cancel
Showing results for 
Search instead for 
Did you mean: 

MD5 Hash Removal

Hello,

 

I am using the php-sdk. (can you tell me how to find what version I am running?)

I received the email about the removal of the MD5 hash, but I'm wondering where I'm using it?

From the instructions here>> it appears I need to create a function to compare the value of transHashSHA2 with the output from the HMAC-SHA512. 

 

My question is, is this replacing an MD5 version of a function where I am doing close to the same thing? In the sample code I used there is nothing like this. 

 

The last change I had to make was to update my cert.pem.

 

Thanks - any clarification you can give me would be appreciated.

 

- Don

fifty-git
Regular Contributor
10 REPLIES 10

I found my version of the php-sdk:  1.8.8.0 - then just upgraded to 1.9.9

fifty-git
Regular Contributor
Hashing is done to verify that information sent to your webserver comes from authorize.net. This is for things like webhooks, where authorize sends information about transactions to your server as they occur.
The hashing is done for the security of your application.

So say you are enrolled in webhooks and you have a series of automated actions that take place when a webhook delivers transaction data to your server. The issue is that anyone on earth with a computer can try to send data to your server and if they have malicious intent they may try to compromise your application by having your automated actions take place on ill formed information.

So the way around this is for your and authorize to do a little handshake every time they send you data.
Only you and authorize.net have your signature key. So authorize hashes transaction data with your signature key. It essentially turns the original data into a completely incomprehensible mess.

On your end, you capture the original data and hash it with your signature key. You will now have an incomprehensible mess as well.

Now what happens is you compare your incomprehensible mess to what is sent to you. If it matches, that means that there is essentially 0 chance of the information hitting your server being from anyone other than authorize.net. That means you are safe to let your application use what is sent to you to perform those actions safely.

MD5 is an older hash method that gets less secure all the time due to computing power. SHA512 is a much better hash and I’m sure that’s why they did this.

There are probably plenty of things besides webhooks that this is used for. That is just the example I know and use. So the short answer is you probably don’t have to do anything. If your application was having data you or your developer would have had to program it to do that. The fact that you don’t know is a good indicator that this functionality is something you haven’t used.



Renaissance
All Star

The php-sdk still has the md5 hash.. hopefully someone will update it soon.

 

Tried this but it wasn't working for me.

 

return hash_hmac('sha512', $loginid . "^" . $sequence . "^" . $tstamp . "^" . $amount . "^" . $currency, $transaction_key);
I’m not so sure. I get sha512 in transaction response objects and also in webhooks notifications. I don’t use them in anything other than webhooks, but I am also using the php sdk. There is certainly a lot I don’t know regarding this, but is there a reason your hash function has more and different parameters than what authorize recommends in the link the original post contained? And also you do not appear to be using a signature key. The currency and timestamp are not in on the page from that link as parameters.

For webhooks I can vet 100% that a sha512 hash is in the headers and can be used to validate. I see not much reason to use this for anything outside of webhooks, but there’s obviously something I’m missing or they wouldn’t have it. Suppose it would be good as insurance if authorize was ever compromised.

I also have a bunch of questions. We are using Python with DPM option. Followed the hash upgrade link instructions from here:

https://developer.authorize.net/support/hash_upgrade/

 

 

DPM post fails with "This transaction cannot be accepted." 

 

I am stuck and don't know how to proceed. Need a clear example for the following:

 

How to generate the SHA512 hash in Python

How to verify the returned hash in Python

Here is what I tried that results in failure:

 

 fingerprint = hmac.new(binascii.unhexlify(security_tokens["SIGNATURE_KEY"]),
"^"+security_tokens["LOGIN_ID"]+"^"+self.seq+"^"+ts+"^"+self.amount+"^", digestmod=hashlib.sha512).hexdigest()

 

When I do a DPM post with this generated hash in x_fp_hash, I get  "This transaction cannot be accepted."

Still don't know the exact python code to verify the returned SHA512 hash.

"The php-sdk still has the md5 hash.. hopefully someone will update it soon."

 

Hi, could you tell me where you are finding this in the SKD code?

 

Thanks,

Don

fifty-git
Regular Contributor

Hopefully someone can post the php code for this soon. The confusing part for me is "Step 2. Convert the Signature Key into a byte array." since php doesn't seem to have this built in.

jts74
Member

Currently I don't see transHashSHA2 in the transaction response object, just transHash. 

This is using my testing sandbox.

 

- Don

fifty-git
Regular Contributor

php sdk is on github

https://github.com/AuthorizeNet/sdk-php

 

Seems to be getting regular updates but not one for the sha512 change yet.