PGP Security

In this blog, I want to explain what is PGP encryption and it will be used in SAP CPI.?

What is PGP ?

Pretty Good Privacy (PGP) is a security program used to decrypt and encrypt email and authenticate email messages through digital signatures and file encryption. 

PGP(Pretty Good Encryption) was first designed and developed in the year 1991 by Paul Zimmerman, a political activist. PGP software was owned and sold by a company called "PGP Corporation", which was founded in 2002 then sold to "Symantec" in 2010. 

Email is a main attack method for cyber criminals who can easily forge messages by using a victim’s name or identity. PGP aims to solve this and enhance email security by encrypting the data to make the communication method is more private. 

PGP was one of the first public-key cryptography software publicly available for free download. Initially, it was used to enable individual users to communicate on bulletin board system computer servers. Later, it was standardized and supported by other applications such as email. It has now become a core standard in email security and has been widely used to protect individuals and organizations data. 

The data encryption program provides cryptographic authentication and privacy for data used in online communication. This allows PGP to be used for encrypting and decrypting text messages, emails, and files.

How PGP Works

1. Key Generation:

   • PGP uses a pair of cryptographic keys: a public key and a private key.
   • The public key is shared openly with anyone who wants to send you encrypted messages.
   • The private key is kept secret and is used to decrypt messages encrypted with the corresponding public key.

2. Encrypting a Message:

   • When someone wants to send you an encrypted message, they use your public key to encrypt the message.
   • PGP also compresses the message before encryption to save space and improve security.
   • After encryption, the message can only be decrypted by your private key.

3. Decrypting a Message:

   • Upon receiving an encrypted message, you use your private key to decrypt it.
   • After decryption, the message is decompressed to retrieve the original content.

4. Signing a Message:

   • PGP also allows for digital signatures, which authenticate the identity of the sender.
   • The sender creates a hash (a fixed-size string of bytes) of the message and then encrypts this hash with their private key to create a digital signature.
   • The recipient can then use the sender's public key to decrypt the signature and compare it with their own hash of the message to verify its authenticity and integrity.

5. Verification:

   • To verify the authenticity of a signed message, the recipient decrypts the signature using the sender's public key and compares the resulting hash with a hash of the received message.
   • If the two hashes match, the recipient can be confident that the message has not been altered and that it was indeed sent by the owner of the private key.

Example Workflow:

1. Alice generates a public/private key pair using PGP.
2. She shares her public key with Bob.
3. Bob writes a message to Alice, encrypts it with her public key, and sends it.
4. Alice receives the encrypted message and uses her private key to decrypt it.
5. Optionally, Bob signs the message with his private key, and Alice uses Bob's public key to verify the signature, ensuring the message's authenticity.

Applications of PGP:

• Email Encryption: PGP is commonly used to encrypt emails, ensuring that only the intended recipient can read them.
• File Encryption: PGP can encrypt files, ensuring that only authorized users can access them.
• Authentication: PGP digital signatures are used to verify the identity of the sender and the integrity of the message.

Next, we will see how to generate public/private keys for our case study...

In real-time, we will be receiving PGP - public key/private key from  Infra team / Basis team.

For learning purpose, I am using Kleopatra (open source) tool to generate PGP public/private keys.

Download Kleopatra from here..

https://files.gpg4win.org/Beta/

Version : 3.1.x, Version 4.x does not support our requirement.

Goto File> New Key Pair ...click on Next

Enter Name and Email (optional, but these details are useful when you refer in SAP CPI)

Click on Advanced Settings..select DSA and click on OK

Keys will be generating in 1 or 2 min

Generated Key pairs are available as shown below..

Now export Public Key and Private (Secret) Key to your local folder.

Note: Private key is your own key and should be shared with your customers. We need to share only Public key.

To extract Public Key..right click on Sample Key pair

To extract Private Key, right click on Sample Key pair again and select Export Secret Key

Cool...keys are ready for encryption and decryption ...

Part 1: Encryption

First, we need to import PGP Public key into PGP Keys Repository.

Next, create a simple HTTPS flow to get encrypted message by using Public Key.

Select PGP Encryptor under Security Elements and then go to properties and specify Key Pair Name..

Test the flow from Postman or Soap UI by passing some test as payload.

Part 2: Decryption

Decryption flow is also same as above, but we need to import Private Key (Secret Key)

Test the flow by using Postman and note the payload is "Encrypted" data (above o/p)

The result is "Actual Input" before encrypted 

Thanks for reading :-)

Log Trace

In this blog, I want to share important points of Log Trace for IFLOWS.

Log level in SAP Cloud Platform Integration (CPI) is a critical setting that determines the amount of detail captured in the Message Processing Log (MPL). It directly impacts the troubleshooting and monitoring capabilities of your integration 

Log levels in CPI include:

NONE: No data is recorded.   

INFO: Basic information about message processing steps and detailed information about the last processing step for failed messages.  

ERROR: Logs are created for failed executions only

DEBUG

Detailed information will be recorded for all steps during processing.
It should be used in test environments only.
Log Level 'Debug' expires after a configured time period, typically 24 hours.
After expiry the log level switches back to the previous log level 'Info'.

TRACE: 

Extremely detailed information, including internal system data.
It should be used in test environments only.
Log Level 'Trace' expires after a configured time period, typically 10 mins.
After expiry the log level switches back to the previous log level 'Info'.
Trace data is removed after the configured retention period, typically 1 hour.

Groovy script will be used to store a message payload as an MPL attachment in case an MPL log level 

is DEBUG or TRACE

import com.sap.gateway.ip.core.customdev.util.Message

Message processData(Message message) {

    String logLevel = message.getProperty('SAP_MessageProcessingLogConfiguration').logLevel.toString()

    if (logLevel in ['DEBUG', 'TRACE']) {

        messageLogFactory.getMessageLog(message)?.addAttachmentAsString('Payload', message.getBody(String), 'text/plain')

    }

    return message

}

Whenever you change the Log level to either DEBUG or TRACE, then payload will be logged as an attachment.

Important points to remember:

• INFO level is often sufficient for identifying general issues and error points.  
• For complex or intermittent problems, increasing the log level to DEBUG or TRACE can provide invaluable insights into the message flow and potential root causes.
• High log levels can impact performance, especially in production environments.
• Balancing detailed logging with performance considerations is essential.
• Sensitive data might be logged at higher levels. So carefully consider the information logged, especially in production environments.
• Log data can be used for monitoring integration flow health and performance.
• Appropriate log levels ensure you have the necessary data for monitoring.

Thanks for reading :-)