Develop Reference

How to use Encryption in SAP

SAP servers are capable of encrypting and hashing data. But there doesn't appear to be a suitable API to call. SAP Note 1456433 talks about the class CL_SEC_SXML_XENCRYPTION. The signature of basic encryption is clearly geared towards SSF and unsuitable to basic private key encryption/decryption. I don't want/need envelopes and user certificates. Just private keys.
I found an AES library on GitHub AES library in ABAP and tweaked that to suit us. But it is very slow. I would like to use the encryption libraries SAP has. Clearly, the libraries are there but find a suitably exposed API seems the issue.
Does anybody know how to use basic encryption in SAP?
In SAP ABAP stack, using ABAP.
Eg (a call to use AES-CBC 128, with PKCS7 padding
where only a private key and data to encrypt is required. As example:
public static method encrypt_xstring
importing i_key type xstring
i_data type xstring
i_initialization_vector type xstring optional
i_padding_standard type char10 optional
i_encryption_mode type char10 optional
exporting e_data type xstring
Use case is encrypting data on clients with a private key and sending the data to SAP system. The source supports private keys and libraries like AES-CBC.
And we have encrypted data interchange working.
Next step is to use a supported and faster library.
EDIT: In case anyone needs to encryption / decryption properly in abap
And is looking at the answer. Use class CL_SEC_SXML_WRITER.
CL_SEC_SXML_WRITER was exactly what i was looking for
BUT SAP didnt expose it properly. It is only useful for encryption no decryption.
When interacting with external libraries. Where PKCS7 padding is used and SALTs
or Initialization vectors are required.
SAP offer an ENCRYPT_IV but no Decrypt_IV. Why ????
So you cant use the tool and remain compliant. :(
It is not considered safe to use AES-CBC without IV.
Why would SAP do that ?
ENCRYPT_IV instead of ENCRYPT but no DECRYPT_IV
The offer an Add Padding but no remove padding. OK roll your own padding removal, no big deal. Its like the must be another library for the other direction.
So i can use the tool to encrypt but not decrypt.
My main problem was decrypting quickly strings sent from a mobile device.
So still need to use the old ABAP code for that :(

I have similar requirements and I found the cl_sec_sxml_writer class. Please have a look at the following example. Note that the writer requires XSTRING parameters which is why I'm using conversion classes.
REPORT zged_aes.
DATA lv_message_string TYPE string.
" create message
DATA(lr_conv_sec) = cl_abap_conv_out_ce=>create( ).
lr_conv_sec->write( data = 'This is my secret' ).
" create key
DATA(lr_conv_key) = cl_abap_conv_out_ce=>create( ).
lr_conv_key->write( data = 'MySymmetricKey' ).
" encrypt using AES256
cl_sec_sxml_writer=>encrypt(
EXPORTING
plaintext = lr_conv_sec->get_buffer( )
key = lr_conv_key->get_buffer( )
algorithm = cl_sec_sxml_writer=>co_aes256_algorithm_pem
IMPORTING
ciphertext = DATA(lv_message) ).
" decrypt message
cl_sec_sxml_writer=>decrypt(
EXPORTING
ciphertext = lv_message
key = lr_conv_key->get_buffer( )
algorithm = cl_sec_sxml_writer=>co_aes256_algorithm_pem
IMPORTING
plaintext = DATA(lv_message_decrypted) ).
" convert xstring to string for output
cl_abap_conv_in_ce=>create( input = lv_message_decrypted)->read( IMPORTING data = lv_message_string ).
" output secret message
WRITE lv_message_string.
I tested it on a NetWeaver 7.50 SP 6 system.

I got the ENCRYPT_IV method to work alongside method DECRYPT of class CL_SEC_SXML_WRITER.
The caveat here is that I didn't generate the Symmetric Key and IV by making use of Class cl_abap_conv_out_ce.
I already had my keys and IV from a Java implementation test.
The only thing I needed was to create the Key and IV as an XSTRING and initializing them with the Hex format of my Java implementation (they were in Byte format.
Because of this, I first converted them to Hex and passed those values to the ABAP Xstring types).

rsa decryption data from an encrypted data

I have tried many approaches to get the decryted data. I have used the same public key and private key to encrypt the data as given in the link
Please see the attached link.
RSA encryption/decryption compatible with Javascript and PHP
Finally I got the encrpted data (I have used extjs for encrption).I need to get the decrypted data in java.
Please suggest me a solution to get the decrypted by using same keys or solution to generate random keys for encrytion and decrytion

TCL code that can encrypt and decrypt a string

I need a piece of code that defines functions which can encrypt and decrypt a piece of string. What I basically want is that the string should not be visible to third-party users, so that when the string originates in one file, it is converted to, say, an integer value using the encrypt function and then it is passed as parameter to another file. There the decrpyt function then decrypts it back and uses the string to perform actions on it.
Any suggestions or already available codes will be just fine!
Please help me out. Thanks!

Install tcllib. There are several standard encryption algorithms implemented in tcllib.
The following encryption algorithms are available:
blowfish: http://tcllib.sourceforge.net/doc/blowfish.html
aes: http://tcllib.sourceforge.net/doc/aes.html
des (including triple des): http://tcllib.sourceforge.net/doc/des.html
rc4: http://tcllib.sourceforge.net/doc/rc4.html

The des package in Tcllib should do what you want. It's pretty easy to use:
package require des
set key "12345678"; # Must be 8 bytes long
set msg "abcde"
##### ENCRYPTION
set encryptedMsg [DES::des -dir encrypt -key $key $msg]
# $encryptedMsg is a bunch of bytes; you'll want to send this around...
##### DECRYPTION
set decryptedMsg [DES::des -dir decrypt -key $key $encryptedMsg]
puts "I got '$decryptedMsg'"
Note that DES will pad the message out to a multiple of 8 bytes long.

Please visit the TCL/TK homepage e.g
here:http://wiki.tcl.tk/900
That's just one way of doing it. There will be much more, I'm sure.

Encrypt with a specific key and uncrypt with another specific key

There are some encrypt method that allow I encrypt a string data with a specific unique encode key (write key) and decode it to an another specific decode key (read key)?
For instance: supposing that we have the string Hello World. So we have two keys, one for encoding (like John) and another to decoding (like Doe). So we create an encoded version of string like:
Note: not limited to PHP, it just an easy example for me...
$string = "Hello World";
$encoded = encode($string, "John", "Doe");
//#function encode(string data, string write_key, string read_key);
//#return string "abcdef123456" -- supposing that it is the encoded string!
Now we have the new encoded string of Hello World data as abcdef123456. Now if we try to read this string with the write key we don't will get the original version, but a strange version or just an error like invalid read key.
$decoded = decode($encoded, "John");
//#function decode(string data, string read_key);
//#return false -- invalid read key! or just a strange result data
$decoded = decode($encoded, "Doe");
//#return string "Hello World"
Note: I just need to know if there are some encrypt project like that, but if you know a library, it's ok too. I need it to my project. I know that is possible hash with a key, but the original result never can back. And I know too read-write key encodings, but it doesn't is really what I need.

You are talking about Public key cryptography.
To suggest a library you should specify the language you will be using in your project.

AS3Crypto RSA Signing

I'm having some troubles matching the value returned from RSA signing
a Base64 SHA1 hash in the actionscript as3crypto library with the result returned in c#.
I'm passing in a Base64 hash decoded as a byte array to the sign()
function provided in as3crypto and base64 encoding the result.
However, this result never matches the returned result from a c#
function which performs the same task. Does it matter that the
function takes in and returns hex even though it works at the byte
array level?
Please see my below signing function to check i haven't missed
anything!
private function signHash(hashInBase64:String):String
{
var src:ByteArray = Base64.decodeToByteArray(hashInBase64);
var key:RSAKey = getRSAKey();
var dst:ByteArray = new ByteArray();
key.sign(src, dst, src.length);
return Base64.encodeByteArray(dst);
}
Anyone had much experience with the AS3Crypto library?
Any help would be great!!!
Thanks,
Jon

I assume that your C# version is using RSA PKCS #1 version 1.5. The standard computes signatures by doing an RSA private key operation over a byte string composed as
0x00 0x01 || 0xff* || 0x00 || OID || hash
Looking at the as3crypto code shows that the RSAKey class does not add any OID during the sign operation. Hence if you don't do it you'll get incorrect results.
Looking at the code also shows that as3crypto is vulnerable to this attack, because it does not verify the padding properly. This attack is more than 3 years old. Hence it seems like a good to use a different library than as3crypto.

Now there is an ActionScript crypto library compatible with .NET. Here it is: http://code.google.com/p/flame. Looks like it supports RSA exactly the way .NET does.