Allowing end-users to open the interactive sheet music viewer to view and/or print the music in their "Print-Ready" music collection is very similar to previewing it. The only difference is that vendors need to provide additional values to the DMC via the URL. In addition to the MD5 hash of the vendor's username and the Legato music ID, vendors also need to provide the end-user's Legato user ID and a hash of the end-user's Legato password:
While the Legato music and user ID can be outputted directly from the database, the end-user's password must be hashed and thus requires an additional step. An algorithm has been created and adjusted for hashing the end-user's password. The following code is an example of this algorithm written in PHP:
function ssha($password){ mt_srand((double)microtime()*1000000); $salt = pack("CCCC", mt_rand(), mt_rand(), mt_rand(), mt_rand()); $hash = base64_encode(pack("H*", sha1($password . $salt)) . $salt); $hash = str_replace('+', '@', $hash); $hash = str_replace('/', '.', $hash); return $hash; }This function first creates a salt value to be used. This is done by formatting four random numbers as unsigned characters packed in a binary string.
The hash is created using the SHA1 (RFC 3174) hashing alogrithm. The user's plaintext password is first combined with the salt, and hashed using SHA1. That result is also combined with the original salt value, and packed as a binary string, formatted as a Hex string, high nibble first. The resultant string is then base64-encoded (RFC 3548), and the + and / characters are replaced with @ and . characters, respectively.
The resulting hash should be different with each request. When this method is used within the security of SSL, the user's identity is protected.
Vendors will be responsible for storing a user's password. Legato recommend that passwords be stored in an encrypted state that is easily decrypted by the vendor.
