[thelist] authorize.net says md5 algorithm error prone

Erik Heerlein erik at erikheerlein.com
Sun Jun 5 21:50:22 CDT 2005

> Can you describe exactly what is being hashed by md5?
> MD5 isn't error prone, AFAIK. What is "error prone" is how some people
> use it, as if it were an encryption method. People, for instance, use
> md5 to 'encrypt' passwords that they then store in cookies.

Here are the instructions given by Authorize.net for incorporating the 
MD5 hash security feature.
How is the Signature Constructed?
The MD5 signature is a hash of the following four fields:
MD5 Hash Value
Login ID
Transaction ID

For example, if the merchant’s hash value was "wilson," the merchant 
Login ID was "mylogin," the transaction ID was "987654321," and the 
amount was "1.00," the MD5 algorithm would be run on the following 
string: "wilsonmylogin9876543211.00".

How Should the Feature be Set Up on the Merchant’s Server?
The following steps are used by the merchant to evaluate the MD5 
1.  Create a script to receive transaction results.
2.  Run the MD5 algorithm on the fields indicated above.
3.  Determine if the signature created matches the signature that was 
returned by the gateway.
4.  If the signatures match, the response was sent by the gateway.

The "MD5 Hash Value" is just a string that I made up which only I and 
Authorize.net have. Now for the transaction in question, the signature 
did not match, but the transaction was approved and the customer was 
kosher. So I was puzzled as to why the signature, on this particular 
transaction, had failed.

> However, neither of these explains why authorize.net would send you an
> md5 hash that was incorrect. I suspect you were talking to a tech
> support dude(tte) who didn't quite know what he/she was talking about.

Well, I agree with you there. But if my system rejects the order as 
being fraudulent and I never fulfill the order, but Authorize.net 
charges the card, you can understand how that is not good for business. 
So I don't no whether to leave it and possibly piss off some customers 
or take it off and possibly open up my site to attack. Either way, I'm 
not happy with Authorize.net and the error or their explanation.

[>] Erik Heerlein
     Web Developer

     erik at erikheerlein.com

More information about the thelist mailing list