Posted by Fareez Ahamed in ABAP Development on Mar 21, 2012 11:36:02 AM

Most of us use numerous services available on the net, such as mail, social networking services, and blogs. So it is natural to ask, “Can a database administrator working at Facebook get the password of my Facebook account if he wishes?” It is a worthy question, but the answer is “No”. Your passwords are never stored as is. (Well, I don’t know the policy of Facebook regarding this; I mention it just as an example.)

When you enter your password to log in, the server must verify it; at the same time, the password should not be stored as is in the database. Encryption looks like a good option here, but where would you store the key? “If the key could be stored securely in the database, then we could have stored the password in the same manner!”

The solution is ‘hashing’. What is a hash function? A hash function takes data as input and produces an output that looks almost random (it is not actually random; it is produced by an algorithm).

Let A be the data and h(n) be the hash function.

h(A) = X

where X is called the message digest of the data A.

h(n) does not have an inverse function. So given X alone, you cannot arrive at A using any algorithm.

i.e., h⁻¹(X) does not exist.

At the same time, the algorithm should not produce the same message digest for two different messages. Avoiding this entirely is impossible (the pigeonhole principle explains why collisions cannot be avoided), so the probability of getting the same message digest for two different messages should be minimal. Two different messages having the same message digest is called a collision. Various standard hash functions, such as MD2, MD4, MD5, SHA0, SHA1 and SHA2, are available which have the above-mentioned property. I am not a very good mathematician, so it is inappropriate for me to explain more about the mathematical properties of hash functions, so I stop myself here.

MD5 is one of the most famous hash functions and it gives the above output for ‘Hi’.

Now, how do we achieve our target, i.e., saving the password on the database server in a way that the DBA can’t get it?

We saw that a hash is a one-way function and that no inverse function exists for it. So if we store the message digest of our password in the database, no one can convert it back into the password even if they have full access to the database. When we log in, the password we enter is converted into a message digest and compared with the message digest of our original password, which is already stored in the database.

There are various function modules available in SAP to hash character data or any other type of data.

MD5_CALCULATE_HASH_FOR_CHAR

The above function module can be used to hash passwords.
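The store-the-digest, compare-at-login flow described above, as an added Python example (not the author's code and not ABAP; it does not call MD5_CALCULATE_HASH_FOR_CHAR). It goes beyond the post by placing a per-user salted PBKDF2 variant beside the plain MD5 scheme, because an unsalted digest is identical for every user who picks the same password; the user names, the password and the round count are constructed for this example.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 200_000  # assumption: work factor picked for this example


def md5_digest(password: str) -> str:
    """Scheme from the post: keep only the MD5 message digest."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def register_plain(db: dict, user: str, password: str) -> None:
    db[user] = md5_digest(password)


def login_plain(db: dict, user: str, password: str) -> bool:
    stored = db.get(user)
    # Constant-time comparison of the stored and the freshly computed digest.
    return stored is not None and hmac.compare_digest(stored, md5_digest(password))


def register_salted(db: dict, user: str, password: str) -> None:
    salt = os.urandom(16)  # fresh random salt per user, stored beside the digest
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    db[user] = (salt, key)


def login_salted(db: dict, user: str, password: str) -> bool:
    record = db.get(user)
    if record is None:
        return False
    salt, stored = record
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(stored, key)


def demo() -> dict:
    plain, salted = {}, {}
    for user in ("alice", "bob"):  # constructed users sharing one constructed password
        register_plain(plain, user, "Summer2012")
        register_salted(salted, user, "Summer2012")
    return {
        "plain_login_ok": login_plain(plain, "alice", "Summer2012"),
        "plain_wrong_pw": login_plain(plain, "alice", "summer2012"),
        "plain_same_digest": plain["alice"] == plain["bob"],
        "salted_login_ok": login_salted(salted, "bob", "Summer2012"),
        "salted_wrong_pw": login_salted(salted, "bob", "summer2012"),
        "salted_same_digest": salted["alice"][1] == salted["bob"][1],
    }
```

In the plain table both rows carry the same digest, so anyone reading the table learns that the two users share a password; in the salted table the stored values differ while login still succeeds.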

Hope this will be useful information. For more generalized info regarding this, visit my blog.

- Fareez Ahamed K.N.