PKCS#7
What is PKCS#7?
PKCS#7: A binary format for packaging signed and/or encrypted data, standardised by the IETF as Cryptographic Message Syntax (CMS) in RFC 5652.
PKCS#7, originally defined by RSA Laboratories, describes how to wrap arbitrary data inside cryptographically protected structures: SignedData, EnvelopedData, EncryptedData, DigestedData, and AuthenticatedData. The IETF re-issued it as the Cryptographic Message Syntax (CMS) in RFC 5652 with successive updates such as RFC 8933 (algorithm protection). CMS is ASN.1-encoded in DER and forms the basis of S/MIME (RFC 8551), code-signing (Authenticode, Apple notarisation), timestamping (RFC 3161), document signing (PAdES) and certificate-bag formats. Detached signatures (.p7s) and certificate-only bundles (.p7b/.p7c) are common file-level uses. CMS supports modern algorithms via RFC 8419 (EdDSA), RFC 5754 (SHA-2) and RFC 8769 (AES-GCM).
● Examples
- 01
An S/MIME-signed email whose signature is carried as a detached .p7s SignedData blob.
- 02
A Windows Authenticode-signed binary embeds a PKCS#7 SignedData structure in its PE header.
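As an added illustration (not part of the original entry), the Python sketch below walks the structure described above: it reads the outer ContentInfo, maps the contentType OID to the CMS structure names, and for SignedData reports the version and whether eContent is absent, as in a detached .p7s. The helper names and the sample bytes are constructed for this example, and it assumes strict DER input, so indefinite-length encodings are rejected.

```python
# Added example, not the page's code: helper names and SAMPLE are constructed.
P7 = "1.2.840.113549.1.7."  # pkcs-7 arc; contentType OIDs as assigned in RFC 5652
CONTENT_TYPES = {P7 + "1": "Data", P7 + "2": "SignedData", P7 + "3": "EnvelopedData",
                 P7 + "5": "DigestedData", P7 + "6": "EncryptedData",
                 "1.2.840.113549.1.9.16.1.2": "AuthenticatedData"}
# SAMPLE: a SignedData with no eContent, certificates or signers.
SAMPLE = bytes.fromhex("302306092a864886f70d010702a0163014020101"
                       "3100300b06092a864886f70d0107013100")

def read_tlv(buf, pos):  # -> (tag, value bytes, offset of next element)
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("indefinite or oversized length; strict DER assumed")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("length runs past end of input")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):  # base-128 arcs; the first value packs two arcs
    vals, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            vals.append(value)
            value = 0
    first = min(vals[0] // 40, 2)
    return ".".join(map(str, [first, vals[0] - 40 * first] + vals[1:]))

def describe_cms(der):
    tag, content_info, _ = read_tlv(der, 0)
    oid_tag, oid, pos = read_tlv(content_info, 0)
    if tag != 0x30 or oid_tag != 0x06 or not oid:
        raise ValueError("not a ContentInfo: expected SEQUENCE { OID, ... }")
    dotted = decode_oid(oid)
    info = {"oid": dotted, "type": CONTENT_TYPES.get(dotted, "unknown")}
    if info["type"] == "SignedData":
        _, wrapped, _ = read_tlv(content_info, pos)  # [0] EXPLICIT wrapper
        _, sd, _ = read_tlv(wrapped, 0)              # SignedData SEQUENCE
        _, ver, p = read_tlv(sd, 0)                  # version INTEGER
        _, _, p = read_tlv(sd, p)                    # digestAlgorithms SET
        _, encap, _ = read_tlv(sd, p)                # encapContentInfo
        _, _, q = read_tlv(encap, 0)                 # eContentType OID
        info.update(version=int.from_bytes(ver, "big"), detached=q == len(encap))
    return info
```

Calling `describe_cms(SAMPLE)` reports a version 1 SignedData with no encapsulated content. Signature verification is out of scope here and belongs in a maintained CMS library.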
● Frequently asked questions
What is PKCS#7?
A binary format for packaging signed and/or encrypted data, standardised by the IETF as Cryptographic Message Syntax (CMS) in RFC 5652. It belongs to the Cryptography category of cybersecurity.
How do you defend against PKCS#7?
Defences for PKCS#7 typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for PKCS#7?
Common alternative names include: CMS, Cryptographic Message Syntax, p7s, p7b.