LEADTOOLS Medical | Help Version 17.0.3.22
Adding Security to a DICOM Connection

Based on the ISCL standards, LEADTOOLS provides support for adding security in the following areas:

Computer/Entity Authentication

Before establishing a DICOM Associate connection between two computers, each computer should "authenticate" the other computer. This ensures that both computers are legitimate, and are qualified to have access to the information that may be transferred. This is accomplished through mutual authentication. A more detailed description of this process can be found in either General Integrated Secure Communication Layer (ISCL) Information, or the "MEDIC-DC STANDARDS for Integrated Secure Communication Layer Protocols V 1.00".

A specific mode can be used for the mutual authentication process. This is set using the DicomNet.SetIsclMutualAuthenticationAlgorithm method. Currently only the "Three-pass-four-way" mode is used. During the mutual authentication process, authentication data, an authentication key and an index for the authentication key are used to authenticate one entity to another. The authentication data used for this process can be set using the DicomNet.SetIsclAuthenticationData method.

In addition, during the mutual authentication process an index into an array of authentication keys is used to further authenticate an entity. The authentication keys for both the client and the server must be the same. These keys can be set in the array using the DicomNet.SetIsclMutualAuthenticationKey method. An index is used to specify which key in the array should be used for authentication. This index is set using the DicomNet.SetIsclIndexForMutualAuthentication method. To determine the current index of the key to use for authentication, call the DicomNet.GetIsclIndexForMutualAuthentication method.

Confidentiality

Once two computers have authenticated each other, they can begin transferring messages and data between them. The confidentiality of these transfers is maintained by encrypting the data sent over the communication channel. Currently LEADTOOLS supports the two options in the ISCL standard: no encryption, or DES encryption in cipher block chaining mode. The encryption mode can be set using the DicomNet.SetIsclDefaultEncryptionMode method.

In addition, during the encryption/decryption process an index into an array of encryption keys is used to further guard data confidentiality. The encryption keys for both the client and the server must be the same. These keys can be set in the array using the DicomNet.SetIsclEncryptionKey method. An index is used to specify which key in the array should be used for encryption. This index is set using the DicomNet.SetIsclEncryptionKeyIndex method. To determine the current index of the key to use for encryption, call the DicomNet.GetIsclIndexForEncryption method.

Data Integrity

Data integrity is maintained by adding message authentication codes to each message sent across the DICOM Network. The message authentication codes may be DESMAC or MD5. To set the type of message authentication codes to use, call the DicomNet.SetIsclDefaultSigningMode method.

Digital Signatures

The Digital Signatures capability provides a first step towards lifetime integrity checks. When creating a Digital Signature, the creator of the Digital Signature identifies those Data Elements of a DICOM Data Set that are included in the calculation of the Message Authentication Code (MAC) used in the Digital Signature. The creator calculates the MAC, and then encrypts the MAC with a key or the private part of a key pair unique to the creator of the Digital Signature. Any receiver of the DICOM Data Set that knows the key or the public part of the key pair can then recalculate the MAC and compare it with the MAC recorded in the Digital Signature. If any of the identified Data Elements has been altered or removed, it is extremely unlikely that the MAC calculated by the receiver and the MAC within the Digital Signature will agree. Digital Signature Profiles are specified in Annex C in PS 3.15 of the DICOM Standard. For more information, refer to Working With DICOM Digital Signatures.
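
The selective-coverage check described above, as an added illustration that is not LEADTOOLS code or part of the original help topic. It assumes the shared-key case and uses HMAC-SHA-256 in place of the separate MAC and encryption steps; the data set, key and function names are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample data set (tag -> value); not taken from a real study.
DATASET = {
    "0010,0010": "DOE^JANE",       # Patient's Name
    "0010,0020": "PID-0001",       # Patient ID
    "0008,0060": "CT",             # Modality
    "0008,1030": "Chest routine",  # Study Description
}
DEMO_KEY = b"constructed-demo-key"  # assumption: key shared by creator and receiver


def _mac(dataset, tags, key):
    """MAC over the identified elements only, in sorted tag order."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for tag in sorted(tags):
        value = dataset[tag].encode("utf-8")  # KeyError if the element is gone
        h.update(tag.encode("ascii"))
        h.update(len(value).to_bytes(4, "big"))  # length prefix keeps boundaries unambiguous
        h.update(value)
    return h.digest()


def sign(dataset, tags, key):
    """Creator: record which elements are covered, together with the MAC."""
    return {"signed_tags": sorted(tags), "mac": _mac(dataset, tags, key)}


def verify(dataset, signature, key):
    """Receiver: recompute the MAC over the recorded tags and compare."""
    try:
        expected = _mac(dataset, signature["signed_tags"], key)
    except KeyError:
        return False  # an identified element was removed
    return hmac.compare_digest(expected, signature["mac"])


if __name__ == "__main__":
    sig = sign(DATASET, ["0010,0010", "0010,0020"], DEMO_KEY)
    altered = {**DATASET, "0010,0020": "PID-9999"}
    removed = {t: v for t, v in DATASET.items() if t != "0010,0010"}
    uncovered = {**DATASET, "0008,1030": "Edited description"}
    print("original :", verify(DATASET, sig, DEMO_KEY))
    print("altered  :", verify(altered, sig, DEMO_KEY))
    print("removed  :", verify(removed, sig, DEMO_KEY))
    print("uncovered:", verify(uncovered, sig, DEMO_KEY))
```

Elements outside the signed list can change without invalidating the signature, so the choice of identified Data Elements determines what the check actually protects.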