How to store a secret key for HMAC calculation in ABAP
Introduction
In a recent assignment I needed to securely store a secret key that we had received from a third party for HMAC calculation. As it was of utmost importance that the secret key would never be retrieved even by individuals with debug authorization on the system it was not an option to save it in a table (even with some base64 or other encoding).
The problem of storing a secret key for calculation of an HMAC is not a new one and SAP itself has solved it using the ABAP Secure Storage. After some research into how SAP Standard applications make use of ABAP Secure Storage it became apparent how we as SAP customers can also make use of it in custom implementations. Those findings are documented here.
How to use ABAP Secure Storage to keep secret keys
[Image: Save HMAC secret key to ABAP Secure Storage]
Once the secret key has been set in the above way, you can see it in ABAP Secure Storage using transaction code SECSTORE. On the initial screen choose ‘Selected Application’ and pick ‘Secure Hash Function (HMAC)’. Note the ‘record number’ under which the secret key has been stored: this is the value that you provided to parameter ‘record_number’ when you called function module ‘SET_HMAC_KEY’. You can store up to 99 different secret keys for one application. ‘Application’ in this context is the global class that called the ‘SET_HMAC_KEY’ function. The secret key in transaction SECSTORE looks like this:
[Image: HMAC secret key shown in transaction SECSTORE]
The secret key can now be used for HMAC calculation using function module ‘CALCULATE_HMAC_FOR_CHAR’. Note that you have to provide the same value for parameter ‘record_number’ that you provided when you called function module ‘SET_HMAC_KEY’.
[Image: Use the HMAC secret key for HMAC calculation]
The advantage of the ‘CALCULATE_HMAC_FOR_CHAR’ function is that the HMAC calculation, and with it the retrieval of the HMAC key, happens inside a call to the system’s kernel, i.e. it cannot be stepped through in the ABAP debugger. This gives the best possible assurance that the secret key is not compromised.
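The two calls described above, wrapped in one global class so that the ‘application’ that stores the key is the same one that later uses it. This is an added example, not code from the original article; apart from ‘record_number’, which the article names, the parameter and exception names of the two function modules are assumed from their documented interfaces and should be checked in SE37 on your release.

```abap
CLASS zcl_hmac_keystore DEFINITION PUBLIC FINAL CREATE PUBLIC.
  PUBLIC SECTION.
    " Same record number for storing and using the key: the value passed to
    " SET_HMAC_KEY must be reused in CALCULATE_HMAC_FOR_CHAR.
    CONSTANTS c_record_number TYPE i VALUE 1.
    " One-time setup: hand the third-party key to ABAP Secure Storage.
    " The key is never written to a custom table.
    CLASS-METHODS store_key
      IMPORTING iv_key       TYPE xstring
      RETURNING VALUE(rv_ok) TYPE abap_bool.
    " HMAC-SHA256 over iv_data with the stored key; only the MAC (base64)
    " comes back to ABAP, the key stays inside the kernel call.
    CLASS-METHODS hmac_b64
      IMPORTING iv_data       TYPE string
      RETURNING VALUE(rv_mac) TYPE string.
ENDCLASS.

CLASS zcl_hmac_keystore IMPLEMENTATION.
  METHOD store_key.
    " Parameter and exception names other than RECORD_NUMBER are assumed.
    CALL FUNCTION 'SET_HMAC_KEY'
      EXPORTING
        key            = iv_key
        record_number  = c_record_number
      EXCEPTIONS
        internal_error = 1
        param_error    = 2
        OTHERS         = 3.
    rv_ok = xsdbool( sy-subrc = 0 ).
  ENDMETHOD.

  METHOD hmac_b64.
    " Must run in this same global class: the Secure Storage entry is
    " bound to the class ("application") that called SET_HMAC_KEY.
    CALL FUNCTION 'CALCULATE_HMAC_FOR_CHAR'
      EXPORTING
        alg            = 'SHA256'
        data           = iv_data
        record_number  = c_record_number
      IMPORTING
        hashb64string  = rv_mac
      EXCEPTIONS
        unknown_alg    = 1
        param_error    = 2
        internal_error = 3
        OTHERS         = 4.
    IF sy-subrc <> 0.
      CLEAR rv_mac.   " signal failure to the caller rather than return a partial MAC
    ENDIF.
  ENDMETHOD.
ENDCLASS.
```

After `store_key` has run once, the record appears in SECSTORE under ‘Secure Hash Function (HMAC)’ with record number 1, and `hmac_b64` can be called from any program without the key ever being passed around in ABAP.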
Conclusion
I hope this approach clarifies how you can use the ABAP Secure Storage to keep secret keys for HMAC calculation in custom development in a way that cannot be compromised.
Do note the legal restrictions for using secure storage in customer developments: https://help.sap.com/doc/saphelp_nw74/7.4.16/en-us/4e/eb2dce10f2398de10000000a42189b/content.htm?no_cache=true
Hi Lars,
function module 'SET_HMAC_KEY' is using the standard SAP Secure Store Application 'Secure Hash Function (HMAC)'. Because of the HMAC use case no technical measures prevented the use of ABAP Secure Storage.
Stefan
You do understand that FM SET_HMAC_KEY is not released, which means that outside of SAP you're not supposed to use it. Also, in the debugger you can change sy-cprog, sy-repid and sy-xform, which immediately makes your "solution" insecure.
Encrypt. Compare, check the hashes. It's called security.
Good and important note!