Using GnuPG on shared virtual hosts -
Hi, I've just recently joined the GnuPG list and was going to hang
around just a bit before posting, but the last post was so close to some
of my own questions I just have to jump in here! :-)

First, thanks for what looks to be a terrific product.

Like "G Nielson" who just posted, I'm wanting to use GnuPG in a shared
virtual hosting situation(s). In my case, it's to encrypt transaction
info for a small store - both for logging to a file and for sending via
encrypted e-mail to my budding e-commerce merchant.

1) One of my big concerns has to do with the processor time required.
I'm worried that my hosting company may find processing time excessive
and either shut the account down or ask for more money. Has anyone been
using GnuPG in such a shared virtual web hosting situation? Any
suggestions?

2) One thing I noted too, reading the literature, was that ElGamal takes
about 10 times the processing time of the RSA algorithm. I'm concerned
that this in particular could make things difficult for a reasonably
busy online store.

I suppose one could work around this by configuring things to stack up
transactions and only send one e-mail per day to the merchant, but then
you would have to first store the transactions in an unencrypted format
on the server, which sort of defeats the purpose of using encryption --
especially given how easy it seems for hackers to get into online
systems... :-(

In that light, given the much higher security-per-clock-cycle, I was
wondering whether there are plans to incorporate the RSA algorithm as
second option starting in September?

Looking forward to being a part of this list,

John Woodman
RE: Using GnuPG on shared virtual hosts - [ In reply to ]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> -----Original Message-----
> From: John Woodman [mailto:johnwoodman@mindspring.com]
> Sent: 17 January 2000 22:44
> To: s.simpson@mia.co.uk
> Subject: Using GnuPG on shared virtual hosts -
>
>
> Hi, I've just recently joined the GnuPG list and was going to hang
> around just a bit before posting, but the last post was so close to some
> of my own questions I just have to jump in here! :-)
>
> First, thanks for what looks to be a terrific product.

Doesn't it just?

> Like "G Nielson" who just posted, I'm wanting to use GnuPG in a shared
> virtual hosting situation(s). In my case, it's to encrypt transaction
> info for a small store - both for logging to a file and for sending via
> encrypted e-mail to my budding e-commerce merchant.

ok. Can you clarify: will you be signing the messages or not????
I'd expect so (to prevent spoofing of transactions!) and if you
are then this (very...) slightly evens things up - ElGamal
signatures are quicker to produce than RSA signatures.

> 1) One of my big concerns has to do with the processor time required.
> I'm worried that my hosting company may find processing time excessive
> and either shut the account down or ask for more money. Has anyone been
> using GnuPG in such a shared virtual web hosting situation? Any
> suggestions?

Use a small key that still offers sufficient security for this
kind of work - 1,024-bits will do nicely I'd suggest.

Actually try this out (with the co-operation of the ISP/hosting
service) and see if the performance is poor / unacceptable to the
hosting service.

On a P166, GPG takes 10 seconds to encrypt to a (excessively
large...) 3,072-bit key but only .58 seconds to encrypt to a more
reasonable 1,024-bit key.

On the same machine, encrypting to a 2048-bit RSA key takes just
.08 seconds. Hhhmmmm.

> 2) One thing I noted too, reading the literature, was that ElGamal takes
> about 10 times the processing time of the RSA algorithm. I'm concerned
> that this in particular could make things difficult for a reasonably
> busy online store.

It's true - ElGamal is intrinsically far slower than RSA for
encryption. Decryption is slower under RSA than with ElGamal,
but this will not be done in such a constrained environment and
will thus not matter as much.

> I suppose one could work around this by configuring things to stack up
> transactions and only send one e-mail per day to the merchant, but then
> you would have to first store the transactions in an unencrypted format
> on the server, which sort of defeats the purpose of using encryption --
> especially given how easy it seems for hackers to get into online
> systems... :-(

Quite.

> In that light, given the much higher security-per-clock-cycle, I was
> wondering whether there are plans to incorporate the RSA algorithm as
> second option starting in September?

I can see no reason that RSA won't be supported in Sept, but I
don't know of Werner's thoughts on this?

If you live outside of the US then you can legally use RSA now as
RSA is only patented in the US....

> Looking forward to being a part of this list,
>
> John Woodman



Welcome to the list!


Regards,

Sam Simpson
Communications Analyst
- -- http://www.scramdisk.clara.net/ for ScramDisk hard-drive
encryption & Delphi Crypto Components. PGP Keys available at the
same site.

-----BEGIN PGP SIGNATURE-----
Version: 6.0.2ckt http://members.tripod.com/IRFaiad/

iQA/AwUBOIRHzO0ty8FDP9tPEQKJGQCeN0wZNzr1TnHdp8vX8YqcYYJM2n4AnjKJ
rFgkAflJcn9KskjQsXo62Dbp
=+/c3
-----END PGP SIGNATURE-----
Re: Using GnuPG on shared virtual hosts - [ In reply to ]
On Tue, 18 Jan 2000, Simpson, Sam wrote:

> On a P166, GPG takes 10 seconds to encrypt to a (excessively
> large...) 3,072-bit key but only .58 seconds to encrypt to a more
> reasonable 1,024-bit key.

4k keys will be about 8 times faster and 1k keys will be 2 times
faster in the next release. It's already in the CVS.

> I can see no reason that RSA won't be supported in Sept, but I
> don't know of Werners thoughts on this?

I guess that there will be a new release on Sep 20th ;)


--
Werner Koch at guug.de www.gnupg.org keyid 621CC013

Boycott Amazon! - http://www.gnu.org/philosophy/amazon.html
Re: Using GnuPG on shared virtual hosts - [ In reply to ]
I said:
> I'm wanting to use GnuPG in a shared virtual hosting
> situation(s) to encrypt transaction info for logging
> and for sending via encrypted e-mail

Sam Simpson replied:
> ok. Can you clarify: will you be signing the messages
> or not???? I'd expect so (to prevent spoofing of
> transactions!)

Sounds like the best idea -- however, how does one
adequately protect the private key used to sign the
messages? Hacker breaks into server, downloads private
key, then spoofs transactions anyway...

> Use a small key that still offers sufficient security for this
> kind of work - 1,024-bits will do nicely I'd suggest.... On a
> P166, GPG takes only .58 seconds [with a ] 1,024-bit key.

.58 sec times, say, 200 transactions a day ~= 2 minutes of
processor time.

Not much, but if the server hosts 150 sites, 2 minutes x
150 could tie up the processor for *6 hours.* Given all the
other things the processor has to do, and the crunch of
peak times, using 2 minutes of the processor's time for
encryption would appear to be well outside of the normal
acceptable customer range.

OTOH, if RSA encryption takes, say, 1/12 the time at 1024
bits (I haven't tested it myself and don't know the exact ratio),
the 6 hours needed processor time (presuming everyone does
this kind of thing which of course I realize isn't likely to
happen) would reduce to only 25 minutes during the day,
which would seem (to me anyway) to be very acceptable!

> It's true - ElGamal is intrinsically far slower than RSA for
> encryption. Decryption is slower under RSA than with ElGamal,
> but this will not be done in such a constrained environment and
> will thus not matter as much.

Precisely...

> If you live outside of the US then you can legally use RSA
> now as RSA is only patented in the US....

Nope. Just moved back to the States last April from
Hertfordshire, I'm afraid... :-)

Best wishes, John
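The encrypt-side gap Sam describes (and that John's 200 transactions a day times 150 sites extrapolation is built on) comes from where the work sits in each algorithm: an RSA encryption is a single modular exponentiation with a tiny public exponent (65537, 17 bits), while an ElGamal encryption needs two exponentiations with a fresh full-width ephemeral exponent k, and decryption moves the full-width exponent to RSA's side. The block below is an added example, not code from the thread or from GnuPG: it implements unpadded "schoolbook" RSA and ElGamal in pure Python (no OpenPGP packet encoding, no padding, g=2 rather than a generator of a prime-order subgroup as a real implementation would choose), times both at the same modulus size, and reuses the thread's 200-transactions-by-150-sites figures as an assumed workload. Absolute times depend on the machine and on CPython's bignum code, not on a P166, so only the ratios are meaningful.

```python
"""Textbook RSA vs. ElGamal encryption cost at the same modulus size.

Added example, not GnuPG's code: unpadded operations, no OpenPGP encoding.
The 200 tx/day x 150 sites workload is the thread's assumption, not a measurement.
"""
import random
import time

rng = random.SystemRandom()
SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)


def is_probable_prime(n, rounds=32):
    """Trial division, then Miller-Rabin; 32 rounds gives error < 2**-64."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    """Random prime with the top bit set, so products have the intended size."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def rsa_keygen(bits, e=65537):
    """Returns ((n, e), (n, d)). e is prime, so gcd(e, phi) == 1 iff phi % e != 0."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))


def elgamal_keygen(bits):
    """Returns ((p, g, y), x). g=2 suffices for a round trip and timing;
    a real implementation uses a generator of a large prime-order subgroup."""
    p = random_prime(bits)
    g = 2
    x = rng.randrange(2, p - 1)
    return (p, g, pow(g, x, p)), x


def rsa_encrypt(pub, m):
    n, e = pub
    return pow(m, e, n)             # one modexp, 17-bit exponent


def rsa_decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)             # one modexp, full-width exponent


def elgamal_encrypt(pub, m):
    p, g, y = pub
    k = rng.randrange(2, p - 1)     # fresh ephemeral k for every message
    return pow(g, k, p), (m * pow(y, k, p)) % p   # two full-width modexps


def elgamal_decrypt(pub, x, ct):
    p, _, _ = pub
    c1, c2 = ct
    return (c2 * pow(pow(c1, x, p), -1, p)) % p   # one modexp plus an inverse


def _timed(fn, iterations):
    t0 = time.perf_counter()
    for _ in range(iterations):
        out = fn()
    return (time.perf_counter() - t0) / iterations, out


def benchmark(bits=1024, iterations=20):
    """Average seconds per operation for both systems at `bits`-bit moduli."""
    rsa_pub, rsa_priv = rsa_keygen(bits)
    eg_pub, eg_x = elgamal_keygen(bits)
    m = rng.randrange(2, min(rsa_pub[0], eg_pub[0]))   # constructed plaintext
    t_re, c_rsa = _timed(lambda: rsa_encrypt(rsa_pub, m), iterations)
    t_rd, m_rsa = _timed(lambda: rsa_decrypt(rsa_priv, c_rsa), iterations)
    t_ee, c_eg = _timed(lambda: elgamal_encrypt(eg_pub, m), iterations)
    t_ed, m_eg = _timed(lambda: elgamal_decrypt(eg_pub, eg_x, c_eg), iterations)
    return {"rsa_encrypt": t_re, "rsa_decrypt": t_rd,
            "elgamal_encrypt": t_ee, "elgamal_decrypt": t_ed,
            "roundtrip_ok": m_rsa == m and m_eg == m}


def cpu_hours_per_day(seconds_per_op, tx_per_day=200, sites=150):
    """The thread's extrapolation: per-op cost x transactions x co-hosted sites."""
    return seconds_per_op * tx_per_day * sites / 3600


if __name__ == "__main__":
    r = benchmark()
    for name in ("rsa_encrypt", "elgamal_encrypt", "rsa_decrypt", "elgamal_decrypt"):
        print(f"{name:16s} {r[name] * 1000:8.3f} ms/op  "
              f"{cpu_hours_per_day(r[name]):6.2f} CPU-hours/day at 200 tx x 150 sites")
    print("round trips ok:", r["roundtrip_ok"],
          " ElGamal/RSA encrypt ratio: %.0fx" % (r["elgamal_encrypt"] / r["rsa_encrypt"]))
```

Running it shows the asymmetry the thread turns on: the encrypt ratio is far larger than John's guessed 1/12 because the RSA public exponent is so short, while the two decryptions (the merchant's side, done off the shared host) cost about the same. Plugging Sam's 0.58 s into cpu_hours_per_day() gives the 4.83 hours John corrected himself to.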
Re: Using GnuPG on shared virtual hosts - [ In reply to ]
Werner Koch wrote:
> 4k keys will be about 8 times faster and 1k keys will be 2 times
> faster in the next release. It's already in the CVS.

This is great! Is there an expected date for the next release?

(Sam Simpson:)
> > I can see no reason that RSA won't be supported in Sept
> > [thus giving an option for faster encryption times], but I
> > don't know of Werners thoughts on this?

(Werner Koch):
> I guess that there will be a new release on Sep 20th ;)

Yeeeee-ha!! Won't complain in event of late release, of course, but
I'll definitely keep my eyes open -- the 20th is my birthday!! 8-)

Best wishes, John Woodman
Re: Using GnuPG on shared virtual hosts - [ In reply to ]
> Not much, but if the server hosts 150 sites, 2 minutes x
> 150 could tie up the processor for *6 hours.*

Sorry, that shoulda been *5 hours*!

John
(demonstrating once again that his university major
was in mathematics) 8-)
Re: Using GnuPG on shared virtual hosts - [ In reply to ]
On Tue, 18 Jan 2000, John Woodman wrote:

> This is great! Is there an expected date for the next release?

Depends on when the revised RFC will be published and the minor
changes are done in GnuPG. Will not be very far in future.

--
Werner Koch at guug.de www.gnupg.org keyid 621CC013

Boycott Amazon! - http://www.gnu.org/philosophy/amazon.html