Uploaded image for project: 'Qt'
  1. Qt
  2. QTBUG-119499

Document QMessageAuthenticationCode using HMAC

    XMLWordPrintable

Details

    • Bug
    • Resolution: Fixed
    • P3: Somewhat important
    • 6.5.4, 6.6.2, 6.7.0 FF
    • 6.6.1
    • Documentation
    • None
    • 21eeef83f (dev), ac0e037f9 (6.6), b7d849b57 (tqtc/lts-6.5)

    Description

      From a security report:

      Moreover, it was found that the documentation for the QMesssageAuthenticationCode class [...] does not list the type of MAC algorithm used. Looking at the padding bytes used in the implementation, 0x36 and 0x5c, it can be assumed that the secure HMAC algorithm is used. Hence, the algorithm is not susceptible to length extension attacks, as was mentioned in the interview. However, this is not mentioned in the documentation, which may lead developers to believe that the algorithm is unsafe to use with hash functions, which rely on the Merkle-Damgård construction.

      The class documentation says 'hash-based message authentication code' though, which is - according to wikipedia - one valid expanded version of HMAC..

      But it might be good to include the word 'HMAC" nevertheless, for clarity and SEO purposes?

      Attachments

        No reviews matched the request. Check your Options in the drop-down menu of this sections header.

        Activity

          People

            docteam Qt Documentation Team
            kkohne Kai Köhne
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Gerrit Reviews

                There are no open Gerrit changes