Secure DICOM Networking (DICOM TLS)

Secure DICOM Networking uses TLS (Transport Layer Security) to encrypt the DICOM network traffic and to validate peer AE identity.


interface  IDCXSEC
 Use this interface for secured DICOM network configuration and control.



Detailed Description

Secure DICOM Networking uses TLS (Transport Layer Security) to encrypt the DICOM network traffic and to validate peer AE identity.

TLS Basics

TLS uses public-key cryptography. There are two aspects of security to consider:

  1. Verifying the identity of the parties, to make sure that you are communicating with the right party, and
  2. Encrypting the communication, to make sure no other party can eavesdrop on it.

Each party in the communication has a pair of keys, a private key and a public key. Keep the private key secret and never share it with anyone. The public key is usually included in a 'Certificate'. The private key is sometimes called simply the 'Key'.

The public key is, as its name says, public and can be safely shared with anyone. Each party uses the other party's public key to encrypt the messages that it wants to send to it.

A message that was encrypted using a public key can only be decrypted with the matching private key, so only the party it was meant for can decrypt and read the message content.

Asymmetric encryption (public-private keys) is used only to set up the secure connection. During this setup the parties exchange a symmetric encryption key that is then used throughout the communication. This is however internal to the implementation and the user is not required to take care of it.

Certificate Stores
MODALIZER SDK uses the Windows OS certificate stores to keep the public and private keys.

The Windows OS has two types of stores:

  1. the current user store, one per user account, and
  2. the local computer store.

When running as a specific user account, MODALIZER SDK uses that user's certificate store. When running as the local system account, MODALIZER SDK uses the local system (local computer) certificate store.

Within the certificate store, MODALIZER SDK uses the keys in the Personal store (My) to identify the local AE.

Use the Windows MMC, the security API or PowerShell cmdlets to maintain the certificate stores.
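The following PowerShell script is an added example, not MODALIZER SDK code. It shows what a practitioner typically checks in the Personal (My) store before pointing the SDK at it: which store the current account would resolve to, and which certificates there actually carry a private key, are within their validity period and permit TLS use. A second function creates a self-signed lab certificate in that store and exports only its public part so a peer can compare copies or pin the thumbprint. The AE title, store choice and export path are assumptions for the example.

```powershell
# Added example (not MODALIZER SDK code): inspect the Personal (My) store that a DICOM AE
# identifies itself from. Store selection mirrors the page's rule: the local system
# account maps to LocalMachine, any other account to CurrentUser.

function Get-DicomAeCandidateCertificate {
    [CmdletBinding()]
    param(
        [ValidateSet('CurrentUser', 'LocalMachine')]
        [string]$StoreLocation = $(
            if ([Security.Principal.WindowsIdentity]::GetCurrent().IsSystem) { 'LocalMachine' } else { 'CurrentUser' }
        )
    )

    # Extended Key Usage OIDs for TLS (PKIX): Server Authentication and Client Authentication
    $serverAuth = '1.3.6.1.5.5.7.3.1'
    $clientAuth = '1.3.6.1.5.5.7.3.2'
    $now = Get-Date

    Get-ChildItem -Path "Cert:\$StoreLocation\My" | ForEach-Object {
        $cert = $_
        $ekuOids = @()
        foreach ($ext in $cert.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                $ekuOids = @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
            }
        }
        # A certificate without an EKU extension is unrestricted; otherwise require a TLS EKU.
        $tlsCapable = ($ekuOids.Count -eq 0) -or ($ekuOids -contains $serverAuth) -or ($ekuOids -contains $clientAuth)

        [pscustomobject]@{
            Store         = $StoreLocation
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
            Usable        = $cert.HasPrivateKey -and $tlsCapable -and
                            ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
        }
    }
}

# Lab use: create a self-signed AE certificate in the chosen store and export the public
# part only (DER .cer, no private key) so a peer can compare copies or pin the thumbprint.
function New-DicomAeLabCertificate {
    [CmdletBinding()]
    param(
        [string]$AeTitle = 'MY_AE',                       # assumed AE title (placeholder)
        [ValidateSet('CurrentUser', 'LocalMachine')]
        [string]$StoreLocation = 'CurrentUser',
        [string]$ExportPath = "$env:TEMP\$AeTitle.cer"    # assumed export location
    )

    $cert = New-SelfSignedCertificate -Subject "CN=$AeTitle" `
        -CertStoreLocation "Cert:\$StoreLocation\My" `
        -KeyAlgorithm RSA -KeyLength 2048 `
        -KeyExportPolicy NonExportable `
        -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2') `
        -NotAfter (Get-Date).AddYears(1)

    Export-Certificate -Cert $cert -FilePath $ExportPath | Out-Null
    Write-Verbose "Exported public certificate to $ExportPath"
    $cert.Thumbprint
}

# Review what the SDK would find in the store for the current account:
Get-DicomAeCandidateCertificate | Format-Table -AutoSize
```

Writing to `Cert:\LocalMachine\My` requires an elevated shell. The `NonExportable` key policy keeps the private key from leaving the store, which matches the page's advice to never share it; the exported `.cer` file contains only the public certificate.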

Chains of Trust and Certificate Authentication

Verifying the identity of the parties in the communication is fundamental to TLS and is of major concern when developing applications for healthcare that must protect Protected Health Information (PHI). That's where the certificate comes in handy. In addition to the public key, the certificate also includes more information such as a serial number, date of issue, name and intended use. To verify the certificate there are basically two options.

The first option is that you received the other party's information in advance and can compare the information on the certificate with the information you have. For example, you had a meeting with the owners of the certificate and they gave you a copy of it. In this case you can simply compare the two copies and confirm the identity of the other party on the line.

The other option is useful when you don't know the other party in advance. The solution in this case is a Certificate Authority (CA). Just like a physical certificate (such as a passport or driver's license), a certificate may carry a signature. On a physical certificate you would see a stamp, watermark or other marks that show that the certificate is authentic. When a certificate is signed by a CA you can check the CA's information and decide whether you trust this CA or not. By verifying the authenticity of this 'digital signature' you can decide whether to trust the other party or not.

Cipher Suites
Cipher suites are sets of algorithms that are used by TLS. MODALIZER SDK delegates the selection, enabling and disabling of cipher suites to the Windows operating system. Use PowerShell cmdlets to configure, enable or disable cipher suites.
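Because the SDK inherits whatever the operating system offers, the cipher suite review happens in PowerShell rather than in the SDK. The script below is an added example, not MODALIZER SDK code: it lists the suites Windows currently enables, flags those a common hardening baseline rejects, and disables them only when explicitly asked. The set of "weak" name patterns is an assumption for the example, not a list from the page.

```powershell
# Added example (not MODALIZER SDK code): review and harden the Windows TLS cipher suite list
# that MODALIZER SDK will use. Requires the TLS module (Windows 10 / Server 2016 or later)
# and an elevated shell for any change.

function Get-WeakTlsCipherSuite {
    # Assumed baseline: legacy/export ciphers, no encryption, MD5, and static RSA key exchange
    # (TLS_RSA_WITH_*, which gives no forward secrecy). TLS 1.3 suites (TLS_AES_*) are not matched.
    $weakPatterns = @('_RC4_', '_3DES_', '_DES_', '_NULL_', '_MD5', '_EXPORT', '^TLS_RSA_WITH_', '^SSL_')

    Get-TlsCipherSuite | ForEach-Object {
        $name = $_.Name
        $hits = @($weakPatterns | Where-Object { $name -match $_ })
        if ($hits.Count -gt 0) {
            [pscustomobject]@{ Name = $name; Reason = ($hits -join ', ') }
        }
    }
}

function Disable-WeakTlsCipherSuite {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    foreach ($suite in Get-WeakTlsCipherSuite) {
        # -WhatIf prints the intended action; -Confirm prompts per suite.
        if ($PSCmdlet.ShouldProcess($suite.Name, "Disable cipher suite ($($suite.Reason))")) {
            Disable-TlsCipherSuite -Name $suite.Name
        }
    }
}

# 1) Review what would be removed, 2) dry run, 3) apply (elevated) only after both.
Get-WeakTlsCipherSuite | Format-Table -AutoSize
Disable-WeakTlsCipherSuite -WhatIf
# Disable-WeakTlsCipherSuite
```

The change is system-wide: every TLS client and server on the host is affected, not just the DICOM AE, and a peer must still share at least one enabled suite with you. Re-enable a suite with `Enable-TlsCipherSuite -Name <suite>` if an older modality can no longer connect.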

Enumeration Type Documentation


This enum selects the certificate store. When running in the local system account, the default store is the computer store. When running in a user account, the default store is the current user store. The selected store can be changed using the IDCXSEC.CertStore property. Note that local security policy may deny access to a store and prevent its use.


Current user store.


Local Computer Store.


This enum selects the method used to verify the peer identity. See IDCXSEC.VerificationMethod.


No verification: any certificate is accepted.


Use the certificate chain of trust. A certificate is accepted if it passes the operating system's verification using the wincrypt API. See


Look up the peer certificate thumbprint in the list assigned to IDCXSEC.AcceptedThumbprints.
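The two verification methods described under "Chains of Trust and Certificate Authentication" and listed in this enum can be reproduced outside the SDK, which is useful when an association is rejected and you want to see why. The script below is an added example, not MODALIZER SDK code: it takes a certificate file the peer has sent and applies either a fixed accepted-thumbprint list (the AcceptedThumbprints idea) or operating-system chain building through .NET's X509Chain, which is backed by wincrypt. The file path and thumbprints in the usage lines are placeholders.

```powershell
# Added example (not MODALIZER SDK code): check a peer certificate the way the SDK's
# verification methods do. 'None' accepts anything, 'Thumbprint' requires an exact
# match in an accepted list, 'Chain' asks Windows to build a chain to a trusted root.

function Test-DicomPeerCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$CertificatePath,                       # DER or PEM .cer received from the peer
        [ValidateSet('None', 'Chain', 'Thumbprint')]
        [string]$Method = 'Chain',
        [string[]]$AcceptedThumbprints = @()            # SHA-1 thumbprints as Windows displays them
    )

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertificatePath
    $result = [ordered]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        Method     = $Method
        Accepted   = $false
        Detail     = ''
    }

    switch ($Method) {
        'None' {
            $result.Accepted = $true
            $result.Detail = 'no verification: any certificate is accepted'
        }
        'Thumbprint' {
            # Normalize copy-pasted thumbprints (spaces, colons, case) and require an exact match.
            $normalized = @($AcceptedThumbprints | ForEach-Object { ($_ -replace '[\s:]', '').ToUpperInvariant() })
            $result.Accepted = $normalized -contains $cert.Thumbprint.ToUpperInvariant()
            $result.Detail = if ($result.Accepted) { 'thumbprint is in the accepted list' }
                             else { 'thumbprint is not in the accepted list' }
        }
        'Chain' {
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            # Check revocation online and require the Server Authentication EKU on the peer certificate.
            $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
            $chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::NoFlag
            $serverAuth = New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.1'
            $chain.ChainPolicy.ApplicationPolicy.Add($serverAuth) | Out-Null

            $ok = $chain.Build($cert)
            $result.Accepted = $ok
            if ($ok) {
                $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
                $result.Detail = "chain ends in trusted root: $($root.Subject)"
            } else {
                # Each ChainStatus entry names one failure (untrusted root, expired, revoked, ...).
                $result.Detail = ($chain.ChainStatus | ForEach-Object {
                    "$($_.Status): $($_.StatusInformation.Trim())"
                }) -join '; '
            }
        }
    }

    [pscustomobject]$result
}

# Usage (placeholders):
# Test-DicomPeerCertificate -CertificatePath 'C:\dicom\peer.cer' -Method Chain
# Test-DicomPeerCertificate -CertificatePath 'C:\dicom\peer.cer' -Method Thumbprint `
#     -AcceptedThumbprints @('0123456789ABCDEF0123456789ABCDEF01234567')
```

Run the Chain check under the same account the AE runs as, since the trusted root and intermediate stores differ between the current user and local computer stores, exactly as the certificate store enum describes. The Detail field reports the first reason Windows gives for rejecting the chain, which is usually the information missing from a bare "connection refused" in the DICOM log.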