[thelist] authorize.net says md5 algorithm error prone
Matt Warden
mwarden at gmail.com
Mon Jun 6 12:21:07 CDT 2005
Keith,
On 6/6/05, Keith <cache at dowebs.com> wrote:
> I'm not familiar with Authorize.net's scheme, but I use the same MD5
> concept a lot to validate transactions. There should be another piece to
> this puzzle when using an MD5 authentication - both parties must be sharing
> a secret. That secret is a "salt" used by MD5's crypt() to generate the
> signature. Without a shared secret salt anyone watching your traffic could
> generate a valid signature for an invalid transaction. If this error is
> happening consistently then I'd suspect your copy of the shared secret is
> wrong.
I think you may be confusing MD5 with encryption techniques. The only
way to salt an MD5 hashing, as far as i know, is to prepend/append a
salt string to the subject being hashed. e.g.:
$foo = 'hash me';
$salt = 'jsl802fkas';
$foohash = md5($salt . $foo);
I didn't have a lot of time to confirm this, but a brief review of the
algorithm seems to support:
http://www.faqs.org/rfcs/rfc1321
--
Matt Warden
Miami University
Oxford, OH, USA
http://mattwarden.com
This email proudly and graciously contributes to entropy.
More information about the thelist
mailing list