Password encryption..

Former Member
0 Kudos

Hi Experts,

I am having a webdynpro java application..

There is a intermediate conversion /encryption of password done and is stored in a ztable..

Could anyone tell me what are the ways in which encryption is done..

Best Regards,

Navin Fernandes.

17 REPLIES

Former Member
0 Kudos

Hi Navin,

Not sure I fully understand what you're asking, but here's a general comment on password storage: In general passwords used as logon data in an application are not stored encrypted, but rather encoded via a one-way function, the so called [cryptographic hash function|http://en.wikipedia.org/wiki/Cryptographic_hash_function] or digest. Encryption would imply that it is possible to decrypt the passwords, which is not required (well, only necessary if your application actually stores passwords that it needs to use itself for logging on to another system, but that's another story).

As in any good cooking, we usually add a grain of [salt|http://en.wikipedia.org/wiki/Password_salt]. Basically the salt (a couple of individual - per password - but known random bits) is added to the password (concatenation) before computing the hash. This makes dictionary attacks harder.

Cheers, harald

0 Kudos

Hi Harald,

So you mean it's a conversion function available in a Java class..

Could you provide some documentation regarding the same..

Thank You for your inputs..

Best Regards,

navin fernandes.

0 Kudos

> So you mean it's a conversion function available in a Java class...

Kind of. Java provides you the basic building blocks, but you'd still have to code the actual functionality.

> Could you provide some documentation regarding the same..

Start off with the two links that I gave above. They contain some further references, also examples on password checks. I'd say this is a topic that usually requires some thought to prevent opening up any security holes.

For creating your own hashes the Java class java.security.MessageDigest is what you're looking for. Note that you still have to specify which algorithm/hash function you want to use - most likely this is SHA-1 or even better SHA-2 (MD5 is already questionable, because of existing attacks against it).

One thing that I forgot to mention before: When calculating hash values for passwords one not only adds a salt, but also applies the hash function recursively (a certain number of iterations) several times. There's probably lots of other things that I forgot to mention, so if you implement your own logic, make sure to do some reading up-front...

Cheers, harald
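The scheme Harald describes (random per-password salt, SHA-2 via java.security.MessageDigest, a fixed number of hash iterations, and a one-way comparison at logon rather than decryption) as an added example; this is not code from the thread or from SAP. The record format "iterations$salt$hash", the SHA-256 choice and the 10000 iteration count are assumptions for the example, and the sample password is constructed:

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;

/** Salted, iterated password hashing built on java.security.MessageDigest. */
public class SaltedPasswordHash {

    private static final String ALGORITHM = "SHA-256"; // a SHA-2 member, as suggested above
    private static final int SALT_BYTES = 16;          // 128-bit random salt per password
    private static final int ITERATIONS = 10000;       // assumed work factor; tune for your hardware

    /** Computes H(H(...H(salt || password)...)) with the given iteration count. */
    static byte[] digest(byte[] salt, byte[] password, int iterations) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance(ALGORITHM);
        md.update(salt);
        md.update(password);
        byte[] out = md.digest();            // iteration 1: hash of salt || password (digest() resets md)
        for (int i = 1; i < iterations; i++) {
            out = md.digest(out);            // iterations 2..n: re-hash the previous output
        }
        return out;
    }

    /** Builds the string to persist: iterations$base64(salt)$base64(hash). Assumed format. */
    public static String createRecord(String password) throws NoSuchAlgorithmException {
        byte[] salt = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(salt);  // fresh salt for every stored password
        byte[] hash = digest(salt, password.getBytes(StandardCharsets.UTF_8), ITERATIONS);
        Base64.Encoder enc = Base64.getEncoder();
        return ITERATIONS + "$" + enc.encodeToString(salt) + "$" + enc.encodeToString(hash);
    }

    /** Recomputes the hash from the stored salt and iteration count; the hash itself is never reversed. */
    public static boolean verify(String password, String record) throws NoSuchAlgorithmException {
        String[] parts = record.split("\\$");
        if (parts.length != 3) {
            return false;                    // malformed record: treat as a failed logon
        }
        try {
            int iterations = Integer.parseInt(parts[0]);
            Base64.Decoder dec = Base64.getDecoder();
            byte[] salt = dec.decode(parts[1]);
            byte[] expected = dec.decode(parts[2]);
            byte[] actual = digest(salt, password.getBytes(StandardCharsets.UTF_8), iterations);
            return MessageDigest.isEqual(expected, actual); // constant-time comparison
        } catch (IllegalArgumentException e) {
            return false;                    // bad iteration count or Base64: failed logon
        }
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        String password = "correct horse battery staple";   // constructed sample password
        String record = createRecord(password);
        System.out.println("stored record: " + record);
        System.out.println("correct password accepted: " + verify(password, record));
        System.out.println("wrong password rejected:   " + !verify("Correct horse battery staple", record));
        // Two records for the same password differ because each gets its own salt.
        System.out.println("salt differs per record:   " + !record.equals(createRecord(password)));
    }
}
```

The iteration count is stored with the record so it can be raised later for new passwords without breaking existing ones, and MessageDigest.isEqual is used instead of Arrays.equals so that a mismatch takes the same time regardless of which byte differs.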

0 Kudos

Hi harald,

Thank You for explaining the Hashing function. That was very helpful.

I need to know one more thing.. the existing application is bypassing the SAP NetWeaver login and password..and directs to the webdynpro java login page ( webdynpro application ) which authenticates userid and password created in a ztable..

I think they are encrypting the password in the Java function and then calling a function module ( Adaptive RFC Model )

to store the same.

How can you make settings to bypass sapnetweaver login in NWDS for webdynpro java applications ( I think something related to SSO ) ..?

Can you guide me thru this..?

Best Regards,

Navin Fernandes.

Edited by: NAVIN FERNANDES on Apr 21, 2010 2:03 PM

Former Member
0 Kudos

> There is a intermediate conversion /encryption of password done and is stored in a ztable..

There is no reliable way to do this without a decryption being possible. You can obfuscate it, hide your algorithm, etc but it can be broken.

The correct approach is to save the password in the correct location: the SAP securestore or authenticate the caller and "federate" their identity further.

The call-stacks of the securestorage are protected. You cannot use it for Z-tables / Z- programs. These are destined for misuse.

Cheers,

Julius

WolfgangJanzen
Product and Topic Expert
0 Kudos

> Hi Experts,
> I am having a webdynpro java application..
> There is a intermediate conversion /encryption of password done and is stored in a ztable..
> Could anyone tell me what are the ways in which encryption is done..
> Best Regards,
> Navin Fernandes.

Please consider to use the Java Destination service to store credentials which are required to logon to a remote system.

Those credentials will be stored in the Secure Storage (provided by NWAS Java); access to this Secure Storage is controlled and restricted: only the communication runtime components can retrieve the information (required to establish an outbound communication).

In ABAP the "Destination Service" is called "SM59" ...

Refrain from own implementations.

0 Kudos

Hi Janzen,

Thank You for the information.

Could you give me some steps as to how i can store the userid password with the help of Java Destination service and also

can you tell me if this same thing is possible to store in a ztable..?

Any links to information regarding the same will also be helpful..!

Best Regards,

Navin Fernandes.

0 Kudos

Hello Navin,

more information can be found at http://help.sap.com/saphelp_nw70ehp1/helpdata/en/07/0d27932264284b883dab13ce1008a6/frameset.htm ...

b.rgds, bernhard

0 Kudos

Hi Bernard,

Can you tell me how do we bypass sapnetweaver login when we create webdynpro java application.. Is this related to

Single sign On ....?

Best Regards,

Navin Fernandes.

0 Kudos

Hi Navin,

You need to modify the com.sap.runtime.logon par file to redirect the SAP NetWeaver login to the web dynpro application in NWDS.

Hope it helps

Regards

Arun

0 Kudos

Hi Arun,

Could you elaborate on how to do the same.

I do not know how to modify and redirect in this files..

Best Regards,

Navin Fernandes.

0 Kudos

Hi Navin,

Did you find a solution to the problem? I am facing a similar issue here. I want to authenticate users against the SAP NW user details stored in the SAP DB. At present SAP is using a hashing mechanism to store the password; is there any way that I can encrypt the password provided by the user to generate the same hash value?

Thanks & Regards

Swati

0 Kudos

Hi swaeyy,

I did find something on these lines and came across this info..

The Java classes which are provided by SAP have the hashing function which is used for encryption.

So in order to get this we need to find the Java class which is used for encryption..

Database storage of the user details and password validation can be done with the help of adaptive RFC..

Hope this helps..

Best Regards,

Navin Fernandes.

0 Kudos

Please elaborate what you intend to do.

Hash functions do not encrypt data - encrypted data could be decrypted, but hash functions are not reversible (you cannot obtain the cleartext password for a given hash value - by intent).

As stated previously: if you need to establish an outbound communication to another server and you need to provide userID and password to logon at the server, then you should have a closer look at the Java Destination Service.

0 Kudos

Hi,

My requirement is to authenticate SAP user through external server. As of now , sap stores user password as a hash value,

I intend to convert user input (password) as a hash value, and the compare the same in the end to authenticate the sap user.

Need help over the hash function used by SAP to secure password. Is there any doc available to guide through it.

Thanks & regards

Swati Pandey

0 Kudos

My requirement is to authenticate SAP user through external server.

Assuming that "SAP" refers to "ABAP" and assuming that "authenticate ... through external server" means "external server wants to validate userID and password of an ABAP user account" the answer is: yes, there is an API which allows validating ABAP userID and password (the same is done by UME).

This API also handles failed logon attempts; after a configurable number of failed password logon attempts, further password validation requests will be rejected to prevent brute force / dictionary attacks. The API (ABAP function module) can be called via JCO/RFC using a service user connection.

Is this what you intend?

0 Kudos

> Assuming that "SAP" refers to "ABAP" and assuming that "authenticate ... through external server" means "external server wants to validate userID and password of an ABAP user account"

I want to authenticate a UME user through a Java application residing in an external application server (JBOSS in our case). As UME standalone initialization is not supported for SAP CE 7.1, the UME API is not being of much help. Is there any mechanism through which I can authenticate a UME user through an external app server?