Application Development Discussions
How to audit the in-use encryption algorithm of commoncryptolib?

josh_levy
Discoverer
0 Kudos

I am trying to determine which encryption algorithm is in use during saprouter to saprouter SNC connections.

In a lab environment, I have implemented saprouter to saprouter with SNC using some locally signed digital certificates. For these tests I used saprouter version 40.4 and sapcryptolib 5.5.5C pl36:

  Platform:   Linux on x86_64/x64 64-bit   (linuxx86_64_gcc33)
  Versions:   SAPGENPSE     1.5    pl36  (Jul  3 2013)
              SAPCRYPTOLIB  5.5.5C pl36  (Jul  3 2013) MT,AESNI,NB

I can verify from the saprouter log file that the sessions between the saprouters are indeed using SNC:

Tue Oct 29 15:59:57 2013 CONNECT FROM C19/- host 127.0.0.1/37733 (localhost)
Tue Oct 29 15:59:57 2013 CONNECT TO   S19/12 host 127.0.0.1/3298 (127.0.0.1) (p:CN=saprtr2)
Tue Oct 29 15:59:57 2013 ESTABLISHED  S19/12 (-/SNC)
Tue Oct 29 15:59:57 2013 DISCONNECT   C19/12 host 127.0.0.1/37733 (localhost)

In the saprouter level 3 trace files I see the following:

->> SncSetQOP(snc_hdl=0x1c435b0, min=default, max=default, qop=default)
<<- SncSetQOP()==SAP_O_K
     in: qop values = "min=8 (default), max=8 (default), use=8 (default)"
          resulting = "min=3 (old:3), max=3 (old:3), use=3 (old:3)"

where I understand QOP to be "Quality of Privacy" and level 9 is the highest. So here I'm nowhere near the highest privacy level. Perhaps I have no encryption on my SNC session at all?

I'm in the process of repeating the tests with commoncryptolib and the SAP Note 1848999 refers to many different encryption algorithms.

So my questions are:

1. How can I determine which encryption algorithm is in use during an SNC session?

2. How can I specify a minimum privacy level for SNC with saprouter?

Thank you,

Josh

3 REPLIES

Former Member
0 Kudos

When using SNC between saprouters, the maximum available QoP is always used. From the SAProuter documentation, is the following true in your case:

The following are prerequisites for setting up an SNC connection between two SAProuters:

  • Both SAProuters must have been started using the option -K <SNCname> (System i: '-K <SNCname>'). These names ensure the authenticity of a host.
  • There must be a KT entry in the route permission table of the source host. This causes the connection to the target host to use the SNC layer.
  • There must be a KP entry in both route permission tables, allowing the connection

martin_voros
Active Contributor
0 Kudos

Hi,

I think you are fine. 1 means authentication only (an attacker can see and manipulate data), 2 means integrity protection (an attacker can see data but can't change it) and 3 means privacy protection (an attacker can't see anything). Hence this line

resulting = "min=3 (old:3), max=3 (old:3), use=3 (old:3)"

should mean that you will always use the highest protection mode available. BTW if you sniff network traffic then you should immediately see whether it is a stream of bytes indistinguishable from a random string or plain text.

I can't find which cipher suite is actually used. It would be really nice to know.

Cheers
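The two checks discussed in this thread can be scripted from what is quoted here. The following is an added Python example, not code from any poster or from SAP: it reads the saprouter `ESTABLISHED ... (-/SNC)` log line and the `resulting = "min=3 ..."` trace line, maps the negotiated `use` level to the meaning given in the reply above (the 1 = authentication, 2 = integrity, 3 = privacy mapping is taken from that reply and assumed here; the `default` values 8 in the trace are not interpreted), and applies the sniffing heuristic from the same reply by scoring a payload for byte entropy and printable-character ratio. The log and trace text, the payloads and the thresholds are all constructed for illustration.

```python
import hashlib
import math
import re
from collections import Counter

# QoP level meanings as explained in the reply above (assumed mapping).
QOP_MEANING = {
    1: "authentication only (data visible and modifiable on the wire)",
    2: "integrity protection (data visible but tamper-evident)",
    3: "privacy protection (data encrypted)",
}

# Constructed copies of the log and trace lines quoted in the question.
SAPROUTER_LOG = """\
Tue Oct 29 15:59:57 2013 CONNECT FROM C19/- host 127.0.0.1/37733 (localhost)
Tue Oct 29 15:59:57 2013 CONNECT TO   S19/12 host 127.0.0.1/3298 (127.0.0.1) (p:CN=saprtr2)
Tue Oct 29 15:59:57 2013 ESTABLISHED  S19/12 (-/SNC)
Tue Oct 29 15:59:57 2013 DISCONNECT   C19/12 host 127.0.0.1/37733 (localhost)
"""
SAPROUTER_TRACE = """\
->> SncSetQOP(snc_hdl=0x1c435b0, min=default, max=default, qop=default)
<<- SncSetQOP()==SAP_O_K
     in: qop values = "min=8 (default), max=8 (default), use=8 (default)"
          resulting = "min=3 (old:3), max=3 (old:3), use=3 (old:3)"
"""

ESTABLISHED_RE = re.compile(r"ESTABLISHED\s+(\S+)\s+\(([^)]*)\)")
RESULTING_RE = re.compile(r'resulting\s*=\s*"([^"]*)"')
FIELD_RE = re.compile(r"\b(min|max|use)=(\d+)")

def snc_sessions(log_text):
    """Map each ESTABLISHED connection id to whether its trailing parenthesis reports SNC."""
    sessions = {}
    for line in log_text.splitlines():
        m = ESTABLISHED_RE.search(line)
        if m:
            sessions[m.group(1)] = "SNC" in m.group(2)
    return sessions

def negotiated_qop(trace_text):
    """Return {'min','max','use'} from the last 'resulting = ...' trace line, or None."""
    fields = None
    for line in trace_text.splitlines():
        m = RESULTING_RE.search(line)
        if m:
            fields = {k: int(v) for k, v in FIELD_RE.findall(m.group(1))}
    return fields

def describe_qop(fields):
    """Human-readable meaning of the negotiated 'use' level."""
    use = fields.get("use")
    return QOP_MEANING.get(use, f"unknown QoP level {use!r}")

def session_is_private(trace_text):
    """True only when the trace shows the negotiated 'use' level is privacy (3)."""
    fields = negotiated_qop(trace_text)
    return fields is not None and fields.get("use") == 3

def shannon_entropy(data):
    """Bits of entropy per byte (0.0 .. 8.0) of a byte string."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def printable_ratio(data):
    """Fraction of bytes that are printable ASCII or common whitespace."""
    if not data:
        return 0.0
    return sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13)) / len(data)

def looks_encrypted(payload, min_entropy=7.0, max_printable=0.7):
    """Heuristic from the reply above: ciphertext looks like uniform random bytes
    (high entropy, few printable characters). Thresholds are constructed for
    illustration; compressed data will also pass this check."""
    return shannon_entropy(payload) >= min_entropy and printable_ratio(payload) <= max_printable

def pseudo_random_bytes(n, seed=b"constructed"):
    """Deterministic stand-in for a captured encrypted payload (sha256 chain)."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])

# Constructed payloads: a plaintext log excerpt versus random-looking bytes.
PLAINTEXT_PAYLOAD = SAPROUTER_LOG.encode() * 8
CIPHERTEXT_PAYLOAD = pseudo_random_bytes(4096)

if __name__ == "__main__":
    print("SNC per session:", snc_sessions(SAPROUTER_LOG))
    qop = negotiated_qop(SAPROUTER_TRACE)
    print("negotiated QoP:", qop, "->", describe_qop(qop))
    for name, payload in (("plaintext", PLAINTEXT_PAYLOAD), ("ciphertext", CIPHERTEXT_PAYLOAD)):
        print(f"{name:10} entropy={shannon_entropy(payload):.2f} "
              f"printable={printable_ratio(payload):.2f} encrypted={looks_encrypted(payload)}")
```

Run it against the real log and level 3 trace files by replacing the constructed strings with the file contents. Note that this confirms only that SNC was negotiated at the privacy level and that a captured stream is not plaintext; as the reply says, neither source reveals which cipher suite is in use, and the entropy heuristic cannot tell encrypted from compressed data.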

Former Member
0 Kudos

This message was moderated.