Streaming

The Anbox Cloud Streaming Stack is based on WebRTC. WebRTC forbids unencrypted communication: media is always carried over SRTP with keys negotiated through DTLS, and data channels run inside a DTLS session. This enforces a baseline level of security that a client cannot switch off.

Communication with the Anbox Stream Gateway uses token-based authentication. A component that needs to talk to the gateway first proves its identity and in return receives a unique access token. For the lifetime of that token, it identifies the service that handles communication between the applications and the gateway.

The overall security of a stream still depends on a secure client implementation. Anbox Cloud's web dashboard is such a client, but other client implementations might have weaknesses of their own. Since encryption is mandatory in WebRTC, however, a client cannot opt out of it, and developers are forced to consider security when implementing a client application.

See A Study of WebRTC Security for a detailed discussion of security features in WebRTC.

Cryptography used by the stream gateway

The Anbox Stream Gateway uses cryptography for:

  • TLS transport encryption

  • Mutual TLS based authentication

  • Token based authentication

TLS transport encryption

All network endpoints exposed by the Anbox Stream Gateway are secured with TLS using a 4096-bit RSA key. The gateway strictly enforces TLS 1.3 or later and provides no backward compatibility with older TLS versions.

Mutual TLS based authentication

To exchange messages with the Anbox Stream Agent through the NATS message queue, the Anbox Stream Gateway relies on a CA certificate, signed with a 4096-bit RSA key, to establish trust with the NATS server over mutual TLS.

Token based authentication

Users can generate API tokens to authenticate against the HTTP API provided by the Anbox Stream Gateway. An API token is a scope-limited Macaroon: it is signed with HMAC-SHA256 (HS256) using a 64-byte secret key and is generated internally with the macaroon.New function of the macaroon library. Note that a Macaroon is not a JWT, even though the same HMAC construction is used, so the token cannot be parsed or verified with JWT tooling.

Packages used

Cryptography used by the stream agent

The Anbox Stream Agent uses cryptography for:

  • TLS transport encryption

  • Mutual TLS based authentication

  • Token based authentication

TLS transport encryption

All network endpoints exposed by the Anbox Stream Agent are secured with TLS using a 4096-bit RSA key. The agent strictly enforces TLS 1.3 or later and provides no backward compatibility with older TLS versions.

Mutual TLS based authentication

The Anbox Stream Agent uses mutual TLS to establish a trusted channel to AMS (the Anbox Management Service) for calling its API. For this it generates its own client certificate with a 4096-bit RSA key, which AMS verifies on every connection.

To exchange messages with the Anbox Stream Gateway through the NATS message queue, the Anbox Stream Agent relies on a CA certificate, signed with a 4096-bit RSA key, to establish trust with the NATS server over mutual TLS.
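To make the two policies above concrete (TLS 1.3 only, plus a client certificate that the server must verify before the peer may call an API), here is a self-contained check written in Go for this page. It is an added example, not Anbox Cloud's code: it mints one self-signed RSA certificate that stands in for the Anbox PKI and uses it as both server and client certificate (the single trust anchor plays the role of the CA that AMS, the gateway and NATS would trust), then runs three handshakes over loopback TCP to show that a TLS 1.2 client and a client without a certificate are rejected while a proper mutual-TLS client is accepted. All function names are the example's own.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)

// mustSelfSignedCert generates an RSA key of the given size and a self-signed
// certificate for "localhost" valid for both server and client authentication.
// The page specifies 4096-bit keys; the size is a parameter only so the check
// can also be run quickly with a smaller key.
func mustSelfSignedCert(bits int) (tls.Certificate, *x509.CertPool) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		DNSNames:              []string{"localhost"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf) // the single trust anchor stands in for the Anbox CA
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool
}

// strictServerConfig expresses the policy on the page: TLS 1.3 only, and every
// peer must present a certificate that chains to the trusted CA pool.
func strictServerConfig(cert tls.Certificate, pool *x509.CertPool) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS13,
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    pool,
	}
}

// tryHandshake runs one handshake over loopback TCP and returns the first error
// from either side. The server side must be checked too: a TLS 1.3 client
// finishes its handshake before the server has validated the client certificate.
func tryHandshake(server, client *tls.Config) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	serverErr := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err != nil {
			serverErr <- err
			return
		}
		defer raw.Close()
		raw.SetDeadline(time.Now().Add(5 * time.Second))
		serverErr <- tls.Server(raw, server).Handshake()
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return err
	}
	defer raw.Close()
	raw.SetDeadline(time.Now().Add(5 * time.Second))
	clientErr := tls.Client(raw, client).Handshake()
	if err := <-serverErr; err != nil {
		return err
	}
	return clientErr
}

// checkPolicy reports whether a TLS 1.2-only client is rejected, whether a
// client without a certificate is rejected, and whether a proper mTLS client succeeds.
func checkPolicy(bits int) (downgradeRejected, noCertRejected, mutualOK bool) {
	cert, pool := mustSelfSignedCert(bits)
	server := strictServerConfig(cert, pool)
	certs := []tls.Certificate{cert}
	downgrade := &tls.Config{RootCAs: pool, ServerName: "localhost", MaxVersion: tls.VersionTLS12, Certificates: certs}
	noCert := &tls.Config{RootCAs: pool, ServerName: "localhost", MinVersion: tls.VersionTLS13}
	mutual := &tls.Config{RootCAs: pool, ServerName: "localhost", MinVersion: tls.VersionTLS13, Certificates: certs}
	return tryHandshake(server, downgrade) != nil, tryHandshake(server, noCert) != nil, tryHandshake(server, mutual) == nil
}
```

Call checkPolicy(4096) from a main or a test; the 4096-bit key generation is what takes the time. The detail worth remembering is that a TLS 1.3 client reports a successful handshake before the server has checked its certificate, so a client-side check alone would report the missing-certificate case as a success; that is why tryHandshake inspects the server's result as well.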

Token based authentication

Individual Anbox instances have access to a limited set of API endpoints exposed by the Anbox Stream Agent, through which they receive commands and exchange WebRTC signaling information with a connecting client. Access is authenticated with a scope-limited Macaroon-based token that confines each instance to its permitted endpoints. The token is signed with HMAC-SHA256 (HS256) using a 64-byte secret key and is generated internally with the macaroon.New function of the macaroon library.
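The scope limitation of both the gateway's API tokens and the agent's instance tokens comes from the Macaroon construction: every caveat is folded into a chained HMAC-SHA256 signature, so a holder can narrow a token but never widen it, and a verifier holding the root key can recompute the whole chain. The Go example below is added for this page and is not Anbox Cloud's code or the macaroon library: it re-implements only the signature chain (the library's macaroon.New additionally derives the key and defines a serialization format), uses a 64-byte root key as on the page, and checks two caveat predicates, `scope = ...` and `time < ...`, that are chosen for the illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Macaroon is a minimal stand-in for the library type: a public identifier,
// the first-party caveats that narrow its scope, and the chained HMAC-SHA256
// signature that binds the identifier and every caveat to the root key.
type Macaroon struct {
	ID      string
	Caveats []string
	Sig     []byte
}

func keyedHash(key, data []byte) []byte {
	h := hmac.New(sha256.New, key)
	h.Write(data)
	return h.Sum(nil)
}

// NewMacaroon mints a token: the initial signature is HMAC(rootKey, id).
func NewMacaroon(rootKey []byte, id string) Macaroon {
	return Macaroon{ID: id, Sig: keyedHash(rootKey, []byte(id))}
}

// AddCaveat attenuates the token. Any holder can add a caveat, because the new
// signature is HMAC(oldSig, caveat); nobody can remove one, because the old
// signature cannot be recovered from the new one. Scope can only shrink.
func (m Macaroon) AddCaveat(predicate string) Macaroon {
	caveats := append(append([]string(nil), m.Caveats...), predicate)
	return Macaroon{ID: m.ID, Caveats: caveats, Sig: keyedHash(m.Sig, []byte(predicate))}
}

// Verify recomputes the chain from the root key, compares it in constant time,
// and only then evaluates every caveat against the request. Unknown caveats fail closed.
func Verify(rootKey []byte, m Macaroon, scope string, now time.Time) error {
	sig := keyedHash(rootKey, []byte(m.ID))
	for _, c := range m.Caveats {
		sig = keyedHash(sig, []byte(c))
	}
	if !hmac.Equal(sig, m.Sig) {
		return errors.New("macaroon: signature mismatch")
	}
	for _, c := range m.Caveats {
		if err := checkCaveat(c, scope, now); err != nil {
			return err
		}
	}
	return nil
}

// checkCaveat understands two predicates constructed for this example:
// "scope = <name>" restricts the token to one API scope, "time < <RFC3339>" expires it.
func checkCaveat(c, scope string, now time.Time) error {
	switch {
	case strings.HasPrefix(c, "scope = "):
		if strings.TrimPrefix(c, "scope = ") != scope {
			return fmt.Errorf("macaroon: caveat %q not satisfied for scope %q", c, scope)
		}
	case strings.HasPrefix(c, "time < "):
		t, err := time.Parse(time.RFC3339, strings.TrimPrefix(c, "time < "))
		if err != nil || !now.Before(t) {
			return fmt.Errorf("macaroon: caveat %q not satisfied", c)
		}
	default:
		return fmt.Errorf("macaroon: unknown caveat %q", c)
	}
	return nil
}

func main() {
	rootKey := make([]byte, 64) // 64-byte secret, as the page specifies
	if _, err := rand.Read(rootKey); err != nil {
		panic(err)
	}
	expiry := time.Now().Add(10 * time.Minute).UTC().Format(time.RFC3339)
	// The issuer restricts the token to one scope; the holder may narrow it further.
	token := NewMacaroon(rootKey, "api-token-42").AddCaveat("scope = session:read").AddCaveat("time < " + expiry)
	fmt.Println("valid request: ", Verify(rootKey, token, "session:read", time.Now()))
	fmt.Println("wrong scope:   ", Verify(rootKey, token, "session:write", time.Now()))
	// Stripping a caveat while keeping the signature is detected.
	stripped := Macaroon{ID: token.ID, Caveats: token.Caveats[:1], Sig: token.Sig}
	fmt.Println("caveat removed:", Verify(rootKey, stripped, "session:read", time.Now()))
}
```

The order inside Verify matters: the signature is checked before any caveat is interpreted, so the verifier never acts on predicates that were not authenticated, and hmac.Equal keeps the comparison constant-time. Because the 64-byte root key is the only secret, it must stay on the verifying side; anyone who can read it can mint tokens with any scope.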

To authenticate with the Coturn TURN server, the Anbox Stream Agent generates short-lived credentials signed with HMAC-SHA1 and a 64-byte secret key that is shared with Coturn, following Coturn's time-limited credential scheme (the TURN REST API). The use of SHA-1 is not a weakness here: HMAC does not rely on the collision resistance of its hash function, and the credentials expire quickly in any case. See RFC 5389 and the Coturn documentation for more details.
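As an added illustration of that credential scheme (not code from Anbox Cloud or Coturn): in Coturn's TURN REST API mode (`use-auth-secret` with a `static-auth-secret`), the username has the form `<expiry unix time>:<user>` and the password is base64(HMAC-SHA1(secret, username)), so the expiry travels inside the credential and the server needs no state beyond the shared secret. The Go block below generates such a credential and performs the server-side check, so both halves of the exchange are visible; the user id and the secret are constructed for the example, and the 64-byte secret length follows the page.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// TurnCredentials builds a time-limited credential in the form Coturn's TURN REST
// API expects: username "<expiry unix time>:<user>", password base64(HMAC-SHA1(secret, username)).
func TurnCredentials(secret []byte, user string, ttl time.Duration, now time.Time) (username, password string) {
	username = strconv.FormatInt(now.Add(ttl).Unix(), 10) + ":" + user
	mac := hmac.New(sha1.New, secret)
	mac.Write([]byte(username))
	password = base64.StdEncoding.EncodeToString(mac.Sum(nil))
	return username, password
}

// VerifyTurnCredentials is the server-side check: parse the expiry from the
// username, reject stale credentials, then recompute the HMAC and compare it in
// constant time. This mirrors what Coturn does when use-auth-secret is enabled.
func VerifyTurnCredentials(secret []byte, username, password string, now time.Time) error {
	parts := strings.SplitN(username, ":", 2)
	if len(parts) != 2 {
		return errors.New("turn: malformed username")
	}
	expiry, err := strconv.ParseInt(parts[0], 10, 64)
	if err != nil {
		return errors.New("turn: malformed expiry")
	}
	if now.Unix() > expiry {
		return errors.New("turn: credential expired")
	}
	got, err := base64.StdEncoding.DecodeString(password)
	if err != nil {
		return errors.New("turn: malformed password")
	}
	mac := hmac.New(sha1.New, secret)
	mac.Write([]byte(username))
	if !hmac.Equal(got, mac.Sum(nil)) {
		return errors.New("turn: bad credential")
	}
	return nil
}

func main() {
	secret := make([]byte, 64) // 64-byte shared secret, as on the page; Coturn gets it as static-auth-secret
	if _, err := rand.Read(secret); err != nil {
		panic(err)
	}
	now := time.Now()
	u, p := TurnCredentials(secret, "anbox-session-7", 10*time.Minute, now)
	fmt.Println("username:", u)
	fmt.Println("password:", p)
	fmt.Println("check now:         ", VerifyTurnCredentials(secret, u, p, now))
	fmt.Println("check after expiry:", VerifyTurnCredentials(secret, u, p, now.Add(11*time.Minute)))
}
```

The credential is only as secret as the channel it travels over; since the agent hands it to a client through the WebRTC signaling path, that path is exactly what the TLS and Macaroon protections above exist to cover. Keep the TTL short: a leaked credential is usable until its embedded expiry, and the server has no revocation list.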

Packages used