Encryption With RMS
Microsoft's Rights Management Services (RMS) is an encryption system for protecting sensitive corporate information. Technology makes it easy for someone with authorized access to confidential material to duplicate and share it. RMS encryption can set a limit on how long the material is available. It controls who can access the material and whether they can modify it or only read it.
RMS
The RMS system generates certificates identifying individuals or entities authorized to publish or read encrypted content. An individual with a certificate decides who can see or use material she creates and under what conditions. To bind the conditions to the document, the creator requests an RMS publishing license. RMS validates the license request and then generates a symmetric key encrypting the content. The symmetric key is only one layer of encryption.
Encryption
In addition to the symmetric key, RMS also provides each creator with a private encryption key and a machine-specific key for the particular computer he works on. Microsoft receives a public key that pairs up with each private key. RMS uses 1024-bit RSA keys for the public/private key pairs and for the RMS server that stores certificates, user IDs and other security data. RSA stands for the last names of the men who developed the encryption algorithm.
Access
When a user requests content access, the RMS licensing server checks to confirm that it's a legitimate request. If the request is valid, the server decrypts the symmetric key and then re-encrypts it with the user's public key. The user receives a certificate authorizing him to read the material. The certificate includes an encrypted private key, which the user decrypts using the machine key. The user's private key then decrypts the symmetric key, which makes the content readable.
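A toy model of the key hierarchy and access flow described here and under Encryption, added as an illustration and not Microsoft's code: it assumes textbook RSA over two known Mersenne primes (no padding) and a SHA-256 counter keystream as stand-ins for the real ciphers, and an explicit expiry in the license.

```python
"""Toy model of the RMS key layering: content key -> user public key,
user private key -> machine key. Standard library only; demo ciphers."""
import hashlib
import os

# Textbook RSA over two known Mersenne primes; demo only (the text says
# real RMS uses 1024-bit RSA). n is ~188 bits, enough to wrap a 128-bit key.
P, Q, E = 2**127 - 1, 2**61 - 1, 65537
N = P * Q

def rsa_keypair():
    d = pow(E, -1, (P - 1) * (Q - 1))       # assumes Python 3.8+
    return (N, E), (N, d)

def rsa_wrap(pub, key16):                   # wrap the 16-byte content key
    n, e = pub
    return pow(int.from_bytes(key16, "big"), e, n)

def rsa_unwrap(priv, wrapped):
    n, d = priv
    return pow(wrapped, d, n).to_bytes(16, "big")

def stream_xor(key, data):                  # SHA-256 counter keystream (demo)
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def publish(content, reader_pub, rights, expires_at):
    """Creator binds conditions; RMS generates the symmetric content key."""
    content_key = os.urandom(16)
    lic = {"rights": rights, "expires_at": expires_at,
           "wrapped_key": rsa_wrap(reader_pub, content_key)}   # per-user wrap
    return stream_xor(content_key, content), lic

def open_content(ciphertext, lic, machine_key, enc_priv, now):
    """Reader: machine key unlocks private key, which unwraps the content key."""
    if now > lic["expires_at"]:
        return None, "license expired"
    d = int.from_bytes(stream_xor(machine_key, enc_priv), "big")
    content_key = rsa_unwrap((N, d), lic["wrapped_key"])
    return stream_xor(content_key, ciphertext), lic["rights"]

def demo(now):
    pub, priv = rsa_keypair()
    machine_key = os.urandom(16)            # the machine-specific key
    enc_priv = stream_xor(machine_key, priv[1].to_bytes(24, "big"))
    ct, lic = publish(b"Q3 memo: confidential", pub, "read-only", 2000)
    return open_content(ct, lic, machine_key, enc_priv, now)

if __name__ == "__main__":
    print(demo(now=1000))
```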
Considerations
Even without encryption, RMS and RMS-aware applications limit access to material to what the creator allows. Without encryption, however, applications that aren't RMS-aware, such as Microsoft Notepad, can access protected content. When a user accesses material from a machine that doesn't have its own key -- a home computer or a library computer, for instance -- she can request a temporary authorization certificate that will decrypt the material for a short while.