[CONC-544] No downgrade protection for ed25519 client authentication - Jira

XML

Word

Printable

Details

Type: Task
Status: Closed (View Workflow)
Priority: Minor
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 3.3.0
Component/s: None
Labels:
- authentication
- ed25519

Description

As discussed on this thread:
https://mariadb.org/history-of-mysql-mariadb-authentication-protocols/#comment-48934

.. there is no existing downgrade protection on the client that could prevent a compromised server from forcing the client down to simple password auth and thereby stealing the long-term credentials.

This defeats one of the stated goals:
"With the goal that not the traffic sniffing, not the mysql.user table, not both together, not even a fully compromised server would be able to recover the password"

A compromised server can downgrade the auth to simple password and thereby recover it on next client authentication.

Attachments

Issue Links

relates to

CONCPP-75 Restrict authentication plugin list by option

Open

CONJ-872 Restrict authentication plugin list by option

Closed

CONJS-166 Restrict authentication plugin list by option

Closed

R2DBC-23 Restrict authentication plugin list by option

Closed

Activity

People

Assignee:: Georg Richter

Reporter:: Kenny Simpson

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 2018-05-23 04:22

Updated:: 2021-09-14 05:11

Resolved:: 2021-09-14 04:33

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.