-
Notifications
You must be signed in to change notification settings - Fork 15
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #114 from morphis/add-ams-crypto-exp
Add initial explanation for crypto used by AMS
- Loading branch information
Showing
2 changed files
with
32 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,31 @@ | ||
| (exp-security-crypto-ams)= | ||
| # Cryptographic information: AMS | ||
|
|
||
| Anbox Management Service (AMS) is using cryptographic technology for: | ||
|
|
||
| * TLS transport encryption | ||
| * Mutual TLS based authentication | ||
| * Token based authentication | ||
|
|
||
| ## TLS transport encryption | ||
|
|
||
| All network endpoints exposed by the AMS server are secured with TLS using an 4096 bit RSA key. AMS strictly enforces TLS 1.3 or better and does not provide backward compatibility with older TLS versions. | ||
|
|
||
| ## Mutual TLS based authentication | ||
|
|
||
| AMS authenticates with all of its clients through the use of mutual TLS. The server authenticates a client by the presented client certificate and checks if it is recorded in its trust store. A client checks the certificate provided by the server against a recorded one. Once both sides have checked and accepted the presented certificate a TLS connection is established for API access. | ||
|
|
||
| AMS uses an RSA key with a length of 4096 bits for its server. The standard AMS client `amc` uses a RSA key with a length of 4096 bits. The key in both cases is generated by the use of the [`rsa.GenerateKey`](https://pkg.go.dev/crypto/rsa#GenerateKey) method as provided by the Go standard library. | ||
|
|
||
| Authenticated clients can add additional certificates to the trust store AMS manages. The trust stored keeps a copy of all registered certificates and stores them in an [etcd database](https://etcd.io/). | ||
|
|
||
| Communication with LXD is using mutual TLS based authentication too. More details on this can be found in the [LXD documentation](https://documentation.ubuntu.com/lxd/en/latest/authentication/). | ||
|
|
||
| ## Token based authentication | ||
|
|
||
| Individual Anbox instances have access to a limited set of API endpoints exposed by the AMS server to submit status information during runtime. Access is authenticated by a scope-limited JWT based token. The token is valid for one year and is signed with a [HMAC](https://www.okta.com/identity-101/hmac/) using SHA-256 (HS256) and a 64 byte secret key. The [`jwt.New`](https://pkg.go.dev/github.com/golang-jwt/jwt/v5#Token) method is used internally to generate the JWT token. | ||
|
|
||
| ## Packages used | ||
|
|
||
| * [Go standard library](https://pkg.go.dev/std) | ||
| * [`github.com/golang-jwt/jwt`](https://github.com/golang-jwt/jwt) |