> So do I create a MD5 hash with the fields which are being submitted to
> verify.asp, and then match it up with the values returned?

verify.asp is only used with the automation interface? What are you trying
to do?


> What is the general purpose of it?

The general purpose of the MD5 hash, in this case, is to verify that the
payment notification is coming from e-gold itself, and not some spoofer/thief.
The way to create a MD5 hash is to take all the values that are sent to
you, add in the shared secret which in this case is the
AlternatePassphrase (not your login passphrase), separate them by a ":",
and then run this string through a MD5 hashing function.

I'm a perl-monger, so I'll show how to do it in Perl.

#####################################################
# $AltPassphrase - MD5 hash of the AlternatePassphrase 
#                  (replace this with your hashed AlternatePassphrase)
# $handshake - the MD5 hash created locally
# $Form{xxx} - the values sent to you (supposedly) by the e-gold server
# $Form{"V2_HASH"} - the MD5 hash sent with the values
#####################################################

use strict;
use warnings;
use Digest::MD5 qw(md5_hex);   # core module; Digest::Perl::MD5 exports the same md5_hex

my $AltPassphrase = "ABCDEF1234567890ABCDEF1234567890";

# %Form is filled in from the POST parameters e-gold sends (from your CGI
# library); it is left empty here.
my %Form;

# The hashed string must be one run of ":"-separated values with nothing
# else in it: any unnecessary space or newline will create a different MD5
# hash, so join the fields rather than splitting the string across lines
# of source.
my $handshake = uc(md5_hex(join(":",
    $Form{"PAYMENT_ID"}, $Form{"PAYEE_ACCOUNT"}, $Form{"PAYMENT_AMOUNT"},
    $Form{"PAYMENT_UNITS"}, $Form{"PAYMENT_METAL_ID"}, $Form{"PAYMENT_BATCH_NUM"},
    $Form{"PAYER_ACCOUNT"}, $AltPassphrase, $Form{"ACTUAL_PAYMENT_OUNCES"},
    $Form{"USD_PER_OUNCE"}, $Form{"FEEWEIGHT"}, $Form{"TIMESTAMPGMT"})));

# Strip any trailing newline/CR from the received hash. chop() would remove
# the last character even when there is no newline to remove, and would
# leave the "\r" of a CRLF behind.
(my $received = $Form{"V2_HASH"} // "") =~ s/\s+\z//;

if ($handshake eq uc($received))
{
# Do stuff
}

#####################################################

If the MD5 hash you compute matches the MD5 hash sent to you, then you can
be reasonably sure that it was in fact e-gold that sent it to you. You can
be absolutely, positively sure that the sender knew your & e-gold's shared
secret - the AlternatePassphrase. Be very careful with both the
(regular/login) passphrase and the AlternatePassphrase. If you let the
AlternatePassphrase loose, some unscrupulous people could send you fake
payment notifications.

This is described in more detail in the SCI spec at:
http://www.e-gold.com/docs/e-gold_sci.html#_Toc517753361

Hope this helps.


Viking Coder
____________
http://www.two-cents-worth.com/?VikingCoder 
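The V2_HASH check the post describes, as an added example that is not part of the original post or of e-gold's own code, written in Python so it runs stand-alone. The field order, the ":" separator and the position of the hashed AlternatePassphrase are taken from the Perl snippet above; the sample passphrase, account numbers and notification values are constructed and hypothetical. The whitespace stripping and the constant-time comparison are this example's own choices, not something the post or the SCI spec prescribes.

```python
"""Verify an e-gold SCI payment notification by recomputing its V2_HASH.

Added example, not from the e-gold-tech post or from e-gold. Field order
and secret position follow the post's Perl; every sample value below is
constructed for the demo.
"""
import hashlib
import hmac

# Field order of the V2_HASH input, as given in the post. The MD5 of the
# AlternatePassphrase (not the login passphrase) is spliced in after
# PAYER_ACCOUNT; None marks that slot.
V2_HASH_FIELDS = (
    "PAYMENT_ID", "PAYEE_ACCOUNT", "PAYMENT_AMOUNT", "PAYMENT_UNITS",
    "PAYMENT_METAL_ID", "PAYMENT_BATCH_NUM", "PAYER_ACCOUNT",
    None,
    "ACTUAL_PAYMENT_OUNCES", "USD_PER_OUNCE", "FEEWEIGHT", "TIMESTAMPGMT",
)


def alt_passphrase_hash(alt_passphrase: str) -> str:
    """The shared secret that enters the hash: MD5(AlternatePassphrase), upper-case hex."""
    return hashlib.md5(alt_passphrase.encode()).hexdigest().upper()


def compute_v2_hash(form: dict, alt_hash: str) -> str:
    """Join the fields with ':' exactly as received (no added spaces) and MD5 them."""
    parts = [alt_hash if name is None else str(form[name]) for name in V2_HASH_FIELDS]
    return hashlib.md5(":".join(parts).encode()).hexdigest().upper()


def verify_notification(form: dict, alt_hash: str) -> bool:
    """True only if the sender knew the shared secret and nothing was altered in transit."""
    expected = compute_v2_hash(form, alt_hash)
    # Strip trailing CR/LF rather than chopping one character blindly.
    received = str(form.get("V2_HASH", "")).strip().upper()
    # Constant-time comparison so the check leaks nothing about the expected digest.
    return hmac.compare_digest(expected, received)


# Constructed secret: the merchant's AlternatePassphrase, known only to the
# merchant and e-gold (hypothetical value).
SAMPLE_ALT_PASSPHRASE = "correct horse battery staple"
SAMPLE_ALT_HASH = alt_passphrase_hash(SAMPLE_ALT_PASSPHRASE)


def sample_notification() -> dict:
    """A constructed notification as e-gold's server would POST it, with a valid V2_HASH."""
    form = {
        "PAYMENT_ID": "ORDER-1001",
        "PAYEE_ACCOUNT": "1234567",
        "PAYMENT_AMOUNT": "25.00",
        "PAYMENT_UNITS": "2",
        "PAYMENT_METAL_ID": "1",
        "PAYMENT_BATCH_NUM": "87654321",
        "PAYER_ACCOUNT": "7654321",
        "ACTUAL_PAYMENT_OUNCES": "0.073",
        "USD_PER_OUNCE": "342.00",
        "FEEWEIGHT": "0.0007",
        "TIMESTAMPGMT": "1041379200",
    }
    # The sending side computes the hash with the same secret; a trailing
    # CRLF models what a raw POST body often carries.
    form["V2_HASH"] = compute_v2_hash(form, SAMPLE_ALT_HASH) + "\r\n"
    return form


def demo() -> dict:
    """Genuine notification passes; a tampered amount and a forgery without the secret fail."""
    genuine = sample_notification()
    # Attacker replays the notification but edits the amount: hash no longer matches.
    tampered = dict(genuine, PAYMENT_AMOUNT="2500.00")
    # Attacker builds a notification from scratch, guessing the secret.
    forged = dict(genuine)
    forged["V2_HASH"] = compute_v2_hash(forged, alt_passphrase_hash("guess"))
    return {
        "genuine": verify_notification(genuine, SAMPLE_ALT_HASH),
        "tampered": verify_notification(tampered, SAMPLE_ALT_HASH),
        "forged": verify_notification(forged, SAMPLE_ALT_HASH),
    }


if __name__ == "__main__":
    print(demo())
```

Note that the check proves only that the sender held the AlternatePassphrase and that the listed fields were not changed; any field outside V2_HASH_FIELDS is unprotected, so decisions should be based only on the covered values.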

---
You are currently subscribed to e-gold-tech as: archive@jab.org