How secure is authentication in mysql protocol?

Question

My users are using MS Access and ODBC connector to connect to my remote MySQL database. I wonder how secure this is, in the sense of possible password disclosure to 3rd party. Is the mysql protocol authentication safe to eavesdropping or even man-in-the-middle attacks? I would be quite happy with safety against eavesdropping. Note that my concern is only authentication, I'm not concerned about data disclosure.

Please don't reply that I should use SSL. I know this would be ideal however the setup doesn't seem very simple. Anyway, I would like to know what is the safety level of plain mysql protocol.

Recommended answer

What is it that you want to be "safe to eavesdropping or even man-in-the-middle attacks"? Your password, or your data?

The title of your question refers specifically to authentication. MySQL does a reasonable job of protecting your password from eavesdroppers (it is not sent plaintext, and the use of a nonce defeats replay attacks). Citing MySQL protocol internals:

MySQL 4.1 and later

Remember that mysql.user.Password stores SHA1(SHA1(password))

  • The server sends a random string (scramble) to the client
  • the client calculates:
    • stage1_hash = SHA1(password), using the password that the user has entered.
    • token = SHA1(scramble + SHA1(stage1_hash)) XOR stage1_hash
  • the server calculates:
    • stage1_hash' = token XOR SHA1(scramble + mysql.user.Password)

(Note SHA1(A+B) is the SHA1 of the concatenation of A with B.)

This protocol fixes the flaw of the old one, neither snooping on the wire nor mysql.user.Password are sufficient for a successful connection. But when one has both mysql.user.Password and the intercepted data on the wire, he has enough information to connect.

However, authenticated sessions continue in plaintext: an eavesdropper will be able to see all queries and results; and a MITM would be able to make alterations to the same. As stated in the manual:

By default, MySQL uses unencrypted connections between the client and the server. This means that someone with access to the network could watch all your traffic and look at the data being sent or received. They could even change the data while it is in transit between client and server.

Whilst you may not like the answer, SSL is the tool designed to defeat both data eavesdropping (how else can the communications be encrypted?) and MITM attacks (how else can either party verify that its peer is who it thinks it is?). Indeed, if the mysql client-server protocol alone defeated these threats then there would be no reason to use mysql over SSL (and thus it would be unlikely to be a supported configuration).
