Hunting crypto secrets in SAP systems

If you’re securing things properly, cryptographic material should be all around your SAP systems: for protecting communications with HTTPS, TLS and SNC, Single Sign-On, digital signatures and so on. Ever wondered how SAP systems store those credentials and cryptographic keys? Do you know whether your private keys are properly protected? Succeeded at a pentest and want to know how to extract crypto secrets from a compromised host, and what to do with them?

In this talk we’ll share our analysis of how cryptographic material and credentials are stored and managed by SAP’s cryptographic libraries. Hopefully, a good number of acronyms such as PSE, LPS, DP, TPM or INT will make more sense after attending this talk. We’ll also do our best to make sure you know how to properly protect those secrets.

PARENTAL ADVISORY: this talk will feature explicit crypto operations and ASN.1 parsing routines that might be unsuitable for crypto-sensitive people.

This talk will dive deep into the details of how SAP’s CommonCryptoLibrary stores and handles cryptographic material and credentials (private keys, certificates, SSO logins, etc.). We’ll share the results of our analysis of the PSE/Credv2 file formats and of the protection mechanisms in place (LPS, PIN-based encryption, DP/TPM/INT, etc.). As part of this talk, support for handling those file formats in open source tools will be released as well.

About the Speaker