The MySQL challenge-and-response authentication protocol is proved insecure.
We show how can an eavesdropper impersonate a valid user after witnessing only
a few executions of this protocol. The algorithm of the underlying attack is
presented. Finally we comment about implementations and statistical results.Comment: 15 pages, 3 figures. CoreLabs Technical Repor

Arce, Ivan

Kargieman, Emiliano

Richarte, Gerardo