DICOM PS3.15 2024e - Security and System Management Profiles

C.2 Creator RSA Digital Signature Profile

The creator of a DICOM SOP Instance may generate signatures using the Creator RSA Digital Signature Profile. The Digital Signature produced by this Profile serves as a lifetime data integrity check that can be used to verify that the pixel data in the SOP instance has not been altered since its initial creation. An implementation that supports the Creator RSA Digital Signature Profile may include a Creator RSA Digital Signature with every SOP Instance that it creates; however, the implementation is not required to do so.

The signature shall use one of the RIPEMD-160, MD5, SHA-1 or SHA-2 family (SHA256, SHA384, SHA512) of hashing functions to generate a MAC, which is then encrypted using a private RSA key. All validators of digital signatures shall be capable of using a MAC generated by any of the hashing functions specified (RIPEMD-160, MD5, SHA-1 or SHA256, SHA384, SHA512).

Note

Local rules and regulations may further restrict the hashing functions that are permitted. These regulations usually restrict the hashing functions that may be used by the SCP in creating a new signature on a new SOP Instance. For example, they may prohibit use of RIPEMD-160 and MD5. The regulations usually allow an SCU to verify an old signature that uses an algorithm that is now prohibited for new signatures. Implementations that support this profile will need to accommodate these local regulations.

As a minimum, an implementation shall include the following Attributes in generating the Creator RSA Digital Signature:

  1. the SOP Class and Instance UIDs

  2. the SOP Creation Date and Time, if present

  3. the Study and Series Instance UIDs

  4. any Attributes of the General Equipment Module that are present

  5. any Attributes of the Overlay Plane Module, Curve Module or Graphic Annotation Module that are present

  6. any Attributes of the General Image Module and Image Pixel Module that are present

  7. any Attributes of the SR Document General Module and SR Document Content Module that are present

  8. any Attributes of the Waveform Module and Waveform Annotation Module that are present

  9. any Attributes of the Multi-frame Functional Groups Module that are present

  10. any Attributes of the Enhanced MR Image Module that are present

  11. any Attributes of the MR Spectroscopy Module that are present

  12. any Attributes of the Raw Data Module that are present

  13. any Attributes of the Enhanced CT Image Module that are present

  14. any Attributes of the Enhanced XA/XRF Image Module that are present

  15. any Attributes of the Segmentation Image Module that are present

  16. any Attributes of the Encapsulated Document Series Module that are present

  17. any Attributes of the X-Ray 3D Image Module that are present

  18. any Attributes of the Enhanced PET Image Module that are present

  19. any Attributes of the Enhanced US Image Module that are present

  20. any Attributes of the Surface Segmentation Module that are present

  21. any Attributes of the Surface Mesh Module that are present

  22. any Attributes of the Structured Display Module, Structured Display Annotation Module, and Structured Display Image Box Module that are present

  23. any Attributes of the Implant Template Module that are present

  24. any Attributes of the Implant Assembly Template Module that are present

  25. any Attributes of the Implant Template Group Module that are present

  26. any Attributes of the Point Cloud Module that are present

  27. any Attributes of the Enhanced Mammography Image Module that are present

  28. any Attributes of the Tractography Results Modules that are present

  29. any Attributes of the Volumetric Graphic Annotation Module that are present

  30. any Attributes of the Microscopy Bulk Simple Annotations Module that are present

Note

The requirement is upon Attributes, and the use of Modules in the list above is for documentation brevity. For example, a SOP instance of an Encapsulated STL IOD will have all of the Attributes of the Encapsulated Document Series Module (used to encapsulate the STL file) signed. It will also have the Attributes used in any icon images signed, because the icon images use Attributes that are also Attributes of the General Image Module and Image Pixel Module. The General Image Module and Image Pixel Module are not incorporated the Encapsulated STL IOD and do not appear in the Encapsulated STL IOD Modules table.

The Digital Signature shall be created using the methodology described in the Base RSA Digital Signature Profile. Typically the certificate and associated private key used to produce Creator RSA Digital Signatures are configuration parameters of the Application Entity set by service or installation engineers.

The SCP may include other attributes when generating the Creator RSA Digital Signature, and the SCU shall support verification of such signatures.

Creator RSA Digital Signatures bear no direct relationship to other Digital Signatures. However, other Digital Signatures, such as the Authorization Digital Signature, may be used to collaborate the timestamp of a Creator RSA Digital Signature.

DICOM PS3.15 2024e - Security and System Management Profiles