This documentation is archived and is not being maintained.

Security Services Provided by CMS/PKCS #7 

CMS/PKCS #7 provides the ability to implement several security services into an application. A security service is some type of data protection, and is independent of the mechanism or cryptographic algorithm by which it is implemented.

Data encryption is provided through digital envelopes. This security service provides a high probability that only an intended recipient can read that message. The digital envelope encrypts a message for a set of recipients. The main class that provides digital enveloping is the EnvelopedCms class. For more information, see EnvelopedCms Message.

Entity authentication and data integrity are provided through digital signatures. These security services provide a high probability that an entity claiming to be the author or sender of a message is indeed that entity, and that the data has not been modified since it was signed. The entity can be a person, a software application, or any other source with a unique identity.

A set of signers can digitally sign a message. In addition, each signature can have a set of countersignatures. The main class that provides digital signing is the SignedCms class. For more information, see SignedCms Message.

The previously mentioned security services can be combined to give entity authentication, data integrity, and data confidentiality. This is done by both digitally signing and digitally enveloping a message. Although these mechanisms may be applied in either order, it might be advantageous to first sign a message and then envelope it. In that case, you can justify that the signed data was intelligible because it was not yet encrypted. For more information, see Enveloped and Signed CMS/PKCS #7 Message.

Both digitally signed and digitally enveloped messages can also carry attributes. Attributes effectively extend the security services that CMS/PKCS #7 provides. For example, the time that a message was digitally signed can be included in a SignedCms message. Including signing time might help to satisfy a requirement to implement nonrepudiation. It is a security service that helps prevent the author or sender of a message from later denying writing or sending it. For more background information about attributes, see Components of a CMS/PKCS #7 Message .

See Also