PKCS#7 enveloped-data

PKCS#7 enveloped-data (now part of CMS – Cryptographic Message Syntax, RFC 5652) is a standard format for encrypting data for one or more recipients using public-key cryptography.

What It Does

The following describes what Chilkat does internally:

• Encrypt data once with a random symmetric key (e.g., AES)
• Then encrypt that symmetric key separately with each recipient’s RSA public key
• Package all of it into a single binary structure

  ---

Structure of Enveloped-Data

• Encrypted Content: The original data encrypted with a symmetric cipher.
• RecipientInfos: A list, one for each recipient, containing:
  • Recipient’s identifier (e.g., certificate issuer/serial)
  • The symmetric key encrypted with the recipient’s RSA public key

    ---

How Decryption Works

Any recipient who has the private key corresponding to one of the encrypted keys can:

1. Decrypt their copy of the symmetric key.
2. Use it to decrypt the actual content.

   ---

Use Cases

• Secure email (S/MIME)
• Secure file exchange
• Encrypting data for multiple recipients in one package

  ---

Summary

PKCS#7 enveloped-data is a secure container that encrypts content once, and lets multiple recipients decrypt it individually using their own private keys.