Cryptography

Virtual Private Networks (VPNs)

August 27, 2020 by Howard Poston

Introduction to VPNs

Virtual Private Networks (VPNs) are a solution designed to provide a secure connection between two parties over an untrusted network. Traffic is encrypted at one end of the connection and decrypted at the other.

This technology can be used for a variety of different purposes. Some common use cases include:


  • Secure telework: Remote workers will use a VPN to securely access the corporate network over their home network and the public internet. This enables the teleworker to easily access internal corporate resources and have all of their internet-bound traffic scanned by the corporate cybersecurity solutions.
  • Linking sites: VPN endpoints located within two remote sites and connected by a VPN tunnel essentially merge the two networks. Since no traffic between the sites passes over the public internet — at least not in an unencrypted fashion — it is possible to use private IP addressing when communicating between the two sites.

In order for VPNs to be effectively used in these ways, they need to be capable of protecting the data that they carry against eavesdropping and modification. This is why cryptographic algorithms are a vital component of a VPN.

The use of cryptography in VPNs

VPNs make heavy use of cryptographic algorithms. At a minimum, a VPN uses symmetric cryptography, and in practice it makes sense to use asymmetric cryptography alongside it.

Symmetric cryptography is useful for bulk data encryption. In general, symmetric algorithms are faster and more efficient than their asymmetric counterparts. This is an important feature when talking about the volume of data carried over the average VPN connection.

However, symmetric encryption algorithms are limited by the fact that they require a pre-shared secret key to work. Unless both parties know the secret key, it is impossible for the recipient of the ciphertext to decrypt the data being sent to them.

For this reason, VPNs may use an asymmetric encryption algorithm as well. Public key cryptography enables a shared secret key to be securely created over a public channel. Once that key is generated, it can be passed to a symmetric encryption algorithm for bulk data encryption.

In theory, anyone can write a VPN using simple cryptographic algorithms. In practice, however, most people use one of the existing standards, since they are designed to be secure and optimized to transfer large amounts of data quickly. Some of the more commonly used VPN protocols include:

  • OpenVPN
  • IPsec
  • Secure Socket Tunneling Protocol

This is not an exhaustive list of all of the VPN protocols that have ever been created, and one of the major reasons for this is that some VPN protocols are no longer used. Like any other cryptographic algorithm or protocol, a VPN protocol is discarded when flaws are discovered that break its security.

The limitations of VPNs

VPNs are useful for a variety of different purposes; however, they are not a perfect solution. Two limitations on VPN functionality are the scope of encryption and the need to trust in a VPN provider.

Limits of encryption

VPNs are designed to implement point-to-point encrypted network connections between two parties. This is helpful for establishing a secure connection between a remote worker and the corporate network or two corporate networks.

However, this encryption only exists between these two points. Before traffic is encrypted on the source computer to travel over the VPN tunnel and after it reaches the VPN endpoint, it is not encrypted. If the traffic’s destination is not inside the corporate network where the VPN endpoint is located, it will travel over the public Internet unencrypted at some point.

These limits on the scope of encryption limit where a VPN is useful. VPNs are great for remotely connecting a user to a corporate network or for evading censorship in certain areas. However, they do not provide complete protection against eavesdropping.

Trust in VPN provider

Without a VPN, an internet user is putting their trust in the internet service provider (ISP) not to monitor their network traffic. VPNs can eliminate this need for trust in an ISP by ensuring that all traffic passing through the ISP’s infrastructure is encrypted.

However, the cost of this is transferring trust from the ISP to the VPN provider. As a data breach in July 2020 — where seven VPN providers that claimed to perform no connection logging had their connection logs leaked — demonstrates, not all providers of personal VPN solutions should be trusted.

Using VPNs securely

During the COVID-19 pandemic, corporate use of VPNs surged dramatically. The ability to provide encrypted connections between remote workers and the corporate network is essential for a secure telework program.

However, the use of a VPN is not a perfect solution for security. VPNs only encrypt network traffic for a portion of its journey, and the use of a broken VPN protocol is little better than using no VPN at all.


Sources

  1. OpenVPN, GitHub
  2. Seven 'no log' VPN providers accused of leaking – yup, you guessed it – 1.2TB of user logs onto the internet, The Register
  3. VPN Usage Surges During COVID-19 Crisis [Infographic], Forbes

Howard Poston

Howard Poston is a copywriter, author, and course developer with experience in cybersecurity and blockchain security, cryptography, and malware analysis. He has an MS in Cyber Operations, a decade of experience in cybersecurity, and over five years of experience as a freelance consultant providing training and content creation for cyber and blockchain security. He is also the creator of over a dozen cybersecurity courses, has authored two books, and has spoken at numerous cybersecurity conferences. He can be reached by email at howard@howardposton.com or via his website at https://www.howardposton.com.