Are MD5 hashes always either capital or lowercase?

3

19

I'm passing an HMAC-MD5 encoded parameter into a form and the vendor is returning it as invalid. However, it matches what their hash generator gives me, with the exception of capitalization on the letters. What I did to get around this was use an lcase command. I'm wondering if this will cause me trouble later. ColdFusion generates the hashed string in capital letters, the vendor always seems to use lowercase; is it always one or the other or will they ever be mixed?

Elliellicott answered 17/7, 2017 at 20:55 Comment(5)
Like I said, my hash doesn't match the vendor's simply because of the casing of the letters. They use it for authentication. - Elliellicott
If they're using MD5 for anything they're living in the past. As far as case goes, I've tried to answer that. - Physicochemical
I don't know anything about hashes, I'm surprised to hear it's dated, as this is for a payment gateway for a large electronic payment processor. - Elliellicott
Yes, ColdFusion always generates uppercase hex characters A-F. Using lCase() is perfectly safe here. - Enidenigma
Okay. I thought it would be strange if they coincidentally matched but I wanted to be sure. - Elliellicott
24

MD5, like every other hash function, produces binary output; in the case of MD5 it is 16 bytes.

Because those bytes are difficult to handle, they are encoded to a string. In the case of MD5 they are usually encoded to 32 lowercase hexadecimal digits, so every byte is represented by 2 characters.

Whether the target system accepts upper- or lowercase encodings or both is up to the system; it is unrelated to the hash function. Both are different representations of the same MD5 hash. So to answer your question, format the output as the target system requires it.

Eight answered 18/7, 2017 at 6:14 Comment(1)
@RodrigoPolo - Yes, that's exactly what I wrote in the first sentence. - Eight
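An added example, not part of the original answers: in Python, it shows that upper- and lowercase hex are the same 16-byte HMAC-MD5 tag, compares them by value in constant time, and shows why case matters again once the hex text is re-encoded, as a later comment on this page notes. The key, message and `wrapped` helper are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

# Exactly 32 hex digits of either case; fullmatch rejects whitespace and newlines.
_HEX32 = re.compile(r"[0-9a-fA-F]{32}")


def hmac_md5_hex(key: bytes, message: bytes, upper: bool = False) -> str:
    """Return the 16-byte HMAC-MD5 tag as 32 hex digits in the requested case."""
    tag = hmac.new(key, message, hashlib.md5).hexdigest()  # lowercase by default
    return tag.upper() if upper else tag


def decode_hex_digest(text: str) -> bytes:
    """Decode a 32-digit hex digest of either case to its 16 raw bytes."""
    if not _HEX32.fullmatch(text):
        raise ValueError("expected exactly 32 hexadecimal digits")
    return bytes.fromhex(text)


def digests_match(received: str, expected: str) -> bool:
    """Compare two hex digests by value, ignoring case, in constant time."""
    try:
        return hmac.compare_digest(decode_hex_digest(received),
                                   decode_hex_digest(expected))
    except ValueError:
        return False  # malformed input never matches


def wrapped(hex_digest: str) -> str:
    """Hypothetical extra step: Base64 over the hex text, which preserves case."""
    return base64.b64encode(hex_digest.encode("ascii")).decode("ascii")


# Constructed sample values, not taken from any real vendor integration.
KEY = b"constructed-shared-secret"
MESSAGE = b"amount=10.00&order=1001"
UPPER = hmac_md5_hex(KEY, MESSAGE, upper=True)  # uppercase, as ColdFusion emits
LOWER = hmac_md5_hex(KEY, MESSAGE)              # lowercase, as the vendor expects

if __name__ == "__main__":
    print(UPPER, LOWER)
    print("same tag:", digests_match(UPPER, LOWER))
    print("same after wrapping:", wrapped(UPPER) == wrapped(LOWER))
```

A receiver that decodes before comparing accepts either case; one that compares the strings directly, or re-encodes the hex text first, needs the sender to normalise case as the question's `lcase` call does.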
2

While RFC-1321 MD5 Message-Digest Algorithm doesn't discuss hexadecimal string encoding, the test suite does show results in lowercase.

The MD5 test suite (driver option "-x") should print the following results:

MD5 test suite:
MD5 ("") = d41d8cd98f00b204e9800998ecf8427e
MD5 ("a") = 0cc175b9c0f1b6a831c399e269772661
MD5 ("abc") = 900150983cd24fb0d6963f7d28e17f72
MD5 ("message digest") = f96b697d7cb7938d525a2f31aaf161d0
MD5 ("abcdefghijklmnopqrstuvwxyz") = c3fcd3d76192e4007dfb496cca67e13b
MD5 ("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789") =
d174ab98d277d9f5a5611c2c9f419d9f
MD5 ("123456789012345678901234567890123456789012345678901234567890123456
78901234567890") = 57edf4a22be3c955ac49da2e2107b67a

Lowercase is simply the outcome of C/C++ printf() format specifier %02x, not a requirement: "should print", not "must print".

Ref: RFC-1321 Appendix A.5 Test suite

Maurene answered 7/7, 2021 at 0:39 Comment(0)
0

A hex string can contain anything in the 0-9 and a-f, A-F range, so you should anticipate both upper and lower-case versions.

If you're really stuck trying to interface between two highly opinionated systems, force upper or lower case depending on your requirements.

Physicochemical answered 17/7, 2017 at 20:57 Comment(3)
Isn't a-f and A-F the same thing? MD5s are hex, which means 0-9 and a-f, but not A-F. If it is, they're both the same thing. - Draughtsman
@Draughtsman They should be, but some legacy software can be very cantankerous. - Physicochemical
Some (questionable) systems encrypt or encode MD5 in an additional step, making case relevant for the final output. Always follow the documented/recommended way to avoid discrepancies. - Enidenigma
