[thelist] authorize.net says md5 algorithm error prone

Keith cache at dowebs.com
Mon Jun 6 16:22:05 CDT 2005


At 11:21 AM Monday 6/6/2005, you wrote:


>I think you may be confusing MD5 with encryption techniques. The only
>way to salt an MD5 hashing, as far as I know, is to prepend/append a
>salt string to the subject being hashed. e.g.:

If the standard MD5 crypt() one-way-hash (used by Unix for 20 years for 
password encryption) is not given a salt, it uses the first two characters 
of the value being transliterated, as you suggested. That would be 
worthless in validation in this scheme because the salt would be obvious. 
To use MD5 encryption for schemes like this you can salt the crypt function 
with a shared salt, thus:

$value = "myString";
$salt = "tp";
$result = crypt($value, $salt);
"tp" is the shared secret.

The crypt() function cannot read more than the first 8 characters of the 
value. So with a string of undetermined length you would break the string 
into 8-character chunks and join the results. Therefore the shared salt may 
be longer than 2 characters, anticipating unique salts for multiple chunks. 
Depending on how the value string is split into chunks, problems may arise 
if the string is longer than the anticipated max length.




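Added example, not part of the original message: PHP's crypt() with a two-character salt, showing where the salt appears in the result, the 8-character limit, and the chunk-and-join approach with the longer-than-anticipated case handled. chunkedCrypt() and the sample strings are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: split $value into 8-character chunks, hash each chunk
// with its own 2-character salt taken from $salts, and join the results.
function chunkedCrypt(string $value, string $salts): string
{
    if ($value === '') {
        throw new InvalidArgumentException('empty value');
    }
    $chunks = str_split($value, 8);
    // Failure mode from the message: a value longer than anticipated
    // needs more salt pairs than were agreed on.
    if (strlen($salts) < 2 * count($chunks)) {
        throw new LengthException('not enough salt for this value length');
    }
    $out = '';
    foreach ($chunks as $i => $chunk) {
        $hash = crypt($chunk, substr($salts, 2 * $i, 2));
        // On failure crypt() returns a string shorter than 13 characters.
        if (strlen($hash) !== 13) {
            throw new RuntimeException('crypt() rejected the salt');
        }
        $out .= $hash;
    }
    return $out;
}

// Constructed sample values.
$short = crypt('myString', 'tp');
$long  = crypt('myStringWithExtraCharacters', 'tp');

// The 2-character salt is copied to the front of the 13-character result.
var_dump(substr($short, 0, 2) === 'tp');
// Characters after the 8th do not change the result.
var_dump($short === $long);
// 27 characters make 4 chunks, so 8 salt characters are needed.
var_dump(strlen(chunkedCrypt('myStringWithExtraCharacters', 'tpQ1zR7k')) === 52);
```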



