Working with Digital Signatures

ISO 7498-2 defines a digital signature as, "Data appended to, or a cryptographic transformation of, a data unit that allows a recipient of the data unit to prove the source and integrity of that unit and protect against forgery e.g. by the recipient."

The Digital Signatures capability provides a first step towards lifetime integrity checks. A digital signature serves two purposes. First, it can be used to verify the identity of the signer. Second, it can be used to ensure that the signed data has not been altered or destroyed in an unauthorized manner. These two security aspects are usually termed authentication and data integrity, respectively.

When creating a Digital Signature, the creator of a Digital Signature identifies those Data Elements of a DICOM Data Set that are included in the calculation of the Message Authentication Code (MAC) used in the Digital Signature. The creator calculates the MAC, and then encrypts the MAC with a key or the private part of a key pair unique to the creator of the Digital Signature. Any receiver of the DICOM Data Set that knows the key or public part of the key pair can then recalculate the MAC and compare it with the MAC recorded in the Digital Signature. If any of the identified Data Elements has been altered or removed, it is extremely unlikely that the MAC calculated by the receiver and the MAC within the Digital Signature will agree. Digital Signature Profiles are specified in Annex C of DICOM PS 3.15.

The DICOM standard defines the Message Authentication Code (MAC) Parameters Sequence (4FFE,0001) and the Digital Signatures Sequence (FFFA,FFFA) to include Digital Signatures in a Data Set. For each Digital Signature, there should be a corresponding Digital Signatures Sequence Item, which contains the signature itself and the digital certificate of the signer, in addition to other information. The Digital Signatures Sequence Item also references a MAC Parameters Sequence Item, which specifies some parameters related to the creation of the signature, like the Data Elements signed and the hash algorithm used. For more information, refer to Table C.12-5 of DICOM PS 3.3.

A Digital Signature can be created in the main Data Set as well as in an Item of a Sequence of Items. The two Sequences mentioned above must be at the same level where the Digital Signature is created. Only the Data Elements at this level can be signed by the Digital Signature. For example, if one or more Data Elements of an Item are to be signed, the two Sequences should be placed under that Item on the same level as the Data Elements. Multiple Digital Signatures can be created by adding more Digital Signatures Sequence Items.
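The process described above, as an added example that is not LEADTOOLS code and does not use the LEADTOOLS API: a Data Set is modelled as a dict of (group, element) tags, the signer lists the Data Elements to cover, the MAC is computed over those elements only, and the MAC Parameters Sequence (4FFE,0001) and Digital Signatures Sequence (FFFA,FFFA) are placed at the same level (the main Data Set dict or an Item dict). Two assumptions: the element encoding is a simplified stand-in for the real MAC Transfer Syntax, and an HMAC under a shared key stands in for encrypting the MAC with the signer's private key (the Python standard library has no RSA), so the verifier here needs the same key; the Signature UID default is a constructed placeholder.

```python
import hashlib
import hmac
import struct

# Simplified model of a DICOM Data Set: {(group, element): (VR, value)}.
# A Sequence value is a list of Items; each Item is itself such a dict.
MAC_PARAMETERS_SEQ = (0x4FFE, 0x0001)
DIGITAL_SIGNATURES_SEQ = (0xFFFA, 0xFFFA)

def encode_elements(dataset, tags):
    """Serialise the signed elements in ascending tag order (a stand-in
    for the explicit VR little endian MAC Transfer Syntax)."""
    out = bytearray()
    for tag in sorted(tags):
        if tag not in dataset:  # a signed element was removed
            raise KeyError(tag)
        vr, value = dataset[tag]
        out += struct.pack("<HH", *tag) + vr.encode("ascii")
        out += struct.pack("<I", len(value)) + value
    return bytes(out)

def compute_mac(dataset, tags, algorithm):
    return hashlib.new(algorithm.lower(), encode_elements(dataset, tags)).digest()

def create_signature(dataset, tags, signer_key, algorithm="SHA256", uid="1.2.3.4.5"):
    """Append one MAC Parameters Item and one Digital Signatures Item at this
    level. Stand-in: HMAC under signer_key replaces encrypting the MAC with
    the signer's private key, so the verifier needs the same key here."""
    tags = [t for t in tags if t not in (MAC_PARAMETERS_SEQ, DIGITAL_SIGNATURES_SEQ)]
    params_seq = dataset.setdefault(MAC_PARAMETERS_SEQ, ("SQ", []))[1]
    sig_seq = dataset.setdefault(DIGITAL_SIGNATURES_SEQ, ("SQ", []))[1]
    mac_id = len(params_seq) + 1  # links the two Items, as MAC ID Number does
    mac = compute_mac(dataset, tags, algorithm)
    params_seq.append({"MACID": mac_id, "SignedElements": tags, "MACAlgorithm": algorithm})
    sig = {"MACID": mac_id, "SignatureUID": uid,
           "Signature": hmac.new(signer_key, mac, "sha256").digest()}
    sig_seq.append(sig)
    return sig

def verify_signature(dataset, sig, signer_key):
    """Recalculate the MAC from the referenced MAC Parameters Item and compare."""
    params = next(p for p in dataset[MAC_PARAMETERS_SEQ][1] if p["MACID"] == sig["MACID"])
    try:
        mac = compute_mac(dataset, params["SignedElements"], params["MACAlgorithm"])
    except KeyError:
        return False
    expected = hmac.new(signer_key, mac, "sha256").digest()
    return hmac.compare_digest(expected, sig["Signature"])
```

Changing or removing a signed element makes verification fail, while changing an element that was not listed in the MAC Parameters Item does not; a signature created on an Item dict covers only that Item's elements.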

LEADTOOLS provides a number of functions for creating, verifying, and handling Digital Signatures in DICOM Data Sets. The functionality provided allows you to implement all of the DICOM Security Profiles that are specified in the DICOM Standard. For many of these functions, a particular Digital Signature is identified by passing a pointer to the DICOMELEMENT structure that specifies the corresponding Digital Signatures Sequence Item.

Use the LDicomDS::CreateSignature function to create a Digital Signature in the main Data Set or in an Item of a Sequence of Items. For example, the following signs the main Data Set:

// NULL selects the main Data Set rather than an Item of a Sequence.
// The private key file, the signer's certificate and the password for
// the private key file are passed in; the new Digital Signatures
// Sequence Item is added at the same level as the signed elements.
DataSet.CreateSignature(NULL,
                        "C:\\PrivateKey",
                        "C:\\Certificate.cer",
                        "password");

When creating the signature, use the uSecurityProfile parameter to specify the profile with which the signature should conform. For more information about profiles, refer to Annex C, Digital Signature Profiles, of DICOM PS 3.15.

You can use the LDicomDS::GetSignaturesCount and LDicomDS::GetSignature functions to enumerate the Digital Signatures that exist in the main Data Set or in an Item of a Sequence of Items. The former returns the number of Digital Signatures, while the latter returns a pointer to the Digital Signatures Sequence Item that corresponds to a particular Digital Signature. This pointer can then be passed to the various functions that verify, delete, or get information about the Digital Signature. In addition, the LDicomDS::FindSignature function searches the whole Data Set for a Digital Signature given its Digital Signature UID (0400,0100).

The LDicomDS::VerifySignature function verifies a particular Digital Signature. It can also be used to verify all the Digital Signatures in the whole Data Set at once, as shown in the following example:

// Passing NULL verifies every Digital Signature in the whole Data Set
L_UINT16 uRet = DataSet.VerifySignature(NULL);
switch (uRet)
{
case DICOM_SUCCESS:
   // All Digital Signatures were verified
   break;

case DICOM_ERROR_INVALID_SIGNATURE:
   // At least one Digital Signature is invalid
   break;

default:
   // Any other error code: treat the Data Set as unverified
   break;
}

Use the LDicomDS::DeleteSignature function to remove a particular Digital Signature from the Data Set, or to remove all the Digital Signatures in the whole Data Set.

Use the LDicomDS::SaveCertificate function to save the digital certificate of the signer to a file.

Use the following functions to obtain information about a particular Digital Signature:

LDicomDS::GetSignatureUID
LDicomDS::GetSignatureDateTime
LDicomDS::GetSignedElementsCount
LDicomDS::GetSignedElement
LDicomDS::GetMacTransferSyntax
LDicomDS::GetMacAlgorithm