LEADTOOLS TLS DICOM Security Included with LEADTOOLS DICOM PACS Module
More About TLS: LEADTOOLS' General Transport Layer Security (TLS) Information:
The Transport Layer Security (TLS) protocol provides a means of adding security to DICOM communication. The security it adds targets three main areas: authentication of the peer computer, confidentiality of the data in transit, and integrity of that data.
DICOM Computer/Entity Authentication:
Computer or entity authentication allows both the client and the server to verify that the computer with which they are communicating (the peer computer) is legitimate. This is accomplished by exchanging RSA-based certificates during the TLS handshake. The server is required to present an RSA certificate; the client may or may not present one. Presenting a certificate is not by itself proof of identity: during the handshake only the entity holding the private RSA key that matches the certificate can complete the exchange (the server by decrypting the client's key-exchange message, the client by signing part of the handshake when it presents a certificate). Each side should also check that the peer's certificate chains to a certificate authority it trusts and names the peer it expects; a certificate that is merely well-formed proves nothing. If both the client and the server present RSA certificates, then after the handshake both computers have uniquely identified each other.
Before establishing a DICOM Association between two computers, each computer should authenticate the other. This ensures that both computers are legitimate and are entitled to the information that may be transferred. This is accomplished through mutual authentication.
Authentication is carried out by the TLS handshake, a series of challenges and responses between the client and the server. TLS generates these responses internally, without using user-provided functions. The authentication is based on the presence of an RSA certificate: servers are required to have one, clients may or may not. If both the client and the server use an RSA certificate, then by the end of the handshake each has authenticated the identity of the other. The RSA certificates for servers and clients are set using LEADTOOLS functions.
DICOM Communication Confidentiality:
Communication confidentiality is achieved by encrypting the data sent over the communication channel. Each TLS record sent over the network is compressed using the negotiated compression algorithm (if any), has a message authentication code appended, and is then encrypted with the negotiated cipher and encryption keys, so the message authentication code is encrypted along with the data. Currently, the encryption options are:
- DES encryption.
- 3DES encryption.
Once two computers have negotiated the ciphersuite and have authenticated each other, they can begin transferring messages and data between them. The confidentiality of these transfers is maintained by encrypting the data sent over the communication channel. Currently LEADTOOLS supports the TLS ciphersuites that use DES or triple DES (3DES) in CBC mode. Note that single DES uses a 56-bit key and is no longer considered adequate protection; 3DES is the mode the DICOM Basic TLS Secure Transport Connection Profile requires, so it should be preferred wherever the peer supports it.
DICOM Data Integrity:
Data integrity is maintained by attaching a message authentication code to each TLS record sent across a DICOM network. The message authentication code is encrypted together with the data, using the same cipher that encrypts the data, so a tampered or replayed record fails verification at the receiver. Of the TLS message authentication codes, LEADTOOLS supports the HMAC based on the Secure Hash Algorithm (SHA-1), which is the only message authentication algorithm required by the DICOM standard's Basic TLS Secure Transport Connection Profile.
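The integrity mechanism described in the two sections above can be seen in a small script. The following is an added example, not LEADTOOLS code: it computes the TLS 1.0 record MAC (HMAC-SHA1 over the sequence number, content type, version, length and fragment), appends it to a record, and shows that both a modified record and a replayed record (same bytes, wrong sequence number) are rejected. The MAC key and the P-DATA-TF-like PDU bytes are constructed for the example, and the DES/3DES encryption step that follows the MAC on the wire is omitted because Python's standard library has no DES.

```python
"""TLS 1.0-style record integrity with HMAC-SHA1 (added example, not LEADTOOLS code).
The MAC input layout follows the TLS 1.0 record layer; key and records are constructed."""
import hashlib
import hmac
import struct

MAC_LEN = hashlib.sha1().digest_size   # 20 bytes for HMAC-SHA1
TLS_VERSION = b"\x03\x01"              # TLS 1.0 record-layer version
APPLICATION_DATA = 23                  # TLS content type carrying DICOM PDUs


class IntegrityError(Exception):
    """Raised when a record's MAC does not verify (tampering or replay)."""


def record_mac(mac_key: bytes, seq_num: int, content_type: int, fragment: bytes) -> bytes:
    """HMAC-SHA1 over seq_num(8) || type(1) || version(2) || length(2) || fragment.
    Binding the sequence number is what makes a replayed record fail verification."""
    header = struct.pack("!QB2sH", seq_num, content_type, TLS_VERSION, len(fragment))
    return hmac.new(mac_key, header + fragment, hashlib.sha1).digest()


def protect(mac_key: bytes, seq_num: int, content_type: int, fragment: bytes) -> bytes:
    """Append the MAC to the fragment. On the wire the result would then be encrypted
    with the negotiated DES/3DES cipher (MAC included); that step is omitted here."""
    return fragment + record_mac(mac_key, seq_num, content_type, fragment)


def verify(mac_key: bytes, seq_num: int, content_type: int, protected: bytes) -> bytes:
    """Split off the MAC, recompute it for the expected sequence number and compare
    in constant time. Returns the fragment, or raises IntegrityError."""
    if len(protected) < MAC_LEN:
        raise IntegrityError("record too short to carry a MAC")
    fragment, tag = protected[:-MAC_LEN], protected[-MAC_LEN:]
    expected = record_mac(mac_key, seq_num, content_type, fragment)
    if not hmac.compare_digest(tag, expected):
        raise IntegrityError("MAC mismatch")
    return fragment


def demo():
    """Round trip, then a tampered record and a replayed record. Returns three booleans:
    (round trip ok, tampering detected, replay detected)."""
    key = b"constructed-mac-write-secret"           # constructed MAC key
    pdu = b"\x04\x00\x00\x00\x00\x10" + b"\x00" * 16  # constructed P-DATA-TF-like bytes
    sent = protect(key, 0, APPLICATION_DATA, pdu)
    ok = verify(key, 0, APPLICATION_DATA, sent) == pdu

    tampered = bytearray(sent)
    tampered[3] ^= 0x01                             # flip one bit of the PDU body
    try:
        verify(key, 0, APPLICATION_DATA, bytes(tampered))
        tamper_detected = False
    except IntegrityError:
        tamper_detected = True

    try:
        verify(key, 1, APPLICATION_DATA, sent)     # same bytes, receiver expects seq 1
        replay_detected = False
    except IntegrityError:
        replay_detected = True
    return ok, tamper_detected, replay_detected


if __name__ == "__main__":
    print(demo())
```

The receiver keeps its own record counter, so a captured record cannot be re-injected later: the recomputed MAC covers a different sequence number and the comparison fails.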
Negotiating a Ciphersuite:
A ciphersuite is a collection of settings that dictates how data and messages are protected between clients and servers: the key exchange and authentication method, the encryption algorithm, and the message authentication algorithm. Currently LEADTOOLS supports the RSA ciphersuites with DES and 3DES encryption and SHA-1 message authentication. Before the client and server can begin transferring data and messages they must negotiate the ciphersuite to use.
The client sends the server the list of ciphersuites it understands, in order of preference. The server selects the first ciphersuite in that list that it also supports; that ciphersuite is then used for the connection. If the two lists do not overlap (for example, a client that offers only DES to a server configured for 3DES only), the handshake fails and no association is established.
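The negotiation just described, as an added example that is not LEADTOOLS code: the client offers an ordered list, the server walks that list and returns the first suite it supports. The suite names are the standard TLS names for the two suites the page lists (RFC 2246); the server-side minimum key strength, the key-size figures and the demo scenarios are assumptions constructed for the example, added so the reader can see how a "3DES only" server turns a DES-only client away.

```python
"""TLS ciphersuite negotiation, client preference order (added example, not LEADTOOLS code).
Suite names are the standard TLS names; key_bits values and the min_key_bits policy are
assumptions for the example."""

# The two suites the page says LEADTOOLS supports, with the properties a server policy
# would look at. key_bits is the effective key strength (assumed figures: 56 for DES,
# 112 for 3DES).
SUITES = {
    "TLS_RSA_WITH_DES_CBC_SHA":      {"kx": "RSA", "cipher": "DES",  "key_bits": 56,  "mac": "SHA1"},
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA": {"kx": "RSA", "cipher": "3DES", "key_bits": 112, "mac": "SHA1"},
}


class NegotiationError(Exception):
    """No ciphersuite acceptable to both sides; the handshake fails."""


def client_hello(preferred):
    """Build the client's offer: its supported suites in preference order."""
    unknown = [s for s in preferred if s not in SUITES]
    if unknown:
        raise ValueError(f"unknown ciphersuite(s): {unknown}")
    return list(preferred)


def server_select(offered, supported, min_key_bits=112):
    """Pick the first suite in the client's preference order that the server supports
    and that meets the server's minimum key strength (assumed policy knob)."""
    for name in offered:
        if name in supported and SUITES[name]["key_bits"] >= min_key_bits:
            return name
    raise NegotiationError(
        f"no common ciphersuite: client offered {offered}, "
        f"server supports {sorted(supported)} at >= {min_key_bits} bits")


def negotiate(client_prefs, server_supported, min_key_bits=112):
    """One round of negotiation. Returns the chosen suite name or None on failure."""
    try:
        return server_select(client_hello(client_prefs), set(server_supported), min_key_bits)
    except NegotiationError:
        return None


def demo():
    """Three constructed scenarios; returns the outcome of each."""
    both = ["TLS_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_RSA_WITH_DES_CBC_SHA"]
    # 1. Client prefers 3DES, server supports both: 3DES is chosen.
    prefer_3des = negotiate(both, both)
    # 2. Client prefers DES and the server allows 56-bit suites: client order governs, DES wins.
    prefer_des = negotiate(list(reversed(both)), both, min_key_bits=56)
    # 3. Client offers only DES, server insists on >= 112 bits: handshake fails, no association.
    des_only = negotiate(["TLS_RSA_WITH_DES_CBC_SHA"], both)
    return prefer_3des, prefer_des, des_only


if __name__ == "__main__":
    print(demo())
```

Scenario 2 is the practical caveat: because the server honours the client's ordering, a server that merely "supports" DES will end up using it whenever a client lists DES first. Enforcing a minimum strength on the server side is what actually keeps single DES off the wire.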