Tools to Ensure Secure Connection

During the installation of Dr.Web Server, the following tools are created to ensure a secure connection between the components of the anti-virus network:

1.Dr.Web Server private encryption key drwcsd.pri.

It is stored on Dr.Web Server and is not shared with other components of the anti-virus network.

If the private key is lost, the connection between components of the anti-virus network must be restored manually (all keys and certificates must be generated and distributed to all components of the network).

The private key is used as follows:

a)Creating pubic keys and certificates.

The public encryption key and the certificate are automatically generated from the private encryption key during Dr.Web Server installation. Additionally, you can create a new private key or use the existing one (for example, from the previous Dr.Web Server installation). You can also create encryption keys and certificates at any time using the drwsign Dr.Web Server utility (see the Appendices, section G7.1. Digital keys and certificates generation utility).

Information on public keys and certificates is given below.

b)Authenticating Dr.Web Server.

Dr.Web Server is authenticated by remote clients on the basis of an electronic digital signature (once during each connection).

Dr.Web Server digitally signs a message using a private key and sends the message to a client. The client verifies the signature of the received message using the certificate.

c)Decrypting the data.

If the traffic between Dr.Web Server and clients is encrypted, the decryption of the data sent by a client is performed on Dr.Web Server using the private key.

2.Dr.Web Server public encryption key *.pub.

It is available to all components of the anti-virus network. A public key can always be generated from a private key (see above). Each time you generate it from the same private key you will get the same public key.

Starting with Dr.Web Server version 11, a public key is used for connection with previous versions of clients. The rest of the functionality is transferred to a certificate, containing, among other things, a public encryption key.

3.Dr.Web Server certificate drwcsd-certificate.pem.

It is available to all components of the anti-virus network. A certificate contains a public encryption key. Certificates can be generated from a private key (see above). Each time a certificate is generated from the same private key, a new certificate is created.

Clients connected to Dr.Web Server, are associated with a specific certificate, so if a client loses its certificate, it can be restored only if the same certificate is used by another network component: in this case, the certificate can be copied to a client from Dr.Web Server or from the other client.

Certificates are used as follows:

a)Authenticating Dr.Web Server.

Dr.Web Server is authenticated by remote clients based on an electronic digital signature (once during each connection).

Dr.Web Server digitally signs a message using the private key and sends the message to a client. The client verifies the signature of the received message using the certificate (specifically, the public key specified in the certificate). The previous version of Dr.Web Server used the public key directly.

A client must have one or more trusted certificates from Dr.Web Servers to which a client can connect.

b)Encrypting the data.

When the traffic between Dr.Web Server and clients is encrypted, the encryption of the data is performed by a client using a public key.

c)Implementation of a TLS session between Dr.Web Server and remote clients.

d)Authenticating the Proxy Server.

Dr.Web Proxy Server is authenticated by remote clients on the basis of an electronic digital signature (once during each connection).

The Proxy Server digitally signs its certificates using the private key and the certificate of the Dr.Web Server. The client that trusts the Dr.Web Server certificate will automatically trust the certificates signed by it.

4.Web server private key.

It is stored on Dr.Web Server and is not shared with other components of the anti-virus network. Its usage details are given below.

5.Web server certificate.

It is available to all components of the anti-virus network.

It is required to implement a TLS session between a web server and a browser (over HTTPS).

During the Dr.Web Server installation, a self-signed certificate based on the web server's private key is generated which is not accepted by web browsers because it is not issued by a well-known certificate authority.

To ensure a secure connection (HTTPS), you must do one of the following:

•Add the self-signed certificate to Trusted Certificates or to Exclusions for all stations and web browsers on which the Control Center is opened.

•Obtain a certificate signed by a well-known certificate authority.