Hi Eric,
The server sends a 20-byte scramble with the first handshake packet
(con->scramble in the code below). The client then does the following
with the plaintext password (con->password):
/* First hash the password. */
SHA1Init(&ctx);
SHA1Update(&ctx, (uint8_t *)(con->password), strlen(con->password));
SHA1Final(hash_tmp1, &ctx);
/* Second, hash the password hash. */
SHA1Init(&ctx);
SHA1Update(&ctx, hash_tmp1, SHA1_DIGEST_LENGTH);
SHA1Final(hash_tmp2, &ctx);
/* Third, hash the scramble and the double password hash. */
SHA1Init(&ctx);
SHA1Update(&ctx, con->scramble, SHA1_DIGEST_LENGTH);
SHA1Update(&ctx, hash_tmp2, SHA1_DIGEST_LENGTH);
SHA1Final(buffer, &ctx);
/* Fourth, xor the last hash against the first password hash. */
for (x= 0; x < SHA1_DIGEST_LENGTH; x++)
buffer[x]= buffer[x] ^ hash_tmp1[x];
The 'buffer' is then sent back to the server for verification using
the stored password hash and the same scramble the server sent to
the client.
-Eric
On Tue, May 19, 2009 at 11:20:56AM -0700, zǝıɹɟǝp ɔıɹǝ wrote:
> can someone explain to me how mysql user authentication happens over
> the network? i've seen
> http://dev.mysql.com/doc/refman/5.1/en/password-hashing.html but i'm
> wondering more about key exchange, CRAM, etc, SSL aside. given the
> password hash (as stored in the mysql.user table) and the ability to
> sniff a successful authentication (but not the ability to spoof
> DNS/hijack the connection) how computationally difficult is it to
> compute the password or successfully impersonate the user to mysql?
>
> thanks,
> eric
>
> --
> MySQL Internals Mailing List
> For list archives: http://lists.mysql.com/internals
> To unsubscribe: http://lists.mysql.com/internals?unsub=1
