PKCS#7
What is PKCS#7?
A binary format for packaging signed and/or encrypted data, standardised by the IETF as Cryptographic Message Syntax (CMS) in RFC 5652.
PKCS#7, originally defined by RSA Laboratories, describes how to wrap arbitrary data inside cryptographically protected structures: SignedData, EnvelopedData, EncryptedData and DigestedData; its IETF successor added AuthenticatedData. The IETF re-issued it as the Cryptographic Message Syntax (CMS) in RFC 5652, with later updates such as RFC 8933 (protecting the algorithm identifiers under the signature). CMS structures are ASN.1, encoded in BER or DER (signed attributes must be DER so that the bytes the signature covers are unambiguous), and they form the basis of S/MIME (RFC 8551), code signing (Authenticode, Apple notarisation), timestamping (RFC 3161), document signing (PAdES, which embeds CAdES/CMS signatures in PDF) and certificate-bag formats. Detached signatures (.p7s) and certificate-only bundles (.p7b/.p7c) are common file-level uses; a certificate-only bundle is a degenerate SignedData with no digest algorithms and no signers. Algorithm support is added by companion RFCs, for example RFC 5754 (SHA-2), RFC 8419 (EdDSA) and RFC 5084 (AES-GCM and AES-CCM authenticated encryption).
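The structure described above is easiest to see by walking the DER. The following is an added example, not code from the page or from any standard's reference implementation: a pure-Python ContentInfo walker that reports the content type, the digest algorithms (flagging MD5 and SHA-1 as weak), whether a SignedData is detached (no eContent) or attached, and how many certificates, CRLs and SignerInfos it carries. The two sample builders construct a detached SignedData and a certs-only bundle with placeholder fields: the signer identifier, the 32 zero signature bytes and the empty-SEQUENCE "certificates" are stand-ins, not real signatures or X.509 certificates. Function names and report keys are the example's own.

```python
# Minimal DER walker for CMS / PKCS#7 ContentInfo. Added example; OIDs from RFC 5652, RFC 5754, PKCS#1.
CONTENT_TYPES = {
    "1.2.840.113549.1.7.1": "data", "1.2.840.113549.1.7.2": "signedData",
    "1.2.840.113549.1.7.3": "envelopedData", "1.2.840.113549.1.7.5": "digestedData",
    "1.2.840.113549.1.7.6": "encryptedData", "1.2.840.113549.1.9.16.1.2": "authenticatedData",
}
DIGESTS = {
    "1.2.840.113549.2.5": "md5", "1.3.14.3.2.26": "sha1", "2.16.840.1.101.3.4.2.1": "sha256",
    "2.16.840.1.101.3.4.2.2": "sha384", "2.16.840.1.101.3.4.2.3": "sha512",
}
WEAK_DIGESTS = {"md5", "sha1"}
OID_DATA, OID_SIGNED, OID_RSA = "1.2.840.113549.1.7.1", "1.2.840.113549.1.7.2", "1.2.840.113549.1.1.1"
SHA256, MD5 = "2.16.840.1.101.3.4.2.1", "1.2.840.113549.2.5"

# ---- DER encoding: just enough to build the sample blobs below ----
def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body
def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body
def der_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:  # base-128, continuation bit set on all but the last byte
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))
def der_int(n: int) -> bytes:  # non-negative only; the extra byte keeps the sign bit clear
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

# ---- DER parsing ----
def read_tlv(buf: bytes, pos: int = 0):  # (tag, body, end); single-byte tags, definite lengths
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0:
            raise ValueError("indefinite length is BER, not DER")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length
def children(body: bytes):
    out, pos = [], 0
    while pos < len(body):
        tag, inner, pos = read_tlv(body, pos)
        out.append((tag, inner))
    return out
def parse_oid(body: bytes) -> str:
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, value = arcs + [value], 0
    return ".".join(map(str, arcs))
def inspect_cms(der: bytes) -> dict:
    tag, body, _ = read_tlv(der)
    parts = children(body) if tag == 0x30 else []
    if len(parts) != 2 or parts[0][0] != 0x06 or parts[1][0] != 0xA0:
        raise ValueError("not a ContentInfo: SEQUENCE { OID, [0] EXPLICIT content }")
    oid = parse_oid(parts[0][1])
    report = {"contentType": CONTENT_TYPES.get(oid, oid)}
    if report["contentType"] != "signedData":
        return report
    fields = children(read_tlv(parts[1][1])[1])  # the SignedData SEQUENCE
    report["version"] = int.from_bytes(fields[0][1], "big")
    algs = [parse_oid(children(a)[0][1]) for _, a in children(fields[1][1])]
    report["digestAlgorithms"] = [DIGESTS.get(o, o) for o in algs]
    report["weakDigests"] = [d for d in report["digestAlgorithms"] if d in WEAK_DIGESTS]
    encap = children(fields[2][1])  # eContentType, then optional [0] eContent
    report["eContentType"] = CONTENT_TYPES.get(parse_oid(encap[0][1]), "other")
    report["detached"] = len(encap) == 1  # no eContent: the signature covers external data
    report.update(certificates=0, crls=0, signerInfos=0)
    for t, b in fields[3:]:  # optional [0] certificates, [1] crls, then SET OF SignerInfo
        key = {0xA0: "certificates", 0xA1: "crls", 0x31: "signerInfos"}.get(t)
        if key:
            report[key] = len(children(b))
    return report

# ---- Constructed samples: placeholder signer and certificate fields, not real signatures ----
def sample_signed_data(digest_oid=SHA256, detached=True, content=b"constructed payload"):
    alg = tlv(0x30, der_oid(digest_oid) + b"\x05\x00")  # AlgorithmIdentifier with NULL parameters
    encap = der_oid(OID_DATA) + (b"" if detached else tlv(0xA0, tlv(0x04, content)))
    sid = tlv(0x30, tlv(0x30, b"") + der_int(1))  # issuerAndSerialNumber: empty Name, serial 1
    signer = tlv(0x30, der_int(1) + sid + alg + tlv(0x30, der_oid(OID_RSA) + b"\x05\x00")
                 + tlv(0x04, b"\x00" * 32))  # 32 zero bytes stand in for the signature value
    body = der_int(1) + tlv(0x31, alg) + tlv(0x30, encap) + tlv(0x31, signer)
    return tlv(0x30, der_oid(OID_SIGNED) + tlv(0xA0, tlv(0x30, body)))
def sample_certs_only(certs):  # shape of a .p7b: degenerate SignedData, no digests, no signers
    body = (der_int(1) + tlv(0x31, b"") + tlv(0x30, der_oid(OID_DATA))
            + tlv(0xA0, b"".join(certs)) + tlv(0x31, b""))
    return tlv(0x30, der_oid(OID_SIGNED) + tlv(0xA0, tlv(0x30, body)))
```

Running `inspect_cms(sample_signed_data())` reports a detached, SHA-256 SignedData with one signer; passing `digest_oid=MD5, detached=False` makes the walker flag the weak digest and report the embedded content; `sample_certs_only([tlv(0x30, b""), tlv(0x30, b"")])` shows the degenerate .p7b shape. Fed a real .p7s or .p7b read from disk, the same walker answers the first questions a verifier has to ask (which content type, which digests, whether the data is inside or outside the blob) before any signature check; it deliberately does not verify signatures, which needs a full X.509 chain build and a proper ASN.1 library.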
● Examples
- 01
An S/MIME-signed email whose signature is carried as a detached .p7s SignedData blob.
- 02
A Windows Authenticode-signed binary carries a PKCS#7 SignedData structure in its attribute certificate table, which is appended to the file and located through the security data directory entry in the PE optional header.
● Frequently asked questions
What is PKCS#7?
A binary format for packaging signed and/or encrypted data, standardised by the IETF as Cryptographic Message Syntax (CMS) in RFC 5652. It belongs to the Cryptography category of cybersecurity.
What does PKCS#7 mean?
A binary format for packaging signed and/or encrypted data, standardised by the IETF as Cryptographic Message Syntax (CMS) in RFC 5652.
How does PKCS#7 work?
PKCS#7 and its CMS successor (RFC 5652) wrap data in ASN.1 structures: SignedData, EnvelopedData, EncryptedData, DigestedData and, in CMS, AuthenticatedData. A SignedData carries the digest algorithms used, the content (or, for a detached signature, only its type), optional certificates and CRLs, and one or more SignerInfos; each signature is computed over the DER-encoded signed attributes, which include the message digest of the content. The full description above lists the formats (S/MIME, Authenticode, RFC 3161 timestamps, PAdES) and the algorithm RFCs built on it.
What should you check when consuming PKCS#7?
PKCS#7 is a container format rather than a threat, so the question is how to verify it safely: check the signature against the content and confirm that the signed message-digest attribute matches the data actually being accepted; build and validate the signer's certificate chain to a trusted root instead of trusting certificates carried inside the blob; reject weak digest and signature algorithms such as MD5 and SHA-1; and parse the ASN.1 with a well-tested library, treating malformed encodings as verification failures rather than trying to recover from them.
What are other names for PKCS#7?
Common alternative names include CMS and Cryptographic Message Syntax; the file extensions .p7s (detached signature) and .p7b/.p7c (certificate bundle) are also used to refer to it.
● Related terms
- cryptography№ 065
ASN.1
Abstract Syntax Notation One: an ITU-T standard (X.680 series) that describes data structures used in cryptography and telecoms in a language-independent way.
- cryptography№ 811
PEM Format
A textual encoding for cryptographic objects (keys, certificates, CRLs) defined by RFC 7468 that wraps Base64-encoded DER in BEGIN and END header lines.
- cryptography№ 830
PKCS#12
A password-protected file format (.pfx / .p12) that bundles a private key with its certificate chain, standardised by RFC 7292.
- cryptography№ 321
Digital Signature
A public-key cryptographic mechanism that proves the authenticity, integrity and non-repudiation of a message or document.
- network-security№ 955
S/MIME
An IETF standard for end-to-end signing and encryption of MIME email messages using X.509 certificates issued by a public or enterprise CA.