I am storing fingerprint protected key pairs within AndroidKeyStore on an Android 7 device (Nexus 5X).

These keys have a life cycle that depends a lot on the status of the user fingerprint set for the device, and I am facing a scenario that I cannot explain.

Initial situation: A user fingerprint is registered on the device and a fingerprint protected key pair has been generated.

Scenario 1 (NORMAL): if I delete the registered fingerprint from the Android fingerprint menu and register a new one right after, without exiting the Android fingerprint menu, the key pair previously generated gets invalidated as expected (an `InvalidKeyException` is thrown when calling `cipher.init` using this key pair).

Scenario 2 (ABNORMAL): if I delete the registered fingerprint from the Android fingerprint menu, exit the Android fingerprint menu and then register a new fingerprint after going back into the Android fingerprint menu, the key pair previously generated is not invalidated (no `InvalidKeyException` is thrown when calling `cipher.init` using this key pair).

How can Scenario 2 be explained?

UPDATE:

Scenario 2 is not systematic. From the tries I have made, it appears that if the new fingerprint is defined in a short time interval after the deletion of the former one, the first key pair won't be invalidated. If some time flies (something like 1 minute) before the new fingerprint is defined, the first key pair will be invalidated (normal scenario).

Antelop
  • Have you tried using the cipher for encryption in scenario 2? I've seen something similar (also with Nexus 5X / Android 7), and I got an `IllegalBlockSizeException` at `doFinal`, and then `KeyPermanentlyInvalidatedException` if I attempt `init` again. – Michael Sep 19 '17 at 11:05
  • I haven't. My goal is to check if there is a key that can be used in the keystore; for that, I thought that a successful call of `cipher.init` with the key was enough. It appears that it is not the case. Following your comment I will add the `cipher.doFinal` call, see the outcome and let you know, thanks! – Antelop Sep 20 '17 at 06:54
  • Well, this is a behavior I've only seen on the Nexus 5X. And unless you've come across a different bug than the one I ran into, you'll get an exception when trying to actually use the cipher. So you could handle the error at that point instead, if you want to avoid any special handling for one particular model. – Michael Sep 20 '17 at 07:00
  • If I pursue Scenario 2 with a call to `cipher.doFinal()` I get an `IllegalBlockSizeException`, which is normal since the key is protected by fingerprint (the exception cause is "android.security.KeyStoreException: Key user not authenticated"). Then, if I attempt a new call to `cipher.init` after, there is no exception being thrown (independently of whether it is the same cipher or a new cipher) – Antelop Sep 20 '17 at 14:34
  • This is how I handle key generation in my fingerprint library : [link](https://github.com/OmarAflak/Fingerprint/blob/master/fingerprint/src/main/java/me/aflak/libraries/utils/CipherHelper.java). I just call `getEncryptionCryptoObject` and check if the result is `null` which means that the keys were invalidated. I have a normal behavior on my OnePlus5 in both scenarios, you may want to try on yours. – Omar Aflak Jan 10 '18 at 10:33

0 Answers
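
The check discussed in the comments, as an added example that is not code from the question or from any commenter: it treats a successful `Cipher.init` only as a first signal and handles a failure at `doFinal` by re-probing the key. The alias `example_fp_key`, the `RSA/ECB/PKCS1Padding` transformation and the class and method names are assumptions, and `authorizedCipher` is assumed to be a cipher the user has already unlocked with a fingerprint.

```java
import android.security.keystore.KeyPermanentlyInvalidatedException;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.PrivateKey;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;

public final class FingerprintKeyCheck {
    public enum KeyState { MISSING, INVALIDATED, INIT_OK }

    // Assumed values for illustration; the question does not give them.
    private static final String ALIAS = "example_fp_key";
    private static final String TRANSFORMATION = "RSA/ECB/PKCS1Padding";

    /** Classifies the key by what Cipher.init reports. INIT_OK is not proof of usability. */
    public static KeyState probe() throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        PrivateKey key = (PrivateKey) ks.getKey(ALIAS, null);
        if (key == null) return KeyState.MISSING;
        try {
            Cipher.getInstance(TRANSFORMATION).init(Cipher.DECRYPT_MODE, key);
            return KeyState.INIT_OK;
        } catch (KeyPermanentlyInvalidatedException e) {
            // The enrolled fingerprint set changed: the key must be regenerated.
            return KeyState.INVALIDATED;
        }
    }

    /**
     * Uses a cipher the user has already authorized with a fingerprint.
     * Returns null when the key turns out to be invalidated, so the caller re-enrolls.
     */
    public static byte[] decrypt(Cipher authorizedCipher, byte[] ciphertext)
            throws GeneralSecurityException, IOException {
        try {
            return authorizedCipher.doFinal(ciphertext);
        } catch (IllegalBlockSizeException e) {
            // Failure at use time, as reported in the comments: re-probe before deciding.
            if (probe() == KeyState.INVALIDATED) return null;
            throw e;
        }
    }
}
```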