Adding TLS Security to a DICOM Connection

This toolkit uses SSL (Secure Socket Layer) and TLS (Transport Layer Security) to implement security. Developed by Netscape, the Secure Socket Layer (SSL) protocol is designed to ensure the security of data being communicated between two points over a network, and uses TCP as the communication layer. SSL provides a way for the client and server to authenticate each other, ensures the integrity of the data during a session, and ensures that the data remains private between the client and the server. The Transport Layer Security (TLS) protocol is based on the SSL protocol.

Use the following procedure to set up or change the default security options:

1.

Set the UseSSLOptions property to VARIANT_TRUE

2.

Set the NetworkSecurityMode property to DICOM_SECURE_TLS

3.

Set any or all of the following properties.

SSLMethodType property

SSLVerifyMode property

SSLOptions property

SSLCAFile property

SSLVerifyDepth property

4.

Set the SSLCreateFlags property to have the flags that correspond to the properties that were set in step 3.

5.

Call the StartUp method.

Note that the properties in steps 1, 2, 3, and 4 must be set before calling the StartUp method, and that the NetworkSecurityMode property must be set to DICOM_SECURE_TLS. If the NetworkSecurityMode property is not DICOM_SECURE_TLS, then the SSL properties are ignored.

Call the SSLSuccess property to check for errors.

Based on the TLS standards, LEADTOOLS provides support for adding security in the following areas:

image\sqrblit.gif Computer or Entity Authentication

image\sqrblit.gif Confidentiality

image\sqrblit.gif Data Integrity

Computer/Entity Authentication

Before establishing a DICOM Associate connection between two computers, each computer should "authenticate" the other computer. This ensures that both computers are legitimate, and are qualified to have access to the information that may be transferred. This is accomplished through mutual authentication. For more information on this process, refer to the "TLS Protocol Version 1.00."

Authentication is carried out using a series of challenges and responses between the "client" and the "server". TLS has its own system of generating responses, which is handled internally, without using user provided event handlers. This authentication is based on the presence of an RSA certificate. Servers are required to have an RSA certificate, but clients may or may not have one. If both the client and the server use an RSA certificate, then by the end of the authentication process, each has authenticated the identity of the other. The RSA certificates for servers and clients can be set using the SetClientCertificateTLS and SetServerCertificateTLS methods.

If the certificate files contain encrypted private keys, an event will be fired so that the private key password can be provided. The password must be provided in the SSLPrivateKeyPassword property when processing the SSLPrivateKeyPasswordEvent event.

Once a TLS connection has been established, the NetSecureLinkReady event is fired.

Confidentiality

Once two computers have negotiated the ciphersuite, and have authenticated each other, they can begin transferring messages and data between them. For more information on the ciphersuite negotiation, refer to Negotiating a Ciphersuite. The confidentiality of these transfers is maintained by encrypting the data sent over the communication channel. Currently LEADTOOLS supports the TLS standard of using the DES or triple DES encryption mode. To determine the encryption mode used, find out the ciphersuite that was negotiated by calling GetCiphersuiteTLS. Once the ciphersuite is known, call the GetEncryptionAlgorithmTLS method.

Data Integrity

Data integrity is maintained by adding message authentication codes to each packet of each message sent across the DICOM Network. The message authentication codes may be SHA. To get the type of message authentication codes used, find out the ciphersuite that was negotiated by calling GetCiphersuiteTLS. Once the ciphersuite is known, call the GetIntegrityAlgorithmTLS method.