指纹识别

网上有一堆做指纹识别的demo,但是仅限于识别这一步,其实对于一个项目来说,牵扯到的东西可能更多:从无指纹识别版本过渡到可以使用指纹登录,设置密码与指纹关联,识别后如何登录,却没有太多的资料。下面就简单说下这个流程。

一、概述

Android下的指纹识别是在Android6.0后添加的功能,因此,在实现的时候要判断用户机是否支持,然后对于开发来说,使用场景有两种,分别是本地识别和跟服务器交互;
1.本地识别:在本地完成指纹的识别后,跟本地信息绑定登陆;
2.后台交互:在本地完成识别后,将数据传输到服务器;
无论是本地还是与服务器交互,都需要对信息进行加密,通常来说,与本地交互的采用对称加密,与服务器交互则采用非对称加密。

二、对称与非对称加密

1. 对称加密

采用单密钥密码系统的方法,同一密钥作为加密和解密的工具,通过密钥控制加密和解密饿的指令,算法规定如何加密和解密。优点是算法公开、加密解密速度快、效率高,缺点是发送前的双方保持统一密钥,如果泄露则不安全,通常由AES、DES加密算法等;

2. 非对称加密

非对称加密算法需要两个密钥来进行加密和解密,这两个秘钥是公开密钥(简称公钥)和私有密钥(简称私钥),如果一方用公钥进行加密,接受方应用私钥进行解密,反之发送方用私钥进行加密,接收方用公钥进行解密,由于加密和解密使用的不是同一密钥,故称为非对称加密算法;与对称加密算法相比,非对称加密的安全性得到了很大的提升,但是效率上则低了很多,因为解密加密花费的时间更长了,所以适合数据量少的加密,通常有RSA,ECC加密算法等等

三、指纹识别的对称加密

1. 申请权限


2. 检测手机是否支持

FingerprintManagerCompat提供了三个方法:

  • isHardwareDetected() 判断是否有硬件支持
  • isKeyguardSecure() 判断是否设置锁屏,因为一个手机最少要有两种登录方式
  • hasEnrolledFingerprints() 判断系统中是否添加至少一个指纹
/**
* 判断是否支持指纹识别
*/
public static boolean supportFingerprint(Context mContext) {
    if (Build.VERSION.SDK_INT < 23) {
        Toast.makeText(mContext, "您的系统版本过低,不支持指纹功能", Toast.LENGTH_SHORT).show();
        return false;
    } else {
        KeyguardManager keyguardManager = mContext.getSystemService(KeyguardManager.class);
        FingerprintManagerCompat fingerprintManager = FingerprintManagerCompat.from(mContext);
        if (!fingerprintManager.isHardwareDetected()) {
            Toast.makeText(mContext, "您的系统版本过低,不支持指纹功能", Toast.LENGTH_SHORT).show();
            return false;
        } else if (keyguardManager != null && !keyguardManager.isKeyguardSecure()) {
            Toast.makeText(mContext, "您的手机不支持指纹功能", Toast.LENGTH_SHORT).show();
            return false;
        } else if (!fingerprintManager.hasEnrolledFingerprints()) {
            Toast.makeText(mContext, "您至少需要在系统设置中添加一个指纹", Toast.LENGTH_SHORT).show();
            return false;
        }
    }
    return true;
}
3. 开启指纹登录,一般来说都是弹出个提示框用于显示指纹识别的状态。

这时要注意,应该区分加密和解密。
首先是开通指纹验证,将原先的密码进行加密存储,而加密又要区分api level 28以上和以下
Api Level 28以下:

FingerprintManager.CryptoObject object;
CancellationSignal mCancellationSignal; //处理按指纹时取消操作
//加密
try {
    //通过工具类获取Cipher
    object = new FingerprintManager.CryptoObject(KeyGenTools.getEncryptCipher());
    getFingerprintManager(mActivity).authenticate(object, 
        mCancellationSignal, 
        0, 
        new FingerprintManager.AuthenticationCallback() {
            @Override
            public void onAuthenticationError(int errorCode, CharSequence errString) {
               super.onAuthenticationError(errorCode, errString);
            }

            @Override
            public void onAuthenticationHelp(int helpCode, CharSequence helpString) {
                super.onAuthenticationHelp(helpCode, helpString);
            }

            @Override
            public void onAuthenticationSucceeded(FingerprintManager.AuthenticationResult result) {
                super.onAuthenticationSucceeded(result);
                savePwd(result);
            }

            @Override
            public void onAuthenticationFailed() {
                super.onAuthenticationFailed();
           }
        }, 
        null);
} catch (Exception e) {
    e.printStackTrace();
}

public void savePwd(FingerprintManager.AuthenticationResult result){
    try {
        /**
        * 加密后的密码和iv可保存在服务器,登录时通过接口根据账号获取
        */
        Log.i("test", "原密码: " + pwd);
        Cipher cipher = result.getCryptoObject().getCipher();
        byte[] bytes = cipher.doFinal(pwd.getBytes());
        Log.i("test", "设置指纹时保存的加密密码: " + Base64.encodeToString(bytes,Base64.URL_SAFE));
        CacheTools.put("pwdEncode", Base64.encodeToString(bytes,Base64.URL_SAFE));
        byte[] iv = cipher.getIV();
        Log.i("test", "设置指纹时保存的加密IV: " + Base64.encodeToString(iv,Base64.URL_SAFE));
        CacheTools.put("iv", Base64.encodeToString(iv,Base64.URL_SAFE));
        Toast.makeText(MainActivity.this, "开通成功", Toast.LENGTH_LONG).show();
    }catch (Exception e){
        e.printStackTrace();
    }
}

Api Level 28以上:

BiometricPrompt.CryptoObject object;
CancellationSignal mCancellationSignal = new CancellationSignal(); //处理按指纹时取消操作
mCancellationSignal.setOnCancelListener(new CancellationSignal.OnCancelListener() {
    @Override
    public void onCancel() {
    }
});

//加密
try {
    //通过工具类获取Cipher
    object = new BiometricPrompt.CryptoObject(KeyGenTools.getEncryptCipher());
    mBiometricPrompt.authenticate(object, 
        mCancellationSignal,  
        mActivity.getMainExecutor(), 
        new BiometricPrompt.AuthenticationCallback() {
            @Override
            public void onAuthenticationError(int errorCode, CharSequence errString) {
                super.onAuthenticationError(errorCode, errString);
            }

            @Override
            public void onAuthenticationHelp(int helpCode, CharSequence helpString) {
                super.onAuthenticationHelp(helpCode, helpString);
            }

            @Override
            public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult result) {
                super.onAuthenticationSucceeded(result);
                savePwd(result);
            }

            @Override
            public void onAuthenticationFailed() {
                super.onAuthenticationFailed();
            }
        });
} catch (Exception e) {
    e.printStackTrace();
}

public void savePwd(BiometricPrompt.AuthenticationResult result){
    try {
        /**
        * 加密后的密码和iv可保存在服务器,登录时通过接口根据账号获取
        */
        Log.i("test", "原密码: " + pwd);
        Cipher cipher = result.getCryptoObject().getCipher();
        byte[] bytes = cipher.doFinal(pwd.getBytes());
        Log.i("test", "设置指纹时保存的加密密码: " + Base64.encodeToString(bytes,Base64.URL_SAFE));
        CacheTools.put("pwdEncode", Base64.encodeToString(bytes,Base64.URL_SAFE));
        byte[] iv = cipher.getIV();
        Log.i("test", "设置指纹时保存的加密IV: " + Base64.encodeToString(iv,Base64.URL_SAFE));
        CacheTools.put("iv", Base64.encodeToString(iv,Base64.URL_SAFE));
        Toast.makeText(MainActivity.this, "开通成功", Toast.LENGTH_LONG).show();
    }catch (Exception e){
        e.printStackTrace();
    }
}

KeyGenTools.java:

    private static final String ANDROID_KEY_STORE = "AndroidKeyStore";
    private static final String KEY_ALGORITHM = KeyProperties.KEY_ALGORITHM_AES;
    private static final String KEY_BLOCK_MODE = KeyProperties.BLOCK_MODE_CBC;
    private static final String KEY_PADDING = KeyProperties.ENCRYPTION_PADDING_PKCS7;
    private static final String TRANSFORMATION = KEY_ALGORITHM + "/" + KEY_BLOCK_MODE + "/" + KEY_PADDING;
    private final String KEY_ALIAS;

    public KeyGenTools(Context context) {
        KEY_ALIAS = context.getPackageName()+"_fingerprint";
    }

    @RequiresApi(api = Build.VERSION_CODES.M)
    public Cipher getEncryptCipher() {
        Cipher cipher = null;
        try {
            cipher = Cipher.getInstance(TRANSFORMATION);
            cipher.init(Cipher.ENCRYPT_MODE, getKey());
        } catch (Exception e) {
            e.printStackTrace();
        }
        return cipher;
    }

    /**
     * 获取解密的cipher
     *  加密cipher的一些参数
     *  包括initialize vector(AES加密中 以CBC模式加密需要一个初始的数据块,解密时同样需要这个初始块)
     * @return
     */
    @RequiresApi(api = Build.VERSION_CODES.M)
    public Cipher getDecryptCipher(byte[] initializeVector) {
        Cipher cipher = null;
        try {
            cipher = Cipher.getInstance(TRANSFORMATION);
            IvParameterSpec ivParameterSpec = new IvParameterSpec(initializeVector);
            cipher.init(Cipher.DECRYPT_MODE, getKey(), ivParameterSpec);
        } catch (Exception e) {
            e.printStackTrace();
        }
        return cipher;
    }

    /**
     * 获取key,首先从秘钥库中根据别名获取key,如果秘钥库中不存在,则创建一个key,并存入秘钥库中
     * @return
     * @throws Exception
     */
    @RequiresApi(api = Build.VERSION_CODES.M)
    private SecretKey getKey() throws Exception {
        SecretKey secretKey = null;
        KeyStore keyStore = KeyStore.getInstance(ANDROID_KEY_STORE);
        keyStore.load(null);
        if (keyStore.isKeyEntry(KEY_ALIAS)) {
            KeyStore.SecretKeyEntry secretKeyEntry = (KeyStore.SecretKeyEntry) keyStore.getEntry(KEY_ALIAS, null);
            secretKey = secretKeyEntry.getSecretKey();
        } else {
            secretKey = createKey();
        }
        return secretKey;
    }


    /**
     * 在Android中,key的创建之后必须存储在秘钥库才能使用
     * @return
     * @throws Exception
     */
    @RequiresApi(api = Build.VERSION_CODES.M)
    private SecretKey createKey() throws Exception {
        //在创建KeyGenerator的时候,第二个参数指定provider为AndroidKeyStore,这样创建的key就会被存放在这个秘钥库中
        KeyGenerator keyGenerator = KeyGenerator.getInstance(KEY_ALGORITHM, ANDROID_KEY_STORE);
        KeyGenParameterSpec spec = new KeyGenParameterSpec
                .Builder(KEY_ALIAS, KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KEY_BLOCK_MODE)
                .setEncryptionPaddings(KEY_PADDING)
                //这个设置为true,表示这个key必须是通过了用户认证才可以使用
                .setUserAuthenticationRequired(true)
                .build();
        keyGenerator.init(spec);
        return keyGenerator.generateKey();
    }

然后是使用指纹验证,也分为API Level 28以下和以上:

Api Level 28以下:

FingerprintManager.CryptoObject object;
CancellationSignal mCancellationSignal; //处理按指纹时取消操作
//解密
try {
    /**
    * 可通过服务器保存iv,然后在使用之前从服务器获取
    */
    String ivStr = CacheTools.getAsString("iv");
    byte[] iv = Base64.decode(ivStr, Base64.URL_SAFE);

    //通过工具类获取Cipher
    object = new FingerprintManager.CryptoObject(KeyGenTools.getDecryptCipher(iv));
    getFingerprintManager(mActivity).authenticate(object, 
        mCancellationSignal, 
        0, 
        new FingerprintManager.AuthenticationCallback() {
            @Override
            public void onAuthenticationError(int errorCode, CharSequence errString) {
               super.onAuthenticationError(errorCode, errString);
            }

            @Override
            public void onAuthenticationHelp(int helpCode, CharSequence helpString) {
                super.onAuthenticationHelp(helpCode, helpString);
            }

            @Override
            public void onAuthenticationSucceeded(FingerprintManager.AuthenticationResult result) {
                super.onAuthenticationSucceeded(result);
                usePwd(result);
            }

            @Override
            public void onAuthenticationFailed() {
                super.onAuthenticationFailed();
           }
        }, 
        null);
} catch (Exception e) {
    e.printStackTrace();
}

public void usePwd(FingerprintManager.AuthenticationResul result){
    try {
        Cipher cipher = result.getCryptoObject().getCipher();
        String text = aCache.getAsString("pwdEncode");
        Log.i("test", "获取保存的加密密码: " + text);
        byte[] input = Base64.decode(text, Base64.URL_SAFE);
        byte[] bytes = cipher.doFinal(input);
        /**
        * 然后这里用原密码(当然是加密过的)调登录接口
        */
        Log.i("test", "解密得出的加密的登录密码: " + new String(bytes));
        byte[] iv = cipher.getIV();
        Log.i("test", "IV: " + Base64.encodeToString(iv,Base64.URL_SAFE));
        Toast.makeText(MainActivity.this, "登录成功", Toast.LENGTH_LONG).show();
    } catch (Exception e) {
        e.printStackTrace();
    }

Api Level 28以上:

BiometricPrompt.CryptoObject object;
CancellationSignal mCancellationSignal = new CancellationSignal(); //处理按指纹时取消操作
mCancellationSignal.setOnCancelListener(new CancellationSignal.OnCancelListener() {
    @Override
    public void onCancel() {
    }
});

//解密
try {
    /**
    * 可通过服务器保存iv,然后在使用之前从服务器获取
    */
    String ivStr = CacheTools.getAsString("iv");
    byte[] iv = Base64.decode(ivStr, Base64.URL_SAFE);
    
    //通过工具类获取Cipher
    object = new BiometricPrompt.CryptoObject(KeyGenTools.getDecryptCipher(iv));
    mBiometricPrompt.authenticate(object, 
        mCancellationSignal,  
        mActivity.getMainExecutor(), 
        new BiometricPrompt.AuthenticationCallback() {
            @Override
            public void onAuthenticationError(int errorCode, CharSequence errString) {
                super.onAuthenticationError(errorCode, errString);
            }

            @Override
            public void onAuthenticationHelp(int helpCode, CharSequence helpString) {
                super.onAuthenticationHelp(helpCode, helpString);
            }

            @Override
            public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult result) {
                super.onAuthenticationSucceeded(result);
                usePwd(result);
            }

            @Override
            public void onAuthenticationFailed() {
                super.onAuthenticationFailed();
            }
        });
} catch (Exception e) {
    e.printStackTrace();
}

public void usePwd(BiometricPrompt.AuthenticationResult result){
    try {
        Cipher cipher = result.getCryptoObject().getCipher();
        String text = aCache.getAsString("pwdEncode");
        Log.i("test", "获取保存的加密密码: " + text);
        byte[] input = Base64.decode(text, Base64.URL_SAFE);
        byte[] bytes = cipher.doFinal(input);
        /**
        * 然后这里用原密码(当然是加密过的)调登录接口
        */
        Log.i("test", "解密得出的加密的登录密码: " + new String(bytes));
        byte[] iv = cipher.getIV();
        Log.i("test", "IV: " + Base64.encodeToString(iv,Base64.URL_SAFE));
        Toast.makeText(MainActivity.this, "登录成功", Toast.LENGTH_LONG).show();
    } catch (Exception e) {
        e.printStackTrace();
    }
}
为什么Cipher需要包装传递给authenticate()方法

Cipher传递给指纹验证方法,再取出来做加密解密,和直接用Cipher加密解密有什么区别呢?问题的关键还是在创建的Key上,创建keyGenerator时,有一个方法setUserAuthenticationRequired(true),也就是说这个key秘钥必须用户验证了才可以使用的,所以使用这种key初始化的的Cipher如果直接用于加密或者解密,会报出错误W/System.err: javax.crypto.IllegalBlockSizeException,仔细查看错误栈信息会发现它是由于android.security.KeyStoreException: Key user not authenticated这个错误引起的。而当我们将Cipher包装传递给指纹验证方法时,其内部验证了用户的身份,也就解除了Cipher中的key的使用限制,因此在回调方法中就可以使用该Cipher来加解密了。

如何保存相关信息以配合指纹验证身份

指纹验证只是一个认证用户身份的方式,由于用于加密解密的实际操作其实是委托给CryptoObject内部的Cipher,因此主要的工作还是在Cipher的处理上,以指纹支付为例,加密方式是AES-CBC的对称加密:

首先是是加密,当用户选择开通指纹验证登录时,首先会要求用户输入登录密码,接下来代码中初始化一个Cipher用于加密操作,接着要求用户验证指纹,指纹验证成功后将登录密码通过Cipher加密并将做Base64转换成字符串,同时将Cipher的初始向量byte[] iv一起转换成字符串,将这两个字符串存储到服务器。同时,用于初始化Cipher的key保存在Android内部秘钥库AndroidKeyStore中,外部应用程序无法获取。

当用户发起登录时,首先从服务器获取之前加密过的密码字符串和初始向量字符串,同时从本地秘钥库AndroidKeyStore中通过alias别名取出之前存储的key,用初始向量和key初始化一个Cipher,接下来发起指纹登录,指纹验证通过后便可用这个Cipher解密字符串获取真正的登录密码,然后传递给服务器验证。

感谢:
https://www.jianshu.com/p/9b0160f60c85
https://github.com/Tendy-Lau/biometricdemo

你可能感兴趣的:(指纹识别)