Credit card encryption using Cryptolib between Ext Svc & SAP

Former Member
0 Kudos

Hello all,

Overview of issue -

SAP is receiving encrypted credit card info in an XML file from an external agency. The external agency uses RSACryptoServiceProvider in Csharp for encryption. The encrypted data is sent to SAP in Base 64 format.

The SAP system is ECC 6.0 and we are using SAPCryptolib and have sent the external agency the public key which they use to do the encryption. Security Product is SAPSECULIB, SSF format PKCS#7, Algorithm RSA.

On the SAP end, we are using FM CCARD_DEVELOPE. We are trying to substitute the encrypted text in record 2 of input structure CCARDEC_S_BIN-TBIN. But this is of type RAW and when we try to enter the data, the data is converted into all 0's or a couple of characters followed by 0's. We have tried using certain conversion functions to convert string to RAW and get errors.

Request help on this - Is this a data issue on the SAP side (how we need to pass to the DEVELOPE FM), should we use a different FM, OR is this something not technically possible because we are using different security products for encryption (RSACryptoServiceProvider) and decryption (SAPSECULIB)?

Thanks

Sangeetha

12 REPLIES

Former Member
0 Kudos

We had a similar issue with webshop (CRM + ECC 6.0). Why don't you use the SAP-delivered object for encryption?

I think by default the encrypting object does not come in any role; you might have to add this to the business partner's role and also to your RFC. I forgot the exact auth object, XX_XXXX_CARD.

Probably you can use this object for authority check in your codes for encryption.

0 Kudos

Franklin,

Thanks for responding. We cannot use the standard object because the encryption is done by a non-SAP external agency (ASP, C# system).

Sangeetha

Former Member
0 Kudos

I would suggest looking into "tokenization" before you make any encryption decisions, in this case...

Cheers,

Julius

0 Kudos

Julius,

Thanks for the suggestion. Clean solution. I have forwarded this info to our client.

But we are on a time crunch and they will mostly want to get this working with the current setup - no additional dollars spent :)

Sangeetha

0 Kudos

I agree with this opinion. RSA has published a really nice document (http://www.rsa.com/innovation/docs/10990_CDS_BRF_0610.pdf) dedicated to tokenization. If you want to go with data encryption then just a reminder that one of the PCI requirements is to change the key at least annually. This is not supported by all versions of SAP. Check note 1151936 - Key replacement for encryption of payment card data.

Regarding the problem with transformation: obviously, you can't just pass binary data encoded with Base64. You can try to use FM SSFC_BASE64_DECODE to convert the string into an xstring and then split it into chunks of 255 bytes and create a table with type CCARDEC_T_BIN.

Cheers

0 Kudos

The external agency sends us the following encrypted text for credit card 5454545454545454

Base64 format -

kEQTdyHmBUlatEZCK0xXLD2Pkqi5cRSo6CgMso4Fo95Py4v8hJeFklXWaGJN9Xac1xk94otO3opXm6hjbxeIbMLxlJh8mfxXECoZICcdROVwtC/QZyQaqxCWMfDztG2Y+SYLL6Rno401xlelww80BW8A7rvKpHCkqke2dJNJUtM=

Byte array value

1446819119332305739018070664376874461143146168185113201682324012178142516322279203139252132151133146852141049877245118156215256122613978222138871551689911123136108194241148152124153252871642253239296822911218047208103362617116150492402431801091522493811471641031631415319887165195155251110238187202164112164170711821161477382211

I used FM SSFC_BASE64_DECODE to decode the Base 64 format and get the following text

9044137721E605495AB446422B4C572C3D8F92A8B97114A8E8280CB28E05A3DE4FCB8BFC8497859255D668624DF5769CD7193DE28B4EDE8A579BA8636F17886CC2F1

When I pass this to FM CCARD_DEVELOPE as Record 2 in LX_CCARDEC_S_BIN-TBIN, I get error ' Error when decrypting payment card data: SSF Error: Decoding not possible'.

Am I doing something incorrect in the way I am calling the FM?

Is the issue at a higher level, that SAP and the external agency are using 2 different algorithms for encryption/decryption, and that is causing the issue?

Should we look at other options like coding an RFC wrapper around the RSA modules that the external agency is using and calling it from SAP?

Thanks for your time and attention.

0 Kudos

Hi ,

As explained earlier if you are interfacing credit card information ( from non SAP ) into the SAP environment ?

and you are not able to decrypt ?

0 Kudos

Hi,

I am getting confused here. What key do you use to encrypt credit card details? Even if you use a correct key it does not mean that you can use FM CCARD_DEVELOPE to decrypt data. There might be differences in format which cause decryption failure. I don't understand your comment regarding RFC wrappers. I thought that you use the public key of the SAP system to encrypt data in the external system. So only the SAP system, which has the private key, is able to decrypt data.

Cheers

0 Kudos

Martin,

The external agency has been sent the public key that has been generated in SAP using SSF Security product SAPSECULIB.

SSF Application is Encryption of payment cards in SAP.

They are encrypting the data using this public key/certificate and library RSACryptoServiceProvider in Csharp.

We receive this encrypted data that I am trying to decrypt using CCARD_DEVELOPE and we are running into all these errors. We are executing this FM for decryption in the QA SAP system, where we generated the certificate and sent to the external agency.

What I meant by RFC wrapper is to see if we can build a wrapper around the corresponding decryption function in library RSACryptoServiceProvider, place it on our app server and call it from SAP to do the decryption, passing the encrypted text sent by the external agency and the corresponding keys that we had sent.

Thanks

Sangeetha

0 Kudos

Hi,

Your solution with a wrapper does not make too much sense. Only the SAP box should have a private key and your external system should have only the public key of the SAP box. So you would have to store the private key also in the external box, which is definitely not a good idea.

As far as I understand you simply use the public key to encrypt data in the external system using RSACryptoServiceProvider. The problem is that SAP uses PKCS7 format for document encryption. You can encrypt data using FM CCARD_ENVELOPE. So I would try to enter the same data into FM CCARD_ENVELOPE and RSACryptoServiceProvider. If the result is the same then you should not have any problems decrypting data from the external system. I expect that there will be a difference. I am not an expert in C# but I would look for an API which returns encrypted data in PKCS7 format. You might start here: http://msdn.microsoft.com/en-us/library/bb885086.aspx.

Cheers
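
The format difference described in the reply above can be checked on the received value before it reaches CCARD_DEVELOPE. The following is an added example, not code from any poster in this thread: it decodes the Base64 text, tests whether the bytes carry a PKCS#7 EnvelopedData header (a DER SEQUENCE holding OID 1.2.840.113549.1.7.3) or are a bare RSA block the size of the key modulus, and splits the bytes into 255-byte rows as suggested earlier for CCARDEC_T_BIN. The function names are hypothetical, `PAGE_BLOB` is the Base64 value posted above, and the envelope sample is a constructed header with placeholder content that cannot be decrypted.

```python
import base64

# DER encoding of OID 1.2.840.113549.1.7.3 (PKCS#7 envelopedData)
ENVELOPED_DATA_OID = bytes.fromhex("06092a864886f70d010703")
RSA_BLOCK_SIZES = {128, 256, 384, 512}  # 1024- to 4096-bit moduli

def read_der_length(buf, pos):
    """Return (length, offset of first content byte) for the DER length at pos."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("unsupported or truncated DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def classify(b64_text):
    """Name the container format of a Base64-encoded ciphertext."""
    raw = base64.b64decode(b64_text, validate=True)
    if len(raw) >= 2 and raw[0] == 0x30:  # DER SEQUENCE tag
        try:
            length, body = read_der_length(raw, 1)
            if body + length == len(raw):  # outer length covers the whole blob
                oid = raw[body:body + len(ENVELOPED_DATA_OID)]
                return "pkcs7-enveloped-data" if oid == ENVELOPED_DATA_OID else "der-other"
        except ValueError:
            pass  # not well-formed DER; fall through to the size check
    return "raw-rsa-block" if len(raw) in RSA_BLOCK_SIZES else "unknown"

def to_chunks(raw, size=255):
    """Split decoded bytes into rows of at most `size` bytes."""
    return [raw[i:i + size] for i in range(0, len(raw), size)]

# Value posted in the thread above.
PAGE_BLOB = ("kEQTdyHmBUlatEZCK0xXLD2Pkqi5cRSo6CgMso4Fo95Py4v8hJeFklXWaGJN9Xac"
             "1xk94otO3opXm6hjbxeIbMLxlJh8mfxXECoZICcdROVwtC/QZyQaqxCWMfDztG2Y"
             "+SYLL6Rno401xlelww80BW8A7rvKpHCkqke2dJNJUtM=")

def sample_envelope_b64():
    """Constructed sample: ContentInfo header only, 300 zero bytes as placeholder."""
    inner = bytes(300)
    content = ENVELOPED_DATA_OID + b"\xa0\x82" + len(inner).to_bytes(2, "big") + inner
    der = b"\x30\x82" + len(content).to_bytes(2, "big") + content
    return base64.b64encode(der).decode("ascii")

if __name__ == "__main__":
    print(classify(PAGE_BLOB), len(base64.b64decode(PAGE_BLOB)))
    print(classify(sample_envelope_b64()))
```

The posted value decodes to 128 bytes with no DER header, which is what a single RSA encryption under a 1024-bit key produces and not a PKCS#7 envelope.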

0 Kudos

Hi Martin,

Thanks for taking the time to respond.

For the wrapper, I was talking about placing the wrapper function in the SAP box, where we should have the keys.

I will look into the other API's also.

Thanks

Sangeetha

0 Kudos

Hi,

That's a common workaround. If you can't do something in ABAP then you just call an external program written in some different language. I am just worried about this use case. Your external program needs to access the private key of the SAP system and also you would have to pass unencrypted text between the external program and the SAP system. These points bring new risks and issues.

Cheers