07-06-2011 2:33 PM
Hello all,
Overview of issue -
SAP is encrypting a payroll XML file using SSF technology. The external agency uses RSACryptoServiceProvider in VB.NET for decryption. The encrypted data is sent to SAP in binary format.
The SAP system is ECC 6.0 and we are using SAPCryptolib, and we are using the public key shared by the external agency to do the encryption. Security Product is SAPSECULIB, SSF format PKCS#7.
While decrypting the file using Base64 option they are getting error of invalid characters.
So I converted the encrypted data into Base64 and tried decryption. Then we are getting the error Invalid File Length.
Request help on this - Is this a data issue on the SAP side OR is this something not technically possible because we are using different security products for encryption(RSACryptoServiceProvider) and decryption(SAPSECULIB)
Thanks
Monika
07-07-2011 12:09 AM
Hi,
what do you mean by "using Base64 option"? As you said, SSF produces output in PKCS#7 format. So the receiver needs to be able to decrypt this format. You can use Base64 encoding for transfer of binary data between systems but it's not related to encryption. Another thing you can do is to convert your data to Base64 encoding and then use SSF to encrypt it into PKCS#7 format.
Cheers
07-07-2011 8:25 AM
Can you please clear my doubts:
1. Is SSF encryption symmetric or asymmetric?
2. After encrypting the file using the receiver's public key, which details do I need to send him back? Currently I am sending only the encrypted file. What else do I need to send him?
Any Inputs Please.
Thanks
Monika
Edited by: monika dhumal on Jul 7, 2011 11:15 AM
07-07-2011 11:15 AM
1. Both. It generates a session key which is used to encrypt data using a symmetric cipher (e.g. AES), and this key is encrypted using an asymmetric cipher (e.g. RSA).
2. The receiver needs to have access to the private key. It uses it to decrypt the session key.
Cheers
07-07-2011 11:39 AM
Hi,
Thanks for your valuable reply.
I have encrypted the file through SSF_KRN_ENVELOP using public key of the external server.
As per my understanding, the encrypted key is also included in the encrypted file. Is that right?
Our external server is VB.NET. They are not able to decrypt the file.
They are asking which method you are using for encryption. Symmetric or asymmetric?
If you are using symmetric then please provide us the encrypted key.
How to give them the encrypted key? Where should I get that? I am sure that the encrypted key is there in the encrypted file. How to read that key?
I am very new to SSF and not much documentation is available on SSF functionality. Please help.
Thanks in advance.
Hello experts. Please advise.
Edited by: monika dhumal on Jul 7, 2011 1:32 PM
07-07-2011 12:56 PM
Each AS ABAP server owns a public and private key pair to use for digitally signing. The private key is contained in the system PSE (personal security environment) (filename SAPSYS.pse; in Release 4.5, filename SAPSECU.pse), which is located in the subdirectory sec of the directory specified by the profile parameter DIR-INSTANCE. Only the user running the application server process (for example, <sid>adm) is allowed to access the files in the sec directory.
Try to pass the public and/or private key to the VB.NET 3rd party developer.
07-07-2011 10:16 PM
Yes, you are right. The session key is included in the file. You just need to tell them that it's in PKCS#7 format. For encryption, you need to know public key. For decryption you need to know private key. It's not clear what certificate you use but I would suggest to create a new one and import only public key into ABAP AS and only VB.NET application will have private key.
If you search for SSF here then you will find some threads about how it works and how to define new certificate.
Cheers
07-08-2011 7:59 AM
Hello Martin,
Thanks a lot for your replies.
I have done everything from my side. My encrypted file contains the encrypted secret key and the encrypted data.
On the external server I have given this file and they have their private key also.
But they are asking for separate files for the encrypted secret key and the encrypted data.
They are not able to decrypt the encrypted secret key. Their platform is VB.NET.
Is there any input you can give to separate the encrypted key from the encrypted file?
It will be very helpful.
Will it be possible from the SAP side, or do they have to do the separation of key and file?
Thanks in advance.
Monika
07-08-2011 11:42 AM
Just tell them to google PKCS#7. You can find for example this (http://www.jensign.com/JavaScience/verify/VerifyPKCS7.txt). Maybe they can start with Wikipedia (http://en.wikipedia.org/wiki/Cryptographic_Message_Syntax).
Cheers
07-11-2011 10:08 AM
Hi Martin,
Thanks for your valuable reply. But they are still not able to decrypt the file, as they just want two separate files: encrypted key and encrypted data.
Can you provide some hint so that I can share that with them?
How to decrypt the file encrypted by SAP ABAP using SSF ?
Thanks in advance.
Monika
Please help...
Edited by: monika dhumal on Jul 12, 2011 8:04 AM
07-12-2011 1:41 PM
Hi,
Can anybody tell me the details of the PKCS#7 enveloped data packet?
As per my info it contains:
1. Version number
2. Recipient information
3. Encrypted data
In 2., the recipient info has:
a. Version
b. Issuer/serial number
c. Key encryption algorithm
d. Encrypted key
Can anybody tell me the length of the session key, and from where to where the session key is stored?
Like 1 octet is the version number,
8 octets are the key id,
1 octet is the algorithm id used,
and a string of octets having the session key.
But I need the length of the session key.
Can anybody help me with this?
The external server is not able to decrypt the file as both key and data are encrypted in the same packet.
How can we separate that?
Hello Experts, waiting for your inputs. From the SAP side, which prerequisites does VB.NET need to decrypt the file?
Thanks in advance.
Monika
Edited by: monika dhumal on Jul 13, 2011 8:02 AM
Edited by: monika dhumal on Jul 13, 2011 9:01 AM
07-13-2011 12:41 PM
Hi Everyone,
Finally my external agency succeeded in decryption.
They used CryptoAPI for decryption.
But the file gets decrypted without XML tags. Only the data gets decrypted. How do we recover those tags?
Any idea.
Thanks
Monika
07-14-2011 12:09 AM
That's weird. Anyway, you can try to use base64 encoding to encode your data before encryption. The other side will have to decrypt and then decode from base64.
Cheers
07-10-2011 10:50 PM
There may be some confusion of terms here....
SSF with the sapseculib only supports digital signatures, not encryption with decryption.
You must have cryptographic libraries installed, even though the params for the SSF are called seculib and not cryptolib etc.
Cheers,
Julius