[thelist] authorize.net says md5 algorithm error prone
Erik Heerlein
erik at erikheerlein.com
Mon Jun 6 13:41:54 CDT 2005
On Jun 6, 2005, at 1:05 PM, Keith wrote:
>
>> I'm not familiar with Authorize.net's scheme, but I use the same MD5
>> concept a lot to validate transactions. There should be another piece
>> to this puzzle when using an MD5 authentication - both parties must
>> be sharing a secret. That secret is a "salt" used by MD5's crypt() to
>> generate the signature.
>
> I think you may be confusing MD5 with encryption techniques. The only
> way to salt an MD5 hash, as far as I know, is to prepend/append a
> salt string to the subject being hashed. e.g.:
>
> $foo = 'hash me';
> $salt = 'jsl802fkas';
> $foohash = md5($salt . $foo);

This is correct, part of the signature is a string that only I and
Authorize.net know about.

> If it's happening intermittently then I'd suspect that either
> Authorize.net, or your validation script, is occasionally using the
> wrong salt (failure to correctly read the salt). This could happen on
> Authorize.net's end for a variety of reasons, mainly traffic overload
> that times out their lookup of your salt in their database.

I checked my script and it checks out. Failure on their end sounds more
likely to me since they know they have had issues with it in the past.

> My personal experience, Authorize.net has never been in the business
> of making people happy.

My experience is drawing the same conclusions.

> But I would not disable it, especially if you are delivering digital
> goods at the time of the transaction. Alter your validation script to
> write all such errors to a separate log and spit out an email to you
> each time it happens.

Good advice, thanks for the help and doing authorize.net's job.

[>] Erik Heerlein
erik at erikheerlein.com
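
Added example, not part of the original message and not Authorize.net's documented format: a validation routine along the lines suggested above, which recomputes md5(secret . fields), keeps the check enabled, and writes every mismatch to its own log with an optional e-mail alert. The field names (trans_id, amount, md5_hash), their order, the log path and the alert address are assumptions.

```php
<?php
// Added example. Field names, field order, paths and addresses are assumptions;
// the salt-prepend construction is the one quoted in the thread. Needs PHP 7.1+.

/** md5(secret . fields), same construction as the thread's md5($salt . $foo). */
function expected_signature(string $secret, string $transId, string $amount): string
{
    return md5($secret . $transId . $amount);
}

/** Replace control and non-ASCII bytes so submitted values cannot forge log lines. */
function log_safe(string $value): string
{
    return preg_replace('/[^\x20-\x7E]/', '?', $value);
}

// Returns true only when the received hash matches. A mismatch is appended to
// its own log file and optionally mailed; the caller must then withhold delivery.
function verify_response(array $post, string $secret, string $logFile, ?string $alertTo = null): bool
{
    $transId  = (string) ($post['trans_id'] ?? '');
    $amount   = (string) ($post['amount'] ?? '');
    $received = strtolower((string) ($post['md5_hash'] ?? ''));

    // hash_equals() compares in constant time, unlike == or strcmp().
    if (hash_equals(expected_signature($secret, $transId, $amount), $received)) {
        return true;
    }

    // Record what arrived, never the secret or the expected hash.
    $line = sprintf("%s md5-mismatch trans_id=%s amount=%s received=%s\n",
        gmdate('c'), log_safe($transId), log_safe($amount), log_safe($received));
    error_log($line, 3, $logFile);              // message type 3 appends to the named file
    if ($alertTo !== null) {
        mail($alertTo, 'MD5 signature mismatch', $line);
    }
    return false;
}

// Constructed sample data: one genuine response and one with an altered amount.
$secret  = 'jsl802fkas';                         // sample salt from the thread, not a real key
$logFile = sys_get_temp_dir() . '/md5-mismatch.log';
$good    = ['trans_id' => '1001', 'amount' => '19.95',
            'md5_hash' => md5($secret . '1001' . '19.95')];
$altered = ['amount' => '0.01'] + $good;         // same hash, different amount
var_dump(verify_response($good, $secret, $logFile));
var_dump(verify_response($altered, $secret, $logFile));
```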