Skip to content

Security concerns with existing password implementation for the Server #1037

Open
@gdsmith

Description

@gdsmith

I was looking to implement a version of the CredentialProvider for a MySQL proxy. I was trying to understand how to store the password so I could return what was expected. Looking at how the password is used during authentication it is required that the server gets the password in plain text, therefore it is required for the CredentialProvider to be able to provide the password in plain text.

I believe this is a big security issue in the code that can be easily avoided if you correctly follow the MySQL implementations.

As an example, if you look at how this is implemented for the mysql_native_password in MySQL proper you will see that they rather use the salt/seed to encrypt the hash_stage1 and then generate the hash_stage2 from that for comparison with what is stored on the server.

  SERVER:  public_seed=generate_user_salt()
           send(public_seed)

  CLIENT:  recv(public_seed)
           hash_stage1=sha1("password")
           hash_stage2=sha1(hash_stage1)
           reply=xor(hash_stage1, sha1(public_seed,hash_stage2)

           // this three steps are done in scramble()

           send(reply)


  SERVER:  recv(reply)
           hash_stage1=xor(reply, sha1(public_seed,hash_stage2))
           candidate_hash2=sha1(hash_stage1)
           check(candidate_hash2==hash_stage2)

The reason for doing this is so the actual password does not need to be stored anywhere on the server, you just need to store the hash_stage2 of the password.

Metadata

Metadata

Assignees

Labels

No labels
No labels

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions