Decrypt using Triple-DES algorithm

Former Member
0 Kudos

Hi folks,

The scenario is: my client receives messages in XML format; some of the fields are encrypted with the Triple-DES algorithm. This information is stored in a Z table of an SAP ERP 2005. The idea is to develop an ABAP report that reads this table and decrypts the encrypted fields.

I have already read almost all the information about Triple-DES on SAP Help. SSF (Secure Store and Forward) supports this kind of algorithm. But there is a contradiction: Triple-DES is a symmetric algorithm (the same key is used to encrypt and decrypt data); however, the infrastructure described on SAP Help shows only public key technology (asymmetric cryptography). Also, the SSF functions have parameters to fill, like recipient information, etc. Does that mean those functions are to be used with a public key algorithm?

As I have all the encrypted data in the tables and also the private key on my own, I think that I only need to call a function to decrypt data. So, does it mean only the SSF_DEVELOPE function is necessary?

I have more questions:

Where is the safe place to save the private key? (Transaction)

Which extra configurations do I need to do to start my ABAP report?

Which functions of the SSFG function group do I need to use? Like I said before, I think that I only need to decrypt the encrypted data, so does it mean only the SSF_DEVELOPE function is necessary?

Thanks a lot for your help.

Regards,

Ricardo.

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hello Ricardo,

The idea behind SSF is having a strong and safe encryption (and signature) of data. To ensure this, SSF uses hybrid encryption technology. The message itself is encrypted using a symmetric algorithm. For security reasons the key is randomly generated for each message, so there is no need to securely distribute and store a symmetric key. The key itself is then encrypted using a public key algorithm and attached to the encrypted message, which is formatted in a certain way (PKCS#7, S/MIME, etc.).

So I think you will not be successful decrypting your ciphertext with the SSF library...

5 REPLIES

WolfgangJanzen
Product and Topic Expert
0 Kudos

Well, when there is a message recipient then there's also a message sender. In your approach both have to share a symmetric key - this approach will not scale (without severe security impact). Furthermore the 3DES key seems to be static - and needs to be exchanged prior to usage ("somehow" offline).

As Michael has pointed out, there is a much better (hybrid) approach. In that case the recipient has to know the public key of the sender - and vice versa, the sender has to know the public key(s) of the (intended) recipient(s). That implies the requirement for a PKI (Public Key Infrastructure). This approach might look more complicated at first glance but has multiple advantages (regarding scalability and data security, including also aspects such as non-repudiation which cannot be achieved by using shared symmetric keys).

Especially for XML documents there are standards called "XML encryption" and "XML signature".

Regards, Wolfgang
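
The hybrid scheme described in the accepted answer and in Wolfgang's reply, as an added Java example that is not part of the thread and does not use SAP's SSF API: a random session key is generated per message, and only that key is encrypted with the recipient's public key. The choice of AES-GCM and RSA-OAEP, and the `Envelope` record standing in for a real PKCS#7 structure, are assumptions made for illustration.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.*;

public class HybridEnvelopeDemo {
    static final String WRAP = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";

    // Simplified stand-in for a PKCS#7 envelope (not the real ASN.1 format).
    record Envelope(byte[] wrappedKey, byte[] iv, byte[] ciphertext) {}

    // Sender: a fresh random session key per message, wrapped for the recipient.
    static Envelope seal(byte[] plaintext, PublicKey recipient) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey session = kg.generateKey();
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.ENCRYPT_MODE, session, new GCMParameterSpec(128, iv));
        byte[] ct = aes.doFinal(plaintext);
        Cipher rsa = Cipher.getInstance(WRAP);
        rsa.init(Cipher.ENCRYPT_MODE, recipient);
        return new Envelope(rsa.doFinal(session.getEncoded()), iv, ct);
    }

    // Recipient: unwrap the session key with the private key, then decrypt.
    static byte[] open(Envelope e, PrivateKey recipient) throws Exception {
        Cipher rsa = Cipher.getInstance(WRAP);
        rsa.init(Cipher.DECRYPT_MODE, recipient);
        SecretKey session = new SecretKeySpec(rsa.doFinal(e.wrappedKey()), "AES");
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.DECRYPT_MODE, session, new GCMParameterSpec(128, e.iv()));
        return aes.doFinal(e.ciphertext());
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair recipient = kpg.generateKeyPair();
        byte[] msg = "<amount>100.00</amount>".getBytes(StandardCharsets.UTF_8); // constructed sample
        byte[] back = open(seal(msg, recipient.getPublic()), recipient.getPrivate());
        System.out.println(new String(back, StandardCharsets.UTF_8));
    }
}
```

No symmetric key is stored or exchanged in advance here, which is the difference from a field encrypted directly with a static shared Triple-DES key.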

Former Member
0 Kudos

Hi folks,

For your information, I would like to tell you that the problem of my customer was fixed without SSF functions.

I took advantage of XI and developed an interface between SAP ERP and XI via ABAP proxy.

The scenario is: a report run in SE38 calls an outbound synchronous method of the ABAP proxy. The encrypted fields are sent to XI; in its turn, XI sends the message to the inbound interface (also ABAP proxy). This inbound interface has the simple role of sending the message back as it is (e.g. move input to output). Between the interfaces, I developed a Java mapping, and inside it I call a crypto class with the TDES algorithm and with my own key.

It works fine and the customer is satisfied.

Thanks for all,

Ricardo Pereira.

WolfgangJanzen
Product and Topic Expert
0 Kudos

Well, that's one possible approach.

Another one would be: write your own "decryption service" (either implemented as web service in Java or as RFC server in C) and call it from your ABAP application.

As stated above: there is no ABAP function module providing (plain) decryption functions. So, you have to find alternative solutions - as you did.

Still remains valid:

such symmetric algorithms (with static stored keys) are not a good solution.

That's why you'll not find any offerings in the standard (ABAP). For J2EE things are different.

Cheers, Wolfgang

0 Kudos

Wolfgang Janzen wrote:

As stated above: there is no ABAP function module providing (plain) decryption functions.

Hello Wolfgang (and others), is this statement of yours still true, now as of the year 2016?

So in other words: Can one use SAP SSF somehow to decrypt AES- (or alike) encrypted data?

Cheers!