How to store a secret key for HMAC calculation in ABAP
In a recent assignment I needed to securely store a secret key that we had received from a third party for HMAC calculation. As it was of utmost importance that the secret key could never be retrieved, not even by individuals with debug authorization on the system, it was not an option to save it in a table (even with base64 or some other encoding, which is obfuscation, not protection).
The problem of storing a secret key for calculation of an HMAC is not a new one and SAP itself has solved it using the ABAP Secure Storage. After some research into how SAP Standard applications make use of ABAP Secure Storage it became apparent how we as SAP customers can also make use of it in custom implementations. Those findings are documented here.
How to use ABAP Secure Storage to keep secret keys
Once the secret key has been set in the above way you can see it in ABAP Secure Storage using transaction code SECSTORE. On the initial screen choose ‘Selected Application’ and select ‘Secure Hash Function (HMAC)’. Note the ‘record number’ under which the secret key has been stored. This is the value that you provided for parameter ‘record_number’ when you called function module ‘SET_HMAC_KEY’. You can store up to 99 different secret keys for one application. ‘Application’ in this context is the global class that called the ‘SET_HMAC_KEY’ function. The secret key in transaction SECSTORE looks like this:
The secret key can now be used for HMAC calculation using function module ‘CALCULATE_HMAC_FOR_CHAR’. Note that you have to provide the same value for parameter ‘record_number’ that you provided when you called function module ‘SET_HMAC_KEY’.
The good thing about using the ‘CALCULATE_HMAC_FOR_CHAR’ function is that the HMAC calculation, and hence also the retrieval of the HMAC key from Secure Storage, happens inside a call to the system’s kernel, i.e. it cannot be stepped through in the ABAP debugger. The key value therefore never appears in an ABAP variable where a user with debug authorization could read it.
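The two steps described above, written out as an added example (this is not code from the original post). Only the parameter name ‘record_number’ is taken from the post; the class name zcl_hmac_demo, the parameter names generate_random_key, alg, keyval and hmacbase64, and the choice of SHA256 are assumptions to be checked against the function module signatures in SE37 on your release:

```abap
"! Added example: global class that owns one HMAC key in ABAP Secure Storage.
"! Because this class is the caller of SET_HMAC_KEY, it is the 'application'
"! under which SECSTORE lists the key (see post above).
CLASS zcl_hmac_demo DEFINITION PUBLIC FINAL CREATE PUBLIC.
  PUBLIC SECTION.
    " Record number (1..99) under which the key is kept for this application.
    CONSTANTS gc_record TYPE i VALUE 1.

    "! One-time setup: store the key the third party gave us (hex string).
    "! Returns abap_true on success. Run once, e.g. from a setup report.
    CLASS-METHODS store_key
      IMPORTING iv_key_hex   TYPE string
      RETURNING VALUE(rv_ok) TYPE abap_bool.

    "! Runtime use: HMAC-SHA256 over iv_data with the stored key.
    "! The key is read and used inside the kernel; it is never returned.
    CLASS-METHODS sign
      IMPORTING iv_data            TYPE string
      RETURNING VALUE(rv_hmac_b64) TYPE string.
ENDCLASS.

CLASS zcl_hmac_demo IMPLEMENTATION.
  METHOD store_key.
    DATA lv_key TYPE xstring.

    " Assigning a character string of hex digits to an XSTRING converts it
    " to the raw key bytes (standard ABAP conversion rule).
    lv_key = iv_key_hex.

    " Assumed parameter names (generate_random_key, alg, keyval); record_number
    " is the value quoted in the post. OTHERS catches any of the module's
    " exceptions without naming them.
    CALL FUNCTION 'SET_HMAC_KEY'
      EXPORTING
        generate_random_key = abap_false   " we supply the key, do not generate one
        alg                 = 'SHA256'
        keyval              = lv_key
        record_number       = gc_record
      EXCEPTIONS
        OTHERS              = 1.

    " Drop the plaintext from our own variable as soon as the kernel has it.
    CLEAR lv_key.

    rv_ok = xsdbool( sy-subrc = 0 ).
  ENDMETHOD.

  METHOD sign.
    " No key parameter is passed: the kernel fetches the key from Secure
    " Storage using the same record_number that store_key used.
    " hmacbase64 is an assumed export parameter name.
    CALL FUNCTION 'CALCULATE_HMAC_FOR_CHAR'
      EXPORTING
        alg           = 'SHA256'
        data          = iv_data
        record_number = gc_record
      IMPORTING
        hmacbase64    = rv_hmac_b64
      EXCEPTIONS
        OTHERS        = 1.

    IF sy-subrc <> 0.
      CLEAR rv_hmac_b64.   " caller treats an empty result as failure
    ENDIF.
  ENDMETHOD.
ENDCLASS.

" Typical usage (constructed values):
"   zcl_hmac_demo=>store_key( '0011223344556677889900AABBCCDDEEFF' ).   " once
"   DATA(lv_sig) = zcl_hmac_demo=>sign( 'payload-to-authenticate' ).    " per request
```

Two points worth keeping in mind when reusing this pattern: the key is protected from being read, but any ABAP code that can call ‘CALCULATE_HMAC_FOR_CHAR’ under this class can still produce valid HMACs with it, so restrict who may execute the calling class and who may run the setup that calls ‘SET_HMAC_KEY’ (which overwrites the record). And ‘ALG’ and ‘record_number’ must match exactly between the two calls; a mismatch fails the calculation or silently uses a different record.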
I hope this approach clarifies how you can use the ABAP Secure Storage to keep secret keys for HMAC calculation in custom development in a way that cannot be compromised.