Hunting crypto secrets in SAP systems

Presented at TROOPERS18 (2018), March 14, 2018, 1:30 p.m. (Unknown duration)

If you're securing things properly, cryptographic material should be all around your SAP systems: for protecting communications with HTTPS, TLS and SNC, for Single Sign-On, for digital signatures and so on. Ever wondered how SAP systems store those credentials and cryptographic keys? Do you know whether your private keys are properly protected? Succeeded at a pentest and want to know how to extract crypto secrets from a compromised host, and what to do with them?

In this talk we'll share our analysis of how cryptographic material and credentials are stored and managed by SAP's cryptographic libraries. Hopefully, a good number of acronyms such as PSE, LPS, DP, TPM or INT will make more sense after attending this talk. We'll also try to make sure you know how to properly protect those secrets.

PARENTAL ADVISORY: this talk will feature explicit crypto operations and ASN.1 parsing routines that might be unsuitable for crypto-sensitive people.

This talk will deep dive into the details of how SAP's CommonCryptoLib stores and handles cryptographic material and credentials (private keys, certificates, SSO logins, etc.). We'll share the results of our analysis of the PSE/Credv2 file formats and of the protection mechanisms in place (LPS, PIN-based encryption, DP/TPM/INT, etc.). As part of this talk, support for handling those file formats in open source tools will be released as well.
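The talk mentions ASN.1 parsing routines, and the PSE/Credv2 containers it covers are DER-encoded structures. The following is an added example, not code from the talk or from the tool release it announces: a generic, stdlib-only DER TLV walker you can point at any DER blob (a PSE, a PKCS#12 bundle, a certificate) to see its structure and the algorithm OIDs it carries before writing a format-specific parser. It does not know the PSE or cred_v2 layout; the sample input is a constructed, hypothetical container built for the example, and it rejects BER-only encodings (indefinite and non-minimal lengths) so that a malformed or truncated file fails loudly instead of being misread.

```python
"""Minimal DER (ASN.1) TLV walker. Added example; not the SAP PSE/cred_v2
parser the talk describes, and not part of any released tool.
Pure stdlib: run it directly to dump the constructed sample container."""
from dataclasses import dataclass, field
from typing import List

# Universal tag numbers we name when printing; anything else prints as a number.
UNIVERSAL_TAGS = {
    1: "BOOLEAN", 2: "INTEGER", 3: "BIT STRING", 4: "OCTET STRING", 5: "NULL",
    6: "OBJECT IDENTIFIER", 12: "UTF8String", 16: "SEQUENCE", 17: "SET",
    19: "PrintableString", 23: "UTCTime", 24: "GeneralizedTime",
}
CLASS_NAMES = ["UNIVERSAL", "APPLICATION", "CONTEXT", "PRIVATE"]

# Constructed sample (hypothetical, not a real PSE): a SEQUENCE holding a
# version INTEGER, an AlgorithmIdentifier for rsaEncryption, an OCTET STRING
# payload, and a context-specific [0] wrapper around a UTF8String.
SAMPLE_DER = bytes.fromhex(
    "3021" "020100" "300d" "06092a864886f70d010101" "0500"
    "0406" "736563726574" "a005" "0c03" "50494e"
)


@dataclass
class Node:
    tag_class: int        # 0 universal, 1 application, 2 context-specific, 3 private
    constructed: bool
    tag: int
    value: bytes          # raw content octets; empty for constructed nodes
    children: List["Node"] = field(default_factory=list)

    def name(self) -> str:
        if self.tag_class == 0:
            return UNIVERSAL_TAGS.get(self.tag, f"UNIVERSAL {self.tag}")
        return f"{CLASS_NAMES[self.tag_class]} [{self.tag}]"


def _read_tag(buf, pos):
    first = buf[pos]
    pos += 1
    tag_class, constructed, tag = first >> 6, bool(first & 0x20), first & 0x1F
    if tag == 0x1F:                       # high-tag-number form: base-128 continuation
        tag = 0
        while True:
            b = buf[pos]
            pos += 1
            tag = (tag << 7) | (b & 0x7F)
            if not b & 0x80:
                break
    return tag_class, constructed, tag, pos


def _read_length(buf, pos):
    first = buf[pos]
    pos += 1
    if first < 0x80:                      # short form
        return first, pos
    n = first & 0x7F
    if n == 0:
        raise ValueError("indefinite length is BER, not DER")
    if n > 4:
        raise ValueError("unreasonable number of length octets")
    length = int.from_bytes(buf[pos:pos + n], "big")
    # DER requires the shortest possible length encoding.
    if length < 0x80 or (n > 1 and length < (1 << (8 * (n - 1)))):
        raise ValueError("non-minimal length encoding is BER, not DER")
    return length, pos + n


def parse(buf: bytes, pos: int = 0, end: int = None) -> List[Node]:
    """Decode every TLV in buf[pos:end], recursing into constructed elements."""
    end = len(buf) if end is None else end
    nodes = []
    while pos < end:
        tag_class, constructed, tag, pos = _read_tag(buf, pos)
        length, pos = _read_length(buf, pos)
        if pos + length > end:
            raise ValueError(f"length {length} at offset {pos} runs past enclosing element")
        node = Node(tag_class, constructed, tag, b"" if constructed else buf[pos:pos + length])
        if constructed:
            node.children = parse(buf, pos, pos + length)
        nodes.append(node)
        pos += length
    return nodes


def decode_integer(content: bytes) -> int:
    return int.from_bytes(content, "big", signed=True)


def decode_oid(content: bytes) -> str:
    first = content[0]
    parts = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    acc = 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(acc)
            acc = 0
    return ".".join(map(str, parts))


def find_oids(nodes: List[Node]) -> List[str]:
    """All OBJECT IDENTIFIERs in the tree, in order: a quick view of which
    algorithms or PBE schemes a container claims to use."""
    found = []
    for n in nodes:
        if n.tag_class == 0 and n.tag == 6:
            found.append(decode_oid(n.value))
        found.extend(find_oids(n.children))
    return found


def dump(nodes: List[Node], indent: int = 0) -> None:
    for n in nodes:
        detail = ""
        if n.tag_class == 0 and n.tag == 2:
            detail = f" = {decode_integer(n.value)}"
        elif n.tag_class == 0 and n.tag == 6:
            detail = f" = {decode_oid(n.value)}"
        elif not n.constructed:
            detail = f" ({len(n.value)} bytes) {n.value[:16].hex()}"
        print("  " * indent + n.name() + detail)
        dump(n.children, indent + 1)


if __name__ == "__main__":
    tree = parse(SAMPLE_DER)
    dump(tree)
    print("OIDs:", find_oids(tree))
```

To use it on a real file, read the bytes and call `parse()` on them; the dump shows where the private key material sits relative to any AlgorithmIdentifier, which is the first thing to check when deciding whether a container is actually PIN-protected or merely obfuscated.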


Presenters:

  • Martin Gallo
    Martin is a security professional with more than 10 years of work experience. After a few years in the IT consulting business at one of the big four, he moved to Core Security to take up the challenge of specializing in penetration testing, code reviews and vulnerability hunting. He is passionate about software engineering and learning how to make great products, and his research interests include enterprise software security, vulnerability hunting, threat modeling and reverse engineering. Outside work, he loves spending time with his family and friends, reading sci-fi novels, listening to stoner metal bands and all things basketball.
