Secure transmission

All other questions regarding DCMTK

Spiney
Posts: 3
Joined: Wed, 2010-09-08, 23:30

Secure transmission

#1 Post by Spiney »

I've been using the dcmtk for a few years now, and first off, I have to say this is a fantastic set of tools for the medical imaging community.

I have been working with encryption using the storescp and storescu utilities. The version I'm using is the version that was available to download earlier this month. I compiled these on Windows and everything works fine.

The encryption portion is somewhat of a mystery to me. I was wanting to verify that the data is being sent encrypted, and I'm thinking that TLS with a 1024-bit key generated by openssl would be the best possible solution for this.

My questions are as follows:
How can I verify that the image data is being encrypted?
Can I use another cipher along with the TLS option? Is this needed?

Thanks,
Spiney

Shaeto
Posts: 147
Joined: Tue, 2009-01-20, 17:50
Location: CA, USA

#2 Post by Shaeto »

dcmtk sends data through the tls layer socket, so all incoming/outgoing data is encrypted. you can check tlslayer.cpp and/or use tcpdump to make sure :)

also there is a list of ciphers; by default scu/scp use TLS1_TXT_RSA_WITH_AES_128_SHA or SSL3_TXT_RSA_DES_192_CBC3_SHA

imho it is enough.
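
To make the tcpdump check suggested above concrete, here is an added example (not part of the original post and not DCMTK code) that classifies the first bytes a client sends to the DICOM port: a TLS session opens with a handshake record, while an unencrypted association opens with an A-ASSOCIATE-RQ PDU whose AE titles are readable. The function names and the sample byte strings are constructed for illustration.

```python
import struct

TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
DICOM_PDU_TYPES = {1: "A-ASSOCIATE-RQ", 2: "A-ASSOCIATE-AC", 3: "A-ASSOCIATE-RJ",
                   4: "P-DATA-TF", 5: "A-RELEASE-RQ", 6: "A-RELEASE-RP", 7: "A-ABORT"}


def classify_first_bytes(payload: bytes) -> str:
    """Classify the start of a TCP payload captured on a DICOM port."""
    if len(payload) < 6:
        return "too-short"
    # TLS record header: content type (1), version major/minor (2), length (2).
    ctype, major, minor, rec_len = struct.unpack(">BBBH", payload[:5])
    if (ctype in TLS_CONTENT_TYPES and major == 3 and minor <= 4
            and 0 < rec_len <= 2**14 + 2048):
        # A new TLS connection opens with a handshake record holding ClientHello (1).
        if ctype == 22 and payload[5] == 1:
            return "tls-client-hello"
        return "tls-record:" + TLS_CONTENT_TYPES[ctype]
    # DICOM Upper Layer PDU header: type (1), reserved 0x00 (1), length (4, big-endian).
    pdu_type, reserved, pdu_len = struct.unpack(">BBI", payload[:6])
    if pdu_type in DICOM_PDU_TYPES and reserved == 0 and pdu_len > 0:
        return "cleartext-dicom:" + DICOM_PDU_TYPES[pdu_type]
    return "unknown"


def leaked_ae_titles(payload: bytes):
    """Return (called, calling) AE titles if they are readable on the wire, else None."""
    if classify_first_bytes(payload) != "cleartext-dicom:A-ASSOCIATE-RQ" or len(payload) < 42:
        return None
    # After the 6-byte header: protocol version (2), reserved (2), then two 16-byte titles.
    called = payload[10:26].decode("ascii", "replace").strip()
    calling = payload[26:42].decode("ascii", "replace").strip()
    return called, calling


def build_sample_associate_rq(called: str, calling: str) -> bytes:
    """Constructed sample: fixed part of an A-ASSOCIATE-RQ, without presentation items."""
    body = (struct.pack(">HH", 1, 0) + called.ljust(16).encode("ascii")
            + calling.ljust(16).encode("ascii") + bytes(32))
    return struct.pack(">BBI", 1, 0, len(body)) + body


# Constructed samples, not captured traffic.
SAMPLE_TLS = bytes.fromhex("16030100c8010000c40303")
SAMPLE_DICOM = build_sample_associate_rq("STORESCP", "STORESCU")

if __name__ == "__main__":
    for name, data in (("tls", SAMPLE_TLS), ("dicom", SAMPLE_DICOM)):
        print(name, classify_first_bytes(data), leaked_ae_titles(data))
```

If the capture of a TLS-enabled storescu session ever yields a `cleartext-dicom` result, the connection was not negotiated over TLS.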

Shaeto
Posts: 147
Joined: Tue, 2009-01-20, 17:50
Location: CA, USA

#3 Post by Shaeto »

btw 1 comment: i tried to use a standard certificate schema - Root CA - Root 1 CA - Department Cert - Dicom Hosts certificates blabla and found that the default tlslayer (and tlsscu also) accepts any connection with a certificate signed by Root CA (or Root 1 CA). it is not good if we want to allow only ONE certificate from the list of Dicom Hosts certificates, so we have to use setCertificateVerification with our own callback to reject unwanted certificates.

Spiney
Posts: 3
Joined: Wed, 2010-09-08, 23:30

#4 Post by Spiney »

Could you not set it to where it will only accept certain certificates by the --add-cert-file option?

Shaeto
Posts: 147
Joined: Tue, 2009-01-20, 17:50
Location: CA, USA

#5 Post by Shaeto »

correct, but in this case you can use only self-signed certificates. openssl requires the full chain if you want to use the "CA" schema.
