Working with DICOM Digital Signatures

ISO 7498-2 defines a digital signature as "Data appended to, or a cryptographic transformation of, a data unit that allows a recipient of the data unit to prove the source and integrity of that unit and protect against forgery e.g. by the recipient."

Digital Signatures capability provides a first step towards lifetime integrity checks. A Digital Signature serves two purposes. First, it can be used to verify the identity of the signer. Second, it can be used to ensure that the signed data has not been altered or destroyed in an unauthorized manner. These two security aspects are usually termed as authentication and data integrity, respectively.

When creating a Digital Signature, the creator of the Digital Signature identifies those Data Elements of a DICOM Data Set that are included in the calculation of the Message Authentication Code (MAC) used in the Digital Signature. The creator calculates the MAC, and then encrypts the MAC with a key or the private part of a key pair unique to the creator of the Digital Signature. Any receiver of the DICOM Data Set that knows the key or the public part of the key pair can then recalculate the MAC and compare it with the MAC recorded in the Digital Signature. If any of the identified Data Elements has been altered or removed, it is extremely unlikely that the MAC calculated by the receiver and the MAC within the Digital Signature will agree. Digital Signature Profiles are specified in Annex C in PS 3.15 of the DICOM Standard.

The DICOM Standard defines the Message Authentication Code (MAC) Parameters Sequence (4FFE,0001) and the Digital Signatures Sequence (FFFA,FFFA) to include Digital Signatures in a Data Set. For each Digital Signature, there should be a corresponding Digital Signatures Sequence Item, which contains the signature itself and the digital certificate of the signer, in addition to other information. The Digital Signatures Sequence Item also references a MAC Parameters Sequence Item, which specifies some parameters related to the creation of the signature, like the Data Elements signed and the hash algorithm used. For more information, refer to Table C.12-5 in PS 3.3 of the DICOM Standard.

A Digital Signature can be created in the main Data Set as well as in an Item of a Sequence of Items. The two Sequences mentioned above must be at the same level where the Digital Signature is created. Only the Data Elements at this level can be signed by the Digital Signature. For example, if one or more Data Elements of an Item are to be signed, the two Sequences should be placed under that Item on the same level as the Data Elements. Multiple Digital Signatures can be created by adding more Digital Signatures Sequence Items.

LEADTOOLS provides a number of methods for creating, verifying, and handling Digital Signatures in DICOM Data Sets. The functionality provided allows you to implement all of the DICOM Security Profiles that are specified in the DICOM Standard. For many of these methods, a particular Digital Signature is identified by passing the DicomElement object that specifies the corresponding Digital Signatures Sequence Item.

Use the DicomDataSet.CreateSignature method to create a Digital Signature in the main Data Set or in an Item of a Sequence of Items.

When creating the signature, you can specify the profile with which the signature should conform. For more information about the profiles you can specify, refer to Annex C, Digital Signature Profiles, in PS 3.15 of the DICOM Standard.

You can use the DicomDataSet.GetSignaturesCount and DicomDataSet.GetSignature methods to enumerate the Digital Signatures that exist in the main Data Set or in an Item of a Sequence of Items. The former method returns the number of Digital Signatures while the latter method returns an object that specifies the Digital Signatures Sequence Item which corresponds to a particular Digital Signature. This object can then be passed to the various methods to verify, delete, or get information about the Digital Signature. Also, the DicomDataSet.FindSignature method can be used to search the whole Data Set for a Digital Signature by knowing its Digital Signature UID (0400,0100).

The DicomDataSet.VerifySignature method verifies a particular Digital Signature. It can also be used to verify all the Digital Signatures in the whole Data Set at once, as shown in the following example:

verified = dataSet.VerifySignature(null); if (verified) { // All Digital Signatures were verified } else { // At least one Digital Signature is invalid }

Use the DicomDataSet.DeleteSignature method to remove a particular Digital Signature from the Data Set, or to remove all the Digital Signatures in the whole Data Set.

Use the DicomDataSet.SaveCertificate method to save the digital certificate of the signer to a file.

Use the following methods to obtain information about a particular Digital Signature:






Help Version 20.0.2020.4.3
Products | Support | Contact Us | Intellectual Property Notices
© 1991-2020 LEAD Technologies, Inc. All Rights Reserved.

LEADTOOLS Imaging, Medical, and Document