An attack on MySQL's login protocol

Ivan Arce; Emiliano Kargieman; Gerardo Richarte; Carlos Sarraute,; Ariel Waissbein (CoreLabs; Core Security Technologies)

arXiv:1006.2411·cs.CR·June 15, 2010

An attack on MySQL's login protocol

Ivan Arce, Emiliano Kargieman, Gerardo Richarte, Carlos Sarraute,, Ariel Waissbein (CoreLabs, Core Security Technologies)

PDF

Open Access

TL;DR

This paper demonstrates that MySQL's challenge-response login protocol is insecure, allowing eavesdroppers to impersonate users after minimal observation, and discusses implications and statistical findings.

Contribution

It presents a practical attack on MySQL's authentication protocol, revealing its vulnerabilities and analyzing potential implementation issues.

Findings

01

Eavesdroppers can impersonate users after observing a few protocol executions.

02

The attack algorithm is detailed and proven effective.

03

Statistical analysis supports the attack's feasibility.

Abstract

The MySQL challenge-and-response authentication protocol is proved insecure. We show how can an eavesdropper impersonate a valid user after witnessing only a few executions of this protocol. The algorithm of the underlying attack is presented. Finally we comment about implementations and statistical results.

Peer Reviews

No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.

Videos

No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.

Taxonomy

TopicsCryptography and Data Security · Spam and Phishing Detection · User Authentication and Security Systems