> For the complete documentation index, see [llms.txt](https://mariadb.com/docs/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://mariadb.com/docs/server/reference/clientserver-protocol/1-connecting/caching_sha2_password-authentication-plugin.md).

# Connecting via caching\_sha2\_password

## Overview

Caching `SHA256` first sends an `SHA256`-encrypted password. MySQL server has an in-memory cache of `SHA256` key for successful authentication. When a cache hit occurs, the connection is validated, if not, using some more steps to a process similar to [sha256\_password](/docs/server/reference/clientserver-protocol/1-connecting/sha256_password-plugin.md).

Caching SHA256 authentication possible exchanges:

* Client sends an [SHA-2 encrypted password](#sha-2-encrypted-password).
* Server result is either [OK\_Packet](/docs/server/reference/clientserver-protocol/4-server-response-packets/ok_packet.md) , [ERR\_Packet](/docs/server/reference/clientserver-protocol/4-server-response-packets/err_packet.md), or ["fast" authentication result](#fast-authentication-result).
* If fast authentication result:
  * If connection uses SSL ([SSLRequest](/docs/server/reference/clientserver-protocol/1-connecting/connection.md#sslrequest-packet) Packet sent):
    * Client sends a [clear password answer](#client-clear-password-answer).
  * Else:
    * If client doesn't know server RSA public key:
      * Client sends a [public key request](#public-key-request).
      * Server sends a [public key response](#public-key-response).
    * Client sends an [RSA encrypted password](#rsa-encrypted-password).
    * Ends with server sending either [OK\_Packet](/docs/server/reference/clientserver-protocol/4-server-response-packets/ok_packet.md) , [ERR\_Packet](/docs/server/reference/clientserver-protocol/4-server-response-packets/err_packet.md).

## Authentication

### SHA-2 Encrypted Password

Encryption is `XOR`(`SHA256`(password), `SHA256`(seed, `SHA256`(`SHA256`(password)))).

* [byte<32>](/docs/server/reference/clientserver-protocol/protocol-data-types.md#fixed-length-bytes) encrypted password.

### "Fast" Authentication Result

Result of fast authentication.

* [byte\<lenenc>](/docs/server/reference/clientserver-protocol/protocol-data-types.md#length-encoded-bytes) authentication result.

`0x03` value means success authentication.\
`0x04` value means continue.

### Client Clear Password Answer

* [string\<NUL>](/docs/server/reference/clientserver-protocol/protocol-data-types.md#null-terminated-strings) password without encryption.

### Public Key Request

{% hint style="warning" %}
Value send is not `0x01` like sha256\_password use, but `0x02`.
{% endhint %}

* [byte<1>](/docs/server/reference/clientserver-protocol/protocol-data-types.md#fixed-length-bytes) fixed 0x02 value.

### Public Key Response

* [byte<1>](/docs/server/reference/clientserver-protocol/protocol-data-types.md#fixed-length-bytes) fixed 0x01 value.
* [byte\<EOF>](/docs/server/reference/clientserver-protocol/protocol-data-types.md#end-of-file-length-bytes) public key data.

### RSA Encrypted Password

* [byte<256>](/docs/server/reference/clientserver-protocol/protocol-data-types.md#fixed-length-bytes) RSA encrypted password.

RSA encrypted value of `XOR` (password, seed) using server public key (`RSA_PKCS1_OAEP_PADDING`).

<sub>*This page is licensed: CC BY-SA / Gnu FDL*</sub>

{% @marketo/form formId="4316" %}
