Internet privacy and security course
About translation
Previous Next

Chapter 132

Choose a secure VPN: encryption algorithm, key length and data authentication

Going on with making out what indicators are and how they affect the security of the VPN, this is one of the most important articles of the cycle, in which we will talk about the choice of encryption algorithm and key length, as well as methods of data authentication.

Encryption algorithm

To understand what an encryption algorithm is, let’s remember the story with Caesar again. To encrypt his text he used the shift of letters, which is the encryption algorithm. Imagine that instead of shifting he would start using the replacement of letters for some characters and that would be a different algorithm.

OpenVPN offers two encryption algorithms, such as AES and Blowfish. Both have proven to be reliable and if you are not a mathematician, you do not need to understand their architecture.

I use AES in my cases. In OpenVPN Technologies manuals it is recommended to use Blowfish, since it is slightly faster than AES.

Key length

Let us come back to the story of Caesar; he and the senator have already created a unique session key, sending 4096 couriers to each other, and each of them has reported some new change. But it will be very inconvenient for them to make 4096 changes in the text, which is long and difficult, that is why they decide to transmit another simpler key using reliably encrypted channel (4096 changes) with only 256 changes. This allows them to speed up the correspondence significantly, but if they just immediately send each other this key, the enemies could intercept it.

Nowadays VPN providers offer 128-bit and 256-bit keys. From the fields of cryptologist-mathematicians there is information for 2018 claiming that a 128-bit key can only be decrypted in special data centers at very high powers and this will take a very long time. A computer capable of decrypting data encrypted with a 256-bit key has not been invented yet, according to scientists.

According to many VPN providers, a 128-bit key is the best solution in terms of security and performance. When using a 128-bit key, encryption is faster than with a 256-bit key; it creates less load on the server and on the user's device.

We conducted the test. We took one of the phones based on the Android operating system and put OpenVPN on it with the RSA-based session key generation parameter file with a length of 2048 bits (OpenVPN RSA 2048 / AES 128 - I do hope you now understand this data). With active web surfing, battery consumption increased by 12%, due to the fact that the device wasted resources to encrypt and decrypt traffic.

When using OpenVPN RSA 4096 / AES 256 with active web surfing, consumption increased by 26%. For example, if without a VPN device allowed 8 hours to use the Internet actively, then using OpenVPN RSA 4096 / AES 256 it does only about 6.

This indicator can not be used for accurate calculation, it is always individual and depends on the amount of encrypted traffic, battery power and device characteristics. However, it can be said with confidence that the increase in cryptographic strength of the used encryption algorithms increases the load on the device battery significantly.

Data authentication

There is another indicator that influences the required capacity and speed of the VPN, this is data authentication.

Imagine the situation: a messenger comes to Caesar and says that he is from the senator with a message, Caesar lets him in, and the messenger turns out to be a hired killer of barbarians. For Caesar this will be a fatal mistake.

How to check the authenticity of the messenger? Probably, he should have a code word. Imagine that the barbarians intercepted the messenger and with the help of torture received a code word from him, then they threw the blade in the heart, threw away the body into the ditch, and the same hired assassin goes to Caesar with the code word. A code word is a vulnerable way to establish the identity of a messenger.

Caesar and the senator decided to complicate the algorithm and in addition to the code word take only blue-eyed blond men as messengers. In this case, even if the barbarians intercepted the messenger and received the word, they fell through on face control, since even the messenger himself did not suspect the second condition.

Transmitted data is signed in the same way when using a VPN; special hashing algorithms are used for this. For now, just remember that MD5 and SHA1 are not enough reliable ones, while SHA512 and SHA256 are reliable algorithms.

What else to pay attention to? Using a more cryptographic algorithm will slow down the speed of the VPN, so a VPN with MD5 will always work faster than with SHA512.

In the next chapter we will practice the skills of assessing the reliability of a VPN.

Previous
6468
Next