Digital Envelope

The enveloped-data content type consists of an encrypted content of any type and encrypted content-encryption keys for one or more recipients.

The combination of the encrypted content and one encrypted content-encryption key for a recipient is a “digital envelope” for that recipient.

Content

The content is encrypted with the content-encryption key.

The data to be protected is padded, then the padded data is encrypted using the
content-encryption key.

Content-encryption Key

The content-encryption key for the desired content-encryption algorithm is randomly generated.

Any type of content can be enveloped for an arbitrary number of recipients using any of the three key management techniques for each recipient.

Source: RFC 3369: Cryptographic Message Syntax (CMS)

S/MIME and PGP

Both S/MIME and PGP support protecting the encryption/session key using the public-key encryption. At the conceptual level, S/MIME and PGP apply. The diagram is an excerpt from Wikipedia and I think that’s why PGP is the answer.

The session key in S/MIME can be exchanged through:

1. Key transport by public-key encryption (supported by CA)
2. Key agreement
3. Shared Key

References

• RFC 3369: Cryptographic Message Syntax (CMS)
• MIME
• S/MIME
• RFC 4134: Examples of S/MIME Messages
• COEN 350 S/MIME
• Chapter 41. Body Encryption and Signing via SMIME
• PKCS
• Understanding S/MIME
• Pretty Good Privacy
• Web of trust