============================
CIPHERSUITE SUPPORT IN DCMTK
============================
When compiled with OpenSSL support, several of the DCMTK network
applications optionally support TLS encapsulated secure DICOM communication
as defined in the DICOM Security Enhancements One (Supplement 31). TLS
(Transport Layer Security) can be used with different so-called
"ciphersuites". Each ciphersuite defines
- the algorithm to be used for key-exchange of session keys,
- the algorithm to be used for bulk data encryption, and
- the algorithm to be used for secure hash (message digest).
The ciphersuites to be used for secure DICOM communication can be
controlled in the TLS-enabled DCMTK tools, e.g. with appropriate command
line parameters. The ciphersuite name constants known to DCMTK are
exactly as defined in RFC 2246 and in the draft IETF specification
draft-ietf-tls-56-bit-ciphersuites-00.txt
The TLS protocol allows a dynamic negotiation of the ciphersuite to be used.
For this purpose, the TLS-enabled DCMTK tools allow that multiple
ciphersuites be specified. During negotiation, the first ciphersuite that
is supported by both communicating entities is selected, i.e. the order of
the command line parameters decides in which order the ciphersuites are
negotiated.
It should be noted that the DICOM standard mandates support for the
TLS_RSA_WITH_3DES_EDE_CBC_SHA ciphersuite for secure DICOM communication.
Applications that wish to claim conformance to the DICOM "Basic TLS Secure
Transport Connection Profile" should make sure that this ciphersuite is
always included in the list of ciphersuites to be negotiated. The default
behaviour of the TLS-enabled DCMTK tools is to only negotiate this
ciphersuite.
==============================
NOTES ON CIPHERSUITE SELECTION
==============================
The selection of ciphersuites is a matter of Security Policy which is
outside the scope of a technical specification (like the DICOM standard) or
a tool-set like DCMTK. Nevertheless, when defining this local security
policy there is a number of aspects users should be aware of.
1. Unencrypted Ciphersuites
TLS defines two unencrypted ciphersuites, TLS_RSA_WITH_NULL_MD5 and
TLS_RSA_WITH_NULL_SHA. These ciphersuites do not provide any
confidentiality during data transmission - all data is transferred in
unencrypted plain text and can be read by any man-in-the-middle. They do,
however, provide peer entity authentication and integrity: they prevent
any unauthorised modification of data during transfer and allow to
identify the communicating entities. The use of these ciphersuites
should be avoided if confidential (e.g. patient) data is transmitted
over public networks.
2. Anonymous Ciphersuites
TLS defines a number of ciphersuites which use anonymous Diffie-Hellman
key exchange without signatures. These ciphersuites can be identified by a
name starting with "TLS_DH_anon_". They do not allow an authentication
of the communicating entities and, therefore, are susceptible to
man-in-the-middle attacks.
3. Ciphersuites with Key Length Restrictions
The length of the keys used for key exchange of session keys and bulk data
encryption determines the effort needed to decrypt a TLS communication
with "brute force" attacks (using massive computing power). A number of
TLS ciphersuites restricts key lengths in order to comply with U.S. export
regulations. These ciphersuites can be identified by the term "EXPORT" or
"EXPORT1024" in their name.
Users should be aware that the security offered by these ciphersuites is
in general lower than the security offered by unrestricted ciphersuites.
Whether or not a ciphersuite is considered "safe" for a particular
application is a matter of the local security policy, though.
Users in Europe should be aware of the European Prestandard ENV 13608-3
"Health informatics - Security for healthcare communication – Part 3:
Secure data channels" which requires that no TLS ciphersuite providing
less than 80 bits of symmetric effective key space or less than 768 bits
of RSA or DH asymmetric key strength may be negotiated if conformance to
ENV 13608-3 is claimed by an application.
4. Forward Secrecy Ciphersuites
TLS defines a number of ciphersuites which implement a security feature
called "forward secrecy", a technique of ensuring that the communicated
data are only decipherable for a limited time span by the communicating
parties. After that time the communicating parties typically achieve
forward secrecy by destroying cryptographic keys. This prevents an
attacker from coercing the communicating parties into decrypting old
ciphertext. The forward secrecy ciphersuites can be identified by
the name starting with "TLS_DHE_".
Forward secrecy makes it harder for attackers to compromise confidential
information in transit in encrypted form, and so is more secure than the
use of non-forward secret cipher suites. However, some national
legislations prohibit the use of forward secrecy in terms of non
recoverable encryption.
Users in Europe who want to use forward secrecy should be aware of the
European Prestandard ENV 13608-3 "Health informatics - Security for
healthcare communication – Part 3: Secure data channels" which requires
that the TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA ciphersuite must be supported
if forward secrecy is desired and must be negotiated before ciphersuites
not offering forward secrecy if conformance to ENV 13608-3 is claimed by
an application.
5. Ciphersuites not supported by OpenSSL 0.9.5a / 0.9.6
DCMTK relies on the OpenSSL library to implement TLS-secured DICOM
communication. However, the OpenSSL library does not yet implement all TLS
ciphersuites. At the time being, the following ciphersuites are not
implemented (see OpenSSL CIPHERS(1) man page):
- TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA
- TLS_DH_DSS_WITH_DES_CBC_SHA
- TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA
- TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA
- TLS_DH_RSA_WITH_DES_CBC_SHA
- TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA
==============================
TLS Ciphersuites from RFC 2246
==============================
TLS_RSA_WITH_NULL_MD5
Key exchange : RSA
Encryption : none
Secure Hash : MD5
Note : UNENCRYPTED, NO CONFIDENTIALITY
TLS_RSA_WITH_NULL_SHA
Key exchange : RSA
Encryption : none
Secure Hash : SHA
Note : UNENCRYPTED, NO CONFIDENTIALITY
TLS_RSA_EXPORT_WITH_RC4_40_MD5
Key exchange : RSA (max. 512 bit)
Encryption : RC4 with 40 bit key
Secure Hash : MD5
TLS_RSA_WITH_RC4_128_MD5
Key exchange : RSA
Encryption : RC4 with 128 bit key
Secure Hash : MD5
TLS_RSA_WITH_RC4_128_SHA
Key exchange : RSA
Encryption : RC4 with 128 bit key
Secure Hash : SHA
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
Key exchange : RSA (max. 512 bit)
Encryption : RC2 (CBC mode) with 40 bit key
Secure Hash : MD5
TLS_RSA_WITH_IDEA_CBC_SHA
Key exchange : RSA
Encryption : IDEA (CBC mode, 128 bit key)
Secure Hash : SHA
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
Key exchange : RSA (max. 512 bit)
Encryption : DES (CBC mode) with 40 bit key
Secure Hash : SHA
TLS_RSA_WITH_DES_CBC_SHA
Key exchange : RSA
Encryption : DES (CBC mode) with 56 bit key
Secure Hash : SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
Key exchange : RSA
Encryption : 3DES (EDE CBC mode) with 168 bit key
Secure Hash : SHA
TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA
Key exchange : Diffie-Hellman (max. 512 bit) with DSS certificate signature
Encryption : DES (CBC mode) with 40 bit key
Secure Hash : SHA
Note : not supported by OpenSSL 0.9.5a / 0.9.6
TLS_DH_DSS_WITH_DES_CBC_SHA
Key exchange : Diffie-Hellman with DSS certificate signature
Encryption : DES (CBC mode) with 56 bit key
Secure Hash : SHA
Note : not supported by OpenSSL 0.9.5a / 0.9.6
TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA
Key exchange : Diffie-Hellman with DSS certificate signature
Encryption : 3DES (EDE CBC mode) with 168 bit key
Secure Hash : SHA
Note : not supported by OpenSSL 0.9.5a / 0.9.6
TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA
Key exchange : Diffie-Hellman (max. 512 bit) with RSA certificate signature
Encryption : DES (CBC mode) with 40 bit key
Secure Hash : SHA
Note : not supported by OpenSSL 0.9.5a / 0.9.6
TLS_DH_RSA_WITH_DES_CBC_SHA
Key exchange : Diffie-Hellman with RSA certificate signature
Encryption : DES (CBC mode) with 56 bit key
Secure Hash : SHA
Note : not supported by OpenSSL 0.9.5a / 0.9.6
TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA
Key exchange : Diffie-Hellman with RSA certificate signature
Encryption : 3DES (EDE CBC mode) with 168 bit key
Secure Hash : SHA
Note : not supported by OpenSSL 0.9.5a / 0.9.6
TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
Key exchange : Ephemeral Diffie-Hellman (max. 512 bit) with DSS certificate signature
Encryption : DES (CBC mode) with 40 bit key
Secure Hash : SHA
Note : provides forward secrecy
TLS_DHE_DSS_WITH_DES_CBC_SHA
Key exchange : Ephemeral Diffie-Hellman with DSS certificate signature
Encryption : DES (CBC mode) with 56 bit key
Secure Hash : SHA
Note : provides forward secrecy
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
Key exchange : Ephemeral Diffie-Hellman with DSS certificate signature
Encryption : 3DES (EDE CBC mode) with 168 bit key
Secure Hash : SHA
Note : provides forward secrecy
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
Key exchange : Ephemeral Diffie-Hellman (max. 512 bit) with RSA certificate signature
Encryption : DES (CBC mode) with 40 bit key
Secure Hash : SHA
Note : provides forward secrecy
TLS_DHE_RSA_WITH_DES_CBC_SHA
Key exchange : Ephemeral Diffie-Hellman with RSA certificate signature
Encryption : DES (CBC mode) with 56 bit key
Secure Hash : SHA
Note : provides forward secrecy
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
Key exchange : Ephemeral Diffie-Hellman with RSA certificate signature
Encryption : 3DES (EDE CBC mode) with 168 bit key
Secure Hash : SHA
Note : provides forward secrecy
TLS_DH_anon_EXPORT_WITH_RC4_40_MD5
Key exchange : Anonymous Diffie-Hellman (max. 512 bit), no signatures
Encryption : RC4 with 40 bit key
Secure Hash : MD5
Note : anonymous ciphersuite, susceptible to man-in-the-middle attacks
TLS_DH_anon_WITH_RC4_128_MD5
Key exchange : Anonymous Diffie-Hellman, no signatures
Encryption : RC4 with 128 bit key
Secure Hash : MD5
Note : anonymous ciphersuite, susceptible to man-in-the-middle attacks
TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA
Key exchange : Anonymous Diffie-Hellman (max. 512 bit), no signatures
Encryption : DES (CBC mode) with 40 bit key
Secure Hash : SHA
Note : anonymous ciphersuite, susceptible to man-in-the-middle attacks
TLS_DH_anon_WITH_DES_CBC_SHA
Key exchange : Anonymous Diffie-Hellman, no signatures
Encryption : DES (CBC mode) with 56 bit key
Secure Hash : SHA
Note : anonymous ciphersuite, susceptible to man-in-the-middle attacks
TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
Key exchange : Anonymous Diffie-Hellman, no signatures
Encryption : 3DES (EDE CBC mode) with 168 bit key
Secure Hash : SHA
Note : anonymous ciphersuite, susceptible to man-in-the-middle attacks
===============================================================
TLS Ciphersuites from draft-ietf-tls-56-bit-ciphersuites-00.txt
===============================================================
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
Key exchange : RSA (max. 1024 bit)
Encryption : DES (CBC mode) with 56 bit key
Secure Hash : SHA
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
Key exchange : RSA (max. 1024 bit)
Encryption : RC4 with 56 bit key
Secure Hash : SHA
TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA
Key exchange : Ephemeral Diffie-Hellman (max. 1024 bit) with DSS certificate signature
Encryption : DES (CBC mode) with 56 bit key
Secure Hash : SHA
Note : provides forward secrecy
TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA
Key exchange : Ephemeral Diffie-Hellman (max. 1024 bit) with DSS certificate signature
Encryption : RC4 with 56 bit key
Secure Hash : SHA
Note : provides forward secrecy
TLS_DHE_DSS_WITH_RC4_128_SHA
Key exchange : Ephemeral Diffie-Hellman with DSS certificate signature
Encryption : RC4 with 128 bit key
Secure Hash : SHA
Note : provides forward secrecy