
What is the internal function to un-hash

Former Member
0 Kudos

Hi

SAP IDM uses the uGenHash internal function to hash a string for attributes like MX_PASSWORD, MX_AUTHQ_XXX, etc.

Does SAP IDM provide an internal function to un-hash the hashed string?

I have checked various internal functions; every encryption function [uEncrypt, uDESencrypt] is associated with a decryption function [uDecrypt, uDESdecrypt]. But there is no un-hashing function available in IDM.

I understand the aim of hashing is to ensure that text cannot be brought back to its original form. But before coming to a conclusion, I just wanted to seek advice from you.

Experts, please advise if this function is available or has anyone developed this before.

Thanks,

Anuj

Accepted Solutions (1)


former_member2987
Active Contributor
0 Kudos

Anuj,

Chris raises a valid point here.

However I have done a workaround in the past by editing the task that hashes the MX_AUTH values and adding in some custom attributes that then encrypt those values at the same time.

We then had a task limited to the help desk and SAP security teams that could view the answers to these questions in order to verify a caller's identity for phone based password changes.

Hope this helps!

Matt

Former Member
0 Kudos

Hi Matt,

We have a similar requirement to verify a user's identity over a phone call.

Which task is used to hash the MX_AUTH values? I don't see any task mentioned on this attribute. Is there a default task that is picked up based on the property of the attribute?

Thanks,

Anuj

former_member2987
Active Contributor
0 Kudos

Anuj,

Take a look at the Edit Authentication Questions task which you are directed to create as part of the Self-Service Password Reset Document from SAP. (http://scn.sap.com/docs/DOC-17111)

Regards,

Matt

Former Member
0 Kudos

Matt is right, you can modify the task where the authentication question/answers are registered to store the answers in clear-text or encrypted form in other attributes in addition to the hash.

My question to both of you, though, since you both have a similar requirement that makes my security senses go crazy 🙂

Since you want to make these responses visible, do you (and how) let the end-users know that these answers can be seen by support staff and not to use questions/answers used in other private settings like banking or social media accounts? Do you have a checkbox for them to verify that they understand what information they're potentially giving away? Do you let them choose their own questions to answer, or pre-define them? Do you log access by support staff when viewing these answers in clear text?

Br,

Chris

former_member2987
Active Contributor
0 Kudos

Chris,

In reality this is no different than the distinction between MX_PASSWORD and MX_ENCRYPTED_PASSWORD. That being said, I completely understand how you feel, and when I was first given the customer requirement, I raised the same points.

The idea is that there would be some Governance rules around visibility to these attributes. The task where the attribute was made visible is only open to 2 roles, and after the task has been completed, the attributes holding clear text answers were wiped from the database. Otherwise the attributes are held in encrypted form.

That's an interesting point about making the end user aware of how this data is used. I guess that needs to be made part of the overall privacy policy for external and internal users. I will have to remember that if I'm ever given the requirement again. I also like the idea about maintaining an external log of access to the task.

Former Member
0 Kudos

Thanks Matt, Chris.

I'll take note of all the considerations before implementing the solution.

Answers (1)


Former Member
0 Kudos

A hash by definition cannot be unhashed, as you say, and the original value is not stored. Brute force or dictionary attacks are the only way of finding the original value.

You should look at the uEncrypt function if you need reversible encoding. MX_ENCRYPTED_PASSWORD can be used when password provisioning is implemented as part of the IDM configuration.

Br,

Chris