[thelist] authorize.net says md5 algorithm error prone
Keith
cache at dowebs.com
Mon Jun 6 16:22:05 CDT 2005
At 11:21 AM Monday 6/6/2005, you wrote:
>I think you may be confusing MD5 with encryption techniques. The only
>way to salt an MD5 hashing, as far as i know, is to prepend/append a
>salt string to the subject being hashed. e.g.:
If the standard MD5 crypt() one-way-hash (used by Unix for 20 years for
password encryption) is not given a salt, it uses the first two characters
of the value being transliterated, as you suggested. That would be
worthless in validation in this scheme because the salt would be obvious.
To use MD5 encryption for schemes like this you can salt the crypt function
with a shared salt, thus:
$value="myString"
$salt="tp"
$result=crypt($value,$salt)
"tp" is the shared secret.
The crypt() function can not read more than the first 8 characters of the
value. So with a string of undetermined length you would break the string
into 8 character chunks and join the results. Therefore the shared salt may
be longer that 2 characters, anticipating unique salts for multiple chunks.
Depending on how the value string is split into chunks, problems may arise
if the string is longer than anticipated max length.
--
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.323 / Virus Database: 267.6.4 - Release Date: 6/6/2005
More information about the thelist
mailing list