Using GnuPG on shared virtual hosts

John Woodman johnwoodman@mindspring.com
Tue, 18 Jan 2000 15:15:24 -0700


I said:

> I'm wanting to use GnuPG in a shared virtual hosting
> situation(s) to encrypt transaction info for logging
> and for sending via encrypted e-mail

Sam Simpson replied:
> ok. Can you clarify: will you be signing the messages
> or not???? I'd expect so (to prevent spoofing of
> transactions!)

Sounds like the best idea -- however, how does one adequately protect the private key used to sign the messages? Hacker breaks into server, downloads private key, then spoofs transactions anyway...

> Use a small key that still offers sufficient security for this
> kind of work - 1,024-bits will do nicely I'd suggest.... On a
> P166, GPG takes only .58 seconds [with a ] 1,024-bit key.

.58 sec times, say, 200 transactions a day ~= 2 minutes of processor time. Not much, but if the server hosts 150 sites, 2 minutes x 150 could tie up the processor for *6 hours.* Given all the other things the processor has to do, and the crunch of peak times, using 2 minutes of the processor's time for encryption would appear to be well outside of the normal acceptable customer range. OTOH, if RSA encryption takes, say, 1/12 the time at 1024 bits (I haven't tested it myself and don't know the exact ratio), the 6 hours needed processor time (presuming everyone does this kind of thing which of course I realize isn't likely to happen) would reduce to only 25 minutes during the day, which would seem (to me anyway) to be very acceptable!

> It's true - ElGamal is intrinsically far slower than RSA for
> encryption. Decryption is slower under RSA than with ElGamal,
> but this will not be done in such a constrained environment and
> will thus not matter as much.

Precisely...

> If you live outside of the US then you can legally use RSA
> now as RSA is only patented in the US....

Nope. Just moved back to the States last April from Hertfordshire, I'm afraid... :-)

Best wishes,
John
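The worry raised above about a private key sitting on the shared host has a standard answer for the encrypt-for-logging use case: the host only ever needs the public key, so a compromise of the web server yields nothing that can decrypt earlier records (signing, if it is wanted, has to be done wherever the private key actually lives). The script below is an added illustration, not code from this thread or from GnuPG itself. It assumes GnuPG 2.1 or later (for `--quick-generate-key`), builds two throw-away keyrings in a temporary directory (one standing in for the off-host machine, one for the shared host), and uses a constructed identity and a constructed transaction record.

```shell
#!/bin/sh
# Added example: public-key-only encryption of transaction records on a shared host.
# Two separate GNUPGHOME directories stand in for two machines:
#   OFFLINE - where the key pair is generated and where decryption happens
#   HOST    - the shared web host, which receives the public key only
# Assumes GnuPG >= 2.1. Identity and record values below are constructed.
set -eu

WORK=$(mktemp -d)
OFFLINE="$WORK/offline"
HOST="$WORK/host"
mkdir -p "$OFFLINE" "$HOST"
chmod 700 "$OFFLINE" "$HOST"
# Stop the per-keyring agents and remove the temporary keyrings on exit.
trap 'GNUPGHOME="$OFFLINE" gpgconf --kill gpg-agent 2>/dev/null;
      GNUPGHOME="$HOST" gpgconf --kill gpg-agent 2>/dev/null;
      rm -rf "$WORK"' EXIT

UID_STR="Transaction Log <txlog@example.invalid>"   # constructed identity

# 1. Generate the key pair OFF the host. A passphrase-less key is used only so the
#    demo runs unattended; a real off-host key would be passphrase protected.
GNUPGHOME="$OFFLINE" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key "$UID_STR" default default never

# 2. Ship ONLY the public key to the host's keyring.
GNUPGHOME="$OFFLINE" gpg --batch --quiet --export "$UID_STR" \
    | GNUPGHOME="$HOST" gpg --batch --quiet --import

# Encrypt one record on the host. --trust-model always suppresses the
# "unknown trust" prompt for a key the operator installed deliberately.
encrypt_record() {
    printf '%s\n' "$1" | GNUPGHOME="$HOST" gpg --batch --quiet \
        --trust-model always --armor --encrypt -r "$UID_STR"
}

# Returns 0 if any secret key is present in the host keyring (which would be
# exactly the exposure the thread worries about), 1 if none is.
host_has_secret_key() {
    GNUPGHOME="$HOST" gpg --batch --quiet --list-secret-keys --with-colons 2>/dev/null \
        | grep -q '^sec:' && return 0
    return 1
}

# Decrypt off the host, reading the armored message from stdin.
decrypt_record() {
    GNUPGHOME="$OFFLINE" gpg --batch --quiet --pinentry-mode loopback \
        --passphrase '' --decrypt
}

# Demo: log one constructed record on the host, read it back off the host.
SAMPLE='2000-01-18T15:15:24 order=1234 amount=49.95'
encrypt_record "$SAMPLE" > "$WORK/tx.asc"
echo "host keyring holds a secret key: $(host_has_secret_key && echo yes || echo no)"
echo "off-host decryption: $(decrypt_record < "$WORK/tx.asc")"
```

Each encrypted record can also be mailed as-is, which covers the "sending via encrypted e-mail" half of the original question with the same public key; the cost discussion in the thread applies to the `encrypt_record` step, since that is the only public-key operation the host performs per transaction.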