Implementing a physical TLS Proxy for TCP (DICOM/HL7) communication

Supervision: Dominik Noß, Jörg Schwenk

Description

Medical devices use custom TCP-based protocols for peer-to-peer communication, two of which are DICOM and HL7. For example, a CRT can use DICOM to push imagery to the doctor's computer. Those implementations often lack a necessary component: encryption via TLS.

Assume a server is capable of TLS, but a certain medical device is not. The device is too expensive to be replaced, and the vendor is unable to provide this software feature. Due to the peer-to-peer nature of the existing topology, a centralized VPN solution cannot be used.

TLS proxies are a secure solution for such a scenario.

Your task is the implementation of a physical device based on Raspberry-Pi-like computers, which acts as a TLS proxy. It has two Ethernet ports. One is directly connected to the medical device, the other one connects to the LAN.

Upon connecting the first port, the device impersonates the medical device. Outgoing TCP connections are intercepted and tunneled through a TLS connection to the original address and port. Incoming TLS connections are accepted, unwrapped, and forwarded as regular TCP connections. This way, the medical device can remain unchanged and the communication is secure.
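The outgoing leg described above, as an added Python sketch (not part of the original posting and not ghostunnel's code). It assumes a Linux netfilter REDIRECT rule on the device-facing interface delivers intercepted connections to the listener, that peers present certificates from the private CA with their IP address as a subject alternative name, and a hypothetical listener port and CA path; the incoming TLS-to-TCP leg is not shown.

```python
import contextlib
import socket
import ssl
import struct
import threading

SO_ORIGINAL_DST = 80  # from <linux/netfilter_ipv4.h>; the socket module lacks it

def parse_original_dst(raw):
    """Decode sockaddr_in: family(2) | port(2, big-endian) | IPv4(4) | pad(8)."""
    port = struct.unpack_from("!H", raw, 2)[0]
    return socket.inet_ntoa(raw[4:8]), port

def make_client_context(ca_file=None):
    # ca_file: private CA bundle (assumed path); None falls back to system roots.
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx  # CERT_REQUIRED and name/IP checking stay at their secure defaults

def pump(src, dst):  # copy one way; on EOF or error unblock both directions
    with contextlib.suppress(OSError):
        while chunk := src.recv(16384):
            dst.sendall(chunk)
    for s in (src, dst):
        with contextlib.suppress(OSError):
            socket.socket.shutdown(s, socket.SHUT_RDWR)  # works for TLS sockets too

def handle(plain, ctx):  # tunnel one intercepted connection to its original target
    with plain:
        try:
            dst = plain.getsockopt(socket.SOL_IP, SO_ORIGINAL_DST, 16)
            host, port = parse_original_dst(dst)
            upstream = socket.create_connection((host, port), timeout=10)
            tls = ctx.wrap_socket(upstream, server_hostname=host)
        except OSError:
            return  # fail closed: never fall back to plaintext
        with tls:
            tls.settimeout(None)  # long-lived sessions may idle between messages
            back = threading.Thread(target=pump, args=(tls, plain), daemon=True)
            back.start()
            pump(plain, tls)
            back.join()

def serve(port=15000, ca_file="/etc/tlsproxy/ca.pem"):  # hypothetical port and path
    ctx = make_client_context(ca_file)
    with socket.create_server(("", port)) as srv:
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle, args=(conn, ctx), daemon=True).start()
```

Calling `serve()` starts the listener; a failed handshake or certificate check closes the device's connection instead of forwarding it unencrypted.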

One software solution supporting these features is ghostunnel.

You will be granted access to a lab setting with virtual medical devices and software in order to test your device. You do not need to have a deep understanding of DICOM and HL7 - it is treated as a generic TCP protocol.

Milestones: 1) Security analysis: define the security goals of the system and how they are achieved 2) Implementation in a virtual environment (e.g. VirtualBox) 3) Deploy the project on a physical device 4) Maybe: test it in real-world scenarios (industry cooperation).

Optional: 4) Implement certificate management based on the Let's Encrypt architecture, but with a private CA. 5) Enforce client authentication

If this subject piques your interest, you can apply at dominik.noss@rub.de.

Requirements

Skills needed: 1) Experience with the Linux operating system. You know what network interfaces are and how services work. 2) You can solve practical problems using Bash and Python3. 3) Basic knowledge of TLS. What is a server, what is a client, the basic handshake, a PKI? 4) Knowledge of computer networks. What is IP, TCP, UDP, a switch, a router?