Issue while using Android fingerprint: IV required when decrypting. Use IvParameterSpec or AlgorithmParameters to provide it

Question

I'm following the ConfirmCredential Android example provided by Google, but it only shows how to encrypt the data. When I try to decrypt it I get exception:

java.security.InvalidKeyException: IV required when decrypting. Use IvParameterSpec or AlgorithmParameters to provide it.

I use the following code:

String transforation = KeyProperties.KEY_ALGORITHM_AES + "/" + KeyProperties.BLOCK_MODE_CBC + "/" + KeyProperties.ENCRYPTION_PADDING_PKCS7;

KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore");
keyStore.load(null);
SecretKey secretKey = (SecretKey) keyStore.getKey(KEY_NAME, null);

// encrypt
Cipher cipher = Cipher.getInstance(transforation);
cipher.init(Cipher.ENCRYPT_MODE, secretKey);
String encriptedPassword = cipher.doFinal("Some Password".getBytes("UTF-8"));

// decrypt
cipher = Cipher.getInstance(transforation);
cipher.init(Cipher.DECRYPT_MODE, secretKey);
String password = new String(cipher.doFinal(encriptedPassword), "UTF-8"));

The exception is thrown at line:

cipher.init(Cipher.DECRYPT_MODE, secretKey);

Any idea on what is the proper way to do the decryption in this case?

Look at http://stackoverflow.com/questions/6669181/why-does-my-aes-encryption-throws-an-invalidkeyexception and see if using using an IvParameterSpec helps. — ditkin, Oct 19 '15 at 12:37
@ditkin I had already tried adding IV, but it resulted with exception: java.security.InvalidAlgorithmParameterException: Caller-provided IV not permitted when encrypting. — Zlatko, Oct 19 '15 at 12:48

Qianqian · Accepted Answer · 2016-01-25T19:24:39.747

Basically you have to pass the IvParameterSpec for the decrypt mode whereas you should not manually set it for encryption mode.

So here is what I did and it worked well:

private initCipher(int mode) {
    try {
        byte[] iv;
        mCipher = Cipher.getInstance(KeyProperties.KEY_ALGORITHM_AES + "/"
                + KeyProperties.BLOCK_MODE_CBC + "/"
                + KeyProperties.ENCRYPTION_PADDING_PKCS7);
        IvParameterSpec ivParams;
        if(mode == Cipher.ENCRYPT_MODE) {
            mCipher.init(mode, generateKey());
            ivParams = mCipher.getParameters().getParameterSpec(IvParameterSpec.class);
            iv = ivParams.getIV();
            fos = getContext().openFileOutput(IV_FILE, Context.MODE_PRIVATE);
            fos.write(iv);
            fos.close();
        }
        else {
            key = (SecretKey)keyStore.getKey(KEY_NAME, null);
            File file = new File(getContext().getFilesDir()+"/"+IV_FILE);
            int fileSize = (int)file.length();
            iv = new byte[fileSize];
            FileInputStream fis = getContext().openFileInput(IV_FILE);
            fis.read(iv, 0, fileSize);
            fis.close();
            ivParams = new IvParameterSpec(iv);
            mCipher.init(mode, key, ivParams);
        }
        mCryptoObject = new FingerprintManager.CryptoObject(mCipher);
    } catch(....)
}

You can also encode the IV data with Base64 and save it under shared preferences instead of saving it under a file.

In either case, If you have employed the new full backup feature for Android M, keep in mind that this data should NOT be allowed to backup/restore since it is invalid when a user reinstall the app or install the app on another device.

@derHugo It's a simple method to generate the key by calling KeyGenerator.build after setting some necessary attributes. I didn't think it important to this question so i omitted them. — Qianqian, Jun 06 '18 at 01:40
Ok thanks, I see. I already have seen another how-to on that one .. It just was like the missing thing in the puzzle ;) — derHugo, Jun 06 '18 at 08:27

score 4 · Answer 2 · answered Nov 01 '15 at 16:25

I created an issue in the github project for the sample provided by google (link to the issue here). The response I got is that I must use the IV that was generated when the value was encrypted. (same as in the solution provided by @Qianqian)

cipher.init(Cipher.DECRYPT_MODE, secretKey, new IvParameterSpec(encryptCipher.getIV()));
byte[] decryptedBytes = cipher.doFinal(encryptedBytes);

I created a sample application that shows how to do this. It is available on github, here.

Hope this is useful to someone.

What is **encryptCipher**? – IgorGanapolsky May 27 '18 at 18:19 — IgorGanapolsky, May 27 '18 at 18:19

score 0 · Answer 3 · answered Oct 21 '15 at 03:33

0

How about this,

mCipher.init(Cipher.DECRYPT_MODE, key, mCipher.getParameters());

If you use the sample code from Google repo, above line will work, also note, for every mChiper.init we need to authenticate with fingerprint once, that means two fingerprint auth is required, one for encryption and one for decryption.

https://github.com/googlesamples/android-FingerprintDialog

answered Oct 21 '15 at 03:33

Riyaz Mohammed Ibrahim

9,505
5
26
33

Thanks for the feedback, but it again resulted with java.security.InvalidAlgorithmParameterException: IV required when decrypting. Use IvParameterSpec or AlgorithmParameters to provide it. I use https://github.com/googlesamples/android-ConfirmCredential and have AUTHENTICATION_DURATION_SECONDS set to 30, so I expect that only once fingerprint scan will be required. – Zlatko Oct 21 '15 at 11:50

Issue while using Android fingerprint: IV required when decrypting. Use IvParameterSpec or AlgorithmParameters to provide it

3 Answers3

Linked