HMAC MD-5 Encoding

[Rob Mikkelsen]

All,

I am working on a payment interface to Authorize.Net.  As part of the transaction, they require an MD-5 hash of a few pieces of information.  Is there an HMAC MD-5 encryption algorithm built into NetTalk, or do you know where I can get the code that I can integrate (or better yet, HAS been integrated! <g>).

Thanks!

Rob

[Bruce]

Hi Rob,

It might be your lucky day.
There's a function exported from the DLL called NetMD5.
It's prototyped as
NetMD5(*string p_InputStr, long p_InputStrLen, *string p_OutputStr)

You pass it the input string, and a variable to say how long the input string is. You can't use "0" in this case, you must specify the length you want to hash (otherwise trailing spaces, which might be important, would be ignored.)

The output string needs to be at least 32 characters long.

Cheers
Bruce

[Larry Sand]

Bruce,
The HMAC just uses MD5 as it's hash algorithm. http://en.wikipedia.org/wiki/HMAC describes it well.  Also there are different methods used to encode them, Hex, Base64 maybe others.

Rob do you need it in the client or the Server?  Here's a JavaScript implementation for the client: http://pajhome.org.uk/crypt/md5/instructions.html

Larry Sand

[Rob Mikkelsen]

Larry,

I have looked at the javascript from pajhome.co.uk.  Unfortunately, there is a transaction key that must remain secure that is encoded with other data into the hash.  This code cannot be viewed by the client so the hash code has to reside on the server, not as a parameter on the client side.

Another parameter Authorize.Net requires is the time, in seconds UTC elapsed since January 1, 1970.  A task I can perform but I will need to ensure the time remains synched because they only allow a five minute variance in the time between the server and their host (assuming that the client immediately transmits the time hack created by the local server). 

I will check out the wikipaedia link and test Bruce's function to confirm that it returns the same values as the web sites that demo the HMAC MD-5 hash.

Thanks!

Rob

[Larry Sand]

Hi Rob,

Is the HMAC Hex encoded?  I wrote a function using the MS Crypto API to calculate the HEX HMAC MD5, you just pass it the hex md5 key, and msg to hash with that key and it returns the hex encoded HMAC.  I could give you a lib to link into your program if you'd like.

Larry Sand

[Rob Mikkelsen]

Larry,

I did a little research on the web site and looked at some sample code with function calls in other languages (each language appears to have its own implementation of the HMAC MD-5 protocol - can NetTalk? <g>).  The Perl implementation refers to the function as hmac_md5_hex so it appears that the output is hex.

Thanks for the offer - that is too kind of you and, yes, I would love to take a look at it!

Rob

[Bruce]

Hi Rob,

I investigated the NetTalk function a bit and discovered that it uses the standard C source code (did you know your Clarion compiler can compile C code?) with a small Clarion wrapper function. The result of the clarion function is a 32 character string, where each char in the string is a nibble in the actual hash. In other words, the answer is provided as a hex-encoded string of the 128 bit MD5 result.

Given that it's using common off-the-shelf MD5 code I would expect the answer to be the same as any other MD5 implementation (otherwise it'd be fairly useless.)

Cheers
Bruce

[Larry Sand]

Hi Bruce and Rob,

It's not that there's anything wrong with the NetTalk implementation of the MD5 hash, it's just that the HMAC is different. 

In the attached example program: 
Create a public key with the button, enter a secret value for both the client and server.  They both use the same public key to create a HMAC of the secret value.  Then if both HMACs match, the same secret value was used to create the HMAC with the public key.

HTH
Larry Sand


[attachment deleted by admin]

[Rob Mikkelsen]

Larry,

This appears to be exactly what I need.  I will test tonight with Authorize.Net and see if their hash is the same as mine (and it should be).  Thanks for putting together the example program - it is all crystal clear to me now.  I will let you know tomorrow if it matches their code.

Bruce,

The difference between the standard MD5 hash and the HMAC MD5 hash is that MD5 uses a private key that is known both to the sender and receiver (but no others) to create a unique value to ensure that the sender is legitimate. 

All the values except the private key are passed to allow the receiver to recreate the hash (why they do it that way is beyond my understanding, because the public key is a combination of the company's transaction account number, the invoice total, the random sequence number and (get this) the number of seconds that have elapsed since January 1, 1970 - a bit of overkill).
 
My understanding of the standard MD5 hash is to create an obfuscated value (such as a password) that cannot (supposedly) be compromised, even by the system administrators.

This HMAC MD-5 encryption sounds like a kludge for this company only that will not be used by anyone else, but it may become more popular in time.
 
Cheers!

Rob

[Larry Sand]

Hi Rob,

It's not a kludge, this kind of signature is fairly common.  For example Amazon market place web services uses HMAC SHA1 or SHA256.  Here's a good description: http://mws.amazon.com/docs/devGuide/index.html?Signatures.html

Larry Sand

[Rob Mikkelsen]

Larry,

In that case, it think it would be a great addition to NetTalk.

I tried to incorporate it into my NetTalk app but encountered GPFs.  Could be a conflict with the MD5 hash in NetTalk.  I modified the code into an app on its own and didn't have any problems.  I HOPE that I can create a Clarion .DLL that will avoid the confliction.

Work got in the way of testing today, but I will run the app seperately and put entry fields into the NetTalk app to see if the hash is acceptable by the portal - I am quite sure that it will be. 

I believe that you have provided the answer.  I hope to thank you properly the next time our paths cross (as they did in Las Vegas during the Capesoft World Tour...).

Thanks!

Rob

[Larry Sand]

Hi Rob,

You're welcome.  I'm not certain why you had a GPF, I have it in a mulit-DLL NTWS without problem.

Larry Sand

[Rob Mikkelsen]

All,

After much assistance and education from Larry as well as a bit of research, I have successfully cracked the HMAC-MD5 nut.

Attached is an app that uses Bruce's MD-5 routine to create a hash based on a text message (up to 256 bytes) and a key up to 64 characters.  You can redefine the length of the strings if you would like.  Keys longer than 64 characters are run through the MD-5 routine to create a 16 character string before processing.

This app is written as a window for testing but can easily be converted into source code to incorporate into your own projects.  Please feel free to use it as you see fit and let me know if you encounter any problems with it.  I have not tested it with keys > 64 characters but the code is simple enough that it should work. 

The specification for the HMAC-MD5 encryption can be found at http://tools.ietf.org/html/draft-ietf-ipsec-hmac-md5-00 .  I have put some comments into the code that should help with understanding the process.  It is pretty simple process, but very exacting in its application.

Bruce, feel free to clean up the code and incorporate this functionality into the next release of NetTalk 4.  I think this would be a good tool for the NetTalk arsenal.

Cheers!

Rob

[attachment deleted by admin]