How to create same MD5 token in different platforms?

Question

I am using MD5 hashing first time, I am trying to create a token to secure my web-services. I have found three different md5 hashing method for Android, IOS and C#. Before I call any webservice, I create a token and send it as a parameter. Then, when I get the token in service side, I create a token with the same algorithm in C# too and compare those two tokens. If the tokens are the same, I permit to the process. If not, I throw an exeption. My problem is, tokens are always different. I suppose that the difference of md5 creation methods causes this problem.

MD5 method in the C# code:

public static string MD5(string stringToEncrypted)
    {
        // step 1, calculate MD5 hash from input
        var md5 = System.Security.Cryptography.MD5.Create();
        byte[] inputBytes = System.Text.Encoding.ASCII.GetBytes(stringToEncrypted);
        byte[] hash = md5.ComputeHash(inputBytes);

        // step 2, convert byte array to hex string
        var sb = new StringBuilder();
        for (int i = 0; i < hash.Length; i++)
        {
            sb.Append(hash[i].ToString("X2"));
        }
        return sb.ToString();
    }

In Swift Code:

    extension String
    {
        var md5: String!
        {
           let str = self.cStringUsingEncoding(NSUTF8StringEncoding)
           let strLen = CC_LONG(self.lengthOfBytesUsingEncoding(NSUTF8StringEncoding))
           let digestLen = Int(CC_MD5_DIGEST_LENGTH)
           let result = UnsafeMutablePointer<CUnsignedChar>.alloc(digestLen)

           CC_MD5(str!, strLen, result)

           var hash = NSMutableString()
           for i in 0..<digestLen
           {
              hash.appendFormat("%02x", result[i])
           }

           result.destroy()

           return String(format: hash)
        }
    }

In Android Code:

public static final String md5(final String stringToEncrypted) 
{
    final String MD5 = "MD5";
    try 
    {
        // Create MD5 Hash
        MessageDigest digest = java.security.MessageDigest.getInstance(MD5);
        digest.update(stringToEncrypted.getBytes());
        byte messageDigest[] = digest.digest();

        // Create Hex String
        StringBuilder hexString = new StringBuilder();
        for (byte aMessageDigest : messageDigest) 
        {
            String h = Integer.toHexString(0xFF & aMessageDigest);
            while (h.length() < 2)
                h = "0" + h;
            hexString.append(h);
        }
        return hexString.toString();
    } 
    catch (NoSuchAlgorithmException e) 
    {
        e.printStackTrace();
    }
    return "";
}

In Android using: h = "0" + h;

In IOS using: hash.appendFormat("%02x", result[i])

In C# using: sb.Append(hash[i].ToString("X2"));

Do these differences cause this problem ?

Thank you for your answers,

Best regards

Are there any solution for this problem such as a link or tutorial ? I have searched a lot, but I couldnt find the exact solution. @SLaks — Ahmet Yılmış, Dec 22 '14 at 15:04
MD5 is insecure, and should not be used for token authentication. — pixelbadger, Dec 22 '14 at 15:08
What are your suggestions to do it ? What do you think about "Cipher" method ? @magos — Ahmet Yılmış, Dec 22 '14 at 15:12
HMAC (using MD5 as the hashing algorithm). Look at http://www.wolfe.id.au/2012/10/20/what-is-hmac-and-why-is-it-useful/ for more info. — pixelbadger, Dec 22 '14 at 15:23
Use SHA-256 for hashing. Use HMAC if you know what to do with the key. Best advice, get a security domain expert if you want real good security. — zaph, Dec 23 '14 at 00:08
@magos Even my wife says not to use MD5, there are way to may collisions. — zaph, Dec 23 '14 at 00:15

score 0 · Accepted Answer · edited May 23 '17 at 12:13

Code example from SO Answer

func doSha256(#dataIn:NSData) -> NSData {
    var shaOut: NSMutableData! = NSMutableData(length: Int(CC_SHA256_DIGEST_LENGTH));
    CC_SHA256(dataIn.bytes, CC_LONG(dataIn.length), UnsafeMutablePointer<UInt8>(shaOut.mutableBytes));

    return shaOut;
}

Obviously just change the constants for other hash methods.

If you want another format, say Base64 or hex put those conversions in a wrapper method that calls this method. It is better not to co-mingle methods, allow each to do a single thing. (Single Responsibility Principle) It also allows for easier testing and debugging.

How to create same MD5 token in different platforms?

1 Answers1