> What is the general purpose of it?

It is a hash. A hash is a small summary of a larger piece of data originally used in data communications protocols to verify that a chunk of data was transmitted correctly. It used to be quite standard just 10-20 years ago that a bit or two were distorted somewhere along the line.

So, for example, the Xmodem protocol sent data in 128 byte chunks (if I recall correctly). As the computer was sending it, it calculated a very simple hash called checksum. It just added all 128 bytes up, discarding any carry. It then sent the checksum out right after the 128 bytes. The receiving computer read the 128 bytes, computed the checksum, and compared the result to the checksum it received. If they were the same, it assumed the 128 bytes were undistorted, and added them to a file. Otherwise, it assumed an error and asked the sender to resend the chunk.

Alas, it could (and did) happen that two errors cancelled each other as far as a simple checksum is concerned. So, the data could be distorted and still come with the correct checksum. A more sophisticated hash was needed. This was CRC-32, used in the Zmodem protocol and its derivatives. This calculated a 32-bit value (checksum was an 8-bit value) and used a more complex algorithm. As a result, the kind of changes that happen in data transmission would produce a different CRC-32 in something like 99.996% of cases.

MD5 takes the idea even further. The algorithm is even more complex. The hash is 128 bits wide. This makes the odds against an original file (stream of data) and a modified file (stream of data) computing the same MD5 astronomical (though not absolutely impossible). This is far more than is necessary for data transmission. Its purpose is for the verification of the authenticity of data.

In e-gold's specific case, it calculates the hash (MD5) of a stream of data. Some of this data is transmitted to you, but some (your secret "alternate passphrase") is not. There are astronomical odds against data tampering that way. If someone would like to pretend to be e-gold.com sending you the acknowledgment of payment, they would need to know your secret passphrase to create the proper hash.

So, when you receive your data, you insert your secret passphrase in the stream, calculate the MD5 hash and compare it to the one the calling server sent you. If they do not match, you refuse to accept the data as valid. If they do match, well, you know that the sender is either e-gold.com or someone who knows your secret passphrase.

To be completely safe, you need to choose a good passphrase, one that cannot be figured out with a dictionary attack (since it is quite simple to send you some 60,000 attempts going through a dictionary until they find a match).

This kind of attack cannot find your log-in passphrase (unless you use the same passphrase for logging in and for your alternate, which is a very bad idea). They cannot steal your gold. They can steal your services. If you are selling digital data which you send out automatically as soon as a customer spends the proper weight of e-gold and you receive your acknowledgement, the dictionary attack could get the attacker a free copy of your digital product (this is why you also need to verify that the payment information did indeed come from e-gold.com's server).

I hope this answers your question. :)

Adam
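
The two checks described in the message above, as an added Python example that is not part of the original post and is not e-gold's own code: the carry-discarding 128-byte checksum missing two cancelling errors, and the receiver-side MD5 check with the secret passphrase inserted into the stream. The field names, their order, the `:` separator and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac

def xmodem_checksum(block: bytes) -> int:
    """Simple checksum from the post: add all bytes, discard any carry (8 bits)."""
    return sum(block) & 0xFF

def notification_hash(fields: dict, secret: str) -> str:
    """MD5 over the transmitted fields with the never-transmitted secret inserted.

    Field names, order and the ':' separator are assumptions for this example,
    not e-gold's documented format.
    """
    stream = ":".join([fields["payment_id"], fields["payee"], fields["amount"],
                       secret, fields["payer"]])
    return hashlib.md5(stream.encode("utf-8")).hexdigest()

def verify_notification(fields: dict, received_hash: str, secret: str) -> bool:
    """Recompute the hash locally and compare it in constant time."""
    expected = notification_hash(fields, secret)
    return hmac.compare_digest(expected, received_hash.lower())

def demo() -> dict:
    # Constructed 128-byte block with two errors that cancel: +1 and -1.
    block = bytes(range(128))
    damaged = bytearray(block)
    damaged[10] += 1
    damaged[20] -= 1
    secret = "constructed alternate passphrase 7Q!x"    # constructed sample
    fields = {"payment_id": "ORDER-1001", "payee": "100001",
              "amount": "2.50", "payer": "200002"}      # constructed sample
    sent_hash = notification_hash(fields, secret)       # what the real sender computes
    tampered = dict(fields, amount="0.01")
    return {
        "checksum_misses_errors":
            xmodem_checksum(block) == xmodem_checksum(bytes(damaged)),
        "md5_sees_errors":
            hashlib.md5(block).digest() != hashlib.md5(bytes(damaged)).digest(),
        "genuine_accepted": verify_notification(fields, sent_hash, secret),
        "tampered_rejected": not verify_notification(tampered, sent_hash, secret),
        "forged_rejected": not verify_notification(
            fields, notification_hash(fields, "wrong guess"), secret),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

A match shows only that the sender knows the passphrase, which is why the message also calls for checking that the notification came from e-gold.com's server.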