MEDINFO 2004 M. Fieschi et al. (Eds) Amsterdam: IOS Press © 2004 IMIA. All rights reserved
EVEREST: An Efficient Method for Verification of Digital Signatures in Real-Time Teleradiology Kemal Bicakci, Nazife Baykal Informatics Institute, Middle East Technical University, Ankara, TURKEY
Kemal Bicakci, Nazife Baykal emergency triage, (2) non-interactive transmission and storage of images for later interpretation. The main difference between these two categories is that, in a real-time teleradiology application efficiency is a main concern since the system is expected to respond very quickly.
Abstract The introduction of digital medical images requires a legally binding digital signature that guarantees authenticity and integrity of the image. In real-time teleradiology services, the system is expected to respond very quickly however to verify the signature a considerable amount of time is spent to compute the hash value of the image since the image size might be huge (tens of megabytes). Motivating by this fact, in this paper we propose EVEREST, an efficient methodology for verification. The key observation we have made is that in the traditional verification the processor of the verifying machine is idle (I/O blocked) while the image is downloaded. In EVEREST, to improve the real-time efficiency the receiver can perform most of the hash computation while he is receiving the image itself. One other important advantage of our scheme is the communication efficiency since getting the entire image file is no longer necessary to detect the tampering.
In spite of high investments in infrastructure for high-speed networking, real-time teleradiology still has performance problems due to huge image file sizes. The introduction of digital signatures makes this problem only worse, since an additional amount of time is spent to verify the signature. This problem is precisely the topic of this paper where we propose EVEREST, an efficient methodology to verify digital signatures.
Materials and Methods General Organization of the Paper The rest of this paper is organized as follows: We first introduce the concept of digital signatures and summarize the contribution of our proposal. Subsequently, we give an overview of available methods to optimize the transmission in teleradiology and related work on digital signatures for medical images. Then, we provide the detailed description of EVEREST. Before the conclusion part, we present the results of our performance evaluation and experimental studies.
Keywords: Data Security, Digital Signature, Teleradiology, Efficiency.
Introduction According to a recent study [1], if health organizations in United States had spent $50 billion each year on information technology, they might have saved $270 billion each year. Only these figures are sufficient to demonstrate why healthcare industry is labeled as being desperately in need of the efficiencies provided by information systems. Apart from that prediction, throughout the world, the market for information technologies in the healthcare field has been expanding steadily. This market scale is expected to expand even further, for a number of reasons. We believe one of the biggest reasons is that electronic medical records and digital images have started to be accepted for use as formal documentation. Consequently, the security issues in health information systems have taken center stage in recent years and due to the importance and the complexity of the problem most experts see it as one of the significant challenges to successful projects.
Digital Signatures Handwritten signatures have long been used to authenticate the messages signed but the means to provide digital signatures for computer communication that is roughly equivalent to handwritten signatures on paper documents became available with the advances in modern cryptography. Whether we use a handwritten or a digital signature, other than authenticating the message signed, the signature also ensures the message integrity and solves the non-repudiation problem.
In cryptography world, while there are other tools like message authentication codes (MACs) to ensure data integrity and authentication, digital signatures are better in one important respect. They are the only ones addressing the issue of nonrepudiation (blocking a sender's false denial that he or she signed a particular document, thus enabling the recipient to easily prove that the sender actually did sign the document).
Teleradiology is the umbrella term to define the concepts of digitally transmitting radiographic patient images and consultative text from one location to another. Teleradiology services can be grouped into two general categories: (1) real-time on-demand services facilitating remote interactive communication and
Having this elegant solution, it is estimated that in a future teleradiology standard, digital signatures must be provided as the
1241
K. Bicakci et al.
EST we will see that no increase in server’s computation is necessary to have the verification efficiency.
legal binding document (a recent security extension to the DICOM standard describes how digital signatures can be embedded, archived and transmitted within DICOM images or reports [2]). Digital signatures are the prerequisites for the digital reports to be accepted as the replacement of today’s paper reports.
In EVEREST, the key observation we have made is that in the traditional verification the processor of the verifying machine is idle (I/O blocked) while the image is downloaded (the processor is utilized for hash computation only after all the entire image file is transferred). If we come up with a new verification methodology in which we do not need to wait until the entire image file is downloaded, we can utilize the previously idle processor for hash computation and as a result we can improve the realtime efficiency of verification or in other words the total time necessary for downloading and verification is decreased. The method proposed can also be considered as a way to parallelize the steps so that the receiver can perform most of the computation in background while he is receiving the image itself. Note that EVEREST does not decrease the total amount of computation carried out by the processor. It just shifts the time the processor is used for this computation.
A medical image consists of two parts, a short nominative image header and a big anonymous image body. Only the header containing the sensitive patient information needs to be kept secret in most scenarios however the integrity of the entire image file needs to be assured. This is the reason it is not secure to sign only a portion of the image file for efficiency reasons [3]. In fact, Cao et al. have demonstrated with some visual examples how easy to insert artifacts within the image, which causes confusion during diagnosis [3]. In practical implementations, algorithms are often too inefficient to sign long messages. To save time, digital signatures are usually implemented with hash functions, which convert the long message into a fixed length smaller output. This hash value not the message itself is signed and verified. Therefore traditionally, verification of digital signatures works in three steps as illustrated in Figure 1. (Due to space limitations, we defer to some reference books [4] for a comprehensive treatment of digital signatures and hash functions):
An alternate option and a more obvious trick for real-time efficiency is that the image is displayed immediately and the status of the digital signature will be displayed when it is available. The disadvantage of this option is that the user sees a disturbing status window that may easily be ignored. On the other hand the goal of EVEREST is to be more efficient without degrading the security and user-friendliness of the system. One other important advantage of EVEREST is communication-efficiency since detecting the tampering becomes possible without getting the entire image file. Optimizing the Transmission
Figure 1 - Traditional signature verification
In spite of vast improvements in the high-speed networking technology, networks have a well-known deficiency that is transmission of long files (like the images in teleradiology) has a significant delay. While it is obvious that expensive solutions based on an investment to increase the bandwidth capacity of the infrastructure helps a lot, there are also other elegant and less-expensive solutions like “image compression” to minimize the transmission delay.
Our Contribution in a Nutshell If the file has an average size (e.g. in kilobytes range), the second step, computing the hash value of the message can be performed in microseconds and the other steps are the dominant factors in the verification delay. However in teleradiology, a typical examination generates between 10 MBs and 40 MBs or much higher with volume magnetic resonance imaging (MRI), volume zoom CT and digital mammography. The high extreme is in digital mammography, which generates 160 MBs per examination [5]. Therefore, in teleradiology in contrast to other applications, a considerable amount of time for verification is spent to compute the hash value of the image. Motivating by this fact, without sacrificing security (by using existing secure cryptographic tools), in this paper we propose an efficient method called EVEREST (Efficient VERification of Electronic (digital) Signatures in real-time Teleradiology).
Other than digital signatures, another state of the art and emerging technology in teleradiology applications is image compression. There are two types of compression; while a 100:1 ratio is possible in lossy compression, the current maximum limit for lossless compression is 3:1 [3]. In practice, medical community is reluctant to accept the lossy compression to be used for medical images and this is why we should deal with tens of megabytes in teleradiology applications even when compression techniques are employed.
Generally speaking, verification efficiency is more important than efficiency for signing because of two main reasons: (1) generally an image is signed only for once but needs to be verified many times over a period of years. (2) Server machine that signs the image is chosen to be a powerful machine to serve multiple clients at the same time however the receiver machine might be a constrained device with limited computational capabilities (the recent studies [6] show that to display medical images even the handheld devices can be practically used). Moreover in EVER-
The other solution to optimize the transmission has been implemented in popular freeware download programs. The idea behind these simple tools is to split the long file into several pieces on the server side and open a separate connection to transmit in parallel each piece upon receiver’s request. How much speed up we can obtain is a function of many parameters but in general it is for sure that this is a more speed-optimized method of transmission of long files. This method in fact is in so widespread use that we believe that any method for efficiently verifying digital signatures on long files should be flexible to work with it.
1242
K. Bicakci et al.
EVEREST: The Proposed Method
.
A signature verification method for teleradiology should be flexible to work reliably and efficiently no matter how the underlying transmission takes place. It can be whether a traditional one with a single connection or the speed-optimized method introduced previously. We now introduce such a scheme, which consists of two parts: the set-up part working on the sender side and the downloading and verifying part working on the receiver side. EVEREST on the Server Side First, the issue of how many pieces the image file is split into is resolved. It is good in practice to have as many pieces as the number of connections the server would open per receiver when speed-optimized method is used. Optimum number of connections depends on the resources the server machine has and also on the number of independent receivers served at the same time. Note that more connections not always mean more speed. The transmission medium characteristics also affect the optimum number of connections. Having decided on the number of pieces, then the server executes the procedure illustrated in Figure 2 for each image it needs to sign:
As we mentioned earlier, in traditional signatures, the hash of the message, h(x) is signed to get the signature S(x) as seen from equation 1: S ( x ) = Sign ( h ( x ) ) S ( x ) = Sign ( h ( h ( x 1 ) ) h ( x 2 ) h ( x 3 ) )
(1) (2)
In EVEREST, the signing procedure is slightly modified. Equation 2 shows the generation of signature when the message is split into 3 parts (“||” means concatenation). Figure 3 - Signature verification in EVEREST EVEREST on the Receiver Side Unlike the traditional verification as shown in Figure 1, where all the steps are executed in a single thread, in EVEREST we have two threads working in parallel. While in the MAIN thread, the pieces of the image file, the hash values and the signature are downloaded, the VERIFY thread is used to verify the signature and the hash values as shown in Figure 3. The verification only starts when the required input becomes available otherwise the VERIFY thread waits in a loop. In the MAIN thread when downloading a message part starts, an I/O block occurs and the CPU can be entirely used by the VERIFY thread until that downloading is completed.
In the VERIFY thread after verifying the signature on the hash values, to verify hash values we compute the hash value of each piece received and compared it with previously received one. In Figure 3, “end” means a successful completion of the verification and “quit” means the verification is unsuccessful (a tampering has occurred) and the program terminates and discontinues downloading (results in communication efficiency). Also notice that the operation of EVEREST does not assume to get any specific piece first. If speed optimized method is used the receiver opens n separate parallel connections to the server machine to
Figure 2 - Signature generation in EVEREST After an image is signed and the hash values and signature is stored, the server is ready for secure transmission. EVEREST keeps the signing computation almost same (due to linearity of hash computation cost that will be seen in Figure 4)
1243
K. Bicakci et al.
We have observed that the time for signature verification is very
download each piece and we have a total number of n+1 threads working in parallel.
small compared to compute the hash value of image parts (around 80 msecs if 1024 bit DSA [9] is used as the signature algorithm). As illustrated in Figure 4, the time to compute the hash value has a nearly linear dependence on the size of the file (using SHS [10] as the hashing algorithm). So if the time to compute the hash value of the entire file is Th, then the time to compute the hash value of the last block is approximately Th / n where n is the number of parts. So traditionally, the total time necessary for verification is as follows:
Discussion Related Work In an earlier work [5], the authors have presented a method to sign digital mammography images. The efficiency was not the issue they dealt with, instead their contribution was to embed the digital signature into the image itself instead of attaching it to the head or the end of the image file. Just like other teleradiology applications, digital mammography mostly uses DICOM standard [7] that does not currently support digital signatures. The image embedded with the digital signature still conforms the DICOM image format standard. That is the reason behind the authors’ design rationale. However, recently a third security extension to the DICOM standard describes how digital signatures can be transmitted with the DICOM images [2]. So in the near future we believe that embedding the digital signature to the image instead of attaching it will not provide any additional advantage. Moreover verification becomes more inefficient if we embed the signature to the image.
T ver – tra = T h + T s
(3)
Where, Ts corresponds to the time for verification of the digital signature on the hash value. Whereas in EVEREST, by taking into account the value Td, the time for verification is Th T ver – EVEREST = ----- + T d n
(4)
If we ignore Ts and Td (a very small quantity considering network bandwidths available today) to simplify, then the overall performance gain will be n–1 T diff = T ver – tra – T ver – EVEREST = T h × -----------n
In another previous work [8], the authors have proposed an effi-
(5)
Lastly, note that the gain in Equation 5 is achieved when the verification is successful. If verification fails, the computational gain increases because of early detection.
cient method for signing digital streams (very long, potentially infinite sequence of bits, e.g. a movie or a live broadcast). The solution to digitally sign these streams is two kinds. In the first one proposed for a finite stream, the basic idea is to divide the stream into blocks and by a chaining technique attach authentication information of the current block to the subsequent block. In short, the reason of inapplicability of this work for the teleradiology case is two-folds: first of all, images in teleradiology do not match with the properties of digital streams therefore the complexity of the chaining technique used is unnecessary. Secondly, since it assumes to receive the parts in sequential order this work has a poor performance when the speed-optimized transmission method is used. We believe that the EVEREST is the first in literature to address the efficiency concerns for digital signatures in teleradiology.
Time (secs)
Performance of hash computation 12 10 8 6 4 2 0
PIII 450 MHz PIII 800 MHz
0
10 20 30 40 50 60 Image size (MB)
Performance Evaluation In this section, we would like to make an analytical evaluation of the performance of EVEREST and determine the maximum achievable theoretical gain with respect to traditional verification. In the following section, we provide the results of the experiments we have conducted and compare these results with the analytical findings.
Figure 4 - Performance of hash computation Experiments A Windows98 PC with 450 MHz Pentium III and 128 MB memory and a Windows2000 PC with 800 MHz Pentium III and 256 MB memory were chosen as the slow and fast receiver machines, respectively. A Windows XP Pentium IV with 1.7 GHz Pentium IV and 512 MB memory is the server. JCE (Java Cryptography extension) integrated to the Java 2 SDK Standard Edition v.1.4 was used for the implementation, which downloads the image using a single thread. The server and the receivers are connected via 10Mbps LAN.
In EVEREST, the transmitted file size is slightly larger than the original file size due to extra hash values transmitted. To make a comparison, let Td denotes the extra time delay for transmission of this extra amount. When the network delay to download each part is bigger than the time required to verify the hash values, it is reasonable to assume that at the time the receiver completes downloading the last part, only computing the hash value of this last part is left to verify the entire image since the processing for hash computations of all the previous parts and signature verification has been completed by utilizing the idle (I/O blocked) CPU.
Figure 5 illustrates the achieved gain by using three message pieces and different types of receiver machines. Using different number of pieces, Figure 6 is for demonstrating the difference
1244
K. Bicakci et al.
address the efficiency concerns for digital signatures in teleradiology. One other advantage of EVEREST is the communication efficiency since the receiver does not need to get the entire file to detect the tampering [11].
Performance gain of EVEREST
Unlike most of the other applications, in teleradiology the amount of time to compute the hash value is significant due to huge sizes of medical images. Therefore the real-time performance of the verification can be highly improved if we perform most of the hash computation before we get the entire image file. The performance evaluation study and experiments show the prospect of our method. This method would also be applicable in other applications where big files are required to be verified efficiently. The method EVEREST proposed in this paper has some unique features that will make it an exclusive choice for some applications while excluding others [11].
Gain (secs)
between theoretical gain and experimental gain (using the slow client and 50 MB image size).
6 5 4 3 2
Fast receiver Slow receiver
1 0 0
10
20
30
40
50
60
Image Size (MB)
References
Figure 5 - Performance gain of EVEREST using two different receivers
[1] http://www.pkiforum.org/pdfs/healthcarenote.pdf, Wagner R, US Healthcare, March 2001.
Gain (secs)
As seen from the figures, a significant gain can be obtained if EVEREST is preferred. Overheads due to thread usage, context switches etc. are the possible reasons for the difference between theoretical and experimental gains. However we see that when the number of message pieces increases, experimental gain is approaching to the theoretical gain. The time to download a 50 MB image is around 50 secs using 10 Mbps connection therefore using EVEREST the speed-up we obtain in the total time to download and verify the signature is calculated as 6-12%. We expect an increase in the speed-up when we have a higher speed networking. This is because the time gain we obtain will remain almost same but the time to download the image file will drop significantly. We also would like to point out that the theoretical maximum speed-up of EVEREST is 50% (when time to download and time for hash computation are equal and the message is split into infinite number of pieces).
[2] Riesmeier J and et al, DICOM security extensions and their application in medical reporting, European Congress of Radiology (ECR), March 1-5, 2002, Vienna Austria. [3] Cao F, Huang HK and Zhou XQ, Medical image security in a HIPAA mandated PACS environment, Computerized Medical Imaging and Graphics, 27 (2003), 185-196. [4] Menezes A, Van Oorshot P and Vanstone S, Handbook of applied cryptography, CRC Press, 1996. [5] Zhou XQ, Huang HK and Lou SL. Authenticity and Integrity of Digital Mammography Images. IEEE Transaction on Medical Imaging, Vol 20, No. 8, August 2001. [6] Schweitzer T and et al. Teleradiology on a Personal Digital Assistant, 2nd Conference on Mobile Computing in Medicine, Heidelberg, 2002.
Comparison of gains in EVEREST (slow client)
[7] National Electrical Manufacturers’ Association. Digital Imaging and Communications in Medicine (DICOM), Rosslyn, VA:, 1996, PS3.1-1996-3.
8
[8] Gennaro R, Rohatgi P. How to Sign Digital Streams, Proceedings of CRYPTO 1997.
6 4 2 0 0
1
2
3
4
5
Experimental gain
[9] National Institute of Standards and Technology (NIST). FIPS Publication 186: Digital Signature Standard (DSS).
Theoretical gain
[10]National Institute of Standards and Technology (NIST). FIPS Publication 180: Secure Hash Standard (SHS). [11]Bicakci K, On the Efficiency of Authentication Protocols, Digital Signatures and Their Applications in E-Health: A Top-Down Approach, Ph.D. Thesis, Middle East Technical University, Ankara, Turkey, September 2003.
6
Number of message pieces
Address for correspondence
Figure 6 - Theoretical and experimental gains in EVEREST.
Kemal Bicakci,
[email protected], Tel: +90-312-210-3796, Fax: +90-312-210-3745 Address: Middle East Technical University, Informatics Institute, 06531, Ankara, TURKEY.
Conclusion In this paper, we have investigated the problem of efficiently verifying digital signatures in real-time teleradiology and proposed a method called EVEREST to solve the problem and increase the efficiency. Our method is the first one in literature to
1245
