Definition of PKCS #7 in The Network Encyclopedia.

What is PKCS #7?

Also called the Cryptographic Message Syntax Standard, a cryptographic standard from RSA Security for the exchange of digital certificates in public key cryptography. PKCS #7 specifies the syntax of digital certificates and other encrypted information - specifically, the method by which data is encrypted and digitally signed, as well as the algorithms involved.

How It Works

You can use PKCS #7 to encrypt two types of data:

  • Base data:
    Data that has not been encrypted and contains no cryptographic enhancements such as hashes or digital signatures.


  • Enhanced data:
    Data that is encrypted or contains cryptographic enhancements or both. Enhanced content encapsulates one form of content within another.


A variety of content types are defined by the PKCS #7 standard, including the following:

  • Data:
    String of bytes or octets.


  • Signed data:
    Data along with an encrypted message digest. A message digest is the value produced when a hashing algorithm is applied to data. (The terms “digest” and “hash” are synonymous.) The message digest is used by the recipient to confirm that the original message was not tampered with during transit and to validate the identity of the sender.


  • Enveloped data:
    Encrypted data plus the public key that can decrypt the data. You use this method to keep the contents of the message secret from all but trusted recipients.


  • Signed-and-enveloped data:
    Encrypted content with its public key and doubly encrypted message digest.


  • Digested data:
    Data plus a message digest.


  • Encrypted data alone:
    The public key for decrypting the data must be transmitted by some other mechanism in this case.


When you use PKCS #7 to sign data, it usually includes the signing certificates, a list of relevant certificate revocation lists, and any other certificates in the certification path. If you use PKCS #7 to encrypt data, it usually includes references to the issuer and the serial number of the certificate that is associated with the public key that can be used to decrypt the encrypted data.

PKCS #7 supports additional features, such as the following:

  • Recursion, in which a digital envelope is enclosed in a digital envelope, which is enclosed in another digital envelope, and so on
  • Time-stamping of encrypted messages and digital signatures
  • Counter-signatures and user-defined attributes

See also: