Adding ISCL Security to a DICOM Connection

Based on the ISCL standards, LEADTOOLS provides support for adding security in the following areas:

- Computer or Entity Authentication
- Confidentiality
- Data Integrity

Computer/Entity Authentication

Before establishing a DICOM Associate connection between two computers, each computer should "authenticate" the other computer. This ensures that both computers are legitimate, and are qualified to have access to the information that may be transferred. This is accomplished through mutual authentication. A more detailed description of this process can be found in either General Integrated Secure Communication Layer (ISCL) Information, or the "MEDIC-DC STANDARDS for Integrated Secure Communication Layer Protocols V 1.00."

A specific mode can be used for the mutual authentication process. This is set using the SetMutualAuthAlgISCL method. Currently only the "Three-pass-four-way" mode is used. During the mutual authentication process, authentication data, an authentication key and an index for the authentication key are used to authenticate one entity to another. The authentication data used for this process can be set using the SetAuthDataISCL method.

In addition, during the mutual authentication process an index into an array of authentication keys is used to further authenticate an entity. The authentication keys for both the client and the server must be the same. These keys can be set in the array using the SetMutualAuthKeyISCL method.

An index is used to specify which key in the array should be used for authentication. This index is set using the SetIndexForMutualAuthISCL method. To determine the current index of the key to use for authentication, call the GetIndexForMutualAuthISCL method.

Confidentiality

Once two computers have authenticated each other, they can begin transferring messages and data between them. The confidentiality of these transfers is maintained by encrypting the data sent over the communication channel. Currently, LEADTOOLS supports the two options in the ISCL standard: no encryption, or DES encryption in cipher block chaining mode. The encryption mode can be set using the SetDefaultEncryptionISCL method.

In addition, during the encryption/decryption process an index into an array of encryption keys is used to further guard data confidentiality. The encryption keys for both the client and the server must be the same. These keys can be set in the array using the SetEncryptKeyISCL method.

An index is used to specify which key in the array should be used for encryption. This index is set using the SetIndexForEncryptISCL method. To determine the current index of the key to use for encryption, call the GetIndexForEncryptISCL method.
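The requirement that both sides hold the same mutual authentication and encryption key arrays can be checked before a connection is attempted. The following is an added example, not LEADTOOLS code: IsclProfile, compare_tables and check_pair are hypothetical names, the mode strings and the sample keys are constructed, and the profile simply records the values that would be passed to the Set...ISCL methods named above.

```python
import hmac
from dataclasses import dataclass

@dataclass
class IsclProfile:
    # Hypothetical container, not a LEADTOOLS type: one side's ISCL settings.
    auth_keys: dict       # index -> key bytes, as given to SetMutualAuthKeyISCL
    auth_index: int       # as given to SetIndexForMutualAuthISCL
    encrypt_keys: dict    # index -> key bytes, as given to SetEncryptKeyISCL
    encrypt_index: int    # as given to SetIndexForEncryptISCL
    encryption: str       # "none" or "des-cbc" (constructed labels for the two modes)

def compare_tables(label, c_keys, s_keys, c_idx, s_idx):
    """Compare one key array across client and server; return a list of findings."""
    findings = []
    for idx in sorted(set(c_keys) | set(s_keys)):
        if idx not in c_keys or idx not in s_keys:
            findings.append(f"{label}: index {idx} is set on only one side")
        elif not hmac.compare_digest(c_keys[idx], s_keys[idx]):
            # Constant-time comparison so the check itself does not leak key bytes.
            findings.append(f"{label}: key at index {idx} differs")
    for side, idx, keys in (("client", c_idx, c_keys), ("server", s_idx, s_keys)):
        if idx not in keys:
            findings.append(f"{label}: {side} selects empty index {idx}")
    return findings

def check_pair(client, server):
    """Return all findings for a client/server pair; an empty list means they agree."""
    findings = compare_tables("mutual-auth", client.auth_keys, server.auth_keys,
                              client.auth_index, server.auth_index)
    findings += compare_tables("encryption", client.encrypt_keys, server.encrypt_keys,
                               client.encrypt_index, server.encrypt_index)
    for side, profile in (("client", client), ("server", server)):
        if profile.encryption == "none":
            findings.append(f"{side}: encryption mode is 'none', traffic is sent in the clear")
    return findings

# Constructed sample values, not real keys.
CLIENT = IsclProfile({1: b"A" * 8, 2: b"B" * 8}, 1, {1: b"C" * 8}, 1, "des-cbc")
SERVER = IsclProfile({1: b"A" * 8, 2: b"X" * 8}, 3, {1: b"C" * 8}, 1, "none")

if __name__ == "__main__":
    for line in check_pair(CLIENT, SERVER):
        print(line)
```
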

Data Integrity

Data integrity is maintained by adding message authentication codes to each message sent across the DICOM Network. The message authentication codes may be DESMAC or MD5. To set the type of message authentication codes to use, call the SetDefaultSigningISCL method.