DAS: Group Encryption and Brokered Authentication

DAS 5.0.4

DAS is a customer-hosted (on-premise or cloud) web service that performs cryptographic operations (such as decryption, signing, and key agreement) on behalf of properly authenticated users. Typically these users are members of a ‘community of interest’ (COI) or of a group authorized to play a specific organizational role.
DAS services can be configured to permit documents to be decrypted and/or signed only by persons authorized to play a particular organizational role (vice president, HR administrator, etc.). Authentication for website access can also be ‘role-enabled’.

Secure Collaboration
DAS makes it easy to securely share sensitive files and e-mail messages within a ‘community of interest’ (COI). Simply specify the COI certificate when encrypting your documents and only members of the COI, at the time of the access attempt, will be able to decrypt them.

Use Cases for DAS

Providing Confidentiality within a Community of Interest
Sensitive documents are easily shared among the members of a ‘community of interest’ (COI) with a dynamic membership roster

Permiting ‘Role-Based’ Signing
Digitally sign documents using a special ‘role certificate’ and recipients will implicitly know the person was authorized in the role

Facilitating Brokered Authentication
Restrict web service access to a single ‘role certificate’ and control access with DAS

Enabling Privilege Escalation
Utilize the user’s lower privilege, hardware protected, credentials to access information requiring higher privilege credentials. DAS brokers the connection, validating the user’s lower privilege credentials, and, if valid, uses the higher privilege credential to perform the required operation


  • Simplifies management of user, device, and application certificates
  • Lowers costs and reduces complexity of PKI
  • Makes PKI users and administrators happy
  • May be easily deployed and managed
  • Appropriate for organizations of any size, scaling up to millions of users and services
  • Uses NIST CMVP-validated FIPS 140-2 cryptography and today’s proven standards, including ANSI X.509 and IETF PKIX, TLS, and S/MIME

Technical Specifications

  • Complies with NIST FIPS 140-2 Level 1 requirements (when used with ISC’s software cryptographic module); keys may be optionally protected by employing a third party HSM directly or via the DAS HSM Proxy
  • Supports RSA and ECC for COI and DAS server keys, and is compatible with all leading X.509 Certificate Authorities
  • Generates up to 8192-bit RSA and up to 571-bit ECDSA self-signed certificates, and PKCS#10 requests
  • Performs RSA decryption, RSA signature, ECDSA signature, and ECDH key agreement operations
  • Includes a REST-based management API enabling integration into existing or custom PKI workflows
  • Supports SHA-256, SHA-384, and SHA-512
  • Maintains audit trails of all actions

System Requirements

  • Windows Server 2012 R2 or above
  • CentOS 6.7 x86-64 (Linux Kernel 2.6.32-573) or above
  • 4GB RAM, 50GB Disk, CPU w/RDRAND instruction
  • Java Runtime Environment 1.8 or higher
  • PostgreSQL, HyperSQL, or Oracle database