There are several different things going on.

The only bit that we can look at is what goes on in the Javascript.

When you attempt to load the API code, your key is sent to the API
loader server in the &key= field.

If you paste the URL of a key request directly into your browser's
address bar you'll see the Javascript code that the server has
generated. Within that code you'll see this:

 if (!GValidateKey("51c0f86eb5b5819b28fcd86a3f1fa26513b12f14")) {
  G_INCOMPAT = true;
  alert("The Google Maps API key used on this web site was registered " +
        "for a different web site. You can generate a new key for this " +
        "web site at http://code.google.com/apis/maps/.");
  return;
 }

The "51c0f86eb5b5819b28fcd86a3f1fa26513b12f14" bit is what Google call a
hash, but it's what we called an authenticator when I worked in a bank.

Note that the server managed to produce this hash from the key without
knowing the URL of my site. (When I pasted the URL directly into my
browser address bar, it got the same result, even though my web site was
not involved).


GValidateKey() extracts various bits from window.location and generates
several probe strings. This allows for the fact that you are allowed to
generate keys that work for your whole domain, for just one subdomain,
or for one directory, and work for both https and http. For each such
probe string it performs this processing to calculate the hash.


  function pq(a){
   var b=[1518500249,1859775393,2400959708,3395469782];
   a+=String.fromCharCode(128);
   var c=j(a),d=Qc(c/4)+2,e=Qc(d/16),f=new Array(e);
   for(var g=0;g<e;g++){
    f[g]=new Array(16);
    for(var h=0;h<16;h++)
     f[g][h]=a.charCodeAt(g*64+h*4)<<24|a.charCodeAt(g*64+h*4+1)<<16|
             a.charCodeAt(g*64+h*4+2)<<8|a.charCodeAt(g*64+h*4+3)
   }
   f[e-1][14]=(c-1>>>30)*8;   f[e-1][15]=(c-1)*8&4294967295;
   var i=1732584193,k=4023233417,m=2562383102,n=271733878,q=3285377520,
        s=new Array(80),v,z,w,N,A;
   for(var g=0;g<e;g++){
    for(var da=0;da<16;da++)s[da]=f[g][da];
    for(var da=16;da<80;da++)
     s[da]=(s[da-3]^s[da-8]^s[da-14]^s[da-16])<<1|
           (s[da-3]^s[da-8]^s[da-14]^s[da-16])>>>31;
    v=i;
    z=k;
    w=m;
    N=n;
    A=q;
    for(var da=0;da<80;da++){
     var Ea=Tc(da/20),
         Qa=(v<<5|v>>>27)+qq(Ea,z,w,N)+A+b[Ea]+s[da]&4294967295;
     A=N;
     N=w;
     w=z<<30|z>>>2;
     z=v;
     v=Qa
    }
    i=i+v&4294967295;
    k=k+z&4294967295;
    m=m+w&4294967295;
    n=n+N&4294967295;
    q=q+A&4294967295
   }
   return rq(i)+rq(k)+rq(m)+rq(n)+rq(q)
  }

Perhaps you recognise that algorithm.

It then checks the return value from that function against the hash that
it got from the loader server. If that matches for one of the probes,
then the key is accepted. E.g.

  pq("http://econym.googlepages.com") =
  "51c0f86eb5b5819b28fcd86a3f1fa26513b12f14"

If you wanted to break it you could just grab a copy of the generated
loader code and remove the GValidateKey() call.



Not all strings of the right length are valid key strings. Some of the
characters are redundant. If you change a few characters of a key then
the loader generates GValidateKey("") which won't match any of the
probes.

I suspect that the server also has a short blacklist of API keys (or
partial keys). If you're really naughty, and get your key entered into
the blacklist, then the loader probably generates GValidateKey("").

The API key is 86 characters long. The first 8 characters are
"ABQIAAAA". The next 22 characters somehow encode the Google Account.
The next 28 characters somehow encode the registered URL. This makes it
possible for the servers to do things like blacklisting all keys
generated by a particular Google Account.



As well as the client side key check, there are server side key checks
for services like geocoding, routing, GgeoXml and static maps. If the
server request contains header information that identifies the URL of
the initial web page, then the key is matched to that URL. If the server
request doesn't contain such information, then any valid key string is
accepted. Details of the server side key checks are not visible.


Key validation is performed once on the client side when the API code is
loaded and on the server side each time a geocoding, routing, GgeoXml or
static maps request is performed.

-- 
http://econym.googlepages.com/index.htm
The Blackpool Community Church Javascript Team
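
The client-side check described in the message above, as an added example that is not part of the original post and is not Google's code: probe strings are derived from the page location, each is hashed with SHA-1 (the algorithm the minified pq() implements), and the result is compared with the authenticator the loader embedded. The function names, the example.org URLs and every probe format other than the "scheme://host" form shown in the post are assumptions.

```javascript
// Added illustration; probe formats other than "scheme://host" are assumptions.
const { createHash } = require("node:crypto");

// SHA-1 as lowercase hex: the same 40-character output shape as the post's pq().
function sha1Hex(text) {
  return createHash("sha1").update(text, "utf8").digest("hex");
}

// Candidate strings a key could have been registered for, derived from the
// page location: both schemes, the host and its parent domains, and each
// directory prefix of the path.
function probeStrings(href) {
  const url = new URL(href);
  const labels = url.hostname.split(".");
  const hosts = [url.hostname];
  for (let i = 1; i + 2 <= labels.length; i++) hosts.push(labels.slice(i).join("."));
  const parts = url.pathname.split("/").filter(Boolean);
  // The last segment is treated as a file name unless the path ends in "/".
  const dirCount = url.pathname.endsWith("/") ? parts.length : parts.length - 1;
  const dirs = [""];
  for (let i = 1; i <= dirCount; i++) dirs.push("/" + parts.slice(0, i).join("/"));
  const probes = [];
  for (const scheme of ["http", "https"])
    for (const host of hosts)
      for (const dir of dirs) probes.push(`${scheme}://${host}${dir}`);
  return probes;
}

// Mirrors the decision GValidateKey() makes: accept if any probe hashes to the
// authenticator the loader embedded. An empty authenticator never matches.
function validateKey(authenticator, href) {
  if (!authenticator) return false;
  return probeStrings(href).some((probe) => sha1Hex(probe) === authenticator);
}

// Constructed sample: stands in for the value the loader server would embed
// for a key registered to http://maps.example.org.
const issued = sha1Hex("http://maps.example.org");
console.log(validateKey(issued, "https://maps.example.org/store/locator.html"));
console.log(validateKey(issued, "http://other.example.net/"));
console.log(validateKey("", "http://maps.example.org/"));
```

Everything in this block runs in the browser; only the server-side checks the post describes sit outside the client's control.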

