Annex C DIGITAL SIGNATURE PROFILES (Normative)

C.1 BASE RSA DIGITAL SIGNATURE PROFILE

The Base RSA Digital Signature Profile outlines the use of RSA encryption of a MAC to generate a Digital Signature. This Profile does not specify any particular set of Data Elements to sign. Other Digital Signature profiles may refer to this profile, adding specifications of which Data Elements to sign or other customizations.

The creator of a digital signature shall use one of the RIPEMD-160, MD5, SHA-1 or SHA-2 family (SHA256, SHA384, SHA512) of hashing functions to generate a MAC, which is then encrypted using a private RSA key. All validators of digital signatures shall be capable of using a MAC generated by any of the hashing functions specified (RIPEMD-160, MD5, SHA-1 or SHA256, SHA384, SHA512).

Note: The use of MD5 is not recommended by its inventors, RSA. See: ftp://ftp.rsasecurity.com/pub/pdfs/bulletn4.pdf

The MAC to be signed shall be padded to a block size matching the RSA key size, as directed in RFC 2437 (PKCS #1). The Value of MAC Algorithm (0400,0015) shall be set to either "RIPEMD160", "MD5", "SHA1", "SHA256", "SHA384" or "SHA512". The public key associated with the private key as well as the identity of the Application Entity or equipment manufacturer that owns the RSA key pair shall be transmitted in an X.509 (1993) signature certificate. The Value of the Certificate Type (0400,0110) Attribute shall be set to "X509_1993_SIG". A site-specific policy determines how the X.509 certificates are generated, authenticated, and distributed. A site may issue and distribute X.509 certificates directly, may utilize the services of a Certificate Authority, or use any reasonable method for certificate generation and verification.

If an implementation utilizes timestamps, it shall use a Certified Timestamp Type (0400,0305) of “CMS_TSP”. The Certified Timestamp (0400,0310) shall be generated as described in “Internet X.509 Public Key Infrastructure; Time Stamp Protocols; March 2000”.
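The hash-then-pad step and the fixed field values of this profile can be sketched as follows. This is an added example, not part of the standard: it assumes the padding meant is the PKCS #1 v1.5 signature encoding (a DER DigestInfo behind 0x00 0x01 0xFF..0xFF 0x00), leaves the RSA operation itself to a cryptographic library, and the function names and flattened tag-keyed dictionary are hypothetical.

```python
import hashlib
import hmac

# MAC Algorithm (0400,0015) value -> (hashlib name, DER DigestInfo prefix, hex).
DIGEST_INFO = {
    "RIPEMD160": ("ripemd160", "3021300906052b2403020105000414"),
    "MD5": ("md5", "3020300c06082a864886f70d020505000410"),
    "SHA1": ("sha1", "3021300906052b0e03021a05000414"),
    "SHA256": ("sha256", "3031300d060960864801650304020105000420"),
    "SHA384": ("sha384", "3041300d060960864801650304020205000430"),
    "SHA512": ("sha512", "3051300d060960864801650304020305000440"),
}

def encode_mac_block(mac_algorithm, signed_bytes, key_bits):
    """Hash the signed bytes and pad the MAC to the RSA modulus size."""
    if mac_algorithm not in DIGEST_INFO:
        raise ValueError(f"MAC Algorithm {mac_algorithm!r} is not in the profile")
    name, prefix = DIGEST_INFO[mac_algorithm]
    # hashlib.new raises ValueError if the local OpenSSL lacks the hash.
    t = bytes.fromhex(prefix) + hashlib.new(name, signed_bytes).digest()
    k = (key_bits + 7) // 8
    if k < len(t) + 11:  # at least eight 0xFF padding bytes are required
        raise ValueError("RSA key too short for this MAC")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def mac_block_matches(recovered, mac_algorithm, signed_bytes, key_bits):
    """Validator side: rebuild the expected block and compare all of it."""
    expected = encode_mac_block(mac_algorithm, signed_bytes, key_bits)
    return hmac.compare_digest(recovered, expected)

def check_signature_fields(item):
    """Check one signature's fields against the Base RSA profile values."""
    findings = []
    if item.get("(0400,0015)") not in DIGEST_INFO:
        findings.append("MAC Algorithm (0400,0015) not allowed by profile")
    elif item["(0400,0015)"] == "MD5":
        findings.append("MD5 in use; the profile notes it is not recommended")
    if item.get("(0400,0110)") != "X509_1993_SIG":
        findings.append("Certificate Type (0400,0110) is not X509_1993_SIG")
    if "(0400,0310)" in item and item.get("(0400,0305)") != "CMS_TSP":
        findings.append("Certified Timestamp Type (0400,0305) is not CMS_TSP")
    return findings

# Constructed sample: a flattened signature item keyed by tag.
SAMPLE = {"(0400,0015)": "MD5", "(0400,0110)": "X509_1993_SIG",
          "(0400,0310)": b"\x30\x00", "(0400,0305)": "CMS_TSP"}
```

Comparing the whole rebuilt block rejects signatures with malformed padding, which a validator that only extracts the trailing digest could accept.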

C.2 CREATOR RSA DIGITAL SIGNATURE PROFILE

The creator of a DICOM SOP Instance may generate signatures using the Creator RSA Digital Signature Profile. The Digital Signature produced by this Profile serves as a lifetime data integrity check that can be used to verify that the pixel data in the SOP instance has not been altered since its initial creation. An implementation that supports the Creator RSA Digital Signature Profile may include a Creator RSA Digital Signature with every SOP Instance that it creates; however, the implementation is not required to do so.

As a minimum, an implementation shall include the following attributes in generating the Creator RSA Digital Signature:

  1. the SOP Class and Instance UIDs

  2. the SOP Creation Date and Time, if present

  3. the Study and Series Instance UIDs

  4. any attributes of the General Equipment module that are present

  5. any attributes of the Overlay Plane, Curve or Graphic Annotation modules that are present

  6. any attributes of the General Image and Image Pixel modules that are present

  7. any attributes of the SR Document General and SR Document Content modules that are present

  8. any attributes of the Waveform and Waveform Annotation modules that are present

  9. any attributes of the Multi-frame Functional Groups module that are present

  10. any attributes of the Enhanced MR Image module that are present

  11. any attributes of the MR Spectroscopy modules that are present

  12. any attributes of the Raw Data module that are present

  13. any attributes of the Enhanced CT Image module that are present

  14. any attributes of the Enhanced XA/XRF Image module that are present

  15. any attributes of the Segmentation Image module that are present

  16. any attributes of the Encapsulated Document module that are present

  17. any attributes of the X-Ray 3D Image module that are present

  18. any attributes of the Enhanced PET Image module that are present

  19. any attributes of the Enhanced US Image module that are present

  20. any attributes of the Surface Segmentation module that are present

  21. any attributes of the Surface Mesh Module that are present

  22. any attributes of the Structured Display, Structured Display Annotation, and Structured Display Image Box modules that are present

  23. any Attributes of the Implant Template module that are present

  24. any Attributes of the Implant Assembly Template module that are present

  25. any Attributes of the Implant Template Group module that are present

The Digital Signature shall be created using the methodology described in the Base RSA Digital Signature Profile. Typically the certificate and associated private key used to produce Creator RSA Digital Signatures are configuration parameters of the Application Entity set by service or installation engineers.

Creator RSA Digital Signatures bear no direct relationship to other Digital Signatures. However, other Digital Signatures, such as the Authorization Digital Signature, may be used to corroborate the timestamp of a Creator RSA Digital Signature.

C.3 Authorization RSA Digital Signature Profile

The technician or physician who approves a DICOM SOP Instance for use may request the Application Entity to generate a signature using the Authorization RSA Digital Signature Profile. The Digital Signature produced serves as a lifetime data integrity check that can be used to verify that the pixel data in the SOP instance is the same that the technician or physician saw when they made the approval.

As a minimum, an implementation shall include the following attributes in generating the Authorization RSA Digital Signature:

  1. the SOP Class and Instance UIDs

  2. the Study and Series Instance UIDs

  3. any attributes whose Values are verifiable by the technician or physician (e.g., their Values are displayed to the technician or physician)

  4. any attributes of the Overlay Plane, Curve or Graphic Annotation modules that are present

  5. any attributes of the General Image and Image Pixel modules that are present

  6. any attributes of the SR Document General and SR Document Content modules that are present

  7. any attributes of the Waveform and Waveform Annotation modules that are present

  8. any attributes of the Multi-frame Functional Groups module that are present

  9. any attributes of the Enhanced MR Image module that are present

  10. any attributes of the MR Spectroscopy modules that are present

  11. any attributes of the Raw Data module that are present

  12. any attributes of the Enhanced CT Image module that are present

  13. any attributes of the Enhanced XA/XRF Image module that are present

  14. any attributes of the Segmentation Image module that are present

  15. any attributes of the Encapsulated Document module that are present

  16. any attributes of the X-Ray 3D Image module that are present

  17. any attributes of the Enhanced PET Image module that are present

  18. any attributes of the Enhanced US Image module that are present

  19. any attributes of the Surface Segmentation module that are present

  20. any attributes of the Surface Mesh Module that are present

  21. any attributes of the Structured Display, Structured Display Annotation, and Structured Display Image Box modules that are present

  22. any Attributes of the Implant Template module that are present

  23. any Attributes of the Implant Assembly Template module that are present

  24. any Attributes of the Implant Template Group module that are present

The Digital Signature shall be created using the methodology described in the Base RSA Digital Signature Profile. The Application Entity shall determine the identity of the technician or physician and obtain their certificate through a site-specific procedure such as a login mechanism or a smart card.

Authorization RSA Digital Signatures bear no direct relationship to other Digital Signatures. However, other Digital Signatures, such as the Creator RSA Digital Signature, may be used to corroborate the timestamp of an Authorization RSA Digital Signature.

C.4 Structured Report RSA Digital Signature Profile

This profile defines a mechanism for adding Digital Signatures to Structured Reports or Key Object Selection Documents where there is no more than one Verifying Observer. Instances that follow this Digital Signature Profile shall include at least one Digital Signature at the top level of the Data Set.

All Digital Signatures that follow this profile shall include a Digital Signature Purpose Code Sequence Attribute (0400,0401).

As a minimum, an implementation shall include the following attributes in generating the Digital Signature required by this profile:

  1. the SOP Class UID

  2. the Study and Series Instance UIDs

  3. all attributes of the General Equipment Module that are present

  4. the Current Requested Procedure Evidence Sequence

  5. the Pertinent Other Evidence Sequence

  6. the Predecessor Documents Sequence

  7. the Observation DateTime

  8. all attributes of the SR Document Content Module that are present

If the Verification Flag is set to "VERIFIED" (and the SOP Instance UID can no longer change), at least one of the Digital Signatures following this profile shall have the purpose of (5, ASTM-sigpurpose, "Verification Signature") and shall also include the following Attributes in addition to the above attributes:

  1. the SOP Instance UID

  2. the Verification Flag

  3. the Verifying Observer Sequence

  4. the Verification DateTime

Note: The system may also add a Creator RSA Digital Signature, which could cover other attributes that the machine can verify.

All occurrences of Referenced SOP Instance MAC Sequence (0400,0403) shall have the Value of MAC Algorithm (0400,0015) set to either "RIPEMD160", "MD5", "SHA1", "SHA256", "SHA384" or "SHA512".

The Digital Signature shall be created using the methodology described in the Base RSA Digital Signature Profile. The Application Entity shall determine the identity of the signatories and obtain their certificate through an application-specific procedure such as a login mechanism or a smart card. The conformance statement shall specify how the application identifies signatories and obtains certificates.
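A validator can check the coverage rules of this profile before trusting a signed report, as in the added example below, which is not part of the standard. It covers only the individually named attributes (not the General Equipment or SR Document Content module sets), treats a named attribute as required only when it is present in the Data Set, and uses a hypothetical in-memory layout in which each signature carries its purpose code and the set of tags it signed.

```python
# Tags are from the DICOM data dictionary; the dict layout is this example's.
BASE = {
    (0x0008, 0x0016): "SOP Class UID",
    (0x0020, 0x000D): "Study Instance UID",
    (0x0020, 0x000E): "Series Instance UID",
    (0x0040, 0xA375): "Current Requested Procedure Evidence Sequence",
    (0x0040, 0xA385): "Pertinent Other Evidence Sequence",
    (0x0040, 0xA360): "Predecessor Documents Sequence",
    (0x0040, 0xA032): "Observation DateTime",
}
VERIFIED_EXTRA = {
    (0x0008, 0x0018): "SOP Instance UID",
    (0x0040, 0xA493): "Verification Flag",
    (0x0040, 0xA073): "Verifying Observer Sequence",
    (0x0040, 0xA030): "Verification DateTime",
}
VERIFICATION_PURPOSE = ("5", "ASTM-sigpurpose")

def uncovered(dataset, signed, required):
    """Required attributes present in the data set but left unsigned."""
    return [n for tag, n in required.items()
            if tag in dataset and tag not in signed]

def check_sr_signatures(dataset, signatures):
    """signatures: top-level items as {'purpose': (value, scheme), 'signed': set}."""
    findings = []
    if not signatures:
        findings.append("no Digital Signature at the top level of the Data Set")
    for i, sig in enumerate(signatures):
        if not sig.get("purpose"):
            findings.append(f"signature {i}: no Purpose Code Sequence (0400,0401)")
        for name in uncovered(dataset, sig["signed"], BASE):
            findings.append(f"signature {i}: {name} not signed")
    if dataset.get((0x0040, 0xA493)) == "VERIFIED":
        full = {**BASE, **VERIFIED_EXTRA}
        if not any(s.get("purpose") == VERIFICATION_PURPOSE
                   and not uncovered(dataset, s["signed"], full)
                   for s in signatures):
            findings.append("VERIFIED without a complete Verification Signature")
    return findings

# Constructed sample: a verified report whose only signature skips the flag.
REPORT = {(0x0008, 0x0016): "1.2.840.10008.5.1.4.1.1.88.11",
          (0x0008, 0x0018): "1.2.3.4", (0x0020, 0x000D): "1.2.3",
          (0x0020, 0x000E): "1.2.3.1", (0x0040, 0xA493): "VERIFIED"}
SIGS = [{"purpose": VERIFICATION_PURPOSE,
         "signed": set(REPORT) - {(0x0040, 0xA493)}}]
```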

Note: Structured Report RSA Digital Signatures bear no direct relationship to other Digital Signatures. However, other Digital Signatures, such as the Creator RSA Digital Signature, may be used to corroborate the timestamp of a Structured Report RSA Digital Signature.