Commit
Add initial explanation for crypto used by AMS
morphis committed Aug 20, 2024
1 parent 980fc41 commit ea56896
Showing 2 changed files with 35 additions and 0 deletions.
4 changes: 4 additions & 0 deletions .custom_wordlist.txt
@@ -72,6 +72,8 @@ customisable
customisation
customisations
CustomLocale
Cryptographic
cryptographic
datacenter
dataset
deallocate
@@ -117,6 +119,7 @@ Graviton
gRPC
HAProxy
HIDL
HMAC
Honkai
hotfix
HTTPS
@@ -143,6 +146,7 @@ JS
JSON
Juju
Juju's
JWT
kb
keybinding
KeyError
31 changes: 31 additions & 0 deletions explanation/security/crypto_ams.md
@@ -0,0 +1,31 @@
(exp-security-crypto-ams)=
# Cryptographic information: AMS

Anbox Management Service (AMS) is using cryptographic technology for:

* TLS transport encryption
* Mutual TLS based authentication
* Token based authentication

## TLS transport encryption

All network endpoints exposed by the AMS server are secured with TLS using an 4096 bit RSA key. AMS strictly enforces TLS 1.3 or better and does not provide backward compatibility with older TLS versions.

## Mutual TLS based authentication

AMS authenticates with all of its clients through the use of mutual TLS. The server authenticates a client by the presented client certificate and checks if it is recorded in its trust store. A client checks the certificate provided by the server against a recorded one. Once both sides have checked and accepted the presented certificate a TLS connection is established for API access.

AMS uses an RSA key with a length of 4096 bits for its server. The standard AMS client `amc` uses a RSA key with a length of 4096 bits. The key in both cases is generated by the use of the [`rsa.GenerateKey`](https://pkg.go.dev/crypto/rsa#GenerateKey) method as provided by the Go standard library.

Authenticated clients can add additional certificates to the trust store AMS manages. The trust stored keeps a copy of all registered certificates and stores them in an [etcd database](https://etcd.io/).

Communication with LXD is using mutual TLS based authentication too. More details on this can be found in the [LXD documentation](https://documentation.ubuntu.com/lxd/en/latest/authentication/).

## Token based authentication

Individual Anbox instances have access to a limited set of API endpoints exposed by the AMS server to submit status information during runtime. Access is authenticated by a scope-limited JWT based token. The token is valid for one year and is signed with a [HMAC](https://www.okta.com/identity-101/hmac/) using SHA-256 (HS256) and a 64 byte secret key. The [`jwt.New`](https://pkg.go.dev/github.com/golang-jwt/jwt/v5#Token) method is used internally to generate the JWT token.

## Packages used

* [Go standard library](https://pkg.go.dev/std)
* [`github.com/golang-jwt/jwt`](https://github.com/golang-jwt/jwt)
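Review bot: the "TLS transport encryption" paragraph says AMS enforces "TLS 1.3 or better", but TLS 1.3 is the latest published version, so "TLS 1.3 or later" (or simply "TLS 1.3 only") reads more precisely; the same paragraph has "an 4096 bit RSA key" (should be "a 4096-bit RSA key"), and the wording "is using cryptographic technology" in the intro is better as "uses". In the "Mutual TLS based authentication" section, "The trust stored keeps a copy" should be "The trust store keeps a copy", and "a RSA key" should be "an RSA key"; since the server and the `amc` client use the same key length, the two sentences could be merged into one. In the "Token based authentication" section, "a HMAC" should be "an HMAC", and the HMAC link points at a vendor explainer where RFC 2104 would be the normative reference. The `jwt.New` link uses the `#Token` anchor on the v5 package page rather than `#New`, and the text cites `jwt/v5` while the "Packages used" list names the unversioned module `github.com/golang-jwt/jwt`; aligning these avoids readers looking at the wrong major version. Finally, the token section documents how tokens are signed (HS256, 64-byte secret, one-year validity) but not how the secret is generated, stored or rotated, nor that verification accepts only the HS256 signing method; a reader assessing the token design needs those details, so consider adding a sentence on each, e.g. "The secret is generated with `crypto/rand` at first start, persisted in [location], and tokens are rejected unless signed with HS256."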

0 comments on commit ea56896