Secure DICOM Networking uses TLS (Transport Layer Security) to encrypt the DICOM network traffic and to validate the peer AE identity.
Classes | |
---|---|
interface IDCXSEC | Use this interface for secured DICOM network configuration and control. The security context includes properties and methods to configure and control encrypted network communication. To enable the security layer, create a security context instance and set it using the DCXREQ or DCXACC SecurityContext property. See IDCXREQ.CertContext and IDCXACC.CertContext. |
TLS uses public-key cryptography (https://en.wikipedia.org/wiki/Public-key_cryptography). There are two aspects of security to consider: encrypting the traffic and verifying the identity of the peer.
Each party in the communication has a pair of keys, private and public. Keep the private key secret and never share it with anyone. The public key is usually included in a 'Certificate'. The private key is sometimes called simply 'Key'.
The public key is, as its name says, public and can be safely shared with anyone. Each party uses the other party's public key to encrypt the messages that it wants to send to it.
A message that was encrypted using a public key can only be decrypted with the matching private key, so only the party it was meant for can decrypt and read the message content.
The asymmetric encryption (public-private keys) is used only to set up the secure connection. During this setup the parties exchange a symmetric encryption key that is then used throughout the communication. This is however internal to the implementation and the user is not required to take care of it.
The Windows OS has two types of certificate stores: the current user store and the local computer store.
When running as a specific user account, MODALIZER SDK will use that user's Certificate Store. When running as the local system account, MODALIZER SDK will use the local system Certificate Store.
Within the certificate store MODALIZER SDK uses the keys in the Personal Store (My) to identify the local AE.
Use the Windows MMC, security API or PowerShell Cmdlets to maintain the certificate stores.
Verifying the identity of the parties in the communication is fundamental to TLS and is of major concern when developing applications for healthcare that should protect Patient Healthcare Information (PHI). That's where the certificate becomes handy. In addition to the public key, the certificate also includes more information such as a serial number, date of issue, name and intended use.
To verify the certificate there are basically two options. The first option is that you got the information of the other party in advance and you can compare the information on the certificate with the information you have. For example, you had a meeting with the owners of the certificate and they gave you a copy of it. In this case you can simply compare the two copies and confirm the identity of the other party on the line.
The other option is useful when you don't know the other party in advance. The solution in this case is a Certificate Authority (CA). Just like a physical certificate (like a passport or driver's license), a certificate may carry a signature. On a physical certificate you would see a stamp, watermark or other marks that show that the certificate is authentic. When a certificate is signed by a CA you can check the CA's information and decide if you trust this CA or not. By verifying the authenticity of this 'digital signature' you can decide whether to trust the other party or not.
enum DCXSEC_CERT_STORE
This enum is used to select the certificate store. When running in the local system account, the default store is the computer store. When running in a user account, the default store is the current user store. The selected store can be changed using the IDCXSEC.CertStore property. Note that the local security policy may deny access to the stores and prevent using them.
Enumerator | |
---|---|
DCXSEC_CERT_STORE_CURRENT_USER | Current user store. |
DCXSEC_CERT_STORE_LOCAL_COMPUTER | Local Computer Store. |
This enum is used to select the method that is used to verify the peer identity. See IDCXSEC.VerificationMethod.
Enumerator | |
---|---|
DCXSEC_VERIFICATION_METHOD_NONE | No verification - Any certificate is accepted. |
DCXSEC_VERIFICATION_METHOD_TRUST_CHAIN | Use the certificate chain of trust. A certificate is accepted if it passes the verification of the operating system using the wincrypt API; see https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certverifycertificatechainpolicy |
DCXSEC_VERIFICATION_METHOD_THUMBPRINT | Look-up the peer certificate thumbprint in the list assigned to IDCXSEC.AcceptedThumbprints. |
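The following PowerShell script is an added example, not code from MODALIZER SDK or its documentation. It covers the two practical tasks the page describes: locating the certificate in the Personal (My) store of the correct account that the SDK will use as the local AE identity, and preparing a peer thumbprint for DCXSEC_VERIFICATION_METHOD_THUMBPRINT (with the same chain check the operating system performs for DCXSEC_VERIFICATION_METHOD_TRUST_CHAIN, for comparison). The path `C:\certs\peer.cer` and the variable names are placeholders chosen for this example; the SDK property calls that would consume these values are not shown because the page does not document their syntax.

```powershell
# Added example (not MODALIZER SDK code). Assumes 'C:\certs\peer.cer' is a
# certificate file exported by the peer AE (placeholder path).

# 1. Pick the store the SDK will read: LocalMachine when running as the Local
#    System account, CurrentUser for an ordinary user account (see the page).
$isSystem  = [Security.Principal.WindowsIdentity]::GetCurrent().IsSystem
$storePath = if ($isSystem) { 'Cert:\LocalMachine\My' } else { 'Cert:\CurrentUser\My' }

# 2. Local AE identity: the SDK uses keys in the Personal (My) store, so a usable
#    candidate must have its private key present and be within its validity period.
$now = Get-Date
$identityCerts = Get-ChildItem -Path $storePath |
    Where-Object { $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $now }
if (-not $identityCerts) {
    Write-Warning "No certificate with a private key found in $storePath; the local AE cannot present an identity."
}
$identityCerts | Select-Object Subject, Thumbprint, NotAfter | Format-Table -AutoSize

# 3. Peer thumbprint for DCXSEC_VERIFICATION_METHOD_THUMBPRINT: the Thumbprint
#    property is the SHA-1 hash of the DER encoding, upper-case hex without spaces.
$peerPath = 'C:\certs\peer.cer'   # placeholder
$peer = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($peerPath)
$peerThumbprint = $peer.Thumbprint

# A thumbprint copied from the MMC details pane contains spaces and sometimes an
# invisible leading character; normalise it before comparing or configuring it.
function ConvertTo-NormalizedThumbprint([string] $raw) {
    return (($raw -replace '[^0-9A-Fa-f]', '')).ToUpperInvariant()
}
$fromMmc = ConvertTo-NormalizedThumbprint -raw ' 1a 2b 3c '   # constructed sample input
if ($fromMmc.Length -ne 40) {
    Write-Warning "A SHA-1 thumbprint must be 40 hex digits; got $($fromMmc.Length)."
}
if ($peerThumbprint -ne $fromMmc) {
    Write-Host "Thumbprint from file ($peerThumbprint) does not match the value typed from MMC ($fromMmc)."
}

# 4. For comparison with DCXSEC_VERIFICATION_METHOD_TRUST_CHAIN: ask the OS chain
#    engine whether the peer certificate verifies under the SSL policy.
$chainOk = Test-Certificate -Cert $peer -Policy SSL -ErrorAction SilentlyContinue
Write-Host "Peer chain verifies under SSL policy: $chainOk"
```

Run the script under the same account the DICOM application will use, since the page notes that the store depends on the account and that local security policy may deny access. Only certificates listed in step 2 can identify the local AE; a certificate without its private key, or one found only in the other account's store, will not be used.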