A Complete Guide to VPN Encryption
Last Updated by Julia SJ on January 24, 2019
Table of Contents
- 01 What type of encryption does my VPN offer?
- 02 What is encryption?
- 03 Encryption and VPNs
- 04 How internet connection and data flow works
- 05 HTTP/HTTPS encryption and your ISP
- 06 How is VPN encryption different to HTTPS?
- 07 Is data encrypted with HTTPS on desktop and mobile apps?
- 08 How your data is being transmitted
- 09 Is VPN encryption really secure?
- 10 What do the different encryption levels mean?
- 11 Understanding the numbers: 128 vs 256 bit encryption
- 12 What is military-grade encryption?
- 13 What’s the difference between symmetric and asymmetric encryption?
- 14 VPN protocols available
- 15 So, what is the best VPN encryption and protocol to use?
The most notable feature of a Virtual Private Network (VPN) is encryption. The purpose of a VPN is to hide you on the internet, to make you invisible by encrypting your data. VPNs are one of the best security tools available today and are widely used by the masses. But do you know the complex ins and outs of VPN encryption?
A VPN encrypts the data running between your computer and its server, by extending a private network across a public network. It cuts out the middleman by enabling the user to share data between public or shared networks as if their computer were directly connected to the private network. Not only does a VPN increase and improve security but it can also be used to “leap frog” barriers, improve functionality and provide better overall management of a private network.
1 What type of encryption does my VPN offer?
There are a multitude of VPN service providers available providing an array of different encryption types. However, with so many possibilities and so many providing confusing and sometimes false claims, it can be difficult to pinpoint which one is right for you.
Therefore, our A Complete Guide to VPN Encryption aims to provide you with a greater understanding of the subject to help you analyze the claims made by VPN service providers. Read on to find out more…
2 What is encryption?
Encryption scrambles data into unreadable gibberish, so that nobody can understand it unless they hold the key to decipher it. A pair of keys (either the same key, or a matching pair, used for encryption and decryption) is typically shared between the sender and the recipient.
The standard definition of encryption is “the process of converting information or data into a code, especially to prevent unauthorized access.” The easiest way to describe it is by using the analogy of a lock – the only person able to open it holds the key.
It can be demonstrated by using the following example. You may want to send a message intended for very few eyes, like “the dog barks at midnight”, which would be encrypted into “148$%AsdjW34398J3Q(*(#q$wjklsaefQ(#$*02342kjsadf”. This information will be sent in encrypted form between one computer to another and can only be unscrambled (decrypted) by the intended target using the key.
3 Encryption and VPNs
The finer details of encryption are complex but can be best described in the following way.
During encryption, data is scrambled into a cipher by using an algorithm. It is highly unlikely that humans can crack sophisticated ciphers on their own, and even with the help of supercomputers they can be difficult to break. However, computers are getting faster and are managing to decipher older codes at a phenomenal rate. It’s therefore extremely important to ensure that you use a complex and sophisticated algorithm to limit the chances of your data being compromised.
Each VPN works differently, so it’s important to assess whether the encryption level offered by your VPN service provider is good enough to keep your data safe.
4 How internet connection and data flow works
Let’s take a look at how your internet traffic works. Imagine that your internet connection is a series of singular wires connected via servers, which your data travels across.
The network connection to your ISP may flow via a fiber connection to your house, or if you use a smartphone it will fly across the airwaves to 4G transmitters until it hits the ISP exchange. In the United States, your ISP might be Verizon, in Australia, perhaps Telstra. Every country has a variety of ISPs to choose from.
Your ISP is your connection point to the internet. It’s like a door to the internet – data can only get in and out through that door.
5 HTTP/HTTPS encryption and your ISP
You may have noticed that some websites are “HTTP” and some are “HTTPS”. That extra “S” stands for “secure”. When a website uses only the HTTP protocol, your ISP can see what website you’re visiting, plus everything that you and the website are exchanging. Not only this but anyone “listening in” at any point between your device and the ISP, or across the wider internet can see the traffic.
It’s recommended that you use a browser extension such as HTTPS Everywhere to block pure HTTP sites, even if you already use a VPN. This is especially important when connecting to public networks, like those provided by a cafe or airport.
With HTTPS, all the data sent and received between you and that website is encrypted (via an SSL/TLS connection which we’ll address in detail later). Because it’s encrypted, this means the data is scrambled so nobody except you and the destination can see what is being transmitted.
Great, right? Well, not really. The HTTPS protocol still allows your ISP (or any listeners) to figure out what website you are visiting and the amount of data you’re transferring.
Now, this is all in relation to just your browser traffic, i.e. Chrome, Firefox, Safari, etc. Apps on your phone/tablet and software on your laptop also access the internet – with varying degrees of security and protocols in place. Again, we’ll take a look at this a little more closely later on.
6 How is VPN encryption different to HTTPS?
A basic VPN is one server, where everything across the series of connections between your device and that server is encrypted (in theory at least), including a website’s address.
At this level, an ISP (and any listeners) can only determine that your traffic is going to that particular VPN server, and how much incoming and outgoing data is sent across that connection. They don’t know what is being sent, or the end destination. Similarly, on the way back in, they can only see the amount of data, the VPN server, and you, the destination.
With this in mind, you can see that it adds an extra layer to obscuring your web traffic. However, different VPNs use different encryption techniques, and may be required by law in some countries to follow certain rules about networking – which might mean that the VPN isn’t as secure as you are led to believe.
Now we’re going to delve deeper into the topic to help you uncover just how secure a VPN really is…
7 Is data encrypted with HTTPS on desktop and mobile apps?
Your internet browser is just one piece of software that relies on the internet; you’ll have plenty more apps installed on your desktop and mobile devices which also connect to the web. For instance, if you use the Facebook, WhatsApp, or Uber apps on your phone, they will all be connected to the internet. If you use iTunes, Minecraft, or VLC on your computer, these are also connected to the internet. Nowadays, most mobile and desktop apps need access to the internet to function.
Large desktop or mobile software houses send out regular updates to patch network vulnerabilities, but if you use less sophisticated software (or apps) then this might not be the case.
8 How your data is being transmitted
This 2015 report from Computer World discovered that chat data exchanged on OkCupid’s Android app was being sent without SSL/TLS in place – the same thing as having that open HTTP connection.
While in this 2018 report into stock trading platforms, it was found that nine desktop applications (out of a sample size of 16) were transmitting unencrypted data, such as “passwords, balances, portfolio, personal information and other trading-related data”, either over HTTP or via out-of-date protocols.
This sort of stuff is pretty scary. While it can be easy enough to strengthen your browser’s defenses by yourself, hardening desktop or mobile applications at an app level is close to impossible.
9 Is VPN encryption really secure?
If you were up-to-speed with the latest encryption news, you’d know that SSL was actually replaced in 2015 by TLS – a similar protocol (so why are Astrill still saying SSL?).
Many VPN services also offer the option to change the type of encryption you use. For example, there might be a toggle button that will allow you to switch between AES-256 or another type of encryption – allowing you a choice or a more up-to-date service.
10 What do the different encryption levels mean?
So, what’s the difference between AES-128 and AES-256? What is OpenVPN? SSL-256? What does it mean when a VPN touts military-grade encryption?
Usually, when we’re talking encryption, those letters mentioned above, particularly when followed by a number, will refer to the standard algorithm used. AES, for instance, stands for Advanced Encryption Standard. Other times, we may be talking about the VPN protocol used (see the below section: Understanding VPN protocols).
The standard algorithm used is also referred to as the cipher – a complex mathematical scrambling method. How strong an encryption method is depends on the strength of this algorithm, whether it has any flaws or vulnerabilities, or whether other mathematicians can complete the problem faster than just guessing over and over again.
For instance, the Blowfish cipher, which for a time was a popular encryption algorithm, was found to have a vulnerability that exploits the Birthday Problem – an interesting paradox from probability theory.
11 Understanding the numbers: 128 vs 256 bit encryption
You’ll notice a number alongside most encryption standards that you come across – e.g. AES-128 vs AES-256. That number is the bit length of the key used to decrypt your data. A 128-bit key means 2^128 guesses to figure out the key. It’s a lot. Even the world’s biggest, fastest computers are yet to crack that sort of key length (in AES) by brute force (aka continuous guessing). When it’s 256-bit AES, that makes it 2^256 guesses.
A Brute Force Attack is the easiest way to gain access to anything protected with a password. It tries usernames and passwords in quick succession until it gains access, and the easiest way to avoid having your information deciphered is by using a complicated algorithm.
You also have RSA encryption, which at 2048 bits would be around equivalent to the time taken to break the 128 bit AES. What’s the difference between the two? AES is hardened against these Brute Force Attacks – which means it would take longer. The answer is to choose the longest encryption key possible.
There is plenty of talk about governments being able to crack longer-length encryption standards, by having mathematicians try to work out the cipher behind the standard, a practice known as cryptanalysis. This Wired piece from 2013 hints at what’s going on behind the scenes at the NSA in relation to the practice.
Basically, as computers get faster and more powerful (using Moore’s law, processing power doubles every two years), the more likely these keys will be able to be cracked – if agencies haven’t managed to derive the keys already. There’s also the looming threat of quantum computing, which will be able to solve certain problems (such as Brute Force Attacks) within an instant of the time taken by traditional supercomputers.
12 What is military-grade encryption?
Well, you’ll need to fact check which military-grade your VPN is talking about for a start – and which year the encryption was applied.
Unless your VPN says which military and what sort of classification levels their encryption is valid for – and whether it’s a current military encryption standard – it’s best to take labels of “military-grade” encryption with a pinch of salt.
13 What’s the difference between symmetric and asymmetric encryption?
You may have already heard of these two terms – symmetric and asymmetric (aka public-key) encryption – when describing encryption algorithms. A simple way to think of it is in the following terms:
- Symmetric: the same (private) key is used for encryption and decryption. With symmetric encryption, sharing this private key between two parties securely can be difficult.
- Asymmetric: different keys are used for encryption and decryption (a public key and a private key). With asymmetric encryption, you use a person’s public key to encrypt a message for them. Only they have the private key to unscramble (decrypt) the message.
So why not use asymmetric all the time? Why is AES symmetric? Because asymmetric encryption takes a lot of time – it’s as simple as that. At this point in time, AES with its symmetric design is “good enough”.
If you’d like an explanation of the math behind AES, check out this cartoon.
14 VPN protocols available
A VPN protocol refers to how your VPN service provider has built their product (or how you want to build your own VPN), which underlying data exchange structure is used and what it offers in terms of functionality. Some commercial VPNs offer you the choice of which protocol you wish to use, like ExpressVPN.
Below is a list of VPN protocols available. It’s not an exhaustive list but gives you an idea of the fastest and most widely used on the market today.
OpenVPN is an open source VPN product currently behind many of the world’s largest VPN providers. OpenVPN is an industry stalwart, as it is reliable, fast, trustworthy, and runs on all systems. OpenVPN implementations run AES-256-CBC encryption by default (on new products); however, this can be set to DES-CBC, RC2-CBC, DES-EDE-CBC, DES-EDE3-CBC, DESX-CBC, BF-CBC, RC2-40-CBC, CAST5-CBC, RC2-64-CBC, AES-128-CBC, AES-192-CBC or AES-256-CBC (via OpenVPN).
PPTP refers to Microsoft’s Point-to-Point Tunneling Protocol, an outdated VPN implementation method. This protocol’s encryption is known to be broken, and as such should not be used if you are concerned about high security. That being said, this protocol offers fast connections, due to its weak encryption, and works across Windows/Linux/Mac desktop and mobile operating systems.
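As an added example (not code from this guide or from the OpenVPN project), here is a small checker that reads the `cipher` directive from an OpenVPN client config and flags the two weaknesses discussed earlier: 64-bit block ciphers such as Blowfish (the Birthday Problem issue from section 10) and keys shorter than 128 bits (section 11). The two sample configs are constructed, one with the weak setting and one corrected; the block and key sizes in the table are the standard nominal values for each algorithm, not figures from the article.

```python
"""Audit the 'cipher' directive of an OpenVPN client config (added example)."""

# Nominal block size and key length, in bits, for the cipher names the guide lists.
# Blowfish (BF) takes a variable-length key; 128 bits is OpenSSL's default for it.
CIPHERS = {
    "DES-CBC": (64, 56),       "DES-EDE-CBC": (64, 112),  "DES-EDE3-CBC": (64, 168),
    "DESX-CBC": (64, 184),     "BF-CBC": (64, 128),       "RC2-CBC": (64, 128),
    "RC2-40-CBC": (64, 40),    "RC2-64-CBC": (64, 64),    "CAST5-CBC": (64, 128),
    "AES-128-CBC": (128, 128), "AES-192-CBC": (128, 192), "AES-256-CBC": (128, 256),
}

def birthday_bound_bytes(block_bits):
    """Bytes after which a repeated ciphertext block is expected under one key:
    2**(block/2) blocks of block/8 bytes each (the birthday problem)."""
    return 2 ** (block_bits // 2) * (block_bits // 8)

def audit_cipher(name):
    """Return a list of findings for one cipher name (empty list = no issue)."""
    if name not in CIPHERS:
        return [f"{name}: not in the table, review by hand"]
    block, key = CIPHERS[name]
    findings = []
    if block <= 64:
        gib = birthday_bound_bytes(block) / 2**30
        findings.append(f"{name}: {block}-bit block, repeats expected after ~{gib:.0f} GiB per key")
    if key < 128:
        findings.append(f"{name}: {key}-bit key is below the 128-bit floor")
    return findings

def audit_config(text):
    """Find the 'cipher' directive in an OpenVPN config and audit it.
    Returns (cipher_name_or_None, findings); the last occurrence wins in this checker."""
    cipher = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # OpenVPN comment lines
            continue
        parts = line.split()
        if parts[0].lower() == "cipher" and len(parts) > 1:
            cipher = parts[1].upper()
    if cipher is None:
        return None, ["no 'cipher' directive: the default depends on the OpenVPN version "
                      "(BF-CBC before 2.4), so set it explicitly"]
    return cipher, audit_cipher(cipher)

# Constructed sample configs: the weak setting and the corrected one.
WEAK_CONF = "client\ndev tun\nproto udp\nremote vpn.example.net 1194\n# 64-bit block cipher\ncipher BF-CBC\nauth SHA1\n"
HARDENED_CONF = WEAK_CONF.replace("cipher BF-CBC", "cipher AES-256-CBC")

if __name__ == "__main__":
    for conf in (WEAK_CONF, HARDENED_CONF):
        name, findings = audit_config(conf)
        print(name, findings or "OK")
```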
L2TP/IPsec refers to the combination of Layer 2 Tunneling Protocol + Internet Protocol Security, and works natively across all Windows/Linux/Mac desktop and mobile devices. This is another implementation similar to OpenVPN (but known to be slower in performance), by which we mean there are a variety of different encryption algorithms available to choose from, such as AES-256 and 3DES. 3DES is now considered inferior to AES for new VPN implementations.
The Secure Socket Tunneling Protocol (SSTP) is a Microsoft product again, so offers native support on Microsoft desktop systems (not mobile). This product is somewhat outdated, appearing mainly in remote access Windows-to-Windows configurations.
IKEv2 is a protocol used in IPSec that refers to the way that security associations and key exchanges are performed. The IKEv2 encrypted payload recommends encrypting with AES-128 CBC. When using IPSec, IKEv2 should be used over the deprecated IKE.
WireGuard is an up-and-coming protocol that may soon shoot ahead of the current most-used choice, OpenVPN. It implements virtual private network techniques to provide secure bridged or routed configurations, and offers better security options than its rivals.
15 So, what is the best VPN encryption and protocol to use?
Currently, AES-256 is deemed “good enough” to be the encryption standard of choice. The complexity of the algorithm means even with discovered vulnerabilities it would take years to crack the code using supercomputers running at full speed with brute-force.
OpenVPN is the current leader in the VPN protocol space, although switching to other protocols in some cases could work out better. Although we provide details of the best options, you must do your research to determine what is the right one for you.
Considering that this is a changing landscape and computing power is increasing, it’s safe to say that “the best VPN and protocol to use” right now might be different to what is prominent in a few years’ time.