SHA-1 Encryption of passwords

Former Member
0 Kudos

I believe that in NetWeaver 6.4 and above SHA-1 is used for password encryption. Does anyone know if a 'salt' is used when encrypting? If not, can use of a 'salt' be configured, and also verified? Thanks in advance.

1 ACCEPTED SOLUTION

WolfgangJanzen
Product and Topic Expert
0 Kudos

Hi Ron,

1st of all: SHA-1 is a hash function; that has nothing to do with encryption; encrypted data can be decrypted - however hashed data cannot be converted back to plain text. That's an advantage (when dealing with passwords).

Well, as of NetWeaver 7.0 (aka "2004s") ABAP systems support not only case-sensitive and longer passwords (up to 40 characters) but also use SHA-1 to calculate the password hash value. Yes, a salt is used - it's a deterministic salt (not a random salt) which is calculated based on the plaintext password and the userID. So, if two users have the same plaintext password their password hash values are different.

As of NetWeaver 7.1 ABAP systems do support (iterated) random-salted password hash algorithms (iterated SSHA-1).

Related SAP Notes:

- <a href="https://service.sap.com/sap/support/notes/1023437">1023437</a> (NW 7.0)

- <a href="https://service.sap.com/sap/support/notes/991968">991968</a> (NW 7.1)

Regards, Wolfgang
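
Added example, not part of the original thread and not SAP's implementation: a Python sketch contrasting the two schemes described in the answer above, a salt derived deterministically from user ID and password versus a random salt with iterated SHA-1. The salt derivation, the iteration count of 1024 and the `iterations$salt$digest` record format are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional


def deterministic_hash(user_id: str, password: str) -> str:
    """Salt derived from user ID + password (constructed derivation, not SAP's)."""
    salt = hashlib.sha1((user_id + ":" + password).encode()).digest()[:8]
    return hashlib.sha1(salt + password.encode()).hexdigest()


def iterated_random_hash(password: str, iterations: int = 1024,
                         salt: Optional[bytes] = None) -> str:
    """Random salt, SHA-1 applied `iterations` times (assumed record format)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.sha1(salt + password.encode()).digest()
    for _ in range(iterations - 1):
        digest = hashlib.sha1(digest + password.encode()).digest()
    enc = lambda b: base64.b64encode(b).decode()
    # Salt and iteration count are stored next to the digest so it can be verified.
    return f"{iterations}${enc(salt)}${enc(digest)}"


def verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and count, compare in constant time."""
    iterations, salt_b64, _ = record.split("$")
    expected = iterated_random_hash(password, int(iterations),
                                    base64.b64decode(salt_b64))
    return hmac.compare_digest(expected, record)


if __name__ == "__main__":
    # Constructed sample users and password.
    print(deterministic_hash("ALICE", "Secret123"))
    print(deterministic_hash("BOB", "Secret123"))    # differs: user ID feeds the salt
    print(deterministic_hash("ALICE", "Secret123"))  # identical to the first line
    rec = iterated_random_hash("Secret123")
    print(rec, verify("Secret123", rec), verify("wrong", rec))
```

With the deterministic salt, the same user ID and password always produce the same hash, so a value computed once is valid wherever that pair is reused; with a random salt, every stored record differs and each guess costs the full iteration count.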
