200 likes | 205 Vues
DICOM Security. Andrei Leontiev, Dynamic Imaging Presentation prepared by: Lawrence Tarbox, Ph.D. Chair, WG 14 Mallinckrodt Institute of Radiology Washington University in St. Louis School of Medicine. 3 Supplements. Digital Signatures in Structured Reports
E N D
DICOM Security Andrei Leontiev, Dynamic Imaging Presentation prepared by: Lawrence Tarbox, Ph.D. Chair, WG 14 Mallinckrodt Institute of Radiology Washington University in St. Louis School of Medicine
3 Supplements • Digital Signatures in Structured Reports • In its public comment period (Supp. 86) • Audit Trail Messages • Frozen Trial Use Draft (Supp. 95) • Extended Negotiation of User Identity • Out for letter ballot now (Supp. 99) DICOM Seminar – Singapore 2005
Digital Signatures in Structured Reports Supplement 86
Status • Has evolved to meet a new set of use cases • Completed public comment • Currently in Letter Ballot DICOM Seminar – Singapore 2005
Contents • Addresses issues brought up in Digital Signature implementations: • Digital Signature Purpose field (e.g. author, verifier, transcriptionist, device) • Reports with multiple signers • Adds methods to securely reference other composite objects • Via Digital Signature in the referenced object • Via MAC embedded in the reference itself • Adds profiles for using Digital Signatures in SRs • Extends Key Object Selection template to address new use cases DICOM Seminar – Singapore 2005
Key Use Case How can an application know what objects constitute a complete set? DICOM Seminar – Singapore 2005
Options Considered • Why not MPPS? • MPPS is not a persistent (composite) object • MPPS could trigger generation of a signed Key Object Selection document • Why not Storage Commitment • Did not wish to change semantics some applications currently associate with Storage Commitment DICOM Seminar – Singapore 2005
Key Object Selection Extensions • New Document Titles: • Complete Study/Acquisition Content • Manifest • Related Contend • Allow Key Object Selection Documents to refer to other Key Object Selection Documents (not allowed previously) DICOM Seminar – Singapore 2005
Audit Messages Supplement 95
Status • Supplement 95 was frozen last June for trial use • Several trial implementations of the new audit trail message format now exist (IHE Connectathon 2005) • No significant changes expected before letter ballot this spring • IHE considering deprecating the initial message format DICOM Seminar – Singapore 2005
Lets Clear the Confusion! • Base XML message format specified in RFC nnnn • To be shared by multiple domains • Needs vocabulary definition to be useful • Supplement 95 profiles, augments, and defines DICOM-specific vocabulary • Use the schema in Supplement to create messages and read DICOM extensions • Audit repositories can interpret key using the schema in the RFC DICOM Seminar – Singapore 2005
Next Steps Expected to go to Letter Ballot in June DICOM Seminar – Singapore 2005
Extended Negotiation of User Identity Supplement 99
Use Cases • Facilitates audit logging • Step toward cross-system authorization and access controls • DICOM still leaves access control in the hands of the application • Query Filtering • For productivity as well as security DICOM Seminar – Singapore 2005
Design Goals • Independent of other security mechanisms • Avoid incompatibility with the installed base • No changes to current DICOM security mechanisms • Minimum of changes to existing implementation libraries • Extensible for future mechanisms, e.g. Security Assertion Markup Language (SAML) • Established during association negotiation before any regular DIMSE transactions take place, allowing SCU to reject associations based on ID DICOM Seminar – Singapore 2005
Several Options • User identity alone, with no other security mechanisms • User identity plus the current DICOM TLS mechanism • User identity plus future lower level transport mechanisms (e.g. IPv6 with security option) • User identity plus VPN DICOM Seminar – Singapore 2005
ID Type Profiles • Un-authenticated identity assertion • Systems in a trusted environment • Username plus passcode • Systems in a secure network • Kerberos-based authentication • Strongest security DICOM Seminar – Singapore 2005
Kerberos • Kerberos employs a Key Distribution Center (KDC) that • Authenticates the user • May be incorporated into local login process • Provides a Ticket Granting Ticket (TGT) to the local system • Local application uses TGT to ask KDC to generate the Service Ticket, which then is passed in the Association Negotiation Request • Remote application uses the Service Ticket to securely identify the user, and optionally generate a Server Ticket that is returned in the Association Negotiation Response DICOM Seminar – Singapore 2005
Prepared for the Future • Could support any mechanism that supports uni-directional assertion mechanism (e.g. using PKI and Digital Signatures) • Does not support identity mechanisms that require bi-directional negotiation (e.g. Liberty Alliance proposals) DICOM Seminar – Singapore 2005