Connecting via caching_sha2_password

Overview

Caching SHA256 first sends an SHA256-encrypted password. MySQL server has an in-memory cache of SHA256 key for successful authentication. When a cache hit occurs, the connection is validated, if not, using some more steps to a process similar to sha256_password.

Caching SHA256 authentication possible exchanges:

• Client sends an SHA-2 encrypted password.

• Server result is either OK_Packet , ERR_Packet, or "fast" authentication result.

• If fast authentication result:

  • If connection uses SSL (SSLRequest Packet sent):

    • Client sends a clear password answer.

  • Else:

    • If client doesn't know server RSA public key:

      • Client sends a public key request.

      • Server sends a public key response.

    • Client sends an RSA encrypted password.

    • Ends with server sending either OK_Packet , ERR_Packet.

Authentication

SHA-2 Encrypted Password

Encryption is XOR(SHA256(password), SHA256(seed, SHA256(SHA256(password)))).

• byte<32> encrypted password.

"Fast" Authentication Result

Result of fast authentication.

• byte<lenenc> authentication result.

0x03 value means success authentication. 0x04 value means continue.

Client Clear Password Answer

• string<NUL> password without encryption.

Public Key Request

• byte<1> fixed 0x02 value.

Public Key Response

• byte<1> fixed 0x01 value.

• byte<EOF> public key data.

RSA Encrypted Password

• byte<256> RSA encrypted password.

RSA encrypted value of XOR (password, seed) using server public key (RSA_PKCS1_OAEP_PADDING).

_{This page is licensed: CC BY-SA / Gnu FDL}