Working with Digital Signatures

ISO 7498-2 defines a digital signature as, "Data appended to, or a cryptographic transformation of, a data unit that allows a recipient of the data unit to prove the source and integrity of that unit and protect against forgery e.g. by the recipient."

The Digital Signatures capability of DICOM provides a first step towards lifetime integrity checks of a Data Set. A digital signature serves two purposes. First, it can be used to verify the identity of the signer. Second, it can be used to ensure that the signed data has not been altered or destroyed in an unauthorized manner. These two security aspects are usually termed authentication and data integrity, respectively. Note that the first purpose rests on the receiver trusting the certificate that binds the signer's public key to the signer; a signature that verifies mathematically only proves that the matching private key was used.

When creating a Digital Signature, the creator identifies those Data Elements of a DICOM Data Set that are included in the calculation of the Message Authentication Code (MAC) used in the Digital Signature. The creator calculates the MAC, and then encrypts (signs) the MAC with a key or the private part of a key pair unique to the creator of the Digital Signature. Any receiver of the DICOM Data Set that knows the key or the public part of the key pair can then recalculate the MAC and compare it with the MAC recorded in the Digital Signature. If any of the identified Data Elements has been altered or removed, it is extremely unlikely that the MAC calculated by the receiver and the MAC within the Digital Signature will agree. The converse also holds: Data Elements that were not included in the calculation can be changed without affecting the signature, so the choice of which elements to sign determines what the signature actually protects. Digital Signature Profiles are specified in Annex C of PS 3.15 of the DICOM Standard.
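The mechanism described in the paragraph above, as an added example that is not part of this page and is not LEADTOOLS code: a small Go program (Go is used here because its standard library provides RSA and SHA-256) that encodes a handful of constructed Data Elements in Explicit VR Little Endian, hashes the ones listed in a signed-tags list in ascending tag order, signs that digest with an ephemeral RSA key, and then verifies it three times: on the unmodified Data Set, after editing an element that was not signed, and after editing an element that was. It is a simplified model of the process, not the byte-exact layout PS 3.15 mandates for a conformant Digital Signature: the MAC Parameters and Digital Signatures Sequence Items, certificate handling and the long-length VRs (OB/OW/SQ/UN/UT) are left out. The tags, values and the SignedTags list (standing in for Data Elements Signed) are constructed for the demonstration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"sort"
)

// Element is a simplified DICOM Data Element (string VRs with a 2-byte length only).
type Element struct {
	Group, Elem uint16
	VR          string
	Value       []byte
}

// EncodeExplicitVRLE serialises one element as Explicit VR Little Endian, padding
// odd-length values to even length (UI pads with NUL, other string VRs with space).
func EncodeExplicitVRLE(e Element) []byte {
	v := append([]byte(nil), e.Value...)
	if len(v)%2 == 1 {
		pad := byte(' ')
		if e.VR == "UI" {
			pad = 0x00
		}
		v = append(v, pad)
	}
	buf := make([]byte, 8, 8+len(v))
	binary.LittleEndian.PutUint16(buf[0:], e.Group)
	binary.LittleEndian.PutUint16(buf[2:], e.Elem)
	copy(buf[4:], e.VR)
	binary.LittleEndian.PutUint16(buf[6:], uint16(len(v)))
	return append(buf, v...)
}
// macDigest hashes the encodings of the elements listed in signedTags, in ascending
// tag order, with SHA-256 (the MAC Algorithm). A removed signed element is an error.
func macDigest(ds []Element, signedTags []uint32) ([]byte, error) {
	byTag := map[uint32]Element{}
	for _, e := range ds {
		byTag[uint32(e.Group)<<16|uint32(e.Elem)] = e
	}
	tags := append([]uint32(nil), signedTags...)
	sort.Slice(tags, func(i, j int) bool { return tags[i] < tags[j] })
	var in []byte
	for _, t := range tags {
		e, ok := byTag[t]
		if !ok {
			return nil, fmt.Errorf("signed element (%04X,%04X) is missing", t>>16, t&0xFFFF)
		}
		in = append(in, EncodeExplicitVRLE(e)...)
	}
	d := sha256.Sum256(in)
	return d[:], nil
}
// Sign computes the MAC and signs it with the creator's RSA private key (PKCS#1 v1.5).
func Sign(priv *rsa.PrivateKey, ds []Element, signedTags []uint32) ([]byte, error) {
	d, err := macDigest(ds, signedTags)
	if err != nil {
		return nil, err
	}
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d)
}
// Verify recomputes the MAC over the receiver's copy and checks the signature.
func Verify(pub *rsa.PublicKey, ds []Element, signedTags []uint32, sig []byte) bool {
	d, err := macDigest(ds, signedTags)
	return err == nil && rsa.VerifyPKCS1v15(pub, crypto.SHA256, d, sig) == nil
}
// sampleDataSet is constructed for the demonstration, not real patient data.
var sampleDataSet = []Element{
	{0x0008, 0x0018, "UI", []byte("1.2.3.4.5")}, // SOP Instance UID (signed)
	{0x0008, 0x0060, "CS", []byte("CT")},        // Modality (left unsigned)
	{0x0010, 0x0010, "PN", []byte("DOE^JANE")},  // Patient's Name (signed)
}
// SignedTags plays the role of Data Elements Signed (0400,0020).
var SignedTags = []uint32{0x00080018, 0x00100010}
// Demo returns whether the signature verifies [0] unmodified, [1] after editing
// the unsigned Modality, [2] after also editing the signed Patient's Name.
func Demo() ([3]bool, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return [3]bool{}, err
	}
	ds := append([]Element(nil), sampleDataSet...)
	sig, err := Sign(priv, ds, SignedTags)
	if err != nil {
		return [3]bool{}, err
	}
	var r [3]bool
	r[0] = Verify(&priv.PublicKey, ds, SignedTags, sig)
	ds[1].Value = []byte("MR") // not covered by the signature: still verifies
	r[1] = Verify(&priv.PublicKey, ds, SignedTags, sig)
	ds[2].Value = []byte("DOE^JOHN") // covered: verification now fails
	r[2] = Verify(&priv.PublicKey, ds, SignedTags, sig)
	return r, nil
}
func main() {
	fmt.Println(Demo()) // [true true false] <nil>
}
```

Two points the run makes concrete: changing Modality goes unnoticed because it was never part of the MAC input, so what you choose to sign is a security decision, not a formality; and a signed element that has been removed is reported as an error rather than quietly dropped from the hash, which keeps a truncated Data Set from verifying.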

The DICOM standard defines the Message Authentication Code (MAC) Parameters Sequence (4FFE,0001) and the Digital Signatures Sequence (FFFA,FFFA) to include Digital Signatures in a Data Set. For each Digital Signature there is a corresponding Digital Signatures Sequence Item, which contains the signature itself and the digital certificate of the signer, in addition to other information. The Digital Signatures Sequence Item also references a MAC Parameters Sequence Item, which specifies the parameters used when the signature was created, such as the Data Elements signed and the hash algorithm used. For more information, refer to Table C.12-5 of PS 3.3 of the DICOM Standard.

A Digital Signature can be created in the main Data Set as well as in an Item of a Sequence of Items. The two Sequences mentioned above must be placed at the same level at which the Digital Signature is created, and only the Data Elements at that level can be signed by it. For example, if one or more Data Elements of an Item are to be signed, the two Sequences must be placed inside that Item, on the same level as those Data Elements. Multiple Digital Signatures can be created at one level by adding more Digital Signatures Sequence Items.

LEADTOOLS provides a number of methods for creating, verifying, and handling Digital Signatures in DICOM Data Sets. The functionality provided allows you to implement all of the DICOM Security Profiles that are specified in the DICOM Standard. For many of these methods, the Digital Signature to operate on is selected by setting the CurrentElement property to the corresponding Digital Signatures Sequence Item before calling the method.

Use the CreateSignature method to create a Digital Signature in the main Data Set or in an Item of a Sequence of Items. For example, the following signs the main Data Set:

' Clear the current element so that the signature is created in the main Data Set
objDataSet.SetCurrentElement 0
objDataSet.CreateSignature "C:\PrivateKey", _
                           "C:\Certificate.cer", _
                           "password"

When creating the signature, use the SecurityProfile parameter to specify the profile with which the signature should conform. For more information about profiles, refer to Annex C, Digital Signature Profiles, of PS 3.15 of the DICOM Standard.

You can use the GetSignaturesCount method and the MoveSignature method to enumerate the Digital Signatures that exist in the main Data Set or in an Item of a Sequence of Items. The former returns the number of Digital Signatures, while the latter updates the CurrentElement property with the Digital Signatures Sequence Item that corresponds to a particular Digital Signature. Once CurrentElement refers to that Item, the various methods can be used to verify, delete, or get information about the Digital Signature. Also, the FindSignature method can be used to search the whole Data Set for a Digital Signature by its Digital Signature UID (0400,0100).

Use the VerifySignature method to verify a particular Digital Signature, or all of the Digital Signatures in the entire Data Set at once, as shown in the following example:

' Clear the current element so that every Digital Signature in the Data Set is checked
objDataSet.SetCurrentElement 0
nRet = objDataSet.VerifySignature()
Select Case nRet
Case DICOM_SUCCESS
   ' All Digital Signatures were verified

Case DICOM_ERROR_INVALID_SIGNATURE
   ' At least one Digital Signature is invalid

Case Else
   ' Some other error occurred; do not treat the Data Set as verified
End Select

Use the DeleteSignature method to remove a particular Digital Signature from the Data Set, or all of the Digital Signatures in the entire Data Set.

Use the SaveCertificate method to save the digital certificate of the signer to a file.

The following methods can be used to get information about a particular Digital Signature:

GetSignatureUID method

GetSignatureDateTime method

GetSignedElementsCount method

MoveSignedElement method

GetMacTransferSyntax method

GetMacAlgorithm method