How RMS Protects Content

Applications can encrypt protected content so that it is readable only with the permission of Windows Rights Management Services (RMS). This illustration shows how an author adds protection to a document in Word 2003 Professional Edition.

(1) Using the Word Protect Document task pane, the author specifies which rights other users and groups will have to the document. For example, the author might specify that users can edit the document only if they are members of the Legal group, either by explicitly associating certain rights with certain users or by applying a template created by the user’s IT organization. Users can be specified by e-mail address, or users and groups can be picked from Active Directory.

(2) Word requests a publishing license for the content from the RMS client, specifying the rights each user and group should have. Rights are encoded in the Extensible Rights Markup Language (XrML), an XML-based language for describing digital rights.

(3) The RMS client generates a new content key and encrypts the content with the key. It then builds a publishing license for the content, which includes the rights and the content key. The content key in the license is encrypted with the RMS server’s public key so that only the RMS server can access it. The RMS client also digitally signs the license with the user’s Client Licensor Certificate, a digital certificate previously issued to the user by an RMS server; this certificate allows the user to publish protected content. The client returns the encrypted content and the publishing license to Word.