Hi
How secure is using an MD5 hash for sending credit numbers and passwords (confidential data) in an e-commerce system over the internet? And why?
I know about SSL but want to try MD5 and worry about it.
In my region I cannot use VeriSign or PayPal certificates, thus I'm searching for another way that provides the best security for this system (I must save my customers' credit numbers in the database; I know that it is a very bad idea but have no other way to do it).
Please help me

Thanks in advance

    You don't want to use MD5 to send an encrypted credit card number over the internet, since you will have difficulties decrypting the data.

    MD5 is a one-way hash function generating a kind of fingerprint for a given message (credit card #), and if you have several fingerprints in front of you, you can't see to whom they belong, can you?

      Thanks.
      But credit card numbers and all of their other information are saved in the database before publishing credits between people.
      I need to check encrypted data that is sent from the user against encrypted data that is saved in the database with the MD5 hash algorithm.
      Is it impossible?

        Hash the incoming data with MD5 and compare it to the hashed data stored in the database. Using MD5 on the same data gives the same result every time.

        But why are you storing credit card details?

          Thanks
          The main reason for saving credit card numbers in the DB is a restriction in my region.
          But I must ensure transmission security over the internet.
          Can you tell me how secure using MD5 is?
          It is very important to me.

            Why can't you use SSL? If you want "transmission security", that's what SSL is for, isn't it?

            MD5 is a one-way function. It's not intended for data encryption. Also make sure you salt the MD5 too because most credit card numbers aren't really 16-18 digits. Half of those digits identify the bank and credit network. Which makes the MD5 even more vulnerable to dictionary attacks and brute forcing.

            Just my two cents. 😉

              The official reference on MD5 is RFC1321. I'm not going to go into the subject of how secure or not it is (Buddha443556 makes a very valid point in this particular instance, however), since if it has been discussed n times on these forums, it has been discussed n+1. Search for md5 - if you want, restrict the search to thread titles. That should give you pages and pages of discussion.
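
The two points made in the replies above (hashing the same input always gives the same result, and a card number has far fewer unknown digits than its length suggests) can be seen side by side in this added example, which is not code from any poster in the thread. The card number is a widely published test value, and the function names and sample keys are assumptions made for the illustration.

```python
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed sample: a widely published test card number, not a real account.
TEST_PAN = "4111111111111111"


def md5_token(pan: str) -> str:
    """Unsalted MD5 of the card number, as proposed in the thread."""
    return hashlib.md5(pan.encode()).hexdigest()


def guesses_to_match(md5_hex: str, bin6: str, last4: str) -> Tuple[Optional[str], int]:
    """Count how many guesses it takes to match an unsalted MD5 when the
    six-digit issuer prefix and the last four digits are already known.
    Only six digits remain unknown, so the whole space is 10**6 values."""
    for n in range(10 ** 6):
        guess = f"{bin6}{n:06d}{last4}"
        if md5_token(guess) == md5_hex:
            return guess, n + 1
    return None, 10 ** 6


def keyed_token(pan: str, key: bytes) -> str:
    """HMAC-SHA-256 under a server-side secret key. It is still deterministic,
    so stored and incoming values can be compared, but a guess cannot be
    checked by anyone who does not hold the key."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def tokens_match(a: str, b: str) -> bool:
    """Constant-time comparison of two stored/incoming tokens."""
    return hmac.compare_digest(a, b)


if __name__ == "__main__":
    stored = md5_token(TEST_PAN)
    print("same input, same MD5:", tokens_match(stored, md5_token(TEST_PAN)))
    found, tries = guesses_to_match(stored, TEST_PAN[:6], TEST_PAN[-4:])
    print("unsalted MD5 matched after", tries, "guesses:", found)
    key = b"constructed-demo-key"  # placeholder; a real key lives outside the DB
    print("keyed token:", keyed_token(TEST_PAN, key))
```

The keyed token covers only the stored comparison value; protecting the number in transit remains the job of SSL, as the replies say.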
