

Content Preparation

The Active Directory Rights Management Services (AD RMS) client can encrypt any kind of data by using AES. The content key, which can be chosen by the user or supplied by the AD RMS system, is embedded in the license encrypted under a public key (the server's public key in the issuance license, the user's rights account key in the end-user license), so it never appears in the clear again; only the holder of the matching private key can recover it. The license also records the algorithm that was used to encrypt the content. The license is signed by a licensing authority, whose public key is named in an XrML license that is itself signed by the issuing authority, optionally together with conditions that restrict what that licensing authority may license. The encrypted content and the license can be delivered to the client together or separately.

You can either use the encryption functions provided by the AD RMS client, which requires you to create an issuance license and then request and bind to the end-user license, or you can encrypt the content yourself with CryptoAPI functions and extract the content key for use in the request to sign the issuance license.

The following diagram shows the chain of encryption that ties a computer and user to the encrypted piece of content.

[Diagram: Encryption chain between a computer and user, and a piece of encrypted content]

The key pair associated with a user's rights account certificate is archived by the service that issued it. A user who requests a duplicate rights account certificate, for example on another computer, receives the same key pair rather than a new one, so existing end-user licenses and issuance licenses, whose content keys are encrypted to that public key, remain usable. This is what lets users open their protected content on multiple computers.
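The chain described above, as an added example that is not part of this page or of the AD RMS SDK: a Go program (standard library only) models the issuing authority, the licensing authority, a user's rights account key pair and one piece of content. The content is encrypted with AES-256-GCM under a random content key, the content key is wrapped to the user's public key with RSA-OAEP, the license that carries it is signed by the licensing authority, and the licensing authority's public key is in turn signed by the issuing authority. The consumer verifies the chain top-down and refuses a license whose signature fails, that names an algorithm it does not expect, or whose content key is wrapped to a different rights account key pair. The license layout (algorithm header, wrapped key, nonce), the RSA-PSS and OAEP choices, and all function names are assumptions made for illustration; AD RMS uses XrML licenses and the lockbox, not this layout.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

const algHdr = "AES-256-GCM\x00" // assumed stand-in for the algorithm field of an XrML license

func sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, h[:], nil)
}

func verify(pub *rsa.PublicKey, msg, sig []byte) error {
	h := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, h[:], sig, nil)
}

func aesGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // callers guarantee a 32-byte key, so this is a bug, not bad input
	}
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// publish encrypts content under a fresh AES-256 key, wraps that key to the recipient's (RAC) public key and signs the license.
func publish(content []byte, licensing *rsa.PrivateKey, recipient *rsa.PublicKey) (ct, lic, sig []byte, err error) {
	buf := make([]byte, 32+12)
	rand.Read(buf) // AES-256 key followed by a 96-bit GCM nonce; crypto/rand.Read never returns an error (Go 1.24+)
	key, nonce := buf[:32], buf[32:]
	ct = aesGCM(key).Seal(nil, nonce, content, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, nil)
	if err != nil {
		return
	}
	lic = append(append([]byte(algHdr), wrapped...), nonce...) // assumed layout: header, wrapped key, nonce
	sig, err = sign(licensing, lic)
	return
}

// consume verifies issuing authority -> licensing authority -> license before it unwraps the content key with the user's private key.
func consume(ct, lic, sig []byte, licPub *rsa.PublicKey, certSig []byte, issuerPub *rsa.PublicKey, rac *rsa.PrivateKey) ([]byte, error) {
	der, _ := x509.MarshalPKIXPublicKey(licPub) // the bytes the issuing authority signed
	if err := verify(issuerPub, der, certSig); err != nil {
		return nil, errors.New("licensing authority not certified by issuing authority")
	}
	if err := verify(licPub, lic, sig); err != nil {
		return nil, errors.New("license signature does not verify")
	}
	if len(lic) < len(algHdr)+12 || string(lic[:len(algHdr)]) != algHdr {
		return nil, errors.New("license malformed or names an unsupported algorithm")
	}
	rest := lic[len(algHdr):]
	wrapped, nonce := rest[:len(rest)-12], rest[len(rest)-12:]
	key, err := rsa.DecryptOAEP(sha256.New(), nil, rac, wrapped, nil)
	if err != nil || len(key) != 32 {
		return nil, errors.New("content key is not wrapped to this rights account key")
	}
	return aesGCM(key).Open(nil, nonce, ct, nil)
}

// roundTrip runs the chain end to end, optionally injecting one fault.
func roundTrip(content []byte, fault string) ([]byte, error) {
	issuer, _ := rsa.GenerateKey(rand.Reader, 2048)    // issuing authority
	licensing, _ := rsa.GenerateKey(rand.Reader, 2048) // licensing authority
	rac, _ := rsa.GenerateKey(rand.Reader, 2048)       // user's rights account key pair
	der, _ := x509.MarshalPKIXPublicKey(&licensing.PublicKey)
	certSig, err := sign(issuer, der) // the issuing authority names the licensing authority's key
	if err != nil {
		return nil, err
	}
	ct, lic, sig, err := publish(content, licensing, &rac.PublicKey)
	if err != nil {
		return nil, err
	}
	switch fault {
	case "tamper": // any change to the signed license must be caught before the key is unwrapped
		lic[0] ^= 0x01
	case "other-rac": // a key pair the content key was not wrapped to cannot recover it
		rac, _ = rsa.GenerateKey(rand.Reader, 2048)
	}
	return consume(ct, lic, sig, &licensing.PublicKey, certSig, &issuer.PublicKey, rac)
}

func main() {
	got, err := roundTrip([]byte("constructed sample document"), "") // constructed input
	fmt.Printf("%q %v\n", got, err)
}
```

Run with `go run`; the valid chain prints the recovered content, while `roundTrip(content, "tamper")` and `roundTrip(content, "other-rac")` return the corresponding error before any plaintext is produced. The "other-rac" case is the mirror image of the archival point made above: a second computer can open the content only because it receives the same rights account key pair, not a freshly generated one.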

See Also

About Active Directory Rights Management Services
Encrypting Content by Using CryptoAPI Functions
Encrypting Content by Using AD RMS Functions
Lockboxes
DRMAcquireLicense
DRMGetSignedIssuanceLicense


Build date: 3/13/2008