This is part of the VPNCity Best Practices articles where we will explain along the way the “What”, “How” and “Why” the best practices will improve your security and privacy in your day-to-day life while helping you understand the technology, dispel the myths and give you the tools to understand why your personal privacy and security is in your hands. This part concentrates on encryption, the process behind it and why you should always use it.
Encryption is what protects your data online, from a simple browsing session, your banking details and even your passwords. Anytime you use HTTPS (which is shown by a little padlock icon in the address bar), you are using using encryption on that website. But HTTPS does not protect all your data, just the data on that site. The data outside your browser is not encrypted normally and as such your information is at risk.
Always use encryption where available, the stronger the better, however, local laws may force you to surrender your encryption keys if mandated. Some countries do not even require permission from a court.
Encryption is the practice of turning normal text into gibberish. Encryption works by scrambling the original message with a very large digital number (key). This is done using advanced mathematics. Commercial-level encryption uses a 128-bit (or higher) key that is very, very hard to crack. The computer receiving the message knows the digital key and so is able to work out the original message.
The most secure encryption works on multiple tiered systems;
- Encryption: This is the symmetric cipher algorithm with which all of your data is encrypted and decrypted. The symmetric cipher is used with an ephemeral secret key shared between you and the server. This secret key is exchanged with the Handshake Encryption.
- Authentication: This is the message authentication algorithm with which all of your data is authenticated. This is only used to protect you from active attacks. If you are not worried about active attackers you can turn off Data Authentication.
- Handshake: This is the encryption used to establish a secure connection and verify you are really talking to a VPNCity VPN server and not being tricked into connecting to an attacker’s server. We use TLS v1.2 to establish this connection.
Currently, there are two main models of encryption available;
AES (Advanced Encryption Standard) is a symmetric cipher based on the Rijandael block cipher that is currently the United States federal government standard. AES was adopted worldwide as the heir apparent to the now deprecated DES standard of 1977 and although there are published examples of attacks that are faster than brute force, the powerful AES technology is still thought to be computationally infeasible in terms of cracking. In addition, AES offers solid performance on a wide variety of hardware and offers both high speed and low RAM requirements making it a top-notch choice for most applications.
If you’re using a Mac, the popular encryption tool FileVault is one of many applications that use AES.
RSA (Rivst-Shamir-Adleman) is one of the first widely used asymmetric cryptosystems for data transmission. The algorithm was first described in 1977 and relies on a public key based on two large prime numbers and an auxiliary value in order to encrypt a message. Anyone can use the public key in order to encrypt a message but only someone with knowledge of the prime numbers can feasibly attempt to decode the message. RSA opened the doors to several cryptographic protocols such as digital signatures and cryptographic voting methods.
It’s also the algorithm behind several open source technologies, such as GPG, which allows you to encrypt digital correspondence.
That sounds all great and technical, but what does this mean?
Basically put, encryption makes files and browsing habits completely nonsensical. You can see some of the technical details in configuration files such as an openvpn (*.ovpn) file, which can be downloaded as a manual configuration from the Customer Control Panel. Within the file, you can see options such as cipher and auth which will give you insight to the level of security being used. A user is able to monitor the traffic on any connection by capturing the data as it moves across a network using capturing software such as Wireshark.
To illustrate what happens over a network, we opted to capture data whilst connected to the VPNCity on both the Ethernet card (Gigabit) and TAP adapter (Ethernet).
As you can see, the traffic clearly shows my connected IP (18.104.22.168 which is actually a VPNCity IP), how I connect (Asus Router) and what’s being browsed (www.wikipedia.com). Without a VPN or encryption, location and identity can easily be confirmed through IP and devices.
However, the TAP adapter encrypts and transmits the data to the required servers. This protects the end-user by providing privacy and security. The IP is not transmitted and hardware cannot be identified.
In addition to AES and RSA, there is also Elliptical Curve Cryptography (ECC) and is among the most powerful and least understood forms of encryption used today. Proponents of the ECC approach cite the same level of security with faster operational times largely due to the same levels of security while utilizing smaller key sizes. The high-performance standards are due to the overall efficiency of the elliptic curve, which makes them ideal for small embedded systems such as smart cards. The NSA is the biggest supporter of the technology, and it’s already being billed as the successor to the aforementioned RSA approach.
The NSA revelations by Edward Snowden raised concerns that certain or possibly all Elliptic Curves endorsed by US standards bodies may have backdoors allowing the NSA to more easily crack them. There is no proof of this for curves used with signing and key exchange† and there are experts who think this to be unlikely.
† There is strong evidence that a random number generator that uses ECC was backdoored but it was not widely used.