AD RMS: Document consumption overview.

How does a recipient get access to an RMS-protected file or email? What does the recipient send to the RMS server? How is the symmetric key decrypted, and then the document? This post answers these questions.

The numbering on the diagram below continues from the previous post, where the first 6 steps explained the document protection process. Our recipient (User#2 on the diagram) has somehow received an RMS-protected document: User#2 might have copied it from a network share, received it by email, etc. Because the document is protected with an RMS template, it is not available for any operation unless the corresponding rights were granted in the RMS template or granted directly to this user. Even if an abuser obtains the protected document, they will not be able to open it. How safe is this protection? As safe as RSA 1024 encryption, which is what protects the symmetric key.

User#2 received:

  • The original document, protected with the symmetric key
  • The Publish License (encrypted with the SLC public key and signed with the user’s CLC private key), which contains:
      • The symmetric key, encrypted with the SLC public key
      • The list of rights, expressed in XrML format
      • A copy of the user’s CLC certificate

[Diagram: how a protected document is consumed, part II]



7. The user “unpacks” the protected document and takes out the Publish License.

8. The user sends a copy of their own RAC certificate (as you remember, the RAC is used to identify the user) and the Publish License to the RMS server.

IMPORTANT: the content (the RMS-protected file or email) is never sent to the RMS server. NEVER.

9. The RMS server uses its own private key to decrypt the Publish License and the symmetric key. At this point the RMS server has the symmetric key, but it has not decrypted the content (which is still on User#2’s computer).

10. The RMS server extracts the list of rights from the Publish License and compares it with the user’s identity (the RMS server has the user’s RAC, so it knows exactly who is asking for the right to open the file).

11. The RMS server generates a Use License and puts into it:

  • The symmetric key, protected with the RAC public key. From this point on, only the owner of the RAC private key can decrypt this symmetric key.
  • A new list of rights containing only the entries that apply (e.g. User#2 – Read & Print)
  • The RMS server signs the Use License with its private key (SLC).

12. The RMS server sends the Use License back to the requester (User#2).

13. User#2 (actually the RMS client) retrieves the symmetric key from the Use License and decrypts it with its own CLC private key.

14. Using the symmetric key, the RMS client finally decrypts the document.

15. The user’s rights are applied to the decrypted document. From now on the user can work with the document according to the rights in the Use License (the XrML list of rights).
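The exchange in steps 7 to 14, as an added Python sketch that is not part of the original post and is not AD RMS code. It assumes toy stand-ins (textbook RSA without padding, an XOR keystream cipher) and hypothetical function names and dictionary layouts in place of the real XrML licenses; the client unwraps the key with the private key that matches the RAC public key from step 11.

```python
# Added illustration of steps 7-14. Toy crypto only (textbook RSA, XOR stream);
# names and structures are hypothetical, not AD RMS formats or APIs.
import hashlib, json, secrets

def keypair(p, q, e=65537):
    """Textbook RSA key pair from two primes: returns (public, private)."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def rsa(key, m):
    """Raw modular exponentiation; serves as wrap, unwrap, sign and verify."""
    return pow(m, key[1], key[0])

def xor_stream(k, data):
    """Toy symmetric cipher: XOR with a SHA-256 counter keystream."""
    ks = b"".join(hashlib.sha256(f"{k}:{i}".encode()).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def digest(obj, n):
    """Hash a license body to an integer below the signer's modulus."""
    raw = json.dumps(obj, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(raw).digest(), "big") % n

def protect(doc, rights, slc_pub):
    """Author side (earlier steps): encrypt content, wrap key to the server."""
    k = secrets.randbits(128)
    return xor_stream(k, doc), {"key": rsa(slc_pub, k), "rights": rights}

def issue_use_license(publish_lic, rac, slc_priv):
    """Steps 9-12: the server sees only the Publish License and the RAC."""
    k = rsa(slc_priv, publish_lic["key"])                # step 9
    granted = publish_lic["rights"].get(rac["user"])     # step 10
    if not granted:
        raise PermissionError(f"{rac['user']} has no rights in this license")
    body = {"key": rsa(rac["pub"], k), "rights": {rac["user"]: granted}}
    return {"body": body, "sig": rsa(slc_priv, digest(body, slc_priv[0]))}

def consume(ciphertext, use_lic, rac_priv, slc_pub):
    """Steps 13-14: check the server signature, unwrap the key, decrypt."""
    body = use_lic["body"]
    if rsa(slc_pub, use_lic["sig"]) != digest(body, slc_pub[0]):
        raise ValueError("Use License signature is invalid")
    return xor_stream(rsa(rac_priv, body["key"]), ciphertext), body["rights"]

# Constructed demo keys from known Mersenne primes (far too small for real use).
SLC_PUB, SLC_PRIV = keypair(2**89 - 1, 2**107 - 1)
RAC_PUB, RAC_PRIV = keypair(2**61 - 1, 2**127 - 1)
```

Note that `issue_use_license` never receives the ciphertext, and that a user with no entry in the rights list gets no Use License at all, so the wrapped key is never re-encrypted for them.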

That is all.