Error after Fingerprint touched on Samsung phones: android.security.KeyStoreException: Key user not authenticated

android encryption android-6.0-marshmallow fingerprint android-keystore
petrsyn picture petrsyn · Mar 16, 2016 · Viewed 12.9k times · Source

My app uses Android 6.0 Fingerprint API to protect AES key in the Android KeyStore. The stored key can be used only when user is authenticated by fingerprint sensor because the KeyGenParameterSpec is initialized with setUserAuthenticationRequired(true).

When the user touches the sensor I get the initialized Cipher from the callback onAuthenticationSucceeded(Cipher) and I use it for decryption.

This works perfectly except on Samsung phones with Android 6. When I try to use the returned Cipher, Samsung phones sometimes throw android.security.KeyStoreException: Key user not authenticated. So even though the Cipher is returned by the onAuthenticationSucceeded(Cipher) the Android KeyStore thinks user was NOT authenticated by the fingerprint sensor.

It seems that the crash happens rather when the app was not used for longer time. When the app is wormed up all is working correctly usually.

As this error happens randomly and only on Samsung phones... It seems it is caused by some internal timing issue inside the Samsung implementation of Android 6.0 KeyStore and FingerPrint API.

Edit: This issue was also experienced in OnePlus and Acer phones.

Answer

NullPointer picture NullPointer · Jul 28, 2016

Setting KeyGenParameterSpec.setUserAuthenticationRequired(false) can be a potential security issue. The above error should be handled similar to KeyPermanentlyInvalidatedException. KeyPermanentlyInvalidatedException is thrown on Cipher initialization if new fingerprints are added after your SecretKey is created. But, if the Cipher is initialized before the new fingerprints are added, you'll get the above KeyStoreException for Key User not authenticated, when you're trying to encrypt or decrypt with that Cipher.

It's easy to reproduce this error. While your app's fingerprint verification screen is in the background, try adding a new fingerprint. Now switch back to the app, and enter the fingerprint, the encryption or decryption methods would throw this error. I could resolve this issue by catching the exception and treating it the same way as KeyPermanentlyInvalidatedException.

Related questions

android 6.0 javax.crypto.BadPaddingException: error:1e000065:Cipher functions:OPENSSL_internal:BAD_DECRYPT

this code works well before android 6.0, but get an error on 6.0 if encrypted file size less than about 1k bytes. public static byte[] decode(byte[] decrypteSrcBuffer) throws Exception { Key deskey = null; DESedeKeySpec spec = new DESedeKeySpec(mKeyBytes); SecretKeyFactory keyfactory = SecretKeyFactory.getInstance("…

Read More
Android encryption / decryption using AES

Is there a good example of how to encrypt and decrypt image and other files with AES on Android?

Read More
What is the most appropriate way to store user settings in Android application

I am creating an application which connects to the server using username/password and I would like to enable the option "Save password" so the user wouldn't have to type the password each time the application starts. I was trying …

Read More