topic Re: Upgrading MD5 to new hash (SIM) in Integration and Testing

Upgrading MD5 to new hash (SIM)

cwdsl — Mon, 14 Jan 2019 11:58:09 GMT

I am trying to upgrade from MD5 to the new hash method as described here:- https://developer.authorize.net/support/hash_upgrade

We are using SIM still do in addition I read the guide at https://support.authorize.net/s/article/Do-I-need-to-upgrade-my-transaction-fingerprint-from-HMAC-MD5-to-HMAC-SHA512-and-how. This second link seems to talk about generating the fingerprint with more values than the first link above does, more similar to how wo do MD5 currently.

I’m having trouble validating matching the value I submit to what is returned in the response. Note: We need this to work with SIM as we can’t upgrade to the new API currently.

I am creating the hash using the new method and submitting it to the x_fp_hash during the post. I assume my x_fp_hash is correct because I was previously getting error 99’s which is a fingerprint error, but no longer do.

The response comes back after doing the payment in the x_SHA2_Hash field. It doesn't compare to x_fp_hash. So I thought there is more to this. Looking in the SIM guide, on page 73 at https://www.authorize.net/content/dam/authorize/documents/SIM_guide.pdf it mentions generating a hash from 30 fields.

I've done this and it still doesn't compare to x_SHA2_Hash. So I assume I am doing something wrong, but not sure. The documentation doesn't really give any examples of how to do this so I am uncertain what my issue is.

Re: Upgrading MD5 to new hash (SIM)

keksa — Mon, 14 Jan 2019 14:00:47 GMT

Hello, we're using SIM (or more precisely DPM) as well and currently don't have time to upgrade to the Accept Hosted solution.

I tried the new hash and it seems no matter what I do, it just does not match with what is returned in the relay POST data. The MD5 hash is still fine, but the SHA2 not.

I even tried to run the provided C# example to see if there was any problem with my implementation, but even that returned different hash, than what was sent in the relay response (x_SHA2_Hash field).

I used exactly what the upgrade post says to generate the message, i.e. my API Login ID, the returned transaction ID (x_trans_id field) and the returned amount (x_amount field) delimited and wrapped in carets exactly per the article.

Re: Upgrading MD5 to new hash (SIM)

xero — Mon, 14 Jan 2019 20:55:38 GMT

We are using SIM and having the same issue while follwing the steps from https://developer.authorize.net/support/hash_upgrade/

the has does not match computed hash does not match x_SHA2_Hash.

Re: Upgrading MD5 to new hash (SIM)

stw — Tue, 15 Jan 2019 18:44:36 GMT

I just found out this am about the upcoming change. Although it does read as the option for the hash will be gone Jan 31,2019, and the ability at a later date to be announced.

Currently:

We use DPM

Use our form with field posted like x_fp_sequence,x_fp_hash, x_fp_timestamp etc. Using a relay repsonse from authorize.

This is what I did and everything worked on our end. We use PHP:

Through developer account, created a signature key

On developer side of our site, I did the rest to test this:

1. Took new signature key and converted hex to dec:

$newKey = base_convert($signatureKey,16,2);

2. Changed our php func:

$hashedVar = hash_hmac('sha512','allthesuff^separated^as^usual^','$newKey ) ;

3. Everything else stays the same, we sent the hashed variable and other vars back to the form then posted that form to authorize.

4. Authorize's relay repsonse wasn't touched on our end

5. successful transaction was done and everything on our end completed as needed. Including the slient post.

I wasn't sure what to do about the comparison as mentioned (https://developer.authorize.net/support/hash_upgrade/), but it didn't seem to need it.

Our relay response is quite generic:

$response = new AuthorizeNetSIM($apiLoginID, $md5Setting);

if ($response->isAuthorizeNet()) {
if ($response->approved) {

$redirect_url = '';

}

else{//declined

$redirect_url = '';

}

echo AuthorizeNetDPM::getRelayResponseSnippet($redirect_url);

}.....

That's the basics of it. So was this all is what is needed and not as offsensive as documentation makes it out to be?

Re: Upgrading MD5 to new hash (SIM)

stw — Tue, 15 Jan 2019 18:49:25 GMT

I just found out this am about the upcoming change. Although it does read as the option for the hash will be gone Jan 31,2019, and the ability at a later date to be announced.

Currently:

We use DPM

Use our form with field posted like x_fp_sequence,x_fp_hash, x_fp_timestamp etc. Using a relay repsonse from authorize.

This is what I did and everything worked on our end. We use PHP:

Through developer account, created a signature key

On developer side of our site, I did the rest to test this:

1. Took new signature key and converted hex to dec:

$newKey = base_convert($signatureKey,16,2);

2. Changed our php func:

hash_hmac('sha512','allthesuff^separated^as^usual^','$newKey ) ;

3. Everything else stays the same, we sent the hashed variable and other vars back to the form then posted that form to authorize.

4. Authorize's relay repsonse wasn't touched on our end

5. successful transaction was done and everything on our end completed as needed. Including the slient post.

I wasn't sure what to do about the comparison as mentioned (https://developer.authorize.net/support/hash_upgrade/), but it didn't seem to need it.

Our relay response is quite generic:

$response = new AuthorizeNetSIM($apiLoginID, $md5Setting);

if ($response->isAuthorizeNet()) {
if ($response->approved) {

$redirect_url = '';

}

else{//declined

$redirect_url = '';

}

echo AuthorizeNetDPM::getRelayResponseSnippet($redirect_url);

}.....

That's the basics of it. So was this all is what is needed and not as offsensive as documentation makes it out to be?

Re: Upgrading MD5 to new hash (SIM)

dsstrainer — Tue, 15 Jan 2019 21:03:47 GMT

Can't get this working in SIM.

Simply replaced

return hash_hmac("md5", $loginid . "^" . $sequence . "^" . $tstamp . "^" . $amount . "^" . $currency, $x_tran_key);

with

return hash_hmac("sha512", $loginid . "^" . $sequence . "^" . $tstamp . "^" . $amount . "^" . $currency, base_convert($x_tran_key,16,2));

and changed from a transaction key to a signature key.

But I get Error 99 everytime using my developer account.

If I switch back to md5 and the transaction key, everything works fine.

Re: Upgrading MD5 to new hash (SIM)

cwdsl — Tue, 15 Jan 2019 21:11:09 GMT

The hash as I understand it has always been optional. You don’t have to verify the MD5 and going forwards you don’t have to verify the new hash. But the point is you should, so that you are verifying the payment came from Authorize.Net.

Unless I am misunderstanding the PHP example above (2nd post up), you are simply not verifying it. The SIM guide talks about verifying against 30 response fields, but I can’t figure out how.

Re: Upgrading MD5 to new hash (SIM)

mps38 — Tue, 15 Jan 2019 22:00:39 GMT

I'm having difficulty as well. Are you using your signature key instead of your transaction key?

Anyway, I'm trying to convert the hex key to binary as per the documentation using PHP:

base_convert('MySignatureKey',16,2);

However, this simply returns this as the binary value which can't possible be correct:

0000000000000000000000000000000000000000000000000000000000000000

Re: Upgrading MD5 to new hash (SIM)

dsstrainer — Tue, 15 Jan 2019 22:22:44 GMT

You are trying to convert the literal string "MySignatureKey" which why you are getting all zeros.

Re: Upgrading MD5 to new hash (SIM)

dsstrainer — Tue, 15 Jan 2019 22:26:51 GMT

I think the terminology is just confusing here. We aren't talking about the "md5 hash" which as you noted was always optional. This is about the new fingerprint which is also referred to as "x_fp_hash" and used to use the login id and transaction key but now uses login id and signature key. Really don't see the difference as its just a new name for a new key that does the same thing. Typical over-engineering from payment gateway companies.

In any case, swapping out the keys and changing the hash algorithm from md5 to sha512 doesn't seem to work for everyone.

Also has anyone noticed the huge mistake in the email that Authnet sent out refers to "SHA256" but all the places on the dev site refer to "SHA512". I assume sha512 is correct and they just need to fire their email staff.

Re: Upgrading MD5 to new hash (SIM)

xero — Tue, 15 Jan 2019 22:49:24 GMT

"x_fp_hash" is not new, it has always been there, but previously is set to the MD5 hash. With the the instruction from

https://support.authorize.net/s/article/Do-I-need-to-upgrade-my-transaction-fingerprint-from-HMAC-MD5-to-HMAC-SHA512-and-how

it says to switch to the Signature key compute the hash.

The second part is the relay response also contains "x_MD5_Hash" and "x_SHA2_Hash" which is used to verify the response is from authorize.net.

From what I understand "x_fp_hash" and "x_SHA2_Hash" need to be using the 128 bit Signature key to compute the hash. But the hash I generate never match "x_SHA2_Hash" from the relay response.

Re: Upgrading MD5 to new hash (SIM)

Renaissance — Tue, 15 Jan 2019 23:51:17 GMT

I don't think I have a need for this but I've been working on it on and off for the past several hours. I think there may be some quirks that have to be worked out of authorize.net's end. The format of the signature key you need is an unsigned 8 bit integer, per their link.

php is not amenable to using arrays in hashing, but I am not sure that you need an array. The documentation references "a byte version" of your signature key, and then references the array below.

I am noticing that almost everyone who posts about this is using SIM or DPM. That explains something as I use Accept Hosted. This feature seems more tailored for your needs. If you're using SIM and are pulling your hair out right now, Accept Hosted is extremely easy to integrate and it took me about 10 minutes to get the sha512 hash integration working on the webhooks.

I've fried quite a load of brain cells on this for no good reason at this point. If you're looking for a reason to upgrade this may be it. I figured it would take me 10 minutes like the webhooks did, and I figured why not validate the response on my refund API calls for such a small investment, although it is useless in all but the most remote circumstances I can imagine.

Re: Upgrading MD5 to new hash (SIM)

Renaissance — Wed, 16 Jan 2019 05:20:22 GMT

Here is what I came up with. It works 100% with the PHP SDK and I believe will work for other methods with only slight modification.

https://community.developer.authorize.net/t5/Integration-and-Testing/Working-php-hash-verification/td-p/65774

Re: Upgrading MD5 to new hash (SIM)

cwdsl — Wed, 16 Jan 2019 09:32:58 GMT

@Renaissance, thanks for your example. As you mentioned, I posted this question originally because it is SIM that I am trying to get working. SIM from what I understand works differently to Accepted Hosted in how the hash works. Your PHP SDK example looks great, but I need to get this working with SIM, at least temporarily.

@xero, @dsstrainer... I am using VB.NET, but I'll try to explain what I've done so far.

Firstly, here is the old code, with MD5...

                    Dim Random As New Random
                    Dim Sequence = Random.Next(0, 1000)
                    Dim TimeStamp = CInt((DateTime.UtcNow - New DateTime(1970, 1, 1)).TotalSeconds)
                    Dim Fingerprint = GetAuthorizeNetMD5(anTransactionKey, anAPILoginID & "^" & Sequence & "^" & TimeStamp & "^" & Total.ToString("0.##") & "^USD")

When I post my initial transaction off to Authorize.Net, x_fp_sequence is assigned the Sequence, x_fp_timestamp is assigned the TimeStamp and x_fp_hash is assigned the Fingerprint variable.

This is the GetAuthorizeNetMD5 function from the above example, which passes in the Transaction Key, API Login ID, Sequence, TimeStamp, Amount and Currency Code.

        Public Shared Function GetAuthorizeNetMD5(ByVal Key, ByVal Value)

            Dim HMACkey() As Byte = (New ASCIIEncoding()).GetBytes(Key)
            Dim HMACdata() As Byte = (New ASCIIEncoding()).GetBytes(Value)

            Dim TempHMACMD5 As New System.Security.Cryptography.HMACMD5(HMACkey)

            Dim HMAChash() As Byte = TempHMACMD5.ComputeHash(HMACdata)

            Dim Fingerprint = ""
            For i = 0 To HMAChash.Length - 1
                Fingerprint &= HMAChash(i).ToString("x").PadLeft(2, "0")
            Next

            Return Fingerprint

        End Function

The relay URL then receives back the MD5_Hash value. We then compare this to the MD5 Hash Key similar to the code below...

        Public Shared Function AuthorizeNetMD5Matched(MD5HashKey As String, APILoginID As String, TransactionID As String, Amount As Decimal, MD5Hash As String) As Boolean

            Dim AmountStr As String = Amount.ToString("0.00")

            Dim Unencrypted = String.Format("{0}{1}{2}{3}", MD5HashKey, APILoginID, TransactionID, AmountStr)

            Dim MD5 = New System.Security.Cryptography.MD5CryptoServiceProvider()
            Dim Hashed = Regex.Replace(BitConverter.ToString(MD5.ComputeHash(ASCIIEncoding.[Default].GetBytes(Unencrypted))), "-", "")

            Return Hashed.Equals(MD5Hash)

        End Function

        If Not PaymentRepository.AuthorizeNetMD5Matched(MD5HashKey, APILoginID, TransactionID, Amount, MD5Hash) Then
            ' Code to abandon the transaction
        End If

So the above example passes into the AuthorizeNetMD5Matched function the MD5 Hash key and then using MD5 it then attempts to match the combination of the API Login, Transaction ID, Amount and the MD5_Hash returned.

Now the above code works with MD5 and the challenge is to know how to update this to work with SHA512.

Firstly, I decided to change how the fingerprint is generated...

Dim Fingerprint = GetAuthorizeNetHMACSHA512(anSignatureKey, anAPILoginID & "^" & Sequence & "^" & TimeStamp & "^" & Total.ToString("0.##") & "^USD")

The code above calls the function below, but instead of passing in the Transaction Key (like with MD5) I instead pass in the Signature Key instead, which I generated within my Sandbox account.

        Public Shared Function GetAuthorizeNetHMACSHA512(ByVal key As String, ByVal textToHash As String)

            If String.IsNullOrEmpty(Key) Then Throw New ArgumentNullException("HMACSHA512: key", "Parameter cannot be empty.")
            If String.IsNullOrEmpty(textToHash) Then Throw New ArgumentNullException("HMACSHA512: textToHash", "Parameter cannot be empty.")

            If Key.Length Mod 2 <> 0 OrElse Key.Trim().Length < 2 Then
                Throw New ArgumentNullException("HMACSHA512: key", "Parameter cannot be odd or less than 2 characters.")
            End If

            Try
                Dim k As Byte() = Enumerable.Range(0, Key.Length).Where(Function(x) x Mod 2 = 0).[Select](Function(x) Convert.ToByte(Key.Substring(x, 2), 16)).ToArray()

                Dim hmac As System.Security.Cryptography.HMACSHA512 = New System.Security.Cryptography.HMACSHA512(k)

                Dim HashedValue As Byte() = hmac.ComputeHash((New System.Text.ASCIIEncoding()).GetBytes(textToHash))
                Return BitConverter.ToString(HashedValue).Replace("-", String.Empty)


            Catch ex As Exception
                Throw New Exception("HMACSHA512: " & ex.Message)
            End Try


        End Function

The above function is a VB.NET equivelent of the example at https://developer.authorize.net/support/hash_upgrade/.

Now, I think this bit so far is correct. I say this because I was getting error 99's on the fingerprint being invalid, but this now works fine.

What I am now struggling to do is compare the x_SHA2_Hash that is returned in the relay response to anything. Page 73 of the SIM guide at https://www.authorize.net/content/dam/authorize/documents/SIM_guide.pdf implies you have to build a hash from 30 of the response fields and compare that, but I can't figure it out.

Re: Upgrading MD5 to new hash (SIM)

tmnejp — Wed, 16 Jan 2019 15:24:15 GMT

@cwdsl, your link to Page 73 of the SIM guide was exactly what I needed. I was attempting to compare x_SHA2_Hash to the a hash of the value provided in the hash upgrade guide (of the format: ^ANet123^20987654321^9.99^). I needed to hash the 30 part carat separated value as specified in the pdf:

^x_trans_id^x_test_request^x_response_code^x_auth_code^x_cvv2_resp_code^x_cavv_response^x_avs_code^x_method^x_account_number^x_amount^x_company^x_first_name^x_last_name^x_address^x_city^x_state^x_zip^x_country^x_phone^x_fax^x_email^x_ship_to_company^x_ship_to_first_name^x_ship_to_last_name^x_ship_to_address^x_ship_to_city^x_ship_to_state^x_ship_to_zip^x_ship_to_country^x_invoice_num^

Re: Upgrading MD5 to new hash (SIM)

cwdsl — Wed, 16 Jan 2019 15:29:03 GMT

@tmnejp, so is that working for you?

I've tried comparing the x_SHA2_Hash to the hash of the 30 fields and they don't produce the same value for me. Don't know what I am missing. Are the 30 fields hashed using the Signature Key?

Re: Upgrading MD5 to new hash (SIM)

tmnejp — Wed, 16 Jan 2019 15:41:47 GMT

Yes it's hashed using the signature key. It also took a little effort to translate the Signature Key from a hex string to it's actual binary value (@Renaissance has a php solution to this in his/her example). In perl this was:

$key = pack 'H*', $signature_key;

Re: Upgrading MD5 to new hash (SIM)

cwdsl — Wed, 16 Jan 2019 16:31:51 GMT

@tmnejp, okay thanks. I still can't figure it out though.

I created a variable called TextToHash that is set to the response the 30 values, in this format...

Example:

TextToHash = "^12345678901^false^1^ABCDEF^P^2^Y^CC^XXXX0027^64.88^^John^Smith^Main Street^London^^L11AA^United+Kingdom^^^^^^^^^^^^123^"

I then pass that these values into the HMACSHA512 function (as described at https://developer.authorize.net/support/hash_upgrade/)...

Example:

HashedStr = HMACSHA512(SignatureKey, TextToHash)

HashedStr does not equal the SHA2_Hash returned in the relay response, so I know I am missing something, but can't figure out what yet.

Re: Upgrading MD5 to new hash (SIM)

lightwave365 — Wed, 16 Jan 2019 16:37:56 GMT

So wait, the the upgrade guide is stright up lying to us? We don't hash 3 values, we hash 30 of them? Where do you see hashing the 30 as a solution in their documentation?

Re: Upgrading MD5 to new hash (SIM)

cwdsl — Wed, 16 Jan 2019 16:41:25 GMT

@lightwave365, for the SIM integration method I believe so. On Page 73 at https://www.authorize.net/content/dam/authorize/documents/SIM_guide.pdf it mentions 30 fields.

I presume the upgrade guide was only written with the newer API's in mind, but don't know that for a fact.