# Connecting via caching\_sha2\_password

## Overview

Caching `SHA256` first sends an `SHA256`-encrypted password. MySQL server has an in-memory cache of `SHA256` key for successful authentication. When a cache hit occurs, the connection is validated, if not, using some more steps to a process similar to [sha256\_password](/docs/server/reference/clientserver-protocol/1-connecting/sha256_password-plugin.md).

Caching SHA256 authentication possible exchanges:

* Client sends an [SHA-2 encrypted password](#sha-2-encrypted-password).
* Server result is either [OK\_Packet](/docs/server/reference/clientserver-protocol/4-server-response-packets/ok_packet.md) , [ERR\_Packet](/docs/server/reference/clientserver-protocol/4-server-response-packets/err_packet.md), or ["fast" authentication result](#fast-authentication-result).
* If fast authentication result:
  * If connection uses SSL ([SSLRequest](/docs/server/reference/clientserver-protocol/1-connecting/connection.md#sslrequest-packet) Packet sent):
    * Client sends a [clear password answer](#client-clear-password-answer).
  * Else:
    * If client doesn't know server RSA public key:
      * Client sends a [public key request](#public-key-request).
      * Server sends a [public key response](#public-key-response).
    * Client sends an [RSA encrypted password](#rsa-encrypted-password).
    * Ends with server sending either [OK\_Packet](/docs/server/reference/clientserver-protocol/4-server-response-packets/ok_packet.md) , [ERR\_Packet](/docs/server/reference/clientserver-protocol/4-server-response-packets/err_packet.md).

## Authentication

### SHA-2 Encrypted Password

Encryption is `XOR`(`SHA256`(password), `SHA256`(seed, `SHA256`(`SHA256`(password)))).

* [byte<32>](/docs/server/reference/clientserver-protocol/protocol-data-types.md#fixed-length-bytes) encrypted password.

### "Fast" Authentication Result

Result of fast authentication.

* [byte\<lenenc>](/docs/server/reference/clientserver-protocol/protocol-data-types.md#length-encoded-bytes) authentication result.

`0x03` value means success authentication.\
`0x04` value means continue.

### Client Clear Password Answer

* [string\<NUL>](/docs/server/reference/clientserver-protocol/protocol-data-types.md#null-terminated-strings) password without encryption.

### Public Key Request

{% hint style="warning" %}
Value send is not `0x01` like sha256\_password use, but `0x02`.
{% endhint %}

* [byte<1>](/docs/server/reference/clientserver-protocol/protocol-data-types.md#fixed-length-bytes) fixed 0x02 value.

### Public Key Response

* [byte<1>](/docs/server/reference/clientserver-protocol/protocol-data-types.md#fixed-length-bytes) fixed 0x01 value.
* [byte\<EOF>](/docs/server/reference/clientserver-protocol/protocol-data-types.md#end-of-file-length-bytes) public key data.

### RSA Encrypted Password

* [byte<256>](/docs/server/reference/clientserver-protocol/protocol-data-types.md#fixed-length-bytes) RSA encrypted password.

RSA encrypted value of `XOR` (password, seed) using server public key (`RSA_PKCS1_OAEP_PADDING`).

<sub>*This page is licensed: CC BY-SA / Gnu FDL*</sub>

{% @marketo/form formId="4316" %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://mariadb.com/docs/server/reference/clientserver-protocol/1-connecting/caching_sha2_password-authentication-plugin.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.