In today’s digital world and with many individuals working remotely and executing transactions over the internet, you may wonder how secure your connection is and if your information and that of your employer remain private. Unscrupulous individuals want your sensitive private data such as your personally identifiable information (PII) and your electronic protected health information (ePHI), as well as your company’s confidential data.
Nonpublic data is valuable, and if it can be sold or exploited in some manner it becomes payday for the unscrupulous individual. It is more important than ever to utilize a virtual private network (VPN) for your business, your home office, and your personal use whenever you transmit data over the internet. In this article, we will discuss VPNs, VPN encryption, how a VPN works, VPN protocols, and the encryption algorithms they use.
What is a VPN & Why Should You Use One?
A virtual private network (VPN) is a secure network that allows data and communications to and from your device to be securely transmitted through an encrypted tunnel to its destination. A VPN provides online privacy and is used to hide the user’s internet protocol (IP) address and to encrypt data in transit. Using a VPN offers protection for your online internet activities, secures public Wi-Fi network connections, and bypasses blocked websites. There are many different providers of VPN services that offer different levels of security, speed, reliability, and capabilities. Pricing for VPN services will depend on the features selected. The better VPNs don’t log your online activities, IP addresses, or connection timestamps. See our blog on how to choose a VPN when working from home for further information.
What are the Risks of Not Using VPN Encryption?
Cybercriminals can intercept your sensitive data and communications when they are transmitted over the internet through an unsecured connection. Public Wi-Fi is notorious for its vulnerability to cybercriminals because it is often unsecured and unencrypted. A common risk is a man-in-the-middle (MITM) attack, whereby an attacker inserts themselves between the sender's and the receiver's communication channel to steal confidential information. A VPN is a useful tool for addressing the risks of these types of attacks.
Do all VPNs Have Encryption?
The short answer is yes, or else it wouldn't be a private network. End-to-end encryption is provided by a VPN-encrypted tunnel that secures the communication channel against interception, alteration, or monitoring of the data, so that only the sender and receiver are able to read the sensitive information. VPN encryption protects sensitive data transmitted between devices and the network by encrypting it, rendering it unreadable to others and protecting internet activity from privacy breaches.
Because an encryption key would be needed to decrypt the transmitted data before it could be read, cybercriminals are more likely to pursue an easier target. VPN encryption is critical in reducing the risk of having your data compromised while it travels over the internet, because it encodes the data packets. Encrypting your sensitive data in transit and concealing your IP address are a VPN's primary jobs in protecting your privacy online.
Does a VPN Encrypt Text Messages?
A VPN does not encrypt SMS (Short Message Service) text messages. These messages travel over your mobile carrier's cellular network rather than over the internet. A VPN encrypts internet traffic, that is, communication that travels over the internet.
How Does a VPN Work?
VPNs are used by consumers and organizations to enable secure remote access by changing your IP address and encrypting your internet traffic. This renders you anonymous online and keeps your online activity private in order to keep you safe. Data to and from your device travels through an encrypted VPN tunnel to the VPN server, which acts as a gateway to the public internet. Encryption and ciphers are key to the security of a VPN.
What are Examples of VPN Connection Protocols?
A VPN protocol is the process used to establish a secure, encrypted path between two computers over a VPN connection. VPN protocols vary between VPN service providers, which may affect security, speed, capabilities, and vulnerabilities. Common VPN protocols are described below.
OpenVPN
OpenVPN is a very secure VPN protocol and is considered the industry standard in use today. OpenVPN is an open-source technology and highly configurable. It utilizes the OpenSSL library and the Transport Layer Security (TLS) protocol, enabling a strong and reliable solution. OpenVPN encryption consists of both data channel encryption and control channel encryption. The data channel encryption is made up of a cipher and hash authentication to secure the data. The control channel encryption, or TLS encryption, is made up of a cipher, hash authentication, and handshake encryption to secure the connection between your device and the VPN server.
The algorithm or cipher encodes the data, the secure hash algorithm (SHA) authenticates the data and the SSL/TLS connection, and the handshake encryption secures the connection. Incorporating Perfect Forward Secrecy, that is, ephemeral encryption keys generated uniquely for each TLS connection and discarded afterwards, adds another layer of security. Strong encryption on both channels along with Perfect Forward Secrecy makes OpenVPN operationally a very secure protocol.
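To make the two data-channel layers concrete, here is an added Go example (not OpenVPN's own code; OpenVPN's real packet format and its CBC/GCM cipher modes differ) that seals each packet with AES-256 and an HMAC-SHA256 hash authentication tag, and drops any packet whose tag no longer matches before decrypting it. The packet layout, the use of CTR mode, and the keys are assumptions made for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Seal applies the article's two data-channel layers: AES-256 (CTR mode here)
// hides the payload, then an HMAC-SHA256 tag over iv||ciphertext authenticates
// it, so the receiver detects tampering before decrypting. Layout: tag||iv||ct.
func Seal(encKey, macKey, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(encKey) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	body := make([]byte, aes.BlockSize+len(plaintext))
	if _, err := rand.Read(body[:aes.BlockSize]); err != nil { // fresh IV per packet
		return nil, err
	}
	cipher.NewCTR(block, body[:aes.BlockSize]).XORKeyStream(body[aes.BlockSize:], plaintext)
	mac := hmac.New(sha256.New, macKey)
	mac.Write(body)
	return append(mac.Sum(nil), body...), nil
}

// Open checks the tag in constant time and only then decrypts; a packet whose
// tag does not match is dropped without ever being decrypted.
func Open(encKey, macKey, packet []byte) ([]byte, error) {
	if len(packet) < sha256.Size+aes.BlockSize {
		return nil, errors.New("packet too short")
	}
	tag, body := packet[:sha256.Size], packet[sha256.Size:]
	mac := hmac.New(sha256.New, macKey)
	mac.Write(body)
	if !hmac.Equal(tag, mac.Sum(nil)) {
		return nil, errors.New("authentication failed, packet dropped")
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	plaintext := make([]byte, len(body)-aes.BlockSize)
	cipher.NewCTR(block, body[:aes.BlockSize]).XORKeyStream(plaintext, body[aes.BlockSize:])
	return plaintext, nil
}
```

Flipping a single bit of a sealed packet makes Open fail the tag check, which is the property the hash authentication layer exists to provide.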
L2TP/IPSec
Layer 2 Tunneling Protocol (L2TP) is generally implemented by pairing it with IPSec, creating a secured connection between your device and the VPN server. IPSec, or Internet Protocol Security, is a network layer packet security protocol that provides methods of encrypting the data portion of each packet and its header to ensure data privacy. A public key must be shared between the sending device and the receiving device for IPSec to work across the internet. Two things to watch out for with this protocol: firewalls can easily block the port used by L2TP/IPSec, and the use of pre-shared keys (PSKs) should be avoided.
SSTP
Secure Socket Tunneling Protocol (SSTP) is a Microsoft-owned VPN protocol primarily used with Windows operating systems. While it provides most of the features that OpenVPN provides, it is not an open-source technology. It can also be used on Linux but is rarely used on Macs.
IKEv2/IPSec
Internet Key Exchange v2 (IKEv2) is also paired with IPSec, as mentioned above, and is notably used for mobile devices. IKEv2/IPSec is successful at reestablishing a connection when the connection is temporarily lost or dropped, making it a reliable and secure protocol for mobile devices.
WireGuard
WireGuard is a relatively new VPN protocol that competes with OpenVPN. It is an open-source technology that focuses on speed and strong encryption and is gaining popularity.
PPTP
Point-to-Point Tunneling Protocol (PPTP) is a method used for a VPN over a dial-up connection. Be mindful that this protocol is not as secure as the other protocols described above, as it is easier to break.
How Does a VPN Encrypt a Connection?
Encryption uses a mathematical function that takes readable plaintext and scrambles it into unreadable ciphertext, which cannot be understood unless it is decrypted back to readable plaintext. Encryption protects data from being read or compromised if it is lost or stolen. Anyone who obtains encrypted data cannot read or do anything with it unless they have the encryption key to unlock or decrypt it back to its readable form. See our blog for more details on why encryption is necessary. The key elements of encryption include the following:
- Encryption algorithm – The mathematical function or cipher used to encrypt and decrypt data.
- Encryption key – Similar to a password, a key is needed to access or decipher the encrypted data.
- Key length – The longer the key, the more possible values it has and the stronger it is, making it less likely to be cracked by a brute-force attack. For example, a 256-bit key is stronger than a 128-bit key and would take longer to crack.
What Are the Most Common Types of VPN Encryption Algorithms?
Two common types of encryption are private key, based upon a symmetric encryption algorithm, and public key, based upon an asymmetric encryption algorithm. See our blog on data encryption for more information.
Symmetric
A symmetric encryption algorithm uses the same key to encrypt plaintext and decrypt ciphertext. Both the sender and receiver must have the same key in order to communicate with each other. Examples of this type of algorithm or cipher include the Advanced Encryption Standard (AES) and Blowfish. The National Institute of Standards and Technology (NIST) has standardized AES, and it is widely used as a symmetric encryption standard. The highest level of encryption used by the better VPNs is 256-bit AES.
Asymmetric
An asymmetric encryption algorithm, also known as public-key cryptography, uses two keys: a public key and a private key. Many users may have the public key, but generally only one party knows the private key. The keys work as a pair such that the public key encrypts and the private key decrypts the data. RSA is a common example of asymmetric encryption.
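The following added Go example (not the article's or any VPN vendor's code) shows how the asymmetric and symmetric halves fit together in the handshake described under OpenVPN above: each side generates a throwaway public/private pair, exchanges only the public halves, and both derive the same symmetric session key, which is where the Perfect Forward Secrecy property comes from. It uses X25519 Diffie-Hellman rather than RSA, and the label string in the key derivation is an assumption made for the illustration.

```go
package main

import (
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
)

// NewEphemeralKey generates a fresh X25519 key pair for exactly one session:
// the public half is sent in the clear, the private half never leaves the host.
func NewEphemeralKey() (*ecdh.PrivateKey, error) {
	return ecdh.X25519().GenerateKey(rand.Reader)
}

// SessionKey combines our private key with the peer's public key bytes. Both
// sides compute the same 32-byte symmetric key for the data channel, while an
// observer holding only the two public keys cannot. Hashing with a fixed label
// (an assumption here) stands in for the key derivation of a real TLS handshake.
func SessionKey(priv *ecdh.PrivateKey, peerPub []byte) ([]byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(peerPub) // rejects malformed keys
	if err != nil {
		return nil, err
	}
	secret, err := priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	k := sha256.Sum256(append([]byte("vpn-data-channel|"), secret...))
	return k[:], nil
}

// Handshake runs one client/server exchange. Both private keys go out of scope
// when it returns and only the session key survives, so a key compromised later
// cannot unlock this session's traffic (perfect forward secrecy).
func Handshake() (clientKey, serverKey []byte, err error) {
	client, err := NewEphemeralKey()
	if err != nil {
		return nil, nil, err
	}
	server, err := NewEphemeralKey()
	if err != nil {
		return nil, nil, err
	}
	// Each side sends only its public key; private keys stay local.
	clientKey, err = SessionKey(client, server.PublicKey().Bytes())
	if err != nil {
		return nil, nil, err
	}
	serverKey, err = SessionKey(server, client.PublicKey().Bytes())
	return clientKey, serverKey, err
}
```

Calling Handshake twice yields two unrelated session keys, which is exactly why compromising one session's key, or a private key recovered afterwards, does not expose other sessions.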
Summary
Be safe on the internet and use a VPN with strong encryption. Individuals may avoid having their internet activities monitored and identities disclosed through the use of VPN services. VPNs maintain secure and private communication tunnels between a device and the internet through encryption of the tunnel and encryption of the data stream. A VPN maintains the anonymity of your IP address and encrypts all the data sent and received.
While there are several different VPN protocols, OpenVPN stands out as the industry standard. Utilizing strong encryption, such as AES-256, on both the data and control channels, in conjunction with Perfect Forward Secrecy, makes OpenVPN operationally a very secure and strong protocol. At the end of the day, the security of the encryption methods used with the chosen VPN protocol relies on maintaining the secrecy of the keys.
Linford & Company provides SOC 1, SOC 2, HIPAA, HITRUST, FedRAMP, and CMMC & NIST 800-171 compliance assessment services. Please contact us if you would like more information.
This article was originally published on 9/1/2020 and was updated on 5/17/2023.
Becky McCarty has over 20 years of experience in internal controls, audit, and advisory services. She specializes in SOC 1 and SOC 2 examinations for Linford & Co., LLP. Becky completed a Bachelor’s degree in Business Administration (Accounting) and a Master of Science degree in Management Information Systems. She worked 6 years with KPMG LLP commencing in 1999, worked several years in the energy industry, and joined Linford & Co., LLP in 2018. Becky also served 9 years on the Board of Directors for a home healthcare nonprofit. She works closely with clients so that the examinations are performed efficiently and with minimal disruption while ensuring performance in accordance with professional guidance. She enjoys helping clients successfully achieve the requirements for their SOC compliance efforts based on their objectives and/or applicable trust services criteria.