2012 Jan 18 7:40 PM
Hi,
I made an RFC to check user/password in R/3. It has two input parameters:
IV_USER
IV_PASSWORD
Example:
IV_USER = ROBERTW
IV_PASSWORD = bed123
I'm using function SUSR_LOGIN_CHECK_RFC and it works fine.
The RFC is called from an external third party device via SAP PI. The third party asks for the user and password and then calls the RFC to check if the values are correct.
Here is the thing. The password isn't encrypted. I want to send the password encrypted, but I don't know how to check if it's the correct password.
Any ideas?
2012 Jan 24 4:03 AM
Thank you both for the suggestions, thanks for the help!
I'm going to keep the question open so I can post the implementation when I'm done.
2012 Jan 18 7:57 PM
USR02-PASSCODE stores the hashed password. Assuming you used the same hashing algorithm you could compare them, although without doing more research I don't know if or how SAP might be salting that hash.
2012 Jan 18 8:22 PM
Agree upon an encryption methodology; both use the same. The 3rd party will encrypt and you will decrypt using the same key, then call the RFC. For that you need a wrapper RFC ZFuncModule which internally will call this SUSR_LOGIN_CHECK_RFC.
2012 Jan 18 8:53 PM
Rob,
Do you mean to say 4th party -> 3rd party -> PI -> SAP?
But still the 4th party needs the password, right? Without the password, what will they do with the key? Keep generating passwords?
2012 Jan 18 8:59 PM
Given bot the key and the encrypted password, a hacker could determine the password.
This is why we use both public and private keys to encrypt and decrypt data.
Rob
2012 Jan 18 9:02 PM
How would the bot know the encrypted password?
Rob, I am not arguing, just trying to know what you have experienced.
2012 Jan 18 9:11 PM
I have no experience here, but I do know that single key encryption is weak. Have a look at [Public-key cryptography|http://en.wikipedia.org/wiki/Public/private_key_cryptography]
Germany lost the Second World War sooner than it would have because it relied on its Enigma encryption/decryption devices. They thought their single key was unbreakable. But Polish code breakers got hold of one and passed it to the British.
Rob
2012 Jan 18 9:25 PM
Haha, you went too deep.
The British in that case intercepted the German transmissions to get the encrypted message through the transmission lines (waves). In this case also, only if the 4th party intercepts the message sent from the 3rd party to PI will that cause damage.
Moreover, I am waiting for the OP to tell us where he/she wants the encryption to happen and from whom. I think the result should lean towards that.
2012 Jan 18 8:56 PM
Marian, it would be better if you describe the flow and where you need the encryption, and from whom you want to hide this password.
2012 Jan 19 4:23 AM
OP here, sorry for the delay and thanks for your input :).
@Bryan Cain, I've tried to do that but I don't know what hashing algorithm SAP uses to store passwords in USR02. Do you know which one it is?
@Soumyaprakash Mishra and @Rob Burbank, here is the complete scenario.
We built a smartphone application (coded in Java). The communication goes like this:
SMARTPHONE --- via a WebService ---> PI --- via RFC ---> R/3
So, in the smartphone the user types in ROBERTW / bed123 (user / password) and clicks the button "Login". This data is sent via Web Service to PI, and then to the RFC (a wrapper ZFunction Module that calls SUSR_LOGIN_CHECK_RFC).
I think it is a good solution that the smartphone encrypts the password (with a private key) and then in R/3 I decrypt the password (with the same private key). But do you know a hashing algorithm that allows encrypting in Java and decrypting in ABAP?
I want that in the WebService the password is already encrypted so no one can see "bed123", but instead they see "aaf99839adef" or something like that.
2012 Jan 20 8:41 PM
In my 10 minutes of research, I could not find how SAP hashes passwords.
As pointed out above, I don't think you want to use the same key to encrypt and decrypt. If the wrong person gets a hold of your smartphone app they would likely be able to determine the key and therefore be able to intercept and decrypt transmissions. You probably want public/private key encryption. The smartphone app would have your public key. The app could then encrypt the password and only you (with the private key) could decrypt it successfully.
PGP or GPG should do what you need - I believe there are bolt-ons for SAP and there are almost certainly java implementations you could use.
2012 Jan 21 4:08 AM
In SE37 go for "*encrypt" and "decrypt*" and press F4.
But I think you should go for a proper security method agreed by both the 3rd party and the ERP owners.
2016 Jan 25 12:04 AM
SAP doesn't encrypt / decrypt the passwords in USR02, but uses hashing algorithms instead.
2013 Apr 18 3:32 PM
Hello. Posting the solution, a bit late, but here we go.
I encrypted the file myself in the sender with a private key and decrypted in the receiver with the same private key.
Thanks to all!