Is your VPN secure? … Understanding VPN Encryption


Virtual private networks (VPNs) use fancy marketing terms to attract potential customers, but those terms are difficult to examine and analyze in detail. Because the language describing the encryption method is full of abbreviations and technical terms, a search for a phrase like ‘military-grade encryption’ usually leads to more questions than answers.


However, although the details of encryption may seem confusing at first, things become much clearer once you know how to categorize the information. Terms such as TLS, RSA certificates, keys and AES encryption are less obscure than they look, and judging how useful a VPN is is easier than you think. Here is how.

How VPN encryption works

In general, encryption is the process of encoding data so that only authorized parties can decode it. When a computer connects to a VPN, a multi-level encryption process takes place. The level of security at each level depends on the protocol used. Each protocol handles issues such as authentication, key exchange and encryption of the established connection in its own way.

In general, a modern VPN encryption protocol can be broken down into four parts:

1. How the connection is first established (the handshake)
2. How the code (the key) used to encrypt and decrypt data during the session is generated (also known as key exchange)
3. How long the encryption key is kept
4. The encryption method used to secure the established connection

The protocols a VPN supports specify particular encryption strength levels, but they can be configured as the provider sees fit. As a result, two VPN services can use the same protocol with different levels of security: one company stays close to industry defaults so it can boast about speed, while another increases the key length/size it uses for encryption to raise security.

How to understand VPN encryption details

Breaking down VPN encryption details begins with determining which protocols a particular VPN service supports.

Currently, the industry prefers three protocols for high-level security: OpenVPN, IKEv2/IPsec and WireGuard. You may also find proprietary variations on these familiar protocols, as well as slower and less secure protocols such as SoftEther, SSTP and L2TP/IPsec. The Point-to-Point Tunneling Protocol (PPTP) is an old protocol that is very rare these days because it no longer provides adequate protection.


Next, look at the details of how the VPN configures the chosen protocol. Most services provide basic explanations on customer support pages, in FAQs and in blog posts. You will see unfamiliar terms such as ‘RSA certificate’ and ‘ECDH (Elliptic Curve Diffie-Hellman) protocol’.

Finally, compare all the terminology you found with industry standards. An online search can go a long way toward closing the knowledge gap. Beware of VPNs that do not meet current industry defaults, for example a 2048-bit key for RSA certificates and 128-bit AES encryption. The level of encryption a VPN offers should also match what it markets: be suspicious of providers that advertise strong security but use PPTP or L2TP/IPsec.

For example, the description of Hotspot Shield VPN's encryption method can be understood as follows.


First, identify the supported VPN protocols. The key phrase here is ‘OpenVPN-based proprietary protocol’. This tells us that the Hotspot Shield vendor has built its own hardened variant of one of the most secure VPN protocols. Since the code has not been publicly reviewed, you must trust that the vendor implemented these changes well (in contrast to the open-source OpenVPN protocol itself).

Next, let us see what the rest of the terms in the OpenVPN protocol description refer to. With a little effort, the following becomes clear:

  • The TLS 1.2 connection secures the initial handshake.
  • The RSA certificate is part of the encryption process.
  • The Elliptic Curve Diffie-Hellman (ECDH) algorithm dictates how the key exchange takes place.
  • This key exchange is ephemeral (temporary).
  • The connection then switches to 128-bit AES encryption. The connection can be configured to use 256-bit AES encryption instead.

To see whether Hotspot Shield chose these settings wisely, a little further analysis provides additional context.

1. TLS 1.2. The VPN initially uses Transport Layer Security (TLS). Version 1.2 is considered by experts to be the minimum default. There is also a newer and more secure version 1.3, but it is not yet widely adopted.

2. RSA certificate with a 2048-bit key. TLS certificates use the RSA algorithm to secure data transmission. The recommended minimum key length these days is 2048 bits. Some VPNs use longer keys (4096 bits), but the trade-off is that they are slower.

3. ECDH algorithm. This protocol describes how the keys used to encrypt and decrypt the data routed through the VPN are generated. Like RSA, ECDH uses an asymmetric public-private key pair, but with different vulnerabilities. Using it under an RSA certificate can help mitigate these vulnerabilities.

4. Ephemeral key exchange. A unique key is generated for each session and then discarded, minimizing the chance of a third party acquiring the key and decrypting the data.

5. 128-bit and 256-bit AES encryption. 256-bit AES is more complex than 128-bit and provides more protection against brute-force attacks, but it is also slower. By choosing 128-bit AES by default for established connections while allowing 256-bit as an optional configuration, Hotspot Shield offers a chance to raise the level of security while staying within industry standards.
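As an added example (not from the original article, Hotspot Shield or any VPN vendor), the following Python script applies the checklist above to a vendor's encryption description: it pulls out the handshake, certificate, key exchange, key lifetime and cipher, and flags anything below the minimums the article names. The thresholds, keyword lists and both sample descriptions are constructed for illustration.

```python
import re

# Minimums the article treats as current industry defaults (assumed thresholds)
MIN_TLS = (1, 2)
MIN_RSA_BITS = 2048
MIN_AES_BITS = 128
PREFERRED = ("openvpn", "ikev2", "wireguard")  # protocols the article says the industry prefers
WEAK = ("pptp", "l2tp")                        # protocols the article says are no longer adequate

def parse_description(text):
    # Pull the four parts (handshake, certificate, key exchange, cipher) out of a vendor blurb
    t = text.lower()
    tls = re.search(r"tls\s*v?(\d)\.(\d)", t)
    rsa = re.search(r"rsa[^.]*?(\d{4})[- ]?bit|(\d{4})[- ]?bit[^.]*?rsa", t)
    aes = re.findall(r"(\d{3})[- ]?bit\s*aes|aes[- ]?(\d{3})", t)
    return {
        "protocol": next((p for p in PREFERRED if p in t), None),
        "tls": (int(tls.group(1)), int(tls.group(2))) if tls else None,
        "rsa_bits": int(rsa.group(1) or rsa.group(2)) if rsa else None,
        "ecdh": "ecdh" in t or "elliptic curve diffie" in t,
        "ephemeral": any(w in t for w in ("ephemeral", "temporary", "forward secrecy")),
        "aes_bits": sorted({int(a or b) for a, b in aes}),
        "weak_protocols": [p.upper() for p in WEAK if p in t],
    }

def assess(text):
    # Returns (parsed fields, findings); an empty findings list means the blurb meets the bar
    d = parse_description(text)
    issues = []
    if d["protocol"] is None:
        issues.append("protocol: none of OpenVPN, IKEv2/IPsec or WireGuard mentioned")
    if d["tls"] is None or d["tls"] < MIN_TLS:
        issues.append("handshake: TLS version missing or below 1.2")
    if d["rsa_bits"] is None or d["rsa_bits"] < MIN_RSA_BITS:
        issues.append("certificate: RSA key missing or shorter than 2048 bits")
    if not d["ecdh"]:
        issues.append("key exchange: no ECDH mentioned")
    if not d["ephemeral"]:
        issues.append("key lifetime: no ephemeral (per-session) keys mentioned")
    if not d["aes_bits"] or min(d["aes_bits"]) < MIN_AES_BITS:
        issues.append("cipher: AES missing or below 128 bits")
    issues += [f"protocol: {p} offered, which no longer provides adequate protection" for p in d["weak_protocols"]]
    return d, issues

# Constructed sample blurbs; the first paraphrases the description the article walks through
GOOD = ("OpenVPN-based proprietary protocol. TLS 1.2 connection with a 2048-bit RSA certificate; "
        "Elliptic Curve Diffie Hellman (ECDH) ephemeral key exchange; 128-bit AES data encryption, "
        "256-bit AES available as an option.")
WEAK_BLURB = ("Military-grade OpenVPN and PPTP. TLS 1.0 connection, 1024-bit RSA certificate, "
              "ECDH ephemeral key exchange, 128-bit AES encryption.")
```

Running `assess(WEAK_BLURB)` reports the TLS 1.0 handshake, the 1024-bit certificate and the PPTP offering, while `assess(GOOD)` returns no findings.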

You will need to test the VPN yourself to see whether the extra time is worth it, but between online reviews and this kind of analysis you have enough information to go through the process. Overall, if you can do this kind of analysis, you can filter out VPNs that do not meet your standards.

Reviewing these details takes time, and longer than most people would like. That effort can be avoided if you choose a service that is recommended and well known by many experts in the field.


Source by [ciokorea]

Rewritten by [Baji Infotech]