Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Digital Signatures with Smart Cards

Go to solution
Former Member

‎02-05-2007 5:44 PM

0 Kudos

Hi folks,

It is my first time with digital signatures on R/3 system. I’m at customer that uses smart cards (hardware cryptography). We are doing the SAPCRYPTOLIB and front end installations. After finish these tasks, we need to implement the signatures into 3 workflow processes. I already read the SSF programmers guide, API specifications and SSF user guide. But I still have some doubts:

The SSF profile is stored into smart card with private key information, but where are the public keys stored? (PAB – Private Address Book of my trusted circle).

Do I need the CRLs? Note: this is only for workflow processes that run inside of customer landscape; this is not a B2B scenario.

We don’t have clear yet how we sign the data; we are thinking sign a BOR object. Create an attribute and use it to pass the signer data. Note: for the customer, the objective is user authenticity guarantee.

The BOR object instance ends when the flows finish, so wee need to store the signed data for auditable reasons. A database table can be a good approach or there is another standard way?

P.S.: anyone have documentation about this subject, something like how-to with guidelines?

Thanks in advance,

Ricardo.

Message was edited by:

Ricardo Quintino

1 ACCEPTED SOLUTION

Go to solution
WolfgangJanzen
Product and Topic Expert
Product and Topic Expert

‎02-06-2007 9:07 AM

0 Kudos

The SmartCard device is present at the frontend PC - and that's the place where the digital signature operation has to take place. Important is the "What You See Is What You Sign" principle: it has to be ensured that the data that is to be signed (using the private key stored on the SmartCard) is exactly the same as the one that is displayed to the user.

Notice: there is a different scenario where the server is signing the data (after prompting the user for userID and password and validating that information).

The signed data is then transported back to the server where it is stored (to ensure auditibility); usually you'll have to keep the (archived) data for years; the public key need to be archived as well.

Notice: it is possible to attach the certificate (-> public key) which has been used to sign the data to the signed data.

Regards, Wolfgang

1 REPLY 1

Go to solution
WolfgangJanzen
Product and Topic Expert
Product and Topic Expert

‎02-06-2007 9:07 AM

0 Kudos

The SmartCard device is present at the frontend PC - and that's the place where the digital signature operation has to take place. Important is the "What You See Is What You Sign" principle: it has to be ensured that the data that is to be signed (using the private key stored on the SmartCard) is exactly the same as the one that is displayed to the user.

Notice: there is a different scenario where the server is signing the data (after prompting the user for userID and password and validating that information).

The signed data is then transported back to the server where it is stored (to ensure auditibility); usually you'll have to keep the (archived) data for years; the public key need to be archived as well.

Notice: it is possible to attach the certificate (-> public key) which has been used to sign the data to the signed data.

Regards, Wolfgang