ArbiterPay Security Flaw

[Camron Rust]

Quote:

Originally Posted by LRZ

What is a "1-way hash"?

It is a transformation of the data from one form to another cryptic form such that you can never reverse the operation. I could give you my password in the transformed format and, even if you had a powerful computer working on it for years, you'd never be able to figure out the original password....even if you knew the exact algorithm I used to transform it.

The only thing you can do with it is use it to confirm that newly supplied information is the same as previously supplied information.

It goes like this:

1. You set a new password.....abc123
2. That password gets converted to dlkVj08.9Auf3@uQl839&dRsa
3. That converted value is stored in the database with your username
4. Later, you log in and provide abc123 as your password
5. The system converts that in to the same as above (the conversion is repeatable).
6. Since you provided the same password as you set up in step 1, the converted values will match and you are allowed in.

A similar technique is used to sign documents or files for downloads. The publisher of the file provides and MD5 checksum (and it is only 32 ascii characters long). If you get the file from an alternate source and check the MD5 of the file you recieved and it matches the one provided by the original publisher, you can be assured that the entire file is the exactly the same. Change even one character anywhere in the file and the MD5 checksum changes dramatically.