VPN Encryption Explained

Learn about Encryption Types and Algorithms

How Encryption Works

Anyone intending to use a VPN is interested in encrypting the data leaving their devices. Encryption converts that data into an unreadable format called ciphertext, so hackers and other attackers who intercept the transmission cannot make sense of it. Only an authorized user can decrypt it back to its readable form, known as plaintext.

Encryption in VPNs

Encryption in virtual private networks comes in two types – site-to-site and remote access. Site-to-site VPN, also known as router-to-router, encrypts data exchanged between two or more locations. These locations have the software or router that passively encrypts and decrypts data exchanged as it goes in and out of the local network. Businesses with different office locations use this type of encryption for their virtual private networks. In this way, there’s no need to build physical connections to create a private and secure network.

As for remote access, VPN users have client software on their devices to connect to the network. This software encrypts outgoing data and builds a tunneled connection to the network access server (NAS). The NAS authenticates the user's credentials through the software and its database. The network access server can then channel the connection to the internet or to an intranet. Remote-access VPNs are the ones offered by various VPN providers for personal use. Businesses also use them to give remote employees access to their internal networks.

Two Kinds of Encryption Algorithms

Encryption uses algorithms to make data unreadable. Without the algorithm, data it has made unreadable cannot be converted back to its original form. In a way, algorithms serve as the key that locks and unlocks the door keeping data private. VPNs can encrypt data with two kinds of algorithm.

Symmetric-key Encryption

This is the simplest and oldest way of encrypting data. It uses the same key to encrypt and decrypt information. This key can be a number, a word, a letter combination, or an alphanumeric combination. Symmetric-key encryption uses key sizes of 128, 192, and 256 bits.

Symmetric-key encryption uses stream ciphers or block ciphers to encrypt data. A stream cipher encrypts data by combining each plaintext bit with the corresponding bit of a prearranged sequence known as the keystream. A block cipher divides the data into fixed-size blocks of bits and encrypts each plaintext block into its corresponding ciphertext block under the key.

This encryption method is the fastest way to encrypt and decrypt data, which means less processing power is required while sending and receiving data through a VPN.

However, symmetric-key encryption requires the key to be shared so that the receiver can decrypt the ciphertext. This key remains constant until the user changes their VPN password.

This means all encrypted data can be exposed as long as the password remains unchanged. This is why it is recommended to change passwords after every session or a set period of time.

Advanced Encryption Standard (AES): Formerly known as the Rijndael cipher, it is a block cipher developed in 1998. It encrypts plaintext using 10 to 14 rounds, depending on the key length.

Blowfish: A cipher developed by security expert Bruce Schneier in 1993. It is a block cipher with a key length ranging from 32 to 448 bits.

Asymmetric-key Encryption

Asymmetric-key encryption, or public-key encryption, uses one key to encrypt data and a different key to decrypt it. The first, known as the public key, can be obtained by anyone who needs to send data. The second, known as the private key, is held only by its owner.

The two keys are related mathematically in such a way that the private key can decrypt the ciphertext, while the public key is unable to decrypt what it encrypted. The values used to derive the keys make it impossible to work out the private key from the public key. RSA encryption, the most common asymmetric encryption, uses 2048-bit or 4096-bit keys, which can have 2^2048 possible combinations.

Because of the length of the keys involved, asymmetric-key encryption is slow and inefficient. For this reason the method is generally used only for the VPN handshake, which occurs at the start of a session so that the user's device and the VPN server can exchange keys.
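The handshake flow just described, as an added illustration that is not code from the original article: a textbook RSA key pair wraps a symmetric session key once, and that session key then drives a keystream XOR (a stream cipher) for the bulk data. The primes, public exponent, session value, and the SHA-256 counter keystream are all toy choices made for readability, not parameters of any real VPN.

```python
import hashlib
from math import gcd


def rsa_keypair(p=61, q=53, e=17):
    """Textbook RSA over two tiny primes (assumed, illustrative values).
    Returns (public_key, private_key) as (exponent, modulus) pairs."""
    n = p * q
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "public exponent must be coprime to phi(n)"
    d = pow(e, -1, phi)          # private exponent: modular inverse of e
    return (e, n), (d, n)


def rsa_apply(key, value):
    """Raise value to the key's exponent modulo n (encrypt with public, decrypt with private)."""
    exponent, n = key
    return pow(value, exponent, n)


def keystream(key: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256 over (key || counter), concatenated until long enough."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Stream-cipher step: XOR each data byte with the matching keystream byte.
    The same call both encrypts and decrypts, which is the symmetric-key property."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def hybrid_session(message: bytes, session_secret: int = 1234) -> dict:
    """Wrap a session secret with RSA (handshake), then encrypt bulk data symmetrically."""
    public_key, private_key = rsa_keypair()
    wrapped = rsa_apply(public_key, session_secret)      # client sends this to the server
    public_attempt = rsa_apply(public_key, wrapped)      # public key cannot undo itself
    unwrapped = rsa_apply(private_key, wrapped)          # only the private key recovers it
    sym_key = unwrapped.to_bytes(2, "big")               # secret < n = 3233 fits in 2 bytes
    ciphertext = stream_xor(sym_key, message)            # bulk data: fast symmetric path
    return {"unwrapped": unwrapped, "public_attempt": public_attempt,
            "ciphertext": ciphertext, "plaintext": stream_xor(sym_key, ciphertext)}
```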

Decryption Efforts on VPN Encryption

Government agencies and spy alliances run massive VPN decryption efforts. These organizations aim to decrypt and exploit 100% of encrypted traffic worldwide. Although their efforts are nowhere near this goal, there is still a risk involved, since the National Security Agency has reported decent results.

To counter these attacks, it is recommended to use VPN providers with hash authentication. It is also recommended to use longer keys and to change to a new key after every session.