circle-info
Webinar | The Great Database Exodus: Navigating Strategic Risk in the Post-Oracle MySQL Era
Watch Nowarrow-up-right
search
Download MariaDBContact Us

Authentication Plugin - PARSEC

PARSEC is a modern, secure authentication plugin that uses salted passwords and elliptic curve cryptography to prevent replay attacks and secure user credentials.

circle-info

This plugin is available from MariaDB 11.6.

The PARSEC Authentication Plugin is intended to be the default in a future release.

The PARSEC (Password Authentication using Response Signed with Elliptic Curve) authentication plugin uses salted passwords, key derivation, extensible password storage format, and both server- and client-side scrambles.

It signs the response with ed25519, but it uses stock unmodified ed25519 as provided by OpenSSL/WolfSSL/GnuTLS.

hashtag
Description

  • The KDF function is pbkdf2 (supported by everything, including windows nativearrow-up-right, Java, javascript, PHP, .NET.

  • Parameters to the pbkdf2 are stored in with authentication plugin data : hash function (SHA512,SHA256), iteration count, salt, key_length, together with derived key = PBKDF2(func, password, salt, iteration_count, key_length).

  • The number of iterations is a power of 2, greater than 9.

  • The algorithm is ed25519, "hash" is the public key generated using ed25519 from the PBKDF2(password).

The authentication string, stored by the server, is this:

concat('P', conv(log2(iterations)-10, 10, 62), ':', base64(salt), ':', base64(hash))

For example, it looks like this: P0:WW9sXaaL/o:vubFBzIrapbfHct1/J72dnUryz5VS7lA6XHH8sIx4TI

  • It consists of colon-separated fields.

  • The first field is 'P' (denotes KDF algorithm = PBKDF2) and the number of iterations, '0' means 1024, '1' means 2048, etc.

  • This is followed by the salt.

  • This is followed by the password hash.

The first two fields together are called ext-salt, extended salt.

hashtag
Login Process, Packet Exchange

  1. The server sends an Authentication Switch Request with a 32-byte random scramble.

  2. The client sends an empty packet to the server to request the ext-salt.

  3. The server sends the ext-salt to the client.

  4. The client sends the random 32-byte scramble, and the concat(server scramble, client scramble) ed25519-signed by a secret key generated from the function PBKDF2(password, ext-salt).

  5. The server replies with "ok" or "access denied".

hashtag
Installing

If you run into the error ERROR 1524 (HY000): Plugin 'parsec' is not loaded it means you need to install the authentication plugin first. You can do it on a running server with:

There is no need to pass additional command-line options or have config files to keep the PARSEC authentication method available. Running the INSTALL SONAME once is enough and the MariaDB Server will remember it even if server is restarted or upgraded.

hashtag
Example

hashtag
Future

PARSEC is currently available in latest MariaDB versions, but not installed or used by default yetarrow-up-right. Once MDEV-12320arrow-up-right is implemented, MariaDB plans to start using PARSEC as the default password authentication method.

This page is licensed: CC BY-SA / Gnu FDL

spinner
PreviousAuthentication Plugin - Named PipeNextAuthentication Plugin - SHA-256

Last updated

Was this helpful?