MD5 Hash Removal
Hello,
I am using the php-sdk. (can you tell me how to find what version I am running?)
I received the email about the removal of the MD5 hash, but I'm wondering where I'm using it?
From the instructions here, it appears I need to create a function to compare the value of transHashSHA2 with the output from the HMAC-SHA512.
My question is, is this replacing an MD5 version of a function where I am doing close to the same thing? In the sample code I used there is nothing like this.
The last change I had to make was to update my cert.pem.
Thanks - any clarification you can give me would be appreciated.
- Don
01-10-2019 12:02 PM
I found my version of the php-sdk: 1.8.8.0 - then just upgraded to 1.9.9
01-10-2019 12:46 PM - edited 01-10-2019 12:57 PM
The hashing is done for the security of your application.
So say you are enrolled in webhooks and you have a series of automated actions that take place when a webhook delivers transaction data to your server. The issue is that anyone on earth with a computer can try to send data to your server, and if they have malicious intent they may try to compromise your application by having your automated actions take place on ill-formed information.
So the way around this is for you and authorize to do a little handshake every time they send you data.
Only you and authorize.net have your signature key. So authorize hashes transaction data with your signature key. It essentially turns the original data into a completely incomprehensible mess.
On your end, you capture the original data and hash it with your signature key. You will now have an incomprehensible mess as well.
Now what happens is you compare your incomprehensible mess to what is sent to you. If it matches, that means that there is essentially 0 chance of the information hitting your server being from anyone other than authorize.net. That means you are safe to let your application use what is sent to you to perform those actions safely.
MD5 is an older hash method that gets less secure all the time due to computing power. SHA512 is a much better hash and I’m sure that’s why they did this.
There are probably plenty of things besides webhooks that this is used for. That is just the example I know and use. So the short answer is you probably don’t have to do anything. If your application was having data you or your developer would have had to program it to do that. The fact that you don’t know is a good indicator that this functionality is something you haven’t used.
01-10-2019 12:59 PM
The php-sdk still has the md5 hash.. hopefully someone will update it soon.
Tried this but it wasn't working for me.
return hash_hmac('sha512', $loginid . "^" . $sequence . "^" . $tstamp . "^" . $amount . "^" . $currency, $transaction_key);
01-11-2019 02:17 PM
For webhooks I can vet 100% that a sha512 hash is in the headers and can be used to validate. I see not much reason to use this for anything outside of webhooks, but there’s obviously something I’m missing or they wouldn’t have it. Suppose it would be good as insurance if authorize was ever compromised.
01-11-2019 02:59 PM
I also have a bunch of questions. We are using Python with DPM option. Followed the hash upgrade link instructions from here:
https://developer.authorize.net/support/hash_upgrade/
DPM post fails with "This transaction cannot be accepted."
I am stuck and don't know how to proceed. Need a clear example for the following:
How to generate the SHA512 hash in Python
How to verify the returned hash in Python
Here is what I tried that results in failure:
fingerprint = hmac.new(binascii.unhexlify(security_tokens["SIGNATURE_KEY"]),
"^"+security_tokens["LOGIN_ID"]+"^"+self.seq+"^"+ts+"^"+self.amount+"^", digestmod=hashlib.sha512).hexdigest()
When I do a DPM post with this generated hash in x_fp_hash, I get "This transaction cannot be accepted."
Still don't know the exact python code to verify the returned SHA512 hash.
01-11-2019 03:21 PM
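An added example, not part of any post in this thread and not Authorize.Net or SDK code: one way to do the comparison discussed above in Python, computing HMAC-SHA512 with the hex-decoded Signature Key and checking it against the received hash in constant time. The key, the message layout and the function names are constructed placeholders; the real field list and order have to come from the hash upgrade instructions.

```python
import binascii
import hashlib
import hmac

# Constructed sample values, not real credentials or a real response.
SAMPLE_KEY_HEX = "0123456789ABCDEF" * 8
SAMPLE_MESSAGE = "^sampleLogin^1234567890^10.00^"  # placeholder layout (assumption)


def compute_hmac_sha512(signature_key_hex: str, message: str) -> str:
    """Return the upper-case hex HMAC-SHA512 of message under the key."""
    try:
        # "Convert the Signature Key into a byte array": assumes the key is
        # hex text, as the unhexlify call in the post above treats it.
        key = binascii.unhexlify(signature_key_hex.strip())
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("signature key is not valid hex") from exc
    if not key:
        raise ValueError("signature key is empty")
    # On Python 3 both key and message must be bytes.
    mac = hmac.new(key, message.encode("utf-8"), hashlib.sha512)
    return mac.hexdigest().upper()


def verify_hash(signature_key_hex: str, message: str, received_hash: str) -> bool:
    """True only if received_hash equals our own HMAC over message."""
    if not received_hash:
        return False  # a missing hash must never count as a match
    expected = compute_hmac_sha512(signature_key_hex, message)
    candidate = received_hash.strip().upper()  # hex case is not significant
    # compare_digest avoids leaking the match position through timing.
    return hmac.compare_digest(expected.encode("ascii"), candidate.encode("utf-8"))


def demo() -> dict:
    good = compute_hmac_sha512(SAMPLE_KEY_HEX, SAMPLE_MESSAGE)
    tampered_message = "^sampleLogin^1234567890^1000.00^"
    return {
        "match": verify_hash(SAMPLE_KEY_HEX, SAMPLE_MESSAGE, good.lower()),
        "tampered": verify_hash(SAMPLE_KEY_HEX, tampered_message, good),
        "missing": verify_hash(SAMPLE_KEY_HEX, SAMPLE_MESSAGE, ""),
    }


if __name__ == "__main__":
    print(demo())
```

Any automated action should run only when `verify_hash` returns True; a changed amount or an absent hash both fail the check.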
"The php-sdk still has the md5 hash.. hopefully someone will update it soon."
Hi, could you tell me where you are finding this in the SDK code?
Thanks,
Don
01-14-2019 07:05 AM
Hopefully someone can post the php code for this soon. The confusing part for me is "Step 2. Convert the Signature Key into a byte array." since php doesn't seem to have this built in.
01-14-2019 07:26 AM
Currently I don't see transHashSHA2 in the transaction response object, just transHash.
This is using my testing sandbox.
- Don
01-14-2019 11:08 AM
php sdk is on github
https://github.com/AuthorizeNet/sdk-php
Seems to be getting regular updates but not one for the sha512 change yet.
01-15-2019 02:29 PM