Authentication Plugin - PARSEC

MariaDB starting with 11.6

The PARSEC Authentication Plugin was introduced in MariaDB 11.6. It is intended to be the default from MariaDB 11.7.

The PARSEC (Password Authentication using Response Signed with Elliptic Curve) authentication plugin uses salted passwords, key derivation, extensible password storage format, and both server- and client-side scrambles.

It signs the response with ed25519, but it uses stock unmodified ed25519 as provided by OpenSSL/WolfSSL/GnuTLS.

Description

  • the KDF function is pbkdf2 (supported by everything, including windows native, Java, javascript, PHP, .NET
  • parameters to the pbkdf2 are stored in with authentication plugin data : hash function (SHA512,SHA256), iteration count, salt, key_length, together with derived key = PBKDF2(func, password, salt, iteration_count, key_length)
  • number of iterations is a power of 2, greater than 9
  • the algorithm is ed25519, "hash" is the public key generated using ed25519 from the PBKDF2(password)

The authentication string, stored by the server, is

concat('P', conv(log2(iterations)-10, 10, 62), ':', base64(salt), ':', base64(hash))

for example {{P0:WW9sXaaL/o:vubFBzIrapbfHct1/J72dnUryz5VS7lA6XHH8sIx4TI}}

  • it consists of colon-separated fields
  • first field is 'P' (denotes KDF algorithm = PBKDF2) and the number of iterations, '0' means 1024, '1' means 2048, etc
  • then salt
  • then the password hash

Login Process, Packet Exchange

  1. Server sends the welcome packet with a 32-byte random scramble
  2. If the ext-salt was specified in the .my.cnf, the client skips to step 4, otherwise it sends the user name (and nothing else) to the server
  3. Server sends the ext-salt to the client
  4. Client sends the random 32-byte scramble, and the concat(server scramble, client scramble) ed25519-signed by a secret key generated from the PBKDF2(password, ext-salt)
  5. Server replies with "ok" or "acces denied" {panel}

Installing

install soname 'auth_parsec'; 

Example

create user test1@'%' identified via parsec using PASSWORD('pwd');

Comments

Comments loading...
Content reproduced on this site is the property of its respective owners, and this content is not reviewed in advance by MariaDB. The views, information and opinions expressed by this content do not necessarily represent those of MariaDB or any other party.