SAP Security Authentication Authorization Cryptography

SAP Security Authentication is the method used for verifying that users, applications, or companies really are who they say they are. Authentication is the cornerstone of any security infrastructure or technology. SAP's standard user authentication verifies a user's identity by means of logon passwords. Unsuccessful logon attempts cause the session to terminate and activate user locks. As standard security measures, SAP supplies a number of logon profile parameters and an initial set of password rules that you can extend according to your needs. The standard security measures already provide a moderate to high degree of protection. User authentication applies mainly at the presentation level, but a breach will affect other layers as well.

Limitations of SAP standard authentication have to do with the export regulations of different countries on encryption software and algorithms. SAP overcame these limits by including SNC (Secure Network Communications) in the kernel.

Additional security measures to raise your system to the highest security level include:

  1. Using external security products that support encryption. Such products, however, must be SNC compliant.
  2. Using techniques such as client certificates or logon tickets for Web user authentication. However, these methods can only work if the other security layers, such as the network and the Internet, are also properly protected with secure protocols such as SSL.

Smart Card Authentication

SAP's standard smart card authentication allows a more secure authentication process. Users use cards, smart cards, instead of passwords to log on to the security system. No password information is transmitted over the communication lines. Because smart cards are usually protected with a password or PIN, it is much more difficult for someone to compromise a user's authentication information. The use of hardware devices such as smart cards is usually configured using an external security product based on the SNC interface. The smart cards that can be used for logging on to the mySAP Workplace are actually holders of the users' private keys, so they work as digital certificates that authenticate the holder.


Authorization

Authorization is the process used for determining what accesses or privileges are allowed for users. Authorizations are enforced by means of access controls, which are in charge of restricting user accesses.

SAP's User Authorization Concept

SAP's standard User Authorization secures user access to business data and transactions, ensuring that only preauthorized users gain access to data and processes. User authorizations are defined by authorization administrators in coordination with key business users in authorization profiles that are stored in the SAP user master records. An initial set of authorization profiles is predefined by SAP; you can modify or add to these profiles, and you can use the Profile Generator to create new profiles automatically based on user activity information. Authorization applies mainly at the application level, but remote communications, operating system commands, and the CTS (Change and Transport System) must also be taken into account.

The SAP authorization system is very comprehensive, but it is hard to implement fully to achieve the strictest security standards. It is hard to implement and maintain because it involves a great many organizational tasks in which users, key users, managers, and technical consultants take part. Therefore, it is a must to audit and monitor critical system authorizations. The SAP online documentation and the SAP security guide provide a very good basic understanding and methodology for implementing the authorization concept.

You can improve the security level of SAP's User Authorization system by including well-defined development standards together with a quality control that filters out applications that do not implement the necessary security and authorization checks.


Privacy

Privacy is the process that can be used for ensuring that data or information sent over a network or communication line is not accessed or read by unauthorized persons. A standard way of granting privacy is by using cryptography technology. Both authorization and privacy ensure the confidentiality of data and information. Within mySAP landscapes, privacy can be considered the highest security level that can be set by technological means. It can be enforced through digital signatures, digital envelopes, and the use of the SNC and SSF components.


Integrity

Integrity is the process that verifies that nothing and no one modifies data on its way from a source to a target. Similar to privacy within mySAP landscapes, integrity can be enforced by means of digital signatures, digital envelopes, and the use of the SNC and SSF components.

Proof of Obligation

Obligation, or proof of obligation, is necessary for confirming and guaranteeing that a business message is correct so it can be considered a business transaction between business partners. For this reason, in electronic commerce there must be enough security mechanisms to ensure the non-repudiation of business messages.


Auditing and Accounting

Auditing is the process of gathering and analyzing security data for verifying that the security policy and rules are complied with. Accounting is a way of measuring or restricting the use of system resources and, as such, is a type of authorization.


Cryptography

Cryptography is the technique, based on mathematical algorithms and other methods, of encoding information, thus preventing it from being read or disclosed. Cryptography is often defined as the science of secret writing. SAP's encrypted communications secure the exchange of critical data. This is an important security aspect in e-commerce communications. You can use SAP's SNC or SSF options and the SSL (Secure Sockets Layer) protocol to encrypt the information being transferred over HTTPS connections. Data encryption ensures that the data being exchanged is secured end to end and protected from being intercepted. SAP does not directly include encryption software within its solutions, but it offers the possibility of using external security products that are compliant with SNC and SSF, so they can be used for authentication, Single Sign-On, digital signatures and envelopes, and so on.

If security measures are not taken seriously, the manipulation and disclosure of information or digital documents is relatively easy with the help of current technology. Most of the advanced security measures are based on cryptography technologies. The following sections discuss common topics in modern cryptography applied to information technology.

Public Key Cryptography

Public key cryptography relies on mathematical one-way functions, which means that it is not feasible to reverse their results. With this type of system, every person who originates communications or messages has two keys:

  1. A private one that is secret
  2. A public one that is distributed to communication partners

Every message that is sent with one key can only be decrypted using the other key. Let's take an example of how this system works. Suppose that these keys are the keys to a wooden box. Of one of the keys there is only a master copy that you have stored securely; of the other one you have as many copies as you need, and you give them to all the people who need to communicate with you. The messages are boxes that have two locks (one opens with the secret key and the other one opens with the public one), with the special feature that if the box is closed using one of the keys, it can only be opened using the other one. Following this process, each communication partner has its own private key and the public keys of the other partners.

If a person (sender A) wants to send a private message to another person (receiver B), the process would be as follows: the sender puts the message in a box, which is locked with the public key of the receiver, so that only the receiver will be able to open it with the private key. Then there is the next question: once the message is received, how does the receiver know that the message comes from the person (sender A) and not from another person who has the public key? This is the kind of problem that digital signatures try to solve.

Digital Signatures

Digital signatures are special appendixes that are added to digital documents to prove the authenticity of the origin and the integrity of these documents. A digital signature is equivalent to the traditional handwritten signature on paper documents. When someone tries to illegally modify a handwritten signature, it usually leaves clues that can be detected by physical means. That is normally what guarantees the authenticity and integrity of the data and information contained. The digital signature must guarantee the same elements, though using technological means. The first important point is that every digital signature must be different for each document; otherwise, it would be fairly easy to copy and falsify them. This is why the digital signature depends on the document that is being signed, through a mathematical function, so that this relationship allows for a later verification of the validity and authenticity of the document.

The impossibility of falsifying any kind of digital signature is based on using characteristics or data owned by the sender (the one who signs). Each time a person uses his or her analogical (handwritten) signature, it produces a very similar graphic based on the person's inherent graphological characteristics. In the case of digital signatures, the signatory uses his or her secret private key. This is a very secure mechanism, because even if the message is intercepted and someone wants to modify its content, he or she must also modify the signature. That cannot be done without knowing the secret private key.

In order to guarantee the security of digital signatures, they are required to have the following characteristics:

  1. Unique. Only the signatory can generate the digital signatures.
  2. Unfalsifiable. In order to forge the signature, the criminal would have to solve very complex mathematical problems (considered computationally secure).
  3. Verifiable. They must be easily verifiable by the receiver or by a competent authority.
  4. Non-deniable. The signatory cannot deny its own signature.
  5. Feasible. They must be easily generated by the signatory.

Several protocols based on private key cryptography have been proposed in standards organizations. However, it has since been concluded that public key cryptography is safer. Digital signatures in use and in keeping with the above characteristics are based on the RSA signature and the DSS (Digital Signature Standard) signature.

In certain countries, digital signatures can already be used legally as if they were handwritten. In terms of security this implies proof of obligation and non-repudiation. Because of this, using digital signatures based on a PKI can raise the system to a high degree of security.
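The dependency of a signature on the signed document, and the checks a receiver can make, as an added Go example (not code from the original article or from SAP's SSF library). It uses RSA-PSS with SHA-256 from Go's standard library over a constructed purchase-order text; the 2048-bit key size and the document are assumptions for the demonstration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SignDocument hashes the document with SHA-256 and signs the digest with the
// signatory's private key (RSA-PSS), so the signature depends on the exact
// document content and any change to the document invalidates it.
func SignDocument(priv *rsa.PrivateKey, doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// VerifyDocument re-hashes the received document and checks the signature
// against the signatory's public key. It is true only when the document is
// unchanged and was signed by the holder of the matching private key.
func VerifyDocument(pub *rsa.PublicKey, doc, sig []byte) bool {
	digest := sha256.Sum256(doc)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

// Demo exercises the properties listed above and reports which checks held:
// the genuine document verifies, a modified one does not, and the signature
// does not verify under another party's public key.
func Demo() (genuine, tampered, wrongKey bool, err error) {
	// Constructed business document standing in for an SSF-protected message.
	doc := []byte("PO-4711: 100 units, deliver 2024-06-01, buyer A, vendor B")
	signer, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	other, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	sig, err := SignDocument(signer, doc)
	if err != nil {
		return
	}
	genuine = VerifyDocument(&signer.PublicKey, doc, sig)
	// An interceptor changes the quantity but cannot recompute the signature
	// without the private key, so verification fails.
	forged := []byte("PO-4711: 900 units, deliver 2024-06-01, buyer A, vendor B")
	tampered = VerifyDocument(&signer.PublicKey, forged, sig)
	// The same signature is rejected under a different key pair, which is what
	// ties the signature to one signatory (uniqueness and non-deniability).
	wrongKey = VerifyDocument(&other.PublicKey, doc, sig)
	return
}

func main() {
	g, t, w, err := Demo()
	fmt.Println("genuine:", g, "tampered:", t, "wrong key:", w, "err:", err)
}
```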

Cryptography in the SAP Systems

Since release 4.0, the SAP Basis (R/3) systems include the SSF (Secure Store and Forward) mechanisms for protecting some of the data within the system. SAP applications can use the SSF layer for securing the integrity, authenticity, and privacy of certain data. The key point of SSF is that the data remains protected when it leaves the SAP systems. The first applications using SSF are:

  1. Production Planning for Process Industries
  2. Product Data Management
  3. ArchiveLink II

SAP is committed to providing additional applications that support SSF. SSF uses digital signatures and digital envelopes for securing the data. The digital signature identifies the sender and ensures data integrity, whereas the digital envelope ensures that the message can only be opened by the receiver. Besides these features, SSF includes others that are quite relevant and vital for digital transactions:

  1. SSF is asynchronous. The creation, transmission, reception, processing, and confirmation of business transactions are different steps that can happen at different times without locking or affecting the applications in charge of the process.
  2. Independence of the transport. It should be possible to use different transfer mechanisms, such as public networks, the Internet, online services, magnetic disks, and so on, as well as different protocols and communication services such as HTTP, FTP, e-mail, EDI, and so on.

In order to perform these functions, SSF requires the use of a third-party security product. Since release 4.5 of SAP R/3, the system includes the SAPSECULIB (SAP Security Library) as the default provider for SSF services. SAPSECULIB is a software-only solution, and its functionality is limited to digital signatures. In order to support specific cryptographic hardware such as smart cards, or to support digital envelopes, SSF must be complemented by an external product certified by SAP.

To use digital signatures effectively, it is necessary to maintain a PKI. Because there is no accepted worldwide PKI yet, this infrastructure has to be established in a secure provider domain. Digital signatures are available in SAP systems and the SAP Business Connector and can be used to secure business documents in

SAP's standard digital signatures authenticate the R/3 data that is being transmitted and ensure that the senders (signatories) can be clearly identified. The subsequently applied digital envelope ensures that the data contents will only be visible to the intended recipients. On SAP systems, digital signatures are based on SSF.

SSO (Single Sign-On)

With SAP's standard SSO solution, users must enter their passwords only once, when they initially log on to the security system or the operating system. The security system then generates "credential" information so that the users can later automatically log on to other systems, such as R/3 or other mySAP component systems, without any password information being transmitted over the communication lines. With SAP R/3 and the rest of the system there are many possibilities for SSO, though not all of them provide the same level of service. Some of these features are:

  1. An external security product that is compliant with the SNC interface
  2. Use of central administration
  3. Trusted systems
  4. Windows NT security provider
  5. Cookies
  6. Client certificates (X.509)
  7. Integration with LDAP servers
  8. mySAP logon tickets

LDAP (Lightweight Directory Access Protocol)

LDAP is a directory access protocol that provides defined criteria to search, read, or write within a directory. Known for a long time (for instance, Novell Directory Services NDS, Netscape Directory Server), directories are having a comeback with the introduction of PKIs, which require an LDAP server to store the users and certificates and keep them accessible for search and verification requests. Additionally, Microsoft introduced LDAP functionality with the new Windows 2000 OS and its ability to use Active Directory Services.

Single Sign-On Protocol

HTTP is the default protocol for transferring files within the World Wide Web. HTTP transports Web pages as plain-text data, so it is possible that a third party with access to the network can read or alter the data sent. The protocol has no proper mechanisms to ensure authentication and confidentiality of the data. For that purpose, SSL encryption can be used. The HTTPS protocol transfers HTTP over an SSL connection. HTTPS offers options to encrypt the data and to identify the other party by its digital certificate. SSL and HTTPS provide confidentiality and integrity of the data transmitted and authentication of the user.

  1. Confidentiality is ensured through strong encryption. The data transmitted cannot be decrypted by anyone other than the intended recipient and is unreadable to third parties.
  2. Data integrity ensures that a third party did not alter the data sent over the network.
  3. Authentication is provided by means of digital certificates, which are very difficult to falsify.

When an HTTPS communication is set up, client and server first agree on a protocol version and define the encryption algorithms. Then they authenticate each other and use encryption methods to generate the session data. The following steps provide an outline of what is required to set up an HTTPS connection:

  1. The client sends a request to the SSL-enabled server.
  2. The server sends its public key and its certificate to the client.
  3. The client checks whether the certificate of the server was signed by a certificate authority that the client trusts. Otherwise, the client aborts the connection to the server.
  4. The client compares the data from the certificate with the data it just received about the server: domain name and public key. If the information matches, the client accepts the server as authenticated. At this point, the server might request a certificate from the client as well.
  5. The client creates a session key, encrypts it with the public key of the server, and sends it to the server.
  6. The server receives the session key and decrypts it with its private key.
  7. Client and server use the session key to encrypt and decrypt the data they send and receive.
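Steps 3 and 4 above, the CA-trust and host-name checks a client applies before accepting the server, as an added Go example built on the standard library's X.509 verifier (not code from the article or from an SAP product). The test CA, the host name `sap.example.test` and the P-256 keys are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue generates a fresh P-256 key pair for tmpl and has signer sign it under
// parent; a nil signer means self-signed. Returns the parsed cert and its key.
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if signer == nil {
		signer = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildPKI creates a self-signed test CA and has it issue a server certificate
// for host. It returns what the server presents in step 2 and the root pool
// the client trusts. Both are constructed here, not real SAP certificates.
func BuildPKI(host string) (server *x509.Certificate, roots *x509.CertPool, err error) {
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca, caKey, err := issue(caTmpl, caTmpl, nil)
	if err != nil {
		return nil, nil, err
	}
	srvTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	server, _, err = issue(srvTmpl, ca, caKey)
	if err != nil {
		return nil, nil, err
	}
	roots = x509.NewCertPool()
	roots.AddCert(ca)
	return server, roots, nil
}

// ClientAccepts performs steps 3 and 4: the presented certificate must chain
// to a CA in the client's trust store and must be issued for the host name
// the client meant to reach; otherwise the client aborts the connection.
func ClientAccepts(cert *x509.Certificate, trusted *x509.CertPool, host string) bool {
	_, err := cert.Verify(x509.VerifyOptions{Roots: trusted, DNSName: host})
	return err == nil
}
```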