How to decrypt security answer in UME

We have created a Web Dynpro project to retrieve the password of a user if they forgot it. The program uses the default security question and answer attributes of the IUser object. The problem is that the security answer is encrypted in the DB. It looks like SSHA encryption, as the value of the field starts with .

Does anyone know how to decrypt the security answer?

Former Member
Former Member replied

Andrew,

Try using this approach for encryption.

Get the source string and salt as separate binary objects

Concatenate the 2 binary values

SHA hash the concatenation into SaltedPasswordHash

Base64Encode(concat(SaltedPasswordHash, Salt))

This will translate to code something like this.

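import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;

public String createDigest(byte[] salt, String entity) throws NoSuchAlgorithmException {
       String label = "{SSHA}";
       MessageDigest sha = MessageDigest.getInstance("SHA-1");
       // Update digest object with byte array of clear text string and salt
       sha.update(entity.getBytes(StandardCharsets.UTF_8));
       sha.update(salt);
       // Complete hash computation, this results in binary data
       byte[] pwhash = sha.digest();
       // Append the salt to the hash before Base64 encoding
       byte[] out = new byte[pwhash.length + salt.length];
       System.arraycopy(pwhash, 0, out, 0, pwhash.length);
       System.arraycopy(salt, 0, out, pwhash.length, salt.length);
       return label + Base64.getEncoder().encodeToString(out);
}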

and this to decrypt.

Strip the hash identifier from the Digest

Base64Decode(Digest)

Split Digest into 2 byte arrays, one for bytes 0 – 20 (pwhash), one for bytes 21 – 32 (salt)

Get the target string and salt as separate binary objects

This should translate to code like this.


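import java.util.Arrays;
import java.util.Base64;

public void checkDigest(String digest) {

       digest = digest.substring(6); // ignore the {SSHA} hash ID

       // extract the hashed data into hash, the remaining bytes into salt
       byte[] decoded = Base64.getDecoder().decode(digest);
       byte[] hash = Arrays.copyOfRange(decoded, 0, 20);
       byte[] salt = Arrays.copyOfRange(decoded, 20, decoded.length);

   }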


This should work. The source for this code is [this article|http://www.securitydocs.com/library/3439].

Vishwas.
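
The steps above carried through to a complete check, as an added example that is not part of the original answer and uses only the JDK, not UME classes. Because SHA-1 is a one-way hash, it recomputes the digest of a candidate answer with the stored salt and compares, rather than recovering the stored text. The class name SshaVerify, the matches method, UTF-8 input encoding and the sample salt and answer are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.Base64;

public class SshaVerify {
    private static final String LABEL = "{SSHA}";
    private static final int SHA1_LEN = 20; // SHA-1 output size in bytes

    // Builds a digest as the answer describes: Base64(SHA1(text || salt) || salt).
    static String createDigest(byte[] salt, String text) throws NoSuchAlgorithmException {
        MessageDigest sha = MessageDigest.getInstance("SHA-1");
        sha.update(text.getBytes(StandardCharsets.UTF_8)); // assumption: UTF-8 input
        sha.update(salt);
        byte[] hash = sha.digest();
        byte[] out = Arrays.copyOf(hash, hash.length + salt.length);
        System.arraycopy(salt, 0, out, hash.length, salt.length);
        return LABEL + Base64.getEncoder().encodeToString(out);
    }

    // True only if the candidate hashes to the stored value under the stored salt.
    static boolean matches(String stored, String candidate) throws NoSuchAlgorithmException {
        if (stored == null || !stored.startsWith(LABEL)) return false;
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(stored.substring(LABEL.length()));
        } catch (IllegalArgumentException e) {
            return false; // not valid Base64
        }
        if (raw.length <= SHA1_LEN) return false; // truncated value or missing salt
        byte[] hash = Arrays.copyOfRange(raw, 0, SHA1_LEN);
        byte[] salt = Arrays.copyOfRange(raw, SHA1_LEN, raw.length);
        MessageDigest sha = MessageDigest.getInstance("SHA-1");
        sha.update(candidate.getBytes(StandardCharsets.UTF_8));
        sha.update(salt);
        // MessageDigest.isEqual compares the arrays in constant time
        return MessageDigest.isEqual(hash, sha.digest());
    }

    public static void main(String[] args) throws Exception {
        byte[] salt = {1, 2, 3, 4, 5, 6, 7, 8};             // constructed sample salt
        String stored = createDigest(salt, "blue bicycle"); // constructed sample answer
        System.out.println(stored);
        System.out.println(matches(stored, "blue bicycle")); // same text, same salt
        System.out.println(matches(stored, "red bicycle"));  // different text
    }
}
```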
