On Wed, Dec 30, 2015 at 11:30 AM, Jon Paris <jon.paris@xxxxxxxxxxxxxx> wrote:
// Form the MD5 hash using the transaction key
Jon, is that your comment, or theirs (Payeezy's)?
The reason I ask is that if it's their comment, then it's no wonder
Jack was a little confused. If it's your comment, well, I'll
respectfully suggest changing it to read "HMAC-MD5" instead of simply
"MD5", to reduce the chance for confusion among people who are reading
that code later.
As Tim and Kevin said, they're not the same thing. HMAC is a method of
constructing a hash from repeated application of some other (take your
pick) basic hash function. In Jack's and your case, the basic hash
function is MD5, but the HMAC method works with various others, as you
probably gathered from the fact that "hash algorithm" is a parameter
in any generalized HMAC function, like both PHP's hash_hmac and IBM's
In simplistic terms, HMAC involves first prepending the key to the
message and hashing that (using your chosen algorithm) to get an
intermediate result; then prepending the key to the intermediate
result and hashing that (using your chosen algorithm) to get the final
There are other technical details which make it at best annoying to
implement HMAC yourself, and at worst, you'll get it wrong (very, very
easy to do). So it's no wonder HMAC is usually provided as a
pre-implemented function or API.