Using GnuPG on shared virtual hosts -
Simpson, Sam
s.simpson@mia.co.uk
Tue, 18 Jan 2000 10:58:26 +0000
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
> -----Original Message-----
> From: John Woodman [mailto:johnwoodman@mindspring.com]
> Sent: 17 January 2000 22:44
> To: s.simpson@mia.co.uk
> Subject: Using GnuPG on shared virtual hosts -
>
>
> Hi, I've just recently joined the GnuPG list and was going to
hang
> around just a bit before posting, but the last post was so
> close to some
> of my own questions I just have to jump in here! :-)
>
> First, thanks for what looks to be a terrific product.
Doesn't it just?
> Like "G Nielson" who just posted, I'm wanting to use GnuPG in a
shared
> virtual hosting situation(s). In my case, it's to encrypt
transaction
> info for a small store - both for logging to a file and for
> sending via
> encrypted e-mail to my budding e-commerce merchant.
ok. Can you clarify: will you be signing the messages or not????
I'd expect so (to prevent spoofing of transactions!) and if you
are then this (very...) slightly evens things up - ElGamal
signatures are quicker to produce than RSA signatures.
> 1) One of my big concerns has to do with the processor time
required.
> I'm worried that my hosting company may find processing time
excessive
> and either shut the account down or ask for more money. Has
> anyone been
> using GnuPG in such a shared virtual web hosting situation? Any
> suggestions?
Use a small key that still offers sufficient security for this
kind of work - 1,024-bits will do nicely I'd suggest.
Actually try this out (with the co-operation of the ISP/hosting
service) and see if the performance is poor / unacceptable to the
hosting service.
On a P166, GPG takes 10 seconds to encrypt to a (excessively
large...) 3,072-bit key but only .58 seconds to encrypt to a more
reasonable 1,024-bit key.
On the same machine, encrypting to a 2048-bit RSA key takes just
.08 seconds. Hhhmmmm.
> 2) One thing I noted too, reading the literature, was that
> ElGamal takes
> about 10 times the processing time of the RSA algorithm. I'm
concerned
> that this in particular could make things difficult for a
reasonably
> busy online store.
It's true - ElGamal is intrinsically far slower than RSA for
encryption. Decryption is slower under RSA than with ElGamal,
but this will not be done in such a constrained environment and
will thus not matter as much.
> I suppose one could work around this by configuring things to
stack up
> transactions and only send one e-mail per day to the
> merchant, but then
> you would have to first store the transactions in an
> unencrypted format
> on the server, which sort of defeats the purpose of using
> encryption --
> especially given how easy it seems for hackers to get into
online
> systems... :-(
Quite.
> In that light, given the much higher security-per-clock-cycle,
I was
> wondering whether there are plans to incorporate the RSA
algorithm as
> second option starting in September?
I can see no reason that RSA won't be supported in Sept, but I
don't know of Werners thoughts on this?
If you live outside of the US then you can legally use RSA now as
RSA is only patented in the US....
> Looking forward to being a part of this list,
>
> John Woodman
Welcome to the list!
Regards,
Sam Simpson
Communications Analyst
- -- http://www.scramdisk.clara.net/ for ScramDisk hard-drive
encryption & Delphi Crypto Components. PGP Keys available at the
same site.
-----BEGIN PGP SIGNATURE-----
Version: 6.0.2ckt http://members.tripod.com/IRFaiad/
iQA/AwUBOIRHzO0ty8FDP9tPEQKJGQCeN0wZNzr1TnHdp8vX8YqcYYJM2n4AnjKJ
rFgkAflJcn9KskjQsXo62Dbp
=+/c3
-----END PGP SIGNATURE-----