MD5 Calculation

Ensure that crucial information in the request and response to/from DIBS is not tampered with

DIBS offers MD5-key control to ensure that the data sent between your system and the DIBS system has not been tampered with, whether through communication errors, hacking or interfering malware. The control works for both the request from your system to DIBS and the response from DIBS back to your system. By default the MD5-key control is optional, but it can be made mandatory by activating the functionality in the DIBS Administration.

You can find your MD5 key pair in DIBS Admin in the following menu:

Integration / MD5 Keys

Request to the DIBS server

Several payment functions utilize MD5-key control. Before calling these functions, the shop can calculate an MD5-key based on critical parameters in the request as well as a set of private keys found in the DIBS Administration. The specific parameters that should be used in the calculation differ based on the function used. When DIBS receives a request with an MD5-key, a corresponding calculation is done internally. If the calculated key matches the received key the request is approved; otherwise it is denied.

Flow:

  1. The shop calculates the md5key.
  2. The md5key is sent to DIBS along with the other variables.
  3. DIBS makes the same calculation and compares the keys.
  4. If they are identical, the request is accepted, otherwise it is rejected.

Due to the orderid being an essential parameter of the MD5-calculation, the orderid must always be unique when using MD5-keys.

Calculation algorithms

Below is an overview of the algorithms that should be used when calculating the MD5-key for the different API functions. In the algorithms, k1 and k2 denote the shop-specific secret keys found in the DIBS Administration, and parameters marked with <> denote the parameter values for the specific request.

 

For 3dsecure.cgi and auth.cgi:

md5key = MD5(k2 + MD5(k1 + "merchant=<merchant>&orderid=<orderid>&currency=<currency>&amount=<amount>"))

For cancel.cgi:

md5key = MD5(k2 + MD5(k1 + "merchant=<merchant>&orderid=<orderid>&transact=<transact>"))

For capture.cgi, refund.cgi and suppl_auth.cgi:

md5key = MD5(k2 + MD5(k1 + "merchant=<merchant>&orderid=<orderid>&transact=<transact>&amount=<amount>"))

For ticket_auth.cgi:

md5key = MD5(k2 + MD5(k1 + "merchant=<merchant>&orderid=<orderid>&ticket=<ticket>&currency=<currency>&amount=<amount>"))

 

Response from the DIBS server

A successful ticket registration or authorization will result in DIBS returning an MD5-key in the 'authkey' parameter. The calculation is done in one of two ways depending on which kind of transaction it is.

Flow:

  1. When responding to an authorization or ticket registration, DIBS calculates the value of authkey.
  2. When the shop receives the response, it performs the same calculation.
  3. If the keys do not match, the transaction should be rejected.

Apart from authkey verification, it should be checked that the amount and currency match the original order made using the order ID.

Calculation algorithms

Please note that when specifying the currency, it must be in the numeric format. See the ISO4217 standard for more information.

For a normal approved authorization, the authkey is calculated as the following:

authkey = MD5(k2 + MD5(k1 + "transact=<transact>&amount=<amount>&currency=<currency>"))

For a successful ticket registration, the authkey is calculated as the following:

authkey = MD5(k2 + MD5(k1 + "transact=<transact>&preauth=true&currency=<currency>"))

Again, k1 and k2 denote the shop-specific secret keys found in the DIBS Administration, and parameters marked with <> denote the parameter values found in the response.
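
The request and response calculations above, as an added Python example that is not part of the original DIBS documentation: it builds the md5key for auth.cgi and verifies the authkey of a normal authorization, including the amount and currency check against the stored order. The function names, keys and sample values are constructed for illustration, and the code assumes the inner MD5 result is concatenated as a lowercase hexadecimal string.

```python
import hashlib
import hmac

def dibs_md5(k1: str, k2: str, payload: str) -> str:
    # Assumption: the inner MD5 is concatenated as a lowercase hex string.
    inner = hashlib.md5((k1 + payload).encode("utf-8")).hexdigest()
    return hashlib.md5((k2 + inner).encode("utf-8")).hexdigest()

def auth_request_md5key(k1, k2, merchant, orderid, currency, amount) -> str:
    # Parameter order follows the 3dsecure.cgi / auth.cgi formula.
    payload = (f"merchant={merchant}&orderid={orderid}"
               f"&currency={currency}&amount={amount}")
    return dibs_md5(k1, k2, payload)

def verify_auth_response(k1, k2, response: dict, order: dict) -> bool:
    # Reject responses that lack any field the authkey covers.
    fields = ("transact", "amount", "currency", "authkey")
    if any(not response.get(name) for name in fields):
        return False
    payload = (f"transact={response['transact']}&amount={response['amount']}"
               f"&currency={response['currency']}")
    expected = dibs_md5(k1, k2, payload)
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    if not hmac.compare_digest(expected.encode(),
                               str(response["authkey"]).encode("utf-8")):
        return False
    # A valid authkey is not enough: amount and currency must match the
    # order stored locally under this order ID.
    return (str(response["amount"]) == str(order["amount"])
            and str(response["currency"]) == str(order["currency"]))

# Constructed sample values (not real keys or transactions).
K1, K2 = "constructed-k1-secret", "constructed-k2-secret"
ORDER = {"orderid": "order-1001", "currency": "208", "amount": "10000"}

def sample_response() -> dict:
    # Simulates what the server side would return for transact 987654.
    body = "transact=987654&amount=10000&currency=208"
    return {"transact": "987654", "amount": "10000", "currency": "208",
            "authkey": dibs_md5(K1, K2, body)}

if __name__ == "__main__":
    print(auth_request_md5key(K1, K2, "12345678", **ORDER))
    print(verify_auth_response(K1, K2, sample_response(), ORDER))
```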

 

Notes

  • The keys are calculated using the MD5 algorithm (RSA Data Security Inc.). MD5 is a standard function which is implemented in most scripting and programming languages, such as PHP, Perl, C/C++, ASP and Java.
  • When using the payment window and the calcfee functionality, the amount value must be set to the sum of the base amount and the fee.
  • When using the "split" parameter from FlexWin, "transact" is replaced by "transact1", "transact2", "transact3", and so forth, one transaction per amount.