HMAC SHA1 and MD5 encryption under classic ASP

I’ve run into this problem twice now: I needed SHA encryption or an MD5 hash in classic ASP. iDeal, for example, needs it, and so does Amazon’s S3 service. Of course there are a lot of programming languages with examples in the documentation of iDeal and Amazon, but none for classic ASP.

Twice is once too many for me, so I took a JavaScript implementation of SHA1 and MD5 and baked them into a WSC for my fellow ASP programmers. The JavaScript implementation isn’t mine but Paul Johnston’s; detailed descriptions of its inner workings are here.

There already is a solution in which the JavaScript code is included in an ASP page, but IMHO there is a better way. So here is the WSC. For people unfamiliar with WSCs in classic ASP:

A WSC is a Windows Scripting Component, a shared component like an OCX or a DLL, but written in an interpreted language such as JavaScript or VBScript. The fun thing is that using WSCs you can make your classic ASP code modular. Just write your components in your favorite scripting language with all the methods and properties you need. Using the SHA1 component from an ASP page, for example, looks like this:

<%@ Language=VBScript %>
<% Option Explicit %>
<%
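Dim sha1, result
' load the component straight from the .wsc file (no registration needed)
Set sha1 = GetObject("script:" & Server.MapPath("/components/sha1.wsc"))
' set a property: 1 = uppercase hex output
sha1.hexcase = 1
' call a function: hex_hmac_sha1(key, data)
result = sha1.hex_hmac_sha1("0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b", "Hi There")
%>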
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
    <title>test</title>
</head>
<body>
            HMAC-SHA1 result: <%= result %>
</body>
</html>
<% Set sha1 = Nothing %>

This example assumes that SHA1.WSC is present in the directory “/components/”.
As you can see, after initialisation, different properties and methods can be called. These correspond to the variables and functions in the original JavaScript code.

The second advantage is that you can use this component from any environment, not just ASP, and that you don’t even have to register it in Windows (it’s possible, but not required). This way you can run your code at any ASP webhost, even if they don’t allow you to register your own components.

Now for the links: sha1.wsc, md5.wsc
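
Added example, not part of the original post or of the component: the key and data in the ASP page above are those of RFC 2202 test case 1, so the result can be checked against a published digest. This Node.js sketch assumes the component, like the Paul Johnston script it wraps, uses the characters of the key string as the key, and contrasts that with the 20 decoded key bytes; the function names are this example's own.

```javascript
// Added example: reference HMAC-SHA1 values from Node's built-in crypto module.
const crypto = require("crypto");

// Key string and data as used in the ASP page above.
const KEY_TEXT = "0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b";
const DATA = "Hi There";
// Published digest for RFC 2202 test case 1 (key = 20 bytes of 0x0b).
const RFC2202_CASE1 = "b617318655057264e28bc0b6fb378c8ef146be00";

// HMAC-SHA1 of `data`; `key` is a string (its characters are the key)
// or a Buffer (raw key bytes). `encoding` is "hex" or "base64".
function hmacSha1(key, data, encoding = "hex") {
  return crypto.createHmac("sha1", key).update(data, "utf8").digest(encoding);
}

// Decode a hex key, with or without a leading "0x", into raw bytes.
function hexKeyToBytes(hex) {
  const clean = hex.replace(/^0x/i, "");
  if (clean.length === 0 || clean.length % 2 !== 0 || /[^0-9a-f]/i.test(clean)) {
    throw new Error("key is not valid hex");
  }
  return Buffer.from(clean, "hex");
}

// Compare two hex digests in constant time, as a verifier should.
function digestsMatch(aHex, bHex) {
  const a = Buffer.from(aHex, "hex");
  const b = Buffer.from(bHex, "hex");
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// Run both readings of the key and check each against the RFC digest.
function compareKeyInterpretations() {
  const keyBytes = hexKeyToBytes(KEY_TEXT);
  const asText = hmacSha1(KEY_TEXT, DATA);   // key = the literal characters
  const asBytes = hmacSha1(keyBytes, DATA);  // key = decoded bytes (0x0b repeated)
  return {
    asText,
    asBytes,
    textMatchesRfc: digestsMatch(asText, RFC2202_CASE1),
    bytesMatchRfc: digestsMatch(asBytes, RFC2202_CASE1),
    base64: hmacSha1(keyBytes, DATA, "base64"),
  };
}

console.log(compareKeyInterpretations());
```

With `hexcase = 1` the component returns uppercase hex, so compare its output to these lowercase digests case-insensitively.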

Happy programming!

24 Responses to “HMAC SHA1 and MD5 encryption under classic ASP”

  1. Steve Says:

    Hi,
    Thanks for the code above. I have to admit I’m new to this, so I’m not sure how I would supply my key for encryption. Any suggestions?
    Thanks!

  2. precompiled Says:

    Hi Steve,

    The component works exactly like the javascript code on Paul Johnston’s page, so this should work:

    result = sha1.hex_hmac_sha1("key", "data")

    In fact, this is exactly like my example above, so just paste that into a new ASP page, make sure you have the SHA1.wsc in the correct location and try it out. You can find the documentation for the SHA1 code here: http://pajhome.org.uk/crypt/md5/instructions.html under “keyed hashes”.
    You can call any of the functions that they describe there, only use the name you have given to the object as a prefix, so:

    hex_hmac_sha1("key", "data")

    becomes:

    sha1.hex_hmac_sha1("key", "data")

  3. ModelosPR Says:

    I’m looking for a programmer with experience using Classic ASP and S3 services. Need to display photos on website from a Private Bucket and send files directly to browser for download from Private Bucket.

    Please contact me if interested.

    Thanks!

  4. Andre Says:

    Thank you for the work. At last I have something to work with!

  5. rednael Says:

    Please read the following article:
    http://blog.rednael.com/2008/09/30/SecuringYourPasswordTransfersWithKeyedHashingHMACCramMD5.aspx

    It’s a walkthrough example of implementing HMAC-MD5 / Cram-MD5 on a website. The same technique can be used for various client-server situations.
    The article explains the benefits of using such a password system and shows you how to implement it using the .Net library at server side (examples in C#), and using Paj’s MD5 Javascript functions at client-side.

  6. Astralis Says:

    Seeing as how you experienced severe problems with wsc files on your server (with IE7), is there another method that can be used without using wsc files?

  7. precompiled Says:

    Hi Astralis,

    I actually don’t think WSC’s are the problem, but more that the vbscript.dll version 5.7 performs worse. But of course, a WSC file just contains script code (in this case, jscript), so just copying the code to an ASP page or an include file (leave the XML out) should work (make sure you set the language to jscript). The only thing you would have to change are the properties of the component:
    In the WSC there are some properties defined (they are just some global variables in the component), together with some getter and setter functions to change and/or read these properties. These properties are used to set up the component. You could remove the getter/setter functions and just set the variable-values directly. Your code would look something like this.

    <%

    ' set a property
    hexcase = 1

    Dim result
    ' call a function
    result = hex_hmac_sha1("0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b", "Hi There")
    %>

  8. Dan Says:

    Exactly the solution I needed. Thank you so much for providing this.

  9. Tim Kouters Says:

    Thank you,

    This was exactly what I needed.

    Kind regards,
    Tim

  10. Andre Says:

    Hi

    Thanks for the demo. I have it working, but how do I pass the text and the key (Is this the public or private key?) to the function as a variable instead of hard coding it?

    I want to use the routine to sign text for Amazon’s AWS services.

    Best regards

    Andre F Bruton

  11. Andre Says:

    I managed to answer my own post above! Here is code that passes variables to the SHA1 encryptor. I also checked the final output with other encryptors and it is correct!

    test

    From website: https://precompiled.wordpress.com/2007/11/26/hmac-sha1-encryptie-onder-classic-asp/

    HMAC-SHA1 result:

    Text:

  12. Fred Says:

    Hi precompiled,
    I’m a newbie on iDeal and only know classic ASP, no .NET. And last-but-not-least didn’t see any iDeal docs yet.
    But do you have a working ASP example for iDeal to share? I have to make an inventory on building a solution.
    Would appreciate your help!
    Cheers,
    Fred

  13. precompiled Says:

    Hi Fred,

    I have a working implementation, but it depends very much on what iDeal method you want to use. Also, I’m not too keen on giving away the sourcecode for that :)

    iDeal has different implementation methods you can use. The easiest is with a simple form. What you need to do is ask your customer to contact their bank-contact. The bank can set up iDeal and supply you with a merchant-account and documentation. Your customer needs an account with a bank that supports iDeal to be able to use it.
    You need to set up that iDeal account, there you can also indicate what method you want to use.
    Using the form-method, you need to generate a form with all the information of the products and the customer. One of the fields is a concatenation of a number of values you need to do a SHA1 on:

    concatString = ideal_hash_key & business & subID & total_amount & purchaseID & "ideal" & timestamp_later & productString

    dim sha1,idealhash
    set sha1 = GetObject("script:"&Server.MapPath("/~components/sha1.wsc"))
    hashString = concatString
    idealhash = sha1.hex_sha1(concatString)
    set sha1 = nothing

    This should get you on your way.

  14. Julio Loayza Says:

    A very elegant solution. Bearing in mind it seems there are no such algorithms implemented in ASP it’s just what I was looking for. Thanks!

    Nice blog too. Added to my feeds!

  15. Fred Says:

    Thanks precompiled!!
    I will get the documentation first.

  16. Dave Says:

    Thanks for this but I am still having troubles using this to authenticate on AWS.

    I am comparing the results from the “Amazon S3 Signature Tester in JavaScript” to your code and I can not get the results to match.

    (http://developer.amazonwebservices.com/connect/entry.jspa?externalID=199&categoryID=47)

    In the component there are three different versions of the SHA1 encoder (hex,str, b64) which one do you use for AWS?

    For SimpleDB the example string to sign uses linefeeds (\n), so I am using (vblf). Is that correct, or am I supposed to just pass the \n?

    Not sure why AWS gives me so much trouble :(

  17. Dave Says:

    If it wasn’t too much trouble a sample AWS REST request would be a world of help :)

  18. Dave Says:

    Success!! Here are two more links that helped me finally authenticate a rest request with AWS SDB using classic asp with hmac sha256

    http://developer.amazonwebservices.com/connect/message.jspa?messageID=138958

    http://chrisroos.co.uk/blog/2009-02-01-test-data-for-version-2-of-the-amazon-web-services-signing-protocol

  19. precompiled Says:

    Hi Dave,

    Sorry I couldn’t respond. I’m glad you’ve figured it out by yourself and that you are willing to share.
    I haven’t implemented AWS myself in classic ASP (yet). I needed the encryption for other services.

  20. Maftei Catalin Says:

    What about when you need to pass the key in hex?

  21. Amazon Cart Encoding and Signing with Classic ASP | Kyle J Howard Says:

    […] https://precompiled.wordpress.com/2007/11/26/hmac-sha1-encryptie-onder-classic-asp/ […]

  22. Kyle Howard Says:

    Hey, I got Amazon Cart signing working in classic asp with some slight modifications to your code! See my article on it http://kylejhoward.com/2010/12/23/amazon-cart-encoding-and-signing-with-classic-asp/

    Thanks a lot!

  23. Dave W Says:

    The .wsc files are no longer available using the links above. However the SHA1 file can be found here – http://uwblog.googlecode.com/svn/trunk/includes/sha1.wsc and the MD5 file here – pajhome.org.uk/crypt/md5/contrib/md5.wsc

  24. Dom Says:

    Anyone know where I can get my hands on the sha1.wsc file? The link on googlecode.com (mentioned in previous comment) now also returns a 404 error.
