Using GnuPG on shared virtual hosts -
Tue, 18 Jan 2000 15:15:24 -0700
> I'm wanting to use GnuPG in a shared virtual hosting
> situation(s) to encrypt transaction info for logging
> and for sending via encrypted e-mail
Sam Simpson replied:
> ok. Can you clarify: will you be signing the messages
> or not???? I'd expect so (to prevent spoofing of
Sounds like the best idea -- however, how does one
adequately protect the private key used to sign the
messages? Hacker breaks into server, downloads private
key, then spoofs transactions anyway...
> Use a small key that still offers sufficient security for this
> kind of work - 1,024-bits will do nicely I'd suggest.... On a
> P166, GPG takes only .58 seconds [with a ] 1,024-bit key.
.58 sec times, say, 200 transactions a day ~= 2 minutes of
Not much, but if the server hosts 150 sites, 2 minutes x
150 could tie up the processor for *6 hours.* Given all the
other things the processor has to do, and the crunch of
peak times, using 2 minutes of the processor's time for
encryption would appear to be well outside of the normal
acceptable customer range.
OTOH, if RSA encryption takes, say, 1 /12 the time at 1024
bits (I haven't tested it myself and don't know the exact ratio),
the 6 hours needed processor time (presuming everyone does
this kind of thing which of course I realize isn't likely to
happen) would reduce to only 25 minutes during the day,
which would seem (to me anyway) to be very acceptable!
> It's true - ElGamal is intrinsically far slower than RSA for
> encryption. Decryption is slower under RSA than with ElGamal,
> but this will not be done in such a constrained environment and
> will thus not matter as much.
> If you live outside of the US then you can legally use RSA
> now as RSA is only patented in the US....
Nope. Just moved back to the States last April from
Hertfordshire, I'm afraid... :-)
Best wishes, John