Discussion:
Krypto parameter calculation
g***@hotmail.com
2006-10-17 21:39:15 UTC
Hello,

How is the Krypto parameter calculated from the inputs? Perhaps I'm mistaken, but if it is calculated on the client side based on the parameters, how can it actually be secure? Since the actual content of the krypto parameter is freely available by looking at the inputs of the HTML code, and the syntax is described in the Commerce server documentation, couldn't some malicious user just call the script function that creates the krypto parameter with the appropriate field values and fudge the parameters?

Thanks,
Dave
geo
2006-10-19 12:51:06 UTC
This just makes the parameters unreadable on the URL line. Anyone with
access to the JSPHelper class can decrypt them. None of this is client
side. It is done server side when you invoke a command that is set to be
secure, but is invoked from an http en route to https.
Post by g***@hotmail.com
Hello,
How is the Krypto parameter calculated from the inputs? Perhaps I'm
mistaken, but if it is calculated on the client side based on the
parameters, how can it actually be secure? Since the actual content of the
krypto parameter is freely available by looking at the inputs of the HTML
code, and the syntax is described in the Commerce server documentation,
couldn't some malicious user just call the script function that creates
the krypto parameter with the appropriate field values and fudge the
parameters?
Thanks,
Dave
Nicolai Dufva Nielsen
2006-11-01 14:45:59 UTC
The krypto parameter is simply the original GET parameters encrypted
using the merchant key. As George writes, the URL is calculated on the
server.
Post by g***@hotmail.com
Hello,
How is the Krypto parameter calculated from the inputs? Perhaps I'm mistaken, but if it is calculated on the client side based on the parameters, how can it actually be secure? Since the actual content of the krypto parameter is freely available by looking at the inputs of the HTML code, and the syntax is described in the Commerce server documentation, couldn't some malicious user just call the script function that creates the krypto parameter with the appropriate field values and fudge the parameters?
Thanks,
Dave
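As an added illustration (not code from the Commerce server product or from anyone in this thread), here is a standard-library Python sketch of the design the two replies describe: the server serialises the original GET parameters, seals them under a merchant key that never reaches the browser, and emits one opaque value; only code holding the same key can unseal it. The key bytes, parameter names and the encrypt-then-MAC construction are assumptions chosen for the example; the integrity tag is the detail a defender would insist on, since a merely encrypted value could otherwise be altered in transit.

```python
"""Server-side sealing of GET parameters under a merchant key.

Constructed example. Confidentiality comes from an HMAC-SHA256 keystream
in counter mode; integrity from a second HMAC over nonce + ciphertext
(encrypt-then-MAC). Only the server ever holds MERCHANT_KEY.
"""
import base64
import hashlib
import hmac
import os
from urllib.parse import parse_qsl, urlencode

NONCE_LEN = 12   # fresh random nonce per sealed URL
TAG_LEN = 16     # truncated HMAC-SHA256 tag appended to the blob


def _subkey(merchant_key: bytes, label: bytes) -> bytes:
    # Derive independent encryption and MAC keys from the one merchant key.
    return hmac.new(merchant_key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # PRF in counter mode: HMAC(key, nonce || counter) blocks, concatenated.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(merchant_key: bytes, params: dict) -> str:
    """Server side: turn the plain GET parameters into one opaque value."""
    enc_key, mac_key = _subkey(merchant_key, b"enc"), _subkey(merchant_key, b"mac")
    plaintext = urlencode(params).encode()
    nonce = os.urandom(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    return base64.urlsafe_b64encode(nonce + ciphertext + tag).decode()


def unseal(merchant_key: bytes, krypto: str) -> dict:
    """Server side: verify the tag first, then recover the parameters."""
    enc_key, mac_key = _subkey(merchant_key, b"enc"), _subkey(merchant_key, b"mac")
    blob = base64.urlsafe_b64decode(krypto)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("krypto parameter failed integrity check")
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return dict(parse_qsl(plaintext.decode(), keep_blank_values=True))
```

Because the merchant key stays on the server, a client that knows the HTML inputs and the documented syntax still cannot produce a value that `unseal` accepts, which is the answer to the original question.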