How Auth Token used in authentication flow

Chun-Ta Kung
Hi all,

I am looking to verify whether the authentication result (fingerprint match success or failure) is genuinely from the security zone and the bottom fingerprint daemon when it is passed back to the user domain. From the document below, I think the auth token is used in the flow; however, I cannot find the implementation. Could anyone point me to any info?


==

I am looking at the document here: https://source.android.com/security/authentication 

It describes the auth flow, divided into 4 steps. The Auth Token is mentioned in the flow:

  • If authentication in the TEE is successful, Fingerprint in the TEE sends an AuthToken (signed with the AuthToken HMAC key) to its counterpart in the Android OS. (step 2)
  • The daemon receives a signed AuthToken and passes it to the keystore service through an extension to the keystore service's Binder interface. (Step 3)
  • The keystore service passes the AuthTokens to Keymaster and verifies them using the key shared with the Gatekeeper and supported biometric TEE component. Keymaster trusts the timestamp in the token as the last authentication time and bases a key release decision (to allow an app to use the key) on the timestamp (Step 4)

As the green portion of Step 4 highlights, the AuthToken should be verified in the key store.

But when I looked into the Android sources, I found that the AuthToken is added to the key store in AuthenticationClient.onAuthenticated, but no further verification is explicitly executed.

https://cs.android.com/android/platform/superproject/+/master:frameworks/base/services/core/java/com/android/server/biometrics/AuthenticationClient.java;l=226 

In summary, my questions are below:
  1. I assume the auth token should be used to verify that the authentication result is genuine (not from a replay attack or man in the middle). Is that correct?
  2. If 1 is correct, where does it actually perform the verification inside the authentication flow?
  3. Or if 1 is incorrect, how does it verify that the result is genuine? More generally, how does a fingerprint-binding payment app on a mobile phone guarantee that the fingerprint result is authentic?


Can someone share any insights about it?


Thanks

--
To view this discussion on the web visit https://groups.google.com/d/msgid/android-platform/fb860b62-c63f-42b9-b9f3-a7c46dd6b1d7n%40googlegroups.com.
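
Added example, not part of the original post and not Android source code: a minimal model of the check the quoted documentation describes in steps 2 and 4, where a token is HMAC-signed with a shared key and the verifier checks the MAC before trusting the timestamp for a key release decision. The field layout, key value, challenge comparison and timeout policy are constructed assumptions for illustration.

```python
import hashlib
import hmac
import struct

# Constructed layout (an assumption for this sketch): version, challenge,
# user_id, authenticator_id, authenticator_type, timestamp_ms, then a 32-byte MAC.
FIELDS = struct.Struct(">BQQQIQ")
MAC_LEN = hashlib.sha256().digest_size


def sign_token(key, challenge, user_id, auth_id, auth_type, timestamp_ms):
    """Signer side (the TEE in the quoted flow): MAC the serialized fields."""
    body = FIELDS.pack(0, challenge, user_id, auth_id, auth_type, timestamp_ms)
    return body + hmac.new(key, body, hashlib.sha256).digest()


def verify_token(key, token, expected_challenge, now_ms, timeout_ms):
    """Verifier side: check the MAC first, only then trust any field."""
    if len(token) != FIELDS.size + MAC_LEN:
        return False, "bad length"
    body, mac = token[:FIELDS.size], token[FIELDS.size:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return False, "bad hmac"
    _ver, challenge, _uid, _aid, _atype, ts = FIELDS.unpack(body)
    if challenge != expected_challenge:  # token minted for another request
        return False, "challenge mismatch"
    if ts > now_ms or now_ms - ts > timeout_ms:  # too old to release a key
        return False, "stale timestamp"
    return True, "ok"


if __name__ == "__main__":
    key = b"\x11" * 32  # constructed stand-in for the shared HMAC key
    token = sign_token(key, challenge=42, user_id=1000, auth_id=7,
                       auth_type=2, timestamp_ms=10_000)
    print(verify_token(key, token, 42, now_ms=12_000, timeout_ms=30_000))
    forged = token[:-1] + bytes([token[-1] ^ 1])  # flip one MAC bit
    print(verify_token(key, forged, 42, now_ms=12_000, timeout_ms=30_000))
```

In this model a component that relays the token without holding the key can neither alter the timestamp nor mint a token, because any change to the signed fields invalidates the MAC.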