheers,

Julius

Former Member
0 Kudos

Hi.

This is what you want. You have to pass the data to be encrypted as a table.

* Encrypts the content of an internal table in place with a caller-supplied
* keyword via the BW class CL_RSDMD_CRYPT. The same keyword has to be passed
* to CL_RSDMD_CRYPT=>DECRYPT to restore the original content.
*   keyword - the secret used to derive the encryption
*   p_btab  - internal table (e.g. source lines) to be encrypted in place
FORM frm_encrypt USING    keyword
                 CHANGING p_btab.

  CALL METHOD cl_rsdmd_crypt=>encrypt
    EXPORTING
      i_password       = keyword
*     i_uun            = rs_c_true
    CHANGING
      c_t_abap         = p_btab
    EXCEPTIONS
      canceled_by_user = 1
      OTHERS           = 2.

  IF sy-subrc <> 0.
*   Raise the failure instead of silently leaving plaintext in p_btab.
    MESSAGE ID sy-msgid TYPE sy-msgty NUMBER sy-msgno
            WITH sy-msgv1 sy-msgv2 sy-msgv3 sy-msgv4.
  ENDIF.

ENDFORM.

Best regards.

Emir Aras From TURKEY

WolfgangJanzen
Product and Topic Expert
0 Kudos

> Hello

> I want to store passwords in a data table.

> The passwords must be encrypt with a keyword. The idea is that we need this keyword to decrypt the password.

> So only the users who knows the keyword will be able to decrypt the password stored in the table through a specific transaction.

> Do you know if there are function modules which can make this kind of encryption / decryption ?

> Thank you for your help.

Asking again:

Can you elaborate the use-case?

What are those passwords used for? To whom or what do they belong?