Overview
Complementing SecretAgent (release 5.9 and above), ISC's leading file encryption utility, DAS† allows sensitive documents to be securely shared among the frequently changing members of one or more Communities of Interest (CoIs). Once a document is encrypted for a particular CoI (or for the union of several CoIs), it can only be decrypted by a current member of that group. Documents need not be re-encrypted as group membership rosters change -- DAS figures out in real time who should have access to a given document.
NEW! DAS 1.7 supports dynamic LDAP groups as well as static ones when used with SecretAgent 5.9 and above. Forthcoming SecretAgent 6.0 clients will allow documents to be encrypted for arbitrary intersections (of unions) of static and dynamic LDAP groups.
DoD Evaluation and User Comments
ISC's SecretAgent DAS interoperability demonstration project (IT 03.09) for CWID 2006 has been judged a "top performing technical solution" and is listed among the top twelve "standout" projects in the final report. The conclusion was that "DAS successfully secured and shared documents and files among established COI." On the issue of performance, they wrote:
"The Document Access Servlet (DAS), IT03.09, was an excellent product to control access to mass circulated documents. DAS provides a significant improvement to control access in this modern era for documents re-transmitted to offices not authorized to view the enclosed data. The trial worked consistently well and issues encountered were easy to troubleshoot and solve. Most issues related to system configuration, setup, and MSEL execution not [negatively impact] product performance. The DAS trial met the CWID objective for Net-centric Enterprise Services."
Here is what a few of the participating warfighters had to say about the demo:
"... I was very impressed with the technology's capabilities and envision operational employment within the HLD/HLS environment."
"The versatility and utility of this product make this a viable technology for advancement."
"Seems like a very simple and transparent application. Just the kind of thing a warfighter needs."
"Enjoyable and easy to do. The Secret Agent DAS program was extremely easy to learn and operate."
"This is one of the smoothest operating trials I had."
The complete Warfighter/Operator Report is here, while the complete Technical Interoperability Assessment is here.
How DAS Works †
Regardless of where it's stored, when a user attempts to decrypt an archive owned by (i.e., encrypted for) a particular CoI, their SecretAgent client automatically establishes a TLS-secured session with the appropriate DAS webserver. DAS accepts a decryption request from the client and applies one of several configurable authentication mechanisms to check the user's membership in that CoI.

If DAS determines that the user is currently a CoI member, it processes the request and returns a document decryption key to the client; otherwise, the request is denied. (Actually, a document might be encrypted for a number of ordinary recipients as well as a set of CoIs, so that the above process might be repeated until either a CoI membership test is passed or the user is found to possess the private key of one of the ordinary recipients.)
If a document has been encrypted for more than one CoI, a user need only be a member of one of them to decrypt that document.
SecretAgent DAS provides a web-based administrative interface for all system configuration, key management, and CoI maintenance tasks. Administrators can easily grant or deny users access to large numbers of sensitive files using centrally-managed CoI membership rosters based on DAS' own integrated certificate database, an organization's existing LDAP repository, or on any authentication mechanism provided by a third party.
"SecretAgent DAS provides a solution to a mission critical problem encountered by a wide range of organizations," said ISC President Thomas J. Venn. "Once sensitive files have been encrypted for a group, DAS ensures that those files can only be decrypted by current members of that group." Use of such a server-mediated decryption process means that no wholesale re-keying of documents is required each time a group membership roster changes.
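The key-release decision described in this section can be modeled in a few lines; this is an added illustration, not ISC's code or the DAS wire protocol. It shows that a roster change alters who receives the document key while the archive itself is never re-encrypted. Assumptions: the archive header carries one wrapped copy of the document key per CoI, the HMAC-based wrap is a standard-library stand-in for a real key-wrap algorithm, the user is already authenticated, ordinary recipients are omitted, and all names are hypothetical.

```python
import hashlib, hmac, secrets

def _stream(key, nonce, n):
    # HMAC-SHA256 in counter mode as a keystream (stand-in, not a production key wrap).
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def wrap(kek, doc_key):
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(doc_key, _stream(kek, b"enc" + nonce, len(doc_key))))
    tag = hmac.new(kek, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap(kek, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(kek, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrapped key failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _stream(kek, b"enc" + nonce, len(ct))))

class KeyReleaseServer:
    """Hypothetical model of a server that releases document keys to current CoI members."""
    def __init__(self):
        self.coi_keys = {}  # CoI name -> system key (the kind of key an HSM would protect)
        self.rosters = {}   # CoI name -> set of current members

    def create_coi(self, name, members):
        self.coi_keys[name] = secrets.token_bytes(32)
        self.rosters[name] = set(members)

    def wrap_for(self, coi, doc_key):
        return wrap(self.coi_keys[coi], doc_key)

    def request_key(self, user, header):
        # header: {CoI name: wrapped document key}; membership in any one CoI suffices.
        for coi, blob in header.items():
            if user in self.rosters.get(coi, ()):
                return unwrap(self.coi_keys[coi], blob)
        return None  # not a current member of any owning CoI: request denied

def demo():
    srv = KeyReleaseServer()
    srv.create_coi("ops", {"alice"})   # constructed sample rosters
    srv.create_coi("intel", {"bob"})
    doc_key = secrets.token_bytes(32)
    header = {c: srv.wrap_for(c, doc_key) for c in ("ops", "intel")}  # written once
    users = ("alice", "bob", "carol")
    before = [srv.request_key(u, header) == doc_key for u in users]
    srv.rosters["ops"].discard("alice")  # roster changes; header is untouched
    srv.rosters["intel"].add("carol")
    after = [srv.request_key(u, header) == doc_key for u in users]
    return before, after
```

Because the decision is made at request time, revocation only affects future requests: a client that already received a document key before being removed from the roster still holds it.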
Optional Hardware Support
A network-attached hardware security module (HSM) may be used by one or more DAS servers to protect their system keys. The HSM may be directly connected over the network to the DAS servers, or indirectly connected via an optional proxy server:

Additional Information
SecretAgent DAS 1.7 Architecture Diagram
SecretAgent DAS 1.7 HSM Proxy Architecture Diagram
† Patent pending.