How to decrypt security answer in UME

Former Member
0 Kudos

We have created a Web Dynpro project to retrieve the password of a user if they forgot it. The program uses the default security question and answer attributes of the IUser object. The problem is that the security answer is encrypted in the DB. It looks like SSHA encryption, as the value of the field starts with .

Does anyone know how to decrypt the security answer?

Accepted Solutions (1)

vmadhuvarshi_
Contributor
0 Kudos

Andrew,

Satyajit has rightly stated that SSHA is a one-way algorithm and cannot be reversed, and that you need to know the salt value to get the encrypted value of a clear text string.

Aarthi has pointed out that the same security answer for two users did not match after SSHA encryption. The reason for this disparity is that SHA1 uses a random salt each time an encryption is done. However, the salt is stored with the encrypted password as Base64-encoded data. The first 20 bytes of the encrypted string contain the actual clear text, while the later 12 bytes contain the Base64-encoded salt used for encryption.

Theoretically, you can split the encrypted string to get the salt, base64.decode the salt and use it again to encode a clear text and check if both are equal. Take a look at [this|http://www.securitydocs.com/library/3439] very useful article. This might help you and Aarthi both.

Vishwas.

Former Member
0 Kudos

Vishwas,

Your post has been most helpful. We feel that we are very close, but we are still not getting matching values.

value from DB: 1zhaHvjkZ1sSFxJLT8kCIlIkCsCyv/6tLyE=

value from code: OmA4GjFf9hEOCi4xxF57IwD94Sqyv/6tLyE=

The answer in this case is "red".

Here is what we did:

- Extracted the salt from the answer in the DB.

- Used the salt to digest (encode) the user input.

- Appended the salt to the digested value.

- Base64 encoded the appended value.

- Prepended to the Base64 encoded value.

You can see that the salt value is the same in each value, but the rest does not match.

Are we missing something? Do you have any additional ideas that we could try?

Thank you,

Andrew

vmadhuvarshi_
Contributor
0 Kudos

Andrew,

Try using this approach for encryption.

Get the source string and salt as separate binary objects

Concatenate the 2 binary values

SHA hash the concatenation into SaltedPasswordHash

Base64Encode(concat(SaltedPasswordHash, Salt))

This will translate to code something like this.


import java.security.MessageDigest;
import java.util.Base64; // java.util.Base64 stands in for the article's Base64 helper
public String createDigest(byte[] salt, String entity) throws Exception {
       String label = "{SSHA}";
       MessageDigest sha = MessageDigest.getInstance("SHA-1");
       // Update digest object with byte array of clear text string and salt
       sha.reset();
       sha.update(entity.getBytes("UTF-8"));
       sha.update(salt);
       // Complete hash computation, this results in binary data
       byte[] pwhash = sha.digest();
       return label + Base64.getEncoder().encodeToString(concatenate(pwhash, salt));
}

// Helper used above: hash bytes followed by the salt bytes
private byte[] concatenate(byte[] a, byte[] b) {
       byte[] out = java.util.Arrays.copyOf(a, a.length + b.length);
       System.arraycopy(b, 0, out, a.length, b.length);
       return out;
}

and this to decrypt.

Strip the hash identifier from the Digest

Base64Decode(Digest)

Split Digest into 2 byte arrays, one for bytes 0 - 20 (pwhash), one for bytes 21 - 32 (salt)

Get the target string and salt as separate binary object

This should translate to code like this.



import java.util.Base64;
public void checkDigest(String digest) {
       digest = digest.substring(6); // ignore the {SSHA} hash ID

       // extract the hashed data into hs[0], salt into hs[1]
       byte[][] hs = split(Base64.getDecoder().decode(digest), 20);
       byte[] hash = hs[0];
       byte[] salt = hs[1];
       // next step: hash the user's answer with this salt (see createDigest) and compare it to hash
}

// Helper: split a byte array at index n into [0, n) and [n, length)
private byte[][] split(byte[] data, int n) {
       byte[] head = java.util.Arrays.copyOfRange(data, 0, n);
       byte[] tail = java.util.Arrays.copyOfRange(data, n, data.length);
       return new byte[][] { head, tail };
}


This should work. The source for this code is [this article|http://www.securitydocs.com/library/3439].

Vishwas.

Former Member
0 Kudos

Vishwas,

Your answer is the correct one. We were able to get it to work by converting the user input to upper case, then encrypting it and comparing it to the value in the database. It appears that SAP makes the answer upper case before it encrypts it and stores it in the database.
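The procedure Vishwas describes above (hash the clear text followed by the salt, store {SSHA} plus Base64(hash || salt); to verify, strip the label, decode, split after byte 20, re-hash the candidate with the recovered salt and compare), combined with the upper-casing Andrew found, as one added self-contained Java example. This is not code from the thread, from the securitydocs article or from SAP: the class name SshaVerifier, the UTF-8 string encoding, the 12-byte random salt and the upper-casing rule are assumptions taken from the discussion rather than from the UME implementation.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

/**
 * Salted SHA-1 ({SSHA}) helper: hash = SHA1(clearText || salt),
 * stored as "{SSHA}" + Base64(hash || salt).
 * Assumptions (from the thread, not from SAP code): UTF-8 strings,
 * 12-byte salt, answers upper-cased before hashing.
 */
public class SshaVerifier {

    private static final String LABEL = "{SSHA}";
    private static final int SHA1_LEN = 20;   // a SHA-1 digest is always 20 bytes
    private static final int SALT_LEN = 12;   // salt length reported in the thread (assumption)

    private static byte[] sha1(byte[] clearText, byte[] salt) throws Exception {
        MessageDigest sha = MessageDigest.getInstance("SHA-1");
        sha.update(clearText);
        sha.update(salt);
        return sha.digest();
    }

    /** Produce a {SSHA} digest for an answer with a caller-supplied salt. */
    public static String createDigest(byte[] salt, String answer) throws Exception {
        byte[] hash = sha1(answer.getBytes(StandardCharsets.UTF_8), salt);
        byte[] hashAndSalt = new byte[hash.length + salt.length];
        System.arraycopy(hash, 0, hashAndSalt, 0, hash.length);
        System.arraycopy(salt, 0, hashAndSalt, hash.length, salt.length);
        return LABEL + Base64.getEncoder().encodeToString(hashAndSalt);
    }

    /** Fresh random salt per stored value: this is why two users with the same answer store different digests. */
    public static byte[] newSalt() {
        byte[] salt = new byte[SALT_LEN];
        new SecureRandom().nextBytes(salt);
        return salt;
    }

    /**
     * Check a candidate answer against a stored digest. The candidate is upper-cased first,
     * as Andrew found UME does before hashing (assumption taken from the thread).
     */
    public static boolean verify(String storedDigest, String candidate) throws Exception {
        if (storedDigest == null || !storedDigest.startsWith(LABEL)) {
            return false;   // not an SSHA value: refuse rather than guess the format
        }
        byte[] decoded = Base64.getDecoder().decode(storedDigest.substring(LABEL.length()));
        if (decoded.length <= SHA1_LEN) {
            return false;   // too short to hold a 20-byte hash plus a salt
        }
        byte[] storedHash = new byte[SHA1_LEN];
        byte[] salt = new byte[decoded.length - SHA1_LEN];   // salt is whatever follows the hash
        System.arraycopy(decoded, 0, storedHash, 0, SHA1_LEN);
        System.arraycopy(decoded, SHA1_LEN, salt, 0, salt.length);

        byte[] candidateHash = sha1(candidate.toUpperCase().getBytes(StandardCharsets.UTF_8), salt);
        // Constant-time comparison; Arrays.equals would stop at the first differing byte.
        return MessageDigest.isEqual(storedHash, candidateHash);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: what the store would hold for the answer "red" after upper-casing.
        String stored = createDigest(newSalt(), "RED");
        System.out.println("stored:   " + stored);
        System.out.println("\"red\"  -> " + verify(stored, "red"));   // case is folded before hashing
        System.out.println("\"blue\" -> " + verify(stored, "blue"));

        // Same answer hashed again with a new salt: a different stored string that still verifies.
        String storedAgain = createDigest(newSalt(), "RED");
        System.out.println("different digest for same answer: " + !stored.equals(storedAgain));
        System.out.println("\"Red\"  -> " + verify(storedAgain, "Red"));
    }
}
```

Note that nothing here recovers the stored answer, which is what the thread's title asks for: a salted one-way hash only lets you confirm or reject a candidate. The split point is the fixed 20-byte SHA-1 length rather than a hard-coded salt size, so the check still works if a store uses a salt other than 12 bytes.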

vmadhuvarshi_
Contributor
0 Kudos

Good that I could help.

former_member194668
Active Participant
0 Kudos

Thanks Vishwas,

I tested with a hashed password and I was able to compare it.

It was nice info.

-Aarthi

Former Member
0 Kudos

Hi Aarthi,

I am trying the same approach, comparing the hashed password. I have followed all the steps provided in the reference links, but while comparing it always gives the output "Hashes DON'T match:".

Can you please help me to implement this scenario?

Thanks a lot.

Swati Pandey

Answers (1)

Former Member
0 Kudos

Hi,

Since it's a salted SHA you need to know the salt value. Apart from that, SSHA is a one-way hash algorithm; you cannot decrypt it to get back the original string.

So what you need to do is encrypt the security answer entered by the user, hash it and then match it with the value in the database. If they match then it's a valid answer.

Regards,

Satyajit.

Former Member
0 Kudos

Satyajit,

Do you know what API to use to encrypt the answer entered by the user?

Former Member
0 Kudos

Hi,

You can use the Java Cryptography Extension (JCE) APIs. More details can be found [here|http://java.sun.com/j2se/1.4.2/docs/guide/security/jce/JCERefGuide.html].

Regards,

Satyajit.

former_member194668
Active Participant
0 Kudos

Hi,

I had a similar requirement...

/message/5073819#5073819 [original link is broken]

I even stored the same security answer for 2 different users, and tried to match them. They were not equal.

And there is no API like comparePassword for security answer.

Finally we opened an OSS message with SAP and they replied that it needs a new development request.

So as of now, we used a custom attribute instead of standard attribute.

-Aarthi