Encryption and Decryption between SSF SAP and VB.Net

monika_dhumal
Participant
0 Kudos

Hello all,

Overview of issue -

SAP is encrypting payroll XML file using SSF Technology. The external agency uses RSACryptoServiceProvider in VB.Net for decryption. The encrypted data is sent to SAP in Binary format.

The SAP system is ECC 6.0 and we are using SAPCryptolib and we are using the public key shared by external agency to do the encryption. Security Product is SAPSECULIB, SSF format PKCS#7.

While decrypting the file using Base64 option they are getting error of invalid characters.

So I converted the encrypted data into BASE64 and tried decryption. Then we are getting error Invalid File Length.

Request help on this - Is this a data issue on the SAP side OR is this something not technically possible because we are using different security products for encryption (RSACryptoServiceProvider) and decryption (SAPSECULIB)?

Thanks

Monika

1 ACCEPTED SOLUTION

martin_voros
Active Contributor

Hi,

What do you mean by "using Base64 option"? As you said, SSF produces output in PKCS#7 format. So the receiver needs to be able to decrypt this format. You can use Base64 encoding for transfer of binary data between systems, but it's not related to encryption. The other thing you can do is to convert your data to Base64 encoding and then use SSF to encrypt it into PKCS#7 format.

Cheers

13 REPLIES 13

0 Kudos

Can you please clear my doubts:

1. SSF Encryption is Symmetric or Asymmetric?

2. After encrypting the file using receiver's Public key, which details do I need to send him back? Currently I am sending only the encrypted file. What else do I need to send him?

Any Inputs Please.

Thanks

Monika

Edited by: monika dhumal on Jul 7, 2011 11:15 AM

0 Kudos

1. Both. It generates a session key which is used to encrypt data using a symmetric cipher (e.g. AES) and this key is encrypted using an asymmetric cipher (e.g. RSA).

2. Receiver needs to have access to private key. It uses it to decrypt session key.

Cheers

0 Kudos

Hi,

Thanks for your valuable reply.

I have encrypted the file through SSF_KRN_ENVELOP using public key of the external server.

As per my understanding the Encrypted key is also included in the encrypted file. Is it right?

Our external server is VB.NET. They are not able to decrypt the file.

They are asking which method you are using for encryption. Symmetric or Asymmetric?

If you are using symmetric then please provide us the Encrypted key.

How to give them the Encrypted key? Where should I get that? I am sure that the encrypted key is there in the encrypted file. How to read that key?

Very new to SSF and not much documentation available on SSF Functionality. Please help.

Thanks in advance.

Hello experts. Please advise.

Edited by: monika dhumal on Jul 7, 2011 1:32 PM

0 Kudos

Each AS ABAP server owns a public and private key pair to use for digitally signing. The private key is contained in the system PSE (personal security environment) (filename SAPSYS.pse; in Release 4.5, filename SAPSECU.pse), which is located in the subdirectory sec of the directory specified by the profile parameter DIR-INSTANCE. Only the user running the application server process (for example, <sid>adm) is allowed to access the files in the sec directory.

Try to pass to VBNET 3rd party developer, public and/or private key.

0 Kudos

Yes, you are right. The session key is included in the file. You just need to tell them that it's in PKCS#7 format. For encryption, you need to know public key. For decryption you need to know private key. It's not clear what certificate you use but I would suggest to create a new one and import only public key into ABAP AS and only VB.NET application will have private key.

If you search for SSF here then you will find some threads about how it works and how to define new certificate.

Cheers

0 Kudos

Hello Martin,

Thanks a lot for your replies.

I have done everything from my side. My encrypted file contains encrypted secret key and encrypted data.

On the external server I have given this file and they have their private key also.

But they are asking for the separate files for Encrypted Secret key and Encrypted data.

They are not able to decrypt the encrypted secret key. Their platform is VB.NET.

Is there any input you can give to separate the encrypted key from encrypted file?

It will be very helpful.

Will it be possible from SAP Side or do they have to do the separation of key and file?

Thanks in advance.

Monika

0 Kudos

Just tell them to google PKCS#7. You can find for example this (http://www.jensign.com/JavaScience/verify/VerifyPKCS7.txt). Maybe they can start with Wikipedia (http://en.wikipedia.org/wiki/Cryptographic_Message_Syntax).

Cheers

0 Kudos

Hi Martin,

Thanks for your valuable reply. But still they are not able to decrypt the file as they just want two separate files, encrypted key and encrypted data.

Can you provide some hint so that I can share that with them?

How to decrypt the file encrypted by SAP ABAP using SSF ?

Thanks in advance.

Monika

Please help...

Edited by: monika dhumal on Jul 12, 2011 8:04 AM

0 Kudos

Hi,

Can anybody tell me the details of PKCS#7 enveloped data packet.

As per my info it contains :

1. Version number

2. Recipient Information

3. Encrypted data

in 2. Recipient info :

it has a. Version

b. Issuer/serial number

c. Key encryption algorithm

d. encrypted key

can anybody tell me the length of session key. from where to where the session key is stored.

like 1 octet is version number

8 octets are key id

1 octet is used algorithm id

and string of octets having session key.

But i need the length of session key.

can anybody help me in this.

External server is not able to decrypt the file as both key and data is encrypted in the same packet.

how can we separate that?

Hello Experts, Waiting for your inputs. From SAP side, which prerequisite VB.NET needs to decrypt the file?

Thanks in advance.

Monika

Edited by: monika dhumal on Jul 13, 2011 8:02 AM

Edited by: monika dhumal on Jul 13, 2011 9:01 AM
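
The PKCS#7 EnvelopedData layout asked about above, as an added example that is not part of the original thread: a minimal Python DER walker that returns each recipient's encryptedKey and the encryptedContent, so both pieces can be seen as fields of one container. It assumes the RFC 2315 layout with key-transport recipients and definite-length DER; the sample message is constructed, with dummy bytes in place of a real wrapped key and ciphertext, and `read_tlv`, `children`, `split_enveloped_data` and `tlv` are names chosen here.

```python
# Added example: split a DER PKCS#7 EnvelopedData into encryptedKey(s) and encryptedContent.
ENVELOPED_DATA = bytes.fromhex("2a864886f70d010703")  # OID 1.2.840.113549.1.7.3

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first == 0x80:
        raise ValueError("indefinite-length BER is not handled in this sketch")
    length = first                        # short form: the byte is the length
    if first & 0x80:                      # long form: next (first & 0x7f) bytes
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    # Split the contents of a constructed element into (tag, value) pairs.
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def split_enveloped_data(der):
    """Return ([encryptedKey per recipient], encryptedContent)."""
    content_info = children(read_tlv(der, 0)[1])
    if content_info[0][1] != ENVELOPED_DATA:
        raise ValueError("not a PKCS#7 EnvelopedData")
    enveloped = children(children(content_info[1][1])[0][1])
    _version, recipient_infos, encrypted_content_info = enveloped[:3]
    # RecipientInfo: version, issuerAndSerialNumber, keyEncryptionAlgorithm, encryptedKey
    keys = [children(ri)[3][1] for _tag, ri in children(recipient_infos[1])]
    return keys, children(encrypted_content_info[1])[2][1]

# DER encoder and constructed sample; dummy bytes stand in for the wrapped key and ciphertext.
def tlv(tag, body):
    n = len(body)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

RSA = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010101")) + tlv(0x05, b""))
AES = tlv(0x30, tlv(0x06, bytes.fromhex("608648016503040102")) + tlv(0x04, bytes(16)))
RECIPIENT = tlv(0x30, tlv(0x02, b"\x00") + tlv(0x30, tlv(0x30, b"") + tlv(0x02, b"\x01"))
                + RSA + tlv(0x04, b"\xAA" * 256))
ECI = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010701")) + AES + tlv(0x80, b"\xBB" * 32))
SAMPLE = tlv(0x30, tlv(0x06, ENVELOPED_DATA)
             + tlv(0xA0, tlv(0x30, tlv(0x02, b"\x00") + tlv(0x31, RECIPIENT) + ECI)))
```

Each field's length comes from its DER length prefix rather than a fixed offset; for RSA key transport the encryptedKey is as long as the recipient's RSA modulus (256 bytes for a 2048-bit key).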

0 Kudos

Hi Everyone,

Finally my external agency got a success in decryption.

They used CryptoAPI for Decryption.

But the file gets decrypted without XML Tags. Only data gets decrypted. How to recover those tags?

Any idea.

Thanks

Monika

0 Kudos

That's weird. Anyway, you can try to use base64 encoding to encode your data before encryption. The other side will have to decrypt and then decode from base64.

Cheers

Former Member
0 Kudos

There may be some confusion of terms here....

SSF with the sapseculib only supports digital signatures, not encryption with decryption.

You must have cryptographic libraries installed, even though the params for the ssf are called seculib and not cryptolib etc.

Cheers,

Julius