Vendor Bank Account Verification under Zero Knowledge, featuring SAP, PRVD Stack, and Shuttle
The LFBK table in SAP ERP contains one of the most heavily guarded (and attacked!!!) pieces of data in an enterprise: the vendor bank account master data.
This data is under routine social engineering and phishing attacks. Every day, hackers try to manipulate accounts payable and other finance/accounting professionals into changing this information to steal payments out of B2B commerce. Processes to share, update, and verify this data are made deliberately manual and slow to ensure greater privacy, but in some cases fraud, theft or errors can still prevail.
What if you could verify the bank account details, without having to reveal them? This is what zero knowledge cryptography is capable of doing. This repo demonstrates a proof of concept of using zero knowledge in this technical business use case.
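The idea of comparing a bank record without disclosing it, as an added illustration that is not code from this repo. It uses a keyed HMAC-SHA256 commitment as a much simpler stand-in for the zero knowledge circuit, so it is not a zero knowledge proof; the field names, the sample records and the out-of-band shared blinding key are assumptions.

```javascript
// Added illustration: keyed commitment comparison, NOT the PRVD consistency circuit.
const crypto = require('node:crypto');

// Hypothetical field names; the page does not list the bank record schema.
const FIELDS = ['vendorId', 'bankCountry', 'iban', 'swift'];

// Normalize formatting so spaces or letter case do not cause false mismatches.
function canonicalize(record) {
  return FIELDS.map((f) => {
    const v = String(record[f] ?? '').replace(/\s+/g, '').toUpperCase();
    // The length prefix keeps field boundaries unambiguous.
    return `${f}=${v.length}:${v}`;
  }).join('|');
}

// Bank identifiers are low entropy, so a plain hash could be brute forced.
// The random blinding key (assumed shared only by buyer and vendor) prevents that.
function commit(record, blindingKey) {
  return crypto.createHmac('sha256', blindingKey)
    .update(canonicalize(record))
    .digest();
}

// The checking party sees only commitments and compares them in constant time.
function matches(a, b) {
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// Constructed sample data (not real vendor records).
const key = crypto.randomBytes(32);
const onFile = { vendorId: '100042', bankCountry: 'DE',
  iban: 'DE89 3704 0044 0532 0130 00', swift: 'cobadeff' };
const fromVendor = { vendorId: '100042', bankCountry: 'de',
  iban: 'DE89370400440532013000', swift: 'COBADEFF' };
const tampered = { ...onFile, iban: 'DE89370400440532013999' };

function demo() {
  const reference = commit(onFile, key);
  return {
    same: matches(reference, commit(fromVendor, key)),
    changed: matches(reference, commit(tampered, key)),
  };
}

console.log(demo());
```

A changed account number produces a mismatch without either side's bank details reaching the party that performs the comparison.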
Create account at https://shuttle.provide.services
Use your email to create an account. You will be prompted to configure an organization and your org-level Vault configuration along with other agreements to accept.
Define workgroup
Upon creating your organization, you will be immediately prompted to create your work group. Accept the Vault privacy policy and continue.
Configure fields of the bank record synchronization message type.
Choose the PRVD network layer 3 testnet. Continue.
Continue until "Finish onboarding" can be selected.
Upon successful workgroup creation - you will be redirected to the Shuttle homepage.
Configure workflow
Select the workflows tab.
Create the workflow. Save and select + to create workstep.
Configure the workstep. Add a name and description. Select the general consistency circuit. Select the previously configured schema. Add participants as needed. Click save.
Once all worksteps are created - deploy the workflow.
Once successfully deployed, the zk-workflow can be reached/triggered via API.
Maintain Shuttle Credentials
Use the email and password in the {{shuttle_email}} and {{shuttle_password}} collection variables
Generating the refresh and access tokens
Execute Postman requests in the following order:
- Authorize Access Token
- List organizations
- JWT Authenticate - Generate long dated refresh token
- JWT Authenticate - Generate short dated access token from refresh token
Maintain the workgroup id, subject account id
For a given workflow, maintaining the correct workgroup id and subject account id in the collection variables is essential for the protocol messages to work correctly.
Review the console outputs when executing "List organizations". You can verify you have the right workgroup and subject account id in the additional endpoints provided.
Maintain the desired workgroup and subject account id in the collection variables
Test the protocol messaging from Postman
While authenticated, go to the Trigger Bank Account Verification request
Add data to the blank fields and execute
Review ZKP in Shuttle
View the console where you originally deployed the workflow
Prerequisites
Use of this SAP sample program requires the installation and configuration of provide-abap as a prerequisite. Additional details are documented here
Credentials onboarding to SAP
Use the SAP folder of the Postman collection
Maintain the SAP basic auth credentials in Postman
Execute fetch
Execute tenant creation
Review the record in ZPRVDTENANTS table
Program execution
Execute the SAP program via transaction code SE38 or SE80
This will produce a protocol message reviewable in Shuttle's workflow console as previously demonstrated.
To simulate the scenario in a different, non-SAP vendor system, an example is also provided in JavaScript, featuring provide-js
Navigate to the javascript directory
Run command cd javascript
Install packages
Run command npm install
Maintain .env file from Postman collection variables
Create the Provide Axiom zero knowledge proof
Run command node create_protocol_msg
Review ZKP in Shuttle
View the console where you originally deployed the workflow. You'll see an additional protocol message created in the console.
For demonstration purposes, the PRVD stack deployment hosted by Provide is used. However, the open source PRVD stack can be deployed natively to any other corporate host. This is how it can be ensured that the vendor bank info from SAP would never leave the "four walls" of the enterprise network while using an integration like this.