MD5-key control


DIBS offers MD5-key control to ensure that the data (the request parameters) has not been altered in transit between your server and the DIBS server, whether by transmission errors or by deliberate tampering. The control covers both directions: the transfer of information from your server to the DIBS server, and the response sent back to your server.

 

Transfer to the DIBS server 

Before calling the DIBS functions auth.cgi, capture.cgi, refund.cgi, or ticket_auth.cgi, an MD5-key must be calculated from the important parameters of the request and a pair of shop-specific keys. Each function uses its own algorithm for the exact key to send; please refer to the documentation for the function in question. The DIBS server recomputes the key from the parameters it receives, compares it with the submitted key, and returns an error if the two differ, which indicates that one or more parameters were changed after the key was calculated. Please note that MD5-key control must be activated in the DIBS administration interface in advance. Also note that MD5-key control requires the use of unique order IDs.

 

Flow:
  1. The shop calculates the md5key (for detailed information please refer to each function: auth.cgi, capture.cgi, refund.cgi, and ticket_auth.cgi).
  2. The md5key is sent to DIBS along with the other variables.
  3. DIBS makes the same calculation and compares the keys.
  4. If they are identical, the request is accepted, otherwise it is rejected.

 

Response from the DIBS server

The function auth.cgi also offers MD5-key control for the response from the DIBS server. When this option is activated in the DIBS administration interface, the MD5-key is returned in the format authkey=key, where key is a 32-character string computed by DIBS. The algorithm is described in detail in the documentation of auth.cgi and summarised below.

 

Whenever the shop receives a response from DIBS, its validity must be checked before the payment is treated as approved. The shop recomputes the authkey from the transaction ID in the response together with the amount and currency it expects for that order, and compares the result with the authkey received. If the key is missing or differs from the expected value, the purchase should be cancelled.

 

Flow:
  1. When responding to an authorization (auth.cgi), DIBS calculates the value of authkey.
  2. When the shop receives the response, it performs the same calculation.
  3. If the keys do not match, the transaction should be rejected.

 

Calculation when receiving DIBS response

When a payment is approved, the "authkey" is calculated as follows:

authkey = MD5(k2 + MD5(k1 + "transact=tt&amount=aa&currency=cc"))

where tt, aa, and cc are the values of the transaction ID, amount, and currency, respectively, and + denotes string concatenation. Please note that when using the payment window together with the calcfee functionality, the amount must be the sum of the base amount and the fee. Also note that when using the "split" parameter from FlexWin, "transact" is replaced by "transact1", "transact2", "transact3", and so forth, one transaction per amount.
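The following Python implementation is an added example for this page; it is not code from DIBS or from the auth.cgi documentation. It implements the authkey formula above and the three-step response flow (DIBS computes the key, the shop recomputes it, mismatch means rejection). Two details are assumptions because the page does not state them: the inner MD5 digest is rendered as a 32-character lowercase hex string before being concatenated after k2, and all strings are ASCII. The keys, transaction ID, amount and the sample response below are constructed values, not real DIBS data. Going slightly beyond the page's single case, the parameter name is configurable so the same function can be used for "transact1", "transact2", ... when the FlexWin "split" parameter is in use.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl


def md5_hex(data: str) -> str:
    """MD5 of an ASCII string, returned as a 32-character lowercase hex digest."""
    return hashlib.md5(data.encode("ascii")).hexdigest()


def dibs_authkey(k1: str, k2: str, transact: str, amount: str, currency: str,
                 transact_param: str = "transact") -> str:
    """authkey = MD5(k2 + MD5(k1 + "transact=tt&amount=aa&currency=cc")).

    Assumption (not stated on the page): the inner digest is the lowercase hex
    string that md5_hex() returns, so the outer hash runs over k2 followed by
    32 hex characters. transact_param is "transact1", "transact2", ... for split
    payments, "transact" otherwise.
    """
    message = f"{transact_param}={transact}&amount={amount}&currency={currency}"
    inner = md5_hex(k1 + message)
    return md5_hex(k2 + inner)


def verify_dibs_response(k1: str, k2: str, response: dict,
                         expected_amount: str, expected_currency: str,
                         transact_param: str = "transact") -> bool:
    """Shop-side check of a response from auth.cgi.

    The amount and currency are taken from the shop's own order record, not from
    the response, so a response that claims a different amount than the order
    fails the check. A missing authkey or transaction ID is a rejection.
    """
    received = response.get("authkey")
    transact = response.get(transact_param)
    if not received or not transact:
        return False
    expected = dibs_authkey(k1, k2, transact, expected_amount,
                            expected_currency, transact_param)
    # Constant-time comparison so timing does not leak how many characters matched.
    return hmac.compare_digest(expected, received.lower())


def parse_dibs_response(body: str) -> dict:
    """Parse an application/x-www-form-urlencoded response body into a dict."""
    return dict(parse_qsl(body, keep_blank_values=True))


def demo() -> dict:
    """Run the verification flow on constructed data; returns the outcomes."""
    k1, k2 = "example-k1-secret", "example-k2-secret"   # constructed, not real keys
    order_amount, order_currency = "10000", "208"         # 100.00 DKK in minor units

    # Constructed response as DIBS would send it (step 1: DIBS computes authkey).
    key = dibs_authkey(k1, k2, "123456789", order_amount, order_currency)
    good = parse_dibs_response(f"transact=123456789&amount={order_amount}"
                               f"&currency={order_currency}&authkey={key}")
    # A response whose authkey was computed for a different amount.
    tampered = dict(good, amount="1", authkey=dibs_authkey(k1, k2, "123456789", "1", "208"))
    # A response with no authkey at all.
    missing = {k: v for k, v in good.items() if k != "authkey"}

    return {
        "good": verify_dibs_response(k1, k2, good, order_amount, order_currency),
        "tampered": verify_dibs_response(k1, k2, tampered, order_amount, order_currency),
        "missing": verify_dibs_response(k1, k2, missing, order_amount, order_currency),
    }


if __name__ == "__main__":
    print(demo())
```

Because the shop supplies the amount and currency from its own order record, the check does double duty: it confirms that the response came from a party holding k1 and k2, and that the approval is for the amount the shop actually charged.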

 

MD5 information

The keys are calculated using the MD5 algorithm (RSA Data Security Inc.). MD5 is a standard function implemented in most scripting and programming languages, such as PHP, Perl, C/C++, ASP and Java. The protection offered by the control rests on k1 and k2 remaining secret: anyone who knows both keys can compute a valid MD5-key for arbitrary parameters, so they must be stored server-side and never included in pages sent to the customer's browser.

 

The shop receives two keys from DIBS, k1 and k2. These are constant values that do not change from purchase to purchase. The values are generated in the DIBS Administration website under the menu item Integration > MD5 keys.

 

tabla.dk has kindly made available an ASP implementation gathered from the net.