The Transport Layer Secure (TLS) protocol provides a means of adding security to DICOM communications. The security added targets three main areas:
Computer/Entity Authentication
Computer or entity authentication allows both the client and the server to make sure the computer to which they are communicating (the peer computer) is "legitimate" for communication. This is accomplished by exchanging information on RSA-based certificates. The server is required to use an RSA certificate; the client may or may not use an RSA certificate. During the mutual authentication "handshake" only a computer (or entity) having the private RSA key can decrypt messages from the peer computer (or entity). If both the client and the server use RSA certificates, then after the handshake both computers have uniquely identified each other. For more information on this, refer to the "TLS Protocol Version 1.00".
Confidentiality
Communication confidentiality is achieved by encrypting the data sent over the communication channel. All data sent over the network is compressed using the current compression algorithm (if any), encrypted with the current algorithm and encrypt keys and is accompanied by a message authentication code. The message authentication code is also encrypted. Currently, the encryption options are:
For more information on encryption, refer to the "TLS Protocol Version 1.00".
Data Integrity
Data integrity is maintained by using message authentication codes for each packet sent across a DICOM Network. These message authentication codes are encrypted using the same encryption mode used for encrypting data. Currently, TLS uses Secure Hash Algorithm message authentication codes.