
Version used: SAP B1 9.0

Background

We want to supply a simple authentication web form for external users, and would like to use the SAP B1 user management to administer users (and of course passwords).

Since we were not able to find the algorithm behind the password hashing, my boss also considered using a different field from the SAP User, e.g. Mobile Device ID, and storing a password there. Having it stored there as plain text, as well as potentially being seen by other users in various forms, however seems like a really bad idea to me, which is why I am asking here for ideas.

Most preferably someone here knows the hashing algorithm, whether salts are stored separately, etc. :-)

Info

The web application has access to the SQL database where the SAP data is stored, but no "direct" communication with SAP.

The actual question(s)

  • What kind of hashing algorithm does SAP use?
  • Or is there a different workaround, if it is not known?
Sandra Rossi
Levite
  • I don't know much about B1, so I won't add an answer, but I agree with you - storing passwords in plain text is a terrible idea. – Bryan Cain May 02 '14 at 12:58

2 Answers


This is an interesting and difficult question.

I've tried something but I have not found a working solution. But here are my results, maybe it helps:

The password hash seems to be an SHA1 with salt.

The password salt is stored in OUSR.STData. There is also a field OUSR.NoSTPwdNum but I don't know how it all works together.

The DIAPI-SDK-Helpfile describes the fields as follows:

  • STData: User Password Salt | nVarchar(40)
  • NoSTPwdNum: Password encrypted w/o Salt (cryptography) | Int(6)

I have tried some ways but none of them worked. E.g. salt before and after the password, hash password and add salt, hash/salt as upper and lowercase and so on.

Chatfix
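The trial-and-error search described in the answer above can be made systematic. The following is an added example, not code from the question, from Chatfix's answer or from SAP, and it does not claim to know SAP Business One's actual scheme: a Python probe that takes a password you legitimately know (your own test account), the OUSR.STData value and the stored hash, and tries the usual salted-SHA-1 constructions across text encodings, salt case and salt-as-hex-bytes readings. The construction list, the encodings and the sample record are assumptions constructed for illustration; the sample "stored hash" is built here with one of the candidates so the script runs offline.

```python
"""Added example, not part of the original question or answers.

Systematic probe for a salted-SHA-1 construction. Given a plaintext password
you legitimately know (your own test account), the salt from OUSR.STData and
the stored hash, try the common ways such a hash is built and report which
one, if any, reproduces the stored value. The construction list, encodings
and the sample record are assumptions for illustration; nothing here is
SAP Business One's actual scheme.
"""
import hashlib
from typing import Callable, Dict, Iterator, Optional, Tuple

# Encodings worth trying: Windows/.NET components often hash UTF-16LE text.
ENCODINGS = ("utf-8", "utf-16-le")


def _sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


# Each candidate maps (password_bytes, salt_bytes) to a raw 20-byte digest.
CONSTRUCTIONS: Dict[str, Callable[[bytes, bytes], bytes]] = {
    "sha1(pw)": lambda pw, s: _sha1(pw),
    "sha1(salt+pw)": lambda pw, s: _sha1(s + pw),
    "sha1(pw+salt)": lambda pw, s: _sha1(pw + s),
    "sha1(sha1(pw)+salt)": lambda pw, s: _sha1(_sha1(pw) + s),
    "sha1(salt+sha1(pw))": lambda pw, s: _sha1(s + _sha1(pw)),
    "sha1(hex(sha1(pw))+salt)": lambda pw, s: _sha1(_sha1(pw).hex().encode() + s),
    "sha1(sha1(salt+pw))": lambda pw, s: _sha1(_sha1(s + pw)),
}


def _salt_variants(salt: str) -> Iterator[Tuple[str, bytes]]:
    """Yield distinct (label, bytes) readings of the stored salt string:
    as literal text in each encoding and case, and as raw bytes if it is hex."""
    seen = set()
    for case_label, text in (("as-is", salt), ("lower", salt.lower()), ("upper", salt.upper())):
        for enc in ENCODINGS:
            raw = text.encode(enc)
            if raw not in seen:
                seen.add(raw)
                yield f"text/{case_label}/{enc}", raw
    try:
        raw = bytes.fromhex(salt)
    except ValueError:
        return
    if raw not in seen:
        yield "hexbytes", raw


def find_construction(password: str, salt: str, stored_hash: str) -> Optional[str]:
    """Return a label naming the first matching construction, or None."""
    target = stored_hash.strip().lower()
    for pw_enc in ENCODINGS:
        pw_bytes = password.encode(pw_enc)
        for salt_label, salt_bytes in _salt_variants(salt):
            for name, build in CONSTRUCTIONS.items():
                if build(pw_bytes, salt_bytes).hex() == target:
                    return f"{name} pw={pw_enc} salt={salt_label}"
    return None


# Constructed sample record (assumption): a 40-character hex salt, as the
# nVarchar(40) STData column could hold, and a stored hash that we build here
# with one of the candidates so the example runs offline. A real record would
# be read from OUSR for a test account whose password you set yourself.
SAMPLE_PASSWORD = "correct horse"
SAMPLE_SALT = "A3F2C91B7D4E8A60F15B2C9D3E7A0B4C6D8E9F01"
SAMPLE_STORED_HASH = hashlib.sha1(
    (SAMPLE_SALT + SAMPLE_PASSWORD).encode("utf-8")).hexdigest()

if __name__ == "__main__":
    print(find_construction(SAMPLE_PASSWORD, SAMPLE_SALT, SAMPLE_STORED_HASH))
    print(find_construction("wrong password", SAMPLE_SALT, SAMPLE_STORED_HASH))
```

Run it only against an account whose password you set yourself; there is no reason to dump other users' hashes for this. Extending the probe is a matter of adding entries to CONSTRUCTIONS or ENCODINGS. Even if a construction is found, a single unsalted or simply salted SHA-1 is fast to brute-force, so the web form should treat a match as a fact about SAP's storage, not as a scheme worth copying for its own password store.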

While I do not know whether or not the algorithm is publicly known, there is a workaround: you can use the supplied username & password and try to open a connection to the DI-API with those credentials. This way you can be sure that all access constraints imposed by SBO are actually honored (like inactive users).

ooxi
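What that login check looks like in practice, as an added example that is not code from ooxi's answer or from SAP: a Python function that attempts a DI API connection with the user's credentials and reports only success or failure. It assumes the DI API (the COM component with ProgID "SAPbobsCOM.Company") and pywin32 are installed on the Windows host running the web application, which the question notes is not currently the case; the Server, CompanyDB, LicenseServer, UserName, Password, Connect, GetLastErrorCode, GetLastErrorDescription, Connected and Disconnect members are the DI API's, while the server and company names, the DB_SERVER_TYPE placeholder and the injectable company_factory parameter are assumptions of this example.

```python
"""Added example, not from the original answer or from SAP.

Verify a username/password by attempting a DI API login. Assumes the DI API
(COM ProgID "SAPbobsCOM.Company") and pywin32 are installed on the Windows
host; server/company names are placeholders to adapt. The company_factory
parameter exists so the function can be exercised without the DI API.
"""
import logging
from typing import Any, Callable

log = logging.getLogger(__name__)

# Placeholder connection settings (assumptions; adapt to your installation).
SERVER = "SBO-SERVER"
COMPANY_DB = "SBODemoUS"
LICENSE_SERVER = "SBO-SERVER:30000"
# Set to the SAPbobsCOM.BoDataServerTypes value matching your database
# server (assumption: left unset here because the value is version-specific).
DB_SERVER_TYPE = None


def _real_company_factory() -> Any:
    # Imported lazily so the rest of the module loads without the DI API.
    import win32com.client  # pywin32; assumption: present on the host
    return win32com.client.Dispatch("SAPbobsCOM.Company")


def check_credentials(username: str, password: str,
                      company_factory: Callable[[], Any] = _real_company_factory) -> bool:
    """Return True only if the DI API accepts the login.

    Any non-zero return from Connect() is treated as a failed login. The
    reason is logged for the operator but never returned to the web user:
    the DI API's messages distinguish cases such as inactive users, which
    would otherwise leak account status to whoever is typing into the form.
    """
    if not username or not password:
        return False
    company = company_factory()
    try:
        company.Server = SERVER
        company.CompanyDB = COMPANY_DB
        company.LicenseServer = LICENSE_SERVER
        if DB_SERVER_TYPE is not None:
            company.DbServerType = DB_SERVER_TYPE
        company.UserName = username
        company.Password = password
        rc = company.Connect()
        if rc != 0:
            log.info("DI API login failed for %r: %s %s", username,
                     company.GetLastErrorCode(), company.GetLastErrorDescription())
            return False
        return True
    finally:
        # A successful Connect() occupies a licence slot; always release it,
        # even if an exception is raised after the connection was opened.
        if getattr(company, "Connected", False):
            company.Disconnect()
```

Each call performs a full DI API connection, which is slow compared with a hash comparison and ties up a licence for its duration, so throttle attempts per account and per client address before they reach this function rather than letting the form be used as a password-guessing oracle against SAP. The web user's password never touches the SQL database in this design; it goes only to the DI API, which applies SBO's own rules.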