Perhaps the most important feature of a Virtual Private Network (VPN) is its ability to encrypt the data sent between your computer and the VPN provider's servers.
A VPN's encryption protects your personal and business data while it travels across networks you don't control, keeping your online activities hidden from anyone sitting between you and the provider, such as your ISP or the operator of a coffee-shop Wi-Fi hotspot. Note the limit, though: the provider's server decrypts that traffic before sending it on to the internet, so a VPN moves your trust from your ISP to your VPN provider rather than removing the need for trust.
In this article, I'll offer a detailed look at encryption. I'll cover what encryption is, how it works, and how the best VPN providers use it to keep their customers' IP addresses and data safe from exposure.
By the end of this article, you'll know more about encryption than you ever dreamed you would, and you will be better prepared to sift through the promotional claims of VPN providers.
What Is Encryption?
Encryption is the process of converting plaintext (readable information) into ciphertext (unreadable information).
Decryption is the process of turning that ciphertext back into plaintext so that it's intelligible again.
Remember how you and your friends used a "secret code" to send notes in grade school? Modern encryption is similar in spirit, only it's vastly harder to break than "A = 1, B = 2," etc., ever was.
Modern encryption uses a secret key to "scramble" a user's data so that it's unreadable by anyone who does not possess the key, preventing outsiders from reading your personal info.
To encrypt plaintext or decrypt ciphertext, two things are needed: a cipher, which is the algorithm (the fixed series of steps) applied to the data, and a key, the secret input that controls what that algorithm produces. The cipher itself is public and well studied; all of the secrecy rests on the key.
Banks, credit card processors, merchants and others use encryption to protect sensitive information, such as credit card numbers and order details, from the prying eyes of outsiders.
However, for the purposes of this article, we will concentrate on the encryption that VPN providers use to protect their users' information, such as their web traffic, downloaded files and accessed services, from those who would love to get a peek at their personal goings-on.
A VPN routes your internet connection through an encrypted "tunnel" to the provider's server. Anyone watching the connection between you and that server, such as your Internet Service Provider, a network operator or an attacker on the same Wi-Fi, sees only encrypted packets addressed to the VPN server, not the sites you visit or the data you exchange with them. Sites on the far side see the VPN server's IP address instead of yours.
The tunnel of encryption is aptly named, as it works much like a subway or highway tunnel works.
For example, while you may know that a subway is beneath your feet, you don't know how many trains are passing through the tunnel, how many cars each has, how many passengers are riding them, where they've been or where they're going.
A VPN connection works as a virtual "tunnel," protecting your online travels from any outsiders and preventing them from knowing what you're up to.
How Encryption Works
Earlier in this article, I offered a simple explanation of how encryption works.
Of course, the modern encryption used to protect data in the 21st century doesn't work quite as simply as that, but the process is similar.
When the encryption you use is as simple as an alphabetic or numeric substitution (such as the one you used in grade school), it's easy to decrypt: there are only 25 possible shifts to try, and letter frequencies give the rest away.
Modern encryption is based on sophisticated mathematical algorithms that make encryption and decryption much more complicated.
There are two main families of encryption algorithms in use today: symmetric and asymmetric.
Symmetric Key Algorithms (Secret Keys)
- Pro: Fast
- Con: Both parties must already share the key, so it has to be distributed securely first
A symmetric key algorithm uses the same key for both the encryption of the plaintext and the decryption of the resulting ciphertext.
The two parties sharing the information need to agree on a specific key to use to encrypt and decrypt data. This keeps things simple, as the involved parties only need to exchange the key once.
Symmetric keys (also called secret keys; they are sometimes loosely called "private keys," but that term properly belongs to asymmetric cryptography) are typically used as session keys, where a fresh key is generated for each connection and thrown away afterwards. Payment systems such as Apple Pay and Android Pay take the same approach one step further, generating a one-time cryptogram for each transaction rather than transmitting a static card number.
Symmetric key algorithms are faster than asymmetric ones, as the operations involved are simple and there's only one key. However, that single key is also the weak point: any outsider who obtains it can decrypt all of the information that the parties send and receive under it.
Interception is entirely possible if the users agree on the key ahead of time over an unprotected channel, such as a phone call, email or text message, all of which are insecure in their own way. This key distribution problem is exactly what asymmetric cryptography, covered next, solves.
The process is also a pain in the butt for users who need to share data with multiple parties. This is due to the requirement for a unique key to be used with each party: a group of n people needs n(n-1)/2 keys for everyone to talk privately. Sure, you could use the same key for all users, but then everyone could decrypt everyone else's data.
Asymmetric Key Algorithms (Public Keys)
- Pro: No secret needs to be shared in advance; the public key can be published openly
- Con: Slow
An asymmetric key algorithm uses different keys for the encryption of plaintext and the decryption of the resulting ciphertext. The process makes use of both a public and a private key, generated together as a mathematically linked pair.
The public key is used to encrypt the data, and the private key is used to decrypt the data. Only the intended recipient of the data knows the private key, which never needs to leave the device that created it. Any message encrypted using a public key can only be decrypted by using the corresponding private key.
I'll use Apple's iMessage service to explain how asymmetric encryption works.
You have a family reunion coming up, and you want to make Grandma's Double-Chocolate Coca-Cola Cake, but you don't have the recipe. So, you pick up your iPad and send a message to your mom's iPhone.
When you and your Mom were setting up your iPad, you turned on iMessage. This is an end-to-end encrypted messaging service that acts like an SMS messaging service, but protects your messages from, say it with me, prying eyes.
On your iPad, the iMessage app created a key pair: a private key, kept on the iPad, to decrypt data you receive, and a matching public key.
On your mom's iPhone, the iMessage app created a (different) key pair, with the private key kept on her iPhone to decrypt data she receives.
In both cases, the private key is unique to that particular device: one private key for your iPad, and one private key for your mom's iPhone.
Each device uploads only its public key to Apple's directory servers, which act as a phone book that hands out public keys on request. (This is the part you have to trust: whoever controls those servers decides which public key you get, and a substituted key would let its owner read your messages.)
When you send your message to Mom, your device retrieves your mother's public key from Apple's servers and uses her public key to encrypt your outgoing message, before it even leaves your iPad.
Once you hit send, Apple's servers forward the encrypted message on to your mother's iPhone, where her private key decrypts your message. Apple's servers only ever see ciphertext.
When your mom replies, the process is performed again, but in reverse. This time, your mother's message to you is encrypted using your public key (retrieved from Apple's servers), and the message is then decrypted on your iPad using your private key.
This is what lets asymmetric cryptography solve the key distribution problem: no secret ever has to travel between the parties, so there is nothing for an eavesdropper to intercept. Note that "more secure" here means "no shared secret to protect"; a well-implemented symmetric cipher with a properly exchanged key is not weaker, which is why the two are almost always used together.
However, because the asymmetric cryptography process is mathematically more complex than symmetric cryptography, adding to the computing overhead, the encryption/decryption process takes far longer per byte, so nobody encrypts bulk data with it.
VPNs, like HTTPS, use asymmetric cryptography only during the connection handshake, to verify that you are talking to the real server and to agree on symmetric session keys; the rest of the session is protected by a fast symmetric cipher such as AES. The slower speeds you usually notice on a VPN come from the extra hop through the provider's server and the per-packet encryption and encapsulation, not from the asymmetric handshake, which happens once per connection.
Encryption Key Lengths
The strength of a cipher against brute-force attack depends upon the encryption key's bit size. Generally, the longer a key is, the more work an attacker must do to guess it.
Basically, the longer the key length, the more possible values the key could have, making it more difficult for a brute force attempt to come up with the correct value for the key.
The bit size of a key refers to the number of binary digits (ones and zeros) used to express the key itself, not the algorithm. This is known as the key length. The two terms are interchangeable, although "key length" is the more popular term.
The table below displays how the number of possible keys increases exponentially as the key size increases (each added bit doubles it):

Key Size | Possible Key Permutations
--- | ---
1-bit | 2
2-bit | 4
8-bit | 256
16-bit | 65,536
64-bit | 1.84 x 10^19
128-bit | 3.40 x 10^38
192-bit | 6.28 x 10^57
256-bit | 1.16 x 10^77

1-bit is a single binary digit, offering two permutations, either on (1) or off (0); 2-bit offers two binary digits (00, 01, 10, 11), offering four permutations, and so on. In the table above, key sizes below 128-bit are included only for demonstration purposes. Anything much shorter is within reach of a determined attacker: the 56-bit DES key was brute-forced with purpose-built hardware in 1998, and 64-bit keys are feasible for a well-funded adversary today.
As the key size increases, the number of possible keys increases, and with it the cost of a brute force attack on the key.
A brute force attack is when an attacker runs through all possible permutations of passwords or keys until they find the correct one. Against a 128-bit or longer key, even supercomputers would need far longer than the age of the universe.
The Sunway TaihuLight, one of the fastest supercomputers in the world at the time of writing, is rated at 93 petaflops (93 quadrillion floating-point operations per second), making it millions of times faster than a personal computer.
ScramBox calculated that, even if every one of those operations were a key guess, it would take the Sunway TaihuLight 27,337,893 trillion trillion trillion trillion (that's right, 4 trillions) years to exhaust an AES 256-bit key space. AES is one of the strongest modern encryption ciphers, and I'll discuss it in the next section.
And that's one of the fastest supercomputers in the world. For one high-performance PC to crack AES-256, it would take 27 trillion trillion trillion trillion trillion years.
May I remind you that the universe is only about 13.8 billion years old? Even the Answer to Life, the Universe and Everything wouldn't take that long to calculate.
Suffice it to say that a hacker would be waiting a long, long time to brute-force your bank's session keys, and no one has time for that. Brute force is simply not how modern encryption gets broken; as we'll see, attackers go after the implementation, the key management or the protocol around the cipher instead.
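To make the table concrete, here is an added worked example (my code, not from the article) that computes the key-space figures above and the brute-force time at a given guessing rate, then actually brute-forces a deliberately tiny 16-bit key so you can watch the search succeed. The toy cipher is a stand-in built from HMAC-SHA256 so that it runs on Python's standard library; it is not AES and not something to use for real data, and the 16-bit key size and the sample message are choices made for the demonstration.

```python
"""Added example: how key length drives brute-force cost.

Not from the original article.  The "cipher" here is a deliberately tiny
stand-in (a keystream from HMAC-SHA256 under a 16-bit key) so that an
exhaustive search finishes in seconds; the arithmetic helpers apply to any
key length.
"""
import hashlib
import hmac
import secrets
from typing import Optional

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(bits: int) -> int:
    """Number of distinct keys of the given length: 2**bits."""
    return 1 << bits


def brute_force_years(bits: int, keys_per_second: float) -> float:
    """Worst-case years to try every key at a fixed guessing rate.

    On average an attacker needs half the keyspace, but the worst case is
    what a defender budgets for.
    """
    return keyspace(bits) / keys_per_second / SECONDS_PER_YEAR


# --- a toy cipher whose key is small enough to brute-force -------------------
KEY_BITS = 16  # assumption for the demo; real ciphers use 128 bits or more


def toy_encrypt(key: int, plaintext: bytes) -> bytes:
    """XOR the plaintext with a keystream derived from the key.

    HMAC-SHA256 in counter mode is used purely as a keystream generator so
    the example needs no third-party library.  This is NOT AES.
    """
    key_bytes = key.to_bytes(4, "big")
    out = bytearray()
    for offset in range(0, len(plaintext), 32):
        block_no = offset // 32
        stream = hmac.new(key_bytes, block_no.to_bytes(4, "big"), hashlib.sha256).digest()
        chunk = plaintext[offset:offset + 32]
        out.extend(a ^ b for a, b in zip(chunk, stream))
    return bytes(out)


def brute_force_toy(ciphertext: bytes, known_plaintext: bytes) -> Optional[int]:
    """Known-plaintext brute force: try every key until one reproduces the
    ciphertext.  Returns the recovered key, or None if no key matches."""
    for candidate in range(keyspace(KEY_BITS)):
        if toy_encrypt(candidate, known_plaintext) == ciphertext:
            return candidate
    return None


def demo() -> dict:
    """Encrypt under a random 16-bit key and recover it by brute force."""
    key = secrets.randbelow(keyspace(KEY_BITS))
    msg = b"Grandma's Double-Chocolate Coca-Cola Cake"   # constructed sample
    ct = toy_encrypt(key, msg)
    return {"key": key, "recovered": brute_force_toy(ct, msg),
            "tries_worst_case": keyspace(KEY_BITS)}


if __name__ == "__main__":
    for bits in (56, 64, 128, 256):
        print(f"{bits:3}-bit key: {keyspace(bits):.2e} keys, "
              f"{brute_force_years(bits, 93e15):.2e} years at 9.3e16 guesses/s")
    print(demo())
```

The 16-bit search completes in well under a second; every additional bit doubles that time, which is the whole point of the table. The same loop against a 128-bit key would still be running long after the Sun has burned out, regardless of how clever the cipher is, which is why attackers look for shortcuts in the implementation instead.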
Encryption Ciphers – What Are They?
As we saw in the previous section, encryption key length is the number of bits that make up the key.
Now, we'll take a look at ciphers, which are the actual algorithms (or series of steps) used to perform encryption. VPN protocols make use of these ciphers to encrypt your data. (I'll be discussing protocols in the next section.)
While brute-forcing a modern cipher is basically useless, there are sometimes weaknesses in a poorly-designed cipher that hackers can exploit to break the associated encryption with far less work than trying every key.
A longer key does not fix such a weakness. Key length only sets the cost of brute force; a design flaw that lets an attacker skip most of the key space makes the nominal key length irrelevant.
So key length alone is not an accurate indicator of a cipher's strength. What matters is a sound, well-analyzed cipher design combined with an adequate key length, used in a secure mode of operation.
In real-world applications, a balance between security and usability must be found, as the longer the key length, the more calculations are required, and in turn, the more processing power is required.
The most popular cipher in use today is AES.
AES
The U.S. National Institute of Standards and Technology (NIST) selected the Rijndael cipher, designed by Joan Daemen and Vincent Rijmen, as the winner of an open, public competition and published it as FIPS 197 in late 2001; the standard took effect in 2002. AES stands for "Advanced Encryption Standard," which is a specification for the encryption of electronic data.
AES is a single block cipher operating on 128-bit blocks of data, offered in 3 variants: AES-128, AES-192 and AES-256. Each one encrypts and decrypts data using keys of 128, 192 and 256 bits, respectively.
As AES is a symmetric cipher, it uses the same key for both the encryption and decryption of data, so both the sending and receiving parties must know and use the same secret key.
The algorithm arranges each 128-bit block as a 4x4 array of bytes and applies a fixed number of rounds to it. Each round substitutes bytes through a lookup table (SubBytes), shifts the rows of the array (ShiftRows), mixes each column (MixColumns) and XORs in a round key derived from the main key (AddRoundKey). The number of rounds is determined by the key length: 10 rounds for 128-bit, 12 for 192-bit and 14 for 256-bit keys.
For a loose analogy, say we're using a simple letter shift cipher of one. A would equal B, then B = C, C = D, D = E, and so on. In the first round, A is set to be equal to B; then in the second round, A ends up being equal to C; the third time around, A equals D; and so on.
So, if you were using AES-128, which performs 10 rounds, then A would equal K.
Of course, each AES round is far more complex than a simple letter shift, and the key changes what every round does, so the final result is nothing like A equalling K. The analogy only shows that the transformation is applied repeatedly.
There has been a significant amount of research into attacking the AES encryption standard since it was established.
However, AES has proven to be a reliable defense. No practical attack on the full cipher is known; the attacks that have succeeded in the real world exploited implementations or surrounding weaknesses instead: timing and cache side channels that leak the key, insecure modes such as ECB, reused nonces, padding oracles and poor key management. (In other words, mistakes in how AES was used, not in AES itself.)
Perfect Forward Secrecy
Perfect Forward Secrecy (PFS), also known as "Forward Secrecy," is a property of a key exchange where a new and unique (or "ephemeral") set of key-agreement values is generated for each session and discarded afterwards, so that the session keys cannot be reconstructed later, even by someone who obtains the server's long-term private key.
TechTerms defines a session as the "limited time of communication between two systems." In simple English, this typically refers to the amount of time between when a user logs into a website, and when they log out or close the browser.
Each session has its own keys, which are used once and never again.
Perfect Forward Secrecy removes the ability of a hacker to exploit a constant "master key," such as the server's long-term RSA private key, to decrypt recorded traffic. Without PFS, an attacker who records encrypted sessions today and steals that key next year can decrypt everything recorded. With PFS, even if one session's keys are compromised, only that single session is exposed, while all other sessions remain safe.
PFS is an excellent method of securing individual sessions, especially for both HTTPS websites and OpenVPN connections. Search giant Google announced in November 2011 that it would be using PFS to secure Gmail sessions, as well as Search, Docs and Google+.
What We've Learned So Far – Encryption
Encryption is the process of an algorithm turning readable plaintext into unreadable ciphertext, and decryption is the process of an algorithm turning that ciphertext back into plaintext.
There are two families of key algorithms: symmetric and asymmetric. Symmetric key algorithms use one shared secret key, making them fast but requiring that key to be distributed securely; asymmetric key algorithms use a public/private key pair, which is slower but removes the need to share a secret in advance. In practice the two are combined: asymmetric for the handshake, symmetric for the data.
Encryption ciphers are the algorithms that transform (encrypt) the data, and the encryption key is the secret input that controls that transformation, so that the same cipher under a different key produces completely different ciphertext. (In AES, the key length also sets the number of rounds.)
Encryption keys are pieces of information that determine the output of a cryptographic algorithm, specifying the transformation of plaintext information into ciphertext. The higher the bit count of the key, the more expensive a brute force attack becomes.
VPN Encryption
In this section, I'll explain how a Virtual Private Network (VPN) uses encryption to protect your online activities and their associated personal and business-related data.
In addition, I'll also share information on the various types of VPN encryption protocols that providers use, explain how they work and explain each protocol's strengths and weaknesses.
VPN software encrypts all of the data that passes from your computer to the provider's VPN servers. This encrypted "tunnel" keeps both your IP address and online travels safe from the eyes of third parties on the path between you and the provider.
What Are Protocols?
A VPN protocol is the mechanism or "set of instructions" (or, to simplify, the method) that creates and maintains an encrypted connection between a user's computer, or other connected device, and the VPN provider's servers.
VPN protocols use an encryption algorithm to keep your data protected from prying eyes.
When using a VPN protocol, a connected device follows the protocol's set of instructions, which tells it how to authenticate the server, agree on keys, and encrypt and decrypt the data being sent and received between it and the VPN server.
Commercial VPN providers use various types of security protocols, and all of them have their strengths and weaknesses. Most VPN protocols specify their own encryption, although this isn't true for all of them, as I'll explain a bit later.
How Do Protocols Work?
Each VPN protocol has its own strengths and weaknesses, as well as unique features.
For example, OpenVPN allows users to connect using either User Datagram Protocol (UDP) or Transmission Control Protocol (TCP), while IKEv2 is particularly good at reconnecting users who lose their internet connections.
However, of the things they comprise, 4 are most important to consider: ciphers, transport layer protocols, handshake encryption and hash-based (SHA) authentication. I'll discuss each of these in the sections below.
After I cover that, I'll then introduce the protocols that are most prevalent in the VPN industry today. These include: OpenVPN, L2TP/IPSec, IKEv2, SSTP and PPTP.
Most protocols are fixed in their configurations, but OpenVPN stands out because it's highly configurable, so I'll be using it as an example in this section.
Ciphers
As I've mentioned previously, protocols use algorithms called "ciphers" to perform encryption and decryption of data. A cipher is a series of steps that are followed to encrypt/decrypt the data.
Popular VPN protocols, such as OpenVPN, have the flexibility to use multiple symmetric key ciphers to secure data on both the control and data channels.
The control channel is the TLS session in which your device and the VPN server authenticate each other and negotiate keys; its encryption is chosen by the TLS cipher suite. The data channel is the tunnel itself, carrying your actual traffic; its cipher is the one set with OpenVPN's "cipher" (or, in newer versions, "data-ciphers") option, and it's the setting providers usually advertise.
The most common ciphers that commercial providers use to secure the data channel are AES, Blowfish and (to a much lesser extent) Camellia.
AES
While I mentioned AES in the previous section, I feel it's important to revisit it in this section of the article, considering its popularity.
AES is arguably the most common symmetric-key cipher in use today, with the U.S. government approving it to protect classified data. AES is considered to be very secure, and it's standardized by the National Institute of Standards and Technology as FIPS 197.
AES is available in 3 different key sizes: AES-128, AES-192 and AES-256. AES-128 and AES-256 are the most used. AES-256 is the strongest of the three options, though AES-128 remains secure as far as experts can tell. What matters more than 128 versus 256 is the mode: an authenticated mode such as AES-GCM both encrypts and detects tampering, whereas AES-CBC needs a separate HMAC for that.
Blowfish
Internationally-renowned security technologist Bruce Schneier designed Blowfish, which for many years was OpenVPN's default data-channel cipher (as BF-CBC with a 128-bit key). The symmetric-key block cipher is unpatented and royalty-free, and requires no license for use.
While Blowfish key sizes can range from 32 to 448 bits, the 128-bit key size is the one users usually make use of to secure data.
Blowfish is adequate for casual use, but it has a structural weakness that no key length fixes: its block size is only 64 bits. After roughly 32 GB of traffic under one key, repeated blocks become likely and the Sweet32 attack can recover plaintext, which is why the OpenVPN project deprecated BF-CBC and now defaults to AES-GCM. (There was also a known bug in some early implementations of the cipher; the reference version does not include it.) Treat a provider that still defaults to Blowfish as a warning sign.
Camellia
While Camellia is a secure, modern cipher, the National Institute of Standards and Technology hasn't adopted it as a U.S. standard, and it hasn't been tested for weaknesses as much as AES has.
Camellia is available in key sizes of 128, 192 and 256 bits. Mitsubishi Electric and NTT jointly developed the cipher to be suitable for both hardware and software implementations.
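Here is what those cipher choices look like in a real profile. This is an added example, not a configuration from the article or from the OpenVPN project: two client-profile fragments for OpenVPN 2.4 or later, the first showing the weak legacy settings discussed above and the second a hardened equivalent. The server name, certificate file names and the tls-crypt key file are placeholders.

```conf
# Added example (not from the article or OpenVPN).  Two separate client
# profiles; the first is what many providers shipped for years.

# ---------- Weak legacy profile ----------
client
dev tun
proto udp
remote vpn.example.com 1194
ca ca.crt
cert client.crt
key client.key
# Blowfish in CBC mode: 64-bit block, Sweet32-exposed after ~32 GB per key
cipher BF-CBC
# HMAC-SHA1 for packet authentication
auth SHA1
# No tls-version-min: TLS 1.0 handshakes are accepted.
# No remote-cert-tls: any client certificate from the same CA could pose as the server.

# ---------- Hardened profile ----------
client
dev tun
proto udp
remote vpn.example.com 1194
ca ca.crt
cert client.crt
key client.key
# Only accept a certificate with the server extended-key-usage, issued for this name
remote-cert-tls server
verify-x509-name vpn.example.com name
# Control channel: TLS 1.2 or newer, ephemeral ECDH suites only (forward secrecy)
tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
# Data channel: authenticated (AEAD) cipher.  On OpenVPN 2.4 write "cipher AES-256-GCM".
data-ciphers AES-256-GCM:AES-128-GCM
# HMAC-SHA256, used for tls-crypt and for any non-AEAD fallback cipher
auth SHA256
# Encrypt and authenticate the control channel with a pre-shared static key
tls-crypt ta.key
```

The two settings most often missing from provider profiles are remote-cert-tls and verify-x509-name: without them, any certificate the provider's CA has ever issued, including another customer's client certificate, is accepted as "the server."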
Transport Layer Protocols: TCP and UDP
Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) are transport layer protocols. Transport layer protocols handle the end-to-end communication services for applications, such as those used on the internet.
TCP
Transmission Control Protocol (TCP) provides reliable and ordered communication at the cost of some speed and overhead.
If TCP is used to send a message, a file or another type of information, the sender can be confident the information will be delivered to the recipient without corruption (errors in the data) and in the proper order, or the connection will report a failure. This is especially important for transferring files and sending messages.
TCP presents data to the application as a continuous "stream," with nothing indicating where each packet begins or ends. Keeping that illusion up takes work: the receiver tracks sequence numbers, acknowledges what it has, buffers whatever arrives early and reassembles everything in order, which is why TCP places a heavier strain on a device than UDP.
If a segment of the stream is lost, the receiver keeps acknowledging the last byte it received in order and the sender retransmits the missing data; segments that merely arrive out of order are held back until the gap is filled. Either way, the application sees nothing until the bytes are in sequence, which adds latency and processing overhead. Running a VPN over TCP also stacks one reliability layer on another (TCP inside TCP), so a single lost packet can trigger retransmissions at both layers.
TCP is used on the World Wide Web for HTTP access (viewing web pages), email, file transfers and other operations.
UDP
User Datagram Protocol (UDP) provides faster, but less reliable, communication.
If UDP is used to send information, the sender cannot be sure that the information will reach the recipient at all, and if it does make it there, it may not be in the correct order. UDP carries a checksum, so a corrupted datagram is detected and discarded, but there is no retransmission: the data is simply gone.
This means that, if you send a series of one-word text messages to your significant other, such as:
"Found a beautiful paradise. It's yours, girl. Chris"
Then it may arrive like this instead:
"Found a beautiful girl. It's paradise. Yours, Chris".
So it's definitely not the best protocol for downloading files or sending and receiving other information, like text messages, that need to be in the correct order, unless the application on top adds its own ordering and retransmission. A VPN over UDP relies on exactly that: the TCP connections inside the tunnel handle their own reliability, so the tunnel itself doesn't need to, which is why UDP is the preferred transport for OpenVPN.
UDP is more lightweight than TCP, as it doesn't track connections, order messages or perform other processor-intensive operations. UDP doesn't care; it simply hands each datagram to the application in whatever order it arrived.
UDP sends data packets individually, and the packets could arrive out of order, if they arrive at all.
UDP is used for the Domain Name System (DNS), real-time media such as voice and video calls, and online multiplayer games, where a late packet is worthless and it's better to skip it than to wait for a resend.
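The difference is easiest to see by simulating both receivers. The following is an added example, my code rather than anything from the article: a TCP-style receiver that reassembles a byte stream by sequence number and reports the first gap it would ask to have retransmitted, beside a UDP-style receiver that hands datagrams up exactly as they arrive. The "network" is a constructed list of packets in which one segment is delayed and one is lost; the message text is the article's own example.

```python
"""Added example: ordered, reliable delivery (TCP-style) versus best-effort
delivery (UDP-style), modelled on a constructed packet trace.

Not from the article.  Sequence numbers are byte offsets, as in TCP; the
datagram list stands in for the wire.
"""
from typing import Dict, List, Optional, Tuple

Segment = Tuple[int, bytes]   # (sequence number = offset of first byte, payload)


def tcp_receive(segments: List[Segment], total_len: int) -> Tuple[bytes, Optional[int]]:
    """Reassemble a TCP-style byte stream from segments in arrival order.

    Early segments are buffered and placed by sequence number; delivery to the
    application stops at the first gap.  Returns (bytes deliverable in order,
    sequence number of the first missing byte, or None when complete).  That
    missing sequence number is what the receiver's ACK would carry to make the
    sender retransmit.
    """
    buffer: Dict[int, bytes] = {}
    for seq, payload in segments:
        buffer[seq] = payload                   # a duplicate simply overwrites
    delivered = bytearray()
    next_seq = 0
    while next_seq < total_len:
        if next_seq not in buffer:
            return bytes(delivered), next_seq   # gap: hold everything after it
        payload = buffer[next_seq]
        delivered.extend(payload)
        next_seq += len(payload)
    return bytes(delivered), None


def udp_receive(datagrams: List[bytes]) -> List[bytes]:
    """UDP-style delivery: every datagram that arrives goes up immediately,
    in arrival order, and nothing is done about the ones that never arrive."""
    return list(datagrams)


# Constructed sample traffic: the sender emits these words, in this order.
WORDS = [b"Found ", b"a ", b"beautiful ", b"paradise. ", b"It's ", b"yours, ", b"girl. ", b"Chris"]
STREAM = b"".join(WORDS)


def _segments_in_order() -> List[Segment]:
    seq, out = 0, []
    for word in WORDS:
        out.append((seq, word))
        seq += len(word)
    return out


ORDERED = _segments_in_order()
# Network misbehaviour: segment 3 ("paradise. ") arrives late, segment 6 ("girl. ") is lost.
ARRIVAL = [ORDERED[0], ORDERED[1], ORDERED[2], ORDERED[4], ORDERED[5], ORDERED[3], ORDERED[7]]


def demo_tcp() -> Tuple[bytes, Optional[int]]:
    return tcp_receive(ARRIVAL, len(STREAM))


def demo_udp() -> bytes:
    return b"".join(udp_receive([payload for _, payload in ARRIVAL]))


if __name__ == "__main__":
    data, missing = demo_tcp()
    print("TCP delivered:", data, "| waiting for retransmit from seq", missing)
    print("UDP delivered:", demo_udp())
```

The TCP receiver delivers the first 40 bytes intact and then blocks, asking for sequence 40 again; the UDP receiver delivers a garbled sentence with "girl." silently missing. Neither behaviour is wrong, they are different contracts, and a VPN tunnel only needs the second one because the connections it carries bring their own TCP.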
Handshake Encryption
When making a connection between your device and your VPN provider's server, OpenVPN uses a Transport Layer Security (TLS) handshake on its control channel to authenticate the server and establish the secret keys used for the two to communicate. (IPsec-based protocols do the same job with IKE instead of TLS.)
This "handshake" verifies that you're connecting to the VPN provider's servers, and not an attacker's "spoofed" server.
TLS uses the RSA public-key cryptosystem (or, increasingly, ECDSA) to protect the handshake: the server's certificate carries its public key, and a digital signature made with the matching private key proves the server is who the certificate says. The session keys themselves are then agreed either by encrypting them to the RSA key (the older "RSA key exchange," removed in TLS 1.3) or, preferably, with an ephemeral Diffie-Hellman (DH) or Elliptic Curve Diffie-Hellman (ECDH) exchange that the RSA signature authenticates.
RSA
RSA (Rivest-Shamir-Adleman) is an asymmetric cryptosystem that uses a public key to encrypt data (or verify a signature) while using a different, private key to decrypt the data (or create the signature). The system has been in use to secure communication on the internet for over two decades.
RSA can have various key lengths, but the most popular are 1024 bits (RSA-1024), 2048 bits (RSA-2048) and, increasingly, 3072 and 4096 bits.
RSA-1024 is no longer considered adequate: NIST disallowed it for generating new signatures after 2013, and its margin against factoring is estimated to be within reach of a nation-state budget. (A widely reported 2017 result recovered 1024-bit keys from a popular library through a side channel in its exponentiation code, not by factoring the modulus, but the practical conclusion is the same.) Companies that do business over the internet have moved away from RSA-1024 in droves.
Sadly, some VPN providers still use RSA-1024 to protect client/server handshakes. Before deciding on a VPN provider, check the key size in the CA and server certificates the provider ships in its configuration files to ensure they no longer use RSA-1024 to protect their handshakes.
RSA-2048 and higher is considered secure, as it hasn't been broken (as far as anyone knows).
However, it's unwise to rely on RSA alone for the key exchange, as encrypting the session key to a long-term RSA key doesn't provide Perfect Forward Secrecy: steal the key later, decrypt every recorded session. Using RSA only to sign an ephemeral Diffie-Hellman (DH) or Elliptic Curve Diffie-Hellman (ECDH) exchange (the "DHE" and "ECDHE" cipher suites) remedies this, allowing the handshake to meet the requirement for PFS.
Diffie-Hellman (DH) and Elliptic Curve Diffie-Hellman (ECDH)
VPN protocols can also use a different kind of handshake cryptography, known as the Diffie-Hellman key exchange, in which both sides contribute a fresh random value and derive the same shared secret without ever transmitting it.
Classic DH is done in a group defined by a large prime, usually 2048 or 4096 bits long. (Avoid anything less than 2048 bits: the Logjam research showed that 512-bit groups are broken in minutes and that 1024-bit groups are within reach of a nation-state attacker.)
Diffie-Hellman's main advantage over RSA key exchange is that, used with fresh values for every session, it natively offers Perfect Forward Secrecy. The RSA handshake is improved by adding a DH exchange to it, providing the same protection, with RSA reduced to its proper role of authenticating the exchange.
Security experts have criticized deployed Diffie-Hellman for re-using a small set of well-known primes: because most servers share the same few 1024-bit primes, an adversary with the resources of the NSA can do a one-time precomputation against a prime and then break individual connections that use it cheaply. Using 2048-bit or larger groups closes that gap, and a DH exchange signed by the server's RSA key still produces a secure handshake.
Elliptic Curve Diffie-Hellman (ECDH) is a more recent form of the same idea that sidesteps those problems. ECDH works in the group of points on a particular type of algebraic curve, in place of the prime-number arithmetic that the original Diffie-Hellman uses, so equivalent security needs far smaller keys and less computation.
ECDH can also be used in conjunction with an RSA signature to offer Perfect Forward Secrecy. In addition, it can secure a handshake without RSA at all, providing PFS with an Elliptic Curve Digital Signature Algorithm (ECDSA) signature for authentication.
ECDH keys are much shorter than RSA or DH keys of the same strength: a 256-bit curve (such as P-256 or Curve25519) is roughly comparable to 3072-bit RSA, and a 384-bit curve (P-384) to 7680-bit RSA. Both are considered secure; what matters is that the curve is one of the well-vetted standard ones.
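The exchange in action, as an added example that is my own code and not OpenVPN's, any TLS library's or anything from the article. It also illustrates two earlier points: the "asymmetric handshake, then symmetric session keys" split described under asymmetric algorithms, and the Perfect Forward Secrecy section's claim that discarding ephemeral values is what protects past sessions. It uses the 2048-bit MODP group from RFC 3526 (group 14, generator 2) and a small HKDF built from the standard library's HMAC-SHA256; the peer names, the key label string and the check on received public values are my choices.

```python
"""Added example: an ephemeral Diffie-Hellman exchange with session-key
derivation, showing where forward secrecy comes from.

Not from the article.  Two peers each pick a fresh secret exponent per
session, exchange public values, derive the same symmetric key, and then
throw the exponent away.  Nothing long-lived can reproduce the session key.
"""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# RFC 3526 group 14: a 2048-bit safe prime, generator 2.
P_HEX = (
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF"
)
P = int(P_HEX, 16)
G = 2
P_BYTES = (P.bit_length() + 7) // 8


def validate_public_value(y: int) -> None:
    """Reject 0, 1 and p-1: a peer sending those forces a predictable secret.
    (A stricter check would also verify pow(y, (P-1)//2, P) == 1.)"""
    if not 1 < y < P - 1:
        raise ValueError("invalid Diffie-Hellman public value")


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF (extract then expand) with HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


class Peer:
    """One side of the exchange; holds only an ephemeral secret per session."""

    def __init__(self, name: str) -> None:
        self.name = name
        self._x: Optional[int] = None            # ephemeral exponent, lives for one session

    def new_session(self) -> int:
        self._x = secrets.randbelow(P - 3) + 2   # uniform in [2, p-2]
        return pow(G, self._x, P)                # public value sent to the peer

    def session_key(self, their_public: int, transcript: bytes) -> bytes:
        validate_public_value(their_public)
        shared = pow(their_public, self._x, P)
        self._x = None                           # discard: this is the forward-secrecy step
        return hkdf_sha256(shared.to_bytes(P_BYTES, "big"),
                           salt=hashlib.sha256(transcript).digest(),
                           info=b"vpn data-channel key")   # label chosen for this demo


def run_session(client: Peer, server: Peer) -> Tuple[bytes, bytes]:
    """One exchange; returns (client's derived key, server's derived key)."""
    a_pub = client.new_session()
    b_pub = server.new_session()
    # Binding the key to both public values (the transcript) means an attacker
    # who swaps one side's value cannot end up with the same key as the victim.
    transcript = a_pub.to_bytes(P_BYTES, "big") + b_pub.to_bytes(P_BYTES, "big")
    return client.session_key(b_pub, transcript), server.session_key(a_pub, transcript)


def demo() -> dict:
    client, server = Peer("client"), Peer("server")
    k1_client, k1_server = run_session(client, server)
    k2_client, k2_server = run_session(client, server)
    return {"session1_match": k1_client == k1_server,
            "session2_match": k2_client == k2_server,
            "sessions_differ": k1_client != k2_client,
            "secret_discarded": client._x is None and server._x is None}


if __name__ == "__main__":
    print(demo())
```

What this does not do is authenticate the peers: on its own, the exchange would work just as well with an attacker in the middle running two separate sessions. In a real handshake the server signs the transcript with its RSA or ECDSA key, which is the "RSA plus (EC)DH" combination described above. Replacing the modular arithmetic with a curve gives ECDH; the validation, derivation and discard steps are the same.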
SHA Authentication
Secure Hash Algorithm (SHA) is a family of cryptographic hash functions. On a VPN connection SHA does two jobs: inside a keyed construction called HMAC it authenticates each data packet, and inside digital signatures it authenticates the certificates exchanged in the TLS handshake.
Basically, SHA condenses any amount of data into a fixed-size "fingerprint" (256 bits for SHA-256). Change even one bit of the input and the fingerprint changes completely, so a receiver can use it to confirm the integrity of the data.
A simple example would be if the check value for a file or a message is "456AHD" on one end, and is also "456AHD" when received, in which case the receiving party can be confident the data wasn't corrupted along the way. Against a deliberate attacker, though, a bare hash is not enough: anyone who can change the data can recompute the hash to match. That's why the hash is combined with a secret key shared by the two endpoints (HMAC), so that only they can produce a valid check value.
So, if you receive the message "You're the best, kiddo" from your mother, HMAC-SHA assures you that this was not the handiwork of a hacker, and that your mom does, indeed, think you're the best, kiddo.
OpenVPN connections are among those that can be authenticated using SHA; the "auth SHA256" option selects HMAC-SHA256 for the data channel (and for "tls-auth"/"tls-crypt" protection of the control channel). With an AEAD cipher such as AES-GCM the data channel authenticates itself and the HMAC is not used for it.
During the handshake, a SHA digest of each TLS certificate is what actually gets signed by the issuing CA. The OpenVPN client checks that signature; if anyone alters the certificate, even the tiniest bit, the digest no longer matches the signature and the client rejects the connection.
This helps prevent attacks such as the Man-in-the-Middle attack, where a party attempts to divert a VPN connection from the provider's VPN server to a server of the hacker's own making.
There are 3 generations of SHA, each a different design: SHA-1, SHA-2 (a family including SHA-256, SHA-384 and SHA-512) and SHA-3.
SHA-2 and SHA-3 are considered secure. SHA-1 is not: researchers produced two different files with the same SHA-1 fingerprint in 2017, which is exactly the property a certificate signature relies on, so browsers and certificate authorities stopped accepting SHA-1-signed certificates and will warn you or refuse to connect to a site still using one. (SHA-1 inside HMAC has no known practical break, but there is no reason to choose it over SHA-256 for a new setup.)
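To see why the keyed version matters, here is an added example, my code rather than the article's or OpenVPN's: a packet format that appends a bare SHA-256 "check value" beside one that appends an HMAC-SHA256 tag, with an on-path attacker modifying the payload in both. The framing (4-byte sequence counter, payload, 32-byte tag) is a simplified stand-in for real OpenVPN packets, and the messages are constructed for the demonstration.

```python
"""Added example: bare hash versus HMAC for packet authentication.

Not from the article or from OpenVPN.  A plain SHA-256 appended to a packet
detects accidental corruption only; an attacker who changes the packet just
recomputes the hash.  HMAC-SHA256 under a key only the two endpoints hold is
what "auth SHA256" actually provides.
"""
import hashlib
import hmac
import os
from typing import Optional

TAG_LEN = 32   # SHA-256 output; OpenVPN "auth SHA256" also uses a 32-byte HMAC


def unkeyed_frame(seq: int, payload: bytes) -> bytes:
    """The weak design: packet || SHA-256(packet)."""
    body = seq.to_bytes(4, "big") + payload
    return body + hashlib.sha256(body).digest()


def unkeyed_check(frame: bytes) -> bool:
    body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    return hashlib.sha256(body).digest() == tag


def hmac_frame(key: bytes, seq: int, payload: bytes) -> bytes:
    """The sound design: packet || HMAC-SHA256(key, packet)."""
    body = seq.to_bytes(4, "big") + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


def hmac_check(key: bytes, frame: bytes, last_seq: int) -> Optional[bytes]:
    """Verify the tag in constant time and require a strictly increasing
    sequence counter (replay protection).  Returns the payload, or None."""
    if len(frame) < 4 + TAG_LEN:
        return None
    body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # never compare MACs with ==
        return None
    seq = int.from_bytes(body[:4], "big")
    if seq <= last_seq:
        return None                              # replayed or reordered packet
    return body[4:]


def tamper(frame: bytes, new_payload: bytes) -> bytes:
    """What an on-path attacker can do: swap the payload and recompute a plain
    SHA-256 over the result.  Without the key, that is the best they can do."""
    body = frame[:4] + new_payload
    return body + hashlib.sha256(body).digest()


def demo() -> dict:
    key = os.urandom(32)                         # delivered by the handshake in practice
    original, forged = b"You're the best, kiddo", b"You're grounded, kiddo"
    weak = tamper(unkeyed_frame(7, original), forged)
    strong = tamper(hmac_frame(key, 7, original), forged)
    genuine = hmac_frame(key, 7, original)
    return {
        "unkeyed_accepts_forgery": unkeyed_check(weak),            # True: attack works
        "hmac_rejects_forgery": hmac_check(key, strong, 6) is None,
        "hmac_accepts_genuine": hmac_check(key, genuine, 6) == original,
        "hmac_rejects_replay": hmac_check(key, genuine, 7) is None,
    }


if __name__ == "__main__":
    print(demo())
```

Two details carry over directly to real deployments: the comparison uses hmac.compare_digest rather than ==, so the time taken does not leak how many tag bytes matched, and the sequence counter is part of what is authenticated, so a captured packet cannot simply be replayed later.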
What We've Learned So Far – VPN Encryption
A VPN protocol is the set of instructions used to create and maintain an encrypted connection between two devices, such as a user's mobile device or computer and a VPN service's servers.
Protocols use algorithms called "ciphers," which perform the encryption and decryption of data. A cipher is best described as a series of steps to follow to encrypt and decrypt the data being sent and received. Commercial VPN providers usually use AES, and older setups Blowfish, to secure their communications.
Transport Layer Protocols manage the device-to-device communication services for internet applications. Transmission Control Protocol (TCP) guarantees ordered, complete delivery, best used for downloading files and sending messages. User Datagram Protocol (UDP) is faster, but doesn't retransmit lost data, and is best used for real-time traffic such as voice and video, and as the transport for a VPN tunnel, where the connections inside handle their own reliability.
The Transport Layer Security (TLS) handshake authenticates the server and establishes the secret keys needed to enable two devices to communicate. TLS usually uses an RSA (or ECDSA) signature to authenticate the handshake and an ephemeral ECDH or Diffie-Hellman key exchange to agree on the keys with forward secrecy.
Secure Hash Algorithm (SHA) is a family of cryptographic hash functions used, via HMAC and digital signatures, to authenticate packets and certificates.
VPN Protocols
In this section, I'll discuss OpenVPN, L2TP/IPSec, IKEv2, SSTP and PPTP.
These are the most common protocols currently in use today. I will explain what they are and how they work. Generally, we'll discuss these in the order of best protocol to worst, as they're listed in the first sentence above. However, we will save the best for last: OpenVPN.
Since OpenVPN is arguably the industry standard, I'll go into the most detail when discussing it. However, rest assured, I will not skimp on details about the other protocols, as they are also still in heavy use.
L2TP/IPSec
Pros:
- Considered to be mostly secure
- Easy to set up and use
- Widely available
- Often faster than OpenVPN
Cons:
- Possibly compromised by the NSA
- Implementation is sometimes incorrect
The Layer 2 Tunneling Protocol (L2TP) is built into most operating systems and VPN-able devices. This makes it easy to set up. L2TP is generally used in conjunction with the IPSec (Internet Protocol Security) authentication/encryption suite, as L2TP doesn't provide any encryption on its own.
L2TP/IPsec can make use of both the 3DES and AES ciphers, although AES should always be chosen: 3DES has a 64-bit block and is vulnerable to the Sweet32 attack, and meet-in-the-middle attacks reduce its effective key strength to 112 bits.
L2TP/IPSec runs entirely over UDP: the IKE key exchange (handshake) on UDP port 500 (or 4500 when NAT traversal is in use), and the L2TP tunnel itself on UDP port 1701, carried inside IPsec ESP. Firewalls that block those ports block the protocol, which is one reason it's easier to filter than OpenVPN or SSTP on port 443.
While this protocol is a bit slower than others because it encapsulates data twice, the slowdown is offset a bit due to the protocol allowing multi-threading, and encryption/decryption occurring at the kernel level.
In theory, this protocol could provide better performance than OpenVPN.
Although L2TP/IPSec has no known significant security vulnerabilities, both Edward Snowden's leaked documents and security specialist John Gilmore have indicated that IPSec was deliberately weakened, by "someone, not an NSA employee, but who had longstanding ties to the NSA" on the IPSec IETF standards committee during the design phase, and that it may thus have been compromised by the NSA.
Sadly, some VPN providers do not implement L2TP/IPSec properly, using pre-shared keys (PSKs) that are published on their websites. The PSK is what authenticates the IPsec layer, so an attacker who has it can impersonate a VPN server, allowing them to eavesdrop on, or insert malicious data into, the connection of any user they can redirect to their server.
While it is possible that L2TP/IPSec could be subject to security vulnerabilities, if implemented properly, with AES, a strong PSK or certificates, and current software, it is considered secure. Its compatibility with most operating systems and devices is a definite plus.
IKEv2
Pros:
- Fast and stable
- Secure when used with AES
- Easy to set up
Cons:
- Not available on some platforms
Internet Key Exchange version 2 (IKEv2) was originally developed by a partnership between Cisco and Microsoft. The protocol is supported natively by Windows 7 and above, iOS, macOS and BlackBerry devices.
In addition to the official version of IKEv2, open source, compatible implementations such as strongSwan have been developed for Linux, Android and other operating systems.
IKEv2 is the key-exchange and authentication half of the IPsec suite: it authenticates the two ends, agrees on keys and negotiates the ciphers, and IPsec's ESP then carries and encrypts the actual packets. So "IKEv2 VPN" always means IKEv2/IPsec, and the pairing is what makes it a complete, secure VPN protocol.
IKEv2 can use a variety of cryptographic algorithms, including AES, Blowfish, 3DES and Camellia, depending on the implementation; AES (ideally AES-GCM) is the one to choose.
IKEv2 uses UDP for the initial (and encrypted) key exchange and for data transfer: UDP port 500 for IKE, and UDP port 4500 when NAT traversal is needed.
IKEv2 shines as a choice for smartphone users who switch between cellular and local Wi-Fi connections on a regular basis, as its MOBIKE extension lets a client keep the same tunnel when its IP address changes and re-establish it quickly when the connection drops.
While IKEv2 isn't as popular as other protocols, as it's supported on fewer platforms, its performance, security and ability to automatically re-establish a connection make it a valid option, when available.
SSTP
Pros:
- Fully integrated into Windows
- Can usually tunnel under firewalls
Cons:
- Proprietary Microsoft protocol
- Limited support for platforms other than Windows
The Secure Socket Tunneling Protocol (SSTP) is Microsoft's proprietary protocol standard, and it's therefore tightly integrated with Windows. The protocol is available for Windows, macOS, Linux and BSD devices. SSTP has been available for Windows installations since the release of Windows Vista SP1.
Microsoft developed the protocol for remote client access, and as such, it's not compatible with site-to-site VPN tunnels.
SSTP encryption makes use of SSL 3.0, so it offers features and advantages similar to OpenVPN, including the ability to make use of TCP port 443 to avoid blocking.
There are concerns with SSTP, as it is not an open standard, and as such, it's not open to examination by the public. There are concerns over Microsoft's previous cooperation with the National Security Agency (NSA), and an NSA official has admitted to working with Microsoft on the development of Windows 7.
SSTP does have the ability to tunnel under most firewalls thanks to its use of SSL/TLS over TCP port 443. This could make it an attractive option for those trapped behind overly restrictive firewalls.
PPTP
Pros:
- Popular client, built into most platforms
- Easy to set up
- Low computational overhead makes it fast!
Cons:
- It's quite unsecure
- It's been compromised by the NSA
- Easily detected and blocked
A Microsoft-led consortium created Point-to-Point Tunneling Protocol (PPTP) in 1995 to create VPNs over dial-up connections. It was integrated with Windows 95.
The protocol quickly became the standard for corporate VPN networks. It remains a popular protocol for commercial VPN service still today. However, over the years, as VPN technology has improved, PPTP has fallen by the wayside.
PPTP uses 128-bit encryption keys, so it requires a lower computational overhead than other protocols to implement, making it faster than many other protocols.
However, PPTP is not as secure as other protocols and faces numerous security vulnerabilities. While Microsoft has patched many of the vulnerabilities, the Redmond-based firm recommends using SSTP or L2TP/IPsec instead.
PPTP encrypts its payload using the Microsoft Point-to-Point Encryption protocol (MPPE). MPPE uses the RSA RC4 encryption algorithm with up to a maximum of 128-bit session keys.
It is widely believed that the National Security Agency (NSA) can easily decrypt PPTP-encrypted information and that it has collected mass amounts of data from the period of time when PPTP was considered secure.
PPTP is not recommended for use in countries like China, where the government is known to block VPN usage.
PPTP uses both TCP port 1723 and the GRE protocol, which are easily blocked, making it easy for tools like the Great Firewall of China to detect and block the protocol.
I would strongly suggest that users avoid PPTP whenever possible and only use it when there's no other compatible protocol.
OpenVPN
Pros:
- Quite secure
- Available on most platforms
- Open source
- Easily bypasses firewall blockades
- Highly customizable
Cons:
- Requires third-party software
OpenVPN is arguably the most popular VPN protocol available today. It's supported by most commercial VPN providers. OpenVPN is a free VPN protocol that's also open source, and its 256-bit encryption makes it one of the most secure protocols out there.
OpenVPN is highly configurable. Although the protocol is not natively supported by any of the popular device platforms, it is readily available for most of them via third-party software.
One particular feature of OpenVPN that makes it a popular choice is its ability to be set to run on any port.
The most notable port is TCP port 443, which is used by HTTPS traffic. As port 443 carries the secure connections of banks, online retailers and other security-conscious users, blocking it would wreak havoc on those businesses and their customers.
Itâs for that reason that restrictive countries like China would have difficulty blocking OpenVPN out of hand, without endangering business.
OpenVPN can be set to use UDP if speed is the most important consideration, or TCP if error correction is the most important factor.
The OpenSSL library that OpenVPN uses to encrypt connections supports a variety of ciphers, although AES and Blowfish are the most common.
How OpenVPN Encryption Works
As previously mentioned, OpenVPN encryption is made up of two parts: control channel encryption and data channel encryption.
Control channel encryption protects the connection made between your computer or device and the VPN provider's servers.
Data channel encryption secures the actual data being transmitted and received by both parties.
Sadly, some VPN providers use weaker encryption on one of these channels – usually the data channel – which leaves your data at risk.
The strength of an OpenVPN connectionâs security is only as strong as the weakest encryption being used.
To ensure maximum security, both channels should use the strongest encryption possible. However, stronger encryption can slow a VPN's connection speeds, which is why some providers use weaker encryption for the data channel – it's all about what's most important to you: speed or security.
If possible, always research any VPN provider you're considering in order to ensure it uses the most secure method available for its OpenVPN connections.
The control channel's encryption uses Transport Layer Security (TLS) technology to securely negotiate the connection from your device to the VPN's servers. Browsers use TLS to provide a secure connection to HTTPS-enabled websites.
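As an added example (not code from the article), the following Python script audits an OpenVPN client profile for exactly the mismatch described above, reporting weak settings on the data channel and the control channel separately. The directive names are real OpenVPN options; the weak-cipher sets and the sample profile are constructed for this illustration.

```python
"""Audit an OpenVPN client profile for weak control- or data-channel settings.
Added example, not code from the article. Directive names (cipher, data-ciphers,
auth, tls-version-min, tls-cipher) are real OpenVPN options; the weak sets and the
sample profile below are constructed for illustration."""

# Constructed weak sets: 64-bit-block (or null) data ciphers; digests only matter for CBC ciphers.
WEAK_DATA_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "NONE"}
WEAK_DIGESTS = {"MD5", "SHA1", "NONE"}

def parse_profile(text):
    """Map each directive to its argument list; '#'/';' comments dropped, last occurrence wins."""
    directives = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            name, *args = line.split()
            directives[name.lower()] = args
    return directives

def audit(profile_text):
    """Return (channel, finding) tuples for weak settings on either channel; [] means none found."""
    d = parse_profile(profile_text)
    findings = []
    # Data channel: 'data-ciphers' is a colon-separated negotiation list (OpenVPN 2.5+),
    # 'cipher' the legacy single cipher; any candidate that could be negotiated counts.
    candidates = d["data-ciphers"][0].upper().split(":") if "data-ciphers" in d else []
    if "cipher" in d:
        candidates.append(d["cipher"][0].upper())
    for c in candidates:
        if c in WEAK_DATA_CIPHERS:
            findings.append(("data", f"weak cipher {c}"))
    # 'auth' protects only CBC ciphers; GCM and ChaCha20-Poly1305 authenticate themselves.
    digest = d.get("auth", ["SHA1"])[0].upper()  # SHA1 is OpenVPN's documented default
    if any(c.endswith("-CBC") for c in candidates) and digest in WEAK_DIGESTS:
        findings.append(("data", f"weak HMAC digest {digest} on a CBC cipher"))
    # Control channel (TLS): legacy protocol floor, or a pinned suite without (EC)DHE forward secrecy.
    tls_min = d.get("tls-version-min", [None])[0]
    if tls_min in ("1.0", "1.1"):
        findings.append(("control", f"tls-version-min {tls_min} permits legacy TLS"))
    for suite in d.get("tls-cipher", [""])[0].split(":"):
        if suite and "DHE" not in suite:
            findings.append(("control", f"{suite} lacks forward secrecy"))
    return findings

# Constructed sample: strong control channel, weak data channel (the mismatch the article warns about).
SAMPLE_PROFILE = """client
cipher BF-CBC          # data channel: 64-bit block cipher
auth SHA1
tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
"""
```

Running `audit(SAMPLE_PROFILE)` flags only the data channel, which is the situation the text describes: a TLS 1.2 control channel with forward secrecy wrapped around a Blowfish-protected data channel.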
In Conclusion
As long as a VPN provider has properly implemented OpenVPN on its servers and in its apps, the protocol is, in my humble opinion, the most secure VPN protocol around.
A 2017 audit of OpenVPN showed no serious vulnerabilities that would affect the privacy of users. While there were a few vulnerabilities that left OpenVPN servers open to Denial of Service (DoS) attacks, the latest version of OpenVPN plugged those holes.
Due to OpenVPN's top-notch protection, flexibility and general acceptance by the VPN industry, I highly recommend you use the OpenVPN protocol whenever possible.
Let's Summarize
Let's take a look at the major ideas we've covered in this article. It's been a long and winding road, but we've made it to the end.
Encryption
In its simplest form, encryption is the process of converting readable text (plaintext) into unreadable text (ciphertext) that's only readable if you possess the "secret code" (cipher) to unscramble the text back into a readable format.
Encryption ciphers are algorithms of instructions for how to encrypt data, and encryption keys are the pieces of information that determine the output of the cipher (i.e., the ciphertext). VPN protocols make use of these ciphers to encrypt your data.
A VPN uses an encrypted tunnel to keep your internet connection undercover. This prevents any third parties, such as your ISP or the government, from monitoring and recording your online activities.
VPN Encryption Protocols
Your VPN provider uses encryption protocols to protect your internet connection.
There are various types of encryption protocols available to safeguard VPN connections, each with their own advantages and disadvantages. The 4 most important considerations are which ciphers (such as AES or Blowfish), transport layer protocols, handshake encryption and SHA authentication they use.
Transport layer protocols handle the end-to-end (device-to-device) communication services for applications, such as those used on the internet.
Handshake encryption is the process used to make a connection between your device and the VPN provider's server. This "handshake" verifies that you're connecting to an authentic VPN server, and not a hacker's "spoofed" server.
SHA Authentication is a cryptographic hash function that can be used to authenticate connections.
Protocols
L2TP/IPSec
Layer 2 Tunneling Protocol (L2TP) is available on most desktop and mobile operating systems. L2TP is easy to use and is generally used with the IPSec encryption package, as it contains no encryption of its own. Its speed is comparable to OpenVPN and IKEv2.
IKEv2
The Windows 7 and above, iOS and BlackBerry platforms all natively support this protocol. IKEv2 is a good choice for smartphone use, as it shines at automatically reconnecting to the internet as users lose and then regain internet connections.
SSTP
SSTP is tightly integrated into Windows, and is also available for the macOS, Linux, and BSD platforms. It isn't compatible for use with site-to-site VPN tunnels. It supports only user authentication, not device authentication, making it only usable for remote client access, such as when an employee logs in remotely to corporate servers.
PPTP
While PPTP has been around a long time and is available on most every platform, it isn't secure. However, because PPTP's encryption overhead is the lowest of all the protocols, PPTP is the fastest.
OpenVPN
Of all of the protocols we've taken a look at, OpenVPN offers the best all-around protection vs. speed ratio. It's fast, secure, reliable and open source. While it isn't native to any device platform, there are plenty of third-party options available.
OpenVPN is a particularly good choice for VPN users who are located in overly restrictive countries, such as China. While the Great Firewall of China has the ability to block many VPN protocols, its batting average against OpenVPN isn't as high.
In Closing
After reading this article, you should now have a better understanding of encryption, and how a VPN uses encryption to protect your online connection and the associated activities.
As you've read, while each VPN protocol has its strengths and weaknesses, they all offer at least some level of protection when properly configured. OpenVPN is the best bet for all-around protection, compatibility and speed.
When considering a VPN provider, make sure they offer OpenVPN as a protocol option in order to provide the best protection for your personal and business activities online.
I highly suggest NordVPN as an option, as they provide OpenVPN protection, in addition to their excellent connection speeds, global server coverage, privacy protections and customer service.
NordVPN also provides OpenVPN-capable apps for nearly every modern connected platform.
For more information, visit the NordVPN website.
"VPN & Internet Security" by Mike MacKenzie, licensed under CC BY 2.0