1

I'm working on a project related to fingerprint and need to handle the fingerprint catalog change. I use secrete key which generated with setUserAuthenticationRequired(true) options to check the fingerprint change. The key should be irreversibly invalidated once a new fingerprint is enrolled or once\ no more fingerprints are enrolled, and attempts to initialize cryptographic operations using such keys will throw KeyPermanentlyInvalidatedException.

I found it works on Galaxy s7, but it doesn't work on on s7 edge. On s7 edge, the key is still validated when adding a new fingerprint.

Below is my code and it's from google FingerprintDialog sample application, did you see this issue before and have any solutions? Thanks!

/**
 * Creates a symmetric key in the Android Key Store which can only be used after the user has
 * authenticated with fingerprint.
 */
public void createKey() {
    try {
        mKeyStore.load(null);
        mKeyGenerator.init(new KeyGenParameterSpec.Builder(KEY_NAME,
                KeyProperties.PURPOSE_ENCRYPT |
                        KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_CBC)
                        // Require the user to authenticate with a fingerprint to authorize every use
                        // of the key
                .setUserAuthenticationRequired(true)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7)
                .build());
        mKeyGenerator.generateKey();
    } catch (NoSuchAlgorithmException | InvalidAlgorithmParameterException
            | CertificateException | IOException e) {
        throw new RuntimeException(e);
    }
} 


 /**
 * Initialize the {@link Cipher} instance with the created key in the {@link #createKey()}
 * method.
 */
private boolean initCipher() {
    try {
        mKeyStore.load(null);
        SecretKey key = (SecretKey) mKeyStore.getKey(KEY_NAME, null);
        mCipher.init(Cipher.ENCRYPT_MODE, key);
        return true;
    } catch (KeyPermanentlyInvalidatedException e) { //It should throw this exception when adding a new fingerprint, but on s7 edge, it doesn't throw
        return false;
    } catch (KeyStoreException | CertificateException | UnrecoverableKeyException | IOException
            | NoSuchAlgorithmException | InvalidKeyException e) {
        throw new RuntimeException("Failed to init Cipher", e);
    }
}

Model number: SM-G935W8, Android version: 6.0.1, Kenel version: 3.18.14-8421152, Build number: MMB29K. G935W8VLU1APG1, Android security patch level: July 1, 2016

Michael Russo
  • 442
  • 6
  • 14
Rolland Liu
  • 31
  • 6

1 Answers1

2

This issue has been fixed by Samsung's OS update: Kenel version: 3.18.14-9105000, Build number: MMB29K. G935W8VLU2APG1, Android security patch level: September 1, 2016

Rolland Liu
  • 31
  • 6
  • Hi, I am also facing this problem on a Samsung Galaxy Note4. I tried downloading the latest software updates hoping the kernel version and the security patch would be updated to the versions you said, but they didn't...Do you know if there is any solution to the fingerprint issue on this device? Thanks – alvaro.delaserna Nov 30 '16 at 16:33
  • Sorry for the late response. I'm afraid the Note 4 doesn't support the Google Fingerprint API (just the Samsung Fingerprint), and the fingerprint can't be used to protect keys. http://stackoverflow.com/questions/38266406/android-fingerprint-api-ishardwaredetected-returns-false-for-samsung-note-4 – Rolland Liu Dec 12 '16 at 16:53
  • I found out about Samsung's PASS SDK. It does not provide enough security to be used to protect keys. Thanks for your answer – alvaro.delaserna Dec 13 '16 at 07:14