|
Tools to Ensure Secure Connection |
|
At the Dr.Web Server installation, the following tools are created to ensure the secure connection between components of the anti-virus network: 1.The Dr.Web Server private encryption key drwcsd.pri. Stored at Dr.Web Server and is not passed to other components of the anti-virus network. If the private key is lost, the connection between components of the anti-virus network must be restored manually (create all the keys and certificates and also propagate them to all components of the network). The private key is used in the following ways: a)Creating pubic keys and certificates. The public encryption key and the certificate are created automatically from the private encryption key during the Dr.Web Server installation. At this, the private key can be either newly created or used existing (for example, from the previous Dr.Web Server installation). Also encryption keys and certificates can be created at any time using the drwsign Dr.Web Server utility (see the Appendices document, p. H7.1. Digital Keys and Certificates Generation Utility). Information on public keys and certificates is given below. b)The Dr.Web Server authentication. Dr.Web Server is authenticated by remote clients on the basis of an electronic digital signature (once within each connection). Dr.Web Server performs the digital sign of a message by a private key and sends the message to a client. A client checks the signature of a received message using the certificate. c)Decrypting the data. When the traffic between Dr.Web Server and clients are encrypted, the decryption of the data sent by a client is performed at Dr.Web Server using the private key. 2.The Dr.Web Server public encryption key *.pub. Available to all components of the anti-virus network. A public key can always be generated from a private key (see above). At each creation from the same private key you will get the same public key. Starting from the version 11 of Dr.Web Server, a public key is used for connection with previous versions of clients. The rest of the functionality is transferred to a certificate, which, among other things, contains a public encryption key. 3.The Dr.Web Server certificate drwcsd-certificate.pem. Available to all components of the anti-virus network. Certificate contains a public encryption key. Certificate can be generated from a private key (see above). At each creation from the same private key you will get a new certificate. Clients connected to Dr.Web Server, are bind to a specific certificate, so if the certificate is lost on client, it can be restored only if the same certificate is used by any other network component: in this case, certificate can be copied to a client from Dr.Web Server or from the other client. Certificate is used in the following ways: a)The Dr.Web Server authentication. Dr.Web Server is authenticated by remote clients on the basis of an electronic digital signature (once within each connection). Dr.Web Server performs the digital sign of a message by a private key and sends the message to a client. A client checks the signature of a received message using the certificate (particularly, a public key specified in the certificate). In the previous version of Dr.Web Server, to do this, a public key was used directly. A client must have one or several trusted certificates from Dr.Web Server to which a client can be connected. b)Encrypting the data. When the traffic between Dr.Web Server and clients are encrypted, the encryption of the data is performed by a client using a public key. c)Implementation of a TLS session between Dr.Web Server and remote clients. d)The Proxy Server authentication. Dr.Web Proxy Server is authenticated by remote clients on the basis of an electronic digital signature (once within each connection). The Proxy Server performs the digital sign of its certificates by a private key and a certificate of the Dr.Web Server. The client which trusts Dr.Web Server certificate will be automatically trust to certificates that are signed by it. 4.Web server private key. Stored at Dr.Web Server and is not passed to other components of the anti-virus network. Usage details are given below. 5.Web server certificate. Available to all components of the anti-virus network. Required to implement a TLS session between web server and a browser (over HTTPS). At the Dr.Web Server installation, on the basis of a private key of a web server, self-signed certificate is generated that will not be accepted by web browsers because it was not released by a well-known certification authority. To make a secure connection (HTTPS) available, you must perform one of the following: •Add a self-signed certificate to trusted certificates or to exclusions for all stations and web browsers on which the Control Center is opened. •Get a certificate signed by a well-known certification authority. |