Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat: add cryptographic explanation for the Anbox runtime
Showing 1 changed file with 32 additions and 0 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,32 @@ | ||
(exp-security-crypto-anbox-runtime)= | ||
# Anbox runtime | ||
|
||
The Anbox runtime (see {ref}`howto-anbox-runtime`) is using cryptographic technology for: | ||
|
||
* TLS transport encryption | ||
* Token based authentication | ||
* WebRTC | ||
|
||
## TLS transport encryption | ||
|
||
All HTTP communication Anbox performed over IP connections to external services is using TLS for transport encryption. | ||
|
||
When talking to the HTTPS API of the Anbox Stream Agent, Anbox will either rely on [system CA certificates](https://launchpad.net/ubuntu/+source/ca-certificates) or verify the certificate presented via TLS against a SHA-256 fingerprint of the certificate it has been configured with. For the fingerprint validation Anbox will retrieve the remote certificate and use the `X509_digest` method from [OpenSSL](https://launchpad.net/ubuntu/+source/openssl/) to calculate a SHA-256 hash. The hash is then compared against the expected one. If both don't match, the connection to the Anbox Stream Gateway is cancelled by Anbox. | ||
|
||
## Token based authentication | ||
|
||
Anbox accesses a limited set of API endpoints of AMS to submit status information during runtime. Access is authenticated by a scope-limited JWT based token. See {ref}`exp-security-crypto-ams` for more details. | ||
|
||
As part of the WebRTC connection process Anbox talks to the HTTP API endpoints the Anbox Stream Agent provides. Anbox authenticates to the agent by presenting a token (see {ref}`exp-security-crypto-stream-agent)`) and validates the TLS certificate of the agent by checking its fingerprint. The fingerprint Anbox uses for the validation check is the SHA-256 hash of the complete ASN.1 DER content (certificate, signature algorithm and signature) of the TLS certificate the agent uses. | ||
|
||
## WebRTC | ||
|
||
For streaming of audio, video and other data the Anbox runtime uses WebRTC as provided by the upstream [WebRTC](https://webrtc.org) project from Google. Different to usptreams default, the build of WebRTC for the Anbox runtime utilizes [OpenSSL](https://launchpad.net/ubuntu/+source/openssl/) instead of Googles [BoringSSL](https://boringssl.googlesource.com/boringssl) for any cryptographic use. | ||
|
||
The security model and cryptographic use of WebRTC is described in [RFC8827](https://www.rfc-editor.org/rfc/rfc8827) and use of WebRTC in the Anbox runtime does not deviate from this. | ||
|
||
## Packages used | ||
|
||
* [Go standard library](https://pkg.go.dev/std) | ||
* [OpenSSL](https://launchpad.net/ubuntu/+source/openssl/) | ||
* [`ca-certificates`](https://launchpad.net/ubuntu/+source/ca-certificates) |
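
Review bot: The cross-reference in the second paragraph of "Token based authentication" has its closing parenthesis inside the role target (the target reads exp-security-crypto-stream-agent) with the bracket included), so it will not resolve to the intended label; move the parenthesis outside the backticks. In "TLS transport encryption" the paragraph describes validating the certificate of the Anbox Stream Agent but ends with the connection to the "Anbox Stream Gateway" being cancelled; name the same component in both places or state how the two relate. The fingerprint check is also described twice, once there and once under "Token based authentication", and only the second says the hash covers the complete DER encoding; consider stating that once, next to the `X509_digest` sentence. Smaller points: "usptreams" and "Googles" in the WebRTC section should be "upstream's" and "Google's", "All HTTP communication Anbox performed" should read "performs", and "Packages used" lists the Go standard library although nothing in the text says where Go is used.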