21

I have gone through the Android fingerprint sample provided by Google.

https://github.com/googlesamples/android-FingerprintDialog

As I am new to security standards, I am unable to understand the following.

  1. Why do we need to use Keystore, key, CryptoObject, etc.? It could simply ask the fingerprint manager to authenticate the user, and it could simply return the status (success/failed).
  2. Do I need to generate a new key every time, on each authentication?
Abhishek Jain
Ponsuyambu
  • 3
    "Simply It could be like, ask finger print manager to authenticate the user and it can simply return the status(success/failed)" -- see [the `authenticate()` method on `FingerprintManager`](https://developer.android.com/reference/android/hardware/fingerprint/FingerprintManager.html#authenticate(android.hardware.fingerprint.FingerprintManager.CryptoObject,%20android.os.CancellationSignal,%20int,%20android.hardware.fingerprint.FingerprintManager.AuthenticationCallback,%20android.os.Handler)). The `CryptoObject` can be `null`. – CommonsWare Sep 13 '16 at 12:30
  • Thanks, I am planning to use fingerprint authentication for my app. Is it still advisable to use key, keystore, etc.? Could you point me in the right direction to understand this concept? – Ponsuyambu Sep 14 '16 at 09:03
  • 1
    I recommend that you ask a separate Stack Overflow question, where you explain **in detail** what you want out of fingerprint authentication and what exactly you are trying to protect by it (API keys? user data? something else?), and ask there what facets of the fingerprint API would be best suited for your needs. – CommonsWare Sep 14 '16 at 11:33

3 Answers

15

> Why we need to use Keystore, key, CryptoObject... etc? Simply It could be like, ask finger print manager to authenticate the user and it can simply return the status(success/failed)

You don't have to. You can do fingerprint authentication without a CryptoObject; just pass a null value. Then you won't have to mess with the keystore and other stuff.

The only use of a CryptoObject in a Fingerprint Authentication context is to know if a new fingerprint was added since last time the user authenticated via fingerprint.

> Do I need to generate new key every time on each authentication?

If a new fingerprint is added, you will have to prompt a password to verify the user's identity and then generate new keys (because they became invalid when the new fingerprint was added).

Again, you won't have to mess with these if you pass a null CryptoObject.

A matter of point of view

Fingerprint authentication doesn't require a CryptoObject; in fact, it's quite the opposite.

When you perform cryptographic operations on Android, you can use one of these objects: Cipher, Signature, Mac (and others). Any one of these three can be used to build a CryptoObject.

When you generate keys for these objects, there is a method named `setUserAuthenticationRequired(boolean)` which makes the keys valid only if the user has authenticated via fingerprint before.

Thus, in the case of client/server communication for instance, if the client can use the keys, it means he authenticated via fingerprint and his identity is known.

That said, you might want to check my library, which makes the whole thing a lot easier:

https://github.com/OmarAflak/Fingerprint

Omar Aflak
  • 4
    _"The only use of a `CryptoObject` in the case of a Fingerprint Authentication is to know if a new fingerprint was added since last time the user authenticated via fingerprint."_ That's certainly not the only use. Just listening for `onAuthenticationSucceeded` and using that as a `true`/`false` condition for whether the user should be allowed to do something does not provide particularly strong security. – Michael Jun 12 '18 at 10:54
  • 1
    If you use a fingerprint-protected key to perform a cryptographic operation, such as creating a digital signature or decrypting some sensitive data, that's something that's a lot harder to bypass. – Michael Jun 12 '18 at 10:54
  • 1
    Downvoted because of this incorrect statement: _The only use of a CryptoObject in a Fingerprint Authentication context is to know if a new fingerprint was added since last time the user authenticated via fingerprint._ – Chad Bingham Jan 16 '19 at 22:27
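
The pattern discussed in this answer and its comments, as an added example (not code from the Google sample or from any answerer's library): the Keystore key is created once under an alias and reused, it is regenerated only after `KeyPermanentlyInvalidatedException`, and success means the fingerprint-gated `Cipher` actually completed an operation. It assumes API level 23+, the `USE_FINGERPRINT` permission and at least one enrolled fingerprint; `FingerprintGate`, the alias and `onResult` are hypothetical names.

```java
import android.hardware.fingerprint.FingerprintManager;
import android.os.CancellationSignal;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyPermanentlyInvalidatedException;
import android.security.keystore.KeyProperties;
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;

public abstract class FingerprintGate { // added example; all names here are hypothetical
    private static final String ALIAS = "example_fp_key";
    abstract void onResult(byte[] iv, byte[] ciphertext); // both null on failure

    void createKey() throws Exception { // first use, or after the old key was invalidated
        KeyGenerator kg = KeyGenerator.getInstance("AES", "AndroidKeyStore");
        kg.init(new KeyGenParameterSpec.Builder(ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_CBC)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7)
                .setUserAuthenticationRequired(true) // usable only after a fingerprint match
                .build());
        kg.generateKey();
    }

    Cipher initCipher() throws Exception { // null means: verify the user another way first
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        if (!ks.containsAlias(ALIAS)) createKey(); // created once, then reused by alias
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS7Padding");
        try {
            cipher.init(Cipher.ENCRYPT_MODE, ks.getKey(ALIAS, null));
            return cipher;
        } catch (KeyPermanentlyInvalidatedException e) { // e.g. a new fingerprint enrolled
            ks.deleteEntry(ALIAS);
            return null; // ask for the password, then call initCipher() again
        }
    }
    void authenticate(FingerprintManager fm, Cipher cipher, final byte[] secret) {
        fm.authenticate(new FingerprintManager.CryptoObject(cipher), new CancellationSignal(), 0,
                new FingerprintManager.AuthenticationCallback() {
            @Override
            public void onAuthenticationSucceeded(FingerprintManager.AuthenticationResult r) {
                try { // the keystore authorises this operation only after a real match
                    Cipher c = r.getCryptoObject().getCipher();
                    onResult(c.getIV(), c.doFinal(secret));
                } catch (Exception e) { onResult(null, null); }
            }
        }, null);
    }
}
```

`FingerprintManager` was deprecated in API level 28 in favour of `BiometricPrompt`, which takes a `CryptoObject` in the same way.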
6

> Why we need to use Keystore, key, CryptoObject... etc? Simply It could be like, ask finger print manager to authenticate the user and it can simply return the status(success/failed)

I thought the same thing when I first read about fingerprint for Android. Through my research, I think I can summarize the CryptoObject for you in plain English, which is what you are looking for, because technical descriptions do not help with understanding concepts:

The CryptoObject is created by a key in your Android keystore, which is inherently considered "secure" [1]. So passing in a CryptoObject to the fingerprint manager lets the manager have an anchor that confirms the fingerprint auth results were not tampered with, which is theoretically possible [2].

Think of it this way: if you pass in null, the fingerprint manager blindly trusts the results from a fingerprint match result. If you pass in a crypto object, which is created by a key that only your application can access because of the keystore, then the results coming back will probably have this CryptoObject, which only your app can successfully identify. Here is another quote that makes more common sense.

"The CryptoObject makes the process more secure because if that object is not backed by the KeyStore, it’s always going to fail." [3]

The picture in [4] link also gives you an idea.

[1] https://developer.android.com/training/articles/keystore

[2] https://docs.microsoft.com/en-us/xamarin/android/platform/fingerprint-authentication/creating-a-cryptoobject

[3] https://medium.com/@manuelvicnt/android-fingerprint-authentication-f8c7c76c50f8

[4] https://infinum.co/the-capsized-eight/android-fingerprint-security

Bqin1
1

The answer to one of your questions:

We will create a key with the alias and use the alias to retrieve the key. The alias is the key of the key. There will be a list of aliases stored for the app sandbox. It retrieves the key on subsequent attempts to generate the key with the same alias.

Isanaka
  • Can you explain this a bit more: `.There is a chance that third party can intercept the results returned by fingerprint scanner. Crypto object is used to encrypt the results returned by fingerprint scanner. ` – Yash Jun 02 '17 at 09:57
  • 2
    What you said about third party is **absolutely false**. Anyway, there is no data to be intercepted. From [Android Doc](https://source.android.com/security/authentication/fingerprint-hal) : `Thus, raw images and processed fingerprint features must not be passed in untrusted memory. All such biometric data needs to be secured within sensor hardware or trusted memory. (Memory inside the TEE is considered as trusted memory; memory outside the TEE is considered untrusted.)` – Omar Aflak Jul 11 '17 at 14:39