Tuesday, March 22, 2011

SAP Note 874738 - New password hash calculation procedure (code version E)

Validity: valid since 11.10.2005





Symptom
Previous password hash procedures (code versions B and D) may cause the following error scenarios:
  • Users whose passwords contain certain special characters (for details, see below) can also log on to the system using changed passwords: the system appears to treat all special characters as equal.
    (For more information, see Note 735356.)
  • Under certain circumstances, the system does not take all characters of the password into account when calculating the password hash value (the password is effectively truncated). This applies both to the old password hash procedure (code version B) and to the new password hash procedure (code version D) that was implemented with Note 735356. The problem occurs more often when non-ASCII or Unicode characters are used.

Other terms
USR02-CODVN, UTF8, hash collisions


Reason and Prerequisites
The reason is an incorrect implementation in the kernel (password code versions B and D).


Solution
Use a new kernel and a Support Package/a correction instruction:
  • Systems with SAP_BASIS 4.6x:
    Kernel 4.6 as of patch number 2121.
    In addition, read Note 318846 (usage of a downward-compatible kernel).
    In addition you should implement the ABAP corrections from Note 735356.
  • Systems with SAP_BASIS 6.x:
    Kernel 6.40 as of patch number 90.
    In addition read Note 664679 (usage of a downward-compatible kernel).
    In addition you should implement the ABAP corrections from Note 735356.
  • Systems with SAP_BASIS 7.0:
    Kernel 7.0 as of patch number 23.
    In addition you should implement the ABAP corrections from this note.

For Systems with Basis Release 3.x, 4.0 or 4.5 no solution is available (since UTF8 is not supported prior to kernel Release 4.6).

For systems as of Basis Release 7.0, password code versions B, D and E are of interest only for downward compatibility. As of Release 7.0, new (downward-compatible) password code versions (F and G) are supported. They allow longer passwords (up to 40 characters) and additionally distinguish between uppercase and lowercase letters.
For more information, see Note 862989.



Remark when using the Central User Administration (CUA)
As already described in Note 735356, the implementation of a new password hash procedure (here: code version E) is a change that may cause problems when using a Central User Administration (CUA). It must be ensured that all participating systems of a Central User Administration support the new password encoding procedure (through the usage of the combined ABAP correction and kernel correction). You may only activate the new procedure by setting profile parameter login/password_charset to value 2 (see Note 735356) if this is true.


General restrictions when using the password hash procedure in non-Unicode systems
Some (European) characters exist both as lowercase and as uppercase letters. However, in some code pages in non-Unicode systems only the lowercase letters of some characters exist (for example, Latin-1: characters µ (0xB5) and ÿ (0xFF)); the related uppercase letter character does not exist in the code page. When converting the password to uppercase letters, these characters are not converted (in non-Unicode systems); in Unicode systems, however, the characters are converted. As a result, it can happen that users who have passwords that contain such characters cannot log on to the system with their passwords after an upgrade from a non-Unicode system to a Unicode system.
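
The following Python sketch illustrates the restriction described above. It is an added example, not SAP code: the function names are hypothetical, and the per-character uppercase model (a character is converted only if its uppercase form exists as a single character in the code page) is an assumption based on the description in this note.

```python
# Added illustration: models uppercase conversion in a non-Unicode system
# (limited to one code page) versus a Unicode system. Names are hypothetical
# and the folding model is an assumption, not SAP kernel behaviour.

def unicode_upper(password: str) -> str:
    """Per-character uppercase as a Unicode system would apply it (model)."""
    out = []
    for ch in password:
        up = ch.upper()
        # Ignore multi-character expansions (e.g. sharp s); the note does not cover them.
        out.append(up if len(up) == 1 else ch)
    return "".join(out)

def codepage_upper(password: str, codepage: str = "latin-1") -> str:
    """Uppercase only where the uppercase letter exists in the code page."""
    out = []
    for ch in password:
        up = ch.upper()
        try:
            ok = len(up) == 1 and len(up.encode(codepage)) == 1
        except UnicodeEncodeError:
            ok = False  # uppercase form is missing from this code page
        out.append(up if ok else ch)
    return "".join(out)

def at_risk_characters(codepage: str = "latin-1") -> set:
    """Characters of a single-byte code page that the two systems convert differently."""
    chars = bytes(range(256)).decode(codepage, errors="ignore")
    return {ch for ch in chars if codepage_upper(ch, codepage) != unicode_upper(ch)}

def survives_unicode_conversion(password: str, codepage: str = "latin-1") -> bool:
    """True if the uppercased password is identical before and after the upgrade."""
    return codepage_upper(password, codepage) == unicode_upper(password)

if __name__ == "__main__":
    print("Latin-1 characters at risk:", sorted(at_risk_characters("latin-1")))
    # Constructed sample passwords, for illustration only.
    for pw in ["Sommer2005", "gar\u00e7on", "\u00b5meter", "na\u00efve\u00ff"]:
        status = "unchanged" if survives_unicode_conversion(pw) else "DIFFERS after upgrade"
        print(f"{pw!r}: {codepage_upper(pw)!r} -> {unicode_upper(pw)!r} ({status})")
```

A check of this kind can be applied when a password is set in a non-Unicode system to reject characters that would prevent logon after a Unicode conversion.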




Affected Releases

| Software Component | Release | From Release | To Release | And subsequent |
|---|---|---|---|---|
| SAP_BASIS | 46 | 46C | 46D | |
| SAP_BASIS | 60 | 610 | 640 | |
| SAP_BASIS | 70 | 700 | 700 | |

Correction delivered in Support Package

| Support Packages | Release | Package Name |
|---|---|---|
| SAP_BASIS | 700 | |

Corrections Instructions

| Correction Instruction | Valid from | Valid to | Software Component | Last Modification |
|---|---|---|---|---|
| | 700 | 700 | SAP_BASIS | 07.10.2005 14:29:19 |
