Jay1607
asked on
create md5 hash using coldfusion with a supplied key
I am working on integration to a Credit Card Gateway. The Gateway provider has provided me with a "Hash Key". All values I send to the gateway need to be "md5 hashed against the Hash Key".
How am I best to "MD5 hash my values using the supplied key"? I have been investigating both hash() and Encrypt(), but can't really be sure which is going to give me exactly what I need and how exactly to go about it.
Thanks in advance for all advice.
Jason
How am I best to "MD5 hash my values using the supplied key"? I have been investigating both hash() and Encrypt(), but can't really be sure which is going to give me exactly what I need and how exactly to go about it.
Thanks in advance for all advice.
Jason
The coldfusion hash value allows you to specify the algorthm, so this is all you need..
<cfset theHashedValue = #hash(yourValue, "MD5")#
ASKER
Thank you for your replies..
The problem with Hash is that I can't specify my own key.
For example, I pass 'myValue' into hash, but I can't pass 'myKey'.
With Encrypt, according to documentation, I can pass in myKey, and I can also specify MD5 as the algorithm, but I am not sure if encrypting using the MD5 algorithm is the same as creating an "MD5 Hash", or if it is something else.
In other words, if I do .... Encrypt(myValue,myKey,"MD5 ").... is the result of this an "MD5 hash"?
Thanks again..
The problem with Hash is that I can't specify my own key.
For example, I pass 'myValue' into hash, but I can't pass 'myKey'.
With Encrypt, according to documentation, I can pass in myKey, and I can also specify MD5 as the algorithm, but I am not sure if encrypting using the MD5 algorithm is the same as creating an "MD5 Hash", or if it is something else.
In other words, if I do .... Encrypt(myValue,myKey,"MD5
Thanks again..
> In other words, if I do .... Encrypt(myValue,myKey,"MD5 ").... is the result of this an "MD5 hash"?
No. First "MD5" isn't a valid value for Encrypt(). Encrypting and Hashing are two totally different things.
Hashing does not use a key, and is NOT reversible. ie You can't reverse it to get the original plain text string back.
Encrypting _is_ reversible and _does_ use a key. So you can figure out the original plain text string, if you have
the right key (iv, etc... ) information. There are different encryption algorithms you can use like Triple DES, etc..
But again, it's totally different than Hashing.
Did the provider give you an example you can post? (in any language ..) Maybe we can help clear up some of
your confusion.
No. First "MD5" isn't a valid value for Encrypt(). Encrypting and Hashing are two totally different things.
Hashing does not use a key, and is NOT reversible. ie You can't reverse it to get the original plain text string back.
Encrypting _is_ reversible and _does_ use a key. So you can figure out the original plain text string, if you have
the right key (iv, etc... ) information. There are different encryption algorithms you can use like Triple DES, etc..
But again, it's totally different than Hashing.
Did the provider give you an example you can post? (in any language ..) Maybe we can help clear up some of
your confusion.
> Hashing does not use a key
Correction. That s/b: MD5 hashing doesn't use a key
Correction. That s/b: MD5 hashing doesn't use a key
Why don't you use some other algorithm instead of MD5 with Encrypt() function?
ASKER
Thanks guys..
The instrucitons are actually from MasterCard to integrate with their MIGS Credit Card Gateway.
The instruction I am currently trying to understand is: "All the input values are md5 hashed against your Secure Hash Secret. This is to ensure the fields remain unchanged in transit between your system and our systems."
Note: The 'Secure Hash Secret" is a key provided to me by the MIGS system.
I will see if I can get an example and post it here.
The instrucitons are actually from MasterCard to integrate with their MIGS Credit Card Gateway.
The instruction I am currently trying to understand is: "All the input values are md5 hashed against your Secure Hash Secret. This is to ensure the fields remain unchanged in transit between your system and our systems."
Note: The 'Secure Hash Secret" is a key provided to me by the MIGS system.
I will see if I can get an example and post it here.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Sage, I think you are on the right track. What you are saying makes a lot of sense.
I have attached the ASP sample provided by the MIGS team of what I need to do.
I have attached the ASP sample provided by the MIGS team of what I need to do.
<%@ LANGUAGE=vbscript %>
<%
' Force explicit declaration of all variables
Option Explicit
' Turn off default error checking, as any errors are explicitly handled
On Error Resume Next
' Include the MD5 code that will be used to create the secure hash if required
%>
<!--#include file="VPC_md5.asp"-->
<%
' *******************************************
' START OF MAIN PROGRAM
' *******************************************
' The Page redirects the cardholder to the Virtual Payment Client (VPC)
' Define Constants
' ----------------
' This is secret for encoding the MD5 hash
' This secret will vary from merchant to merchant
' To not create a secure hash, let SECURE_SECRET be an empty string - ""
' Const SECURE_SECRET = "Your-Secure-Secret"
Const SECURE_SECRET = "33F0C6344A10E9F02D94B27CF07D392F"
' Stop the page being cached on the web server
Response.Expires = 0
' *******************************************
' Define Variables
' *******************************************
Dim message
Dim count
Dim item
Dim seperator
Dim redirectURL
' Create a 2 dimensional Array that we will use if we need a Secure Hash
If Len(SECURE_SECRET) > 0 Then
Dim MyArray
ReDim MyArray(Request.Form.Count,1)
End If
' Create the URL that will send the data to the Virtual Payment Client
redirectURL = Request("virtualPaymentClientURL")
' Add each of the appropriate form variables to the data.
seperator = "?"
count = 1
For Each item In Request.Form
' Do not include the Virtual Payment Client URL, the Submit button
' from the form post, or any empty form fields, as we do not want to send
' these fields to the Virtual Payment Client.
' Also construct the VPC URL QueryString while looping through the Form data.
If Request(item) <> "" And item <> "SubButL" And item <> "virtualPaymentClientURL" Then
' Add the item to the array if we need a Secure Hash
If Len(SECURE_SECRET) > 0 Then
MyArray (count,0) = CStr(item)
MyArray (count,1) = CStr(Request(item))
End If
' Add the data to the VPC URL QueryString
redirectURL = redirectURL & seperator & Server.URLEncode(CStr(item)) & "=" & Server.URLEncode(CStr(Request(item)))
seperator = "&"
' Increment the count to the next array location
count = count + 1
End If
Next
' NOTE: The againLink is the URL of the HTML Order Page that generated this
' request so that it can be used for another transaction.
' This demonstrates how a user field (such as an application Session ID) could
' be added.
' Add the againLink to the VPC URL QueryString
redirectURL = redirectURL & seperator & "AgainLink=" & Server.URLEncode(CStr(Request.ServerVariables("HTTP_REFERER")))
If Err Then
message = "Error creating request data: " & Err.Source & " - " & Err.number & " - " & Err.Description
Response.Redirect Request("vpc_ReturnURL") & "?vpc_Message=" & message
Response.End
End If
' If there is no Secure Secret then there is no need to create the Secure Hash
If Len(SECURE_SECRET) > 0 Then
' Add the againLink to the Array if we need a Secure Hash
MyArray (count,0) = "AgainLink"
MyArray (count,1) = CStr(Request.ServerVariables("HTTP_REFERER"))
' Create MD5 Message-Digest Algorithm hash and add it to the data to be sent
redirectURL = redirectURL & seperator & "vpc_SecureHash=" & doSecureHash
If Err Then
message = "Error creating Secure Hash: " & Err.Source & " - " & Err.number & " - " & Err.Description
Response.Redirect Request("vpc_ReturnURL") & "?vpc_Message=" & message
Response.End
End If
End If
' FINISH TRANSACTION - Send the cardholder to the VPC
' ===================================================
' For the purposes of demonstration, we perform a standard URL redirect.
Response.Redirect redirectURL
Response.End
' *******************
' END OF MAIN PROGRAM
' *******************
' -----------------------------------------------------------------------------
Function doSecureHash()
Dim md5HashData
Dim index
' sort the array only if we are creating the MD5 hash
MyArray = sortArray(MyArray)
' start the MD5 input
md5HashData = SECURE_SECRET
' loop though the array and add each parameter value to the MD5 input
index = 0
count = 0
For index = 0 to UBound(MyArray)
If (Len(MyArray(index,1)) > 0) Then
md5HashData = md5HashData & MyArray(index,1)
count = count + 1
End If
Next
' increment the count to the next array location
count = count + 1
doSecureHash = MD5(md5HashData)
End Function
' -----------------------------------------------------------------------------
' This function takes an array and sorts it
'
' @param MyArray is the array to be sorted
Function SortArray(MyArray)
Dim keepChecking
Dim loopCounter
Dim firstKey
Dim secondKey
Dim firstValue
Dim secondValue
keepChecking = TRUE
loopCounter = 0
Do Until keepChecking = FALSE
keepChecking = FALSE
For loopCounter = 0 To (UBound(MyArray)-1)
If MyArray(loopCounter,0) > MyArray((loopCounter+1),0) Then
' transpose the key
firstKey = MyArray(loopCounter,0)
secondKey = MyArray((loopCounter+1),0)
MyArray(loopCounter,0) = secondKey
MyArray((loopCounter+1),0) = firstKey
' transpose the key's value
firstValue = MyArray(loopCounter,1)
secondValue = MyArray((loopCounter+1),1)
MyArray(loopCounter,1) = secondValue
MyArray((loopCounter+1),1) = firstValue
keepChecking = TRUE
End If
Next
Loop
SortArray = MyArray
End Function
' -----------------------------------------------------------------------------
%>
ASKER
Thank you. You hit the nail on the head.
http://livedocs.adobe.com/coldfusion/8/htmldocs/help.html?content=functions_h-im_01.html#1105551