In today’s digital world, with many people working remotely and executing transactions over the internet, you may wonder how secure your connection is and whether your information and that of your employer stay private. Unscrupulous individuals want your private data and your company’s data. Nonpublic data is valuable, and if it can be sold or exploited in some manner, it becomes payday for the unscrupulous individual. It is more important than ever to consider using a virtual private network (VPN) for your business, your home office, or your personal use. In this article, we discuss VPNs, how a VPN works, VPN encryption protocols, and encryption.
What is a VPN?
A virtual private network (VPN) is a secured network over which data to and from your device is transmitted securely. Using a VPN improves the privacy of your internet activity, improves the security of connections over public Wi-Fi networks, and bypasses blocked websites. There are many different VPN service providers offering different levels of security, speed, and capabilities. See our blog on how to choose a VPN when working from home for further information.
How Does a VPN Work?
VPNs are used by consumers and organizations to enable remote access that is secured by masking your IP address and encrypting your internet traffic. Data to and from your device travels through an encrypted VPN tunnel to the VPN server, which acts as a gateway to the public internet. Encryption and ciphers are key to the security of a VPN.
What are VPN Encryption Protocols?
A VPN encryption protocol is the process used to establish a secured, encrypted path between two computers. VPN encryption protocols vary between VPN service providers, which affects security, speed, capabilities, and vulnerabilities. Common VPN encryption protocols are noted below.
- OpenVPN: OpenVPN is a very secure VPN encryption protocol and is considered the industry standard in use today. OpenVPN is an open-source technology and highly configurable. It uses the OpenSSL library and Transport Layer Security (TLS) protocols, enabling a strong and reliable solution. OpenVPN encryption consists of both data channel encryption and control channel encryption. The data channel encryption is made up of a cipher and hash authentication to secure the data. The control channel encryption, or TLS encryption, is made up of a cipher, hash authentication, and handshake encryption to secure the connection between your device and the VPN server. The cipher encodes the data, the secure hash algorithm authenticates the data and the SSL/TLS connection, and the handshake encryption secures the connection. Incorporating Perfect Forward Secrecy, that is, ephemeral encryption keys generated uniquely for each TLS connection and disposed of afterwards, adds another layer of security. Strong encryption on both channels along with Perfect Forward Secrecy makes OpenVPN operationally a very secure protocol.
- L2TP/IPSec: Layer 2 Tunneling Protocol (L2TP) is generally implemented by pairing it with IPSec, creating a secured connection between your device and the VPN server. IPSec, or Internet Protocol Security, is a network-layer packet security protocol that encrypts the data portion of each packet and its header to ensure data privacy. A public key must be shared between the sending device and the receiving device for IPSec to work across the internet. Key things to watch out for with this protocol are that firewalls can easily block the port used by L2TP/IPSec, and that the use of pre-shared keys (PSKs) should be avoided.
- SSTP: Secure Socket Tunneling Protocol (SSTP) is a Microsoft-owned VPN protocol primarily used with Windows operating systems. While it provides most of the features that OpenVPN provides, it is not an open-source technology. It can also be used on Linux, but it is rarely used on Macs.
- IKEv2/IPSec: Internet Key Exchange v2 (IKEv2) is also paired with IPSec, as mentioned above, and is commonly used on mobile devices. IKEv2/IPSec reestablishes a connection well when the connection is temporarily lost or dropped, making it a reliable and secure protocol for mobile devices.
- WireGuard: WireGuard is a relatively new VPN protocol that competes with OpenVPN. It is an open-source technology that focuses on speed and strong encryption and is gaining popularity.
- PPTP: Point-to-Point Tunneling Protocol (PPTP) is a method for running a VPN over a dial-up connection. Be mindful that this protocol is not as secure as the other protocols mentioned above, as it is easier to break.
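The OpenVPN description above separates a control channel (a handshake that agrees on keys, with ephemeral keys giving Perfect Forward Secrecy) from a data channel (a cipher plus authentication on every packet). The following Go program is an added teaching model of those two pieces; it is not OpenVPN's code or its real key schedule. It assumes an X25519 key agreement standing in for the TLS handshake, SHA-256 as a deliberately simplified key derivation, and AES-256-GCM as the data-channel cipher whose authentication tag plays the role of hash authentication. The payload string is constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Session holds the data-channel key one side derived from the handshake.
// Teaching model only: not OpenVPN's real key schedule.
type Session struct {
	Key []byte // 32 bytes = AES-256
}

// handshake models the control channel: each side generates a fresh
// (ephemeral) X25519 key pair, exchanges only the public halves, and derives
// the same shared secret. The private keys exist only inside this function
// and are dropped on return, so nothing kept afterwards can recover this
// session's key. That property is Perfect Forward Secrecy.
func handshake() (Session, Session, error) {
	curve := ecdh.X25519()
	clientPriv, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return Session{}, Session{}, err
	}
	serverPriv, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return Session{}, Session{}, err
	}
	clientSecret, err := clientPriv.ECDH(serverPriv.PublicKey())
	if err != nil {
		return Session{}, Session{}, err
	}
	serverSecret, err := serverPriv.ECDH(clientPriv.PublicKey())
	if err != nil {
		return Session{}, Session{}, err
	}
	// Simplified key derivation (assumption for this example): hash the
	// shared secret to 256 bits. A real protocol uses a KDF bound to the
	// handshake transcript.
	ck := sha256.Sum256(clientSecret)
	sk := sha256.Sum256(serverSecret)
	return Session{Key: ck[:]}, Session{Key: sk[:]}, nil
}

// newAEAD builds AES-256-GCM from a session key: AES is the cipher that
// encodes the data, and GCM's tag authenticates each packet so that any
// modification in transit is rejected.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealPacket encrypts and authenticates one data-channel packet.
// Output layout: nonce || ciphertext || 16-byte tag.
func sealPacket(key, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// openPacket checks the tag and decrypts; tampering yields an error and
// no plaintext at all.
func openPacket(key, packet []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(packet) < aead.NonceSize() {
		return nil, errors.New("packet too short")
	}
	nonce, ct := packet[:aead.NonceSize()], packet[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

func main() {
	client, server, err := handshake()
	if err != nil {
		panic(err)
	}
	fmt.Println("keys agree:", bytes.Equal(client.Key, server.Key))

	// Constructed sample payload standing in for a tunnelled packet.
	packet, _ := sealPacket(client.Key, []byte("GET /payroll HTTP/1.1"))
	plain, err := openPacket(server.Key, packet)
	fmt.Printf("server read: %q err=%v\n", plain, err)

	// Flip one bit of the tag: authentication fails, nothing is returned.
	packet[len(packet)-1] ^= 0x01
	_, err = openPacket(server.Key, packet)
	fmt.Println("tampered packet rejected:", err != nil)

	// A second handshake yields an unrelated key: forward secrecy.
	client2, _, _ := handshake()
	fmt.Println("new session key differs:", !bytes.Equal(client.Key, client2.Key))
}
```

Run it with `go run .`; the last two lines of output show why both halves matter: the tag check stops a modified packet from ever being decrypted, and each handshake's key is independent of the previous one.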
What Does Encryption Do?
Encryption uses a mathematical function that takes readable plaintext and, under a key, scrambles it into unreadable ciphertext, which cannot be understood unless it is decrypted back to readable plaintext. Encryption protects data from being read or compromised if it is lost or stolen. Anyone who obtains encrypted data cannot read it or do anything with it unless they have the encryption key to unlock, or decrypt, it back to its readable form. See our blog for more details on why encryption is necessary. The key elements of encryption include the following:
- Encryption algorithm – the mathematical function or cipher used to encrypt/decrypt data.
- Encryption keys – similar to a password, a key is needed to access or decipher the encrypted data.
- Key length – the longer the key, the stronger it is and the less likely it is to be cracked by a brute-force attack. For example, a 256-bit key is stronger than a 128-bit key.
What Are Encryption Types?
Two common types of encryption are private key encryption, based on a symmetric encryption algorithm, and public key encryption, based on an asymmetric encryption algorithm. See our blog on data encryption for more information.
A symmetric encryption algorithm uses the same key to encrypt plaintext and to decrypt ciphertext. Both the sender and the receiver must have the same key in order to communicate with each other. Examples of this type of algorithm, or cipher, include the Advanced Encryption Standard (AES) and Blowfish. The National Institute of Standards and Technology (NIST) has certified AES.
An asymmetric encryption algorithm uses two keys, a public key and a private key. Many users may have the public key, but generally only one party holds the private key. The keys work as a pair such that the public key encrypts the data and the private key decrypts it. RSA is a common example of asymmetric encryption.
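The two paragraphs above describe the public-key-encrypts, private-key-decrypts relationship and the role of the shared key in symmetric encryption. The Go program below is an added example, not code from the article, showing those rules with RSA-OAEP from Go's standard library: anyone holding the public key can encrypt, only the matching private key decrypts, and the message RSA can carry is limited in size, which is why asymmetric encryption is used to deliver a small symmetric session key rather than to encrypt bulk traffic. The key sizes, the 32-byte session key and the recipient/other-party roles are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// generateKeyPair creates a 2048-bit RSA key pair (size chosen for this
// example). The public key can be given to everyone; only its owner holds
// the private key.
func generateKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// maxOAEPMessage is the largest message RSA-OAEP with SHA-256 can encrypt
// under a key of this size: modulus length minus twice the hash length
// minus 2, which is 190 bytes for a 2048-bit key. Asymmetric encryption is
// therefore used for small secrets such as session keys, not bulk data.
func maxOAEPMessage(pub *rsa.PublicKey) int {
	return pub.Size() - 2*sha256.Size - 2
}

// encryptForRecipient encrypts with the recipient's PUBLIC key using
// RSA-OAEP, the padding scheme to use for new systems (raw RSA is unsafe).
func encryptForRecipient(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// decryptAsRecipient recovers the message with the matching PRIVATE key.
// Any other private key, or a modified ciphertext, returns an error.
func decryptAsRecipient(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

// newSessionKey draws a random 256-bit symmetric key: the kind of secret an
// asymmetric exchange delivers before symmetric encryption (such as AES)
// takes over for the bulk of the traffic.
func newSessionKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

func main() {
	recipient, err := generateKeyPair()
	if err != nil {
		panic(err)
	}
	other, _ := generateKeyPair() // an unrelated key pair

	sessionKey, _ := newSessionKey()
	ct, err := encryptForRecipient(&recipient.PublicKey, sessionKey)
	if err != nil {
		panic(err)
	}

	got, err := decryptAsRecipient(recipient, ct)
	fmt.Println("owner recovers session key:", err == nil && bytes.Equal(got, sessionKey))

	_, err = decryptAsRecipient(other, ct)
	fmt.Println("other private key fails:", err != nil)

	limit := maxOAEPMessage(&recipient.PublicKey)
	_, err = encryptForRecipient(&recipient.PublicKey, make([]byte, limit+1))
	fmt.Printf("max message %d bytes; one byte more fails: %v\n", limit, err != nil)
}
```

The size limit is the practical point to take from this: a 2048-bit RSA key can wrap a 32-byte AES key with room to spare, but it cannot encrypt a file, so real protocols pair the two types exactly as the article's VPN handshake and data channel do.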
While there are several different VPN protocols, OpenVPN stands out as the industry standard. Using strong encryption, such as AES-256, on both the data and control channels in conjunction with Perfect Forward Secrecy makes OpenVPN operationally a very secure and strong protocol. At the end of the day, the security of the encryption methods used with the chosen VPN protocol relies on keeping the keys secret.
Becky McCarty (CPA, CISA, CRISC, CIA, CFE) specializes in SOC 1 and SOC 2 examinations for Linford & Co., LLP. She completed her Master’s degree in Information Systems in 1996, started working with KPMG in 1999, and joined Linford & Co., LLP in 2018. She works closely with clients so that the examinations are performed efficiently and with minimal disruption while ensuring performance in accordance with professional guidance. She enjoys helping clients successfully achieve the requirements for their SOC audit reports based on their applicable trust services criteria.