Send comments on this topic. | Back to Introduction - All Topics | Help Version 15.12.21
Adding TLS Security to a DICOM Connection

This toolkit uses SSL (Secure Socket Layer) and TLS (Transport Layer Security) to implement security. Developed by Netscape, the Secure Socket Layer (SSL) protocol is designed to ensure the security of data being communicated between two points over a network, and uses TCP as the communication layer. SSL provides a way for the client and server to authenticate each other, ensures the integrity of the data during a session, and ensures that the data remains private between the client and the server. The Transport Layer Security (TLS) protocol is based on the SSL protocol.

Based on the TLS standards, LEADTOOLS provides support for adding security in the following areas:

  • Computer or Entity Authentication.
  • Confidentiality.
  • Data Integrity.

Computer/Entity Authentication

Before establishing a DICOM Associate connection between two computers, each computer should "authenticate" the other computer. This ensures that both computers are legitimate, and are qualified to have access to the information that may be transferred. This is accomplished through mutual authentication. For more information on this process, refer to the "TLS Protocol Version 1.00."

Do the following to set up the secure connection:

  • Specify the TLS security mode when creating the DICOM Network object. A special version of the DicomNet constructor can be used to change the default security settings. Please note that the LEADTOOLS DICOM DLL must be initialized before using any of the Network Operations methods. This is done by calling DicomNet.Startup.
  • If the constructor DicomNet(String, DicomNetSecurityeMode, Boolean) is used to create the DICOM Network object, use the DicomNet.Initialize method to change the security options from the defaults.

Authentication is carried out using a series of challenges and responses between the "client" and the "server". TLS has its own system of generating responses, which is handled internally, without using user provided methods. This authentication is based on the presence of an RSA certificate. Servers are required to have an RSA certificate, but clients may or may not have one. If both the client and the server use an RSA certificate, then by the end of the authentication process, each has authenticated the identity of the other. The RSA certificates for servers and clients can be set using DicomNet.SetTlsClientCertificate.

If the certificate files contain encrypted private keys, the DicomNet.OnPrivateKeyPassword callback method will be called so that the private key password can be provided.

Once a TLS connection has been established, the DicomNet.OnSecureLinkReady method is called.

Confidentiality

Once two computers have negotiated the cipher suite, and have authenticated each other, they can begin transferring messages and data between them. For more information on the cipher suite negotiation, refer to Negotiating a Ciphersuite. The confidentiality of these transfers is maintained by encrypting the data sent over the communication channel. Currently LEADTOOLS supports the TLS standard of using the DES or triple DES encryption mode. To determine the encryption mode used, find out the cipher suite that was negotiated by calling DicomNet.GetTlsCipherSuite. Once the cipher suite is known, you can call the DicomNet.GetTlsEncryptionAlgorithm method to obtain the encryption mode for the cipher suite.

Data Integrity

Data integrity is maintained by adding message authentication codes to each packet of each message sent across the DICOM Network. The message authentication codes may be SHA. To get the type of message authentication codes used, find out the cipher suite that was negotiated by calling DicomNet.GetTlsCipherSuite. Once the cipher suite is known, call the DicomNet.GetTlsIntegrityAlgorithm method.