Presentation is loading. Please wait.

Presentation is loading. Please wait.

DICOM Security Andrei Leontiev, Dynamic Imaging Presentation prepared by: Lawrence Tarbox, Ph.D. Chair, WG 14 Mallinckrodt Institute of Radiology Washington.

Published byAnne Lambert Modified over 8 years ago

Similar presentations

Presentation on theme: "DICOM Security Andrei Leontiev, Dynamic Imaging Presentation prepared by: Lawrence Tarbox, Ph.D. Chair, WG 14 Mallinckrodt Institute of Radiology Washington."— Presentation transcript:

1 DICOM Security Andrei Leontiev, Dynamic Imaging Presentation prepared by: Lawrence Tarbox, Ph.D. Chair, WG 14 Mallinckrodt Institute of Radiology Washington University in St. Louis School of Medicine

2 April 1, 2005DICOM Seminar – Singapore 2005 3 Supplements Digital Signatures in Structured Reports Digital Signatures in Structured Reports –In its public comment period (Supp. 86) Audit Trail Messages Audit Trail Messages –Frozen Trial Use Draft (Supp. 95) Extended Negotiation of User Identity Extended Negotiation of User Identity –Out for letter ballot now (Supp. 99)

3 Digital Signatures in Structured Reports Supplement 86

4 April 1, 2005DICOM Seminar – Singapore 2005 Status Has evolved to meet a new set of use cases Has evolved to meet a new set of use cases Completed public comment Completed public comment Currently in Letter Ballot Currently in Letter Ballot

5 April 1, 2005DICOM Seminar – Singapore 2005 Contents Addresses issues brought up in Digital Signature implementations: Addresses issues brought up in Digital Signature implementations: –Digital Signature Purpose field (e.g. author, verifier, transcriptionist, device) –Reports with multiple signers Adds methods to securely reference other composite objects Adds methods to securely reference other composite objects –Via Digital Signature in the referenced object –Via MAC embedded in the reference itself Adds profiles for using Digital Signatures in SRs Adds profiles for using Digital Signatures in SRs Extends Key Object Selection template to address new use cases Extends Key Object Selection template to address new use cases

6 April 1, 2005DICOM Seminar – Singapore 2005 Key Use Case How can an application know what objects constitute a complete set?

7 April 1, 2005DICOM Seminar – Singapore 2005 Options Considered Why not MPPS? Why not MPPS? –MPPS is not a persistent (composite) object –MPPS could trigger generation of a signed Key Object Selection document Why not Storage Commitment Why not Storage Commitment –Did not wish to change semantics some applications currently associate with Storage Commitment

8 April 1, 2005DICOM Seminar – Singapore 2005 Key Object Selection Extensions New Document Titles: New Document Titles: –Complete Study/Acquisition Content –Manifest –Related Contend Allow Key Object Selection Documents to refer to other Key Object Selection Documents (not allowed previously) Allow Key Object Selection Documents to refer to other Key Object Selection Documents (not allowed previously)

9 Audit Messages Supplement 95

10 April 1, 2005DICOM Seminar – Singapore 2005 Status Supplement 95 was frozen last June for trial use Supplement 95 was frozen last June for trial use Several trial implementations of the new audit trail message format now exist (IHE Connectathon 2005) Several trial implementations of the new audit trail message format now exist (IHE Connectathon 2005) No significant changes expected before letter ballot this spring No significant changes expected before letter ballot this spring IHE considering deprecating the initial message format IHE considering deprecating the initial message format

11 April 1, 2005DICOM Seminar – Singapore 2005 Lets Clear the Confusion! Base XML message format specified in RFC nnnn Base XML message format specified in RFC nnnn –To be shared by multiple domains –Needs vocabulary definition to be useful Supplement 95 profiles, augments, and defines DICOM-specific vocabulary Supplement 95 profiles, augments, and defines DICOM-specific vocabulary –Use the schema in Supplement to create messages and read DICOM extensions –Audit repositories can interpret key using the schema in the RFC

12 April 1, 2005DICOM Seminar – Singapore 2005 Next Steps Expected to go to Letter Ballot in June

13 Extended Negotiation of User Identity Supplement 99

14 April 1, 2005DICOM Seminar – Singapore 2005 Use Cases Facilitates audit logging Facilitates audit logging Step toward cross-system authorization and access controls Step toward cross-system authorization and access controls –DICOM still leaves access control in the hands of the application Query Filtering Query Filtering –For productivity as well as security

15 April 1, 2005DICOM Seminar – Singapore 2005 Design Goals Independent of other security mechanisms Independent of other security mechanisms Avoid incompatibility with the installed base Avoid incompatibility with the installed base No changes to current DICOM security mechanisms No changes to current DICOM security mechanisms Minimum of changes to existing implementation libraries Minimum of changes to existing implementation libraries Extensible for future mechanisms, e.g. Security Assertion Markup Language (SAML) Extensible for future mechanisms, e.g. Security Assertion Markup Language (SAML) Established during association negotiation before any regular DIMSE transactions take place, allowing SCU to reject associations based on ID Established during association negotiation before any regular DIMSE transactions take place, allowing SCU to reject associations based on ID

16 April 1, 2005DICOM Seminar – Singapore 2005 Several Options Several Options User identity alone, with no other security mechanisms User identity alone, with no other security mechanisms User identity plus the current DICOM TLS mechanism User identity plus the current DICOM TLS mechanism User identity plus future lower level transport mechanisms (e.g. IPv6 with security option) User identity plus future lower level transport mechanisms (e.g. IPv6 with security option) User identity plus VPN User identity plus VPN

17 April 1, 2005DICOM Seminar – Singapore 2005 ID Type Profiles Un-authenticated identity assertion Un-authenticated identity assertion –Systems in a trusted environment Username plus passcode Username plus passcode –Systems in a secure network Kerberos-based authentication Kerberos-based authentication –Strongest security

18 April 1, 2005DICOM Seminar – Singapore 2005 Kerberos Kerberos employs a Key Distribution Center (KDC) that Kerberos employs a Key Distribution Center (KDC) that –Authenticates the user –May be incorporated into local login process –Provides a Ticket Granting Ticket (TGT) to the local system Local application uses TGT to ask KDC to generate the Service Ticket, which then is passed in the Association Negotiation Request Local application uses TGT to ask KDC to generate the Service Ticket, which then is passed in the Association Negotiation Request Remote application uses the Service Ticket to securely identify the user, and optionally generate a Server Ticket that is returned in the Association Negotiation Response Remote application uses the Service Ticket to securely identify the user, and optionally generate a Server Ticket that is returned in the Association Negotiation Response

19 April 1, 2005DICOM Seminar – Singapore 2005 Prepared for the Future Could support any mechanism that supports uni-directional assertion mechanism (e.g. using PKI and Digital Signatures) Could support any mechanism that supports uni-directional assertion mechanism (e.g. using PKI and Digital Signatures) Does not support identity mechanisms that require bi-directional negotiation (e.g. Liberty Alliance proposals) Does not support identity mechanisms that require bi-directional negotiation (e.g. Liberty Alliance proposals)

20 Questions?

Download ppt "DICOM Security Andrei Leontiev, Dynamic Imaging Presentation prepared by: Lawrence Tarbox, Ph.D. Chair, WG 14 Mallinckrodt Institute of Radiology Washington."

Similar presentations

Kerberos Authentication. Kerberos Requires shared secret with KDC ( perhaps not for PKINIT) Shared session key established Time synchronization needed.

Kerberos Authentication. Kerberos Requires shared secret with KDC ( perhaps not for PKINIT) Shared session key established Time synchronization needed.
Reporting Workflow Rita Noumeir, Ph.D. IHE Technical Committee.

Reporting Workflow Rita Noumeir, Ph.D. IHE Technical Committee.
DICOM Structured Reporting Workshop - March 2000 Structured Reporting and the IHE Year 2 Technical Framework Simon Wail, PhD Marconi Medical Systems.

DICOM Structured Reporting Workshop - March 2000 Structured Reporting and the IHE Year 2 Technical Framework Simon Wail, PhD Marconi Medical Systems.
Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014.

Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014.
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
Donkey Project Introduction and ideas around February 21, 2003 Yuri Demchenko.

Donkey Project Introduction and ideas around February 21, 2003 Yuri Demchenko.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 23: Internet Authentication Applications.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 23: Internet Authentication Applications.
Lecture 23 Internet Authentication Applications

Lecture 23 Internet Authentication Applications
Authentication & Kerberos

Authentication & Kerberos
Cryptography and Network Security Chapter 15 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 15 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
DICOM and Integrating the Healthcare Enterprise: Five years of cooperation and mutual influence Charles Parisot Chair, NEMA Committee for advancement of.

DICOM and Integrating the Healthcare Enterprise: Five years of cooperation and mutual influence Charles Parisot Chair, NEMA Committee for advancement of.
Kerberos Authentication for Multi-organization Cross-Realm Kerberos Authentication User sent request to local Authentication Server Local AS shares cross-realm.

Kerberos Authentication for Multi-organization Cross-Realm Kerberos Authentication User sent request to local Authentication Server Local AS shares cross-realm.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
Web Services Security Multimedia Information Engineering Lab. Yoon-Sik Yoo.

Web Services Security Multimedia Information Engineering Lab. Yoon-Sik Yoo.
A Heterogeneous Network Access Service based on PERMIS and SAML Gabriel López Millán University of Murcia EuroPKI Workshop 2005.

A Heterogeneous Network Access Service based on PERMIS and SAML Gabriel López Millán University of Murcia EuroPKI Workshop 2005.
THE DICOM 2014 Chengdu Workshop August 25, 2014 Chengdu, China Keeping It Safe Brad Genereaux, Agfa HealthCare Product Manager Industry Co-Chair, DICOM.

THE DICOM 2014 Chengdu Workshop August 25, 2014 Chengdu, China Keeping It Safe Brad Genereaux, Agfa HealthCare Product Manager Industry Co-Chair, DICOM.
Web services security I

Web services security I
Slide 1 Sharing Images without CDs, The Next Imaging Sea Change GE Healthcare Chris Lindop GE Healthcare Interoperability & Standards.

Slide 1 Sharing Images without CDs, The Next Imaging Sea Change GE Healthcare Chris Lindop GE Healthcare Interoperability & Standards.
THE DICOM 2013 INTERNATIONAL CONFERENCE & SEMINAR March 14-16Bangalore, India Keeping It Safe: Securing DICOM Lawrence Tarbox, Ph.D. Mallinckrodt Institute.

THE DICOM 2013 INTERNATIONAL CONFERENCE & SEMINAR March 14-16Bangalore, India Keeping It Safe: Securing DICOM Lawrence Tarbox, Ph.D. Mallinckrodt Institute.
Configuration Management Supplement 67 Robert Horn, Agfa Healthcare.

Configuration Management Supplement 67 Robert Horn, Agfa Healthcare.

Similar presentations

Ads by Google