Secured DICOM TLS communication

The communication between you and a DICOM PACS/server or another DICOM entity (e.g. another Rubo DICOM viewer) can be protected by TLS encryption. Since communication is possible with or without TLS encryption, both server and client must be set up to communicate encrypted. Communication will fail if either end is not expecting TLS communication.
The DICOM server data has a checkbox to enable TLS encrypted communication for a specific server, allowing you to perform queries and retrieve DICOM image data over an encrypted connection. Check with your administrator which port number is used for encrypted communication; it will differ from the standard unencrypted port. The officially assigned port for TLS encrypted DICOM communication is 2762, but any port number may be used.

You can use the DICOM viewer as a server (see receive mode), enabling clients to send you DICOM data over TLS, by checking the 'TLS secured/encrypted' checkbox in the 'Viewer receiving port (SCP server)' section of the DICOM Communications settings. The sending entity must support TLS encryption for TLS communication to be possible.

TLS communication requires certificates. The certificates facilitate an encrypted connection between you and the DICOM PACS/server or another DICOM entity. The Rubo DICOM viewer uses self-signed certificates by default. These certificates are signed by the Rubo DICOM viewer itself and not by a Certificate Authority (CA). They are used for one thing only: encrypting the traffic between you and another DICOM entity. They do not provide any verification of who is on either end.

When a new DICOM viewer version is detected, the viewer checks whether the certificate and private key file exist. If not, a new self-signed certificate and private key file are created. The certificate is valid for 5 years, and the private key file password is generated from your computer credentials. See 'TLS options for encrypted communication' in the DICOM Communications settings. A new self-signed certificate and private key file can be created at any time.
It is possible to use a different certificate and private key file, but this is not recommended: you then need to enter the private key password, which is stored in the settings. Although the password is stored encrypted, it still resides on your PC, which is why this option is not recommended.

Certificates in PEM or PKCS12 format are supported. A newly created self-signed certificate is stored in both formats. Because a PKCS12 file stores the private key together with the certificate, the separate private key file belongs to the PEM certificate. The private key is generated with the RSA algorithm and is 2048 bits long.
TLS versions 1.0, 1.1 and 1.2 are supported.

The Rubo DICOM viewer uses the OpenSSL toolkit to encrypt DICOM communication.
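As an added example (not the viewer's own code or part of its documentation), the following shell script uses the OpenSSL command-line tool to produce the same kind of material the viewer generates, a 2048-bit RSA key and a self-signed certificate valid for 5 years stored both as PEM and as PKCS12, and to check the properties described above, including that such a certificate does not chain to any CA. File names, the subject name and the PKCS12 password are assumptions.

```shell
#!/bin/sh
# Added example, not the Rubo DICOM viewer's own code: use the OpenSSL CLI to
# produce what the viewer describes (2048-bit RSA key, self-signed certificate
# valid 5 years, as PEM plus separate key file and as a PKCS12 bundle holding
# the key) and check it. Paths, subject name and password are assumptions.
set -eu

# Create key and certificate under $1/; 1826 days is 5 years with one leap day.
make_selfsigned() {
  dir="$1"; p12_pass="${2:-example-only}"
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -sha256 -days 1826 -nodes \
    -subj "/CN=rubo-dicom-viewer" \
    -keyout "$dir/dicom_key.pem" -out "$dir/dicom_cert.pem" 2>/dev/null
  # PKCS12 stores certificate and private key together, password protected.
  openssl pkcs12 -export -in "$dir/dicom_cert.pem" -inkey "$dir/dicom_key.pem" \
    -out "$dir/dicom_cert.p12" -passout "pass:$p12_pass"
}

# Print the RSA key size in bits (the viewer uses 2048).
key_bits() {
  openssl pkey -in "$1" -noout -text | sed -n 's/.*(\([0-9]*\) bit.*/\1/p' | head -n 1
}

# Succeed if the certificate is still valid $2 seconds from now.
valid_for_seconds() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Succeed only if the certificate chains to the system CA store; a self-signed
# certificate does not, so the handshake alone cannot tell you who the peer is.
trusted_by_system_ca() {
  openssl verify "$1" >/dev/null 2>&1
}

# SHA-256 fingerprint, the value an administrator can compare out of band.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Succeed if the PKCS12 bundle really contains a private key.
p12_has_key() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null |
    grep -q 'PRIVATE KEY'
}

if [ "${1:-}" = "run" ]; then
  make_selfsigned ./dicom-tls && echo "fingerprint: $(fingerprint ./dicom-tls/dicom_cert.pem)"
fi
```

Run it as `sh script.sh run` to create the files in ./dicom-tls; the fingerprint it prints is what the other side would have to compare against, since the TLS handshake with a self-signed certificate does not verify identity.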