Adding TLS Security to a DICOM Connection

This toolkit uses SSL (Secure Socket Layer) and TLS (Transport Layer Security) to implement security. Developed by Netscape, the Secure Socket Layer (SSL) protocol is designed to ensure the security of data being communicated between two points over a network, and uses TCP as the communication layer. SSL provides a way for the client and server to authenticate each other, ensures the integrity of the data during a session, and ensures that the data remains private between the client and the server. The Transport Layer Security (TLS) protocol is based on the SSL protocol.

Based on the TLS standards, LEADTOOLS provides support for adding security in the following areas:

image\sqrblit.gif Computer or Entity Authentication

image\sqrblit.gif Confidentiality

image\sqrblit.gif Data Integrity

Computer/Entity Authentication

Before establishing a DICOM Associate connection between two computers, each computer should "authenticate" the other computer. This ensures that both computers are legitimate, and are qualified to have access to the information that may be transferred. This is accomplished through mutual authentication. For more information on this process, refer to the "TLS Protocol Version 1.00."

Use the following function to set up the secure connection:

image\sqrblit.gif L_DicomCreateNetExt. This function is an extended version of the L_DicomCreateNet function, to be used when changing security settings.

Authentication is carried out using a series of challenges and responses between the "client" and the "server". TLS has its own system of generating responses, which is handled internally, without using user provided functions. This authentication is based on the presence of an RSA certificate. Servers are required to have an RSA certificate, but clients may or may not have one. If both the client and the server use an RSA certificate, then by the end of the authentication process, each has authenticated the identity of the other. The RSA certificates for servers and clients can be set using the L_DicomSetClientCertificateTLS and L_DicomSetServerCertificateTLS.

If the certificate files contain encrypted private keys, the L_DicomSetCallbackExt callback will be fired so that the private key password can be provided using the PRIVATEKEYPASSWORD function.

Once a TLS connection has been established, the ONSECURELINKREADY callback function is called.

Confidentiality

Once two computers have negotiated the ciphersuite, and have authenticated each other, they can begin transferring messages and data between them. For more information on the ciphersuite negotiation, refer to Negotiating a Ciphersuite. The confidentiality of these transfers is maintained by encrypting the data sent over the communication channel. Currently LEADTOOLS supports the TLS standard of using the DES or triple DES encryption mode. To determine the encryption mode used, find out the ciphersuite that was negotiated by calling L_DicomGetCiphersuiteTLS. Once the ciphersuite is known, call the L_DicomGetEncryptionAlgorithmTLS function.

Data Integrity

Data integrity is maintained by adding message authentication codes to each packet of each message sent across the DICOM Network. The message authentication codes may be SHA. To get the type of message authentication codes used, find out the ciphersuite that was negotiated by calling L_DicomGetCiphersuiteTLS. Once the ciphersuite is known, call the L_DicomGetIntegrityAlgorithmTLS function.