RMS FAQ: Certificates, Keys, and Encryption

Applies To: Windows Server 2000, Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

RMS Certificates, Keys, and Encryption FAQ

  • What encryption algorithms are used in RMS?

  • For publishing licenses or templates that grant permissions to a distribution list rather than individual users, are use licenses handled differently in order to dynamically evaluate the members?

  • When RMS is used from a kiosk, a temporary rights account certificate (RAC) is issued. How is a temporary RAC different from a standard RAC? How does RMS detect it is being used on a kiosk?

  • When is a temporary RAC used?

  • Does RMS issue X.509v3 Certificates?

  • Where are XrML certificates stored?

  • Where is the machine private/public key pair stored?

  • Where is the client private/public key pair stored?

  • AES is a symmetric algorithm. How are the keys passed securely between the server and the user?

What encryption algorithms are used in RMS?

RMS uses 1024-bit RSA key pairs for the RMS server, and 1024-bit RSA key pairs for the user and the machine. The content itself is encrypted with a symmetric (AES) key, as described in the last question below.

For publishing licenses or templates that grant permissions to a distribution list rather than individual users, are use licenses handled differently in order to dynamically evaluate the members?

Use licenses are always issued to individual users. If a publishing license or template names a group, RMS evaluates group membership at the time of use license issuance. If the user requesting the license is a member of the named group, the use license is issued to the user's identity.

When RMS is used from a kiosk, a temporary rights account certificate (RAC) is issued. How is a temporary RAC different from a standard RAC? How does RMS detect it is being used on a kiosk?

The RMS-enabled application must determine whether the RMS client should request a temporary or a standard RAC for the user. There is no detection method for this situation. Microsoft Office 2003 is an example of an RMS-enabled application that allows the user to select the appropriate RAC.

The main difference between a temporary RAC and a standard RAC lies in the presence of the user security identifier (SID) and in how the validity period is specified. Temporary RACs do not include the user SID and have a validity period specified in minutes; the default validity period for a temporary RAC is 15 minutes. Standard RACs, however, do include the user SID and have a validity period specified in days; the default validity period for a standard RAC is 365 days.

When is a temporary RAC used?

A temporary RAC is designed to enable a user to consume RMS-protected content on computers that meet any of the following criteria:

  • A computer that is not a member of the same forest as the RMS installation from which the RAC was obtained.

  • A computer that is not a member of the same forest where the user account is located.

  • The user is not assured of using the same computer at a later time.

Examples of computers that fit these criteria can be found in airport terminals, public libraries, and Internet cafés.

Does RMS issue X.509v3 Certificates?

No. RMS issues XrML certificates intended to represent users and a policy expression that is beyond the scope of X.509v3 certificates.

Where are XrML certificates stored?

An RMS system uses the following certificates and licenses that are saved in XrML on the client computer.

  • Machine Certificate

    File name: CERT-Machine.drm

    Location: %USERPROFILE%\Local Settings\Application Data\Microsoft\DRM

  • Rights account certificate

    File name prefix: GIC

    Location: %USERPROFILE%\Local Settings\Application Data\Microsoft\DRM

  • Client licensor certificate

    File name prefix: CLC

    Location: %USERPROFILE%\Local Settings\Application Data\Microsoft\DRM

  • Use license

    File name prefix: EUL

    Location: %USERPROFILE%\Local Settings\Application Data\Microsoft\DRM

Note

A user account has a single machine certificate, GIC file, and CLC file, but multiple EUL files, one for each piece of content that has been accessed.

Note

For the RMS client integrated with Windows Vista®, the location is %USERPROFILE%\AppData\Local\Microsoft\DRM.
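The following program is an added example, not part of the FAQ or of the RMS client, that inventories the client certificate store described above. It looks in the two locations the FAQ gives (pre-Vista and Vista), classifies each file by the documented name or prefix (CERT-Machine.drm, GIC, CLC, EUL), and warns when the shape departs from the note above (exactly one machine certificate, one GIC and one CLC per profile, any number of EULs). The category labels, the case-insensitive prefix match, and the "other" bucket for undocumented files are this example's own choices.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// candidateStores returns the DRM folder locations listed in the FAQ: the
// pre-Vista path first, then the Windows Vista path.
func candidateStores() []string {
	profile := os.Getenv("USERPROFILE")
	return []string{
		filepath.Join(profile, "Local Settings", "Application Data", "Microsoft", "DRM"),
		filepath.Join(profile, "AppData", "Local", "Microsoft", "DRM"),
	}
}

// Classify maps a file name in the DRM folder to the certificate or license
// type the FAQ documents. The match is case-insensitive (an assumption of this
// example); undocumented names are reported as "other".
func Classify(name string) string {
	upper := strings.ToUpper(name)
	switch {
	case upper == "CERT-MACHINE.DRM":
		return "machine certificate"
	case strings.HasPrefix(upper, "GIC"):
		return "rights account certificate"
	case strings.HasPrefix(upper, "CLC"):
		return "client licensor certificate"
	case strings.HasPrefix(upper, "EUL"):
		return "use license"
	}
	return "other"
}

// Summarize counts each type and flags departures from the expected shape:
// one machine certificate, one RAC and one CLC per user profile. Use licenses
// are not checked, since there is one per piece of content opened.
func Summarize(names []string) (map[string]int, []string) {
	counts := map[string]int{}
	for _, n := range names {
		counts[Classify(n)]++
	}
	var warnings []string
	for _, kind := range []string{"machine certificate", "rights account certificate", "client licensor certificate"} {
		if c := counts[kind]; c != 1 {
			warnings = append(warnings, fmt.Sprintf("expected 1 %s, found %d", kind, c))
		}
	}
	return counts, warnings
}

// InventoryStore summarizes the first candidate folder that can be read.
func InventoryStore() (string, map[string]int, []string, error) {
	for _, dir := range candidateStores() {
		entries, err := os.ReadDir(dir)
		if err != nil {
			continue
		}
		var names []string
		for _, e := range entries {
			if !e.IsDir() {
				names = append(names, e.Name())
			}
		}
		counts, warnings := Summarize(names)
		return dir, counts, warnings, nil
	}
	return "", nil, nil, errors.New("no RMS client store found under %USERPROFILE%")
}

func main() {
	dir, counts, warnings, err := InventoryStore()
	if err != nil {
		fmt.Println(err)
		return
	}
	fmt.Println("store:", dir)
	for kind, n := range counts {
		fmt.Printf("  %-28s %d\n", kind, n)
	}
	for _, w := range warnings {
		fmt.Println("  warning:", w)
	}
}
```

Run it under the user account whose store you want to inspect; a second GIC or a missing CERT-Machine.drm is worth a look, since both indicate the client has been re-activated or the profile store tampered with or corrupted.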

Where is the machine private/public key pair stored?

The machine private key is securely stored, protected by cryptographic keys related to the user’s logon credentials and computer configuration.

Where is the client private/public key pair stored?

The key pair for a user account is stored in the rights account certificate.

AES is a symmetric algorithm. How are the keys passed securely between the server and the user?

Symmetric and public/private keys are both used in the system. The content is encrypted with a symmetric key, but the other keys in the system (user, machine, and server) are RSA public/private key pairs. The symmetric content key is never sent in the clear; it is always encrypted inside the licenses, either to the RMS server's RSA public key in the publishing license or to the user's RSA public key in the use license.
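The program below is an added example, not RMS code and not the XrML license format, that walks through the key flow described in this answer and in the group-membership answer above: the author encrypts content with a fresh symmetric key and wraps that key to the server's public key (publishing license); the server checks the requesting user against the named principals, expanding group membership at issuance time, unwraps the key and rewraps it to the user's public key (use license, bound to the individual user); the user unwraps it and decrypts. The license structs, the `groups` map standing in for the directory lookup, AES-256-GCM for content, RSA-OAEP for key wrapping, and 2048-bit keys (the FAQ states 1024-bit for the original product) are all choices of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Stand-ins (this example's own, not the XrML format) for the two license types.
type PublishingLicense struct {
	WrappedContentKey []byte   // content key, RSA-OAEP to the server's public key
	Nonce, Ciphertext []byte   // AES-256-GCM output for the content
	Principals        []string // users or groups granted access
}

type UseLicense struct {
	User              string // the license is bound to an individual user
	WrappedContentKey []byte // the same content key, RSA-OAEP to that user's public key
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// newKey: the FAQ states RMS used 1024-bit RSA; this example uses 2048-bit keys.
func newKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	check(err)
	return k
}

func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	check(err)
	gcm, err := cipher.NewGCM(block)
	check(err)
	return gcm
}

// Publish (author side): a fresh symmetric key encrypts the content, and that key leaves the author only wrapped to the server.
func Publish(serverPub *rsa.PublicKey, content []byte, principals []string) *PublishingLicense {
	buf := make([]byte, 32+12) // AES-256 content key followed by a 96-bit GCM nonce
	_, err := rand.Read(buf)
	check(err)
	key, nonce := buf[:32], buf[32:]
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, key, nil)
	check(err)
	return &PublishingLicense{wrapped, nonce, newGCM(key).Seal(nil, nonce, content, nil), principals}
}

// isMember expands group membership at issuance time; groups stands in for the directory lookup.
func isMember(user string, principals []string, groups map[string]map[string]bool) bool {
	for _, p := range principals {
		if p == user || groups[p][user] {
			return true
		}
	}
	return false
}

// IssueUseLicense (server side): evaluate the policy now, unwrap with the server key, rewrap to the user only.
func IssueUseLicense(serverPriv *rsa.PrivateKey, pl *PublishingLicense, user string,
	userPub *rsa.PublicKey, groups map[string]map[string]bool) (*UseLicense, error) {
	if !isMember(user, pl.Principals, groups) {
		return nil, fmt.Errorf("use license denied for %s", user)
	}
	key, err := rsa.DecryptOAEP(sha256.New(), nil, serverPriv, pl.WrappedContentKey, nil)
	if err != nil {
		return nil, err
	}
	rewrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, userPub, key, nil)
	check(err)
	return &UseLicense{User: user, WrappedContentKey: rewrapped}, nil
}

// Consume (user side): only the user's private key unwraps the content key; it never travels in the clear.
func Consume(userPriv *rsa.PrivateKey, pl *PublishingLicense, ul *UseLicense) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, userPriv, ul.WrappedContentKey, nil)
	if err != nil {
		return nil, err
	}
	return newGCM(key).Open(nil, pl.Nonce, pl.Ciphertext, nil)
}

func main() {
	server, alice := newKey(), newKey()
	pl := Publish(&server.PublicKey, []byte("Q3 forecast"), []string{"finance"})
	ul, err := IssueUseLicense(server, pl, "alice", &alice.PublicKey, map[string]map[string]bool{"finance": {"alice": true}})
	check(err)
	plaintext, err := Consume(alice, pl, ul)
	check(err)
	fmt.Printf("%s reads %q\n", ul.User, plaintext)
}
```

Two properties of the FAQ's design fall out of the code: the server needs its private key only to re-wrap, never to see or store plaintext content, and a use license handed to one user is useless to another because the wrapping targets that user's RSA key.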