VPN Encryption and Protocols

October 16, 2019

Introduced in the market about two decades ago, VPNs have matured enough to be the cornerstone of modern technology. Most people probably know that a VPN assigns users a new IP address and reroutes online traffic through a secure tunnel. But what may not be clear are the features that determine how secure your tunnel is. And that brings us to the topic of VPN encryption and protocols.

Perhaps the most prominent feature of a VPN is encryption. Without encryption, a VPN service would be useless. It is what stands between you and ISP monitoring, government surveillance, and cyber-attacks. So, you shouldn’t take it lightly.

While most of us may know the importance of a VPN and how it works, you can easily get lost in the fine details of this technology. So, in the next section of this reference guide, we will discuss the nitty-gritty about VPN encryption and protocols, including clarifying mysteries about the following topics.

What Is VPN Encryption

Put simply, VPN encryption involves converting data from its original state to an unreadable format so that no one else can understand it. You could use encryption to secure files on your device or emails you send to colleagues.

At the basic level, encryption involves substituting numbers and letters to encode data in a way that an unauthorized party cannot access or understand it. VPNs usually use powerful algorithms known as ciphers to perform encryption and decryption. The operation of a cipher relies on a piece of auxiliary information referred to as a key. It is impossible to decrypt the data without knowledge of the key.

So, when we talk about encryption, it basically refers to a combination of key length and cipher. Here, the key length denotes the number of bits in that specific key. For instance, a 128-bit cipher like Blowfish has a key length of 128 bits. Similarly, the AES-256 cipher has a 256-bit key length and is usually considered stronger than a 128-bit cipher.

Types of Encryption and Key Encryption Concepts

01

Symmetric-Key Encryption:

In symmetric-key encryption, your devices share the same key to both encrypt and decrypt data. In this arrangement, both parties must have the same key to communicate. Luckily, modern computers use 256-bit keys – the current gold standard – so a brute-force attack on this key space is infeasible.

02

Public-Key Encryption:

For public-key encryption (asymmetric encryption), each computer has a public-private key pair. On one end, a computer uses a private key to encrypt data, and on the other end, another computer uses the corresponding public key to decrypt that data.

SSL and TLS

If you regularly browse the web, then you have most likely seen HTTPS in your browser’s address bar. The security protocol used here is Transport Layer Security (TLS), which relies on the older Secure Sockets Layer (SSL). SSL uses a combination of symmetric and public-key encryption to protect your data. Your browser uses asymmetric encryption to communicate with the page’s server and then shares symmetric keys that are used to encrypt the communication.

While this setup is very convenient, it is easy for a hacker to decrypt a secure session. A better way to address this problem is to use Perfect Forward Secrecy.

Perfect Forward Secrecy (PFS)

PFS is a system in which a new and unique private encryption key is created for each session. The key is discarded at the end of the session, so the server will remain secure even if an attacker compromises a session’s private key.

Handshake Encryption

To securely connect to a VPN server, you need to use public-key encryption through a TLS handshake. Here, the handshake secures your connection, while a cipher secures your data.

Most VPNs achieve this via the RSA (Rivest-Shamir-Adleman) algorithm. RSA-1024 has been used for a while now, but a malicious party can crack it. So, for the best protection, go for RSA-2048.

Secure Hash Algorithm (SHA)

The Secure Hash Algorithm (SHA), also referred to as HMAC, is a cryptographic hash function that validates data and SSL/TLS connections. VPN providers use SHA to verify and authenticate the data integrity of a message. This way, no cybercriminal can interfere with any data that flows between the VPN server and the VPN client.

Why Should You Care about VPN Encryption?

You probably know that your personal information is a gold mine for corporations and governments. So, as you sit on your comfy chair, you should be aware that a million eyes are prying on you. One of the most effective cures to privacy worries is a VPN. And as we mentioned earlier, the VPN’s primary weapon against the prying eyes lies in its encryption.

To this point, we hope we have done a great job explaining the nitty-gritty of VPN encryption. But we can still expand that knowledge a bit.

VPN Protocols

VPN software usually comes loaded with several protocols. The term protocol may sound too technical, but it is just the way data is transmitted over a network. In short, it is a set of rules that VPN providers use to negotiate a secure connection between a VPN server and a VPN client. Before we dive deep into VPN protocols, let’s cover the basics.

While each protocol connects your data to the VPN server, the method in which the data is sent will vary. So, when you choose a distinct protocol, you instruct your VPN service to handle your data in a particular manner. Some protocols prioritize security, while others focus on performance.

Outbyte VPN offers different protocols to guarantee reliable encryption between your device and the server location you choose. In most cases, you can switch between different protocols, but for optimal speed and security, it is better to stick with the automatic configuration.

Types of VPN Protocols

As mentioned above, the level of privacy and security you get from your VPN service depends on the protocol you use to protect your data. We will discuss the main protocols offered by VPN services.

01

Point-to-Point Tunneling Protocol (PPTP)

PPTP is one of the oldest protocols offered by VPN services, and it relies on various authentication methods to provide protection. It encrypts data by creating a secure tunnel and transferring data through it. This protocol has almost universal cross-platform compatibility and is easy to set up. Having been around for a while, PPTP supports thousands of devices and operating systems. It supports up to 128-bit encryption.

PPTP is a product of a Microsoft-led consortium. Its developers designed it for creating a VPN over dial-up networks. So, it has long been the standard protocol for corporate networks. Due to its lower level of encryption, this protocol is faster than its modern, strongly-encrypted counterparts.

When do you use PPTP? It is an ideal protocol for bandwidth-intensive use like streaming content. The only problem with this protocol is that it is insecure. Since its introduction in the late 90s, several security vulnerabilities have arisen. So, it is better to use L2TP/IPsec since it is more secure and has the same advantages as PPTP.

02

L2TP/IPsec

So, when do you use L2TP/IPsec? This protocol is an excellent choice for average users who want a reasonable level of security with decent performance, but don’t want to stress themselves with compatibility issues.

On its own, it might not provide much confidentiality to the traffic that goes through it. Luckily, you can pair L2TP with other authentication suites. The most common pairing with this protocol is another security protocol suite known as Internet Protocol Security (IPsec). Some providers may label it as L2TP, but it is actually L2TP/IPsec.

In this pair, IPsec is the one that handles the authentication between your device and the VPN server. On top of this, IPsec has the technology to secure your data packets with the highest encryption levels.

The pair can use either the AES or 3DES encryption standards. The latter is usually vulnerable to Sweet32 and meet-in-the-middle collision attacks, so most VPNs don’t use it anymore. Luckily, 256-bit AES is resistant to brute-force cracking with any current computer technology.

L2TP can be a bit slower than PPTP since it encapsulates data twice. But the fact that encryption/decryption occurs within the kernel makes it a little faster than OpenVPN. The only drawback with L2TP/IPsec is that it uses a limited number of ports. For this reason, the protocol is somewhat easy to block.

Layer 2 Tunneling Protocol (L2TP) is about as old as PPTP, but it has not been a victim to many security vulnerabilities. So, we can say it is safer. L2TP is compatible with almost all modern VPN-capable devices and operating systems.

03

Secure Socket Tunneling Protocol (SSTP)

SSTP is superior to both L2TP and PPTP because of its robust encryption. It doesn’t suffer from the VPN-blocking vulnerability that is usually associated with L2TP. Like OpenVPN, there are many good things to say about SSTP, which we will cover shortly.

However, it is necessary to point out that SSTP is mainly associated with Windows. There could be nascent support for Linux and macOS, but your mileage may vary.

SSTP uses SSL 3.0, so it offers similar advantages as OpenVPN, including the ability to use TCP port 443 to bypass censorship.

SSTP is a proprietary protocol owned by Microsoft. That might be a concern to some people since its code is not open to public scrutiny. Microsoft’s history of collaboration with NSA coupled with speculations about possible backdoors built into the Windows OS only help to undermine its credibility.

Another point of concern is that SSL v3.0 is vulnerable to the POODLE attack. But this vulnerability hasn’t been confirmed, so it shouldn’t be a big deal.

When do you use SSTP? Its close compatibility with Windows makes it easier to use on that platform. Since Windows is common in most regions of the world, there is a good chance compatibility isn’t a hindrance.

04

IKEv2/IPsec

Like L2TP, Internet Key Exchange version 2 (IKEv2) is a tunneling protocol. But when paired with IPsec, it becomes a VPN protocol, with IPsec providing encryption. Once again, this is another protocol in which Microsoft has a finger in the pie: IKEv2 is a joint product of Cisco and Microsoft.

It is a fairly new protocol, so it is yet to become widely supported. It’s mostly a closed system with corporate interests.

Despite being less common than L2TP/IPsec, it is considered to be as good as, if not superior to, Layer 2 Tunneling Protocol in terms of stability, speed, security, and ability to establish a connection. Some users avoid it because it is vulnerable to VPN blocking, and it has narrow support.

So, when do you use IKEv2? It is a great choice for mobile phone users who regularly switch between mobile connections and home Wi-Fi. Actually, IKEv2 supports Mobility and Multihoming (MOBIKE) protocol, so it is highly resilient to changing networks. That is why Blackberry and iOS have native support for IKEv2.

05

OpenVPN

OpenVPN is an open-source technology that uses TLS protocol and OpenSSL library, among other technologies. It is one of the most exciting things to happen in the world of privacy. No wonder it has become the industry standard VPN protocol for commercial VPNs. One thing that endears many people to this protocol is its flexibility.

Unlike SSTP, PPTP, and most VPN protocols, OpenVPN is not natively supported by any platform, but it is available on most platforms via third-party software. This feature of OpenVPN can be a pro or a con, depending on how you look at it.

In the past, a couple of vulnerabilities were discovered in OpenVPN. Its servers were open to a Denial of Service (DoS) attack, but these weaknesses were patched in OpenVPN 2.4.2. So, the bottom line is that OpenVPN remains the most secure and flexible protocol available today.

When do you use OpenVPN? This protocol runs best on a range of UDP ports, but that does not mean it can’t run on TCP port 443 or any other port. In fact, running OpenVPN over TCP port 443 makes it hard to block. The protocol is widely used by premium VPN providers to develop their own VPN clients, since they have adequate resources.
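To show how the choices discussed on this page (a TLS handshake with forward secrecy, an RSA-2048 or stronger certificate, an AES-256 data cipher, a SHA-256 HMAC for integrity, and TCP port 443 as a fallback where UDP is blocked) are expressed in practice, here is an added OpenVPN 2.4 client profile. It is an illustrative example written for this guide, not a configuration from the page or from any provider; the host name vpn.example.com and the certificate and key file names are placeholders.

```conf
# Added example: OpenVPN 2.4 client profile (not from the page or any provider).
# Placeholders: vpn.example.com, ca.crt, client.crt, client.key, ta.key.
client
dev tun

# Transport: UDP is faster, but TCP port 443 looks like HTTPS traffic and is
# rarely blocked. Swap the comments on the two pairs when UDP 1194 is unreachable.
proto udp
remote vpn.example.com 1194
#proto tcp
#remote vpn.example.com 443
resolv-retry infinite
nobind
persist-key
persist-tun

# Handshake: require TLS 1.2 or newer and only ECDHE suites, so every session
# gets a fresh key that is discarded afterwards (perfect forward secrecy).
tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
# Only accept a peer whose certificate is marked for server use (blocks
# client-certificate impersonation of the server).
remote-cert-tls server

# Control-channel packets are encrypted and authenticated with a pre-shared
# key, which also keeps the TLS handshake itself out of view of port scanners.
tls-crypt ta.key

# Data channel: AES-256 in GCM mode (authenticated encryption). The auth line
# names the HMAC hash used if a non-AEAD cipher such as AES-256-CBC is
# negotiated instead; SHA-256 is the integrity check described above.
cipher AES-256-GCM
ncp-ciphers AES-256-GCM:AES-128-GCM
auth SHA256

# Credentials: CA plus an RSA-2048 (or larger) client certificate and key.
ca ca.crt
cert client.crt
key client.key

# Do not cache credentials in memory between re-authentications.
auth-nocache
verb 3
```

With `proto tcp` and `remote … 443` enabled instead of the UDP pair, the same profile connects through networks that only allow HTTPS-looking traffic, at the cost of the TCP-over-TCP overhead the page mentions.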

Ciphers

As discussed earlier, a cipher is an algorithm for encrypting or decrypting your data. Generally, VPN protocols use different ciphers. For instance, OpenVPN uses several symmetric-key ciphers to secure data on control channels. These are the most commonly used ciphers:

01

AES

The Advanced Encryption Standard (AES) is universally considered very secure. It has become the gold standard symmetric-key cipher in the VPN industry. In fact, AES-256 is used by the US government to secure its data. While AES is available in both 128-bit and 256-bit key sizes, the latter provides a higher security margin.

02

Blowfish

03

Camellia

Camellia is the latest cipher, and it is almost as quick and secure as AES. This cipher is available in 128-bit, 192-bit, and 256-bit key sizes. While there is a case for using Camellia, it has not been as thoroughly tested as AES, probably because it is not associated with the US government.

Conclusion

Hopefully, you now have a better understanding of what VPN encryption is, and you are more prepared to protect your internet privacy. Even without dwelling too much on the technicalities, it should also be clear to you that the industry-standard encryption used by premium VPNs is as safe as it gets. But note that when it comes to VPN configuration, encryption is only one part of the equation. The other half is to ensure no traffic leaves your device outside of the VPN framework. Additionally, VPN protocols are only a small part of what you should consider when selecting a VPN service.