MPs told PGP 'incompatible' with Parliament network MPs have been told that although they are free to install PGP on their parliamentary machines the technology is not compatible with Parliament’s remote access software, making its use impractical. The curious response came from the House of Commons Commission via Lib Dem MP Nick Harvey in response to questions raised by …
They'll install encryption software free of charge will they? I hope they are complying with the terms of the licence.
Maybe they are just hoping that the average less than tech savvy MP will allow the support guys to set the passphrase. Of course I can't imagine why they'd want to do that...
"The more paranoid among you might say that the other (unknown) product might be easier to eavesdrop upon."
I would have thought the other (unknown) product comes with free brown envelopes, whereas PGP although clearly the market leader doesnt. Either that or some ministers brother in on the board of execs.
As the PGP folks said in so many words, their software's output is just a binary file. The VPN is just another network layer on top of TCP/IP, and should not care what files are being transported. If there truly is an issue, it implies the VPN is misconfigured to filter out binary files, probably in the mistaken idea that doing so will keep viruses from transporting across the VPN. The experiment to try is to see if one can send the PGP file "as is", and again after MIME encoding. (MIME = Multipurpose Internet Mail Extensions) All email is transmitted as US-ASCII plain text. Period. The way binary attachments to email are transmitted is that they are first encoded to an output that is all US-ASCII text. The most common modern encoding scheme for this is MIME. Another encoding scheme not used much anymore is UUENCODE ("Unix-to-Unix encoding").
In MIME encoding, the input data undergoes a mathematical transformation from base-2 to base-64. In this conversion, the output results in 4 bytes of output data for every 3 bytes of input data. But the good part is that every single one of those output bytes is a simple plain US-ASCII text byte. Hence, the MIME encoded file can be sent as part of an email and everything between the sending client and the receiving client sees nothing but US-ASCII text. The receiving client reverses the encoding to produce the original attachment file.
If the MIME encoded file transports across this screwy VPN but the binary PGP does not, then they are blocking the transmission of binary files probably thinking this impedes the spread of viruses across the VPN. (Bad assumption.)
It's not that PGP is hard to use, but I can see some point in PICT choosing a different crypto system, and supporting it. If something goes wrong, they know how to fix it.
And I know of cases of companies using horribly old browser versions because some bean-counter doesn't want to pay for an update to some critical bespoke app.
It doesn't have to be because they don't know how to read PGP traffic.
But I don't blame anyone for thinking that.
I think I'd rather use Babel-17 than PGP. Something that subverts the attacker's thinking when he tried to read the messages may still be sci-fi, but it's pretty good protection,.
Considering HM gov's general love affair with all things Microsoft, I wouldn't be the least bit surprised to learn that this "other" product is one supplied by MS so that (a) they can suck-up to MS a bit more and (b) as an invitation to MS to screw them over in the future (I'm sure they'll find a way).
In failing to use PKI encryption. The GovConnect secure gateway is an example: set up a dedicated network, parallel mailboxes etc, to allow local and central government to communicate. Far more complex than just issuing certificates etc.
Government use of PKI for secure email would kick start more general use of the technology. Might even help to kill spam. Why doesn't the Passport and Identity Service issue digital certificates along with passports?
But then snooping would be so much harder once we're all encrypting our communications.
So the recommended software is currently unknown.
Anyone fancy submitting an FoI request? :)
If they refuse to divulge, we can probably assume it's cr@p. After all, not only PGP but many other examples of crypto software use algorithms that are virtually uncrackable (unless you have a room full of supercomputers to hand...). Case in point: distributed.net's attempts to crack RC5-72. They've been going over 5 years and they've only scratched the surface of the available keyspace...
This post has been deleted by its author
There could really be a problem. Most comments have focused on PGP's use of crypto algorithms. Perhaps there is a compatibility problem with the way both PGP and the VPN product integrate into the OS.
PGP does much more than merely encrypt files. PGP doesn't just rely on the user remembering to encrypt their data before sending it. PGP has also side-stepped the problem of integrating into the different mail clients. PGP functions as an internal proxy server to handle both inbound and outbound traffic.
I have PGP installed on my system at home. Look what happens when I try to make an SMTP connection to an arbitrary address.
$ telnet 1.2.3.4 25
Trying 1.2.3.4...
Connected to 1.2.3.4.
Escape character is '^]'.
The PGP SMTP proxy has intercepted the connection and will give me the opportunity to encrypt the subsequent message.
The VPN software will also be intercepting attempts to establish TCP connections. Perhaps the two attempts to intercept connections interfere with one another.
I'm not an expert on these matters but I can speak from experience of using PGP.
A lot of the laptops where I work have Whole Disk Encryption managed by Universal Server, the latter ensuring that if people forget their passwords or leave the company a recovery token can be issued to log on to the machine in question. These laptop users can all access the company systems via our VPN.
So as the AC asked, what part of PGP and I'd like to know what VPN?
"In failing to use PKI encryption. The GovConnect secure gateway is an example: set up a dedicated network, parallel mailboxes etc, to allow local and central government to communicate. Far more complex than just issuing certificates etc.
Government use of PKI for secure email would kick start more general use of the technology. Might even help to kill spam. Why doesn't the Passport and Identity Service issue digital certificates along with passports?
But then snooping would be so much harder once we're all encrypting our communications."
Funny you should say all that, but govconnect guidelines actually recommend against the use of ssl internally on the local government network. Why do you suppose that would be then?
It is always difficult to do customer support by long distance, and especially difficult when the problem report is coming in through a news story. PGP is established, long-standing technology. We use it with VPNs ourselves, as do millions of customers including a large number in the UK government. We firmly believe that this is an issue that can be solved with a support call or a short support visit.
We are committed to helping all of our customers resolve their configuration issues. We look forward to talking to PICT or any other PGP user to resolve any deployment issues and use PGP effectively in their environment. We welcome PICT or anyone else to contact PGP Corporation's technical support directly, or to contact me personally and I will direct the appropriate people to resolve this issue.
Regards,
Jon Callas, CTO and CSO, PGP Corporation
Why does Parliament continue to reinforce the idea they should not be allowed anywhere near sharp objects? Or heavy objects, or even each other....?
Point the Witch-doctor bone at whatever muppet decided on the product sets without checking compatibility and specifically correct interoperability. OTOH, if its just a configuration snafu, then fix it* and shut the pharq up, otherwise it just says 'aint it great - I'm stupid and I still get paid'.
How many readers of this in other countries shake their heads in wonder at the willfully advertised incompetence of the UK government, whether its spin or not.
*be a "JEDI Nike" : accompany your trainers with a brown monks robe that has "Just Effing-well Do It" emblazoned on the back.... laser sword optional
I used to have a paid subscription to PGP for my XP based PC. I gave up on it because I kept having problems with some kind of memory leak in PGP that caused it to unpredictably gobble massive amounts of memory and bring my machine to its knees. I reported the problem to PGP Corp, but never received a solution. No fix = no subscription renewal Mr Callas
I would imagine that MP's had a similar problem support of their PC's by the IT Support teams would be problematic.
our network is incompatable with PGP.
Only recent versions of PGP redirect the mail through a proxy and even then thats only for corporate installs where there are key servers.
That is not nessicary if you posess the recipiants public key. Just click on the PGP tray icon and choose Encrypt current window. It is (also) perfectly normal to encrypt an attachment and then attach the encrypted version, just as it is possible right.
To AC @13:32 GMT you are confusing VPN with mail servers.
The VPN only encrypts the connection (well a few other things too), but it DOSNT block attachments, thats what the policy on the mail server does.
I would have used the Icon for "May contain ... degree level" but I don't want to be associated with being wrong
I find it most concerning that PICT, are having issues enabling there customers "MPs" with a tool a which so popular and simple to deploy and use. Also of concern is the indication that PICT wish to use another encryption tool in its place.
It is also interesting that PGP is a CAPS evaluated encryption product, it would be interesting to know if the other encryption product PICT are offering is CAPS evaluated or not!
It would also be interesting to know if the VPN solution is approved for Government use....
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
