PKCS #7 Cryptographic Messaging Syntax Concepts

The CryptoAPI message functions adhere to PKCS #7 Cryptographic Message Syntax (CMS) Standard. Developers need to be familiar with this specification to most effectively use the low-level message functions. A few of its definitions are highlighted here.

The PKCS #7 standard describes a general syntax for data that may have cryptography applied to it, such as digital signatures and digital envelopes. The syntax admits recursion, so that, for example, one envelope can be nested inside another, or one party can sign digital data that has already been put into an envelope. It also allows arbitrary attributes, such as signing time, to be authenticated along with the content of a message. Further, it provides for other attributes, such as countersignatures, to be associated with a signature.

The type of data contained in a PKCS #7 message is called its content type. There are two classes of content types: Base and Enhanced.

  • Base content types contain only data with no cryptographic enhancements. Presently there is only one content type in this class, the data content type.
  • Enhanced content types contain data of some type (possibly encrypted), and other cryptographic enhancements (such as hashes or signatures).

The content in the Enhanced class employs encapsulation, giving rise to the terms outer content (the one containing the enhancements) and inner content (the one being enhanced). For example, an Enhanced class might contain the data content type (Base class) that has a signature included with it. In this case, the data content type is the inner content and the combination of the data content type and the signature forms the outer content.

The content types defined in the PKCS #7 standard are as follows.

Content typeDescription
DataAn octet (BYTE) string.
Signed DataContent of any type and encrypted message hashes (digests) of the content for zero or more signers.
Enveloped DataEncrypted content of any type and encrypted content-encryption keys for one or more recipients. The combination of encrypted content and encrypted content-encryption key for a recipient is a digital envelope for that recipient.
Signed-and-Enveloped DataEncrypted content of any type, encrypted content-encryption keys for one or more recipients, and doubly encrypted message digests for one or more signers. The double encryption consists of an encryption with a signer's private key followed by an encryption with the content-encryption key.
Digested DataContent of any type and a message hash (digest) of the content.
Encrypted DataEncrypted content of any type. Unlike the enveloped-data content type, the encrypted-data content type has neither recipients nor encrypted content-encryption keys. Keys are assumed to be managed by other means.


Note  Throughout the PKCS #7 specification, the terms digest and digested refer to the value produced from applying a hashing algorithm to data. This documentation uses the terms hash and hashed for the same purpose. For example, the data type used with the low-level message functions is called hashed rather than digested. For the purposes of this documentation, the two sets of terms may be used interchangeably.