Type: New Feature
Priority: Critical
Resolution: Fixed
New auth plugin:
uses KDF (try to use what openssl provides)
salted
uses server- and client-side scrambles
set as default auth plugin
ed25519 based? (or try to use what openssl provides)
support old hashes?
reduce roundtrips:
set as default (MDEV-12320)
allow clients to provide the salt (--plugin-salt=XXX)
if it's incorrect — connection fails.
PASSWORD() returns the salt in a Note
Password generation and storage
the KDF is PBKDF2 (supported everywhere, including Windows native APIs, Java, JavaScript, PHP and .NET)
the PBKDF2 parameters are stored with the authentication plugin data: hash function (SHA512 or SHA256), iteration count, salt and key_length, together with the derived key = PBKDF2(func, password, salt, iteration_count, key_length)
the number of iterations is a power of 2 whose exponent is greater than 9 (i.e. at least 1024)
the signature algorithm is ed25519; the stored "hash" is the ed25519 public key whose secret key is derived from PBKDF2(password)
The authentication string stored by the server is
concat('P', conv(log2(iterations)-10, 10, 62), ':', base64(salt), ':', base64(hash))
e.g. P0:WW9sXaaL/o:vubFBzIrapbfHct1/J72dnUryz5VS7lA6XHH8sIx4TI
It consists of colon-separated fields:
the first field is 'P' (denoting the KDF algorithm, PBKDF2) followed by the iteration count, where '0' means 1024, '1' means 2048, etc.
then the salt
then the password hash
Let's call everything except the password hash the ext-salt; in the example above it is P0:WW9sXaaL/o
Login process, packet exchange
1. Server sends the welcome packet with a 32-byte random scramble
2. If the ext-salt was specified in the .my.cnf, the client skips to step 4; otherwise it sends the user name (and nothing else) to the server
3. Server sends the ext-salt to the client
4. Client sends the random 32-byte scramble, and the concat(server scramble, client scramble) ed25519-signed by a secret key generated from the PBKDF2(password, ext-salt)
5. Server replies with "ok" or "access denied"
Rough idea
the KDF is PBKDF2 (supported everywhere, including Windows native APIs, Java, JavaScript, PHP and .NET)
the PBKDF2 parameters are stored with the authentication plugin data: hash function (SHA512 or SHA256), iteration count, salt and key_length, together with the derived key = PBKDF2(func, password, salt, iteration_count, key_length)
Login process, packet exchange
1. Server sends a ServerPluginParameters message with hash function, iteration count, salt and key_length.
This is the only unencrypted message during entire exchange
2. Client computes the derived key from the password and the parameters:
derived_key= PBKDF2(hash_func, password, salt, iteration_count, key_length)
Client sends ServerVerificationChallenge = AES_ENCRYPT(client_scramble,derived_key) to server
3. server decrypts ServerVerificationChallenge and sends
ServerVerificationResponse = AES_ENCRYPT(concat(server_scramble, client_scramble), derived_key)
4. Client verifies that AES_DECRYPT(ServerVerificationResponse, derived_key) = concat(server_scramble, client_scramble).
If they don't match, the client could not verify the server and an error is reported.
Client still has to prove it has the password, not just the derived key
So it sends
ClientEncryptedPassword message = AES_ENCRYPT(concat(hash_func(password), server_scramble, client_scramble), derived_key)
5. Server verifies the client
a) tmp = AES_DECRYPT(ClientEncryptedPassword, derived_key)
b) hashed_password = substr(tmp, 1, hash_length), i.e. the leading hash_func(password) part of tmp
c) derived_key2 = PBKDF2(hash_func, hashed_password, salt, iteration_count, key_length)
and compares derived_key and derived_key2 for equality (due to the HMAC collision property of PBKDF2, password and hash_func(password) produce the same key; this relies on HMAC pre-hashing any key longer than the hash's block size, so it only holds for passwords longer than that block size)
Server sends OK or ERR packet