The dcmtk toolkit<\/a> is a powerful set of command line tools which enable us to play around with DICOM<\/a>, program test environments, transform images between DICOM<\/a> and other common formats (like JPEG or PNG) and simulate a simple PACS<\/a> or a worklist server. It does not feature all tools that you would wish to have (e.g., dealing with MP4 videos), but it’s powerful enough to start with.<\/p>\n\n\n\n As always, I recommend that you execute all scripts on a properly installed Linux machine. (Windows will also do it, but it’s… uh!) Fortunately, the dcmtk toolkit<\/a> is available for most Linuxes.<\/p>\n\n\n\n Let’s start with a simple setup. We need a folder structure like this:<\/p>\n\n\n\n The folder images<\/em> will contain some sample DICOM<\/a> images. Either you have some from your own medical examinations, or you download some demo pictures from the web. The folder pacs will serve as recipient of our transmitted DICOM<\/a> images. This command enables a recipient of DICOM<\/a> images; it will be our “mini” PACS<\/a>, and it will just store all the data it receives in the folder \/reserve\/playground\/pacs.<\/strong><\/p>\n\n\n\n The storescp command has a range of options which you might explore using “man storescp” on your Linux machine. Here, we use the options:<\/p>\n\n\n\n You can also see that the instance is listening on TCP port 10400. This is not<\/strong> the standardized port for DICOM<\/a> operation; in fact, in reality you would use port 104. But as we want to test around not using the root account, we will not use privileged ports<\/a>.<\/p>\n\n\n\n In the second shell, we transmit a DICOM<\/a> image by invoking a storescu command:<\/p>\n\n\n\n This will transfer the DICOM<\/a> image IM000001<\/strong> to the storescp and ultimately store it in the folder \/reserve\/playground\/pacs<\/strong>. The whole operation looks like in the image below. Do not get bothered by the messages of the storescu command; it just evidences that even commercially taken DICOM<\/a> images do not always fulfil the specs. <\/p>\n\n\n\n Now, let’s switch one gear higher and use TLS<\/a> encryption for the transfer of our DICOM<\/a> image. We need some preparation though, and for that, we need to download a script named dcmtk_ca.pl<\/strong>. You can get that at Github, for example (here<\/a>). Save it and make it executable. Of course, you need a Perl interpreter, but as you work on a well installed Linux machine, it is simply available. During the course of the execution of these commands, you will be asked several questions which refer to attributes used in X.509<\/a> certificates, like “organizational unit”, … The values that you give do not matter here in our test environment. But for certificates used in production environment, those attributes should be populated with meaningful values, of course.<\/p>\n\n\n\n The command sequence above has created our root certificate in the file \/reserve\/playground\/myca\/cacert.pem<\/strong>, and two key pairs in the folder \/reserve\/playground\/mycert\/<\/strong>. We will now repeat the transmission of a DICOM<\/a> image as shown in the previous chapter, however, using a TLS<\/a> connection. Hence, in our first shell, we will issue the command:<\/p>\n\n\n\n which will be our “mini” PACS<\/a> again, and in the second shell we issue the command:<\/p>\n\n\n\n You can see that for this example, I have used TCP port 2762 which is also the recommendation from NEMA<\/a>.<\/p>\n\n\n\n In this example, we have used a self-generated root certificate (cacert.pem<\/strong>) and derived two key pairs from this. But in real life, you might have an existing certificate that shall be used. My web server (caipirinha.spdns.org<\/a>) for example, has a real certificate (thanks to the Let’s Encrypt<\/a> initiative), and now, we want to use this certificate for the storescp sequence simulating our “mini” PACS<\/a>. In order to do so, I will start the storescp instance as root<\/em> user (because on my machine, only root<\/em> can read the server key). On a production system, this is exactly what you shall not<\/strong> do; rather than that, you will have to find a way for you to make the server key available for the user which shall run the PACS<\/a>, and this user should not<\/strong> be a normal user. But for our test here, this is OK. So, in that case, the storescp command would be:<\/p>\n\n\n\n The corresponding storescu command is:<\/p>\n\n\n\n You will realize here that in this example, the storescp instance has the root certificate of the storescu instance (which is the self-generated root certificate) whereas the storescu instance has the root ceritifcate chain of the storescp instance (which I extracted using the Firefox<\/a> browser and accessing my own page https:\/\/caipirinha.spdns.org\/)<\/a>. The reason for this crossover mentioning of the root certificates is simple:<\/p>\n\n\n\n This might put a problem for hospital installations. Very rarely would you be able to add self-generated root certificates to your PACS<\/a>, and therefore, the recommendation is that, when using TLS<\/a> in your hospital environment, the probably best approach is that all certificates (key pairs) are generated from the very same certificate authority that was used to issue the key pair for the PACS<\/a>. How certificate and key information is set up in various DICOM<\/a>-capable devices depend on the device. In one device I came across, all related certificates and keys could be saved on the hard disk where I created a folder D:\\Zertifikate and subsequently entered the related information in a JSON<\/a> object for the DICOM<\/a> configuration. That looked like this:<\/p>\n\n\n\n In this example, I still used a self-created certificate and key for the DICOM<\/a>-enabled device that shall talk to the PACS<\/a>, but the PACS<\/a> itself uses a real certificate. You can see that the DICOM<\/a>-enabled device also uses the storescu command in order to transmit DICOM<\/a> data. This is not unusual, as most device manufacturers would use the dcmtk toolkit<\/a> rather than programming DICOM<\/a> routines from scratch.<\/p>\n\n\n\n I hope that this small article can help you to better understand the two related commands storescp and storescu with the focus on TLS<\/a> encryption during the communication.<\/p>\n\n\n\n <\/p>\n\n\n\n <\/p>\n","protected":false},"excerpt":{"rendered":" Executive Summary In this small article, I would like to point out how we can use the command line tools from the dcmtk toolkit in order to play around with DICOM images, setting up a DICOM recipient and how we integrate TLS (encryption) in the whole setup. The dcmtk toolkit is a powerful set of […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[35],"tags":[81],"class_list":["post-143","post","type-post","status-publish","format-standard","hentry","category-it","tag-dicom"],"_links":{"self":[{"href":"https:\/\/caipirinha.spdns.org\/wp\/index.php?rest_route=\/wp\/v2\/posts\/143","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/caipirinha.spdns.org\/wp\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/caipirinha.spdns.org\/wp\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/caipirinha.spdns.org\/wp\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/caipirinha.spdns.org\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=143"}],"version-history":[{"count":7,"href":"https:\/\/caipirinha.spdns.org\/wp\/index.php?rest_route=\/wp\/v2\/posts\/143\/revisions"}],"predecessor-version":[{"id":154,"href":"https:\/\/caipirinha.spdns.org\/wp\/index.php?rest_route=\/wp\/v2\/posts\/143\/revisions\/154"}],"wp:attachment":[{"href":"https:\/\/caipirinha.spdns.org\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=143"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/caipirinha.spdns.org\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=143"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/caipirinha.spdns.org\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=143"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}Sending DICOM images<\/h2>\n\n\n\n
gabriel@caipirinha:~> tree \/reserve\/playground\/\n\/reserve\/playground\/\n\u251c\u2500\u2500 images\n\u2502 \u251c\u2500\u2500 IM000001\n\u2502 \u251c\u2500\u2500 IM000002\n\u2502 \u251c\u2500\u2500 IM000003\n\u2502 \u251c\u2500\u2500 IM000004\n\u2502 \u251c\u2500\u2500 IM000005\n\u2502 \u251c\u2500\u2500 IM000006\n\u2502 \u251c\u2500\u2500 IM000007\n\u2502 \u251c\u2500\u2500 IM000008\n\u2502 \u2514\u2500\u2500 IM000009\n\u2514\u2500\u2500 pacs<\/pre>\n\n\n\n
We furthermore need two (bash<\/a>) shells open, and in the first shell, we start a storescp instance:<\/p>\n\n\n\nstorescp +B +xa -dhl -uf -aet PACS -od \/reserve\/playground\/pacs 10400<\/pre>\n\n\n\n
storescu localhost 10400 \/reserve\/playground\/images\/IM000001<\/pre>\n\n\n\n
![\"\"](\"https:\/\/caipirinha.spdns.org\/wp\/wp-content\/uploads\/ohne_TLS-1.jpg\")
Sending DICOM images with TLS<\/h2>\n\n\n\n
We first need to create a (self-generated) root certificate and subsequently two key pairs. On this blog post<\/a>, you can find the commands for that, and those are:<\/p>\n\n\n\n.\/dcmtk_ca.pl newca \/reserve\/playground\/myca
mkdir \/reserve\/playground\/mycert
.\/dcmtk_ca.pl mkcert -des no \/reserve\/playground\/myca\/ \/reserve\/playground\/mycert\/cert1 \/reserve\/playground\/mycert\/key1
.\/dcmtk_ca.pl mkcert -des no \/reserve\/playground\/myca\/ \/reserve\/playground\/mycert\/cert2 \/reserve\/playground\/mycert\/key2<\/pre>\n\n\n\nstorescp +B +xa -dhl -uf --aetitle PACS -od \/reserve\/playground\/pacs +tls \/reserve\/playground\/mycert\/key1 \/reserve\/playground\/mycert\/cert1 --add-cert-file \/reserve\/playground\/myca\/cacert.pem 2762<\/pre>\n\n\n\n
storescu +tls \/reserve\/playground\/mycert\/key2 \/reserve\/playground\/mycert\/cert2 --add-cert-file \/reserve\/playground\/myca\/cacert.pem localhost 2762 \/reserve\/playground\/images\/IM000001<\/pre>\n\n\n\n
![\"\"](\"https:\/\/caipirinha.spdns.org\/wp\/wp-content\/uploads\/mit_TLS-1024x711.jpg\")
storescp +B +xa -dhl -uf --aetitle PACS -od \/reserve\/playground\/pacs +tls \/etc\/letsencrypt\/live\/caipirinha.spdns.org\/privkey.pem \/etc\/letsencrypt\/live\/caipirinha.spdns.org\/cert.pem +cf \/reserve\/playground\/myca\/cacert.pem 2762<\/pre>\n\n\n\n
storescu +tls \/reserve\/playground\/mycert\/key2 \/reserve\/playground\/mycert\/cert2 --add-cert-file \/reserve\/playground\/caipirinha-spdns-org-zertifikatskette.pem localhost 2762 \/reserve\/playground\/images\/IM000001<\/pre>\n\n\n\n
![\"\"](\"https:\/\/caipirinha.spdns.org\/wp\/wp-content\/uploads\/mit_TLS_caipirinha-1024x711.jpg\")
{\n ...\n \"DefaultSendOptions\": {\n \"sendExecutable\": \"storescu-tls.exe\",\n ...\n },\n \"args\": [\n \"--log-level\",\n \"info\",\n ...\n \"+tls\",\n \"D:\/Zertifikate\/key\",\n \"D:\/Zertifikate\/cert\",\n \"+cf\",\n \"D:\/Zertifikate\/caipirinha-ca-chain.pem\"\n ],\n ...\n}<\/code><\/pre>\n\n\n\nLinks<\/h2>\n\n\n\n
Key Words<\/h2>\n\n\n\n