diff --git a/.custom_wordlist.txt b/.custom_wordlist.txt index 37e216ab..979397fb 100644 --- a/.custom_wordlist.txt +++ b/.custom_wordlist.txt @@ -72,6 +72,8 @@ customisable customisation customisations CustomLocale +Cryptographic +cryptographic datacenter dataset deallocate @@ -117,6 +119,7 @@ Graviton gRPC HAProxy HIDL +HMAC Honkai hotfix HTTPS @@ -143,6 +146,7 @@ JS JSON Juju Juju's +JWT kb keybinding KeyError diff --git a/explanation/security/crypto_ams.md b/explanation/security/crypto_ams.md new file mode 100644 index 00000000..203843dc --- /dev/null +++ b/explanation/security/crypto_ams.md 
@@ -0,0 +1,31 @@ +(exp-security-crypto-ams)= +# Cryptographic information: AMS + +Anbox Management Service (AMS) is using cryptographic technology for: + +* TLS transport encryption +* Mutual TLS based authentication +* Token based authentication + +## TLS transport encryption + +All network endpoints exposed by the AMS server are secured with TLS using an 4096 bit RSA key. AMS strictly enforces TLS 1.3 or better and does not provide backward compatibility with older TLS versions. + +## Mutual TLS based authentication + +AMS authenticates with all of its clients through the use of mutual TLS. The server authenticates a client by the presented client certificate and checks if it is recorded in its trust store. A client checks the certificate provided by the server against a recorded one. Once both sides have checked and accepted the presented certificate a TLS connection is established for API access. + +AMS uses an RSA key with a length of 4096 bits for its server. The standard AMS client `amc` uses a RSA key with a length of 4096 bits. The key in both cases is generated by the use of the [`rsa.GenerateKey`](https://pkg.go.dev/crypto/rsa#GenerateKey) method as provided by the Go standard library. + +Authenticated clients can add additional certificates to the trust store AMS manages. The trust stored keeps a copy of all registered certificates and stores them in an [etcd database](https://etcd.io/). + +Communication with LXD is using mutual TLS based authentication too. More details on this can be found in the [LXD documentation](https://documentation.ubuntu.com/lxd/en/latest/authentication/). + +## Token based authentication + +Individual Anbox instances have access to a limited set of API endpoints exposed by the AMS server to submit status information during runtime. Access is authenticated by a scope-limited JWT based token. 
The token is valid for one year and is signed with a [HMAC](https://www.okta.com/identity-101/hmac/) using SHA-256 (HS256) and a 64 byte secret key. The [`jwt.New`](https://pkg.go.dev/github.com/golang-jwt/jwt/v5#Token) method is used internally to generate the JWT token. + +## Packages used + +* [Go standard library](https://pkg.go.dev/std) +* [`github.com/golang-jwt/jwt`](https://github.com/golang-jwt/jwt)
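Review bot: In the new `explanation/security/crypto_ams.md` hunk, "AMS strictly enforces TLS 1.3 or better and does not provide backward compatibility with older TLS versions" should state the enforced minimum plainly: TLS 1.3 is the highest published version, so "or better" reads as a hedge; suggest "AMS requires TLS 1.3 and rejects connections from clients that only offer older TLS versions." The same hunk has several grammar slips worth fixing before merge: "using an 4096 bit RSA key" and "uses a RSA key" (should be "a 4096-bit RSA key" and "an RSA key"), "The trust stored keeps a copy" (should be "trust store"), and "is using cryptographic technology for" / "is using mutual TLS based authentication too" (plain present "uses"). The mutual TLS paragraph describes both sides checking the presented certificate but does not say what happens when a client presents a certificate that is not in the trust store, nor how a registered certificate is removed from the etcd-backed store; one sentence on rejection and one on removal would complete the picture for operators. In the token section, the `jwt.New` link points at the `Token` type anchor (`#Token`) while the function's own anchor on pkg.go.dev is `#New`, and the "Packages used" entry should name the major version the link actually refers to (`github.com/golang-jwt/jwt/v5`). Finally, the token "is valid for one year" but the hunk says nothing about rotation of the 64 byte HMAC secret or revocation of issued tokens; documenting whether rotating the secret invalidates outstanding tokens would help readers assess exposure when an instance's token is leaked.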