create md5 hash using coldfusion with a supplied key

I am working on integration to a Credit Card Gateway.  The Gateway provider has provided me with a "Hash Key".  All values I send to the gateway need to be "md5 hashed against the Hash Key".

How am I best to "MD5 hash my values using the supplied key"?  I have been investigating both hash() and Encrypt(), but can't really be sure which is going to give me exactly what I need and how exactly to go about it.  

Thanks in advance for all advice.

Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

MD5 is one of the preferred algorithm used for hashing, so it's better to use Hash()

The coldfusion hash value allows you to specify the algorthm, so this is all you need..

<cfset theHashedValue = #hash(yourValue, "MD5")#

Jay1607Author Commented:
Thank you for your replies..

The problem with Hash is that I can't specify my own key.

For example, I pass 'myValue' into hash, but I can't pass 'myKey'.

With Encrypt, according to documentation, I can pass in myKey, and I can also specify MD5 as the algorithm, but I am not sure if encrypting using the MD5 algorithm is the same as creating an "MD5 Hash", or if it is something else.

In other words, if I do .... Encrypt(myValue,myKey,"MD5").... is the result of this an "MD5 hash"?

Thanks again..
Cloud Class® Course: Microsoft Office 2010

This course will introduce you to the interfaces and features of Microsoft Office 2010 Word, Excel, PowerPoint, Outlook, and Access. You will learn about the features that are shared between all products in the Office suite, as well as the new features that are product specific.

> In other words, if I do .... Encrypt(myValue,myKey,"MD5").... is the result of this an "MD5 hash"?

   No.  First "MD5" isn't a valid value for Encrypt().  Encrypting and Hashing are two totally different things.
   Hashing does not use a key, and is NOT reversible.  ie You can't reverse it to get the original plain text string back.
   Encrypting _is_ reversible and _does_ use a key. So you can figure out the original plain text string, if you have
   the right key (iv, etc... ) information.  There are different encryption algorithms you can use like Triple DES, etc..
   But again, it's totally different than Hashing.

   Did the provider give you an example you can post? (in any language ..) Maybe we can help clear up some of
   your confusion.
> Hashing does not use a key

   Correction.  That s/b: MD5 hashing doesn't use a key
Why don't you use some other algorithm instead of MD5 with Encrypt() function?
Jay1607Author Commented:
Thanks guys..

The instrucitons are actually from MasterCard to integrate with their MIGS Credit Card Gateway.

The instruction I am currently trying to understand is: "All the input values are md5 hashed against your Secure Hash Secret. This is to ensure the fields remain unchanged in transit between your system and our systems."

Note: The 'Secure Hash Secret" is a key provided to me by the MIGS system.

I will see if I can get an example and post it here.

 It's the hash function you need, not encryption.

 Follow their example, which will be something like the following where you combine all the values you are sending them along with a secret key.  Then you hash it and send that value as well.  

<cfset valueToHash =  oneValue & twoValue & threeValue & theSecretKey>

<cfset theHashedValue = hash(valueToHash , "MD5")>

The purpose of the hash is to ensure the values are not being changed.  On their end, they will take the values you send them along with the same secret key (which you and they both know) and recreate the hash.  They will compare the hash you send them with the hash they created to be sure they are the same.  If they are not, the data has changed and they will reject the send.

You just need to get their example and follow it exactly.   They will reproduce it so they both have to be done the same way.  For example, if you do valueTwo before valueOne, the hashes will not match.


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Jay1607Author Commented:
Sage, I think you are on the right track.  What you are saying makes a lot of sense.

I have attached the ASP sample provided by the MIGS team of what I need to do.
<%@ LANGUAGE=vbscript %>

' Force explicit declaration of all variables
Option Explicit

' Turn off default error checking, as any errors are explicitly handled
On Error Resume Next

' Include the MD5 code that will be used to create the secure hash if required
<!--#include file="VPC_md5.asp"-->
' *******************************************
' *******************************************

' The Page redirects the cardholder to the Virtual Payment Client (VPC)

' Define Constants
' ----------------
' This is secret for encoding the MD5 hash
' This secret will vary from merchant to merchant
' To not create a secure hash, let SECURE_SECRET be an empty string - ""
' Const SECURE_SECRET = "Your-Secure-Secret"
Const SECURE_SECRET = "33F0C6344A10E9F02D94B27CF07D392F"

' Stop the page being cached on the web server
Response.Expires = 0

' *******************************************
' Define Variables
' *******************************************

Dim message
Dim count
Dim item
Dim seperator
Dim redirectURL

' Create a 2 dimensional Array that we will use if we need a Secure Hash
If Len(SECURE_SECRET) > 0 Then
    Dim MyArray
    ReDim MyArray(Request.Form.Count,1)
End If

' Create the URL that will send the data to the Virtual Payment Client
redirectURL = Request("virtualPaymentClientURL")

' Add each of the appropriate form variables to the data.
seperator = "?"
count = 1
For Each item In Request.Form

    ' Do not include the Virtual Payment Client URL, the Submit button 
    ' from the form post, or any empty form fields, as we do not want to send 
    ' these fields to the Virtual Payment Client. 
    ' Also construct the VPC URL QueryString while looping through the Form data.
    If Request(item) <> "" And item <> "SubButL" And item <> "virtualPaymentClientURL" Then

        ' Add the item to the array if we need a Secure Hash
        If Len(SECURE_SECRET) > 0 Then
            MyArray (count,0) = CStr(item)
            MyArray (count,1) = CStr(Request(item))
        End If
        ' Add the data to the VPC URL QueryString
        redirectURL = redirectURL & seperator & Server.URLEncode(CStr(item)) & "=" & Server.URLEncode(CStr(Request(item)))
        seperator = "&"

        ' Increment the count to the next array location
        count = count + 1

    End If

' NOTE: The againLink is the URL of the HTML Order Page that generated this
' request so that it can be used for another transaction. 
' This demonstrates how a user field (such as an application Session ID) could
' be added.
' Add the againLink to the VPC URL QueryString
redirectURL = redirectURL & seperator & "AgainLink=" & Server.URLEncode(CStr(Request.ServerVariables("HTTP_REFERER")))

If Err Then
    message = "Error creating request data: " & Err.Source & " - " & Err.number & " - " & Err.Description
    Response.Redirect Request("vpc_ReturnURL") & "?vpc_Message=" & message
End If

' If there is no Secure Secret then there is no need to create the Secure Hash
If Len(SECURE_SECRET) > 0 Then

    ' Add the againLink to the Array if we need a Secure Hash
    MyArray (count,0) = "AgainLink"
    MyArray (count,1) = CStr(Request.ServerVariables("HTTP_REFERER"))

    ' Create MD5 Message-Digest Algorithm hash and add it to the data to be sent
    redirectURL = redirectURL & seperator & "vpc_SecureHash=" & doSecureHash

    If Err Then
        message = "Error creating Secure Hash: " & Err.Source & " - " & Err.number & " - " & Err.Description
        Response.Redirect Request("vpc_ReturnURL") & "?vpc_Message=" & message
    End If

End If

' FINISH TRANSACTION - Send the cardholder to the VPC
' ===================================================
' For the purposes of demonstration, we perform a standard URL redirect. 
Response.Redirect redirectURL

' *******************
' *******************

'  -----------------------------------------------------------------------------

Function doSecureHash()

    Dim md5HashData
    Dim index
    ' sort the array only if we are creating the MD5 hash
    MyArray = sortArray(MyArray)

    ' start the MD5 input
    md5HashData = SECURE_SECRET
    ' loop though the array and add each parameter value to the MD5 input
    index = 0
    count = 0
    For index = 0 to UBound(MyArray)
        If (Len(MyArray(index,1)) > 0) Then
            md5HashData = md5HashData & MyArray(index,1)
            count = count + 1
        End If
    ' increment the count to the next array location
    count = count + 1
    doSecureHash = MD5(md5HashData)

End Function

'  -----------------------------------------------------------------------------

' This function takes an array and sorts it
' @param MyArray is the array to be sorted
Function SortArray(MyArray)

    Dim keepChecking
    Dim loopCounter
    Dim firstKey
    Dim secondKey
    Dim firstValue
    Dim secondValue
    keepChecking = TRUE
    loopCounter = 0
    Do Until keepChecking = FALSE
        keepChecking = FALSE
        For loopCounter = 0 To (UBound(MyArray)-1)
            If MyArray(loopCounter,0) > MyArray((loopCounter+1),0) Then
                ' transpose the key
                firstKey = MyArray(loopCounter,0)
                secondKey = MyArray((loopCounter+1),0)
                MyArray(loopCounter,0) = secondKey
                MyArray((loopCounter+1),0) = firstKey
                ' transpose the key's value
                firstValue = MyArray(loopCounter,1)
                secondValue = MyArray((loopCounter+1),1)
                MyArray(loopCounter,1) = secondValue
                MyArray((loopCounter+1),1) = firstValue
                keepChecking = TRUE
            End If
    SortArray = MyArray
End Function

'  -----------------------------------------------------------------------------

Open in new window

Jay1607Author Commented:
Thank you.  You hit the nail on the head.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
ColdFusion Language

From novice to tech pro — start learning today.