VPN services have become the preferred security solution for millions of people around the world. One of the main reasons for that is that they use encryption to protect users’ data as it passes between the computer and a VPN server. We will take a closer look at encryption and the way it is applied to VPN encryption. The main thing we will focus on is the variety of encryption terms that are used by VPN services, which can be confusing at times. This guide aims to help to simplify these terms and make them easier to understand. This in turn will allow you to know what to look for in a VPN and how to choose the right VPN service for your needs.
Understanding encryption
We should start by defining encryption. We could say that it works like a door lock that can only be opened using the right key. Without the right key, it won’t be possible to open the door, at least not without breaking the lock. Some locks are more difficult to break than others and the same can be said about encryption. To understand encryption, we can also think about secret messages that are created using a pattern that only those communicating know. If other people find out what is the pattern used, they could decipher the messages. Creating a formula to exchange secret messages works in the same way as encrypting the message based on a simple mathematical algorithm known as cipher.
In order to decrypt a cipher, a key is required and this is a parameter that establishes the final output of the cipher. Without it, you won’t be able to decrypt the cipher. To be able to read a message that is protected with encryption, it would be necessary to crack the cipher. This is an easy task when the encryption uses a simple letter substitution. However, if the mathematical algorithm is made more complex, it is possible to make the cipher more secure. The cipher could be made more difficult to break by replacing every third letter of the message with a number related to the letter.
Encryption Key Length
Nowadays, computer ciphers are highly complex algorithms. It is not possible to crack them, even if you use supercomputers for this purpose. The easiest way to measure how strong a cipher really is, is taking into consideration the complexity of the algorithm that was used to create it. A highly complex algorithm features a cipher that is more difficult to crack through a brute force attack. This is a crude method to try to crack encryption and it is also called an exhaustive key search. This type of attack involves an attempt at every combination of numbers that you can think of, until you find the right one. Computers perform all calculations using binary numbers: zeros and ones. The complexity of a cipher is dictated by the key size in bits, which is the basic number of ones and zeros that are required to express its algorithm in which each zero or one is represented by just one bit.
This is called the key length and it can also dictates how likely it would be to successfully perform a brute force attack on any cipher. The amount of combinations that you can think of, as well as how difficult it is to attack them via brute force, increases significantly with key size. Just think about this: the fastest supercomputer known at this time is the Sunway TaihuLight, a Chinese machine that can reach speeds of up to 93.02 petaflops. Even this powerful computer, would requite quadrillion years to be able to successfully crack a 128-bit AES key using brute force.
Computer Ciphers
Encryption key length is focused on the amount of raw numbers that are involved, but ciphers are the mathematical formulas or algorithms that are used to implement the encryption. Attacking modern computer ciphers using brute force is not exactly convenient, but there are vulnerabilities in these cipher algorithms that could result in the encryption being eventually cracked. This is because the output of the cipher that is not well designed could expose some structure from the original information, prior to the encryption. What this does is to set up a reduced set of possible combinations to try, which can reduce the effective key length.
Cryptoanalysis focuses on studying the vulnerabilities in cryptographic algorithms. Longer key lengths make up for these vulnerabilities and they rise the number of possible outcomes. The attacker can target the key itself, instead of the cipher, which can impact a specific site or some software solutions. However, the security of the cipher algorithm remains intact and other systems that use the same algorithm, but that have secure generation keys, are not affected by the attack.
Cipher Key Length
The strength of a cipher key length is based on both mathematics of the cipher itself, and the key length is represented in bits. This is why ciphers are generally described along with the key length that is in place. AES-256 (the AES cipher with a 256-bit key lenght) is generally considered as a stronger option than AEs-128. This doesn’t mean that that is always the case since the mathematics involved are very complex. It is not possible to use only the key length as an indicator of a cipher’s strength. The combination of key length and cipher is what counts.
Key Size
High key lengths require more calculation, as well as more processing power, which has an impact in the speed at which the data can be encrypted and decrypted. While selecting encryption solutions, VPN services and similar protection solutions, have to find a balance between security and performance. After all, what good is to have the strongest level of encryption if it is not possible to really use the service. Most VPN providers use Blowfish and AES. Furthermore, to encrypt and decrypt a cipher’s keys, RSA is used, while SHA-1 or SHA-2 is used as the hash function for data authentication purposes.
Perfect Forward Secrecy
Perfect Forward Secrecy or PFS is also known as FS, which stands for Forward Secrecy and it involves using ephemeral encryption keys. The majority of secure online communications available nowadays use SSL/TLS. PFS is used by HTTPS sites and OpenVPN protocol. TLS stands for Transport Layer Security and it is an asymmetric encryption protocol. With an asymetric cipher, the data is protected with a public key that is available to any person. However, it is only possible to decrypt it by an intended recipient that holds the right private key. This private key has to be kept secret and if it is stolen or compromised, the attacker will be able to intercept the data and read it.
Many servers or companies use only one private encryption key to protect communications because it is easy. The problem is that if that key is cracked, an attacker will be able to access all the data that is encrypted with that key. This is why the private encryption key is a master key that can be used to unlock all the data within a server or organization.The NSA has taken advantage of this vulnerability to collect data at a massive scale. To address this issue, Perfect Forward Secrecy is used. PFS is a system in which a new and unique private encryption key is created for every session. It works in a simple way, although the Diffie-Hellman exchange maths is complex. Every TLS session features its own set of keys, which is why they are known as ephemeral keys because they are used only once and then they disappear. In this scenario, there is no master key that can be cracked. Although a session is compromised, only that session is at risk. All the other sessions established with a server or company remain safe. While it is not common, you can refresh PFS keys within a session on an hourly basis, for example. This places a limit to the amount of data that can be intercepted by an attacker, even if a private key has been cracked. Currently, ephemeral keys are widely used.
L2TP/IPsec
This protocol is generally considered as a secure solution and one of its main advantages is that it is easy to set up. In addition, it is compatible with all major platforms and it offers fast performance. However, it is possible that it is compromised by the NSA, although this has not been confirmed. Another problem is that it may not be effective when it comes to bypassing restrictive walls. L2TP stands for Layer 2 Tunneling Protocol and it is included in pretty much all platforms currently available. As a stand alone solution, L2TP doesn’t offer any encryption, which is why it is generally implemented with the IPsec, L2TP/IPsec.
3DES or AES ciphers can be used by L2TP/IPsec. The first one is more likely to be affected by Man in the Middle and Sweet32 collision attacks, which is why it is not common nowadays. There may be issues due to the fact that the L2TP/IPSec protocol only uses a limited amount of ports. This can lead to complications when it is used behind NAT firewalls and the reliance on fixed ports could also make the protocol easier to block. L2TP/IPsec offers double protection for the data, which affects speed. However, multi-threading is supported and this allows L2TP/IPsec to be faster than OpenVPN in general.
L2TP/IPsec uses the AES cipher which doesn’t have known weaknesses and if it is implemented correctly, it may remain secure. Unfortunately, according to Edward Snowden’s leaks, it is likely that it has been already cracked by the NSA. It is believed that IPSec was weakened on purpose while it was being designed. Another issue is that many VPNs haven’t implemented L2TP/IPsec in the right way. They use pre-shared PSKs that can be downloaded for free online. They can only be used to authenticate the connection, so even if it has been cracked, the data remains securely protected with AES. An attacker would be able to use the pre-shared key to pass as the VPN server, which would allow them to access encrypted traffic. While L2TP/IPsec offers some advantages, the fact that it is a proprietary Microsoft standard raises concerns about its reliability as a solution to protect privacy because it is likely that Microsoft cooperates with the NSA.
SSTP
SSTP stands for Secure Socket Tunneling Protocol and it was first implemented in Windows Vista SP1. This is a type of encryption that relies on SSL 3.0 and as such, it provides almost the same advantages as OpenVPN, including the possibility to use TCP port 443 to get around censorship. It is strongly integrated with Windows and it is easier to use and more stable than other protocols, at least in that platform. The downside is that it is also a proprietary standard from Microsoft, meaning that its code is not open to public audit. It should also be noted that SSL v3.0 can be affected by POODLE attack, which is why it is no longer recommended. It has not been confirmed if this issue affects SSTP, but it makes it difficult to see SSTP as a highly reliable choice.
IKEv2
IKEv2 or Internet Key Exchange version 2 (IKEv2) was developed by Microsoft and Cisco. It is supported in iOS, Windows 7 and above, as well as Blackberry, which is rare. IKEv2 is known for its speed and stability, particularly when you change the network or reconnect after losing your internet connection. It is a secure solution when AES is used and it can be set up without major hassle. The protocol is supported on Blackberry devices, but it doesn’t work on all platforms. There are independently developed versions of IKEv2 that are compatible with IKEv2 and they have been developed for Linux and other platforms. Many of these versions are open source, meaning that their code can be inspected independently.
IKEv2 is a tunneling protocol that only turns into a VPN protocol when it is combined with an authentication suite like IPSec. The best thing about IKEv2 is that it works really well when you need to reconnect after losing your online connection. IKEv2 supports MOBIKE, which is a Mobility and Multihoming protocol and it is also very resistant to changing networks, which makes it a great solution for cell phone users who need to switch between WiFi and mobile data connections on a regular basis, o use different WiFi hotspots.
OpenVPN
OpenVPN is an open source protocol that relies on OpenSSL library and TLS, as well as other technologies. It is widely regarded as a highly secure solution and it has become the industry standard. One of the best thing of OpenVPN is that it can be configured without major hassle, even when it is not natively supported by any of them. You can get OpenVPN clients from commercial VPN services, but the main open source is developed by the OpenVPN project. OpenVPN offers its best performance on a UDP port, but it is possible to set it up on any port, including TCP port 443, which is used by standard HTTPS traffic. When OpenVPN runs over TCP port 443 it is very difficult to differentiate VPN connections from the high protection used by email services, online retailers and banks.
OpenVPN uses the OpenSSL library to provide encryption and while it supports many ciphers, in reality only Blowfish and AES are used by a commercial VPN services. It is believed that with PFS implemented, OpenVPN is strong and it has not been cracked by the NSA. OpenVN was recently audited following a campaign sponsored by Private Internet Access, one of the most popular providers in the VPN industry. There were no significant weaknesses found. OpenVPN is still seen as a highly secure VPN protocol and it is widely offered by VPN providers.
OpenVPN Encryption
Data channel encryption and control channel encryption are the main two parts of OpenVPN encryption. The first one is used to protect data with security and the second one is in charge of protecting the connection between your computer and the VPN server. Some VPN providers only use a truly strong level of encryption on one channel, usually on the control channel. You may come across a VPN service that is advertised as an AES-256 cipher with RSA-4096 handshake encryption and SHA-512 hash authentication. While this seems very good, you need to keep in mind that this only refers to the control channel and not the data channel. The latter is encrypted with plain Blowfish-128 with SHA1 hash authentication.
To provide the highest level of security, both the data control and the control channel encryption need to have the strongest level of encryption. The issue is with strong encryption, the speed of the connection is impacted. This is why some providers use lower encryption for the data channel. TLS encryption is also used to describe the Control Channel encryption since TLS is the technology that is used to establish the connection between your computer and the VPN server. This is the same technology that is used by your browser to establish a secure connection to an HTTPS-encrypted website. Control channel encryption involved a cipher, handshake encryption and hash authentication. Data channel encryption uses a cipher and hash authentication. VPN providers generally use the same level of encryption for control and data channels.
Ciphers
OpenVPN is able to use multiple symmetric-key ciphers in order to keep data protected on the control and data channel as well. However, commercial VPNs mainly support AES and Blowfish and in some cases, Camelia, so we will focus on these.
Blowfish
By default, OpenVPN uses Blowfish-128 with key sizes that range from 32 bits to 448 bits. However, Blowfish-128 is the only version that you may come across with in reality. Blowfish is usually considered as a solution that provides good security for standard use, but it has some vulnerabilities. While it is a good enough option to secure regular data, it is not the best choice for top security. It can be used on the OpenVPN data channel, but not on the control channel.
AES
AES is the standard across the VPN industry, it has received NIST certification and it is generally considered as a secure cipher. The government uses AES-256 to protect its data, which shows how strong this cipher is. Since it has a 128-bi block instead of a 64-bit block size like Blowfish, means that the AES instruction set advantages from built-in hardware acceleration on the majority of platforms. AES is generally available in 128-bit and 256-bit key sizes, but there is also 192-bit AES. Although 128-AES is still considered as secure, many experts believe that 256-bit provides stronger protection. However, there is a debate in the issue as some people claim that AES-256 is actually stronger.
Camellia
Camellia is not as popular as AES and Blowfish, but it is another option available. It is considered as a solution that provides as much security and speed as AES and it is available in 128, 256 and 192 bits. However, it hasn’t become as widely used as AES given that the later has NIST certification and it is the cipher that the US government relies on.
Handshake encryption
To be able to securely establish a connection between your device and a VPN server, OpenVPN uses a TLS handshake that allows the OpenVPN client and VPN server to set up the secret keys used for communication. In order to protect the handshake, TLS generally uses the RSA public-key cryptosystem, which is an encryption and digital signature algorithm that is used to identify TLS/SSL certificates. It is also possible that it uses a Diffie-Hellman or ECDH key exchange.
RSA
This is an asymmetric encryption system, which is a public key that is used to keep data encrypted. However, a different private key is used for decryption. RSA has been the base for online security in the last decades. RSA with a key length of 1024-bits (RSA-1024) or less is not a secure solution and it is likely that it has been compromised by the NSA. This is why it is generally recommended that RSA-1024 is avoided. The problem is that some VPN services still use it to secure handshakes. On the other hand, RSA-2048 and above is considered as secure and its own, RSA can’t provide Perfect Forward Secrecy or PFS. But it is possible to implement it by adding a Diffie-Hellman (DH) or Elliptic curve Diffie-Hellman (ECDH) key exchange in the cipher suite. The main element of security in this case is RSA and the strengths of the keys is not relevant.
Diffie-Hellman and ECDH
Sometimes, OpenVPN uses Diffie-Hellman cryptographic key exchange. It usually has a key length of 2048-bits or 4096-bits. Less than that is considered as not secure and should not be used. Diffie-Hellman handshake stands out due to the fact that it provides Perfect Forward Secrecy natively. However, adding a DH key exchange to an RSA handshake provides a similar result. One thing to note is that Diffie-Hellman has been controversial for reusing a limited set of prime numbers, which makes it more open to be compromised by a skillful attacker. This is why Diffie-Hellman on its own is not the most secure handshake encryption. Still it works well when it is used as part of an RSA cipher suite.
Elliptic curve Diffie-Hellman (ECDH) is a more recent method of cryptography that is not likely to be compromised. This is due to the fact that it uses properties of a specific type of algebraic curve, rather than large prime numbers to encrypt connections. It is possible to use ECDH as part of an RSA handshake to offer Perfect Forward Secrecy or to securely encrypt a handshake on its own with an ECDSA signature, which also provides Perfect Forward Secrecy. The starting point for ECDH key length is 384-bits, which is considered as secure, but if it is used on its own to secure TLS handshake, it is better to use a longer one.
SHA Hash Authentication
Secure Hash Algorithm is also known as data authentication or hash message authentication code (HMAC). It is a cryptographic hash function that is used to authenticate data and SSL/TLS connections, including OpenVPN connections. It established a unique fingerprint of a valid TLS certificate that can be verified by any OpenVPN client. Even the smallest change can be detected and if the certificate is modified, the connection will be rejected. This allows users to prevent a Man-in-the-middle attack in which an attacker tries to divert your OpenVPN connection to one of its own servers, rather than the server of your VPN service. If an attacker is able to crack the hash of your VPN’s true TLS certificate, it can reverse the hash to establish a fake certificate and then your OPenVPN client would authenticate the connection as a genuine one.
Can you trust SHA?
SHA-1 is broken when it is used to secure HTTPS websites and while this has been known for quite a while, it is still possible to find SHA-1 websites, although they are les common these days. The majority of browsers now warn users when they try to connect to a website that uses SHA-1. Now we have SHA-2 and SHA-3 and they are secure, but OpenVPN only uses SHA for HMAC. Launching a successful attack on HMAC with SHA-1 built-in is more difficult than trying to target the SHA-1 hash function on its own. This means that HMAC SHA-1 used by OpenVPN is considered as a secure solution, but HMAC SHA-2 and HMAC SHA-3 are even better.
Additional information
NIST
AES, RSA, SHA-1 and SHA-2 were created and/or certified by NIST, the United States National Institute of Standards and Technology. This organization works in collaboration with the NSA in the process of developing its ciphers. Considering the NSA’s work to weaken or implement backdoors into international encryption standards, the integrity of NIST algorithms is in doubt. Although NIST denies weakening cryptographic standards, there have been reports that insist that the NSA can get around NIST-approved encryption by implementing backdoors or modifying the public development process to make the algorithms vulnerable to attacks. RSA security advised customers to avoid using a NIST-approved encryption algorithm that is believed to feature a weakness created by the NSA. In addition, an encryption standard engineered by the NSA known as Dual_EC_DRBG (Dual Elliptic Curve Deterministic Random Bit Generator) is now considered as insecure as it can be easily attacked and there is a suspected backdoor in the algorithm. The problem is that NIST is a leading name in the industry an many large companies include its algorithm in the cryptographic libraries of their products. This is due to the fact that in order to obtain US government contracts, companies are required to meet NIST standards. This is why NIST-certified standards are available all over the world in many areas. Since so much depends on these standards, it is unlikely that the issue with them is addressed any time soon.
AES-CBC vs AES-GCM
Up until a while ago, you would only come across AES_CBC (Cipher Block Chaining) in the VPN industry. While in theory, CBC comes with some weaknesses, it is generally considered as secure. In fact, it is recommended in the VPN manual. OpenVPN also supports AES-GCM Galios/Counter Mode. GCM offers authentication, eliminating the need for a HMAC SHA hashing function. It is also a bit faster than CBC since it uses hardware acceleration. AES-CBC still is the most used mode, but AES-GCM is becoming more and more popular. Both AES-CBC and AES-GCM are both secure.
OpenVPN UDP vs OpenVPN TCP
UDP (User Datagram Protocol) and TCP (Transmission Control Protocol) are the protocols that OpenVPN can run over. The main advantage of UDP is that it is fast, but the problem with it is that data packets are just sent without verifying that they arrive to their destination correctly. TCP is slower but more reliable because it waits for confirmation to make sure that the data packet has arrived to its destination, before a new packet is sent. If there is no confirmation received, the packet is sent again. With TCP, data delivery is guaranteed, although it is significantly slower than UDP.
Defeat Censorship using OpenVPN on TCP Port 443
One of the best things about OpenVPN is the fact that it is possible to run it over any port, including TCP port 443, which is the port used by HTTPS, the encrypted protocol that protects all secure websites. HTTPS is needed for online shopping and banking, which is why it is unlikely that this port is blocked. In addition, it is possible to route VPN traffic on TCP port 443 in the same way as it is used by HTTPS. This means that it is way more difficult to find using advanced Deep Packet Inspection methods. As a result, TCP port 443 is the favorite port for getting around VPN blocks.
You will find that many VPN providers offer the possibility to change the port number used by OpenVPN with their custom software. If you are unsure if your VPN provider supports this option, we advise you to contact them. It is worth noting that by default SSTP uses TCP port.
Summary
VPN protocols
PPTP – While it is easy to set up and it is available in all platforms, it is not secure so it is advisable that you only use it as a last resource.
L2TP/IPsec – It is safer than PPTP and it also offers good compatibility. If OpenVPN is not available and you only need it for general browsing, it is a good option. However, it has been already cracked by the NSA.
SSTP – It is mainly a Windows protocol, but it offers the same advantages as OpenVPN. The fact that it is a proprietary protocol developed by Microsoft, raises some concerns about its integrity.
IKEv2 – This is secure and efficient protocol that is ideal for mobile users. The fact that it can reconnect easily when your internet connection drops means that it is a good option for mobile users as they are likely to change networks quite often. It supports Blackberry and there are open source versions available.
OpenVPN – This is the VPN protocol that is recommended in most cases due to the fact that it is fast, secure, reliable and open source. As long as it is implemented correctly (using PFS), it is secure.
OpenVPN Encryption – Keep in mind that while some providers may say that they use powerful AES-256, this is not enough to ensure that the protection is strong. All the other aspects of the encryption should be strong in order to keep your data secure.
Cipher – This is what protects your actual data and AES-256 has become the standard in the industry.
Handshake – Your connection to the VPN server is secured by handshake. The secure options are RSA-2048+ or ECDH-384+ are secure. Keep in mind that while RSA-1024 and Diffie-Hellman handshakes are common, they are not secure.
Hash authentication – This creates a unique fingerprint that is used to confirm data and TLS certificates, to verify that the server you are connecting to, is really the one you believe you are connecting to. HMAC SHA-1 is secure enough, but HMAC SHA-2 and above are better.
Perfect Forward Secrecy or PFS – This makes sure that new encryption keys are generated for every session. Without PFS, OpenVPN is not really secure. It is important that the encryption settings are secured strongly on the data and control channels. Higher bit lengths for ciphers and keys provide more security, but make the connection slower. OpenVPN will negotiate ciphers between the client and server as it sees suitable, unless there are specific parameters established.
Conclusion
This guide gives you the elements needed to understand better how encryption works and what you need to consider when it comes to choosing the best protection for your data. Apart from paying attention to encryption, you need to make sure that you always use a VPN when you are connected to the internet and handle personal data.
