Add initial explanation for crypto used by AMS #114

Merged
merged 2 commits into from
Aug 27, 2024
2 changes: 1 addition & 1 deletion .custom_wordlist.txt
Expand Up @@ -72,8 +72,8 @@ customisable
customisation
customisations
CustomLocale
cryptographic
Cryptographic
cryptographic
datacenter
dataset
deallocate
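Review bot: the `cryptographic` / `Cryptographic` entries sit between `CustomLocale` and `datacenter`, although `cr` sorts before `cu`, so if this wordlist is meant to stay alphabetical they belong above `customisable`. With 1 addition and 1 deletion the hunk appears only to swap the order of the two case variants; if the spell checker matches the list case-insensitively, a single entry would be enough.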
31 changes: 31 additions & 0 deletions explanation/security/crypto_ams.md
@@ -0,0 +1,31 @@
(exp-security-crypto-ams)=
# Cryptographic information: AMS

Anbox Management Service (AMS) is using cryptographic technology for:

* TLS transport encryption
* Mutual TLS based authentication
* Token based authentication

## TLS transport encryption

All network endpoints exposed by the AMS server are secured with TLS using an 4096 bit RSA key. AMS strictly enforces TLS 1.3 or better and does not provide backward compatibility with older TLS versions.

## Mutual TLS based authentication

AMS authenticates with all of its clients through the use of mutual TLS. The server authenticates a client by the presented client certificate and checks if it is recorded in its trust store. A client checks the certificate provided by the server against a recorded one. Once both sides have checked and accepted the presented certificate a TLS connection is established for API access.

AMS uses an RSA key with a length of 4096 bits for its server. The standard AMS client `amc` uses a RSA key with a length of 4096 bits. The key in both cases is generated by the use of the [`rsa.GenerateKey`](https://pkg.go.dev/crypto/rsa#GenerateKey) method as provided by the Go standard library.

Authenticated clients can add additional certificates to the trust store AMS manages. The trust stored keeps a copy of all registered certificates and stores them in an [etcd database](https://etcd.io/).

Communication with LXD is using mutual TLS based authentication too. More details on this can be found in the [LXD documentation](https://documentation.ubuntu.com/lxd/en/latest/authentication/).

## Token based authentication

Individual Anbox instances have access to a limited set of API endpoints exposed by the AMS server to submit status information during runtime. Access is authenticated by a scope-limited JWT based token. The token is valid for one year and is signed with a [HMAC](https://www.okta.com/identity-101/hmac/) using SHA-256 (HS256) and a 64 byte secret key. The [`jwt.New`](https://pkg.go.dev/github.com/golang-jwt/jwt/v5#Token) method is used internally to generate the JWT token.

## Packages used

* [Go standard library](https://pkg.go.dev/std)
* [`github.com/golang-jwt/jwt`](https://github.com/golang-jwt/jwt)
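Review bot: "Token based authentication" gives the token lifetime (one year) and the HS256 secret size (64 bytes) but not how the secret is generated, where it is stored, or whether an issued token can be revoked before it expires. The RSA paragraph names `rsa.GenerateKey`, so the same level of detail for the HMAC secret would keep the page consistent. In the same section the `jwt.New` link targets `#Token` rather than the function, and the HMAC link goes to a vendor explainer where RFC 2104 would be a more stable reference. Under "Mutual TLS based authentication", "checks the certificate provided by the server against a recorded one" leaves open how the client first records that certificate. Wording: "TLS 1.3 or better" would read more precisely as "TLS 1.3 as the minimum version"; "an 4096 bit" should be "a 4096-bit", "a RSA key" should be "an RSA key", and "The trust stored keeps" should be "The trust store keeps". "Packages used" lists `github.com/golang-jwt/jwt` while the link in the token section points at `/v5`; naming the major version there would match.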