Generating HMAC-SHA512 Fingerprint

Generating HMAC-SHA512 Fingerprint

Mike Ealy-2
Hi All,

Authorize.net is ending the life of HMAC-MD5 and moving to HMAC-SHA512. What
are my options for generating a fingerprint from HMAC-SHA512 using Lasso 8
on a Mac running OS 10.11?

I have been using Authorize.net's Server Integration Method (SIM) for years
now. That means I collect some information about my customer (name, address,
etc.) and then pass the transaction to Authorize where credit card details
are entered. Upon successfully charging the card (or not), Authorize passes
the transaction back to my site where I take over again.

In order to continue connecting with Authorize in this way, I need to
upgrade the transaction fingerprint so that it uses HMAC-SHA512 instead of
HMAC-MD5. I've been using the Lasso Encrypt_HMAC tag as follows.

[var:'x_fp_hash'=(Encrypt_HMAC: $transactionkey, $x_login + '^' + $x_fp_sequence + '^' + ($utc_timestamp) + '^' + $x_amount + '^', -cram)]

I know I've been procrastinating this move, but Authorize.net has stopped
extending this rollout and is finally bringing HMAC-MD5 to a close. Mac OS
10.11 does support TLSv1.2 so there may be a possible solution with
os_process and curl.

Steve Piercy wrote:
> Lasso 8 can use TLS v1.2. Use os_process and shell
> to invoke curl, and the operating system must
> support TLS v1.2.  My AuthorizeNet_AIM tag supports it.
> It's easy, and the benefits in security and ease
> of use of curl are totally worth it.

I read Steve's github for implementing AuthorizeNet_AIM at
https://github.com/stevepiercy/AuthorizeNet_AIM , but I'm not sure how to
put all these pieces in place to get it working. Since I'm using SIM instead
of AIM will Steve's tag even work for me? I'll keep at it but in the
meantime, if someone could point me in the right direction I would certainly
appreciate it.

Thanks,
Mike Ealy





#############################################################

This message is sent to you because you are subscribed to
  the mailing list Lasso [hidden email]
Official list archives available at http://www.lassotalk.com
To unsubscribe, E-mail to: <[hidden email]>
Send administrative queries to  <[hidden email]>

Re: Generating HMAC-SHA512 Fingerprint

bienvenue
Hello Mike,

We faced the same problem a few months ago with a deprecated hashing mode in an online payment system...

You may refer to this post :
HMAC with openssl dgst -sha512 and Lasso 8.6 / CentOS
http://lasso.2283332.n4.nabble.com/HMAC-with-openssl-dgst-sha512-and-Lasso-8-6-CentOS-td4646498.html

In which we tried to defer the hashing to the system through OSProcess...

In fact, in the end we created a tag to call a PHP file, itself returning the hash to Lasso, with the PHP file calling hash_hmac() or pack(), through an include_url().

Simple, a bit dirty but working, after hours of failures with other tricks...

Regards
JP - E SYSTEMES France

Re: Generating HMAC-SHA512 Fingerprint

stevepiercy
In reply to this post by Mike Ealy-2
My AIM tag has nothing to do with SIM.  They're totally
different methods.  The only thing they share in common is that
Authorize.net deprecated both.

https://developer.authorize.net/api/upgrade_guide/

If you ignore that advice, you can try to hobble along to get
your SIM method to work.

First check available ciphers with `openssl dgst --help`.

If HMAC-SHA512 is not listed, or the command does not run, then
you need to install a more recent version of openssl, preferably
via brew.

Next try `echo 'string_to_hash' | openssl dgst -sha512`.  It
should output a hash.  Note it for comparison later.

Next install [shell] and configure os_process (which the
Language Guide thoroughly documents).

After you've got that all set up, then this will get you a hash.

     #hash = shell('echo -n ' + #string_to_hash + ' | /path/to/openssl dgst -sha512')

--steve


On 2/22/19 at 8:00 AM, [hidden email] (Mike Ealy) pronounced:

>Hi All,
>
>Authorize.net is ending the life of HMAC-MD5 and moving to HMAC-SHA512. What
>are my options for generating a fingerprint from HMAC-SHA512 using Lasso 8
>on a Mac running OS 10.11?

-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
Steve Piercy              Website Builder              Eugene, OR
<[hidden email]>               <http://www.stevepiercy.com/>
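
Added example, not part of the original thread or any poster's code: a shell sketch of computing a keyed HMAC-SHA512 over the fingerprint string from the first message (login^sequence^timestamp^amount^), next to the unkeyed `openssl dgst -sha512` digest, with the message passed through `printf` rather than spliced into the command text. The function names, the `OPENSSL` variable and all sample values are constructed for illustration; it assumes an openssl that supports `dgst -mac HMAC -macopt` (1.0.0 or later), and the hex-key variant applies only if the provider issues its key hex-encoded.

```shell
#!/bin/sh
# Added example: keyed vs. unkeyed SHA-512 with the openssl CLI.
# All names and sample values below are constructed for illustration.

OPENSSL=${OPENSSL:-openssl}

# Unkeyed SHA-512. Anyone who knows the message can recompute this,
# so it does not authenticate the sender.
sha512_plain() {            # $1 = message
    printf '%s' "$1" | "$OPENSSL" dgst -sha512 | awk '{print $NF}'
}

# HMAC-SHA512 with a text key. printf '%s' writes the message byte for
# byte: no trailing newline, and no shell interpretation of its content.
hmac_sha512() {             # $1 = key (text), $2 = message
    printf '%s' "$2" | "$OPENSSL" dgst -sha512 -hmac "$1" | awk '{print $NF}'
}

# HMAC-SHA512 with a hex-encoded key, decoded to raw bytes by openssl.
# Using the hex text itself as the key would give a different MAC.
hmac_sha512_hexkey() {      # $1 = key (hex), $2 = message
    printf '%s' "$2" | "$OPENSSL" dgst -sha512 -mac HMAC \
        -macopt "hexkey:$1" | awk '{print $NF}'
}

# Fingerprint input in the field order used in the thread's Encrypt_HMAC
# call: login ^ sequence ^ timestamp ^ amount ^ (trailing caret included).
sim_fingerprint() {         # $1 = key, $2 = login, $3 = seq, $4 = ts, $5 = amount
    hmac_sha512 "$1" "$2^$3^$4^$5^"
}

# Self-check against RFC 4231 test case 2 before trusting the toolchain.
rfc4231_selftest() {
    expected=164b7a7bfcf819e2e395fbe73b56e0a387bd64222e831fd610270cd7ea250554
    expected=${expected}9758bf75c05a994a6d034f65f8f0e6fdcaeab1a34d4a6b4b636e070a38bce737
    [ "$(hmac_sha512 'Jefe' 'what do ya want for nothing?')" = "$expected" ]
}

if rfc4231_selftest; then
    # Constructed sample transaction values.
    echo "fingerprint: $(sim_fingerprint 'constructed-key' 'login1' '123' '1550844000' '19.99')"
    echo "plain hash : $(sha512_plain 'login1^123^1550844000^19.99^')"
else
    echo "openssl HMAC-SHA512 self-test failed" >&2
fi
```

The key appears on the openssl command line, where other local users can read it from the process list while the command runs; on a shared host that exposure is a reason to compute the HMAC in-process instead.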



Re: Generating HMAC-SHA512 Fingerprint

Mike Ealy-2
I was able to create an -sha512 hash using your guidance. Thanks Steve! I'll
try to move to the Accept Hosted option with Authorize. Seems over my head
at first look. I'm going to try to stick with the payment form hosted by
Authorize where they will pass the transaction back to my site after
processing the cc. Advice from anyone who has implemented the Accept Hosted
option with Lasso 8 would be appreciated.

Mike




Re: Generating HMAC-SHA512 Fingerprint

stevepiercy
After reading the documentation, you will need to ask specific
questions about what you do not understand.

https://developer.authorize.net/api/reference/features/accept_hosted.html

I do not recommend setting it aside because it is over your
head.  I made the same avoidance mistake by sticking with Lasso
longer than I should have and deferred diving into Python and
the Pyramid web framework.  I should have just sucked it up and
taken the leap back in 2010 instead of waiting a couple of years.

Now I have emails sent to [hidden email] bouncing due to
a "451 Could not load DRD" error when my legacy Lasso 8.6 server
serial claims it has expired when it has not, and the
Server/SiteAdmin goes into lockdown mode.

--steve


On 2/23/19 at 9:38 AM, [hidden email] (Mike Ealy) pronounced:

>I was able to create an -sha512 hash using your guidance. Thanks Steve! I'll
>try to move to the Accept Hosted option with Authorize. Seems over my head
>at first look. I'm going to try to stick with the payment form hosted by
>Authorize where they will pass the transaction back to my site after
>processing the cc. Advice from anyone who has implemented the Accept Hosted
>option with Lasso 8 would be appreciated.
>
>Mike

-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
Steve Piercy              Website Builder              Eugene, OR
<[hidden email]>               <http://www.stevepiercy.com/>

