Nov 18, 2011 at 11:14 PM

Secure hash function with salt to create a not spoofable PRC (SAP CRM)

Hello SAP Security Community,

SAP CRM Marketing provides a functionality called Personalized Response Code (PRC, 10 characters). This code can be used in mail, fax, SMS or letters to customers. When the customer returns the PRC to the communication initiator, it can be mapped to a campaign and the business partner number of the customer. See also the SAP Standard Help (http://help.sap.com/saphelp_crm700_ehp01/helpdata/EN/2a/c13463f09c4a1f9c45903e7a0a7230/frameset.htm).

By default this standard implementation of the BAdI CRM_MKT_PRC_CONVERT is called:

METHOD if_ex_crm_mkt_prc_convert~convert_prc.
  DATA lv_no      TYPE  crmt_mkt_icrh_prc_num.
  DATA lv_string  TYPE  string.
  DATA lv_pos     TYPE  int4.
  DATA lv_base31  TYPE  string VALUE '0123456789BCDFGHJKLMNPQRSTVWXYZ'.

**** converting the numeric-base10 into base31
  lv_no = iv_prc.

  CLEAR lv_string.

  DO.
    lv_pos = lv_no MOD 31.
    lv_no  = lv_no DIV 31.

    CONCATENATE lv_base31+lv_pos(1) lv_string INTO lv_string.

    IF lv_no = 0.
      EXIT.
    ENDIF.
  ENDDO.

  MOVE lv_string TO ev_prc.
ENDMETHOD.

As you can see, it does a simple base31 encoding of the provided input parameter iv_prc, which is a number provided by the number range for PRCs.

I want to use the PRC to make our customers' registration process for a trade fair easier. We send out the PRC via a letter to the customers for whom we don't have an e-mail address. The letter contains instructions which point the user to a website that has an input field for the PRC. When the user submits the PRC, I'd like to show him/her some personal information (name, address, e-mail) that we look up using the PRC in the CRM system. This information is then posted to a third-party website that has to be used to do the trade fair registration.

If I used the simple base31 encoding, then the current counter state could be easily decoded, the next number could be chosen, and by applying base31 encoding again, the next valid PRC would be created. This could then be misused to read personal information of another customer. I think what could solve this problem would be to use a secure hash function that can also be salted to create the PRC.

Do you think I'm on the right track? Or would it be OK to use the classes described in Note 1410294 - Support SHA2-family for Message Digest and HMAC (https://service.sap.com/sap/support/notes/1410294) and, before doing the hashing, add a random number to the PRC number that I've got from the number range? What problems do I run into, as the PRC cannot be longer than 12 characters? For sure I have to check that I don't create any PRC twice.

Best regards

Gregor
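
The construction asked about in the post, as an added example that is not part of the original post and is not SAP code: a Python sketch (chosen to show the construction, not the ABAP API) that derives a fixed-length 10-character PRC from HMAC-SHA256 over the number-range counter and handles the duplicate check the post mentions. The function names, the demo key and the `issued` dictionary standing in for a PRC table are assumptions made for illustration.

```python
import hashlib
import hmac

BASE31 = "0123456789BCDFGHJKLMNPQRSTVWXYZ"  # alphabet from the standard BAdI
PRC_LEN = 10                                 # PRC length stated in the post


def base31(n: int, width: int = 0) -> str:
    """Base31-encode n like the standard convert_prc, optionally left-padded."""
    out = ""
    while True:
        n, pos = divmod(n, 31)
        out = BASE31[pos] + out
        if n == 0:
            break
    return out.rjust(width, BASE31[0])


def keyed_prc(counter: int, key: bytes, attempt: int = 0) -> str:
    """Derive a PRC from HMAC-SHA256(key, "counter:attempt"), truncated to 31**10."""
    msg = f"{counter}:{attempt}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    value = int.from_bytes(digest, "big") % 31 ** PRC_LEN
    return base31(value, PRC_LEN)


def issue_prc(counter: int, key: bytes, issued: dict) -> str:
    """Issue a PRC; on a truncation collision retry with the next attempt value.

    issued is a hypothetical stand-in for the table mapping PRC -> counter.
    """
    for attempt in range(16):
        prc = keyed_prc(counter, key, attempt)
        if prc not in issued:
            issued[prc] = counter
            return prc
    raise RuntimeError("no free PRC found for counter %d" % counter)


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample; a real key stays server-side
    issued = {}
    for c in (1000, 1001, 1002):    # constructed sample counters
        # Plain base31 codes are consecutive; keyed codes are unrelated.
        print(c, base31(c), issue_prc(c, key, issued))
```

Because the HMAC cannot be inverted, the website resolves a submitted PRC through the stored PRC-to-counter mapping. Ten base31 characters carry roughly 49 bits, so the input form still needs attempt limiting.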