Stefan Keuker

How to store a secret key for HMAC calculation in ABAP

Introduction

In a recent assignment I needed to securely store a secret key that we had received from a third party for HMAC calculation. As it was of utmost importance that the secret key could never be retrieved, even by individuals with debug authorization on the system, saving it in a table was not an option (base64 or any other encoding is not encryption and would not change that).

The problem of storing a secret key for calculation of an HMAC is not a new one and SAP itself has solved it using the ABAP Secure Storage. After some research into how SAP Standard applications make use of ABAP Secure Storage it became apparent how we as SAP customers can also make use of it in custom implementations. Those findings are documented here.

How to use ABAP Secure Storage to keep secret keys

The solution to the problem was to create a global ABAP class that in one of its methods saves the secret key for HMAC calculation to the ABAP Secure Storage using function module ‘SET_HMAC_KEY’, and in another method uses function module ‘CALCULATE_HMAC_FOR_CHAR’ to compute the HMAC with that secret key. It is of central importance that the ‘setter’ and ‘getter’ methods are part of the same class: the ABAP Secure Storage binds the stored key to the calling application and will otherwise deny use of the secret key for calculation of the HMAC.

This is how the call to function module ‘SET_HMAC_KEY’ looks in my specific case:

Save HMAC secret key to ABAP Secure Storage

Once the secret key has been set in the above way you can see it in the ABAP Secure Storage using transaction code SECSTORE. On the initial screen choose ‘Selected Application’ and then ‘Secure Hash Function (HMAC)’. Note the ‘record number’ under which the secret key has been stored: this is the value that you provided to parameter ‘record_number’ when you called function module ‘SET_HMAC_KEY’. You can store up to 99 different secret keys for one application. ‘Application’ in this context is the global class that called the ‘SET_HMAC_KEY’ function. The secret key in transaction SECSTORE looks like this:

HMAC secret key shown in transaction SECSTORE

The secret key can now be used for HMAC calculation using function module ‘CALCULATE_HMAC_FOR_CHAR’. Note that you have to provide the same value for parameter ‘record_number’ that you provided when you called function module ‘SET_HMAC_KEY’.

Use HMAC secret key for HMAC calculation

The advantage of using the ‘CALCULATE_HMAC_FOR_CHAR’ function is that the HMAC calculation, and with it the retrieval of the key from the secure storage, happens inside a call to the system’s kernel: the key never appears in an ABAP variable that could be inspected in the ABAP debugger. Keep in mind what this does and does not protect. The key material stays out of tables and out of the debugger, but the secure storage hands the key to whatever it identifies as the owning application, so anyone who can execute code as that class (or manipulate the calling context, as one of the comments below points out) can still compute HMACs with it. Also note that the function modules used here are not released for customer use.
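As an added example (not code from the original post or from SAP), here is how the class described above can be laid out so that the setter and the HMAC calculation live in the same class and the key never sits in an ABAP variable after the one-off setup call. Parameter ‘record_number’ is the one the post confirms; the parameter names ‘key’, ‘alg’, ‘data’ and ‘hashb64’ and the algorithm value ‘SHA256’ are assumptions and must be checked against the function module interfaces on your system.

```abap
" Added example, not from the original post. Assumed (not confirmed by the
" post): parameter KEY of SET_HMAC_KEY, parameters ALG/DATA/HASHB64 of
" CALCULATE_HMAC_FOR_CHAR, and the algorithm value 'SHA256'.

" Local exception used by the class below (keeps the listing self-contained).
CLASS lcx_hmac_error DEFINITION INHERITING FROM cx_static_check.
ENDCLASS.

CLASS zcl_hmac_secstore DEFINITION PUBLIC FINAL CREATE PRIVATE.
  PUBLIC SECTION.
    CONSTANTS:
      c_record_number TYPE i      VALUE 1,        " slot 1..99 for this class
      c_algorithm     TYPE string VALUE 'SHA256'. " assumed ALG value

    " One-off setup: store the key received from the third party.
    " The key must come from outside the source (e.g. entered by an
    " administrator), never from a literal that ends up in a transport.
    CLASS-METHODS set_key
      IMPORTING iv_key TYPE xstring
      RAISING   lcx_hmac_error.

    " Compute the base64 HMAC over iv_data with the stored key.
    CLASS-METHODS sign
      IMPORTING iv_data        TYPE string
      RETURNING VALUE(rv_hmac) TYPE string
      RAISING   lcx_hmac_error.

    " Verify an HMAC received with a message by recomputing it.
    CLASS-METHODS verify
      IMPORTING iv_data      TYPE string
                iv_hmac      TYPE string
      RETURNING VALUE(rv_ok) TYPE abap_bool
      RAISING   lcx_hmac_error.
ENDCLASS.

CLASS zcl_hmac_secstore IMPLEMENTATION.
  METHOD set_key.
    IF xstrlen( iv_key ) = 0.
      RAISE EXCEPTION TYPE lcx_hmac_error.
    ENDIF.
    " Must live in the same class as the CALCULATE_HMAC_FOR_CHAR call:
    " the secure storage ties the record to the calling application.
    CALL FUNCTION 'SET_HMAC_KEY'
      EXPORTING
        key           = iv_key            " assumed parameter name
        record_number = c_record_number
      EXCEPTIONS
        OTHERS        = 1.
    IF sy-subrc <> 0.
      RAISE EXCEPTION TYPE lcx_hmac_error.
    ENDIF.
  ENDMETHOD.

  METHOD sign.
    " Key lookup and HMAC computation both happen inside the kernel call;
    " the key never lands in an ABAP variable of this method.
    CALL FUNCTION 'CALCULATE_HMAC_FOR_CHAR'
      EXPORTING
        alg           = c_algorithm       " assumed parameter name
        data          = iv_data           " assumed parameter name
        record_number = c_record_number
      IMPORTING
        hashb64       = rv_hmac           " assumed parameter name
      EXCEPTIONS
        OTHERS        = 1.
    IF sy-subrc <> 0.
      RAISE EXCEPTION TYPE lcx_hmac_error.
    ENDIF.
  ENDMETHOD.

  METHOD verify.
    " Recompute the HMAC over the received data and compare; any mismatch
    " (tampered data or wrong key) yields abap_false.
    rv_ok = xsdbool( sign( iv_data ) = iv_hmac ).
  ENDMETHOD.
ENDCLASS.
```

Call set_key once during setup, for example from an administrator-run report that reads the key from a file upload, and use sign and verify from the integration code. Keep all three methods in this one class: if set_key were moved to a separate setup class, the secure storage would treat that class as the owning application and deny the key to sign, as described above. verify uses a plain string comparison; it rejects tampered messages, but does not attempt to hide timing differences.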

Conclusion

I hope this approach clarifies how you can use the ABAP Secure Storage to keep secret keys for HMAC calculation in custom development without the key ever being readable from a table or in the ABAP debugger.

Comments
Lars Hvam

      Do note the legal restrictions for using secure storage in customer developments,

      For legal reasons, only SAP applications may use the secure storage. We therefore use technical measures to prevent the secure storage being used in customer developments.

      https://help.sap.com/doc/saphelp_nw74/7.4.16/en-us/4e/eb2dce10f2398de10000000a42189b/content.htm?no_cache=true

Stefan Keuker (Blog Post Author)

      Hi Lars,

Function module 'SET_HMAC_KEY' uses the standard SAP Secure Store application 'Secure Hash Function (HMAC)'. Because of the HMAC use case, no technical measures prevented the use of ABAP Secure Storage.

      Stefan

Matthew Billingham

You do understand that FM SET_HMAC_KEY is not released, which means that outside of SAP you're not supposed to use it. Also, in the debugger you can change sy-cprog, sy-repid and sy-xform, which immediately makes your "solution" insecure.

      Encrypt. Compare, check the hashes. It's called security.


Michael Keller

      Good and important note!