How do VPNs work? Explain VPN encryption and tunnel

Encryption is the process of turning plaintext data into a secret code that is readable only by someone who knows how to decrypt it.

The purpose of encryption is to prevent unwanted individuals from being able to read your messages.

VPNs use encryption to hide the details of your browsing activity as it travels between your device and the VPN server.

Using a VPN prevents ISPs, governments, WiFi administrators, hackers, and any intrusive third party from spying on your connection.

But how does it actually work? How does a VPN encrypt and secure your data?

In the rest of this section, we’ll take a closer look at the different components and processes that make up a VPN’s encryption, starting with the encryption cipher.

Encryption cipher

To turn your online activity into incomprehensible code, VPNs need to use an encryption cipher.

A cipher is just an algorithm (i.e. a set of rules) that encrypts and decrypts data.

Example: A very simple cipher might encrypt your data using the rule “swap each letter in the message for the one preceding it in the alphabet”. Under that rule, privacy becomes oqhuzbx.

Ciphers are usually paired with a specific key length. In general, the longer the key, the more secure the encryption. For example, AES-256 is considered more secure than AES-128.
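To make the two points above concrete, here is the article's letter-shifting rule written out as a cipher with a key. This is an added example, not code from the original article: the key is the number of positions each letter moves (the article's rule is key 1), and the brute-force helper shows why such a small key space offers no protection, which is the reason longer keys matter for real ciphers like AES.

```python
# Added example (not from the original article): a shift cipher like the one
# described above, where the "key" is how many positions each letter moves.
import string

ALPHABET = string.ascii_lowercase


def shift_encrypt(plaintext: str, key: int) -> str:
    """Replace each letter with the one `key` positions earlier in the alphabet.
    Non-letters are left untouched; letters wrap around (a -> z when key=1)."""
    out = []
    for ch in plaintext.lower():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) - key) % 26])
        else:
            out.append(ch)
    return "".join(out)


def shift_decrypt(ciphertext: str, key: int) -> str:
    """Decryption is the same rule applied with the key negated."""
    return shift_encrypt(ciphertext, -key)


def brute_force(ciphertext: str) -> dict:
    """A shift cipher has only 25 non-trivial keys, so every candidate
    plaintext can be listed at once. A larger key space (a longer key) is
    what makes this approach infeasible against a modern cipher."""
    return {k: shift_decrypt(ciphertext, k) for k in range(1, 26)}


if __name__ == "__main__":
    ct = shift_encrypt("privacy", 1)
    print(ct)                      # oqhuzbx, the example from the article
    print(shift_decrypt(ct, 1))    # privacy
    for key, guess in brute_force(ct).items():
        print(key, guess)
```

The cipher itself (the rule) is public; only the key is secret, and with 25 possible keys the secret is worthless. AES-128 has 2^128 keys and AES-256 has 2^256, which is the gap the article's key-length advice is about.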

The most common ciphers in VPN services are:

1 Advanced Encryption Standard (AES)

The Advanced Encryption Standard (AES) is one of the most secure ciphers available. It is the gold standard for online encryption protocols, and it is widely used in the VPN industry.

Adopted by the US National Institute of Standards and Technology (NIST) in 2001, AES is also sometimes known as the Rijndael algorithm. It is designed to handle larger files than other ciphers, such as Blowfish, thanks to its larger block size.

AES is typically available in 128-bit and 256-bit key lengths. While AES-128 is still considered secure, we know that organizations like the NSA are constantly trying to undermine encryption standards. As such, AES-256 is preferred because it likely provides much greater protection.

When you read about ‘military-grade’ or ‘bank-grade’ encryption on a VPN service’s website, it generally refers to the use of AES-256. The US government uses AES-256 encryption to secure its sensitive data, and it is something we look for when testing and reviewing VPNs.

2 Blowfish

Blowfish is a cipher designed by American cryptographer Bruce Schneier in 1993. It used to be the default cipher for most VPN connections, but it has now been largely replaced by AES-256.

You’ll typically see Blowfish used with a key length of 128 bits, although it can range from 32 bits to 448 bits.

Blowfish has some weaknesses. The most famous is its vulnerability to a cryptographic attack known as the “birthday attack”. For this reason, Blowfish should only be used as a fallback to AES-256.

3 ChaCha20

Published in 2008 by Daniel Bernstein, ChaCha20 is a relatively new cipher in the VPN world. Despite this, it is growing in popularity, as it is the only cipher compatible with the emerging WireGuard protocol.

Like AES, ChaCha20 uses a 256-bit key, which is considered very secure. It is also reported that ChaCha20 is three times faster than AES.

There are currently no known vulnerabilities in ChaCha20, and it offers a welcome alternative to AES as cryptographic technologies look to meet the challenge of quantum computing in the not-too-distant future.

4 Camellia

Camellia is a cipher very similar to AES in terms of security and speed. Even with its smaller key length option (128 bits), it is believed to be impossible to crack by brute force with current technology. There are no known successful attacks that effectively weaken the Camellia cipher.

The main difference between Camellia and AES is that Camellia is not endorsed by NIST, the US organization that created AES.

While there is certainly an argument for using a cipher that is not tied to the US government, Camellia is rarely available in VPN software, and it has not been as thoroughly tested as AES.

Summary: A VPN should not use anything less than AES-256 encryption to encrypt your data. ChaCha20 and Camellia are both secure alternatives, but a VPN should at least give you an AES option.

VPN protocols

VPN protocols are the rules and processes that your device follows in order to establish a secure connection to a VPN server.

In other words, the VPN protocol defines how the VPN tunnel is formed, while the encryption cipher is used to encrypt the data that flows through that tunnel.

Depending on the protocol used, a VPN will have different speeds, capabilities, and vulnerabilities. Most services will let you choose which protocol you’d like to use within the app’s settings.

There are many VPN protocols available, but not all of them are safe to use. Here is a quick overview of the most common:

  • OpenVPN: Open source, highly secure, and compatible with almost all VPN-enabled devices.
  • WireGuard: Very fast and very efficient, but it has not yet earned everyone’s trust in the VPN industry due to its recent release.
  • IKEv2/IPsec: An excellent closed-source protocol for mobile VPN users, but suspected of having been hacked by the NSA.
  • SoftEther: Not supported by many VPN services, but it’s fast, secure and great for bypassing censorship.
  • L2TP/IPsec: A slower protocol that is also suspected of having been hacked by the NSA.
  • SSTP: It handles firewalls well, but it is closed source and potentially vulnerable to man-in-the-middle attacks.
  • PPTP: It is outdated, unsafe and should be avoided at all costs.

Learn more: For a more in-depth look at the different types of VPN protocols, and to find out which are the best, read our full VPN protocols guide.

VPN handshake

In addition to protocols and ciphers, VPNs also use processes known as handshakes and hash authentication to further secure and authenticate your connection.

A handshake refers to the initial communication between two computers. It is a greeting in which both parties acknowledge each other and the rules of communication are established.

During the VPN handshake, the VPN client (i.e. your device) establishes an initial connection to the VPN server.

This connection is then used to securely share the encryption key between the client and server. This key is what is used to encrypt and decrypt data at either end of the VPN tunnel for the entire browsing session.

The VPN handshake tends to use the RSA (Rivest-Shamir-Adleman) algorithm. RSA has been the basis for Internet security for the past two decades.

Although there is no strong evidence yet of an RSA-1024 hack, it is generally considered a security risk given the processing power available today.

RSA-2048 is a safer alternative and comes with relatively little computational slowdown. As such, most VPN services have moved away from using RSA-1024.

You should only trust VPN services that use RSA-2048 or RSA-4096.

Although the handshake process works well and produces secure encryption, every session it generates can be decrypted using the private key used in the RSA handshake. In this sense, that key is similar to a ‘master key’.

If the master key is compromised, it can be used to decrypt every secure session on that VPN server, past or present. The attacker can then access all the data that flows through the VPN tunnel.

To avoid this, we recommend using VPN services that are set up with Perfect Forward Secrecy.

Perfect Forward Secrecy

Perfect Forward Secrecy is a protocol feature that uses either the Diffie-Hellman (DH) or Elliptic Curve Diffie-Hellman (ECDH) key exchange algorithm in order to generate temporary session keys.

Perfect Forward Secrecy ensures that the encryption key is never exchanged over the connection.

Instead, the VPN server and VPN client independently generate the key themselves using the DH or ECDH algorithm.

It’s a mathematically complex process, but Perfect Forward Secrecy essentially removes a single private key threat that, if compromised, exposes every secure session hosted on the server.

Instead, the keys are temporary. This means that they can only reveal one specific session, and nothing more.

It should be noted that RSA alone cannot provide Perfect Forward Secrecy. DH or ECDH must be included in the RSA cipher suite for it to be implemented.

ECDH can actually be used on its own – rather than RSA – to establish a secure VPN connection with Perfect Forward Secrecy. However, be wary of VPN services that use DH alone, as they are prone to cracking. This is not a problem when used with RSA.

Our top three recommended VPN protocols – OpenVPN, WireGuard, and IKEv2 – all support Perfect Forward Secrecy.
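The handshake and Perfect Forward Secrecy sections above describe the idea in words; here is the Diffie-Hellman exchange itself, as an added example that is not code from the original article. It simulates both the client and the server: each picks a fresh private value per session, only public values cross the network, and both sides derive the same session key. The prime used is a toy-sized one chosen for readability (an assumption of this example, not a real VPN parameter); real deployments use standardised 2048-bit or larger groups, or elliptic curves (ECDH).

```python
# Added example (not from the original article): ephemeral Diffie-Hellman as
# used for Perfect Forward Secrecy. Each side keeps a private value, swaps
# only public values, and both arrive at the same shared secret. The private
# values are discarded after the session, so a later compromise of the
# server's long-term (RSA) key cannot recover this session's key.
import hashlib
import secrets

# Toy-sized parameters for readability only (a 127-bit Mersenne prime).
# Real deployments use standardised 2048-bit+ groups or elliptic curves.
P = 2**127 - 1
G = 2


def dh_private() -> int:
    """Fresh random private exponent; generated per session, never reused."""
    return secrets.randbelow(P - 2) + 2


def dh_public(priv: int) -> int:
    """Public value g^priv mod p; safe to send over the untrusted network."""
    return pow(G, priv, P)


def dh_shared_secret(priv: int, peer_pub: int) -> int:
    """peer_pub^priv mod p; equal on both sides because (g^a)^b == (g^b)^a."""
    if not 1 < peer_pub < P - 1:
        raise ValueError("peer public value out of range")
    return pow(peer_pub, priv, P)


def session_key(shared: int, transcript: bytes) -> bytes:
    """Derive a 256-bit session key by hashing the shared secret together
    with the handshake transcript (a simplified stand-in for a real KDF)."""
    return hashlib.sha256(shared.to_bytes(16, "big") + transcript).digest()


def run_handshake(client_priv: int, server_priv: int,
                  transcript: bytes = b"demo-transcript") -> tuple:
    """Simulate both ends of the exchange; return (client_key, server_key)."""
    client_pub = dh_public(client_priv)          # sent client -> server
    server_pub = dh_public(server_priv)          # sent server -> client
    client_key = session_key(dh_shared_secret(client_priv, server_pub), transcript)
    server_key = session_key(dh_shared_secret(server_priv, client_pub), transcript)
    return client_key, server_key


if __name__ == "__main__":
    # Two consecutive sessions: same long-term identities, different ephemeral
    # values, so the two session keys are unrelated to one another.
    k1 = run_handshake(dh_private(), dh_private())
    k2 = run_handshake(dh_private(), dh_private())
    print("session 1 agrees:", k1[0] == k1[1])
    print("session 2 agrees:", k2[0] == k2[1])
    print("sessions differ:", k1[0] != k2[0])
```

The key never travels over the connection, which is the property the article is describing: an observer who records the traffic sees only the two public values, and the private values that would turn them into the session key no longer exist once the session ends. In a real protocol the server also signs its public value (for example with its RSA key) so the client knows whom it is agreeing a key with; that signature authenticates the exchange but does not let the signing key decrypt it.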

Hash authentication

Secure Hash Algorithms (SHA) are used to authenticate the integrity of transmitted data and client-server connections. They ensure that information is not altered in transit between the source and destination.

SHAs work by transforming the source data using what is known as a hash function. The original message is run through an algorithm, and the result is a fixed-length string of characters that looks nothing like the original. This is known as the “hash value”.

It’s a one-way function: you can’t run the hashing process in reverse to recover the original message from the hash value.

Hashing is useful because changing just one character of the input data will completely change the hash value produced by the hash function.

During the VPN connection, the VPN client runs the data received from the server, along with the secret key, through the agreed-upon hash function.

If the hash value generated by the client differs from the hash value in the message, the data will be discarded as the message has been tampered with.

SHA hash authentication prevents man-in-the-middle attacks because it is able to detect any tampering with a valid certificate.

Without it, a hacker can impersonate a legitimate VPN server and trick you into connecting to an unsecured server, where your activity can be monitored.

To ensure maximum security, we recommend using VPN services that use SHA-2 or higher. SHA-1 has demonstrated vulnerabilities that can compromise security.
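The keyed-hash check described in this section, as an added example that is not code from the original article. It uses HMAC with SHA-256 (a SHA-2 function, in line with the recommendation above): the sender computes a tag over the message and the shared secret key, the receiver recomputes it and compares in constant time, and any change to the message, or any tag produced without the key, is rejected. The key and packet contents are constructed sample values; a real VPN derives the key during the handshake. The last function measures the one-character avalanche effect the section mentions.

```python
# Added example (not from the original article): authenticating a message
# with HMAC-SHA256, the way a VPN verifies that data was not altered in
# transit, plus the one-character avalanche effect the article describes.
import hashlib
import hmac

# Constructed sample key; a real VPN derives this during the handshake.
SHARED_KEY = b"constructed-demo-key-not-for-real-use"


def tag_message(key: bytes, message: bytes) -> bytes:
    """Sender side: hash the message together with the secret key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_message(key: bytes, message: bytes, tag: bytes) -> bool:
    """Receiver side: recompute the tag and compare in constant time so the
    comparison itself does not leak how many bytes matched."""
    return hmac.compare_digest(tag_message(key, message), tag)


def differing_bits(a: bytes, b: bytes) -> int:
    """Count bit positions where two equal-length digests differ."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche(m1: bytes, m2: bytes) -> int:
    """How many of SHA-256's 256 output bits change between two inputs."""
    return differing_bits(hashlib.sha256(m1).digest(), hashlib.sha256(m2).digest())


if __name__ == "__main__":
    packet = b"GET /account HTTP/1.1"          # constructed sample payload
    tag = tag_message(SHARED_KEY, packet)
    print("genuine packet accepted:", verify_message(SHARED_KEY, packet, tag))

    # A message altered in transit no longer matches the tag that came with it.
    tampered = b"GET /admin   HTTP/1.1"
    print("tampered packet accepted:", verify_message(SHARED_KEY, tampered, tag))

    # Without the shared key, no valid tag can be produced for new content.
    forged = tag_message(b"wrong key", tampered)
    print("tag made without the key accepted:", verify_message(SHARED_KEY, tampered, forged))

    print("bits changed by a one-character edit:", avalanche(b"privacy", b"privacz"))
```

Two details matter for the guarantee the article describes. The key must be part of the hash input (that is what makes it an HMAC rather than a plain checksum); a bare SHA-256 over the data would let anyone who alters the packet simply recompute the hash. And the comparison should be constant-time (`hmac.compare_digest`), because a byte-by-byte early-exit comparison can leak, through timing, how much of a guessed tag is correct.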
