SHA-1 Encryption of passwords

I believe that in Netweaver 6.4 and above SHA-1 is used for password encryption.  Does anyone know if a 'salt' is used when encrypting?  If not, can use of a 'salt' be configured, and also verified?  Thanks in advance.

Hi Ron,
First of all: SHA-1 is a hash function; that has nothing to do with encryption. Encrypted data can be decrypted; hashed data, however, cannot be converted back to plain text. That's an advantage when dealing with passwords.
Well, as of NetWeaver 7.0 (aka "2004s"), ABAP systems not only support case-sensitive and longer passwords (up to 40 characters) but also use SHA-1 to calculate the password hash value. Yes, a salt is used: it's a deterministic salt (not a random salt), calculated from the plaintext password and the user ID. So, if two users have the same plaintext password, their password hash values are different.
As of NetWeaver 7.1, ABAP systems do support (iterated) random-salted password hash algorithms (iterated SSHA-1).
Related SAP Notes:
   - 1023437 (NW 7.0): https://service.sap.com/sap/support/notes/1023437
   - 991968 (NW 7.1): https://service.sap.com/sap/support/notes/991968
Regards, Wolfgang
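As an added illustration (not SAP's code; the thread does not give the actual derivation of NetWeaver's deterministic salt, so SHA-1(USERID || password) below is an assumption), this Python contrasts the three schemes Wolfgang describes: unsalted SHA-1, a deterministic salt derived from user ID and password, and iterated random-salted SHA-1 with the salt stored beside the hash.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Added illustration of the schemes described above; NOT SAP's implementation.
# The deterministic salt below is simply SHA-1(USERID || password): an
# assumption standing in for whatever derivation NetWeaver actually uses.


def unsalted_sha1(password: str) -> str:
    """Plain SHA-1 of the password: equal passwords give equal hashes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def deterministic_salted_sha1(userid: str, password: str) -> str:
    """Salt derived from user ID and password, so no salt column is needed.

    Two users with the same password get different hashes, but the same user
    setting the same password again gets exactly the same hash as before.
    """
    salt = hashlib.sha1((userid.upper() + password).encode("utf-8")).digest()
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


def random_salted_sha1(password: str, iterations: int = 1024,
                       salt: Optional[bytes] = None) -> Tuple[bytes, str]:
    """Iterated, random-salted SHA-1 in the style of SSHA-1.

    The salt must be stored next to the hash. Every call with salt=None draws
    a fresh salt, so the same password yields a different hash each time.
    """
    if salt is None:
        salt = os.urandom(12)
    digest = hashlib.sha1(salt + password.encode("utf-8")).digest()
    for _ in range(iterations - 1):        # `iterations` SHA-1 calls in total
        digest = hashlib.sha1(digest + salt).digest()
    return salt, digest.hex()


def verify_random_salted(password: str, salt: bytes, stored_hex: str,
                         iterations: int = 1024) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = random_salted_sha1(password, iterations, salt)
    return hmac.compare_digest(candidate, stored_hex)


def compare_schemes(password: str = "Winter2024") -> Dict[str, bool]:
    """One password shared by ALICE and BOB, and set twice in a row by ALICE."""
    salt_a, hash_a = random_salted_sha1(password)
    _, hash_a_again = random_salted_sha1(password)
    return {
        "unsalted_same_across_users":
            unsalted_sha1(password) == unsalted_sha1(password),
        "deterministic_same_across_users":
            deterministic_salted_sha1("ALICE", password)
            == deterministic_salted_sha1("BOB", password),
        "deterministic_same_on_reset":
            deterministic_salted_sha1("ALICE", password)
            == deterministic_salted_sha1("ALICE", password),
        "random_same_on_reset": hash_a == hash_a_again,
        "random_verifies_with_stored_salt":
            verify_random_salted(password, salt_a, hash_a),
    }


if __name__ == "__main__":
    for name, value in compare_schemes().items():
        print(f"{name}: {value}")
```

The deterministic scheme needs no salt column and makes a password reset to the same value detectable by plain hash comparison; the random scheme gives up that property in exchange for hashes that cannot be precomputed per user.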

Similar Messages

  • SHA-1 Encryption is not working in Container managed security

    Hi,
    I have to turn to your help after no luck with other possible resource.
    I implemented container managed security on my apps and it works well without the encrypted password (clear text) in the table column. Now I referred to the OC4J Security guide to implement the password encryption as follows:
    1. Using the DBTableOraDataSourceLoginModule, set the option pw_encoding_class = oracle.security.jazn.login.module.db.util.DBLoginModuleSHA1Encoder
    2. run the following procedure:
    DECLARE
        l_password VARCHAR2(50) := 'welcome';
        l_password_raw RAW(128) := utl_raw.CAST_TO_RAW(l_password);
        l_encrypted_raw RAW(2048);
        l_encrypted_string VARCHAR2(2048);
    BEGIN
        dbms_output.put_line('Password in String: ' || l_password);
        dbms_output.put_line('Password in raw: ' || l_password_raw);
        -- SHA-1 digest of the password bytes (20 bytes; printed as 40 hex characters)
        l_encrypted_raw := dbms_crypto.hash(l_password_raw, dbms_crypto.HASH_SH1);
        dbms_output.put_line('SH1: ' || l_encrypted_raw);
        -- BASE64_ENCODE returns RAW; cast it to VARCHAR2 to obtain the Base64 text.
        -- Assigning the RAW straight to a VARCHAR2 yields the hex dump of the Base64 bytes instead.
        l_encrypted_string := utl_raw.CAST_TO_VARCHAR2(UTL_ENCODE.BASE64_ENCODE(l_encrypted_raw));
        dbms_output.put_line('Base64Encoding: ' || l_encrypted_string);
    END;
    3. update the clear text password with the SHA-1 encrypted password encoded in Base64 (in my case, it's the parameter "l_encrypted_string").
    Now I run the application and login says "password not matching!" If anyone knows what's going on, please advise me what's wrong... pls
    thanks very much,

    Hi,
    Hard to say without knowing the code the OC4J team uses in their login module. I know they based it on a JAAS LoginModule I wrote some years ago, but they did change some parts of it. In the original version, the password was read from the database and then compared with the provided password string. Using encryption, it uses a class to encode and decode the password queried from the database. My guess is that the returned string, after decoding, doesn't match the password string you provide when authenticating. Since this piece of code is owned by the OC4J team, I suggest trying the Application Server forum or the Security forum.
    Frank

  • Encryption of password, then validate PW at login

    Hi all!
    I am new to java.
    I am writing a client server application using JDK 1.3 and I want the user to enter a user name and password and have my app check the password against the user's password stored in a central database. I guess I am looking to understand what approach or method is best to use.
    For example, from what I've read I can encrypt the password stored in the DB using a byte-array encryption. I think I understand how to do this. But I am not sure how to "validate" the user's PW at login against it. Does this involve a comparison of hash values?
    As you can see, I may really not know what I am talking about. Any guidance or direction to resources on this would be greatly appreciated. Any code samples always appreciated as well.
    Thanks.
    Eric

    Hi, Eric
    Just wanted to tell you about two things:
    1. While hashing is better than storing the PW as clear text, there is a vulnerability if you just hash the PW. You leave your PW database open to a "dictionary" attack. This means that an attacker compiles a dictionary of common passwords and stores the passwords together with their hash values (either SHA-1 or MD5 or whatever it is). He then looks in the PW database for a hash value that matches one in his dictionary. If he finds a match he has the PW.
    E.g. the U**X developers saw this problem and added a number called "salt" to the passwd fields. Each PW entry has a unique "salt" value, so that the same clear text PW is never mapped to the same hash. You just store this number together with the PW hash and it's used in calculating the hash from the clear text PW by concatenating it to the PW.
    It is even better to add still another number, called an "iteration count", to the PW database. This means that you call the hash function a certain number of times to generate the hash, not just once.
    For a good discussion of all this see PKCS#5: http://www.rsasecurity.com/rsalabs/pkcs/pkcs-5/index.html
    2. Never use client side PW calculations! If one of your users enters a PW into the web form, the JavaScript code posted here calculates the MD5 hash and sends it to the server. That's great for an attacker. He just needs to sniff the network, wait for the user id and the MD5 hash to flow by, and then he can use the hash in a "doctored" client which just wants the hash of the PW to be entered instead of the PW itself. So he doesn't even need to know the PW!
    It's better to use a TLS/SSL connection to the server and to transfer the PW to the server, which creates the hash from the PW. This way an attacker is not able to gain anything from sniffing.
    If that is not possible you could use one of the many challenge/response protocols which are quite sophisticated (e.g. RFC 2831). However, they are difficult to implement in a browser environment.
    Regards,
    Frank

  • SHA-1 Encryption is not working under OC4J security

    Hi,
    I have to turn to your help after no luck with other possible resource.
    I implemented container managed security on my apps and it works well without the encrypted password (clear text) in the table column.
    (JDeveloper 10g, OC4J 10g)
    Now I referred to the OC4J Security guide to implement the password encryption as follows:
    1. Using the DBTableOraDataSourceLoginModule, set the option pw_encoding_class = oracle.security.jazn.login.module.db.util.DBLoginModuleSHA1Encoder
    2. run the following procedure:
    DECLARE
        l_password VARCHAR2(50) := 'welcome';
        l_password_raw RAW(128) := utl_raw.CAST_TO_RAW(l_password);
        l_encrypted_raw RAW(2048);
        l_encrypted_string VARCHAR2(2048);
    BEGIN
        dbms_output.put_line('Password in String: ' || l_password);
        dbms_output.put_line('Password in raw: ' || l_password_raw);
        -- SHA-1 digest of the password bytes (20 bytes; printed as 40 hex characters)
        l_encrypted_raw := dbms_crypto.hash(l_password_raw, dbms_crypto.HASH_SH1);
        dbms_output.put_line('SH1: ' || l_encrypted_raw);
        -- BASE64_ENCODE returns RAW; cast it to VARCHAR2 to obtain the Base64 text.
        -- Assigning the RAW straight to a VARCHAR2 yields the hex dump of the Base64 bytes instead.
        l_encrypted_string := utl_raw.CAST_TO_VARCHAR2(UTL_ENCODE.BASE64_ENCODE(l_encrypted_raw));
        dbms_output.put_line('Base64Encoding: ' || l_encrypted_string);
    END;
    3. update the clear text password with the SHA-1 encrypted password encoded in Base64 (in my case, it's the parameter "l_encrypted_string").
    Before setting up the pw_encoding_class option, the DBTableOraDataSourceLoginModule with the clear text password in the table column was working well.
    Now, after the above steps, I run the application and login says "password not matching!" If anyone knows what's going on, please advise me what's wrong... pls
    thanks very much,

    Hi,
    Hard to say without knowing the code the OC4J team uses in their login module. I know they based it on a JAAS LoginModule I wrote some years ago, but they did change some parts of it. In the original version, the password was read from the database and then compared with the provided password string. Using encryption, it uses a class to encode and decode the password queried from the database. My guess is that the returned string, after decoding, doesn't match the password string you provide when authenticating. Since this piece of code is owned by the OC4J team, I suggest trying the Application Server forum or the Security forum.
    Frank

  • Encrypt / Decrypt password

    Hi
    I'm new to Java and I need to create a function to encrypt / decrypt passwords using the Blowfish algorithm. I know how to create a key, but I don't know how to recover it to decrypt the password.
    Another question: is it possible to use public/private keys in this case?
    Can you give me some links or examples please?
    Regards
    J.C.

    This is typically done in one of two ways:
    1) PBE based encryption. This uses a password or pass phrase to derive a key to use with a symmetric algorithm.
    2) Asymmetric using something like RSA. Typically RSA is used to wrap the actual symmetric key used to do the encryption, but for very short plaintext it can be used directly on the plaintext. Passwords are a good example of short plaintext.
    Obviously symmetric encryption is a great deal faster than asymmetric encryption. So if your plaintext was large you would want to use symmetric. Also, asymmetric encryption is length dependent. AKA if your public key's modulus is 1024 bits then you could encrypt any plaintext that was 121 bytes or shorter.
    PBE takes a salt (a random byte array) and an iteration count and hashes a passphrase with the salt iteration number of times to generate a key that can be reproduced over and over again and used with a symmetric algorithm. The issue here is that your salt/ic either need to be hard coded and reused or the values for any single encryption need to be saved along with the ciphertext. Using the same ic/salt for a large number of plaintext to ciphertext operations can lead to a weakening of the pass phrase (aka the key) and aids a cryptanalyst in breaking the code. Although it is still difficult, it becomes easier with each successive encryption.
    It's up to you which route you take, but you should note that private keys used in asymmetric encryption use PBE to keep them private anyway, so in a sense if you use asymmetric encryption you are really using both asymmetric encryption and PBE...

  • Preview - PDF - Encrypt - Add password

    I am trying to be a loyal Mac user and rely on Preview for management of my secure PDF files.
    (I have used Adobe Acrobat Professional -AAP- for several years; I am trying to avoid installing it on my clean SL installation.)
    1.) How do I use Preview to open a PDF file created, encrypted, and password protected in AAP? (I get an error: "The file “Secure.pdf” could not be opened. It may be damaged or use a file format that Preview doesn’t recognize.")
    2.) Can someone give me simple step by step instructions to add Automator functions to Preview to allow me to encrypt and password protect individual files on a file by file basis?
    All of this is very simple in AAP. Seems unnecessarily difficult in SL...
    Help?

    Well, Dr. Midnight,
    There IS an answer. The "Password Protect PDF" file is a function in Automator that comes up as a Service in Preview.
    For me the problem is that Automator is not very intuitive and I am too old and too lazy to learn a new programming language just to replace/repair functionality that I had with Acrobat Professional in Leopard that got broken in Snow Leopard.
    Ok, - in truth - not broken, but moved and changed and made less easy to use. Preview becomes the default PDF handler in Snow Leopard. I thought, ok, if Preview will do what Acrobat Professional used to do for me, I'll be a good little loyal Apple user and move from Acrobat Professional to Preview (and stop paying for Acrobat upgrades).
    Then I figured out it is a PITA to learn Automator and I learned that no one on this forum seems to know (or be willing to share) simple steps to enable one Automator Service.
    So I reinstalled Acrobat since I already own two licenses and since it does what I want simply and intuitively.
    By the way, thanks for checking in. Nice to know I am not all alone out here ....

  • "How to Unlock iPad encrypted Backup -Password When Forgoten?"

    I can't remember my password for the encrypted backup.

    Look at this link http://osxdaily.com/2013/06/26/recover-lost-encrypted-backup-password-ios/
     Cheers, Tom

  • Is there a way to de-encrypt the password field in dba_users


    Can you be a little more specific? I've forgotten my old password. Now, without the old password, will it allow me to create a new password? I know that whenever I altered any user it generally didn't ask for the old password. Then how does Oracle know who is an authentic user and who is not? Can you explain it.
    Regards.
    Satyaki De.

  • Make a field encrypted like password field

    Hi,
    I want to make a text field encrypted like the password field in the find user form, so that the field shows dots when a user enters that field. For that I set secret = true for that field. But after doing that, the find user form is not working for that text field (search criteria). I think we need to decrypt that field as well to make the search functionality work. But I am unable to do that. Please help.

    In addition to secret = true, try to add noEncrypt = true on that Field.

  • Encrypt/Decrypt passwords

    Hi...
    Another thread with that same, old subject... right? Perhaps yes!! But I am not able to move further without help.
    I am developing an application where the user needs to log in by entering a password. My requirement is to encrypt the password first (while registering the user) and store it in a database (using MS Access 2007). Later, while logging in, I need to decrypt that stored password and validate the password entered by the user.
    As I am quite new to this, I am not able to understand how to proceed. I checked in this forum, even on the net, and found a lot of stuff, but still I am not able to develop this.
    Any suggestion or help would be appreciated.
    I have a few simple logics that could be used: 1. replace each character with the next (or next to next) character, 2. insert some junk characters between each character and create a string... etc.
    But I am looking for some serious encryption/decryption techniques.
    Thanks in Advance...

    > Oh yeah.. what an 'Aloo Paratha' with no salt. But not able to understand how to add this 'Salt' to my paratha.. :(
    > TiA...
    Suppose I had read access to the password table, where I also had an account:
    | user_name | digested_password | ...
    +-----------+-------------------+--
    | bdlh      | efagukfuilfehilef |
    | smith     | fiopwefiopf890fnk |
    ...I can't guess smith's password from his digest, but what if I notice:
    | user_name | digested_password | ...
    +-----------+-------------------+--
    | bdlh      | efagukfuilfehilef |
    | smith     | fiopwefiopf890fnk |
    | kumar     | efagukfuilfehilef |
    Hey! kumar and I happen to have the same digest! We have the same password! (Or as good as.) I can log on as kumar and have a jolly time at his expense.
    Now change things with a pinch of salt: a randomly generated unique string. One's digested_password is actually the digest of password+salt:
    | user_name | digested_password | salt     |
    +-----------+-------------------+----------+
    | bdlh      | efagukfuilfehilef | efaghkku |
    | smith     | fiopwefiopf890fnk | h23bh9m0 |
    | kumar     | vjlvsr8u0w780w4bj | 789r2bh7 |
    Now even if kumar and I happen to have the same password, our salts make the digests different.
    As for "how to digest", use MessageDigest: [http://java.sun.com/javase/6/docs/api/java/security/MessageDigest.html]
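Frank's salt-plus-iteration-count advice in the "Encryption of password, then validate PW at login" thread and the salted digest table in the reply just above, put into working Python as an added example (not code from either post): the record layout, user names and passwords are constructed here, and hashlib.pbkdf2_hmac stands in for the PKCS#5 PBKDF2 that Frank cites.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

# Added example, not code from either post. The record layout
#   pbkdf2-sha1$<iterations>$<base64 salt>$<base64 digest>
# is my own convention; hashlib.pbkdf2_hmac implements the PKCS#5 v2 PBKDF2
# construction, combining the per-user salt with the iteration count.

SCHEME = "pbkdf2-sha1"


def make_record(password: str, iterations: int = 100_000,
                salt: Optional[bytes] = None) -> str:
    """Hash a password with a fresh random salt and an explicit iteration count.

    Salt and iteration count are stored inside the record, as the posts above
    suggest, so the verifier needs nothing beyond the record itself.
    """
    if iterations < 1:
        raise ValueError("iteration count must be positive")
    if salt is None:
        salt = os.urandom(16)          # unique per record, never reused
    digest = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations)
    return "$".join([SCHEME, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])


def verify_record(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt/iterations; reject malformed records."""
    try:
        scheme, iters, salt_b64, digest_b64 = record.split("$")
        iterations = int(iters)
        if scheme != SCHEME or iterations < 1:
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
    except ValueError:   # wrong field count, bad int, or bad base64 (binascii.Error)
        return False
    candidate = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)   # constant-time comparison


def record_digest_hex(record: str) -> str:
    """Return the digest field of a record as hex, for inspection."""
    return base64.b64decode(record.split("$")[3]).hex()


def build_table(iterations: int = 10_000) -> Dict[str, str]:
    """Constructed user table in the shape of the example above: bdlh and kumar share a password."""
    users = {"bdlh": "hunter2", "smith": "correct horse", "kumar": "hunter2"}
    return {name: make_record(pw, iterations) for name, pw in users.items()}


def digests_all_distinct(table: Dict[str, str]) -> bool:
    """With per-user salts, equal passwords no longer produce equal digests."""
    return len({r.split("$")[3] for r in table.values()}) == len(table)


if __name__ == "__main__":
    table = build_table()
    for name, rec in table.items():
        print(name, rec)
    print("all digests distinct:", digests_all_distinct(table))
    print("bdlh login ok:", verify_record("hunter2", table["bdlh"]))
```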

  • Please Help!!!  Encrypt/Decrypt Password

    I'm a newbie to Cryptography... and I know that this question has been asked MILLIONS of times... but I'm going to ask it again. I searched through the forum, and I didn't find anything useful... but:
    I want to write a program to encrypt the password I type in the JPasswordField... save it out to a Properties file... when I'm trying to authenticate, get the password... decrypt the password... and authenticate.
    i pretty much have the JPasswordField and Properties file done...i just need the encryption and decryption left.
    can someone please help??? please post example code...please don't suggest hashcode!!!
    sin sai

    Try this, found at:
    [ http://java.ittoolbox.com/documents/document.asp?i=1676 ]
    You can convert your password to MD5 format as follows:
    import java.security.*;

    public class PasswordEncrypt {

        /** Constructor for the PasswordEncrypt object */
        public PasswordEncrypt() { }

        /**
         * This is the method which converts any string value to MD5 format.
         * Note that this is an unsalted one-way digest, not reversible encryption.
         *
         * @param str password
         * @return digest of the password as a hex string
         */
        public String encrypt(String str) {
            StringBuffer retString = new StringBuffer();
            try {
                MessageDigest alg = MessageDigest.getInstance("MD5", "SUN");
                byte bs[] = str.getBytes("UTF-8");
                byte digest[] = alg.digest(bs);
                // Two hex characters per byte; the 0x0100 offset keeps a leading zero for values below 0x10
                for (int i = 0; i < digest.length; ++i) {
                    retString.append(Integer.toHexString(0x0100 + (digest[i] & 0x00FF)).substring(1));
                }
            } catch (Exception e) {
                System.out.println("there appears to have been an error " + e);
            }
            return retString.toString();
        }
    }

  • Unity 7.0 & Lotus Domino 8.5.3 "Error Encrypting notes password"

    Hi Guys,
    Hope I can seek a little help here. I am trying to setup a Unity 7.0 in a lab to use Lotus Domino 8.5.3 as the message store. I've installed ES41 so that it support domino 8.5.3.
    I already have the UnityInstall, UnityAdmin & UnitySvc accounts configured and ran the permission wizard successfully.
    But when come to the message store configuration wizard, i'm hitting the bump of "error encrypting notes password" and second error of "could not set the config password"
    I've found a similar thread for this but the solution doesn't work for me. (https://supportforums.cisco.com/message/1213310#1213310)
    things I've done so far:
    reinstall notes, manually create the notes 6.0 5.0 registry key as per bug id CSCsb76049, change the password as per CSCsx19170,
    also checked the whoami /priv did have backup & restore listed.
    Any help on this is much appreciated.
    Thanks
    Regards,
    Alex

    Update on this, I've also done the procedures of "Patch Cisco Unity for IBM Lotus Notes 8.x Support" &
    "Add the Domino 8.5.x MailFileTmplt Registry Key on the Cisco Unity Server" according to
    http://www.cisco.com/en/US/docs/voice_ip_comm/unity/7x/release/notes/702curelnotes.html#wp593368 but without any luck.
    Any kind soul?
    Rgrds,
    Alex

  • Encrypt with password- Help

    I created a pdf, used Advanced/Security/Encrypt with Password. I did not provide a password. Acrobat must have. How do I find or fix? What did Acrobat use to create the password? I was expecting a prompt. Next thing I know it's protected with an unknown pw? Help.
    Thanks
    It is looking for a 'permissions password'.  I did not provide one.  My bad here it seems.

    It's impossible not to enter a password when applying protection using that menu item. Acrobat wouldn't make one up and will not accept a blank entry on the dialog box.
    Are you sure you didn't apply a previously-created Security Policy, in which you chose to store the password inside the policy?

  • Retrieving encrypted(MD5) password in LDAP

    I have this code that retrieves LDAP entries, particularly the common name (cn), e-mail address (mail) and password (userpassword). Everything is ok except for the password. The password of each user appears the same, which is not correct because when I try connecting to LDAP using telnet, it displays different values.
    The password that I'm always getting is: [B@7ee6fc
    The code in particular is:
    for (Enumeration vals = attr.getAll(); vals.hasMoreElements(); ) {
        Object val = vals.nextElement(); // userpassword arrives as byte[]; printing it directly gives its object identity, "[B@..."
        System.out.println("\t" + (val instanceof byte[] ? new String((byte[]) val) : val));
    }
    Is there a problem with my code? Apparently, it is not getting the exact string, while the other attributes are correct.
    By the way, our LDAP is using MD5 for the encryption of passwords.
    (I'm also having problems with my MD5 code in JAVA, but that's another story :) For now, I have to retrieve the correct userpassword)
    Thanks in advance.

    The password must be a byte array. Try to convert into byte[]

  • Encrypt backup password

    Hello Folks,
    I am not very good with forums so please excuse my language.
    I have an iPhone 5 which I got unlocked from AT&T and was doing Restore iPhone. I forgot the encrypt backup password. Now my phone is getting restored to the last backup done on iCloud, which is from 4 months ago. Please tell me how I can get into my most current backup. I am using the most current iOS.
    Thanks for all your input.

    If you have an encrypted backup, the only way to use that backup is to remember the password. If you cannot remember the password, you will have to delete that backup and create a new one. If you have already restored the phone, you will only be able to use the latest un-encrypted backup to restore with if you cannot remember the password.
