DICOM Transport Layer Security (DICOM TLS) is derived from SSL 3.0 and is largely compatible with it. We provide support for use in DicomObjects, but the technical means differ between versions
As of V8 we have removed Bouncy Castle from DicomObjects.NET package
This is because:
Encryption in DICOM is important – and it’s going to become more important as hacking continues, which is why it needs to be done properly.
We have supported TLS in DicomObjects for over 10 years, and though uptake amongst vendors has always been low, it is important that it is available. Everyone who uses TLS in Windows for anything other than “web browsing” will know by now of the significant limitations of the Windows implementation, which is tied firmly to the “do I trust this web site” model with certificates, trusted roots and trust decisions being defined by the certificate store rather than user code. For this reason, about 8 years ago, we added support for “Bouncy Castle”, an external TLS library, which generally works well.
However, on reviewing the code for the final V8 release, we have realised the following:
- Bouncy Castle has moved on in intervening 8 years, but our version has not.
- We made various design decisions in the implementation concerning cyphers etc. which should be the developer’s decision, not ours
- It is hard to make all the features of a TLS toolkit such as Bouncy castle available to developers
- Developers may wish to use other encryption APIs
Putting all this together, we’ve decided that the best way to give developers the flexibility they should have is to remove the specific implementations of TLS from DicomObjects (removing the accompanying “Security” DLL), and instead make sure that it is easy to use any encrypted stream. The existing code has not, of course, been “thrown away” – it has gone into a sample application, showing how to use both the Windows and (the current, public) Bouncy Castle APIs to achieve the same effect.
All the above applies to network streams, but the same principles apply to file encryption and as a result, the overrides for reading/writing files with passwords have also been removed, with simple examples showing how to achieve the same result now in our Encryption sample project.
Intrinsic support for TLS is provided using the standard CAPICOM element in Windows - which still exists, even though it has officially been deprecated for several years. Options to create or accept TLS associations exist by specifying client and server certificates in DicomConnection.SetDestination and on the Listen methods - please ask for assistance if needed, or review the samples.
Unfortunately, there is no simple solution for this scenario due to the lack of CAPICOM or other standardised COM-accessible interface to encryption in 64 bit environments. We have therefore provided and alternative means for developers to “hook” other tools, conceptually similar to the .NET version above and managed via an IStream interface. This method is very new, so please ask for assistance if you wish to use it.
For samples showing how to use DICOM TLS in DicomObjects (COM & .NET) and XdsObjects, please see the Downloads and Examples page
Please check part 15 of the DICOM standard for more information about TLS.