DICOM Security


Transcript of DICOM Security

Page 1: DICOM Security

DICOM Security

Andrei Leontiev, M.S.

Dynamic Imaging

Page 2: DICOM Security

April 1, 2005, DICOM Seminar – Singapore 2005

Security Profiles

– Secure Transport Connection: DICOM over TLS
– Secure Media: secured DICOM files on media
– Secure Use: use of Digital Signatures
– Confidentiality: de-identification and re-identification

Page 3: DICOM Security

Secure Transport

DICOM over TLS

Page 4: DICOM Security


Key Use Case

How can an application know that:
– the Association Request comes from an authorized node?
– the data were not tampered with during transfer?
– the data were protected from third parties?

Page 5: DICOM Security


Contents

Addresses the following security aspects:
– Entity (node) Authentication
– Data Integrity
– Privacy

Allows a secure transport connection to be established between nodes
– via TLS negotiation
– via ISCL negotiation

Three secure transport profiles

Page 6: DICOM Security


TLS Secure Transport Profile

Node Authentication
– RSA Certificates

Data Integrity
– SHA

Privacy (Encryption)
– 3DES CBC, optional

Page 7: DICOM Security


AES Profile

Similar to the TLS Basic Profile
Requires use of AES encryption
Requires the requestor to support fallback to 3DES
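The negotiation rule of the two TLS slides (the Basic profile mandates 3DES; the AES profile mandates AES but requires the requestor to keep 3DES on offer as a fallback), modelled as an added Python example. This is not code from the presentation or from any DICOM toolkit. The cipher-suite names are the RFC 2246 / RFC 3268 identifiers the profiles referenced; the profile-name strings and function names are the example's own. Caveat for today's reader: later editions of PS3.15 retired both profiles in favour of a BCP 195 based TLS profile, and static-RSA CBC suites with 3DES or SHA-1 should not be deployed now; the `assess` function reads those properties off the suite name.

```python
"""Cipher-suite selection under the DICOM Basic TLS and AES TLS Secure
Transport Connection Profiles, as described in 2005, modelled in plain Python.
Added example; the TLS library's own cipher strings are out of scope here."""

BASIC_PROFILE = "Basic TLS Secure Transport Connection Profile"
AES_PROFILE = "AES TLS Secure Transport Connection Profile"

# Suite each profile mandates, and the suite an AES requestor must keep as fallback.
MANDATORY_SUITE = {
    BASIC_PROFILE: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    AES_PROFILE: "TLS_RSA_WITH_AES_128_CBC_SHA",
}
FALLBACK_SUITE = "TLS_RSA_WITH_3DES_EDE_CBC_SHA"


def requestor_offer(profile):
    """Suites a conforming requestor (the node opening the association) lists in
    its ClientHello, most preferred first."""
    if profile == AES_PROFILE:
        return [MANDATORY_SUITE[AES_PROFILE], FALLBACK_SUITE]
    if profile == BASIC_PROFILE:
        return [MANDATORY_SUITE[BASIC_PROFILE]]
    raise ValueError(f"unknown profile: {profile}")


def requestor_conforms(profile, offered):
    """Conformance check on an observed ClientHello: the mandatory suite must be
    present, and an AES-profile requestor must also offer the 3DES fallback."""
    if MANDATORY_SUITE[profile] not in offered:
        return False
    if profile == AES_PROFILE and FALLBACK_SUITE not in offered:
        return False
    return True


def acceptor_select(profile, offered):
    """Suite an acceptor implementing `profile` picks from the offered list, or
    None when nothing acceptable was offered (the TLS handshake then fails and
    no DICOM association is opened)."""
    preference = [MANDATORY_SUITE[profile]]
    if profile == AES_PROFILE:
        preference.append(FALLBACK_SUITE)
    for suite in preference:
        if suite in offered:
            return suite
    return None


def negotiate(requestor_profile, acceptor_profile):
    """Outcome between two conforming nodes, one profile each."""
    return acceptor_select(acceptor_profile, requestor_offer(requestor_profile))


def assess(suite):
    """Properties of a 2005-era suite that a reviewer would flag today, read
    off the suite name."""
    findings = []
    if suite.startswith("TLS_RSA_WITH_"):
        findings.append("static RSA key exchange: no forward secrecy")
    if "3DES" in suite:
        findings.append("3DES: 64-bit block cipher, limited safe data volume per key")
    if suite.endswith("_CBC_SHA"):
        findings.append("CBC with HMAC-SHA1 record protection")
    return findings


if __name__ == "__main__":
    pairs = [(AES_PROFILE, AES_PROFILE), (AES_PROFILE, BASIC_PROFILE),
             (BASIC_PROFILE, AES_PROFILE)]
    for req, acc in pairs:
        chosen = negotiate(req, acc)
        print(f"{req[:5]} requestor -> {acc[:5]} acceptor: {chosen}; {assess(chosen)}")
```

An AES-profile node talking to a Basic-profile node ends up on 3DES in either direction, which is exactly the downgrade path the fallback requirement creates: a network observer who can strip AES from a ClientHello forces the weaker suite without either side noticing.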

Page 8: DICOM Security


ISCL Secure Transport Profile

Node Authentication
– Three-pass (four-way) authentication (ISO/IEC 9798-2)

Data Integrity
– MD5 encrypted with DES, or DES-MAC (ISO 8730)

Privacy (Encryption)
– DES, optional

Page 9: DICOM Security

Secure Media

Page 10: DICOM Security


Key Use Case

How can an application know that the information in a DICOM file on the media:
– has not been tampered with?
– is protected from unauthorized access?
– was produced by an authorized source?

Page 11: DICOM Security


Contents

Addresses the following security aspects:
– Source Authentication (optional)
– Data Integrity
– Privacy

Secures each File in a DICOM File-Set (a single DICOM File) by encapsulating its content with the Cryptographic Message Syntax as defined in RFC 2630

Does not additionally secure the File-Set or the media itself

Page 12: DICOM Security


Secure Media Profile

Source Authentication
– RSA Digital Signature

Data Integrity
– SHA Digest

Privacy (Encryption)
– 3DES or AES

Page 13: DICOM Security

Secure Use and Digital Signatures

Page 14: DICOM Security


Key Use Case

How can an application know that an object it received:
– is an Original or a Copy?
– has been authorized, and by whom?
– has not been tampered with?

Page 15: DICOM Security


Contents

Addresses the following security aspects:
– Source Authentication
– Data Integrity

Provides mechanisms to calculate a Digital Signature over Object content and include it as part of the Object

Allows explicit distinction between an Original and a Copy of a SOP Instance with the same UID

Page 16: DICOM Security


Secure Use Profile

Allows AEs to negotiate support of the Secure Use Profile
– Extended Negotiation of Digital Signature Level

Sets the management rules for the Instance Status attribute
– Original, Authorized Original, Authorized Copy

Rules assuring that only one Original of a SOP Instance exists in the system
– MOVE and COPY semantics for the Storage Service

Page 17: DICOM Security


Secure Use Profile

Three levels of Digital Signature support
– No preservation
– Non-bit-preserving
– Bit-preserving

Requires Level 2 (Full) Storage support
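Why the profile ties Digital Signature support to Level 2 (Full) storage, shown as an added Python example that is not code from the presentation or from any DICOM toolkit. A DICOM signature covers a listed set of data elements in one canonical encoding, so a store that re-encodes the object but keeps every element (non-bit-preserving but attribute-preserving) leaves the signature verifiable, while a Level 1 (Base) store, which may discard private elements, or any alteration of a signed element, breaks it. Assumptions, all the example's own: a dataset is a dict of (group, element) to (VR, bytes); the canonical form is a simplified stand-in for the Explicit VR Little Endian encoding the MAC Calculation Transfer Syntax prescribes; and HMAC-SHA256 under a shared key stands in for the RSA signature over a SHA digest, since the standard library has no RSA.

```python
"""Signature survival across attribute-preserving vs attribute-dropping storage.
Added example: simplified canonical encoding and an HMAC stand-in for RSA."""
import hashlib
import hmac
import struct


def canonical_bytes(dataset, signed_tags):
    """Encode the signed elements in one fixed byte form (sorted tag, VR,
    length, value), independent of the transfer syntax the object arrived in.
    Raises KeyError if a signed element is missing from the dataset."""
    out = bytearray()
    for tag in sorted(signed_tags):
        vr, value = dataset[tag]
        out += struct.pack("<HH", tag[0], tag[1])
        out += vr.encode("ascii")
        out += struct.pack("<I", len(value))
        out += value
    return bytes(out)


def sign(dataset, signed_tags, key):
    """Digest the canonical bytes, then 'sign' the digest (HMAC stands in for RSA)."""
    digest = hashlib.sha256(canonical_bytes(dataset, signed_tags)).digest()
    return hmac.new(key, digest, hashlib.sha256).digest()


def verify(dataset, signed_tags, key, signature):
    """False if any signed element is missing or any signed value changed."""
    try:
        expected = sign(dataset, signed_tags, key)
    except KeyError:
        return False
    return hmac.compare_digest(expected, signature)


# Constructed sample object: three standard elements plus one private element.
ORIGINAL = {
    (0x0008, 0x0018): ("UI", b"2.25.123456789012345678901234567890"),  # SOP Instance UID
    (0x0010, 0x0010): ("PN", b"DOE^JANE"),                             # Patient's Name
    (0x0010, 0x0020): ("LO", b"PID-0001"),                             # Patient ID
    (0x0029, 0x1010): ("OB", b"\x01\x02\x03"),                         # private element
}
SIGNED_TAGS = list(ORIGINAL)
SIGNING_KEY = b"demo-signing-key"  # hypothetical; stands in for the signer's private key
SIGNATURE = sign(ORIGINAL, SIGNED_TAGS, SIGNING_KEY)


def store_level2(dataset):
    """Level 2 (Full) storage keeps every element. Re-encoding on the way
    through is simulated by rebuilding the dict in reverse order: the stored
    bytes differ, the canonical form does not."""
    return {tag: dataset[tag] for tag in reversed(list(dataset))}


def store_level1(dataset):
    """Level 1 (Base) storage may discard private (odd-group) elements."""
    return {tag: v for tag, v in dataset.items() if tag[0] % 2 == 0}


def tamper(dataset):
    """Return a copy with one signed element altered."""
    out = dict(dataset)
    out[(0x0010, 0x0010)] = ("PN", b"DOE^JOHN")
    return out


if __name__ == "__main__":
    cases = [("original", ORIGINAL), ("Level 2 store", store_level2(ORIGINAL)),
             ("Level 1 store", store_level1(ORIGINAL)), ("tampered", tamper(ORIGINAL))]
    for label, ds in cases:
        print(f"{label:14s} signature valid: {verify(ds, SIGNED_TAGS, SIGNING_KEY, SIGNATURE)}")
```

The Level 1 case is the one the slide's requirement guards against: nothing malicious happened, the store simply dropped a private element it was allowed to drop, and the signature is now unverifiable for every downstream receiver.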


Page 19: DICOM Security

Attribute Confidentiality Profile

Page 20: DICOM Security


Key Use Case

How can an application know that an object it received:
– does not contain any protected personal information (identifiers)?
– allows an authorized application to restore the identifying information?

Page 21: DICOM Security


Contents

Addresses the following security aspect:
– Data Confidentiality

Provides mechanisms to de-identify a SOP Instance and preserve the original data within the SOP Instance in a protected (encrypted) envelope

Page 22: DICOM Security


Attribute Confidentiality Profile

An application can comply as
– De-identifier
– Re-identifier

De-identifier
– Replaces confidential data with "dummy" values, preserving the validity of the SOP Instance
– Optionally encrypts the original data and includes the encrypted bit-stream as an attribute in the object (3DES or AES)
– The profile defines the list of attributes to replace

Page 23: DICOM Security


Attribute Name                              Tag
Instance Creator UID                        (0008,0014)
SOP Instance UID                            (0008,0018)
Accession Number                            (0008,0050)
Institution Name                            (0008,0080)
Institution Address                         (0008,0081)
Referring Physician’s Name                  (0008,0090)
Referring Physician’s Address               (0008,0092)
Referring Physician’s Telephone Numbers     (0008,0094)
Station Name                                (0008,1010)
… more attributes are defined …

Page 24: DICOM Security


Attribute Confidentiality Profile

Re-identifier
– If possessing valid keys, decrypts the original values
– Restores the original values of attributes that were de-identified
– The profile defines the list of attributes to replace
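Both roles of the profile, the De-identifier of the earlier slide and the Re-identifier of this one, as one added Python example that is not code from the presentation or from any DICOM toolkit. Assumptions, all the example's own: a dataset is a dict of (group, element) to string; the attribute list is the subset of tags shown in the table above; dummy values follow the slide's rule of keeping the object valid (UIDs become fresh UUID-derived UIDs under the 2.25 root, text attributes become a fixed placeholder); Encrypted Attributes Sequence (0400,0500) is the real DICOM tag that carries the envelope, but its internal structure is reduced here to one byte string; and, because the standard library has no 3DES or AES, the envelope is an HMAC-SHA256 keystream with an HMAC tag, a stand-in named as such for the 3DES/AES CMS envelope the profile specifies.

```python
"""De-identifier / Re-identifier for the Attribute Confidentiality Profile.
Added example; the sealed envelope is a stdlib stand-in for CMS with 3DES/AES."""
import hashlib
import hmac
import json
import os
import uuid

# Tags from the slide's table; "UI" needs a valid replacement UID, "TXT" a placeholder.
CONFIDENTIAL_TAGS = {
    (0x0008, 0x0014): "UI",   # Instance Creator UID
    (0x0008, 0x0018): "UI",   # SOP Instance UID
    (0x0008, 0x0050): "TXT",  # Accession Number
    (0x0008, 0x0080): "TXT",  # Institution Name
    (0x0008, 0x0081): "TXT",  # Institution Address
    (0x0008, 0x0090): "TXT",  # Referring Physician's Name
    (0x0008, 0x0092): "TXT",  # Referring Physician's Address
    (0x0008, 0x0094): "TXT",  # Referring Physician's Telephone Numbers
    (0x0008, 0x1010): "TXT",  # Station Name
}
ENCRYPTED_ATTRIBUTES = (0x0400, 0x0500)  # Encrypted Attributes Sequence


def _subkeys(key):
    """Separate confidentiality and integrity keys derived from one secret."""
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()


def _keystream(enc_key, nonce, length):
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key, plaintext):
    """nonce || ciphertext || tag, encrypt-then-MAC (stand-in for the CMS envelope)."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_sealed(key, blob):
    """Check the tag before decrypting; a wrong key or a modified blob fails here."""
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest(), tag):
        raise ValueError("envelope authentication failed")
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def dummy_value(kind):
    # "2.25.<decimal UUID>" is a valid DICOM UID and stays under the 64-character limit.
    return "2.25." + str(uuid.uuid4().int) if kind == "UI" else "ANONYMIZED"


def de_identify(dataset, envelope_key=None):
    """Replace the listed attributes. With a key, the originals are sealed into
    the Encrypted Attributes Sequence; without one they are discarded."""
    out = dict(dataset)
    originals = {}
    for tag, kind in CONFIDENTIAL_TAGS.items():
        if tag in dataset:
            originals[f"{tag[0]:04X},{tag[1]:04X}"] = dataset[tag]
            out[tag] = dummy_value(kind)
    if envelope_key is not None:
        out[ENCRYPTED_ATTRIBUTES] = seal(envelope_key, json.dumps(originals, sort_keys=True).encode())
    return out


def re_identify(dataset, envelope_key):
    """Open the envelope and put the original values back; the envelope itself is removed."""
    blob = dataset.get(ENCRYPTED_ATTRIBUTES)
    if blob is None:
        raise ValueError("object carries no Encrypted Attributes Sequence")
    originals = json.loads(open_sealed(envelope_key, blob))
    out = {tag: v for tag, v in dataset.items() if tag != ENCRYPTED_ATTRIBUTES}
    for tag_str, value in originals.items():
        group, element = tag_str.split(",")
        out[(int(group, 16), int(element, 16))] = value
    return out


def can_re_identify(dataset, envelope_key):
    try:
        re_identify(dataset, envelope_key)
        return True
    except ValueError:
        return False


# Constructed sample object; all values are made up.
SAMPLE = {
    (0x0008, 0x0018): "2.25.987654321098765432109876543210",
    (0x0008, 0x0050): "ACC-2005-0001",
    (0x0008, 0x0080): "Example Hospital",
    (0x0008, 0x0090): "SMITH^JOHN",
    (0x0008, 0x1010): "CT01",
    (0x0008, 0x0060): "CT",  # Modality: not in the list, must survive unchanged
}
DEMO_KEY = b"re-identifier-shared-secret"  # hypothetical

if __name__ == "__main__":
    deid = de_identify(SAMPLE, DEMO_KEY)
    print(deid[(0x0008, 0x0090)], deid[(0x0008, 0x0018)])
    print(re_identify(deid, DEMO_KEY) == SAMPLE, can_re_identify(deid, b"wrong key"))
```

Two points the code makes that the slide only implies: the SOP Instance UID is in the list, so the de-identified object is a different instance and the original UID is recoverable only from the envelope; and an object carrying the envelope is only as confidential as the key, so a recipient that is not meant to re-identify should receive the output of `de_identify(dataset)` with no key at all.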

Page 25: DICOM Security

Questions?