Authentication Plugin - PARSEC

The PARSEC (Password Authentication using Response Signed with Elliptic Curve) authentication plugin uses salted passwords, key derivation, extensible password storage format, and both server- and client-side scrambles.

It signs the response with ed25519, but it uses stock unmodified ed25519 as provided by OpenSSL/WolfSSL/GnuTLS.

Description

• the KDF function is pbkdf2 (supported by everything, including windows native, Java, javascript, PHP, .NET
• parameters to the pbkdf2 are stored in with authentication plugin data : hash function (SHA512,SHA256), iteration count, salt, key_length, together with derived key = PBKDF2(func, password, salt, iteration_count, key_length)
• number of iterations is a power of 2, greater than 9
• the algorithm is ed25519, "hash" is the public key generated using ed25519 from the PBKDF2(password)

The authentication string, stored by the server, is

concat('P', conv(log2(iterations)-10, 10, 62), ':', base64(salt), ':', base64(hash))

for example {{P0:WW9sXaaL/o:vubFBzIrapbfHct1/J72dnUryz5VS7lA6XHH8sIx4TI}}

• it consists of colon-separated fields
• first field is 'P' (denotes KDF algorithm = PBKDF2) and the number of iterations, '0' means 1024, '1' means 2048, etc
• then salt
• then the password hash

Login Process, Packet Exchange

1. Server sends the welcome packet with a 32-byte random scramble
2. If the ext-salt was specified in the .my.cnf, the client skips to step 4, otherwise it sends the user name (and nothing else) to the server
3. Server sends the ext-salt to the client
4. Client sends the random 32-byte scramble, and the concat(server scramble, client scramble) ed25519-signed by a secret key generated from the PBKDF2(password, ext-salt)
5. Server replies with "ok" or "acces denied" {panel}

Installing

install soname 'auth_parsec'; 

Example

create user test1@'%' identified via parsec using PASSWORD('pwd');