Description:
Challenge and respond that uses public key digital signature can be used as a mean for authentication. In situations where system administrators need to conduct DBA related activities, they can use this authentication to replace password as it's to a degree immune to keyloggers except for keyloggers that also get data from clipboard that's.
How to repeat:
Similar to description.
Suggested fix:
Challenge and respond with digital signature typically works like the following.
1. Client generates a digital signature keypair.
2. Client sends digital signature keypair's public key to the server during sign up.
3. Server generates a public disclosable random data called challenge that's at least 128 bits in length.
4. Client gets the challenge from server.
5. Client signs the challenge with digital signature keypair's private key.
6. Client sends the signed challenge to the server.
7. Server do signature verification with the submitted client's public key on the signed challenge. (If success, authentication succeeded, else fails.)
I do know that there're some plugins which takes passwords and did the similar thing like the steps stated above though it typically involves KDF in cryptography. However, I am requesting that this feature as these plugins that use kdf on passwords may not seem to be fit or suitable in certain cases.
Libsodium is an open source and security audited cryptography library. It provides Curve25519 which has both ED25519 and X25519 but in this case, only ED25519 was needed along with its CRNG.
What can MySQL devs do is the following. (Follow by order as it's important)
1. Allows creation of account that uses public key as authentication.
2. When such specific account needs to login, "void randombytes_buf(void * const buf, const size_t size);" from libsodium can be used to generate challenge. It might be best that this challenge has a valid time duration but from my experience, the challenge valid for 7-8 minutes should be acceptable. (There may have many ways to store the challenge and I think it might be best to have another mysql table created just for this purpose.)
3. Such challenge were then display to the client.
4. Client gets this challenge and signs it with their private key.
5. This signed challenge were then submitted by client to the server for signature verification purpose (needs to use "int crypto_sign_open(unsigned char *m, unsigned long long *mlen_p,
const unsigned char *sm, unsigned long long smlen,
const unsigned char *pk);" from libsodium).
This is my feature request and I think that having this option enabled though the main problem is the privilege problem of a DBA. It can help to secure a lot of databases out there as it provides another mean of secure authentication.
Description: Challenge and respond that uses public key digital signature can be used as a mean for authentication. In situations where system administrators need to conduct DBA related activities, they can use this authentication to replace password as it's to a degree immune to keyloggers except for keyloggers that also get data from clipboard that's. How to repeat: Similar to description. Suggested fix: Challenge and respond with digital signature typically works like the following. 1. Client generates a digital signature keypair. 2. Client sends digital signature keypair's public key to the server during sign up. 3. Server generates a public disclosable random data called challenge that's at least 128 bits in length. 4. Client gets the challenge from server. 5. Client signs the challenge with digital signature keypair's private key. 6. Client sends the signed challenge to the server. 7. Server do signature verification with the submitted client's public key on the signed challenge. (If success, authentication succeeded, else fails.) I do know that there're some plugins which takes passwords and did the similar thing like the steps stated above though it typically involves KDF in cryptography. However, I am requesting that this feature as these plugins that use kdf on passwords may not seem to be fit or suitable in certain cases. Libsodium is an open source and security audited cryptography library. It provides Curve25519 which has both ED25519 and X25519 but in this case, only ED25519 was needed along with its CRNG. What can MySQL devs do is the following. (Follow by order as it's important) 1. Allows creation of account that uses public key as authentication. 2. When such specific account needs to login, "void randombytes_buf(void * const buf, const size_t size);" from libsodium can be used to generate challenge. It might be best that this challenge has a valid time duration but from my experience, the challenge valid for 7-8 minutes should be acceptable. (There may have many ways to store the challenge and I think it might be best to have another mysql table created just for this purpose.) 3. Such challenge were then display to the client. 4. Client gets this challenge and signs it with their private key. 5. This signed challenge were then submitted by client to the server for signature verification purpose (needs to use "int crypto_sign_open(unsigned char *m, unsigned long long *mlen_p, const unsigned char *sm, unsigned long long smlen, const unsigned char *pk);" from libsodium). This is my feature request and I think that having this option enabled though the main problem is the privilege problem of a DBA. It can help to secure a lot of databases out there as it provides another mean of secure authentication.