Enhance security with MD5

This topic explains how to add MD5 encryption. Use it to improve security, whether you use a ready-built shopping cart or a bespoke online store.

How does MD5 encryption work?

Using MD5, you can choose which parts of an order you want our gateway to check for unauthorised tampering.

You can also create a password to send as part of your order information, the 'MD5 secret'. This is only known to us. We can check each order you send to make sure it corresponds with your password.

Note: We reject the transaction if the signature does not match this password.

Note: You must still include all mandatory parameters in the order details submission.

Use MD5 encryption

To use MD5 encryption, your store must be set up using either of these:

  • A ready-built shopping cart that can use MD5 encryption (please consult your cart vendor for advice).

  • A bespoke setup generated using a programming language with an available MD5 library, such as C, C++, Visual Basic, PHP, ASP and Perl (but not HTML or JavaScript).

Note: HTML and JavaScript are not suitable for this feature. It is essential that the encryption process happens server-side to ensure data security.

If you use a ready-built shopping cart

If you use an off-the-shelf shopping cart, you need to take the following steps to add MD5 encryption:

  1. Enable MD5 encryption in your store, following the advice of your shopping cart provider. Implementation of MD5 varies, depending on which shopping cart you use. You need to choose the fields included in the encrypted signature, and supply your shopping cart with the 'MD5 secret' used to encrypt the signature.

    The MD5 secret should be a string (spaces are not permitted) of 20 to 30 characters, known only to yourself and to us. It must contain at least one upper case letter, one lower case letter, one number and one symbol.

  2. Set your MD5 secret in the Merchant Interface. To do this, enter this value into the MD5 secret for transactions field in the Integration Setup for your installation using the Merchant Interface > Installations option. If you can't locate this field, send an email to support@worldpay.com. Click Save changes.

    Note: If you have specified a secret, you must sign all transactions correctly. Otherwise, they are rejected. If you wish to disable the MD5 functionality at any point, simply remove the secret key value from your installation.

  3. Specify your protected parameters to us. These parameters must be entered into the SignatureFields field in the Integration Setup for your installation, and must match the value in your shopping cart.

If you use a bespoke setup

To add MD5 encryption to your site if you have built a bespoke store, follow these steps:

Note: You can also set up MD5 encryption on the Installation Administration page of the Merchant Interface. For more information, refer to the Customising Guide (Advanced).

  1. Choose an MD5 secret to encrypt the parameters you wish to protect. This should be a string (spaces are permitted) of 20 to 30 characters, known only to yourself and to us. Capitals, numerals and punctuation are all permitted.

  2. Set your MD5 secret in the Merchant Interface. To do this, enter this value into the MD5 secret for transactions field in the Integration setup for your installation using the Merchant Interface > Installations option. If you can't locate this field, send an email to Support on support@worldpay.com. Click Save Changes.

    Note: If you have specified a secret, you must sign all transactions correctly; otherwise, they are rejected. If you wish to disable the MD5 functionality at any point, simply remove the secret key value from your installation.

  3. Choose which of the order detail parameters you wish to protect with the signature. You can encrypt whichever parameters you like, including custom parameters (C, M and MC_). You must specify these as a colon-separated list in the Integration setup for your installation, using the Merchant Interface.

    We recommend that you include: amount, currency, instId and cartId parameters.

    Example: instId:amount:currency:cartId:MC_userId

  4. Construct a string consisting of the secret and the values of the parameters you want to encrypt. The items in this string should be separated by colons. For example, if you choose the phrase Lions&2Tigers&3Panthers as your secret, and the fields you have chosen to encrypt have the following values: amount=123.00, currency=GBP and cartId=ABC123, your string should look like this:

    Lions&2Tigers&3Panthers:123.00:GBP:ABC123

    Note: It is vital that you list the parameter values in the same order in which you listed them in the SignatureFields parameter.

  5. Calculate an MD5 signature from this string, and include the signature in the order details. The MD5 algorithm returns a hexadecimal value 32 characters long. You need to include this digital signature when you submit your order details as the value of a parameter named 'signature':

    <input type="hidden" name="signature" value="58e41db32a6f2ff9c3c96eea6583ffbd">

    The way you use MD5 encryption for a bespoke setup depends on the code used to build your store. Regrettably, we are not able to help you with incorporating the code into your store, but can provide you with instructions on how to send that information to us. For more information about MD5, refer to section MD5 reference sites.
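
Steps 3 to 5 above as a server-side sketch. This is an added example, not Worldpay code: the function names, the UTF-8 encoding and the instId placeholder are assumptions, and the sample order is constructed from the values used in step 4.

```python
import hashlib
from html import escape

def signing_string(secret, signature_fields, order):
    """Secret plus protected values, colon-separated, in SignatureFields order."""
    names = signature_fields.split(":")
    missing = [n for n in names if n not in order]
    if missing:
        raise KeyError(f"protected parameter(s) missing from order: {missing}")
    for n in names:
        # Sign the exact text that goes into the form: str(123.00) is "123.0",
        # which would no longer match a submitted value of "123.00".
        if not isinstance(order[n], str):
            raise TypeError(f"{n} must be the string that is submitted")
    return ":".join([secret] + [order[n] for n in names])

def md5_signature(secret, signature_fields, order, encoding="utf-8"):
    """32-character hex MD5 of the signing string (encoding is an assumption).
    This is the plain MD5(secret:values) scheme the page describes, not HMAC."""
    data = signing_string(secret, signature_fields, order).encode(encoding)
    return hashlib.md5(data).hexdigest()

def hidden_inputs(order, signature):
    """Render the order and its signature as hidden form fields.
    The secret itself is never placed in the page."""
    fields = dict(order, signature=signature)
    return "\n".join(
        '<input type="hidden" name="{}" value="{}">'.format(
            escape(k, quote=True), escape(v, quote=True))
        for k, v in fields.items()
    )

# Constructed sample values; SIGNATURE_FIELDS must equal the SignatureFields
# setting saved in the Merchant Interface.
SECRET = "Lions&2Tigers&3Panthers"
SIGNATURE_FIELDS = "amount:currency:cartId"
ORDER = {
    "instId": "INSTALLATION_ID",  # placeholder, not a real installation ID
    "cartId": "ABC123",
    "amount": "123.00",
    "currency": "GBP",
}

if __name__ == "__main__":
    sig = md5_signature(SECRET, SIGNATURE_FIELDS, ORDER)
    print(signing_string(SECRET, SIGNATURE_FIELDS, ORDER))
    print(hidden_inputs(ORDER, sig))
```

Because the same strings feed both the signature and the form, a value changed in the browser after the page is rendered no longer matches the signature computed on the server.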

Additional security - for reference only

As an additional security feature in HTML Redirect, you can set a time period for which a transaction is valid. This limits the amount of time available for an unauthorised user to try to decrypt the transaction.

To specify this time limit, use the parameter authValidTo. The value of authValidTo needs to be a date and time given in the Unix time standard: seconds since 1st January 1970. An example is shown below:

<input type="hidden" name="authValidTo" value="938736000000">

15 minutes is a commonly-used period of validity, but you may choose to reduce this time period to ten or even five minutes.

To implement this feature, follow these steps:

  1. Ensure the clock on your server is synchronised to an accurate time source (for example, by using NTP at www.ntp.org/).

  2. Take a time-reading from your server at the time of the transaction, and convert it to the Unix time standard, if necessary.

  3. Multiply the number of seconds you want the order details to be valid for, by 1000, and add this to the time. This is the value of authValidTo.

MD5 reference sites

Use the links below to find out more about MD5 encryption, and how to use it:

  • http://www.emc.com/emc-plus/rsa-labs/standards-initiatives/md2-md4-and-md5.htm: RSA Laboratories definition of MD5

  • http://userpages.umbc.edu/~mabzug1/cs/md5/md5.html: details on how to implement MD5 in many program languages

  • www.faqs.org/rfcs/rfc1321.html: specification of the MD5 function provided by the inventor at MIT