[thelist] authorize.net says md5 algorithm error prone
Erik Heerlein
erik at erikheerlein.com
Sun Jun 5 21:50:22 CDT 2005
> Can you describe exactly what is being hashed by md5?
>
> MD5 isn't error prone, AFAIK. What is "error prone" is how some people
> use it, as if it were an encryption method. People, for instance, use
> md5 to 'encrypt' passwords that they then store in cookies.
Here are the instructions given by Authorize.net for incorporating the
MD5 hash security feature.
=================================
How is the Signature Constructed?
The MD5 signature is a hash of the following four fields:
MD5 Hash Value
Login ID
Transaction ID
Amount
For example, if the merchant’s hash value was "wilson," the merchant
Login ID was "mylogin," the transaction ID was "987654321," and the
amount was "1.00," the MD5 algorithm would be run on the following
string: "wilsonmylogin9876543211.00".
How Should the Feature be Set Up on the Merchant’s Server?
The following steps are used by the merchant to evaluate the MD5
signature:
1. Create a script to receive transaction results.
2. Run the MD5 algorithm on the fields indicated above.
3. Determine if the signature created matches the signature that was
returned by the gateway.
4. If the signatures match, the response was sent by the gateway.
=================================
The "MD5 Hash Value" is just a string that I made up which only I and
Authorize.net have. Now for the transaction in question, the signature
did not match, but the transaction was approved and the customer was
kosher. So I was puzzled as to why the signature, on this particular
transaction, had failed.
> However, neither of these explains why authorize.net would send you an
> md5 hash that was incorrect. I suspect you were talking to a tech
> support dude(tte) who didn't quite know what he/she was talking about.
Well, I agree with you there. But if my system rejects the order as
being fraudulent and I never fulfill the order, but Authorize.net
charges the card, you can understand how that is not good for business.
So I don't know whether to leave it and possibly piss off some customers
or take it off and possibly open up my site to attack. Either way, I'm
not happy with Authorize.net and the error or their explanation.
Erik Heerlein
Web Developer
843-762-9382
erik at erikheerlein.com
http://www.erikheerlein.com
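The merchant-side check in the quoted instructions (concatenate hash value, login ID, transaction ID and amount; MD5 it; compare with the signature the gateway returned) written out as an added example. This is not code from the post, from Authorize.net or from the list; the response key names (transaction_id, amount, signature) are assumed for the example, not the gateway's documented field names, and the comparison is done case-insensitively as an assumption about how the gateway renders the hex digest. The demo also shows a general property of hashing rather than a diagnosis of the failed transaction in the thread: if the amount string you hash ("1.0") is not byte-for-byte what the gateway hashed ("1.00"), the signatures will not match even though the money value is the same.

```python
import hashlib
import hmac


def build_signature(hash_value: str, login_id: str, transaction_id: str, amount: str) -> str:
    """MD5 over the four fields concatenated in the order the gateway documents:
    hash value, login ID, transaction ID, amount. Returned as uppercase hex."""
    data = hash_value + login_id + transaction_id + amount
    return hashlib.md5(data.encode("utf-8")).hexdigest().upper()


def signature_matches(hash_value: str, login_id: str, transaction_id: str,
                      amount: str, received_signature: str) -> bool:
    """Recompute the signature from the fields in the gateway's response and
    compare it with the signature the gateway sent. hmac.compare_digest runs in
    constant time, so reply latency does not reveal how many bytes matched."""
    expected = build_signature(hash_value, login_id, transaction_id, amount)
    # Assumption: the gateway's hex digest may arrive in either case.
    return hmac.compare_digest(expected, received_signature.strip().upper())


def verify_gateway_response(response: dict, hash_value: str, login_id: str) -> bool:
    """Step 3 of the merchant-side procedure, applied to an already-decoded response.
    The key names used here are assumed for this example, not the gateway's own."""
    return signature_matches(hash_value, login_id,
                             response["transaction_id"],
                             response["amount"],
                             response["signature"])


def demo():
    """Constructed responses built from the values in the quoted Authorize.net example."""
    hash_value, login_id = "wilson", "mylogin"
    sig = build_signature(hash_value, login_id, "987654321", "1.00")
    # A genuine response: the fields are exactly what was hashed.
    genuine = {"transaction_id": "987654321", "amount": "1.00", "signature": sig}
    # Same monetary value, different string; the hash input differs, so this fails.
    reformatted = dict(genuine, amount="1.0")
    # A tampered amount; this is the case the signature exists to catch.
    tampered = dict(genuine, amount="100.00")
    return (verify_gateway_response(genuine, hash_value, login_id),
            verify_gateway_response(reformatted, hash_value, login_id),
            verify_gateway_response(tampered, hash_value, login_id))


if __name__ == "__main__":
    print(demo())
```

The practical consequence for a merchant script is to hash the amount string exactly as it appears in the gateway's response rather than a value re-rendered from a float, and to treat a mismatch as "could not verify" that gets logged with the raw fields for comparison, so that a legitimate transaction the gateway has already charged is flagged for a human rather than silently discarded.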