网上有一堆做指纹识别的demo,但是仅限于识别这一步,其实对于一个项目来说,牵扯到的东西可能更多:从无指纹识别版本过渡到可以使用指纹登录,设置密码与指纹关联,识别后如何登录,却没有太多的资料。下面就简单说下这个流程。
一、概述
Android下的指纹识别是在Android6.0后添加的功能,因此,在实现的时候要判断用户机是否支持,然后对于开发来说,使用场景有两种,分别是本地识别和跟服务器交互;
1.本地识别:在本地完成指纹的识别后,跟本地信息绑定登陆;
2.后台交互:在本地完成识别后,将数据传输到服务器;
无论是本地还是与服务器交互,都需要对信息进行加密,通常来说,与本地交互的采用对称加密,与服务器交互则采用非对称加密。
二、对称与非对称加密
1. 对称加密
采用单密钥密码系统的方法,同一密钥作为加密和解密的工具,通过密钥控制加密和解密饿的指令,算法规定如何加密和解密。优点是算法公开、加密解密速度快、效率高,缺点是发送前的双方保持统一密钥,如果泄露则不安全,通常由AES、DES加密算法等;
2. 非对称加密
非对称加密算法需要两个密钥来进行加密和解密,这两个秘钥是公开密钥(简称公钥)和私有密钥(简称私钥),如果一方用公钥进行加密,接受方应用私钥进行解密,反之发送方用私钥进行加密,接收方用公钥进行解密,由于加密和解密使用的不是同一密钥,故称为非对称加密算法;与对称加密算法相比,非对称加密的安全性得到了很大的提升,但是效率上则低了很多,因为解密加密花费的时间更长了,所以适合数据量少的加密,通常有RSA,ECC加密算法等等
三、指纹识别的对称加密
1. 申请权限
2. 检测手机是否支持
FingerprintManagerCompat提供了三个方法:
- isHardwareDetected() 判断是否有硬件支持
- isKeyguardSecure() 判断是否设置锁屏,因为一个手机最少要有两种登录方式
- hasEnrolledFingerprints() 判断系统中是否添加至少一个指纹
/**
* 判断是否支持指纹识别
*/
public static boolean supportFingerprint(Context mContext) {
if (Build.VERSION.SDK_INT < 23) {
Toast.makeText(mContext, "您的系统版本过低,不支持指纹功能", Toast.LENGTH_SHORT).show();
return false;
} else {
KeyguardManager keyguardManager = mContext.getSystemService(KeyguardManager.class);
FingerprintManagerCompat fingerprintManager = FingerprintManagerCompat.from(mContext);
if (!fingerprintManager.isHardwareDetected()) {
Toast.makeText(mContext, "您的系统版本过低,不支持指纹功能", Toast.LENGTH_SHORT).show();
return false;
} else if (keyguardManager != null && !keyguardManager.isKeyguardSecure()) {
Toast.makeText(mContext, "您的手机不支持指纹功能", Toast.LENGTH_SHORT).show();
return false;
} else if (!fingerprintManager.hasEnrolledFingerprints()) {
Toast.makeText(mContext, "您至少需要在系统设置中添加一个指纹", Toast.LENGTH_SHORT).show();
return false;
}
}
return true;
}
3. 开启指纹登录,一般来说都是弹出个提示框用于显示指纹识别的状态。
这时要注意,应该区分加密和解密。
首先是开通指纹验证,将原先的密码进行加密存储,而加密又要区分api level 28以上和以下
Api Level 28以下:
FingerprintManager.CryptoObject object;
CancellationSignal mCancellationSignal; //处理按指纹时取消操作
//加密
try {
//通过工具类获取Cipher
object = new FingerprintManager.CryptoObject(KeyGenTools.getEncryptCipher());
getFingerprintManager(mActivity).authenticate(object,
mCancellationSignal,
0,
new FingerprintManager.AuthenticationCallback() {
@Override
public void onAuthenticationError(int errorCode, CharSequence errString) {
super.onAuthenticationError(errorCode, errString);
}
@Override
public void onAuthenticationHelp(int helpCode, CharSequence helpString) {
super.onAuthenticationHelp(helpCode, helpString);
}
@Override
public void onAuthenticationSucceeded(FingerprintManager.AuthenticationResult result) {
super.onAuthenticationSucceeded(result);
savePwd(result);
}
@Override
public void onAuthenticationFailed() {
super.onAuthenticationFailed();
}
},
null);
} catch (Exception e) {
e.printStackTrace();
}
public void savePwd(FingerprintManager.AuthenticationResult result){
try {
/**
* 加密后的密码和iv可保存在服务器,登录时通过接口根据账号获取
*/
Log.i("test", "原密码: " + pwd);
Cipher cipher = result.getCryptoObject().getCipher();
byte[] bytes = cipher.doFinal(pwd.getBytes());
Log.i("test", "设置指纹时保存的加密密码: " + Base64.encodeToString(bytes,Base64.URL_SAFE));
CacheTools.put("pwdEncode", Base64.encodeToString(bytes,Base64.URL_SAFE));
byte[] iv = cipher.getIV();
Log.i("test", "设置指纹时保存的加密IV: " + Base64.encodeToString(iv,Base64.URL_SAFE));
CacheTools.put("iv", Base64.encodeToString(iv,Base64.URL_SAFE));
Toast.makeText(MainActivity.this, "开通成功", Toast.LENGTH_LONG).show();
}catch (Exception e){
e.printStackTrace();
}
}
Api Level 28以上:
BiometricPrompt.CryptoObject object;
CancellationSignal mCancellationSignal = new CancellationSignal(); //处理按指纹时取消操作
mCancellationSignal.setOnCancelListener(new CancellationSignal.OnCancelListener() {
@Override
public void onCancel() {
}
});
//加密
try {
//通过工具类获取Cipher
object = new BiometricPrompt.CryptoObject(KeyGenTools.getEncryptCipher());
mBiometricPrompt.authenticate(object,
mCancellationSignal,
mActivity.getMainExecutor(),
new BiometricPrompt.AuthenticationCallback() {
@Override
public void onAuthenticationError(int errorCode, CharSequence errString) {
super.onAuthenticationError(errorCode, errString);
}
@Override
public void onAuthenticationHelp(int helpCode, CharSequence helpString) {
super.onAuthenticationHelp(helpCode, helpString);
}
@Override
public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult result) {
super.onAuthenticationSucceeded(result);
savePwd(result);
}
@Override
public void onAuthenticationFailed() {
super.onAuthenticationFailed();
}
});
} catch (Exception e) {
e.printStackTrace();
}
public void savePwd(BiometricPrompt.AuthenticationResult result){
try {
/**
* 加密后的密码和iv可保存在服务器,登录时通过接口根据账号获取
*/
Log.i("test", "原密码: " + pwd);
Cipher cipher = result.getCryptoObject().getCipher();
byte[] bytes = cipher.doFinal(pwd.getBytes());
Log.i("test", "设置指纹时保存的加密密码: " + Base64.encodeToString(bytes,Base64.URL_SAFE));
CacheTools.put("pwdEncode", Base64.encodeToString(bytes,Base64.URL_SAFE));
byte[] iv = cipher.getIV();
Log.i("test", "设置指纹时保存的加密IV: " + Base64.encodeToString(iv,Base64.URL_SAFE));
CacheTools.put("iv", Base64.encodeToString(iv,Base64.URL_SAFE));
Toast.makeText(MainActivity.this, "开通成功", Toast.LENGTH_LONG).show();
}catch (Exception e){
e.printStackTrace();
}
}
KeyGenTools.java:
private static final String ANDROID_KEY_STORE = "AndroidKeyStore";
private static final String KEY_ALGORITHM = KeyProperties.KEY_ALGORITHM_AES;
private static final String KEY_BLOCK_MODE = KeyProperties.BLOCK_MODE_CBC;
private static final String KEY_PADDING = KeyProperties.ENCRYPTION_PADDING_PKCS7;
private static final String TRANSFORMATION = KEY_ALGORITHM + "/" + KEY_BLOCK_MODE + "/" + KEY_PADDING;
private final String KEY_ALIAS;
public KeyGenTools(Context context) {
KEY_ALIAS = context.getPackageName()+"_fingerprint";
}
@RequiresApi(api = Build.VERSION_CODES.M)
public Cipher getEncryptCipher() {
Cipher cipher = null;
try {
cipher = Cipher.getInstance(TRANSFORMATION);
cipher.init(Cipher.ENCRYPT_MODE, getKey());
} catch (Exception e) {
e.printStackTrace();
}
return cipher;
}
/**
* 获取解密的cipher
* 加密cipher的一些参数
* 包括initialize vector(AES加密中 以CBC模式加密需要一个初始的数据块,解密时同样需要这个初始块)
* @return
*/
@RequiresApi(api = Build.VERSION_CODES.M)
public Cipher getDecryptCipher(byte[] initializeVector) {
Cipher cipher = null;
try {
cipher = Cipher.getInstance(TRANSFORMATION);
IvParameterSpec ivParameterSpec = new IvParameterSpec(initializeVector);
cipher.init(Cipher.DECRYPT_MODE, getKey(), ivParameterSpec);
} catch (Exception e) {
e.printStackTrace();
}
return cipher;
}
/**
* 获取key,首先从秘钥库中根据别名获取key,如果秘钥库中不存在,则创建一个key,并存入秘钥库中
* @return
* @throws Exception
*/
@RequiresApi(api = Build.VERSION_CODES.M)
private SecretKey getKey() throws Exception {
SecretKey secretKey = null;
KeyStore keyStore = KeyStore.getInstance(ANDROID_KEY_STORE);
keyStore.load(null);
if (keyStore.isKeyEntry(KEY_ALIAS)) {
KeyStore.SecretKeyEntry secretKeyEntry = (KeyStore.SecretKeyEntry) keyStore.getEntry(KEY_ALIAS, null);
secretKey = secretKeyEntry.getSecretKey();
} else {
secretKey = createKey();
}
return secretKey;
}
/**
* 在Android中,key的创建之后必须存储在秘钥库才能使用
* @return
* @throws Exception
*/
@RequiresApi(api = Build.VERSION_CODES.M)
private SecretKey createKey() throws Exception {
//在创建KeyGenerator的时候,第二个参数指定provider为AndroidKeyStore,这样创建的key就会被存放在这个秘钥库中
KeyGenerator keyGenerator = KeyGenerator.getInstance(KEY_ALGORITHM, ANDROID_KEY_STORE);
KeyGenParameterSpec spec = new KeyGenParameterSpec
.Builder(KEY_ALIAS, KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
.setBlockModes(KEY_BLOCK_MODE)
.setEncryptionPaddings(KEY_PADDING)
//这个设置为true,表示这个key必须是通过了用户认证才可以使用
.setUserAuthenticationRequired(true)
.build();
keyGenerator.init(spec);
return keyGenerator.generateKey();
}
然后是使用指纹验证,也分为API Level 28以下和以上:
Api Level 28以下:
FingerprintManager.CryptoObject object;
CancellationSignal mCancellationSignal; //处理按指纹时取消操作
//解密
try {
/**
* 可通过服务器保存iv,然后在使用之前从服务器获取
*/
String ivStr = CacheTools.getAsString("iv");
byte[] iv = Base64.decode(ivStr, Base64.URL_SAFE);
//通过工具类获取Cipher
object = new FingerprintManager.CryptoObject(KeyGenTools.getDecryptCipher(iv));
getFingerprintManager(mActivity).authenticate(object,
mCancellationSignal,
0,
new FingerprintManager.AuthenticationCallback() {
@Override
public void onAuthenticationError(int errorCode, CharSequence errString) {
super.onAuthenticationError(errorCode, errString);
}
@Override
public void onAuthenticationHelp(int helpCode, CharSequence helpString) {
super.onAuthenticationHelp(helpCode, helpString);
}
@Override
public void onAuthenticationSucceeded(FingerprintManager.AuthenticationResult result) {
super.onAuthenticationSucceeded(result);
usePwd(result);
}
@Override
public void onAuthenticationFailed() {
super.onAuthenticationFailed();
}
},
null);
} catch (Exception e) {
e.printStackTrace();
}
public void usePwd(FingerprintManager.AuthenticationResul result){
try {
Cipher cipher = result.getCryptoObject().getCipher();
String text = aCache.getAsString("pwdEncode");
Log.i("test", "获取保存的加密密码: " + text);
byte[] input = Base64.decode(text, Base64.URL_SAFE);
byte[] bytes = cipher.doFinal(input);
/**
* 然后这里用原密码(当然是加密过的)调登录接口
*/
Log.i("test", "解密得出的加密的登录密码: " + new String(bytes));
byte[] iv = cipher.getIV();
Log.i("test", "IV: " + Base64.encodeToString(iv,Base64.URL_SAFE));
Toast.makeText(MainActivity.this, "登录成功", Toast.LENGTH_LONG).show();
} catch (Exception e) {
e.printStackTrace();
}
Api Level 28以上:
BiometricPrompt.CryptoObject object;
CancellationSignal mCancellationSignal = new CancellationSignal(); //处理按指纹时取消操作
mCancellationSignal.setOnCancelListener(new CancellationSignal.OnCancelListener() {
@Override
public void onCancel() {
}
});
//解密
try {
/**
* 可通过服务器保存iv,然后在使用之前从服务器获取
*/
String ivStr = CacheTools.getAsString("iv");
byte[] iv = Base64.decode(ivStr, Base64.URL_SAFE);
//通过工具类获取Cipher
object = new BiometricPrompt.CryptoObject(KeyGenTools.getDecryptCipher(iv));
mBiometricPrompt.authenticate(object,
mCancellationSignal,
mActivity.getMainExecutor(),
new BiometricPrompt.AuthenticationCallback() {
@Override
public void onAuthenticationError(int errorCode, CharSequence errString) {
super.onAuthenticationError(errorCode, errString);
}
@Override
public void onAuthenticationHelp(int helpCode, CharSequence helpString) {
super.onAuthenticationHelp(helpCode, helpString);
}
@Override
public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult result) {
super.onAuthenticationSucceeded(result);
usePwd(result);
}
@Override
public void onAuthenticationFailed() {
super.onAuthenticationFailed();
}
});
} catch (Exception e) {
e.printStackTrace();
}
public void usePwd(BiometricPrompt.AuthenticationResult result){
try {
Cipher cipher = result.getCryptoObject().getCipher();
String text = aCache.getAsString("pwdEncode");
Log.i("test", "获取保存的加密密码: " + text);
byte[] input = Base64.decode(text, Base64.URL_SAFE);
byte[] bytes = cipher.doFinal(input);
/**
* 然后这里用原密码(当然是加密过的)调登录接口
*/
Log.i("test", "解密得出的加密的登录密码: " + new String(bytes));
byte[] iv = cipher.getIV();
Log.i("test", "IV: " + Base64.encodeToString(iv,Base64.URL_SAFE));
Toast.makeText(MainActivity.this, "登录成功", Toast.LENGTH_LONG).show();
} catch (Exception e) {
e.printStackTrace();
}
}
为什么Cipher需要包装传递给authenticate()方法
Cipher传递给指纹验证方法,再取出来做加密解密,和直接用Cipher加密解密有什么区别呢?问题的关键还是在创建的Key上,创建keyGenerator时,有一个方法setUserAuthenticationRequired(true),也就是说这个key秘钥必须用户验证了才可以使用的,所以使用这种key初始化的的Cipher如果直接用于加密或者解密,会报出错误W/System.err: javax.crypto.IllegalBlockSizeException,仔细查看错误栈信息会发现它是由于android.security.KeyStoreException: Key user not authenticated这个错误引起的。而当我们将Cipher包装传递给指纹验证方法时,其内部验证了用户的身份,也就解除了Cipher中的key的使用限制,因此在回调方法中就可以使用该Cipher来加解密了。
如何保存相关信息以配合指纹验证身份
指纹验证只是一个认证用户身份的方式,由于用于加密解密的实际操作其实是委托给CryptoObject内部的Cipher,因此主要的工作还是在Cipher的处理上,以指纹支付为例,加密方式是AES-CBC的对称加密:
首先是是加密,当用户选择开通指纹验证登录时,首先会要求用户输入登录密码,接下来代码中初始化一个Cipher用于加密操作,接着要求用户验证指纹,指纹验证成功后将登录密码通过Cipher加密并将做Base64转换成字符串,同时将Cipher的初始向量byte[] iv一起转换成字符串,将这两个字符串存储到服务器。同时,用于初始化Cipher的key保存在Android内部秘钥库AndroidKeyStore中,外部应用程序无法获取。
当用户发起登录时,首先从服务器获取之前加密过的密码字符串和初始向量字符串,同时从本地秘钥库AndroidKeyStore中通过alias别名取出之前存储的key,用初始向量和key初始化一个Cipher,接下来发起指纹登录,指纹验证通过后便可用这个Cipher解密字符串获取真正的登录密码,然后传递给服务器验证。
感谢:
https://www.jianshu.com/p/9b0160f60c85
https://github.com/Tendy-Lau/biometricdemo