Whitelisting in DICOM

First, the ancient history with DIMSE

During the early days of DICOM the AE-title was used to whitelist access to DICOM services over DIMSE.

The secured DIMSE server (SCP) would be listening on a TLS port. When a connection was made, there would first be TLS connection setup

• The client (SCU) would confirm that the SCP was an acceptable site. This was most often done by using a hospital specific certificate signing. The SCP would use a certificate signed by the hospital, and the SCU would check that this was properly signed by the hospital.

  • The hospital CA is private and not known to the rest of the world, so outside connections could fail the TLS setup at this stage. Only internal SCUs would be able to verify the SCP connection. (Some SCUs will accept unknown signers, so they make it past this stage.)

• The SCU would confirm back the bi-directional TLS connection with its certificate signed by the hospital CA. The SCP would verify that this certificate was signed by the hospital CA. If this failed, the connection would be dropped. This keeps out the unwanted SCUs.

• Then for each request, the DIMSE service would check the requested AE-title and the requesting AE-title.

  • If the requested AE-title was not recognized by the SCP, the request would be dropped. Optionally the connection would be dropped.

  • If the requesting AE-title was not on the whitelist of the SCP, the request would be dropped. Optionally the connection would be dropped.

Unsecured DIMSE servers also used the AE-title whitelisting. This approach does not meet modern security criteria. It was used starting in the 1990’s when VPN, VLAN, and other techniques were used for connection protection. The internal network was treated as trustworthy. That is no longer considered a good practice, but I’m sure that there are sites that still operate this way.

Back then improperly configured systems were considered as big a problem as active malware. This kind of AE-title whitelisting was quite effective at catching configuration mistakes, so it was widely deployed. The AE-titles can potentially be random 16-character strings, but in practice they were useful but easily guessable names like CT-ROOM-314.