-
Notifications
You must be signed in to change notification settings - Fork 84
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Authentication protocol client_ed25519 #138
Comments
@daniel-pfeiffer, Hi.
This is because the
If you'll be able to implement this please consider filing a PR — it's not always possible to put time and effort in features I'm not personally interested in, so the only way for the library to evolve comprehensively is the community contributions |
@blackbeam Hi Anatoly, thanks for the pointers! Since no crypto expert stepped in, I’ll look at this. In packets/mod.rs you use the 3 More confusing: matching the latter there is a similar named file kind regards – Daniel |
We are reconsidering using this at all. Based on this well founded answer, with our security experts, we have done some experiments. It seems that MariaDB took a good signature algorithm, and misapplied it to passwords. Since these are usually low entropy, that’s a bad fit. Anybody capturing the password storage, can hope to crack them too easily, as they are stored unsalted. We have asked MariaDB to justify this. Let’s see, if they manage to convince us that they do know what they are doing. Update: They were already aware of these concerns, and are working on a new auth plugin. |
@daniel-pfeiffer Have you put any meaningful effort into implementing this already? I might take a shot at implementing this and creating a PR, although I am by no means an expert on cryptography. Even though MariaDB is moving to PARSEC now, it might be nice to have this functionality in the crate for completeness. |
Hi CraiOn,
there seem to be 2 lines of thought: implement it anyway because the
auditor (vaguely heard about it and thus) said we should. Or ignore it,
because it's not fit for purpose. I adhere to the latter, and hope this
whole thing will be buried quietly.
…-----Original-Nachricht-----
Betreff: Re: [blackbeam/rust_mysql_common] Authentication protocol
client_ed25519 (Issue #138)
Datum: 2024-09-03T13:35:31+0200
Von: "crai0n" ***@***.***>
An: "blackbeam/rust_mysql_common" ***@***.***>
@daniel-pfeiffer <https://github.com/daniel-pfeiffer> Have you put any
meaningful effort into implementing this already? I might take a shot at
implementing this and creating a PR, although I am by no means an expert on
cryptography.
Even though MariaDB is moving to PARSEC now, it might be nice to have this
functionality in the crate for completeness.
—
Reply to this email directly, view it on GitHub
<#138 (comment)>
, or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ACITTVBNKHK55S32PKWQZ4DZUWMODAVCNFSM6AAAAABIWKX3S6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDGMRWGI4DENJQGU>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
[ { ***@***.***": "http://schema.org", ***@***.***": "EmailMessage",
"potentialAction": { ***@***.***": "ViewAction", "target":
"#138 (comment)",
"url":
"#138 (comment)",
"name": "View Issue" }, "description": "View this Issue on GitHub",
"publisher": { ***@***.***": "Organization", "name": "GitHub", "url":
"https://github.com" } } ]
|
MariaDB seems to have reacted to this criticism by introducing the PARSEC plugin. It looks like a version 2 renamed ed25519 plugin. I don’t know if that is secure, but at least it fixes the worst security sin of unsalted password storage and transmission. It’s been six weeks (or more? 11.6.1 only internal?) since PARSEC stabilisation with 11.6.2. Yet MariaDB don’t seem to be transparent about this. The ed25519 plugin documentation still doesn’t even mention its shortcomings, leave alone announce whether it will be deprecated. Nor does it mention PARSEC as a successor (other than it being mechanically listed in the sidebar.) Their Pluggable Authentication Overview also has nothing to say about PARSEC yet. So far only the PARSEC page claims that it is the future, leaving everyone to discover it by chance. |
Our DBAs are (due to PCI/DSS compliance) switching to this password scheme. When connecting to such a server with crate
mysql
I getI see
ed25519_dalek
and underlyingcurve25519-dalek
are separate crates, but I don’t know how to tie them in. I hope this isn’t meant to say that’s currently impossible:What needs to be done?
The text was updated successfully, but these errors were encountered: