See also: http://forge.mysql.com/wiki/MySQL_Internals_ClientServer_Protocol#Password_functions
Roughly paraphrased, it says the following:
Before version 4.0
1. The server sends a random string (scramble_buff) to the client.
2. The client hashes the user's plaintext password, then encrypts that hash together with the server's random string to produce a new scramble_buff (see sql/password.c:scramble()).
3. The client sends the encrypted scramble_buff value to the server.
4. The server encrypts the mysql.user.Password value together with the original random string.
5. The server compares its own encrypted result with the encrypted scramble_buff sent by the client.
6. If they are the same, verification succeeds.
This is basically a challenge-response mechanism. But note: the real password here is the hash of the plaintext password. If someone knows a user's mysql.user.Password value (without having to know the original plaintext password), he can log on to the server directly.
Version 4.1 and later
From 4.1 on, the password saved in the database is hashed twice with SHA1: SHA1(SHA1(password))
1. The server sends a random string (scramble) to the client.
2. The client makes the following calculation:
stage1_hash = SHA1(plaintext password)
token = SHA1(scramble + SHA1(stage1_hash)) XOR stage1_hash
3. The client sends token to the server.
4. The server calculates as follows:
stage1_hash = token XOR SHA1(scramble + mysql.user.Password)
5. The server compares SHA1(stage1_hash) with mysql.user.Password; if they match, authentication succeeds.
Note: SHA1(a+b) means SHA1 of string a concatenated with string b.
This scheme does not have the flaw of the previous version. With only mysql.user.Password and the scramble, you cannot compute the token, because you cannot obtain stage1_hash.
But if someone has this user's mysql.user.Password and also intercepts one complete authentication exchange on the network, he can work back from the intercepted token and scramble to the stage1_hash value. And because stage1_hash never changes, on the next connection he can take the new scramble, compute his own token, send it to the server, and be authenticated.
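The 4.1 calculation above can be followed step by step in the sketch below. It is an added example, not code from the MySQL source or from the original post; the function names, the sample password and the use of os.urandom for the scramble are assumptions made for illustration.

```python
import hashlib
import hmac
import os


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def stored_hash(password: str) -> bytes:
    """Value kept in mysql.user.Password: SHA1(SHA1(password)), as raw bytes."""
    return sha1(sha1(password.encode()))


def client_token(password: str, scramble: bytes) -> bytes:
    """Step 2: token = SHA1(scramble + SHA1(stage1_hash)) XOR stage1_hash."""
    stage1_hash = sha1(password.encode())
    return xor(sha1(scramble + sha1(stage1_hash)), stage1_hash)


def server_recover_stage1(token: bytes, scramble: bytes, stored: bytes) -> bytes:
    """Step 4: stage1_hash = token XOR SHA1(scramble + mysql.user.Password)."""
    return xor(token, sha1(scramble + stored))


def server_verify(token: bytes, scramble: bytes, stored: bytes) -> bool:
    """Step 5: accept if SHA1(recovered stage1_hash) equals the stored value."""
    if len(token) != 20:  # a SHA1-sized token is required
        return False
    candidate = sha1(server_recover_stage1(token, scramble, stored))
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    password = "s3cret-example"        # constructed sample value
    stored = stored_hash(password)     # what the server keeps
    scramble = os.urandom(20)          # per-connection challenge (assumed random bytes)
    token = client_token(password, scramble)
    print("login accepted:", server_verify(token, scramble, stored))
    # Step 4 yields stage1_hash itself. It is the same on every connection,
    # so the stored hash plus one observed exchange is password-equivalent.
    stage1 = server_recover_stage1(token, scramble, stored)
    print("stage1_hash is SHA1(password):", stage1 == sha1(password.encode()))
```

Only the scramble changes between connections; the value the server derives in step 4 does not.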
Finally, here is a capture of a 5.1 authentication exchange; pay attention to the parts marked in red:
Server > 127.0.0.1.49130:handshake
127.0.0.1.49130 > Server:handshake (New auth)
- Server > 127.0.0.1.49130:handshake <proto ver 5.1.41-3ubuntu12.6 thd, Scramble 1egu9\aq8_uni_ ' @l<*y >
- 127.0.0.1.49130 > Server:handshake (new auth) <user root db (null) token 6D2C7025C412B997788525B19A5167C89DAFCBE MA X PKT 16777216>
- Server > 127.0.0.1.49130:ok <fields 0 Affected rows 0 Insert ID 0 warnings 0>