Pour on That Secret Encryption Sauce
Encryption algorithms can be a bit of an enigma (pun intended) to those looking to use strong encryption on their VPN. Which encryption algorithm is most secure today and into the future? Are there performance considerations to selecting a more secure algorithm? Are there backward compatibility issues with selecting a newer cipher? We begin our series on encryption algorithms by discussing the encryption process within a VPN.
Just like a typical physical lock, a key is required to encrypt (lock) and decrypt (unlock) data. In the VPN world, the lock is a mathematical algorithm, which for the purposes of this article we will treat as a one-way function. Instead of going into the nitty-gritty details of what a one-way function does, it is sufficient to say that the one-way function is the keyhole that data passes through to go from unencrypted (clear text) to encrypted (ciphertext). Once data is encrypted, it cannot be decrypted unless a specific piece of information (the key) is known and applied correctly to the one-way function.
To Be Static; Or Not?
Two main varieties of keys are shared static keys (which don’t change) and dynamic public keys (which do). For the purposes of a VPN, a static key is one that does not automatically change between VPN sessions. Once the VPN provider issues the VPN consumer/client a static key, that key typically remains unchanged. Static keys offer a good deal of simplicity: if both parties have a secure way to share the static key initially, then the setup process should be very straightforward. However, if the key is compromised, then all the data sent over the VPN under that key is also compromised (this is what a lack of perfect forward secrecy means).
On the other hand, a dynamic public key offers more robust security, but at the price of more complexity. Public Key Infrastructure (PKI) works under the assumption that neither sender nor receiver is able to securely pass a secret (private) key to the other without it being discovered by a third party. Drats, you say! How will we get past this problem? Diffie-Hellman to the rescue. We could spend a great deal of time talking about the Diffie-Hellman key exchange method, but for the purposes of this article, know that it provides a way for two systems to agree on a private key (secret key) without anyone else being able to determine that secret key. Very cool! Once a secret key is shared between the two hosts, encryption can begin just as with a static key. But wait, there’s more! Now that there is a secure method for agreeing on private keys, both hosts can create new private keys every 60 seconds. That way, if a private key becomes known to a third party for some reason, the damage is limited to the data sent during the 60-second period in which that key was valid. This property is known as perfect forward secrecy and provides the best security available on a VPN today.
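The exchange just described, as an added example that is not part of the original post and not any VPN product's code: two endpoints each generate an ephemeral X25519 key pair (Go's standard crypto/ecdh package, so Go 1.20 or later is assumed), derive an AES-256 session key from the shared secret plus an epoch counter (a stand-in for the 60-second timer), and encrypt with AES-GCM. The key derivation (SHA-256 over a fixed label, the shared secret and the epoch) is a simplification chosen for this example; the function names, the label string and the sample payload are this example's own. DemoForwardSecrecy shows the point of the rekeying: a key obtained in epoch 2 does not open traffic sealed in epoch 1.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// SessionKey combines our private key with the remote public key (the value that
// crossed the wire, visible to any eavesdropper) and hashes the X25519 shared
// secret with the epoch number into a 256-bit AES key (simplified for this example).
func SessionKey(priv *ecdh.PrivateKey, remote *ecdh.PublicKey, epoch uint32) ([]byte, error) {
	shared, err := priv.ECDH(remote) // only the two private-key holders can compute this
	if err != nil {
		return nil, err
	}
	buf := append([]byte("vpn-example-session-key-v1"), shared...)
	buf = binary.BigEndian.AppendUint32(buf, epoch)
	sum := sha256.Sum256(buf)
	return sum[:], nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts with AES-256-GCM, prefixing a random 96-bit nonce to the output.
func Seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal; under the wrong key the GCM tag check fails, so the caller
// gets an error rather than garbage.
func Open(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if ns := gcm.NonceSize(); len(sealed) >= ns {
		return gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
	}
	return nil, errors.New("ciphertext too short")
}

// EpochKey simulates one rekey interval (the post's "every 60 seconds"): both
// endpoints generate fresh ephemeral X25519 key pairs, exchange public keys and
// must arrive at the same session key. Fresh pairs per interval give forward secrecy.
func EpochKey(epoch uint32) ([]byte, error) {
	a, errA := ecdh.X25519().GenerateKey(rand.Reader)
	b, errB := ecdh.X25519().GenerateKey(rand.Reader)
	if err := errors.Join(errA, errB); err != nil {
		return nil, err
	}
	ka, errA := SessionKey(a, b.PublicKey(), epoch)
	kb, errB := SessionKey(b, a.PublicKey(), epoch)
	if err := errors.Join(errA, errB); err != nil {
		return nil, err
	}
	if !bytes.Equal(ka, kb) {
		return nil, errors.New("key agreement failed")
	}
	return ka, nil
}

// DemoForwardSecrecy seals a packet under the epoch-1 key, rekeys, then tries to
// open it with the epoch-2 key; true means the old packet stays unreadable.
func DemoForwardSecrecy() (bool, error) {
	k1, err1 := EpochKey(1)
	k2, err2 := EpochKey(2) // brand-new key pairs, so nothing links k2 back to k1
	if err := errors.Join(err1, err2); err != nil {
		return false, err
	}
	packet, err := Seal(k1, []byte("constructed sample payload from epoch 1"))
	if err != nil {
		return false, err
	}
	_, err = Open(k2, packet) // an attacker who obtains only the epoch-2 key
	return err != nil, nil
}

func main() {
	fmt.Println(DemoForwardSecrecy()) // prints: true <nil>
}
```

Two design points worth noticing: the epoch number is mixed into the key so that two intervals can never share a key even if the same key pairs were somehow reused, and AES-GCM is used rather than a bare block mode so that a wrong key (or a tampered packet) is rejected outright instead of yielding silently corrupted plaintext.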
When it comes to encrypting your data, the key length is vitally important in determining how secure your data will be. Key length is similar to the complexity of a physical key in a padlock. If a physical key only had two teeth, then the lock would be quite easy to pick. However, if a physical key used an electronic chip and multiple teeth on both sides of the key, then it would be much harder to pick. Some physical keys are even available in 3D, with a total of 4 planes of teeth, which makes them extremely difficult to pick. Use a longer key length (e.g. at least 256 bits when using AES) if at all possible to better secure data on your VPN – but there are a few caveats.
Be aware that increasing the key length also increases the computational load that a processor/computer/router must bear to encrypt/decrypt data. If you are using a small router (e.g. ASUS) as the endpoint for your VPN connection, then going from a 128-bit key to a 256-bit key might slow down your connection significantly if the CPU in the router is unable to keep up with the processing requirements. The more data that needs to be encrypted, the more CPU cycles need to be available.
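To put a number on that CPU cost, the following added example (not from the original post) times AES-128-GCM against AES-256-GCM on a stream of constructed 1400-byte packets using only Go's standard library. The figures it prints depend entirely on the machine it runs on, in particular on whether the CPU has hardware AES instructions, so treat it as a measuring method rather than a result; the function and type names are this example's own. It uses a counter nonce, as a VPN would, because a GCM nonce must never repeat under the same key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"time"
)

// Throughput is one measurement of AES-GCM sealing speed.
type Throughput struct {
	KeyBits  int
	Bytes    int
	Elapsed  time.Duration
	MBPerSec float64
}

// MeasureGCM seals `packets` constructed packets of packetSize bytes under a
// random key of keyBits and reports the rate. The nonce is 4 fixed bytes plus an
// 8-byte packet counter, so it never repeats within one key's lifetime.
func MeasureGCM(keyBits, packetSize, packets int) (Throughput, error) {
	if keyBits != 128 && keyBits != 192 && keyBits != 256 {
		return Throughput{}, fmt.Errorf("AES key must be 128, 192 or 256 bits, got %d", keyBits)
	}
	if packetSize < 1 || packets < 1 {
		return Throughput{}, fmt.Errorf("need at least one packet of at least one byte")
	}
	key := make([]byte, keyBits/8)
	if _, err := rand.Read(key); err != nil {
		return Throughput{}, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return Throughput{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return Throughput{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	packet := bytes.Repeat([]byte{0x42}, packetSize) // constructed payload
	out := make([]byte, 0, packetSize+gcm.Overhead())

	start := time.Now()
	for i := 0; i < packets; i++ {
		binary.BigEndian.PutUint64(nonce[4:], uint64(i))
		out = gcm.Seal(out[:0], nonce, packet, nil)
	}
	elapsed := time.Since(start)

	// Sanity check so the loop cannot be "fast" by doing nothing: the last
	// packet must decrypt back to the plaintext under the last nonce.
	got, err := gcm.Open(nil, nonce, out, nil)
	if err != nil || !bytes.Equal(got, packet) {
		return Throughput{}, fmt.Errorf("round trip failed: %v", err)
	}
	total := packetSize * packets
	return Throughput{keyBits, total, elapsed, float64(total) / elapsed.Seconds() / 1e6}, nil
}

func main() {
	for _, bits := range []int{128, 256} {
		r, err := MeasureGCM(bits, 1400, 20000)
		if err != nil {
			fmt.Println("error:", err)
			return
		}
		fmt.Printf("AES-%d-GCM: %d bytes in %v (%.0f MB/s)\n", r.KeyBits, r.Bytes, r.Elapsed, r.MBPerSec)
	}
}
```

Run it on the actual VPN endpoint (a router with a small CPU, not your laptop) to see whether the 256-bit key is affordable there: AES-256 does 14 rounds per block to AES-128's 10, which is a noticeable difference in software but a small one where the CPU has dedicated AES instructions.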
Unique or Non-Unique Keys
We usually think of twins as very cute and adorable. In the VPN world, deciding whether to hand out a twin (the same) key to each VPN user or a unique key to each is an important question. Again we encounter a scenario similar to choosing an encryption algorithm and key type: better security has a cost, and that cost is complexity. Maintaining a single key for all users may seem like a natural thing to do. After all, the door to your car or house only has a single key. In most cases, though, it is a bad idea to give the same key to all users. If the key is compromised, then all users will need to change their keys in order to regain security. This is a bad scenario that you will want to avoid. It is far better to use unique keys for every user, even if it adds some complexity. Keep the keys unique and your users will be much happier.
Encryption is the secret sauce of any VPN. If the encryption scheme is configured correctly from the start, then users should feel a much better sense of security. Don’t fear the complexity – learning and working with it far outweighs the alternative. Are you looking to set up a VPN of your own, or looking for reviews of a VPN provider? Visit VPNStrategy.com for the latest news and guides related to VPNs.