VPN encryption is far harder to understand than it is to use. It involves many technical terms and procedures that not everyone can follow, particularly people without a background in computer terminology. Keeping the difficulties of VPN buyers and users in mind, we have prepared this article to simplify the VPN encryption terms (read our VPN buying guide to know more about VPNs), so that you can understand them better and then choose the right VPN with a secure encryption protocol.
Who Should Read this VPN Encryption Terms Guide?
This guide is for VPN users who find it hard to understand the technical VPN encryption terms used by many VPN providers. Selecting the right, secure VPN depends on the level of encryption it offers. If you don’t understand the basics of VPN encryption terms, how can you select a VPN with strong enough encryption to be secure? (Read more about the best encrypted VPN.)
VPN encryption is the process of encoding readable text and data with the help of mathematical algorithms, so that they are unreadable to any unauthorised person. The data is protected by a pair of encryption keys known only to the authorised parties. This is done for the privacy and security of the user’s internet data. When encryption is implemented using a VPN, your entire internet traffic is transmitted through the tunnel in encrypted form and decrypted at the other end by the VPN server. The whole encryption process is carried out by specific cryptographic protocols. VPN encryption uses various encryption methods, and these in turn rely on different protocols (note that VPN protocols are different from encryption methods; different VPN protocols use different encryption methods). These are responsible for many essential jobs in the encryption process: securing the data packets travelling through the tunnel, encrypting the tunnel, monitoring the traffic of data packets in the tunnel, verifying encryption keys, and so on. In this article, we have tried to explain the VPN encryption terms as simply as we can. Let’s take a look at all the protocols and encryption terms below for a better understanding of VPN encryption.
Where to Begin?
The first thing we all look at when selecting a VPN is its features. However, most people prefer price over features, which is not recommended: security and privacy depend on the level of encryption and the security features a VPN service offers, and these are correlated with the price of the VPN (read more about the best cheap VPN services). The higher the VPN price, the more quality it offers: a higher encryption level and greater privacy and security. It is a basic rule of economics that the cheaper the product, the more compromises it carries. My point is that price should be the second priority when selecting a VPN. Security and encryption level must be considered first, and for that you need at least a basic understanding of all the VPN encryption terms. After finishing this article you will be able to do that well, and we take credit for that.
Let’s begin with a picture that I found appropriate to start the explanation with. After selecting a VPN somehow, when people install and run it, they face some major and common issues regarding the VPN encryption protocols and their selection. Take a look at the picture below, for example:
In the picture above, when VPN users are asked to select the level of data encryption, data authentication and handshake, most of them don’t know what to select or why. To answer all these queries, we have written the article in simple, common language understandable by any VPN user with basic internet and computer knowledge.
A VPN protocol is a bundle of instructions used to establish a secure connection between two systems (computers). The protocols used in VPNs are PPTP, L2TP/IPSec, OpenVPN, SSTP and IKEv2. These protocols are compatible with, and use, different encryption methods. The combination of VPN protocol and encryption method defines the level of security and privacy a VPN provides; it is the mechanism by which a VPN provides internet security to its users. Take a look at all the VPN protocols with the encryption method they use and the level of security they offer.
- PPTP uses MS-CHAP v2, which is extremely insecure.
- L2TP always uses the IPSec authentication method (L2TP/IPSec). It is insecure, as it has been cracked many times by adversaries like the NSA, so security experts do not recommend it for better security.
- OpenVPN is the recommended and now standard protocol for the VPN industry, as it is secure and still untouched by adversaries like the NSA (they are unable to break it when implemented). OpenVPN supports all VPN-friendly devices and machines (except Blackberry devices). Because of its good internet privacy and highly secure nature, we will discuss only the encryption methods used by OpenVPN from here on, as we strongly recommend selecting a VPN with OpenVPN only. OpenVPN uses the OpenSSL encryption method exclusively, along with the SSLv3/TLS protocol.
- SSTP uses the OpenSSL encryption method, which is secure. It was developed as a method to transfer PPP or L2TP traffic via an SSLv3 channel. Using SSL makes it as secure, and as recommendable for high-end security, as OpenVPN.
What is RSA Handshake?
As I mentioned in the encryption paragraph, the data is protected by a pair of keys used to encrypt and decrypt the data packets in an encrypted network, and these keys need to be verified by some system before decryption is allowed at the other end of the encrypted tunnel. RSA is an asymmetric key and certificate encryption algorithm used in a cryptosystem (asymmetric means one key is used for encryption and the other is used for decryption of the data). To establish a secure VPN connection, SSL, OpenVPN and SSTP use RSA for the verification of encryption keys. It verifies the keys at the receiving end and also the TLS/SSL certificates, and it has been used for internet security for more than two decades now. After several incidents back in 2010, it was believed that 1024-bit RSA (RSA-1024) private key encryption could be broken by the NSA and adversaries like it (or might already have been broken). As a result, Google upgraded all of its SSL certificate encryption to a 2048-bit RSA key length, and the whole technology industry followed. As 2048-bit RSA is considered secure, it is the minimum encryption standard for all commercial VPN services in the industry. Choosing stronger encryption, like 3072-bit or 4096-bit RSA, is even better. Another, less popular rival handshake to RSA that is sometimes used by OpenVPN is the Diffie-Hellman cryptographic key exchange. It is attached to some controversy over the reuse of a restrained set of prime numbers, which is why it is considered vulnerable to being cracked, or to have already been broken, by the NSA. However, this controversy is patched by the newer Elliptic Curve Diffie-Hellman (ECDH) cryptography, which is not vulnerable to brute-force attacks by adversaries like the NSA and others. To encrypt the connection it uses the properties of a particular type of algebraic curve rather than a set of large prime numbers, which makes it more secure than the Diffie-Hellman cryptographic key exchange.
The major advantage of using the Diffie-Hellman cryptographic key exchange is that it supports Perfect Forward Secrecy (PFS). This is a cryptographic system which creates a new set of encryption keys whenever a new SSL connection is initiated, which is practically impossible for anyone to break, even the NSA, because cracking so many new keys is practically impossible. RSA, on the other hand, does not support PFS, but OpenVPN is compatible with PFS and can be implemented with it, which is why OpenVPN is considered the most secure and dynamic option even against the strongest adversary, the NSA.
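To make the forward-secrecy point concrete, here is an added Python example (not code from the original article) that walks through one Diffie-Hellman exchange with fresh exponents per session and derives a session key from the result; the group parameters P and G are constructed toy values, far smaller than the 2048-bit groups used in practice.

```python
import hashlib
import secrets

# Constructed toy group for illustration only: 2**127 - 1 is prime, 5 is the base.
# Real VPN handshakes use 2048-bit or larger groups (or elliptic curves for ECDH).
P = 2**127 - 1
G = 5


def dh_keypair(p=P, g=G):
    """Fresh (ephemeral) private exponent x and the public value g^x mod p."""
    priv = secrets.randbelow(p - 2) + 2          # 2 <= priv <= p - 1
    return priv, pow(g, priv, p)


def dh_shared_secret(priv, peer_pub, p=P):
    """Both sides compute the same value: (g^b)^a == (g^a)^b mod p.
    A peer value of 0, 1 or p-1 would collapse the secret, so reject it."""
    if not 1 < peer_pub < p - 1:
        raise ValueError("peer public value out of range")
    return pow(peer_pub, priv, p)


def derive_session_key(shared, transcript):
    """Hash the raw DH value together with the handshake transcript into a
    32-byte symmetric key (a simplification of the TLS key derivation)."""
    data = shared.to_bytes((P.bit_length() + 7) // 8, "big") + transcript
    return hashlib.sha256(data).digest()


def run_handshake(transcript=b"constructed handshake transcript"):
    """Simulate one OpenVPN/TLS session: client and server each pick a fresh
    exponent, exchange public values and derive an identical session key."""
    c_priv, c_pub = dh_keypair()
    s_priv, s_pub = dh_keypair()
    c_key = derive_session_key(dh_shared_secret(c_priv, s_pub), transcript)
    s_key = derive_session_key(dh_shared_secret(s_priv, c_pub), transcript)
    assert c_key == s_key                          # both ends agree
    return c_key


def forward_secrecy_demo(sessions=3):
    """Every session uses new exponents, so every session key differs.
    The exponents are never stored or sent, so a long-term RSA signing key
    leaked later reveals none of these keys."""
    keys = [run_handshake() for _ in range(sessions)]
    return len(set(keys)) == sessions


if __name__ == "__main__":
    print("session key:", run_handshake().hex())
    print("all session keys distinct:", forward_secrecy_demo())
```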
What is SHA hash authentication?
Secure Hash Algorithm (SHA), or hash message authentication code (HMAC), is a cryptographic hash function used to authenticate SSL connections (which include OpenVPN connections). It is also known as a data authentication hash. It creates a peculiar fingerprint of a valid SSL certificate which can be validated by any OpenVPN client. If the certificate is changed or tampered with, it immediately detects even the smallest change and refuses the connection. This authentication by SHA is crucial to stopping Man-in-the-middle attacks. These attacks are set up by an intruder or attacker who attempts to divert your OpenVPN connection to their own servers, which results in the hacking of your details and data. This diversion of your OpenVPN connection to an attacker’s server instead of your VPN provider’s server is called a Man-in-the-middle attack, and it can harm your privacy and security. It would be worse still if the adversary who established the attack could crack the hash of your OpenVPN SSL certificate: they could then reverse the hash to create a fake SSL certificate, and the VPN would consider it genuine and authenticate it. SHA-1 is the most commonly used hash; it is used to authenticate about 28% of digital certificates, including the ones used by VPN providers. However, the credibility of SHA-1 has been shaken, as it is considered to have been broken by the NSA lately. There are three versions of SHA: SHA-1, SHA-2 and SHA-3. After Microsoft, Google and Mozilla announced that their connections would no longer accept SHA-1 in 2017, NIST recommended using SHA-2 (SHA-256 or SHA-384), which is now used by most VPN providers.
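The two jobs this section describes, hashing a certificate into a fingerprint and authenticating packets so that tampering is detected, are shown in this added Python example (not code from the original article); the certificate bytes, the key TA_KEY and the packet contents are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample inputs: a pretend DER certificate and a 256-bit HMAC key.
CERT_DER = b"constructed-certificate-bytes-for-demo"
TA_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
TAG_LEN = 32  # HMAC-SHA256 output size


def fingerprint(cert_bytes, algo="sha256"):
    """The certificate's fingerprint is simply a hash of its DER bytes.
    SHA-256 is what a client should pin today; 'sha1' is accepted for contrast."""
    return hashlib.new(algo, cert_bytes).hexdigest()


def certificate_matches(presented, pinned_fp, algo="sha256"):
    """Compare the presented certificate's fingerprint with the pinned one
    in constant time; a single changed byte gives a completely different hash."""
    return hmac.compare_digest(fingerprint(presented, algo), pinned_fp)


def seal_packet(payload, key=TA_KEY):
    """Data authentication: prepend an HMAC-SHA256 tag to the payload."""
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return tag + payload


def open_packet(packet, key=TA_KEY):
    """Recompute the tag over the received payload and compare in constant
    time. Returns the payload, or None if the packet was altered in transit."""
    if len(packet) < TAG_LEN:
        return None
    tag, payload = packet[:TAG_LEN], packet[TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return payload


def tampered_packet_rejected():
    """Flip one bit of a sealed packet and confirm the receiver drops it."""
    packet = bytearray(seal_packet(b"GET /account HTTP/1.1"))
    packet[-1] ^= 0x01
    return open_packet(bytes(packet)) is None


def tampered_cert_rejected():
    """A certificate differing in one byte must not match the pinned fingerprint."""
    pinned = fingerprint(CERT_DER)
    forged = CERT_DER[:-1] + b"X"
    return certificate_matches(CERT_DER, pinned) and not certificate_matches(forged, pinned)
```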
A cipher is what actually encrypts your data. VPN protocols, hash functions and handshakes are all built to keep your data in a secure encrypted system, but the actual encryption of your data is done by the cipher. As mentioned earlier in the article, we recommend using OpenVPN, as it is the most secure VPN protocol, so we are discussing everything here in terms of OpenVPN. A cipher is a mathematical algorithm used to encrypt and decrypt data. In simple terms, it is a code which changes your text data into coded form. There are different types of ciphers, historical and modern; here we will talk about the modern ciphers used by current software and VPN providers. OpenVPN uses the 128-bit Blowfish cipher by default. However, Blowfish has some weaknesses, and its creator himself announced in 2007 that people should use its alternative, Twofish. Sadly, OpenVPN does not support Twofish, because NIST recommended and declared the AES cipher the “industry standard” for VPN encryption. Its level of security can be judged from the fact that the US government also uses AES-256-bit encryption to secure its confidential data. Some VPN providers even use a non-standard cipher other than the recommended AES, like Camellia; however, when it comes to security and performance, AES is the king. When implemented along with OpenVPN, AES is the most secure combination and is almost unbreakable. AES generally comes in two versions, AES-128-bit and AES-256-bit. Both are secure, but AES-256-bit has a longer encryption key, which is very hard to crack even for the strongest adversary, like the NSA. The US government’s own use of AES-256-bit for security is proof of how secure it is (it might be broken later by the NSA, but as of 14th December 2016 there is no such news).
Some Points to Note
To understand the encryption protocols, ciphers and hashes fully, you need to keep in mind who developed them, in case you don’t already know.
Encryption Protocols and their Developer
The National Institute of Standards and Technology (NIST) is the body behind the development and authentication of all versions of SHA, RSA and AES. It is a US-based organisation that works in close collaboration with the NSA. Thanks to Snowden, we all now know of the NSA’s deliberate efforts to create hidden weaknesses in these ciphers, providing a backdoor so that the NSA can break them later when needed. Realising this may lead to distrust of any cipher developed or approved by NIST, but unfortunately VPN users have little or no choice but to use them, as NIST is the governing body working on the development of such cryptographic ciphers.
Encryption has a Price to Pay (and that is not Money only)
Encryption is a long and complicated procedure involving multiple layers of data encoding and decoding, authentication, and so on. It requires robust systems and a fast internet connection; otherwise you may suffer a poor or slow connection. Normally, all reliable and secure VPN services have little or no impact on your internet speed, but if you use a reduced connection speed, an old machine or a low-bandwidth connection, then you may suffer a slower connection while using a VPN.
VPN Encryption Process Summary
We started with a picture as an example to explain the whole procedure of VPN encryption and the terms used in it with the least possible technicality. I am confident I did it well, and that any non-technical person can understand the VPN process and the terms related to it after reading this article. It is time to sum things up and recommend a VPN encryption protocol and configuration (minimum and maximum) that are secure enough for your internet data privacy and security. Let’s first briefly summarize the core terms explained in the article:
| | VPN protocol | Handshake | Hash authentication | OpenVPN cipher |
|---|---|---|---|---|
| Definition | A set of instructions which secures a network | An algorithm used to establish a secure VPN connection | Creates a peculiar fingerprint to authenticate an SSL connection | The actual encryption algorithm used to encrypt your real data |
| Names | PPTP, L2TP/IPSec, OpenVPN, SSTP, IKEv2 | RSA-1024, RSA-2048, RSA-3072, RSA-4096, ECC, ECDH | SHA-1, SHA-256, SHA-3 | Blowfish-128, AES-128, AES-192, AES-256, Camellia-128, Camellia-192, Camellia-256 |
Recommendations for VPN Encryption
I am recommending two combinations of OpenVPN settings that you should opt for when selecting a secure VPN. The first is based on the minimum criteria (it is also secure and can be opted for when choosing a VPN), and the second is the most recommended and most secure level of VPN encryption you should look for in any VPN provider if you want high-level, unbeatable security and privacy.
Minimum Default OpenVPN Setting
Hash authentication: SHA-1
OpenVPN with Perfect Forward Secrecy (PFS)
VPN Protocol: OpenVPN with Perfect Forward Secrecy enabled
Hash authentication: SHA-1
Conclusion of VPN Encryption Terms (AES vs RSA vs SHA etc.)
We have explained the complicated and technical terms related to VPN encryption in easy, straightforward language so that every person trying to use or select a VPN service can understand the mechanism better and make the right choice. After reading this article, you are now able to recognise and differentiate among VPN protocols, handshakes, hash authentication and OpenVPN ciphers. We firmly believe that nothing (a VPN included) can be selected correctly until we know the basics of the thing we are going to select. Now you can easily look for the above recommended settings in VPN services and make your choice correctly for the best security and internet privacy.