02-19-2014 6:05 AM
I am trying to determine which encryption algorithm is in use during saprouter to saprouter SNC connections.
In a lab environment, I have implemented saprouter to saprouter with SNC using some locally signed digital certificates. For these tests I used saprouter version 40.4 and sapcryptolib 5.5.5C pl36:
Platform: Linux on x86_64/x64 64-bit (linuxx86_64_gcc33)
Versions: SAPGENPSE 1.5 pl36 (Jul 3 2013)
SAPCRYPTOLIB 5.5.5C pl36 (Jul 3 2013) MT,AESNI,NB
I can verify from the saprouter log file that the sessions between the saprouters are indeed using SNC:
Tue Oct 29 15:59:57 2013 CONNECT FROM C19/- host 127.0.0.1/37733 (localhost)
Tue Oct 29 15:59:57 2013 CONNECT TO S19/12 host 127.0.0.1/3298 (127.0.0.1) (p:CN=saprtr2)
Tue Oct 29 15:59:57 2013 ESTABLISHED S19/12 (-/SNC)
Tue Oct 29 15:59:57 2013 DISCONNECT C19/12 host 127.0.0.1/37733 (localhost)
In the saprouter level 3 trace files I see the following:
->> SncSetQOP(snc_hdl=0x1c435b0, min=default, max=default, qop=default)
<<- SncSetQOP()==SAP_O_K
in: qop values = "min=8 (default), max=8 (default), use=8 (default)"
resulting = "min=3 (old:3), max=3 (old:3), use=3 (old:3)"
where I understand QOP to be "Quality of Privacy" and level 9 is the highest. So here I'm nowhere near the highest privacy level. Perhaps I have no encryption on my SNC session at all?
I'm in the process of repeating the tests with commoncryptolib and the SAP Note 1848999 refers to many different encryption algorithms.
So my questions are:
1. How can I determine which encryption algorithm is in use during an SNC session?
2. How can I specify a minimum privacy level for SNC with saprouter?
Thank you,
Josh
02-19-2014 6:32 AM
When using SNC between saprouters, the maximum available QoP is always used. From the SAProuter documentation, is the following true in your case:
The following are prerequisites for setting up an SNC connection between two SAProuters:
02-19-2014 8:54 AM
Hi,
I think you are fine. 1 means authentication only (an attacker can see and manipulate data), 2 means integrity protection (an attacker can see data but can't change it) and 3 means privacy protection (an attacker can't see anything). Hence this line
resulting = "min=3 (old:3), max=3 (old:3), use=3 (old:3)"
should mean that you will always use the highest protection mode available. BTW, if you sniff the network traffic you should immediately see whether you get a stream of bytes indistinguishable from a random string, or plain text.
I can't find which cipher suite is actually used. It would be really nice to know.
Cheers
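A small checker, added here as an example (not from the thread, the SAProuter docs or SAP), that applies the QoP interpretation above to the two lines Josh quoted: it extracts the negotiated min/max/use values from the SncSetQOP "resulting" trace line, confirms the ESTABLISHED log line shows SNC, and reports whether privacy (3) is actually in effect. The sample lines are copied from the thread; the "weak" variant is constructed to show the failing case.

```python
import re

# QoP meaning as explained in the reply above (1/2/3). The "in:" line shows
# requested values such as 8 ("default"); only the "resulting" line tells
# you what was negotiated, so that is what we parse.
QOP_MEANING = {
    1: "authentication only (data visible and modifiable)",
    2: "integrity protection (data visible but tamper-evident)",
    3: "privacy protection (data encrypted)",
}

RESULT_RE = re.compile(r'resulting\s*=\s*"min=(\d+).*?max=(\d+).*?use=(\d+)')
ESTABLISHED_RE = re.compile(r"ESTABLISHED\s+(\S+)\s+\(([^/]+)/([^)]+)\)")

# Lines quoted in the thread (saprouter level 3 trace and saprouter log).
SAMPLE_TRACE = 'resulting = "min=3 (old:3), max=3 (old:3), use=3 (old:3)"'
SAMPLE_LOG = "Tue Oct 29 15:59:57 2013 ESTABLISHED S19/12 (-/SNC)"
# Constructed variant: a session negotiated down to integrity only.
WEAK_TRACE = 'resulting = "min=2 (old:3), max=2 (old:3), use=2 (old:3)"'


def parse_qop_result(trace_text):
    """Return (min, max, use) from the SncSetQOP 'resulting' line, or None."""
    m = RESULT_RE.search(trace_text)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def snc_established(log_text):
    """Return the ids of sessions whose ESTABLISHED line is flagged SNC."""
    return [m.group(1) for m in ESTABLISHED_RE.finditer(log_text)
            if m.group(3) == "SNC"]


def check_privacy(trace_text, log_text, required=3):
    """Verdict: SNC on the session and negotiated 'use' QoP >= required."""
    qop = parse_qop_result(trace_text)
    sessions = snc_established(log_text)
    use = qop[2] if qop else None
    ok = bool(sessions) and use is not None and use >= required
    return {"snc_sessions": sessions, "qop_use": use,
            "meaning": QOP_MEANING.get(use, "unknown"), "privacy_ok": ok}


if __name__ == "__main__":
    print(check_privacy(SAMPLE_TRACE, SAMPLE_LOG))  # privacy_ok: True
    print(check_privacy(WEAK_TRACE, SAMPLE_LOG))    # privacy_ok: False
```

Note that this only confirms the protection level; as the reply says, the trace does not name the cipher suite.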
05-20-2014 4:50 PM