Digital Envelope
The enveloped-data content type consists of an encrypted content of any type and encrypted content-encryption keys for one or more recipients.
The combination of the encrypted content and one encrypted content-encryption key for a recipient is a “digital envelope” for that recipient.
Content
The content is encrypted with the content-encryption key.
The data to be protected is padded, then the padded data is encrypted using the content-encryption key.
Content-encryption Key
The content-encryption key for the desired content-encryption algorithm is randomly generated.
Any type of content can be enveloped for an arbitrary number of recipients using any of the three key management techniques for each recipient.
S/MIME and PGP
Both S/MIME and PGP support protecting the encryption/session key using public-key encryption. At the conceptual level, S/MIME and PGP apply. The diagram is an excerpt from Wikipedia and I think that’s why PGP is the answer.
The session key in S/MIME can be exchanged through:
- Key transport by public-key encryption (supported by CA)
- Key agreement
- Shared Key
References
- RFC 3369: Cryptographic Message Syntax (CMS)
- MIME
- S/MIME
- RFC 4134: Examples of S/MIME Messages
- COEN 350 S/MIME
- Chapter 41. Body Encryption and Signing via SMIME
- PKCS
- Understanding S/MIME
- Pretty Good Privacy
- Web of trust