This is a read-only copy of the MariaDB Knowledgebase generated on 2024-12-22. For the latest, interactive version please visit https://mariadb.com/kb/.

Authentication Plugin - PARSEC

MariaDB starting with 11.6

The PARSEC Authentication Plugin was introduced in MariaDB 11.6. It is intended to be the default in a future release.

The PARSEC (Password Authentication using Response Signed with Elliptic Curve) authentication plugin uses salted passwords, key derivation, extensible password storage format, and both server- and client-side scrambles.

It signs the response with ed25519, but it uses stock unmodified ed25519 as provided by OpenSSL/WolfSSL/GnuTLS.

Description

  • the KDF function is pbkdf2 (supported by everything, including windows native, Java, javascript, PHP, .NET
  • parameters to the pbkdf2 are stored in with authentication plugin data : hash function (SHA512,SHA256), iteration count, salt, key_length, together with derived key = PBKDF2(func, password, salt, iteration_count, key_length)
  • number of iterations is a power of 2, greater than 9
  • the algorithm is ed25519, "hash" is the public key generated using ed25519 from the PBKDF2(password)

The authentication string, stored by the server, is

concat('P', conv(log2(iterations)-10, 10, 62), ':', base64(salt), ':', base64(hash))

for example P0:WW9sXaaL/o:vubFBzIrapbfHct1/J72dnUryz5VS7lA6XHH8sIx4TI

  • it consists of colon-separated fields
  • first field is 'P' (denotes KDF algorithm = PBKDF2) and the number of iterations, '0' means 1024, '1' means 2048, etc
  • then salt
  • then the password hash

first two fields together are called below ext-salt, extended salt.

Login Process, Packet Exchange

  1. Server sends the welcome packet with a 32-byte random scramble
  2. Client sends the user name (and nothing else) to the server
  3. Server sends the ext-salt to the client
  4. Client sends the random 32-byte scramble, and the concat(server scramble, client scramble) ed25519-signed by a secret key generated from the PBKDF2(password, ext-salt)
  5. Server replies with "ok" or "acces denied" {panel}

Installing

install soname 'auth_parsec'; 

Example

create user test1@'%' identified via parsec using PASSWORD('pwd');
Content reproduced on this site is the property of its respective owners, and this content is not reviewed in advance by MariaDB. The views, information and opinions expressed by this content do not necessarily represent those of MariaDB or any other party.