mi2b2

The study zip file is organized hierarchically by Study UID (top level), Series ID, and Image Instance ID. The first two levels are directories, named by their IDs. These names are produced using DICOM standards, and anyone who knows how to read the IDs can identify the institution, department, machine, and date/time at which a particular study started, and use the assembled information to narrow down or identify the patient. To prevent this kind of attack, when encryption is chosen, mi2b2 renames these studies, series, and images. Study UIDs and Series IDs are hashed (using the MD5 cryptographic hash function). The hashed value (16 bytes long) is then written out as a string of 16 hexadecimal numbers (32 characters) and prepended with "Study-" or "Series-" as appropriate. The image files, on the other hand, are named "Study-num", where num stands for the instance number of that image in its series. This helps users identify which files appear before which.

Decrypting Images

The mi2b2 client first reads the first 50 bytes of the encrypted file. It applies the same SHA-256 algorithm to the key the user supplied and compares the result with the hash of the key stored in the file (the first 32 bytes). If they match, the mi2b2 client uses the last 18 bytes of the 50 bytes to recreate the initialization vector. The key (supplied by the user and verified to match the encrypted key) and the initialization vector are then used to initialize the decrypting algorithm.

The decryption occurs when users select a series from the Image Browser.
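
The header check described under "Decrypting Images", as an added Python sketch that is not mi2b2's own code. The function and class names, the UTF-8 key encoding, and the sample file are assumptions; how the 18 bytes become the initialization vector and which cipher follows are not stated here, so the sketch stops at returning those bytes.

```python
import hashlib
import hmac
import io

HEADER_LEN = 50                              # bytes the client reads first
KEY_HASH_LEN = 32                            # SHA-256 of the key, stored first
IV_MATERIAL_LEN = HEADER_LEN - KEY_HASH_LEN  # the remaining 18 bytes


class HeaderError(ValueError):
    """Header is truncated or the supplied key does not match."""


def read_header(stream, user_key: bytes) -> bytes:
    """Check user_key against the stored hash; return the 18 IV bytes."""
    header = stream.read(HEADER_LEN)
    if len(header) != HEADER_LEN:
        raise HeaderError(f"truncated header: got {len(header)} bytes")
    stored_hash = header[:KEY_HASH_LEN]
    iv_material = header[KEY_HASH_LEN:]
    supplied_hash = hashlib.sha256(user_key).digest()
    # Constant-time comparison, so timing does not reveal how many
    # leading bytes of the digest matched.
    if not hmac.compare_digest(stored_hash, supplied_hash):
        raise HeaderError("supplied key does not match the hash in the file")
    return iv_material


def build_sample_file(key: bytes, iv_material: bytes, body: bytes) -> bytes:
    """Constructed test input with the layout described above."""
    if len(iv_material) != IV_MATERIAL_LEN:
        raise ValueError("IV material must be 18 bytes")
    return hashlib.sha256(key).digest() + iv_material + body


if __name__ == "__main__":
    key = "example passphrase".encode("utf-8")   # constructed sample key
    sample = build_sample_file(key, bytes(range(18)), b"<ciphertext>")
    print(read_header(io.BytesIO(sample), key).hex())
    for label, data, k in [("wrong key", sample, b"not the key"),
                           ("short file", sample[:40], key)]:
        try:
            read_header(io.BytesIO(data), k)
        except HeaderError as exc:
            print(f"{label}: rejected ({exc})")
```
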