Mark Matthews wrote:
[ ... ]
> Mike Moran wrote:
>>I've been looking into what algorithm MySQL 4.1.7 uses for password
>>hashing/encryption, with a view to ascertaining how secure it is. Does
>>it conform to any combinations of published Specs e.g. MD5/SHA-1/etc?
[ ... ]
> MySQL-4.1.7 uses SHA-1. The code you're looking at is for MySQL-4.0 and
> older. See MysqlIO.secureAuth411(), which also happens to have the
> entire algorithm in a comment block ;)
Ta for that (and also the SciBit person). I think I understand what is
going on here, going by the doc comment you mention. However, I'm unsure
why the password is being hashed twice i.e. why is hash_stage2 needed? I
suppose it doesn't hurt, but I'm just curious. Also, I take it from this
that the authentication algorithm/protocol used is MySQL-specific?
Incidentally, I notice Security#scramble411() uses getBytes() without
specifying a character set. As far as I understand it, because
getBytes() uses the default platform character set, this will give a
different scramble value on different Java platforms when you use
characters outside the small range which is encoded the same in multiple
character sets e.g. if you use a non-ASCII password. I haven't
double-checked this; I just noticed it in passing.