DCMTK TLS and certificates use

All other questions regarding DCMTK

Moderator: Moderator Team

Post Reply
Message
Author
Florian Bouillet
Posts: 1
Joined: Mon, 2022-05-02, 14:54

DCMTK TLS and certificates use

#1 Post by Florian Bouillet »

Hello,

I'm wondering what is the standard use of TLS+DICOM in a professional environment.
I'm not an expert of TLS usage but as far as I understood and since my use case is using storescu and storescp :
- I can use storescp with +tls option and a certificate/key couple
- I can use storescu with +tla option

Is that the usual way to use TLS in a hospital where storescp is a PACS and storescu a data provider inside the hospital ?
Does storescu need to provide its own certificate/key couple ?
Are certificates in hospitals official PACS properly signed or could they be self-signed meaning that storescu should accept self-signed certificates ?
Are certificates usually provided by the hospital or the data provider ?
In the case where PACS has the storescu role, is it possible to use its certificate/key couple when communicating with a storescp ?

Please feel free to enlighten my understanding if I made some mistakes.
Kind regards,

Florian Bouillet

Marco Eichelberg
OFFIS DICOM Team
OFFIS DICOM Team
Posts: 1437
Joined: Tue, 2004-11-02, 17:22
Location: Oldenburg, Germany
Contact:

Re: DCMTK TLS and certificates use

#2 Post by Marco Eichelberg »

To my knowledge, TLS is used very little so far, and where it is used, it is primarily used for connections between healthcare provides, not within a hospital, although the rise of cybersecurity incidents may change this in the future.

Although technically possible, the "anonymous" TLS mode where the server proves its identity using a public/private key pair, but the client does not, is not useful in a hospital setting. If you think of a PACS server, it is actually more important that the PACS server only "talks" to trustworthy clients and does not permit information access otherwise. The risk of a modality or diagnostic workstation accidentally sending to a "rogue PACS server" in the network is very small. So it does make sense to use storescu with the +tls mode.

As long as certificates are used within a hospital, self-signed certificates make more sense than official ones, because this allows the hospital to control which devices get a certificate (and thus access to a certain server) and which ones do not. The problem is that hospitals nowadays hardly have any public key infrastructure in place for managing this, and there are no common standards for automated certificate renewal (other than Let'sEncrypt, which is not suitable for the purpose of in-hospital PKI).

Other forum participants are invited to agree or disagree and add their comments!

amal.jesudas
Posts: 36
Joined: Tue, 2017-12-19, 11:49

Re: DCMTK TLS and certificates use

#3 Post by amal.jesudas »

Just putting in my two cents on this topic.
Based on my limited knowledge on how the situation is working out with TLS, I would still say - "It is rapidly gaining popularity".
Much of this has to do with laws and regulatory compliances that medical devices need to meet for selling their products.
Strict laws related to security are being made mandatory and more and more OEMs are looking to implement encryption.
So there is huge relevance to TLS based implementations.

As pointed out by Marco, may be a very low percentage is using TLS now.
This being the case, there is still not a lot of clarity on usage of cipher suites including anonymous TLS and how certificates need to be handled.
There is also a certain section of OEMs that are looking at using Windows Certificate store.
All this is still pretty grey now, but in another year we should see more light.

The above points are put forward based on my experience with 2-3 medical device companies who hold major market share.
Things are changing and as Florian and Marco mentioned, I would like others too to join this discussion.

Regards,
Amal

Post Reply

Who is online

Users browsing this forum: Ahrefs [Bot], Google [Bot] and 1 guest