Tools to Ensure Secure Connection |
At Dr.Web Server installation, the following tools are created to ensure the secure connection between components of the anti-virus network: 1.The Server private encryption key drwcsd.pri. Is stored at the Server and is not passed to other components of the anti-virus network. If the private key is lost, the connection between components of the anti-virus network must be restored manually (create all the keys and certificates and also propagate them to all components of the network). The private key is used in the following ways: a)Creating pubic keys and certificates. The public encryption key and the certificate are created automatically from the private encryption key during the Server installation. At this, the private key can be either newly created or used existing (for example, from the previous Server installation). Also encryption keys and certificates can be created at any time using the drwsign Server utility (see the document, p. H9.1. Digital Keys and Certificates Generation Utility). Information on public keys and certificates is given below. b)The Server authentication. The Server is authenticated by remote clients on the basis of an electronic digital signature (once within each connection). The Server performs the digital sign of a message by a private key and sends the message to a client. A client checks the signature of a received message using the certificate. c)Decrypting the data. When the traffic between the Server and clients are encrypted, the decryption of the data sent by a client is performed at the Server using the private key. 2.The Server public encryption key drwcsd.pub. Is available to all components of the anti-virus network. A public key is always can be generated from a private key (see above). At each creation from the same private key you will get the same public key. Starting from the version 11 of the Server, a public key is used for connection with previous versions of clients. The rest of the functionality is transferred to a certificate, which, among other things, contains a public encryption key. 3.The Server certificate drwcsd-certificate.pem. Is available to all components of the anti-virus network. Certificate contains a public encryption key. Certificate can be generated from a private key (see above). At each creation from the same private key you will get a new certificate. Clients connected to the Server, are bind to a specific certificate, so if the certificate is lost on client, it can be restored only if the same certificate is used by any other network component: in this case, certificate can be copied to a client from the Server or from the other client. Certificate is used in the following ways: a)The Server authentication. The Server is authenticated by remote clients on the basis of an electronic digital signature (once within each connection). The Server performs the digital sign of a message by a private key and sends the message to a client. A client checks the signature of a received message using the certificate (particularly, a public key specified in the certificate). In the previous version of the Server, to do this, a public key was used directly. A client must have one or several trusted certificates from the Server to which a client can be connected. b)Encrypting the data. When the traffic between the Server and clients are encrypted, the encryption of the data is performed by a client using a public key. c)Implementation of a TLS session between the Server and remote clients. d)The Proxy server authentication. Dr.Web Proxy server is authenticated by remote clients on the basis of an electronic digital signature (once within each connection). The Proxy server performs the digital sign of its certificates by a private key and a certificate of the Dr.Web Server. The client which trusts Dr.Web Server certificate will be automatically trust to certificates that are signed by it. 4.Web server private key. Is stored at the Server and is not passed to other components of the anti-virus network. Usage details are given below. 5.Web server certificate. Is available to all components of the anti-virus network. Is used to implement a TLS session between web server and a browser (over HTTPS). At the Server installation, on the basis of a private key of a web server, self-signed certificate is generated that will not be accepted by web browsers because it was not released by a well-known certification authority. To make a secure connection (HTTPS) available, you must perform on of the following: •Add a self-signed certificate to trusted certificates or to exclusions for all stations and web browsers on which the Control Center is opened. •Get a certificate signed by a well-known certification authority. |