Secure hash function with salt to create a not spoofable PRC (SAP CRM)

Hello SAP Security Community,
SAP CRM Marketing provides a functionality called Personalized Response Code (PRC, 10 characters). This code can be used in mail, fax, SMS or letters to customers. When the customer returns the PRC to the communication initiator, it can be mapped to a campaign and the business partner number of the customer. See also the [SAP Standard Help|http://help.sap.com/saphelp_crm700_ehp01/helpdata/EN/2a/c13463f09c4a1f9c45903e7a0a7230/frameset.htm].
By default this standard implementation of the BAdI CRM_MKT_PRC_CONVERT is called:
METHOD if_ex_crm_mkt_prc_convert~convert_prc.
  DATA lv_no      TYPE  crmt_mkt_icrh_prc_num.
  DATA lv_string  TYPE  string.
  DATA lv_pos     TYPE  int4.
  DATA lv_base31  TYPE  string VALUE '0123456789BCDFGHJKLMNPQRSTVWXYZ'.
**** converting the numeric-base10 into base31
  lv_no = iv_prc.
  CLEAR lv_string.
  DO.
    lv_pos = lv_no MOD 31.
    lv_no  = lv_no DIV 31.
    CONCATENATE lv_base31+lv_pos(1) lv_string INTO lv_string.
    IF lv_no = 0.
      EXIT.
    ENDIF.
  ENDDO.
  MOVE lv_string TO ev_prc.
ENDMETHOD.
As you can see, it does a simple base31 encoding of the provided input parameter iv_prc, which is a number provided by the number range for PRCs.
I want to use the PRC to make our customers' registration process for a trade fair easier. We send out the PRC via a letter to the customers for whom we don't have an E-Mail address. The letter contains instructions which point the user to a website that has an input field for the PRC. When the user submits the PRC, I'd like to show him/her some personal information (name, address, E-Mail) that we look up using the PRC in the CRM system. This information is then posted to a 3rd-party website that has to be used to do the trade fair registration.
If I used the simple base31 encoding, then the current counter state could be easily decoded, the next number chosen, and by applying base31 encoding again the next valid PRC created. This could then be misused to read the personal information of another customer. I think what could solve this problem would be to use a secure hash function that can also be salted to create the PRC.
Do you think I'm on the right track? Or would it be OK to use the classes described in [Note 1410294 - Support SHA2-family for Message Digest and HMAC|https://service.sap.com/sap/support/notes/1410294] and, before doing the hashing, add a random number to the PRC number that I've got from the number range? What problems will I run into, as the PRC cannot be longer than 12 characters? For sure I have to check that I don't create any PRC twice.
Best regards
Gregor

Knowledge of the PRC should not reveal any personal information to you.
OK, but in this case the PRC is mapped to the campaign number and the BP number. It would reveal the information. Hence a second hash which only allows further processing if it matches. The second hash is a "signature" of the PRC.
I don't agree with this. The security should NOT be based on hiding how the system works. Only the key should be secret. In this case it should all depend on the quality of the PRNG. Check Kerckhoffs's principle. Whenever I see a proprietary algorithm in crypto I start to feel nervous about the system.
OK, you convinced me. That is also true, but you will have to save the key or the hash it produces to be able to verify it again when the user returns to the website, and in this case it is in clear-text ABAP (unless Mr. Wolf wants to create an external program, like SAP does with C calls).
From the perspective of the user it is a password, and they must be able to transfer it from snail-mail readable text on paper into a website field.
As Mr. Wolf has noticed, the next PRCs can be obtained by anyone who can decode the standard code (knowing that the BAdI is activated).
I think a correctly placed split and concatenation does the trick for a 20-character field without knowing which part is the PRC and which is the signature (a human can still enter that into a website field).
I think the big question (apart from the principle, which I agree with you on) is whether the admins and their family members are allowed to bid? Also, do the bidders have access to this system as technical consultants? (For example, to single-test methods and function modules in the production system?)
Also, how does the process continue and finally get concluded? Typically there is some "horse trading" in the end anyway...
All these factors should influence the strength and complexity of the design, and maintenance of it IMO.
But generally you are correct and I rest my case.
@ Mr. Wolf: Are you enjoying the debate too much or are you going to give us more insight?
Cheers,
Jules
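An added example (not code from the thread or from SAP), modelling in Python the design discussed above: the standard BAdI's base-31 encoding of the number-range counter next to a keyed HMAC-SHA256 derivation where only the key is secret, as the Kerckhoffs reply demands, plus a CSPRNG alternative, the guessing-resistance figure for a 10-character PRC and the duplicate check Gregor asks for. The key, the registry and all counters are constructed for the example; in ABAP the HMAC itself would come from the SHA2 classes that Note 1410294 covers.

```python
import hmac
import hashlib
import math
import secrets

# Same alphabet as the standard CRM_MKT_PRC_CONVERT implementation.
BASE31 = "0123456789BCDFGHJKLMNPQRSTVWXYZ"
PRC_LEN = 10  # PRC length stated in the question


def base31_encode(n: int) -> str:
    """Port of the standard BAdI: plain base-31 of the counter, so the
    code carries the counter value itself and consecutive codes are adjacent."""
    out = ""
    while True:
        n, pos = divmod(n, 31)
        out = BASE31[pos] + out
        if n == 0:
            return out


def keyed_prc(counter: int, key: bytes, length: int = PRC_LEN) -> str:
    """Derive the PRC as HMAC-SHA256(key, counter), rendered in base 31.

    The algorithm can be public; the key is the only secret. Without it, the
    PRC for counter+1 cannot be derived from the PRC for counter. The 256-bit
    digest is taken as an integer and reduced to `length` base-31 characters
    (the bias from 2**256 not being a multiple of 31**length is negligible).
    """
    mac = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    value = int.from_bytes(mac, "big")
    chars = []
    for _ in range(length):
        value, pos = divmod(value, 31)
        chars.append(BASE31[pos])
    return "".join(chars)


def random_prc(length: int = PRC_LEN) -> str:
    """Alternative from the replies: draw the PRC from a CSPRNG, no counter at all."""
    return "".join(secrets.choice(BASE31) for _ in range(length))


def prc_entropy_bits(length: int) -> float:
    """Guessing resistance of a uniform random PRC: 10 chars is about 49.5 bits,
    12 chars about 59.5 bits, ample against online guessing if lookups are rate-limited."""
    return length * math.log2(31)


class PrcRegistry:
    """Constructed stand-in for the CRM mapping PRC -> (campaign, business partner).
    A returned PRC is looked up here, never decoded, so the code reveals nothing."""

    def __init__(self, key: bytes):
        self._key = key
        self._by_prc = {}  # PRC -> (campaign, bp)

    def issue(self, counter: int, campaign: str, bp: str) -> str:
        prc = keyed_prc(counter, self._key)
        # Gregor's requirement: never create the same PRC twice.
        if prc in self._by_prc:
            raise ValueError(f"PRC collision for counter {counter}: skip this counter")
        self._by_prc[prc] = (campaign, bp)
        return prc

    def resolve(self, prc: str):
        """Returns (campaign, bp) or None; normalises what a human typed in."""
        return self._by_prc.get(prc.strip().upper())
```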
