Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-32618

new auth plugin

    XMLWordPrintable

Details

    Description

      New auth plugin:

      • uses KDF (try to use what openssl provides)
      • salted
      • uses server- and client-side scrambles
      • set as default auth plugin
      • ed25519 based? (or try to use what openssl provides)
      • support old hashes?

      reduce roundtrips:

      • set as default
      • allow clients to provide the salt (--plugin-salt=XXX)
        • if it's incorrect — connection fails.
        • PASSWORD() returns the salt in a Note

      Rough idea

      • the KDF function is pbkdf2 (supported by everything, including windows native, Java, javascript, PHP, .NET
      • parameters to the pbkdf2 are stored in with authentication plugin data : hash function (SHA512,SHA256), interation count, salt, key_length, together with derived key = PBKDF2(func, password, oalt, iteration_count, key_length)

      Login process, packet exchange

      1. Server sends ServerPluginParameters message with hash function, interation count, salt, key_length.
      This is the only unencrypted message during entire exchange

      2 . Client computes derived key from password and parameters:
      derived_key= PBKDF2(hash_func, password, salt, iteration_count, key_length)
      Client sends ServerVerificationChallenge = AES_ENCRYPT(client_scramble,derived_key) to server

      3. server decrypts ServerVerificationChallenge and sends

      ServerVerificationResponse = AES_ENCRYPT(concat(server_scramble,client_scramble)), derived_key))

      4. client verifies AES_DECRYPT(ServerVerificationResponse, derived_key) =concat(server_scramble,client_scramble).
      If they don't match, client could not verify the server, and error is reported.

      Client still has to prove it has the password, not just the derived key
      So it sends
      ClientEncryptedPassword message = AES_ENCRYPT(concat(hash_func(password),server_scramble,client_scramble)),derived_key)

      5. Server verifies the client
      a) tmp = AES_DECRYPT(ClientEncryptedPassword. derived_key)
      b) hashed_password=substr(tmp, hash_length)
      c) derived_key2 = PBKDF2(hash_func, hashed_password, salt, iteration_count, key_length)
      and compares derived_key and derived_key2 for equality, (due to the HMAC_collisions property of pbkdf2, password and hash_func(password) would produce the same keys)
      Server sends OK or ERR packet

      Attachments

        Activity

          People

            wlad Vladislav Vaintroub
            serg Sergei Golubchik
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

            Dates

              Created:
              Updated:

              Git Integration

                Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.