Friday, February 23, 2007

Trusted Chain of Keys

It is true that no one knows everything about a technology, but it helps to have a background in the backend dependency components. When it comes to RMS there is no denying it: you must understand key encryption, the various encryption strengths, and how they are used in conjunction with RMS. I will attempt to explain how RMS uses these components, and also explain the various licenses (PL/UL).

On the RMS Client side
  • Public and private key pairs are used for the RMS Machine Certificate, RAC, and CLC.
  • The lockbox (a secure DLL that exists on each RMS client) encrypts the private key of the machine certificate.
  • The public key of the machine certificate is used to encrypt the RAC (which is unique for each user and machine).
  • The public key of the RAC is then used to encrypt the CLC. The RMS server's public key is also stored along with the CLC, for offline publishing and for creation of the PL (Publishing License).

On the RMS server side you have the Server Licensor Certificate. The SLC is also a private and public key pair. The private key of the SLC is encrypted either with a software-based password that is provided during RMS provisioning, or with an HSM (nCipher, etc.).

All users and computers are assigned public and private key pairs based on the RSA standard, while all content is encrypted with AES symmetric keys (the AES key is stored in the PL and is referred to in RMS as the content key). RMS uses XrML certificates, not X.509.
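The key chain in the client list above and the content-key sentence here describe the same pattern: a symmetric content key protects the document, and that key is itself protected with the RSA public key of the party that will later hand out licenses. The following Go program is an added example, not code from the original post or from RMS itself; it models a publishing license as a small struct (a real PL is an XrML document) and uses AES-256-GCM and RSA-OAEP as stand-ins for the exact algorithms and formats RMS uses. Names such as `PublishingLicense`, `Publish` and `Consume` are assumptions for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// PublishingLicense is a constructed, simplified stand-in for an RMS PL.
// Only the fields that matter for the key chain are kept.
type PublishingLicense struct {
	WrappedContentKey []byte // AES content key encrypted with RSA-OAEP to the licensor's public key
	Nonce             []byte // AES-GCM nonce used for the content
	Ciphertext        []byte // the protected document
}

// Publish protects content the way the post describes: a fresh AES-256 content
// key encrypts the document, and that key is stored in the license encrypted
// with the RSA public key of whoever will later issue use licenses.
func Publish(licensorPub *rsa.PublicKey, content []byte) (*PublishingLicense, error) {
	contentKey := make([]byte, 32) // 32 bytes = AES-256
	if _, err := rand.Read(contentKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(contentKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, licensorPub, contentKey, nil)
	if err != nil {
		return nil, err
	}
	return &PublishingLicense{
		WrappedContentKey: wrapped,
		Nonce:             nonce,
		Ciphertext:        gcm.Seal(nil, nonce, content, nil),
	}, nil
}

// Consume is the licensor side: only the matching RSA private key can unwrap
// the content key, and only the unwrapped key can decrypt the content. GCM also
// rejects ciphertext that has been altered.
func Consume(licensorPriv *rsa.PrivateKey, pl *PublishingLicense) ([]byte, error) {
	contentKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, licensorPriv, pl.WrappedContentKey, nil)
	if err != nil {
		return nil, errors.New("content key unwrap failed: wrong private key or altered license")
	}
	block, err := aes.NewCipher(contentKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	plain, err := gcm.Open(nil, pl.Nonce, pl.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("content decryption failed: ciphertext altered")
	}
	return plain, nil
}

func main() {
	serverKey, err := rsa.GenerateKey(rand.Reader, 2048) // plays the role of the SLC key pair
	if err != nil {
		panic(err)
	}
	pl, err := Publish(&serverKey.PublicKey, []byte("constructed sample document"))
	if err != nil {
		panic(err)
	}
	plain, err := Consume(serverKey, pl)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered: %s\n", plain)

	// A different key pair, however valid, cannot unwrap the content key.
	otherKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	if _, err := Consume(otherKey, pl); err != nil {
		fmt.Println("other key:", err)
	}
}
```

The point to take from the example is that the AES content key never travels in the clear: it is only ever readable by the holder of the private key it was wrapped to, which is why protecting the SLC private key (password or HSM, as described above) is the root of trust for every document published to that server.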

Digital signatures are used as well and provide assurance that data has not changed, giving tamper evidence for document protection (all certificates and licenses are digitally signed). A digital signature uses a one-way hash, which reduces a document to a unique number, often referred to as a document fingerprint. This hash value changes if any of the content is changed. Some examples of hash algorithms include SHA-1 and MD5.
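To show the fingerprint-then-sign step concretely, here is an added Go example (not code from the original post or from RMS): a license is reduced to a SHA-256 fingerprint, the fingerprint is signed with the issuer's RSA private key (the role the SLC key plays for RMS licenses), and verification against the public key fails as soon as a single byte of the license changes or a different issuer's key is used. SHA-256 is used instead of the SHA-1 and MD5 mentioned above because both of those are no longer collision-resistant; the function names and the sample license text are assumptions for this example.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Fingerprint reduces a document or license to its SHA-256 digest, the
// "document fingerprint" the post describes, as a hex string.
func Fingerprint(doc []byte) string {
	sum := sha256.Sum256(doc)
	return hex.EncodeToString(sum[:])
}

// SignLicense signs the fingerprint (not the whole document) with the issuer's
// RSA private key using the PSS scheme.
func SignLicense(issuerPriv *rsa.PrivateKey, license []byte) ([]byte, error) {
	digest := sha256.Sum256(license)
	return rsa.SignPSS(rand.Reader, issuerPriv, crypto.SHA256, digest[:], nil)
}

// VerifyLicense recomputes the fingerprint and checks the signature with the
// issuer's public key. Any change to the license bytes, or a signature made by
// a different issuer, makes this return false.
func VerifyLicense(issuerPub *rsa.PublicKey, license, sig []byte) bool {
	digest := sha256.Sum256(license)
	return rsa.VerifyPSS(issuerPub, crypto.SHA256, digest[:], sig, nil) == nil
}

func main() {
	slc, err := rsa.GenerateKey(rand.Reader, 2048) // stands in for the SLC key pair
	if err != nil {
		panic(err)
	}
	// Constructed sample license; a real RMS license is an XrML document.
	license := []byte(`<license><right>VIEW</right><user>alice@example.test</user></license>`)
	sig, err := SignLicense(slc, license)
	if err != nil {
		panic(err)
	}
	fmt.Println("original  fingerprint:", Fingerprint(license), "valid:", VerifyLicense(&slc.PublicKey, license, sig))

	// Changing one right in the license changes the fingerprint and breaks the signature.
	tampered := bytes.ReplaceAll(license, []byte("VIEW"), []byte("EDIT"))
	fmt.Println("tampered  fingerprint:", Fingerprint(tampered), "valid:", VerifyLicense(&slc.PublicKey, tampered, sig))
}
```

The verifier never needs the private key, only the issuer's public key and the license bytes, which is what lets an RMS client check a license it received without contacting the server.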

1 comment:

Negi said...

Thanks for the great information; you write it very cleanly. I am very lucky to get these tips from you.

commercial document destruction