10-26-2007 12:59 PM
Hello,
Does someone know where I could find information about the protection of the password of users authenticating remotely to a SAP system (especially when using SAP GUI, and when using RFC connections)?
I'm interested in the encryption algorithm used: is it proprietary? Based on a standard cryptographic algorithm? With what key length and in what mode?
Thanks!
11-05-2007 3:18 PM
Please have a kind look at <a href="https://service.sap.com/sap/support/notes/66687">SAP Note 66687</a> regarding "Secure Network Communication" (SNC).
Without SNC, data transmitted via RFC or DIAG (= the protocol used by SAPGUI) is not encrypted (due to the fact that cryptographic software is subject to export control).
Notice: SNC is based on GSS-API (Generic Security Service API) and allows configuring the desired Quality-of-Protection (QoP) level, such as
- authentication
- authentication + integrity
- authentication + integrity + confidentiality
If you want to ensure that the transmitted data is encrypted, you need to demand "confidentiality".
Regards, Wolfgang
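To make the QoP levels above checkable on a system, here is an added example (not from this thread or from SAP) that audits an instance profile: it parses the SNC profile parameters (snc/enable, snc/data_protection/min, snc/accept_insecure_gui, snc/accept_insecure_rfc, standard SAP parameter names not mentioned in the posts) and reports why RFC or DIAG traffic could still be sent without confidentiality. The two sample profiles are constructed.

```python
# Added example: audit an SAP instance profile for the SNC QoP settings
# described above. Parameter names are standard SAP profile parameters.

# QoP levels as encoded in snc/data_protection/*:
#   1 = authentication, 2 = + integrity, 3 = + confidentiality (privacy)
QOP_NAMES = {1: "authentication", 2: "integrity", 3: "confidentiality"}

def parse_profile(text):
    """Parse 'name = value' lines of an instance profile into a dict.
    Lines starting with '#' are comments; later definitions win."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params

def snc_findings(params):
    """Return reasons why RFC/DIAG traffic may still flow without confidentiality."""
    if params.get("snc/enable", "0") != "1":
        # Without SNC neither RFC nor DIAG is encrypted at all.
        return ["snc/enable is not 1: RFC and DIAG traffic is not encrypted"]
    findings = []
    min_qop = params.get("snc/data_protection/min")
    if min_qop is None:
        findings.append("snc/data_protection/min not set: kernel default applies, verify it")
    elif int(min_qop) < 3:
        findings.append(f"snc/data_protection/min={min_qop} ({QOP_NAMES[int(min_qop)]}): "
                        "a lower QoP than confidentiality is accepted")
    # These two allow unprotected logons in parallel to SNC-protected ones.
    for name, what in (("snc/accept_insecure_gui", "SAP GUI logons"),
                       ("snc/accept_insecure_rfc", "RFC connections")):
        if params.get(name, "0") != "0":
            findings.append(f"{name}={params[name]}: {what} without SNC are still accepted")
    return findings

WEAK_PROFILE = """# constructed sample
snc/enable = 1
snc/data_protection/min = 1
snc/accept_insecure_gui = 1
"""
HARDENED_PROFILE = """# constructed sample
snc/enable = 1
snc/data_protection/min = 3
snc/accept_insecure_gui = 0
snc/accept_insecure_rfc = 0
"""

if __name__ == "__main__":
    for label, prof in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(label, snc_findings(parse_profile(prof)) or ["ok"])
```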
10-26-2007 3:03 PM
Hi Phil,
Which release level are you on?
Is it ABAP to ABAP RFC call?
Generally speaking, you can eliminate the password using Trusted RFC, but you need to be very careful when you set it up.
There is a security guide on it in service.sap.com/security.
A useful starting point is SAP note 128447.
also contains useful information and links.
I am not sure about the proprietary interests of the algorithm... I suspect that legality will kick in earlier.
Take care,
Julius
10-29-2007 1:30 PM
Hello Julius,
We use SAP R/3 v4.6c.
The links you posted are very interesting. However, I am trying to understand the reasons behind it, and not being an SAP specialist, I lack the technical details to form a personal opinion on the best way to handle RFC connections securely.
I need to compile info from several documents to be able to do so, it seems.
Protection of the passwords is just one element, but I could find nowhere what "encryption" is used. I have read in a "blackhat" presentation that passwords are not encrypted, but rather obfuscated. But every official document mentions encryption, hence I would like to have some more details about the encryption algorithm. Is it based on a standard like AES or TripleDES, for example?
Thanks again for your help.
10-29-2007 4:22 PM
Hi Phil,
So your concerns are about the transmission of the password and not just the hash saved in table RFCDES. Perhaps the guides and documents in the Infrastructure and Network Security sections will be more helpful to you then (see the topics on SNC, for example). However, note that those documents are often "geared" towards higher releases than 4.6C, so not all will necessarily be applicable.
If you would like to research a security topic beyond the system at hand and the documentation on it, then I would recommend contacting s e c u r i t y ( a t ) s a p ( d o t ) c o m
From time to time I have asked a question or two about things which I have found and <i>they</i> are responsive and even appreciate efforts to improve security.
Cheers,
Julius