Using GnuPG on shared virtual hosts -

Simpson, Sam s.simpson@mia.co.uk
Tue, 18 Jan 2000 10:58:26 +0000


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


> -----Original Message-----
> From: John Woodman [mailto:johnwoodman@mindspring.com]
> Sent: 17 January 2000 22:44
> To: s.simpson@mia.co.uk
> Subject: Using GnuPG on shared virtual hosts -
>
>
> Hi, I've just recently joined the GnuPG list and was going to hang
> around just a bit before posting, but the last post was so close to
> some of my own questions I just have to jump in here! :-)
>
> First, thanks for what looks to be a terrific product.
Doesn't it just?
> Like "G Nielson" who just posted, I'm wanting to use GnuPG in a
> shared virtual hosting situation(s). In my case, it's to encrypt
> transaction info for a small store - both for logging to a file and
> for sending via encrypted e-mail to my budding e-commerce merchant.
ok. Can you clarify: will you be signing the messages or not???? I'd expect so (to prevent spoofing of transactions!) and if you are then this (very...) slightly evens things up - ElGamal signatures are quicker to produce than RSA signatures.
> 1) One of my big concerns has to do with the processor time
> required. I'm worried that my hosting company may find processing
> time excessive and either shut the account down or ask for more
> money. Has anyone been using GnuPG in such a shared virtual web
> hosting situation? Any suggestions?
Use a small key that still offers sufficient security for this kind of work - 1,024-bits will do nicely I'd suggest. Actually try this out (with the co-operation of the ISP/hosting service) and see if the performance is poor / unacceptable to the hosting service. On a P166, GPG takes 10 seconds to encrypt to an (excessively large...) 3,072-bit key but only .58 seconds to encrypt to a more reasonable 1,024-bit key. On the same machine, encrypting to a 2048-bit RSA key takes just .08 seconds. Hhhmmmm.
> 2) One thing I noted too, reading the literature, was that ElGamal
> takes about 10 times the processing time of the RSA algorithm. I'm
> concerned that this in particular could make things difficult for a
> reasonably busy online store.
It's true - ElGamal is intrinsically far slower than RSA for encryption. Decryption is slower under RSA than with ElGamal, but this will not be done in such a constrained environment and will thus not matter as much.
> I suppose one could work around this by configuring things to stack
> up transactions and only send one e-mail per day to the merchant,
> but then you would have to first store the transactions in an
> unencrypted format on the server, which sort of defeats the purpose
> of using encryption -- especially given how easy it seems for
> hackers to get into online systems... :-(
Quite.
> In that light, given the much higher security-per-clock-cycle, I was
> wondering whether there are plans to incorporate the RSA algorithm
> as a second option starting in September?
I can see no reason that RSA won't be supported in Sept, but I don't know of Werner's thoughts on this. If you live outside of the US then you can legally use RSA now as RSA is only patented in the US....
> Looking forward to being a part of this list,
>
> John Woodman
Welcome to the list!

Regards,

Sam Simpson
Communications Analyst
- --
http://www.scramdisk.clara.net/ for ScramDisk hard-drive encryption &
Delphi Crypto Components. PGP Keys available at the same site.

-----BEGIN PGP SIGNATURE-----
Version: 6.0.2ckt http://members.tripod.com/IRFaiad/

iQA/AwUBOIRHzO0ty8FDP9tPEQKJGQCeN0wZNzr1TnHdp8vX8YqcYYJM2n4AnjKJ
rFgkAflJcn9KskjQsXo62Dbp
=+/c3
-----END PGP SIGNATURE-----