This section contains the following topics:
Sealing is the process of transforming plaintext content into encrypted and signed content. The sealing process adds metadata, signs this metadata and encrypts the content. The result of this transformation is called sealed content. Sealed content can be opened only with Oracle IRM Desktop, the Oracle IRM client application. Oracle IRM Desktop checks the digital signature, decrypts the content, and maintains the protection of the sealed content while in use. One of the other changes currently made during sealing is to alter the file extension. For example, a sealed HTML document has a stml file extension rather than a html or htm file extension. Oracle IRM Desktop identifies sealed content using these different file extensions.
The metadata added to sealed content is called the public header. It is a human-readable XML document that appears near the top of the sealed content. The public header is digitally signed so that tampering of sealed content can be detected by Oracle IRM Desktop.
The public header contains a section called the classification. The classification is used by the Oracle IRM Desktop to determine whether the authenticated user can access the sealed content. Rights are expressed in terms of the classification, for example John can access all Top Secret classified content. The classification also includes information about which server (Oracle IRM Server) to contact for rights, and which cryptography keys were used to seal the content.
To allow content to be classified in different ways, the classification contains a section of XML data called the classification cookie. The classification cookie contains data that is used by Oracle IRM Desktop and the Oracle IRM J2EE application to associate rights with content. The data contained in the classification cookie is defined by the classification system.
Sealed content that uses the context classification system has a classification cookie that contains a UUID value (to identify a context) and an item code that identifies the document. This allows rights to be expressed either at the context level or for a particular document (for example, John can access any document sealed to context Top Secret or Mary can access the top secret document named secrets.sdoc).
Additional data can be tagged to sealed content using custom metadata. Custom metadata can be added by third party systems that perform sealing. This allows tamper proof metadata to be added to sealed content, which in turn can be extracted by these applications. For example, a content management system could add additional properties to the sealed content, such as the original author or document version.
Oracle IRM Desktop also uses custom metadata when displaying the poster page for sealed movies. When movie content is sealed the poster page can be specified as custom metadata.
Sealed content contains a version number called the content schema. This version number helps the Oracle IRM Desktop determine what features are supported in the sealed content.
Sealed content contains a record of when the content was first sealed and when subsequent edits were made.
The following XML document is an example of a public header one might see in an HTML document sealed against the Top Secret context.
<?xml version="1.0" ?>
<content:PublicHeader xmlns:content="http://xmlns.oracle.com/irm/content">
<contentDescription>
<schema>
<schemaVersion>
<version>6.0</version>
</schemaVersion>
</schema>
<classification>
<id>588403f9-9cff-4cce-88e4-e030cc57282a</id>
<system>
<uuid>37c8da32-5420-4146-816c-27f63de27250</uuid>
</system>
<keySet>
<uuid>213f8f65-c5d1-4868-9fff-ad156daa2dd6</uuid>
</keySet>
<uri>http://irm.example.com/irm_desktop</uri>
<classifications:ContextCookie xmlns:classifications="http://xmlns.oracle.com/irm/classifications">
<context>
<uuid>588403f9-9cff-4cce-88e4-e030cc57282a</uuid>
</context>
<itemCode>
<value>example.stml</value>
</itemCode>
</classifications:ContextCookie>
<classificationTime>2008-02-01T13:00:00.000+01:00</classificationTime>
<labels>
<locale>en</locale>
<name>Top Secret</name>
</labels>
</classification>
<customData>
<uuid>2b8cd20a-d4f5-47b6-9097-d12547f2b707</uuid>
<acme>
<author>John Smith</author>
<version>2</version>
</acme>
</customData>
<creationTime>2009-01-01T12:00:00.000+01:00</creationTime>
<editTime>2009-01-01T12:00:00.000+01:00</editTime>
<sealedMime>application/vnd.sealedmedia.softseal.html</sealedMime>
<unsealedSize>2367</unsealedSize>
</contentDescription>
<iv>d2hhdCB3aWxsIHByaW50IG91dA==</iv>
<sessionKey>SGVsbG8gTW9vbiBNb25rZXk=</sessionKey>
<publicHeaderPeriod>1024</publicHeaderPeriod>
<encryptedContentBlockSize>16384</encryptedContentBlockSize>
</content:PublicHeader>
The following is an example snippet of the encrypted section of a sealed file.
O£´—ä#Dmbg...l]>:z÷ýëËܲXçÚÔÞôü•›@ÓªÝ˙fl¤Ð3
Jòo|(0r8Cª3OÁJV'˛™ýZ{÷²VŠ˚Âl§o*ÒàY¢ä)èµRTÑ
‹› -€î†ê$<óóPVëcϬ®þÒ,œ- A-:n«HC"±>œUNµ´®î
#•⌊Ã×¾[Ò@»"C¯V¼@WL¼mÏÀG§ú)ê{Ô=Ya®fýÂÔظoLP
'dúÏ"w)<.1äÊÅb‹ Ë1flIJñu㌯':îŸ.}eTSñpåÕ@J
�;¯Y•u,‹˚¦R¢hZ_1qeÏD&hú§ŒF+wsè\¡˛'Ë'éðñÚGÃ
Unsealing is the process of taking sealed content and extracting the original, plaintext content. Unsealing can be considered the reverse process of sealing. Unsealing is typically used when content no longer requires Oracle IRM protection or when the content needs to be processed by a third party system, for example an application producing a search index for sealed content.
Peeking is the process of extracting the classification and custom metadata from sealed content. The process is called peeking because the process examines only the public header of the sealed content, not the encrypted data. Peeking is typically used to identify the classification of the sealed content without opening or viewing the content. Peeking can also check the digital signature: this is called validated peek. Peeking of this form requires the cryptography keys to be available to the caller, which typically means the authenticated user must have rights to open the sealed content.
Resealing is the process of saving a sealed file with some modifications. Oracle IRM Desktop allows certain formats, such as Microsoft Office, to be edited in sealed form: the process of saving edits is called resealing.
Reclassifying sealed content is the process of altering the classification of the sealed content. Reclassification usually means re-signing and re-encrypting the content as most classifications have their own set of cryptography keys. Reclassifying is typically used when content changes sensitivity (for example, a top secret document becomes a company confidential document).