Are MD5 hashes always either capital or lowercase?
Solution 1
MD5 as every other hash function will produce binary output, in case of MD5 it is 16 bytes.
Because those bytes are difficult to handle, they are encoded to a string. In case of MD5 they are usually encoded to 32 lowercase hexadecimal digits, so every byte is represented by 2 characters.
Whether the target system accepts upper- or lowercase encodings or both is up to the system, it is unrelated to the hash function, both are different representations of a the same MD5 hash. So to answer your question, format the output as the target system requires it.
Solution 2
While RFC-1321 MD5 Message-Digest Algorithm doesn't discuss hexadecimal string encoding, the test suite does show results in lowercase.
The MD5 test suite (driver option "-x") should print the following results:
MD5 test suite:
MD5 ("") = d41d8cd98f00b204e9800998ecf8427e
MD5 ("a") = 0cc175b9c0f1b6a831c399e269772661
MD5 ("abc") = 900150983cd24fb0d6963f7d28e17f72
MD5 ("message digest") = f96b697d7cb7938d525a2f31aaf161d0
MD5 ("abcdefghijklmnopqrstuvwxyz") = c3fcd3d76192e4007dfb496cca67e13b
MD5 ("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789") =
d174ab98d277d9f5a5611c2c9f419d9f
MD5 ("123456789012345678901234567890123456789012345678901234567890123456
78901234567890") = 57edf4a22be3c955ac49da2e2107b67a
Lowercase is simply the outcome of C/C++ printf()
format specifier %02x
, not a requirement: "should print", not "must print".
Ref: RFC-1321 Appendix A.5 Test suite
Related videos on Youtube
Patrick Schomburg
Updated on October 09, 2022Comments
-
Patrick Schomburg over 1 year
I'm passing an HMAC-MD5 encoded parameter into a form and the vendor is returning it as invalid. However, it matches what their hash generator gives me, with the exception of capitalization on the letters. What I did to get around this was use an lcase command. I'm wondering if this will cause me trouble later. Coldfusion generates the hashed string in capital letters, the vendor always seems to use lowercase; is it always one or the other or will they ever be mixed?
-
Patrick Schomburg almost 7 yearsLike I said, my hash doesn't match the vendors simply because of the casing of the letters. They use it for authentication.
-
Alex almost 7 yearsYes, ColdFusion always generates uppercase hex characters A-F. Using
lCase()
is perfectly safe here.
-
-
Christian almost 7 yearsIsn't a-f and A-F the same thing? MD5's are hex, which means 0-9 and a-f, but not A-F. If it is, they're both the same thing.
-
tadman almost 7 years@Christian They should be, but some legacy software can be very cantankerous.
-
Alex almost 7 yearsSome (questionable) systems encrypt or encode MD5 in an additional step, making case relevant for the final output. Always follow the documented/recommended way to avoid discrepancies.
-
Rodrigo Polo almost 5 yearsmd5 = binary(16)
-
martinstoeckli almost 5 years@RodrigoPolo - Yes, that's exactly what I wrote in the first sentence.