AMS

Anbox Management Service (AMS) is using cryptographic technology for:

  • TLS transport encryption

  • Mutual TLS based authentication

  • Token based authentication

TLS transport encryption

All network endpoints exposed by the AMS server are secured with TLS using an 4096 bit RSA key. AMS strictly enforces TLS 1.3 or better and does not provide backward compatibility with older TLS versions.

Mutual TLS based authentication

AMS authenticates with all of its clients through the use of mutual TLS. The server authenticates a client by the presented client certificate and checks if it is recorded in its trust store. A client checks the certificate provided by the server against a recorded one. Once both sides have checked and accepted the presented certificate a TLS connection is established for API access.

AMS uses an RSA key with a length of 4096 bits for its server. The standard AMS client amc uses a RSA key with a length of 4096 bits. The key in both cases is generated by the use of the rsa.GenerateKey method as provided by the Go standard library.

Authenticated clients can add additional certificates to the trust store AMS manages. The trust stored keeps a copy of all registered certificates and stores them in an etcd database.

Communication with LXD is using mutual TLS based authentication too. More details on this can be found in the LXD documentation.

Token based authentication

Individual Anbox instances have access to a limited set of API endpoints exposed by the AMS server to submit status information during runtime. Access is authenticated by a scope-limited JWT based token. The token is valid for one year and is signed with a HMAC using SHA-256 (HS256) and a 64 byte secret key. The jwt.New method is used internally to generate the JWT token.

Packages used