Using GnuPG on shared virtual hosts -

John Woodman
Tue, 18 Jan 2000 15:15:24 -0700

I said:

> I'm wanting to use GnuPG in a shared virtual hosting
> situation(s) to encrypt transaction info for logging
> and for sending via encrypted e-mail
Sam Simpson replied:
> ok. Can you clarify: will you be signing the messages
> or not???? I'd expect so (to prevent spoofing of
> transactions!)
Sounds like the best idea -- however, how does one adequately protect the private key used to sign the messages? Hacker breaks into server, downloads private key, then spoofs transactions anyway...
> Use a small key that still offers sufficient security for this
> kind of work - 1,024-bits will do nicely I'd suggest.... On a
> P166, GPG takes only .58 seconds [with a ] 1,024-bit key.
.58 sec times, say, 200 transactions a day ~= 2 minutes of processor time. Not much, but if the server hosts 150 sites, 2 minutes x 150 could tie up the processor for *6 hours.* Given all the other things the processor has to do, and the crunch of peak times, using 2 minutes of the processor's time for encryption would appear to be well outside of the normal acceptable customer range. OTOH, if RSA encryption takes, say, 1 /12 the time at 1024 bits (I haven't tested it myself and don't know the exact ratio), the 6 hours needed processor time (presuming everyone does this kind of thing which of course I realize isn't likely to happen) would reduce to only 25 minutes during the day, which would seem (to me anyway) to be very acceptable!
> It's true - ElGamal is intrinsically far slower than RSA for
> encryption. Decryption is slower under RSA than with ElGamal,
> but this will not be done in such a constrained environment and
> will thus not matter as much.
> If you live outside of the US then you can legally use RSA
> now as RSA is only patented in the US....
Nope. Just moved back to the States last April from Hertfordshire, I'm afraid... :-) Best wishes, John