Gems in SAP Cloud Platform Security – “FIPS – Encryption is Key”
SAP Cloud Platform is an essential ingredient of SAP’s digital strategy. It is the platform for our customers’ and partners’ transformation journey towards digital business models and thus is of utmost importance for SAP.
And so is security in SAP Cloud Platform!
You think encrypted communication between your browser and a server is secure?
In times of Big Data, recording and storing encrypted communication has become pretty easy – and even more, it has become increasingly interesting. Although we don’t know for sure, there is a certain probability that some malicious groups or countries already store large amounts of encrypted communication data.
Why should they do this?
Secure communication between your browser and a server relies significantly on the integrity of the server certificate’s private key. Without forward secrecy, this private key protects the keys that encrypt your communication, so you would assume this to be secure, as long as the private key is not compromised. If it is ever exposed, an attacker can decrypt all recorded data, even years later.
Perfect Forward Secrecy (PFS) is the answer.
PFS is based on generating a unique session key for every session a user initiates. Most importantly, the session key is derived from complex mathematical operations without involving the server certificate, which remains a digital identity used for authentication only. Even if the server certificate’s private key is compromised at some later point, this does not help to decrypt the recorded communication. Moreover, if an attacker did manage to compromise the key of one session, this would at most allow decryption of that particular communication. No previous or future session would be compromised.
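The property described above can be reproduced with Go's standard library. This is an added example, not code from SAP's CommonCryptoLib; it assumes X25519 for the key exchange, Ed25519 as a stand-in for the certificate key and SHA-256 as a stand-in key derivation, and the names `Handshake`, `SessionKey` and `Recorded` are hypothetical. It goes one step beyond the text by contrasting a long-lived key-exchange key with a per-session one.

```go
package main

import (
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Recorded is what a passive eavesdropper can store from one handshake.
type Recorded struct{ ClientPub, ServerShare, Sig []byte }

// SessionKey hashes the X25519 output of one side's private key and the peer's public share.
func SessionKey(priv *ecdh.PrivateKey, peerShare []byte) [32]byte {
	pub := must(ecdh.X25519().NewPublicKey(peerShare))
	return sha256.Sum256(must(priv.ECDH(pub)))
}

// Handshake: identity only signs the server's key share. serverKey == nil means a
// fresh share that is discarded afterwards (PFS); non-nil models a long-lived one.
func Handshake(identity ed25519.PrivateKey, serverKey *ecdh.PrivateKey) (Recorded, [32]byte) {
	if serverKey == nil {
		serverKey = must(ecdh.X25519().GenerateKey(rand.Reader))
	}
	client := must(ecdh.X25519().GenerateKey(rand.Reader))
	share := serverKey.PublicKey().Bytes()
	sig := ed25519.Sign(identity, share)
	// Client authenticates the share with the identity's public key, then derives.
	if !ed25519.Verify(identity.Public().(ed25519.PublicKey), share, sig) {
		panic("server key share not authenticated")
	}
	return Recorded{client.PublicKey().Bytes(), share, sig}, SessionKey(client, share)
}

func main() {
	_, id, _ := ed25519.GenerateKey(rand.Reader)
	longLived := must(ecdh.X25519().GenerateKey(rand.Reader))
	rec, key := Handshake(id, longLived)
	pfsRec, pfsKey := Handshake(id, nil)
	// A later leak of longLived recovers the first recorded session, not the second.
	fmt.Println(SessionKey(longLived, rec.ClientPub) == key, SessionKey(longLived, pfsRec.ClientPub) == pfsKey)
}
```

The identity key appears only in `Sign` and `Verify`, so it is never an input to any session key.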
The particular algorithms required by PFS are part of SAP’s CommonCryptoLib Crypto Kernel, which is used by many SAP solutions such as SAP HANA, where it enables encryption of data in transit. For many customers in certain industries, it is becoming increasingly important that SAP’s cryptography modules are both secure and free of backdoors. A widely accepted validation for this is an official certification defined by the National Institute of Standards and Technology (NIST): the Federal Information Processing Standards (FIPS) 140-2 validation.
SAP’s CommonCryptoLib Crypto Kernel version 220.127.116.11 has just received its FIPS 140-2 certification. It is the result of a certification and validation procedure started in 2015 together with TÜViT, the only German test laboratory approved by NIST. The validation was done in early 2016 in-house at SAP.
Interesting to know: each correction to a cryptographic module that has undergone this validation process requires a re-certification! Our CommonCryptoLib Crypto Kernel, however, has been stable since then – kudos to the development team!
“Gems in Cloud Platform Security” is a new series of blogs. It takes you on a tour to discover how security is seamlessly woven into the success of SAP Cloud Platform.
FIPS 140-2 certification of SAP’s CommonCryptoLib Crypto Kernel
Diffie-Hellman key exchange (Wikipedia)
NIST Computer Security Division – Cryptographic Module Validation Program (CMVP)