Do I need to upgrade my transaction fingerprint from HMAC-MD5 to HMAC-SHA512, and how?


Doc ID:    A1706
Version:    1.0
Status:    Published
Published date:    08/05/2016
 

Answer

If you are using our Server Integration Method (SIM) with our Hosted Payment Form, or if you are using the Direct Post Method (DPM), you will need to upgrade your transaction fingerprint so that it uses HMAC-SHA512, instead of HMAC-MD5.

You will first need to generate a Signature Key.

To generate a Signature Key:
 
  1. Log into the Merchant Interface at https://account.authorize.net.
  2. Click Account from the main toolbar.
  3. Click Settings from the menu on the left.
  4. Click API Credentials & Keys from the General Security Settings section.
  5. Under Create New Key(s), enter the answer to your Secret Question.
  6. Select the New Signature Key radio button.
  7. When obtaining a new Signature Key, you may choose to immediately disable the old Signature Key by clicking on the box titled, Disable Old Signature Key Immediately. If you have current software installations, do not check this box unless you need to cease immediately all payment processing that uses the Signature Key.
  8. Click Submit.

Note that the Merchant Interface presents the Signature Key in hexadecimal format. You will need to convert the Signature Key to binary format before calculating the HMAC-SHA512 hash. Please check your scripting language/framework documentation for details on how to convert hexadecimal strings to their binary equivalent.

The construction of the HMAC-SHA512 hash is similar to the HMAC-MD5 hash. In particular, the input to be hashed is built from these values, in order, and separated by carets ("^"):
 
  • The API Login ID (x_login);
  • The unique merchant-generated sequence number (x_fp_sequence);
  • The transaction's timestamp in UNIX Epoch time, i.e. how many seconds have passed since Midnight UTC on January 1, 1970 (x_fp_timestamp);
  • The transaction amount (x_amount);
  • The currency code (x_currency_code), which should be blank if no currency code is submitted.

For example, if we presume an API Login ID of "authnettest", a sequence number of "789", a timestamp of "67897654", an amount of "10.50", and no currency code, the hash input would look like this:
 

authnettest^789^67897654^10.50^


If a currency code of "USD" were submitted, the hash input would look like this:
 

authnettest^789^67897654^10.50^USD

You would then hash this input with the HMAC-SHA512 algorithm, using the binary-encoded Signature Key as the HMAC key.

The resulting hash should be submitted to us as x_fp_hash, just as you do with the HMAC-MD5 hash. We will know which hashing algorithm you used by the size of the value for x_fp_hash.
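
The steps above as an added Python example (not Authorize.Net's own code): it builds the caret-separated input, converts the hexadecimal Signature Key to binary, and computes the HMAC-SHA512 fingerprint. The key is a constructed sample value, the function names are hypothetical, and hex encoding of the resulting hash is an assumption.

```python
import hashlib
import hmac

# Constructed sample value, NOT a real Signature Key.
SAMPLE_SIGNATURE_KEY_HEX = "0123456789ABCDEF" * 8


def fingerprint_input(login, sequence, timestamp, amount, currency_code=""):
    """Join the five fields with carets, in the documented order.

    Pass the amount as the exact string sent in x_amount ("10.50", not 10.5),
    so the hashed text matches the submitted field. With no currency code the
    trailing caret remains.
    """
    return "^".join([login, str(sequence), str(timestamp), amount, currency_code])


def key_from_hex(signature_key_hex):
    """Convert the hexadecimal Signature Key into the binary HMAC key."""
    try:
        return bytes.fromhex(signature_key_hex.strip())
    except ValueError as exc:
        raise ValueError("Signature Key is not valid hexadecimal") from exc


def fp_hash(signature_key_hex, login, sequence, timestamp, amount, currency_code=""):
    """Return the HMAC-SHA512 fingerprint as hex text (output encoding assumed)."""
    message = fingerprint_input(login, sequence, timestamp, amount, currency_code)
    key = key_from_hex(signature_key_hex)
    return hmac.new(key, message.encode("utf-8"), hashlib.sha512).hexdigest()


def fp_hash_wrong_key(signature_key_hex, message):
    """Common mistake: keying HMAC with the ASCII text of the hex string."""
    key = signature_key_hex.encode("ascii")
    return hmac.new(key, message.encode("utf-8"), hashlib.sha512).hexdigest()


if __name__ == "__main__":
    args = ("authnettest", 789, 67897654, "10.50")
    good = fp_hash(SAMPLE_SIGNATURE_KEY_HEX, *args)
    bad = fp_hash_wrong_key(SAMPLE_SIGNATURE_KEY_HEX, fingerprint_input(*args))
    print("hash input :", fingerprint_input(*args))
    print("x_fp_hash  :", good)
    print("hex length :", len(good), "(an HMAC-MD5 value has 32 hex characters)")
    print("unconverted key gives the same hash:", good == bad)
```

Keying the HMAC with the unconverted hexadecimal text produces a different value of the same length, so the result looks valid but will not match the fingerprint calculated on the receiving side.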

All existing Response Reason Codes that indicate issues with the transaction fingerprint will apply for the HMAC-SHA512 version as well as the legacy HMAC-MD5 version. Specifically, you may see these errors:

  • RRC 97, indicating that the transaction fingerprint has expired;
  • RRC 98, indicating that the transaction fingerprint has already been used;
  • RRC 99, indicating a mismatch between the transaction fingerprint you submitted, and the fingerprint we expected;
  • RRC 103, which is caused when the transaction fingerprint is generally invalid.


The Wikipedia entry on HMAC includes links to HMAC implementations in various scripting languages and frameworks.


 

