topic Re: Remote password based authentication in Application Development and Automation Discussions

Remote password based authentication

Former Member — Fri, 26 Oct 2007 11:59:51 GMT

Hello,

Does someone know where I could find information about the protection of the password of users authenticating remotely to a SAP system (especially when using SAP GUI, and when using RFC connections)?

I'm interested in the encryption algorithm used: is it proprietary? Based on a standard cryptographic algorithm? With what key length and in what mode?

Thanks!

Re: Remote password based authentication

Former Member — Fri, 26 Oct 2007 14:03:17 GMT

Hi Phil,

Which release level are you on?

Is it ABAP to ABAP RFC call?

Generally speaking, you can eliminate the password using Trusted RFC, but you need to be very careful when you set it up.

There is a security guide on it in service.sap.com/security.

A useful starting point is SAP note 128447.

also contains usefull information and links.

I am not sure about the proprietary interests of the algorithm... I suspect that legality will kick in earlier

Take care,

Julius

Re: Remote password based authentication

Former Member — Mon, 29 Oct 2007 13:30:42 GMT

Hello Julius,

We use SAP R/3 v4.6c.

The links you posted are very interesting. However, I try to understand the reason behinds, and not being a SAP specialist, I lack technical details to make a personal opinion on the best way to handle RFC connections in a secure way.

I need to compile info from several documents to be able to do so, it seems.

Protection of the passwords is just one element, but I could find nowhere what "encryption" is used. I have read in a "blackhat" presentation that passwords are not encrypted, but rather obfuscated. But every official document mention encryption, hence I would like to have some more details about the encryption algorithm. Is it based on a standard like AES or TripleDES, for example.

Thanks again for your help.

Re: Remote password based authentication

Former Member — Mon, 29 Oct 2007 16:22:40 GMT

Hi Phil,

So your concerns are about the transmission of the password and not just the hash saved in table RFCDES. Perhaps the guides and documents in the Infrastructure and Network Security sections will be more helpfull to you then (see topics on SNC for example). However note that those documents are often "geared" towards higher releases than 4.6C, so not all will necessarily be applicable.

If you would like to research a security topic beyond the system at hand and the documentation on it, then I would recommend contacting s e c u r i t y ( a t ) s a p ( d o t ) c o m

From time to time I have asked a question or two about things which I have found and <i>they</i> are responsive and even appreciate efforts to improve security.

Cheers,

Julius

Re: Remote password based authentication

Former Member — Mon, 05 Nov 2007 08:56:51 GMT

Thanks for your help!

Re: Remote password based authentication

Wolfgang_Janzen — Mon, 05 Nov 2007 15:18:31 GMT

Please have a kind look on <a href="https://service.sap.com/sap/support/notes/66687">SAP Note 66687</a> regarding "Secure Network Communication" (SNC).

Without SNC data transmitted via RFC or DIAG (= protocol used by SAPGUI) is not encrypted (due to the fact that cryptographic software is subject of export control).

Notice: SNC is based on GSS-API (Generic Security Service API) and allows to configure the desired Quality-of-Protection (QoP) level, such as

- authentication

- authentication + integrity

- authentication + integrity + confidentiality

If you want to ensure that the transmitted data is encrypted, you need to demand "confidentiality".

Regards, Wolfgang