
MD5 Hash not matching for auth_capture / ARB

Hello,

I have set up a silent post listener to track ARB transactions, however recently (before receiving any ARB responses) we have run a credit card manually (auth_capture) through the authorize.net interface, and looking at my server logs, it appears that the x_md5_hash was different than I expected it to be.

Unless I am mistaken, there seems to be a discrepancy between the ARB documentation (http://www.authorize.net/support/ARB_guide.pdf) and the receipt page (http://www.authorize.net/support/merchant/Integration_Settings/Receipt_Page_Options.htm) on how the x_md5_hash is generated. Although the live help representative indicated that hashes are not generated differently depending on type, the ARB pdf doesn't specify the APILogin and also says that "If you are using the MD5 Hash to authenticate non-ARB transactions, the fields used are different."

I am not entirely sure that my hash is incorrect, but it looks likely that either my process is wrong, or there is a difference between auth_capture and ARB transaction hash responses.

I am hoping that someone can either point out a flaw in my process, or let me know if there is a difference in the incoming hash code depending on my transaction type.

I have borrowed the HMAC_MD5 function from the SIM vb.net code as my solution is in vb.net. The output of my code below is: 5334a24aa6511d7a840faffa9d1e88f8

Also, I have tried different combinations of the variables, but haven’t been able to generate the x_trans_id.
    
    Sub test_hash()

        ' The variables below are dummy values
        Dim x_trans_id = "1234567891"
        Dim authNetAPILogin = "itsme"
        Dim x_amount = "1.00"
        Dim authNetHashKey = "random"

        ' HMAC_MD5 is the function borrowed from the SIM vb.net code
        Dim strValue = authNetAPILogin & x_trans_id & x_amount
        Dim fingerprint As String = HMAC_MD5(authNetHashKey, strValue)

        Response.Write(fingerprint)

    End Sub

webguy
Member

1. You need to create the correct string for the MD5 function depending on the kind of silent post you've received.

 

a. For ARB silent posts, the string used for the MD5 function is a concatenation of: authNetHashKey & x_trans_id & x_amount

 

b. For non-ARB silent posts, the string used for the MD5 function is slightly different, namely, a concatenation of authNetHashKey & authNetAPILoginID & x_trans_id & x_amount

 

2. After you've created your string, you need the 32-character hexadecimal-formatted MD5 hash of that string.  Note that MD5 and HMAC MD5 are not the same function.  HMAC MD5 is NOT the function used for the MD5 calculation for verifying the silent post.  HMAC MD5 is used for the SIM fingerprint calculation.  For the MD5 calculation for silent post, you need to use MD5, not HMAC MD5.

 

In VB.NET, the MD5 calculation is provided by the MD5CryptoServiceProvider class:

http://msdn.microsoft.com/en-us/library/system.security.cryptography.md5cryptoserviceprovider.aspx

(Note the discussion in the linked document about a result array of 16 bytes vs a 32-character hexadecimal-formatted hash result.  You need the 32-character hexadecimal-formatted hash result.  The result is lowercase.)

 

In PHP, the MD5 calculation is provided by the md5 function:

http://us.php.net/manual/en/function.md5.php

(It returns a 32-character hexadecimal result in lowercase characters)

 

3. Note that the 32-character hexadecimal result you've created is in lowercase characters but the x_MD5_Hash value provided in the silent post is in uppercase characters.  You will either need to convert one to be the same case as the other -OR- use a case-insensitive string comparison to test for a match.

karenb
Contributor
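
Added example, not part of the original thread and not Authorize.Net code: a Python sketch of the three steps in the reply above (build the ARB or non-ARB string, take plain MD5 rather than HMAC-MD5, compare ignoring case), using the dummy values from the question. The function names and the `is_arb` parameter are assumptions made for illustration.

```python
import hashlib
import hmac


def silent_post_md5(hash_key, trans_id, amount, api_login_id=None):
    """Plain MD5 (not HMAC-MD5) of the concatenated fields, lowercase hex.

    ARB post:     hash_key + x_trans_id + x_amount
    non-ARB post: hash_key + api_login_id + x_trans_id + x_amount
    """
    parts = [hash_key]
    if api_login_id is not None:
        parts.append(api_login_id)
    parts += [trans_id, amount]
    return hashlib.md5("".join(parts).encode("utf-8")).hexdigest()


def hmac_md5_attempt(hash_key, api_login_id, trans_id, amount):
    """The question's approach: HMAC-MD5 keyed with the hash value."""
    msg = (api_login_id + trans_id + amount).encode("utf-8")
    return hmac.new(hash_key.encode("utf-8"), msg, hashlib.md5).hexdigest()


def verify_silent_post(fields, hash_key, api_login_id, is_arb):
    """Return True if the posted x_MD5_Hash matches the locally computed hash.

    is_arb is supplied by the caller (assumption: the listener already knows
    which kind of post it received).
    """
    expected = silent_post_md5(
        hash_key, fields.get("x_trans_id", ""), fields.get("x_amount", ""),
        None if is_arb else api_login_id)
    # The gateway sends uppercase hex; normalise case, then compare as bytes
    # in constant time (bytes also avoids a TypeError on non-ASCII input).
    received = fields.get("x_MD5_Hash", "").lower()
    return hmac.compare_digest(expected.encode("utf-8"), received.encode("utf-8"))


# Constructed sample: dummy values from the question, hash computed locally.
KEY, LOGIN = "random", "itsme"
SAMPLE_POST = {"x_trans_id": "1234567891", "x_amount": "1.00"}
SAMPLE_POST["x_MD5_Hash"] = silent_post_md5(KEY, "1234567891", "1.00", LOGIN).upper()

if __name__ == "__main__":
    print(verify_silent_post(SAMPLE_POST, KEY, LOGIN, is_arb=False))
    print(verify_silent_post(SAMPLE_POST, KEY, LOGIN, is_arb=True))
    print(hmac_md5_attempt(KEY, LOGIN, "1234567891", "1.00").upper() == SAMPLE_POST["x_MD5_Hash"])
```

A listener built this way should reject the post when the check returns False rather than process it.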

Thank you so much for your very thorough and helpful response.

I got the Solution from your reply

I've followed your instructions for non-ARB transactions perfectly in php and still no - go.

 

Here's what I'm doing:

 

    $hash = md5($hash_key . $api_login_id . $_REQUEST['x_trans_id'] . $_REQUEST['x_amount']);

 

Here are a couple of things I was thinking may be an issue:

 

1. I'm in test mode in my authorize.net account.

2. I'm using the Virtual Terminal to run test transactions.

 

Let me know what / if there's anything I'm doing wrong for these non-ARB transactions.

 

Thanks!

Blair

Here is an implementation in C#.

 

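    // Requires: using System.Security.Cryptography;
    public static string MD5(string value)
    {
        // Hash the ASCII bytes of the input string
        byte[] data = (new System.Text.ASCIIEncoding()).GetBytes(value);
        var md5 = new MD5CryptoServiceProvider();
        byte[] result = md5.ComputeHash(data);

        // Convert the 16-byte result to a 32-character hexadecimal string
        string hash = "";
        for (int i = 0; i < result.Length; i++)
        {
            hash += result[i].ToString("x").PadLeft(2, '0');
        }

        // Uppercase, to match the case of the x_MD5_Hash value in the silent post
        return hash.ToUpper();
    }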