AD RMS: Document protection overview.

What happens when you press the Protect Document button in your MS Office application? And what must already be in place before you can protect a document?

[Image: Protect Document button]

Today I am going to dig a little deeper into this process and show all the steps that stay transparent to end users but MUST be clear to the technical specialist (the RMS administrator).

First of all, the diagram:

[Diagram: How Consume protected document_v.1.0]


Compared with the previous diagrams (AD RMS server activation, for example), this one looks far less scary. In fact the protection process is much simpler than the earlier activation processes on the server and client sides.


The client has completed activation successfully (see the previous post about it) and holds:

  • Client Licensor Certificate (CLC)
  • Service Licensor Certificate (SLC) (public key only)

Let’s protect our document:

1. The AD RMS client generates a RANDOM AES-128 symmetric key. So RMS encryption is a symmetric method: one key is used both to encrypt and to decrypt the content.

2. The client applies the AES-128 symmetric key to the original document (plaintext) and encrypts it. The output is the protected document (ciphertext); with the same key the operation can be reversed and the content decrypted to its original state. That is actually all: the document is protected. Everything that follows is about protecting the symmetric key and handing it over to the recipient safely and securely. From here on we no longer work with the original or encrypted document, only with the symmetric key.

3. The AD RMS client encrypts the symmetric key with the public key from the SLC. From now on only the owner of the SLC private key can decrypt the symmetric key and then use it to decrypt the target encrypted file. The AD RMS server is the owner of the SLC private key, and that key is stored (safely, securely and encrypted) in the SQL DB or on an HSM device (see the AD RMS Root cluster installation post). In other words, the RMS server is the intermediary between document owner and document recipient, and both sides of this communication model trust the AD RMS server.

4. As you can see, Rights Management Server is not just an encryption system: you also grant permissions to end users by assigning rights on a document: allow or prohibit printing, saving, forwarding, copying content, and so on. Two options are available:

4.1. The user creates (indirectly) a list of rights by choosing “Manage Credentials” in the Office application menu. See the first diagram in this post.

4.2. The user applies an existing RMS template with groups/users and rights predefined by the RMS administrator. For example, a template Confidential might deny the right to print the document to the Anyone group.

All these rights are saved in an *.xml file in XrML format.

5. The AD RMS client generates a publish license and puts into it:

  • the list of rights from the previous step, or the RMS template content
  • a copy of the document owner's CLC
  • the encrypted symmetric key

All this data is signed with the CLC private key and encrypted with the SLC public key. So, once again, only the RMS server can decrypt this publish license, nobody else.

6. The AD RMS client merges the publish license with the encrypted document and sends the result to the recipient. By the way, this is why a protected document is bigger than the original file: not because of the encryption, but because of the publishing license. Please note that all these manipulations of the original file (excluding the PREREQUISITES section) require no network connection and no collaboration with any server outside the local system.
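To make steps 1 to 6 concrete, here is an added Go model of the client-side flow (my own illustration, not AD RMS code): a random AES-128 key encrypts the document, that key is wrapped with the SLC public key, and a publish license (rights, owner CLC, wrapped key) is signed with the CLC private key; a small server-side helper then shows that only the SLC private key recovers the content key. It assumes RSA-OAEP, RSA-PSS and AES-GCM as stand-ins for the real RMS algorithms, JSON in place of XrML, freshly generated keys in place of the certificates issued during activation, and it leaves out the extra encryption of the license body to the SLC that the post describes.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
)

// PublishLicense is the step 5 bundle: rights (XrML in AD RMS, JSON here), owner's CLC, wrapped key.
type PublishLicense struct {
	Rights     []string       `json:"rights"`
	OwnerCLC   *rsa.PublicKey `json:"owner_clc"`   // copy of the document owner's CLC public key
	WrappedKey []byte         `json:"wrapped_key"` // AES-128 key under RSA-OAEP with the SLC public key
}
type ProtectedDocument struct{ Nonce, Ciphertext, License, Signature []byte } // step 6: merged output
func must[T any](v T, err error) T { // panics on error to keep the walk-through short
	if err != nil {
		panic(err)
	}
	return v
}
func GenKey() *rsa.PrivateKey { return must(rsa.GenerateKey(rand.Reader, 2048)) } // stand-in for CLC/SLC

// Protect is the client side of steps 1-3 and 5-6: no server contact, only the SLC public key and own CLC.
func Protect(plaintext []byte, rights []string, clc *rsa.PrivateKey, slcPub *rsa.PublicKey) *ProtectedDocument {
	kn := make([]byte, 28) // step 1: 16 random bytes of AES-128 key, then a 12-byte GCM nonce
	must(rand.Read(kn))
	key, nonce := kn[:16], kn[16:]
	ct := must(cipher.NewGCM(must(aes.NewCipher(key)))).Seal(nil, nonce, plaintext, nil) // step 2
	wrapped := must(rsa.EncryptOAEP(sha256.New(), rand.Reader, slcPub, key, nil))       // step 3
	lic := must(json.Marshal(PublishLicense{rights, &clc.PublicKey, wrapped}))        // step 5
	h := sha256.Sum256(lic)
	sig := must(rsa.SignPSS(rand.Reader, clc, crypto.SHA256, h[:], nil)) // signed with the CLC private key
	return &ProtectedDocument{nonce, ct, lic, sig}                        // license is signed, not encrypted here
}

// UnwrapKey previews the server side: verify the CLC signature, then recover the key with the SLC private key.
func UnwrapKey(doc *ProtectedDocument, slc *rsa.PrivateKey) ([]byte, error) {
	var lic PublishLicense
	must(0, json.Unmarshal(doc.License, &lic))
	h := sha256.Sum256(doc.License)
	if err := rsa.VerifyPSS(lic.OwnerCLC, crypto.SHA256, h[:], doc.Signature, nil); err != nil {
		return nil, err // license tampered with, or not signed by the CLC it carries
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, slc, lic.WrappedKey, nil)
}
```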

Read my next post on how the recipient consumes an RMS-protected file. More interesting, more difficult, more complex. )