In the past, user names and passwords were felt to be a secure authentication method for users accessing SAP applications, but these days this may not be enough. Security lapses arise from the fact that users make their lives easier by choosing easy-to-remember passwords or by writing down complicated passwords. A risk also exists if they store their user names and passwords using cookies, since these are easy to read and can therefore compromise security. Added to these problems is the fact that, when users change to a different SAP application, they have to enter their user name and password again.
One way of solving these difficulties is to use the security solution SECUDE for mySAP.com from SAP software partner SECUDE of Darmstadt in conjunction with the eToken PRO from Aladdin Knowledge Systems Germany. The eToken PRO is a piece of encryption hardware which stores a user’s key material and performs the necessary encryption operations. This allows users to authenticate themselves securely in a single sign-on procedure which simply requires a password.
Single sign-on for SAP applications
When used in conjunction with the SECUDE for mySAP.com security software, the eToken PRO delivers reliable, very secure authentication using a digital ID, and also enables single sign-on. Users plug the eToken PRO into the USB port of a computer and use it as a personal security key to authenticate themselves with their password. The SAP client accesses the certificate which is stored on the key. In this way, users of these keys can sign on from any computer within the corporate network and access all available applications without having to enter their password for each one. The security delivered by this method is based on two components. Firstly, the user has to be in physical possession of his key, and secondly, he needs to know his password.
If a user signs on to an application on a different server, a three-way authentication process between client and server takes place in the background without the user being aware of it. Client and server identify themselves to each other by exchanging digital signatures, and a session key is generated. This key is valid only for the current SAP session and is known only to the communication partners involved; when the user logs out of the system, the key is discarded. The authentication procedure uses the RSA algorithm with a 1024-bit key length, giving 2^1024 possible combinations. To put this in perspective, just 2^64 grains of rice would cover the surface of the earth to a depth of several meters!
Digital ID makes data transfer secure
All the components of an SAP landscape, such as the server, router and printing services, are equipped with a digital ID for purposes of authentication. A 156-bit session key provides digital signature and encryption protection when data packets are transferred. This gives the recipient the assurance that the data has not been tampered with on its way to him, and allows him to check the identity of the sender of each data packet. The data packets can only be read by people authorized to do so.
Users of SAP applications authenticate themselves using X.509v3 certificates. This is the current standard format for certificates and is also the format used by the eToken PRO. The certificate contains, among other data, the name of the holder, details of the issuing authority (for example a certification authority), the period of validity and the public part of the user’s asymmetric key pair. The certificate uniquely links the public key to its owner. The security solution SECUDE for mySAP.com is connected to the SAP system through the Secure Network Communication (SNC) component.
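The binding the article describes, as an added example that is not code from the article, SECUDE or SAP: a Go program (standard library only) generates a self-signed X.509v3 certificate carrying the holder's name, issuer, validity period and public key, then plays a server that challenges the holder with a nonce and accepts only a signature that verifies under the certificate's public key inside its validity window. The user name, nonce and 2048-bit key size are assumptions chosen for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newIdentity generates an RSA key pair and a self-signed X.509v3 certificate that binds
// the public key to the holder's name for the given validity window (constructed values).
func newIdentity(cn string, notBefore, notAfter time.Time) (*rsa.PrivateKey, *x509.Certificate, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	// Passing tmpl as its own parent makes the certificate self-signed (Issuer == Subject).
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return priv, cert, err
}

// signChallenge signs the server's nonce; on the eToken this runs inside the token, so the key never leaves it.
func signChallenge(priv *rsa.PrivateKey, nonce []byte) ([]byte, error) {
	digest := sha256.Sum256(nonce)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// verifyChallenge is the server side: reject a certificate outside its validity period,
// then check the signature against the public key carried in the certificate.
func verifyChallenge(cert *x509.Certificate, nonce, sig []byte, now time.Time) error {
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return fmt.Errorf("certificate for %q is outside its validity period", cert.Subject.CommonName)
	}
	return cert.CheckSignature(x509.SHA256WithRSA, nonce, sig)
}
```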
Aladdin eToken PRO
The eToken PRO has a security architecture that conforms to German digital signature legislation, built around a smart card chip with an encryption processor, a file structure, an operating system with input and output units, and the cryptographic algorithms. The eToken PRO carries out sensitive operations like a small, self-contained computer: the digital signature, for example, is calculated on the key itself. A user’s signature key never leaves the eToken PRO, nor can it exist in unprotected form in the PC environment.
Digital certificates, passwords, keys and other forms of proof of authorization are also stored on the eToken PRO. Access rights, by contrast, are controlled by the relevant application – the file manager, e-mail program or SAP system, for example. Through plug-ins, the eToken PRO also supports file, folder and hard disk encryption as well as e-mail signatures and encryption. Additionally, it supports public key infrastructures (PKI), web access, virtual private network (VPN) clients, computer and network logon, and boot protection.