[thelist] authorize.net says md5 algorithm error prone

Erik Heerlein erik at erikheerlein.com
Mon Jun 6 13:41:54 CDT 2005

On Jun 6, 2005, at 1:05 PM, Keith wrote:
>> I'm not familiar with Authorize.net's scheme, but I use the same MD5 
>> concept a lot to validate transactions. There should be another piece 
>> to this puzzle when using an MD5 authentication - both parties must 
>> be sharing a secret. That secret is a "salt" used by MD5's crypt() to 
>> generate the signature.
> I think you may be confusing MD5 with encryption techniques. The only
> way to salt an MD5 hashing, as far as i know, is to prepend/append a
> salt string to the subject being hashed. e.g.:
> $foo = 'hash me';
> $salt = 'jsl802fkas';
> $foohash = md5($salt . $foo);

This is correct, part of the signature is a string that only I and 
Authorize.net know about.

> If it's happening intermittently then I'd suspect that either 
> Authorize.net, or your validation script, is occasionally using the 
> wrong salt (failure to correctly read the salt). This could happen on 
> Authorize.net's end for a variety of reasons, mainly traffic overload 
> that times-out their look up of your salt in their database.

I checked my script and it checks out. Failure on their end sounds more 
likely to me since they know they have had issues with it in the past.

> My personal experience, Authorize.net has never been in the business 
> of making people happy.

My experience is drawing the same conclusions.

>  But I would not disable it, especially if you are delivering digital 
> goods at the time of the transaction. Alter your validation script to 
> write all such errors to a separate log and spit out an email to you 
> each time it happens.

Good advice, thanks for the help and doing authorize.net's job.

[>] Erik Heerlein
     erik at erikheerlein.com

More information about the thelist mailing list