What is a VPN?
In this VPN Encryption guide, we will look at what encryption on a VPN is, how it works, and clarify the confusing terms for it.
A Virtual Private Network (VPN) encrypts all data as it travels between your devices and a VPN server. In this Guide to VPN Encryption, we will explain what VPN encryption is, and how it is used over a VPN connection.
When looking at VPNs, you may notice the term ‘encryption’ thrown around quite often. But what exactly does encryption mean when referring to a VPN? During our research, we noticed quite a few companies carelessly tossing the word around. We also found that, because it is such a technical subject, not many people actually fully understood the concept.
If you would like to know what a VPN is, or why someone would use one, we wrote a Beginners' Guide to VPNs here. A VPN can protect a single device, or multiple devices under one network. The smart way to have one in your home is to install it on the router. For the sake of this article, we will assume this is the case.
Encryption is a very complex subject, even for those who are technical. This article is aimed at all audiences, so we will do our best not to get too elaborate, but we still want to clarify what encryption is actually doing and how it accomplishes that. We will also cover the different methods of encryption that a VPN might use.
Encryption simply takes your data and scrambles it with a mathematical formula (a cipher). A simple metaphor for this would be Pig Latin: although it is far simpler, there is still a rule for transforming the words you actually intend to say, as well as a key, or method, to decipher them. Without the key, it is impossible to recover the meaning of the data you are receiving without cracking the cipher.
If someone wants to read an encrypted message but does not have the key, they must attempt to ‘crack’ the code (the cipher). Depending on the level of encryption, this can prove extremely difficult. The purpose of encryption on a VPN is to make it extremely difficult for someone to steal your data.
When talking about VPN encryption, there are a couple of variables that tell us how hard it is to crack. Modern computer encryption is very complex. No matter how complex, any system can theoretically be broken, and any encryption is subject to a ‘brute force attack’ (an attack that attempts to match a giant database of candidate keys against the current one).
The basic concept of a brute force attack is trying every single combination of all characters of a password or key. The more complex the algorithm, the harder it is to pull off. Once successful, the attackers have the key and can now see your data.
Computers process equations through binary numbers, a series of 0’s and 1’s. The key is expressed as a raw string of 0’s and 1’s, where each zero or one is one digit (a bit). The longer the encryption key, the more complex the encryption becomes, raising the difficulty of breaking the code.
Now imagine trying to decipher a 256 bit key.
Encryption Key Length
There are 1.157920892373163 x 10^77 possible keys.
Let’s say you could try 10,000 per second. (That figure is a total guess – actually decrypting a message using a key might be somewhat faster or slower than this, but it doesn’t matter).
That still leaves you 1.157920892373163 x 10^73 seconds to complete the task, worst case. That’s 3.67 x 10^65 years. The universe is only 14 x 10^9 years old.
So the reason the guessed rate above is irrelevant is that even if you could try a billion keys per second, the number of seconds you’d need would still exceed the age of the universe by many orders of magnitude.
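As an added example (not part of the original guide), here is a small Python script that first reproduces the key-space arithmetic above for any key length and guessing rate, and then actually runs an exhaustive key search against a constructed toy cipher with a deliberately tiny 16-bit key, so you can watch the trial count track the size of the key space. The toy cipher (SHA-256 of the key XORed with the message), the sample key and the sample message are all constructed for the demo and are not anything a VPN uses.

```python
import hashlib

SECONDS_PER_YEAR = 365.25 * 24 * 3600
UNIVERSE_AGE_YEARS = 14e9  # the figure used in the text


def key_space(bits: int) -> int:
    """Number of distinct keys of the given length in bits (2^bits)."""
    return 2 ** bits


def worst_case_years(bits: int, keys_per_second: float) -> float:
    """Years needed to try every key of the given length at the given rate."""
    seconds = key_space(bits) / keys_per_second
    return seconds / SECONDS_PER_YEAR


def universe_lifetimes(bits: int, keys_per_second: float) -> float:
    """How many ages of the universe the worst-case search would take."""
    return worst_case_years(bits, keys_per_second) / UNIVERSE_AGE_YEARS


# Toy cipher, constructed for this demo only: the keystream is SHA-256 of the key,
# XORed with the message. Applying it twice with the same key restores the plaintext.
def toy_encrypt(key: bytes, data: bytes) -> bytes:
    stream = hashlib.sha256(key).digest()
    if len(data) > len(stream):
        raise ValueError("demo cipher handles at most 32 bytes")
    return bytes(d ^ s for d, s in zip(data, stream))


def brute_force(ciphertext: bytes, known_plaintext: bytes, key_bits: int):
    """Exhaustive key search: try every key of key_bits bits in order.

    Returns (recovered_key, trials). trials counts how many candidates were
    tested, which in the worst case equals key_space(key_bits).
    """
    key_len = (key_bits + 7) // 8
    for candidate in range(key_space(key_bits)):
        key = candidate.to_bytes(key_len, "big")
        if toy_encrypt(key, ciphertext) == known_plaintext:
            return key, candidate + 1
    return None, key_space(key_bits)


def demo_small_key() -> dict:
    """Encrypt a sample message under a 16-bit key, then recover it by brute force."""
    secret_key = (0x1234).to_bytes(2, "big")  # constructed sample key
    message = b"vpn session data"               # constructed sample plaintext
    ciphertext = toy_encrypt(secret_key, message)
    recovered, trials = brute_force(ciphertext, message, key_bits=16)
    return {
        "recovered": recovered == secret_key,
        "trials": trials,
        "key_space": key_space(16),
    }


if __name__ == "__main__":
    print(f"2^256 keys = {key_space(256):.3e}")
    print(f"worst case at 10,000 keys/s: {worst_case_years(256, 1e4):.2e} years")
    print(f"that is {universe_lifetimes(256, 1e9):.2e} universe ages even at 1e9 keys/s")
    print(demo_small_key())
```

The 16-bit search finishes in a fraction of a second because there are only 65,536 keys; every extra bit doubles that count, which is the whole argument behind the 256-bit figures above. The search needs some known plaintext (or another way to recognise a correct decryption), which is why brute force is described here as a worst-case bound rather than a practical attack.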
Pros and Cons of a VPN
Unlike VPNs, Tor bounces your traffic through several actual server nodes on the way to the destination. Although it is not impossible to reverse, it does make your traffic much harder to track down; essentially, you would need a pretty big warrant to be caught using Tor. Tor is managed by a non-profit organization and is distributed for free. Fun fact: some VPN services will even connect to Tor via the VPN, for additional security.
It is important to keep in mind that most VPN services are not non-profit, philanthropic organizations. They are there to make a profit, and thus act like a business. This means that they have to protect their business: they need to respond to subpoenas and warrants. Keep this in mind when shopping for a VPN, and make sure you know exactly what you are trying to disguise. These VPN services also have their own bills to pay and loans to pay back. Do some research to make sure the company is not keeping too much data and trying to make another profit behind your back.
Do your Research
We have already discussed one important aspect of a Virtual Private Network (VPN): the key length. The other aspect is the cipher, the mathematics, algorithm or formula used to encrypt the data. As we just discovered, trying to brute force an encryption key is almost impossible. However, an encryption's true weakness is not the key, but the cipher itself.
The weakness lies in the design of the cipher algorithm, introduced either deliberately or by a fundamental flaw in the design process itself. This is what leads to an encryption getting cracked. Sometimes the cipher leaks just enough information about the original data, before it was encrypted, to reduce the number of key combinations that must be tried, which reduces the effective encryption key length. There is an entire field of study devoted to weaknesses in encryption ciphers, called cryptanalysis.
To make up for these weaknesses, a longer key length creates more possible outcomes, producing a more complex encryption.
Cipher Key Length
An attacker can also focus their attack on the key itself, instead of the cipher. This would lead to a single site, or a single piece of software, being affected. The cipher would remain intact, and so would the security of all other programs protected by that cipher. The only break, in this specific case, would be the singled-out site, as a result of the broken key. The rest of the systems using the same algorithm would remain unaffected.
The strength of a cipher depends not only on the mathematical equation that encrypts the data, but also on the length of its key, expressed in bits. The two variables are interchangeable, and the cipher is usually described along with its key size.
For instance, AES-256 (the AES cipher with a 256-bit key length) is generally considered to be stronger than AES-128. There are a couple of different types of encryption.
Symmetric Vs. Asymmetric Encryption
Key length alone is not a good indicator of how strong an encryption is. The combination of key length and cipher is what matters. Ciphers that use asymmetric encryption require key sizes much longer than a symmetric encryption cipher to provide the same protection.
As we can see from the slide above, asymmetric encryption requires a more complex algorithm, resulting in slower speeds. Symmetric encryption offers the same level of protection with a smaller encryption key size. Because more complex algorithms require more computing power and result in slower speeds, a VPN service must choose between level of protection and practicality.
The most common encryption ciphers on VPNs are 256-bit AES, which uses a 128-bit block, and 448-bit Blowfish, which uses a 64-bit block size. Companies like NordVPN, ExpressVPN, and IPVanish all use AES encryption with different ciphers. RSA is generally used to encrypt / decrypt cipher keys, and SHA-1 and SHA-2 are used as the hash function, which helps authenticate data.
Forward Secrecy (FS), also known as Perfect Forward Secrecy (PFS), protects your specific session keys even in the event of a later compromise of the server key. Forward Secrecy protects most connections using common SSL/TLS, as well as OpenSSL, which was previously exploited by the ‘Heartbleed’ exploit. TLS (Transport Layer Security) is an asymmetric encryption protocol that protects data for online communications, like email and fax. Unfortunately, companies have been known to use one master key to encrypt everything, and as a result will lose all data if it is compromised.
This is where Forward Secrecy comes into play, making the company much more secure. It does this by generating a unique session key for every user session, so that any compromise is confined to the session it affected, and no other data is exposed.
Every session creates a new, unique key. At the end of every session, the key simply disappears, and new ones are generated in the future. The result is that there is no single master key that could allow access to all data. With Forward Secrecy, if a session is compromised, then only THAT session is compromised. This prevents any communication or data recorded in the past from being intercepted in the event a long-term secret key or password is compromised.
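To make the two designs concrete, here is an added Python example (not code from the original guide, and not any VPN provider's implementation). It compares a master-key design, where every session key is derived from one long-lived key, with an ephemeral Diffie-Hellman design, where the long-term key only authenticates the exchange and a fresh secret is generated and then discarded for every session. Someone who later obtains the long-lived key and has recorded the traffic can recompute every past session key in the first design; in the second, the recorded handshake plus the long-term key only lets them confirm the handshake was genuine. The Diffie-Hellman group parameters, the nonces and the keys are constructed for the demo (real protocols use standardized groups or curves), and the key-derivation step is simplified to a single SHA-256.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, constructed for illustration only: p is the Mersenne
# prime 2^127 - 1, far too small for real use. Real handshakes use standardized
# groups (e.g. RFC 7919 ffdhe2048) or elliptic curves (e.g. X25519).
P = 2 ** 127 - 1
G = 5
INT_BYTES = 16  # enough to hold any value below 2^128


def derive_session_key(shared_secret: int, transcript: bytes) -> bytes:
    """Simplified key derivation: SHA-256 over the shared secret and the transcript."""
    return hashlib.sha256(shared_secret.to_bytes(INT_BYTES, "big") + transcript).digest()


# --- Design 1: one long-lived master key, per-session keys derived from it ---
def master_key_session(master_key: bytes, nonce: bytes) -> bytes:
    """Session key = HMAC(master_key, nonce). The nonce travels in the clear."""
    return hmac.new(master_key, nonce, hashlib.sha256).digest()


def attacker_recovers_master_sessions(leaked_master_key: bytes, recorded_nonces: list) -> list:
    """With the master key and the recorded nonces, every past session key falls out."""
    return [master_key_session(leaked_master_key, n) for n in recorded_nonces]


# --- Design 2: ephemeral Diffie-Hellman, long-term key only authenticates ---
def ephemeral_keypair():
    private = secrets.randbelow(P - 2) + 1
    return private, pow(G, private, P)


def forward_secret_session(server_longterm_key: bytes) -> dict:
    """One handshake: both sides make a fresh keypair, exchange public values,
    the server authenticates the transcript with its long-term key, both derive
    the same session key, and the ephemeral private values are thrown away."""
    client_priv, client_pub = ephemeral_keypair()
    server_priv, server_pub = ephemeral_keypair()
    transcript = client_pub.to_bytes(INT_BYTES, "big") + server_pub.to_bytes(INT_BYTES, "big")
    tag = hmac.new(server_longterm_key, transcript, hashlib.sha256).digest()

    client_key = derive_session_key(pow(server_pub, client_priv, P), transcript)
    server_key = derive_session_key(pow(client_pub, server_priv, P), transcript)
    assert client_key == server_key  # Diffie-Hellman agreement
    del client_priv, server_priv  # nothing long-lived can regenerate these

    # What a passive observer records: the public values and the tag, never the key.
    return {"on_the_wire": (transcript, tag), "session_key": client_key}


def attacker_with_longterm_key(leaked_longterm_key: bytes, on_the_wire: tuple) -> dict:
    """Given the leaked long-term key and a recorded handshake, the observer can
    check that the tag is genuine, but the session key depends on the discarded
    ephemeral private values, which the transcript does not contain."""
    transcript, tag = on_the_wire
    expected = hmac.new(leaked_longterm_key, transcript, hashlib.sha256).digest()
    return {"tag_valid": hmac.compare_digest(expected, tag), "session_key": None}


def compare_designs(sessions: int = 3) -> dict:
    """Run both designs for a few sessions and report what a later key leak exposes."""
    master_key = secrets.token_bytes(32)    # constructed long-lived master key
    longterm_key = secrets.token_bytes(32)  # constructed long-term authentication key

    nonces = [secrets.token_bytes(16) for _ in range(sessions)]
    master_keys = [master_key_session(master_key, n) for n in nonces]
    recovered = attacker_recovers_master_sessions(master_key, nonces)

    fs_sessions = [forward_secret_session(longterm_key) for _ in range(sessions)]
    fs_keys = [s["session_key"] for s in fs_sessions]
    fs_attacks = [attacker_with_longterm_key(longterm_key, s["on_the_wire"]) for s in fs_sessions]

    return {
        "master_design_all_sessions_exposed": recovered == master_keys,
        "fs_keys_unique": len(set(fs_keys)) == sessions,
        "fs_attacker_verifies_tags": all(a["tag_valid"] for a in fs_attacks),
        "fs_attacker_recovers_keys": any(a["session_key"] in fs_keys for a in fs_attacks),
    }


if __name__ == "__main__":
    print(compare_designs())
```

The point of the comparison is the last two flags: with the long-term key in hand, the recorded handshake still verifies, but it yields no session key, because the values that would be needed were never written anywhere and were deleted when the session ended. That is exactly the property the text describes, and it is why a TLS configuration that offers only ephemeral (DHE or ECDHE) key exchange is preferable to one where the server's RSA key also encrypts the session secret.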
VPN Encryption Protocols
A VPN protocol refers to the technologies and services VPN providers use to ensure you get a secure and fast connection to and from the VPN servers. A VPN protocol is a combination of encryption standards and transmission protocols.