Why crypto object is needed for Android fingerprint authentication?

Question

I have gone through the android finger print sample provided by Google.

https://github.com/googlesamples/android-FingerprintDialog

As I am new to security standa

Answer 1

Why we need to use Keystore, key, CryptoObject... etc? Simply It could >be like, ask finger print manager to authenticate the user and it can >simply return the status(success/failed)

I thought the same thing when I first read about fingerprint for android. Through my research, I think I can summarize the CryptoObject for you in plain english, which is what you are looking for because technical descriptions does not help with understanding concepts:

The CryptoObject is created by a key in your android keystore, which is inherently considered "secure"[1]. So passing in a CryptoObject to the fingerprint manager lets the manager have an anchor that confirms the the finger print auth results were not tampered with, which is theoretically possible [2].

Think of it this way, if you pass in null, the fingerprint manager blindly trusts the results from a finger print match result. if you pass in a crypto object, which is created by a key that only your application can access because of keystore, then the results coming back will probably have this cryptoObject which only your app can successfully identify. Here is another quote that makes more common sense.

"The CryptoObject makes the process more secure because if that object is not backed by the KeyStore, it’s always going to fail." [3]

The picture in [4] link also gives you an idea.

[1] https://developer.android.com/training/articles/keystore

[2] https://docs.microsoft.com/en-us/xamarin/android/platform/fingerprint-authentication/creating-a-cryptoobject

[3]https://medium.com/@manuelvicnt/android-fingerprint-authentication-f8c7c76c50f8

[4]https://infinum.co/the-capsized-eight/android-fingerprint-security

Answer 2

Why we need to use Keystore, key, CryptoObject... etc? Simply It could be like, ask finger print manager to authenticate the user and it can simply return the status(success/failed)

You don't have to. You can make fingerprint authentication without a CryptoObject, just pass a null value. Then won't have to mess with keystore and other stuff.

The only use of a CryptoObject in a Fingerprint Authentication context is to know if a new fingerprint was added since last time the user authenticated via fingerprint.

Do I need to generate new key every time on each authentication?

If a new fingerprint is added, you will have to prompt a password to verify the user's identity and then generate new keys (because they became invalid when the new fingerprint was added).

Again you won't have to mess with these if you pass a null CryptoObject

A matter of point of view

Fingerprint authentication doesn't require a CryptoObject, in fact it's quite the opposite.

When you make cryptographic operations on Android, you can use one of these objects : Cipher, Signature, Mac (and others). One of these three can be used to build a CryptoObject.

When you generate keys for these objects, there is a method nammed setUserAuthenticationRequired(boolean) which manages to get the keys valids only if the user has authenticated via fingerprint before.

Thus, in case of a client/server communication for instance, if the client can use the keys, it means he authenticated via fingerprint and his identity is known.

That said, you might want to check my library which makes the whole thing a lot easier :

https://github.com/OmarAflak/Fingerprint

Answer 3

The answere to one of your questions,

We will create a key with the alias and use alias to retrieve the key. alias is the key of the key.there will be list of aliases stored for the app sandbox. It retrieves the key on subsequent attempts of trying to generate the key with same alias.