How to store a secret key for HMAC calculation in ABAP

Introduction

In a recent assignment I needed to securely store a secret key that we had received from a third party for HMAC calculation. As it was of utmost importance that the secret key would never be retrieved even by individuals with debug authorization on the system it was not an option to save it in a table (even with some base64 or other encoding).

The problem of storing a secret key for calculation of an HMAC is not a new one and SAP itself has solved it using the ABAP Secure Storage. After some research into how SAP Standard applications make use of ABAP Secure Storage it became apparent how we as SAP customers can also make use of it in custom implementations. Those findings are documented here.

How to use ABAP Secure Storage to keep secret keys

The solution to the problem was to create a global ABAP class that in one of its methods saves the secret key for HMAC encryption to ABAP Secure Storage using function module ‘SET_HMAC_KEY’ and in another method uses function module ‘CALCULATE_HMAC_FOR_CHAR’ to use that secret key for HMAC calculation. It is of central importance, that those ‘setter’ and ‘getter’ methods are part of the same class: the ABAP Secure Storage will otherwise deny use of the secret key for calcuation of the HMAC.

This is how the call to function module ‘SET_HMAC_KEY’ looks in my specific case:

Save HMAC secret key to ABAP Secure Storage

Once the secret key has been set in the above way you can see it in ABAP Secure Storage using transaction code SECSTORE. On the initial screen choose ‘Selected Application’ ‘Secure Hash Function (HMAC)’. Note the ‘record number’ under which the secret key has been stored. This is the value that you provided to parameter ‘record_number’ when you called function module ‘SET_HMAC_KEY’. You can store up to 99 different secret keys for one application. ‘Application’ in this context is the global class that called the ‘SET_HMAC_KEY’ function. The secret key in transaction SECSTORE looks like this:

HMAC secret key shown in transaction SECSTORE

The secret key can now be used for HMAC calculation using function module ‘CALCULATE_HMAC_FOR_CHAR’. Note that you have to provide the same value for parameter ‘record_number’ that you provided when you called function module ‘SET_HMAC_KEY’.

Use HMAC secret key for HMAC encryption

The good thing about using the ‘CALCULATE_HMAC_FOR_CHAR’ function is that the HMAC calculation and hence also the retrieval of the HMAC key for encryption happens in a call to the system’s kernel, i.e. it cannot be debugged. This leads to ultimate safety to ensure that the secure key is not compromised.

Conclusion

I hope this approach clarifies how you can use the ABAP Secure Storage to keep secret keys for HMAC calculation in custom development in a way that cannot be compromised.