Adding TLS Security to a DICOM Connection

This toolkit uses SSL (Secure Socket Layer) and TLS (Transport Layer Security) to implement security. Developed by Netscape, the Secure Socket Layer (SSL) protocol is designed to ensure the security of data being communicated between two points over a network, and uses TCP as the communication layer. SSL provides a way for the client and server to authenticate each other, ensures the integrity of the data during a session, and ensures that the data remains private between the client and the server. The Transport Layer Security (TLS) protocol is based on the SSL protocol.

Based on the TLS standards, LEADTOOLS provides support for adding security in the following areas:

• Computer or Entity Authentication

• Confidentiality

• Data Integrity

Computer/Entity Authentication

Before establishing a DICOM Associate connection between two computers, each computer should "authenticate" the other computer. This ensures that both computers are legitimate, and are qualified to have access to the information that may be transferred. This is accomplished through mutual authentication. For more information on this process, refer to the "TLS Protocol Version 1.00."

Use the following functions to set up the secure connection:

• LDicomNet::LDicomNet - The LDicomNet constructors allocate memory for the network structure and set the site of the temporary files. A special version of the constructor can be used to change the default security settings. The LEADTOOLS DICOM DLL must be initialized before using any of the Network operation functions. To do so, call LDicomNet::StartUp.

• LDicomNet::Initialize - This function is to be used in conjunction with the LDicomNet::LDicomNet(*pszPath, nMode, bReserved) constructor when changing security options from the defaults.

Authentication is carried out using a series of challenges and responses between the "client" and the "server". TLS has its own system of generating responses, which is handled internally, without using user provided functions. This authentication is based on the presence of an RSA certificate. Servers are required to have an RSA certificate, but clients may or may not have one. If both the client and the server use an RSA certificate, then by the end of the authentication process, each has authenticated the identity of the other. The RSA certificates for servers and clients can be set using the LDicomNet::SetClientCertificateTLS and LDicomNet::SetServerCertificateTLS.

If the certificate files contain encrypted private keys, an event will be fired so that the private key password can be provided:

LDicomNet::OnPrivateKeyPassword

Once a TLS connection has been established, the LDicomNet::OnSecureLinkReady function is called.

Confidentiality

Once two computers have negotiated the ciphersuite, and have authenticated each other, they can begin transferring messages and data between them. For more information on the ciphersuite negotiation, refer to Negotiating a Ciphersuite. The confidentiality of these transfers is maintained by encrypting the data sent over the communication channel. Currently LEADTOOLS supports the TLS standard of using the DES or triple DES encryption mode. To determine the encryption mode used, find out the ciphersuite that was negotiated by calling LDicomNet::GetCiphersuiteTLS. Once the ciphersuite is known, call the LDicomNet::GetEncryptionAlgorithmTLS function.

Data Integrity

Data integrity is maintained by adding message authentication codes to each packet of each message sent across the DICOM Network. The message authentication codes may be SHA. To get the type of message authentication codes used, find out the ciphersuite that was negotiated by calling LDicomNet::GetCiphersuiteTLS. Once the ciphersuite is known, call the LDicomNet::GetIntegrityAlgorithmTLS function.