Archive | VPN Protocols

How VPN Encryption Works

Encryption is the process of obscuring information to make it unreadable without special knowledge, a key file, or a password. You could use encryption to secure files on your computer or the electronic messages you send to friends or colleagues. An encryption key tells the computer what computations to perform on data in order to encrypt or decrypt it.

The two most common forms of encryption are symmetric-key encryption and public-key encryption:

In symmetric-key encryption, all computers (or users) share the same key used to both encrypt and decrypt a message.

In public-key encryption, each computer (or user) has a public-private key pair. One computer uses its private key to encrypt a message, and another computer uses the corresponding public key to decrypt that message.

In a VPN, the computers at each end of the tunnel encrypt the data entering the tunnel and decrypt it at the other end. However, a VPN needs more than just key files to apply encryption. That’s where protocols come in. A site-to-site VPN could use either Internet Protocol Security (IPSec) or generic routing encapsulation (GRE). GRE provides the framework for how to package the passenger protocol for transport over the Internet protocol (IP). This framework includes information on what type of packet you’re encapsulating and the connection between sender and receiver.
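To make the GRE “framework” concrete, here is an added example (not code from the original page) that builds and parses an RFC 2784 GRE header in Python. The Protocol Type field is where the encapsulator records what kind of passenger packet is inside, and the optional checksum covers the GRE header plus the passenger. The sample IPv4 packet is constructed for the example.

```python
import struct

# Constructed sample passenger packet: a minimal IPv4 header (20 bytes, protocol
# UDP=17, src 192.168.1.1, dst 192.168.1.2) followed by 4 payload bytes.
SAMPLE_IPV4_PACKET = bytes.fromhex(
    "45000018" "00010000" "40110000" "c0a80101" "c0a80102"
) + b"\xde\xad\xbe\xef"

GRE_FLAG_CHECKSUM = 0x8000   # C bit: a checksum field follows the base header
GRE_PROTO_IPV4 = 0x0800      # EtherType values identify the passenger protocol
GRE_PROTO_IPV6 = 0x86DD


def inet_checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words (GRE uses the IP checksum)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def passenger_protocol(passenger):
    """Pick the GRE Protocol Type from the IP version nibble of the passenger."""
    version = passenger[0] >> 4
    if version == 4:
        return GRE_PROTO_IPV4
    if version == 6:
        return GRE_PROTO_IPV6
    raise ValueError("unrecognised passenger packet")


def gre_encapsulate(passenger, proto, with_checksum=True):
    """Prepend an RFC 2784 GRE header: flags/version, Protocol Type and, when
    the C bit is set, a checksum over the header plus the passenger packet."""
    flags = GRE_FLAG_CHECKSUM if with_checksum else 0
    header = struct.pack("!HH", flags, proto)
    if with_checksum:
        # The checksum is computed with the Checksum and Reserved1 fields zeroed.
        csum = inet_checksum(header + struct.pack("!HH", 0, 0) + passenger)
        header += struct.pack("!HH", csum, 0)
    return header + passenger


def gre_checksum_ok(packet):
    """A packet carrying a correct checksum sums to zero under one's complement."""
    return inet_checksum(packet) == 0


def gre_decapsulate(packet):
    """Strip the GRE header and return (protocol_type, passenger). Raises on an
    unsupported version or a failed checksum, so corrupted packets never reach
    the passenger-protocol parser."""
    if len(packet) < 4:
        raise ValueError("GRE header truncated")
    flags, proto = struct.unpack("!HH", packet[:4])
    if flags & 0x0007:
        raise ValueError("only GRE version 0 is handled here")
    offset = 4
    if flags & GRE_FLAG_CHECKSUM:
        if len(packet) < 8:
            raise ValueError("GRE checksum field truncated")
        if not gre_checksum_ok(packet):
            raise ValueError("GRE checksum mismatch")
        offset = 8
    return proto, packet[offset:]


if __name__ == "__main__":
    pkt = gre_encapsulate(SAMPLE_IPV4_PACKET, passenger_protocol(SAMPLE_IPV4_PACKET))
    print("GRE packet:", pkt.hex())
    print("decapsulated:", gre_decapsulate(pkt))
```

Note what the checksum does and does not give you: it detects accidental corruption of the header and passenger, but GRE on its own has no key, so it offers no confidentiality or authenticity; that is why the article pairs it with IPSec for anything crossing an untrusted network.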

IPSec is a widely used protocol for securing traffic on IP networks, including the Internet. IPSec can encrypt data between various devices, including router to router, firewall to router, desktop to router, and desktop to server.

IPSec consists of two sub-protocols which provide the instructions a VPN needs to secure its packets. They are Encapsulating Security Payload (ESP) and Authentication Header (AH).

Encapsulating Security Payload (ESP) encrypts the data it’s transporting with a symmetric key.

Authentication Header (AH) uses a hashing operation on the packet header to help hide certain sensitive information like the sender’s identity until it gets to its destination. This makes the sender anonymous to a hacker.

Networked devices can use IPSec in one of two encryption modes. In transport mode, devices encrypt the data traveling between them. In tunnel mode, the devices build a virtual tunnel between two networks. VPNs use the latter.
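The following added example (not from the original article) shows the two sub-protocols and the two modes at the packet level in Python. It parses the cleartext fields of an Authentication Header and of an ESP header, classifies tunnel versus transport mode from the Next Header value (4 or 41 means a whole inner IP packet is wrapped, i.e. tunnel mode), and implements the RFC 4303 anti-replay window on the sequence number that both AH and ESP carry. One caveat the parser makes visible: AH fields are all cleartext, while in ESP the Pad Length and Next Header sit in the encrypted trailer, so the mode of an ESP packet is only known after decryption with the SA’s symmetric key. The sample packets are constructed and the ICV bytes are placeholders.

```python
import struct

IPPROTO_ESP = 50          # IP protocol numbers of the two IPsec sub-protocols
IPPROTO_AH = 51
IPPROTO_IPV4_IN_IP = 4    # Next Header 4  = an IPv4 packet is inside (tunnel mode)
IPPROTO_IPV6_IN_IP = 41   # Next Header 41 = an IPv6 packet is inside (tunnel mode)

# Constructed sample AH packet: Next Header 4 (inner IPv4 packet), Payload Len 4
# (24-byte AH = 6 words minus 2), SPI 0x1000, sequence 1, 12-byte ICV
# (placeholder bytes; a real ICV would be e.g. HMAC-SHA1-96 over the packet).
SAMPLE_AH_PACKET = (
    struct.pack("!BBHII", 4, 4, 0, 0x1000, 1)
    + b"\x11" * 12
    + b"<inner IPv4 packet bytes>"
)
# Constructed sample ESP packet: SPI 0x2000, sequence 7, then encrypted bytes.
SAMPLE_ESP_PACKET = struct.pack("!II", 0x2000, 7) + b"<ciphertext+trailer+ICV>"


def ipsec_mode(next_header):
    """Transport mode protects an upper-layer payload (e.g. TCP=6, UDP=17);
    tunnel mode wraps a whole inner IP packet, so Next Header is 4 or 41."""
    return "tunnel" if next_header in (IPPROTO_IPV4_IN_IP, IPPROTO_IPV6_IN_IP) else "transport"


def parse_ah(data):
    """Parse an Authentication Header (RFC 4302). Every field is cleartext:
    AH authenticates the packet, it does not encrypt it."""
    if len(data) < 12:
        raise ValueError("AH header truncated")
    next_header, payload_len, _reserved, spi, seq = struct.unpack("!BBHII", data[:12])
    ah_len = (payload_len + 2) * 4   # Payload Len is in 32-bit words, minus 2
    if len(data) < ah_len:
        raise ValueError("AH ICV truncated")
    return {"next_header": next_header, "mode": ipsec_mode(next_header),
            "spi": spi, "seq": seq, "icv": data[12:ah_len], "payload": data[ah_len:]}


def parse_esp_outer(data):
    """Parse the cleartext part of an ESP packet (RFC 4303). Pad Length and
    Next Header live in the encrypted trailer, so the mode is only known after
    decrypting with the symmetric key of the security association."""
    if len(data) < 8:
        raise ValueError("ESP header truncated")
    spi, seq = struct.unpack("!II", data[:8])
    return {"spi": spi, "seq": seq, "encrypted": data[8:]}


class ReplayWindow:
    """RFC 4303 section 3.4.3 anti-replay window over the sequence number.
    Bit 0 of the bitmap is the highest sequence number seen; bit n marks the
    packet n positions below it."""

    def __init__(self, size=64):
        self.size = size
        self.highest = 0
        self.bitmap = 0

    def check_and_update(self, seq):
        """Return True and record the packet if it is new and inside the window."""
        if seq == 0:                      # the first packet on an SA is number 1
            return False
        if seq > self.highest:
            shift = seq - self.highest
            mask = (1 << self.size) - 1
            self.bitmap = ((self.bitmap << shift) & mask) if shift < self.size else 0
            self.bitmap |= 1
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= self.size:             # too old: fell off the window
            return False
        if self.bitmap & (1 << diff):     # already seen: replay
            return False
        self.bitmap |= 1 << diff
        return True


def filter_ipsec_sequence(packets, proto, window=None):
    """Run raw AH or ESP packets of one SA through its replay window and
    return (accepted, dropped) lists of sequence numbers."""
    window = window or ReplayWindow()
    parse = parse_ah if proto == IPPROTO_AH else parse_esp_outer
    accepted, dropped = [], []
    for raw in packets:
        seq = parse(raw)["seq"]
        (accepted if window.check_and_update(seq) else dropped).append(seq)
    return accepted, dropped
```

In a real implementation the replay check runs only after the ICV has verified, so an attacker cannot advance the window with forged sequence numbers; the example keeps the window separate so the sliding logic itself is easy to read.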

In a remote-access VPN, tunneling typically relies on the Point-to-Point Protocol (PPP), which is part of the native protocols used by the Internet. More accurately, though, remote-access VPNs use one of three protocols based on PPP:

L2F (Layer 2 Forwarding) — Developed by Cisco; uses any authentication scheme supported by PPP

PPTP (Point-to-point Tunneling Protocol) — Supports 40-bit and 128-bit encryption and any authentication scheme supported by PPP

L2TP (Layer 2 Tunneling Protocol) — Combines features of PPTP and L2F and fully supports IPSec; also applicable in site-to-site VPNs

VPNs do such a good job of keeping businesses connected around the world that tunneling protocols haven’t changed much in that time.


PPTP, L2TP, OpenVPN, SSTP and IKEv2 Function

Edward Snowden has revealed that the NSA has for years been working on how to undermine VPN encryption technologies. Here is a rundown of the major differences between the VPN protocols and how they affect you as a VPN user.

PPTP

PPTP is an acronym for Point-to-Point Tunneling Protocol. It was developed by a consortium founded by Microsoft for creating VPN over dialup networks, and as such has long been the standard protocol for internal business VPN. It is a VPN protocol only, and relies on various authentication methods to provide security. Available as standard on just about every VPN capable platform and device, and thus being easy to set up without the need to install additional software, it remains a popular choice both for businesses and VPN providers. It also has the advantage of requiring a low computational overhead to implement, making it very fast.

However, although now usually only found using 128-bit encryption keys, in the years since it was first bundled with Windows 95 OSR2 back in 1999, a number of security vulnerabilities have come to light, the most serious of which is the possibility of unencapsulated MS-CHAP v2 Authentication. Using this exploit, PPTP has been cracked within 2 days, and although Microsoft has patched the flaw (through the use of PEAP authentication), it has itself issued a recommendation that VPN users should use L2TP/IPsec or SSTP instead.

Knowing that PPTP was insecure anyway, it came as no surprise to anybody that the NSA almost certainly decrypts PPTP encrypted communications as standard. Perhaps more worrying is that the NSA has (or is in the process of) almost certainly decrypted the vast amounts of older data it has stored, which was encrypted back when even security experts considered PPTP to be secure.

L2TP and L2TP/IPsec

Layer 2 Tunnel Protocol is a VPN protocol that on its own does not provide any encryption or confidentiality to traffic that passes through it. For this reason it is usually implemented with the IPsec encryption suite (similar to a cipher, as discussed below) to provide security and privacy.

L2TP/IPsec is built into all modern operating systems and VPN-capable devices, and is just as easy and quick to set up as PPTP (in fact it usually uses the same client). Problems can arise, however, because the L2TP protocol uses UDP port 500, which is more easily blocked by NAT firewalls, and may therefore require advanced configuration (port forwarding) when used behind a firewall (this is unlike SSL, which can use TCP port 443 to make it indistinguishable from normal HTTPS traffic).

IPsec encryption has no major known vulnerabilities, and if properly implemented may still be secure. However, Edward Snowden’s revelations have strongly hinted at the standard being compromised by the NSA, and as John Gilmore said, it is likely that it has been deliberately weakened during its design phase.

L2TP/IPsec encapsulates data twice, which slows things down, but this is offset by the fact that encryption/decryption occurs in the kernel and L2TP/IPsec allows multi-threading (which OpenVPN does not). The result is that L2TP/IPsec is theoretically faster than OpenVPN.

OpenVPN

OpenVPN is a fairly new open source technology that uses the OpenSSL library and SSLv3/TLSv1 protocols, along with an amalgam of other technologies, to provide a strong and reliable VPN solution. One of its major strengths is that it is highly configurable, and although it runs best on a UDP port, it can be set to run on any port, including TCP port 443. This makes traffic on it impossible to tell apart from traffic using standard HTTPS over SSL (as used by, for example, Gmail), and it is therefore extremely difficult to block.

Another advantage of OpenVPN is that the OpenSSL library used to provide encryption supports a number of cryptographic algorithms (e.g. AES, Blowfish, 3DES, CAST-128, Camellia and more), although VPN providers almost exclusively use either AES or Blowfish. 128-bit Blowfish is the default cipher built into OpenVPN, and although generally considered secure, it does have known weaknesses, and even its creator was quoted in 2007 as saying ‘at this point, though, I’m amazed it’s still being used. If people ask, I recommend AES instead, because it is the newer technology, and has no known weakness.’

How fast OpenVPN performs depends on the level of encryption employed, although technically speaking IPSec is faster than OpenVPN because encryption/decryption is performed in the kernel, and because it allows for multi-threading, which OpenVPN does not.

OpenVPN has become the default VPN connection type, and while natively supported by no platform, it is widely supported on most through third-party software (including both iOS and Android).

Perhaps most importantly in light of the information obtained from Edward Snowden, it seems that as long as Perfect Forward Secrecy (ephemeral key exchanges, which we discuss later) is used, then OpenVPN has not been compromised or weakened by the NSA.

Although no-one knows the full capabilities of the NSA for sure, both the evidence and the mathematics strongly point to OpenVPN, if used in conjunction with a strong cipher and ephemeral keys, being the only VPN protocol that can be considered truly secure. Unfortunately, not all VPN providers use PFS when implementing OpenVPN…
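What “ephemeral keys” buy is easiest to see in code. The following is an added example, not code from the original post, modelling two handshakes over a toy Diffie-Hellman group (p = 2**127 - 1, g = 3, constructed for illustration and far smaller than real groups): one that derives the session key from long-term (static) key pairs, and one that generates a fresh key pair per session. A recorded transcript plus a later leak of the server’s long-term private key lets the same recovery procedure reproduce the static-mode session key, but not the ephemeral one, because the ephemeral private exponents were discarded when the session ended. The nonce and key-derivation layout are assumptions of the model, not any protocol’s exact format.

```python
import hashlib
import secrets

# Toy Diffie-Hellman parameters constructed for this example (p = 2**127 - 1 is
# prime). Real deployments use standardised 2048-bit or elliptic-curve groups.
P = (1 << 127) - 1
G = 3


def dh_keypair():
    priv = secrets.randbelow(P - 3) + 2        # private exponent in [2, P-2]
    return priv, pow(G, priv, P)


def dh_shared_secret(priv, peer_pub):
    if not 1 < peer_pub < P - 1:               # reject degenerate public values
        raise ValueError("peer public value out of range")
    return pow(peer_pub, priv, P)


def derive_session_key(shared, nonce_c, nonce_s):
    return hashlib.sha256(shared.to_bytes(16, "big") + nonce_c + nonce_s).digest()


def session_static(client_static, server_static):
    """Non-PFS handshake: both sides use their long-term key pairs. The transcript
    (what a passive observer records) carries the long-term public values."""
    c_priv, c_pub = client_static
    s_priv, s_pub = server_static
    nonce_c, nonce_s = secrets.token_bytes(16), secrets.token_bytes(16)
    key = derive_session_key(dh_shared_secret(c_priv, s_pub), nonce_c, nonce_s)
    # Both sides arrive at the same key.
    assert key == derive_session_key(dh_shared_secret(s_priv, c_pub), nonce_c, nonce_s)
    transcript = {"client_pub": c_pub, "server_pub": s_pub,
                  "nonce_c": nonce_c, "nonce_s": nonce_s}
    return transcript, key


def session_ephemeral(client_static, server_static):
    """PFS handshake: a fresh key pair per session on each side. The long-term
    keys take no part in the secret (real protocols use them only to sign the
    ephemeral values); the ephemeral private exponents die with this call."""
    ec_priv, ec_pub = dh_keypair()
    es_priv, es_pub = dh_keypair()
    nonce_c, nonce_s = secrets.token_bytes(16), secrets.token_bytes(16)
    key = derive_session_key(dh_shared_secret(ec_priv, es_pub), nonce_c, nonce_s)
    assert key == derive_session_key(dh_shared_secret(es_priv, ec_pub), nonce_c, nonce_s)
    transcript = {"client_pub": ec_pub, "server_pub": es_pub,
                  "nonce_c": nonce_c, "nonce_s": nonce_s}
    return transcript, key


def recover_key_with_leaked_server_key(transcript, leaked_server_priv):
    """What a party holding a recorded transcript and the server's long-term
    private key can compute: DH against the client value in the transcript."""
    shared = dh_shared_secret(leaked_server_priv, transcript["client_pub"])
    return derive_session_key(shared, transcript["nonce_c"], transcript["nonce_s"])


if __name__ == "__main__":
    client, server = dh_keypair(), dh_keypair()
    t_static, k_static = session_static(client, server)
    t_eph, k_eph = session_ephemeral(client, server)
    print("static session recoverable:",
          recover_key_with_leaked_server_key(t_static, server[0]) == k_static)
    print("ephemeral session recoverable:",
          recover_key_with_leaked_server_key(t_eph, server[0]) == k_eph)
```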

SSTP

Secure Socket Tunneling Protocol was introduced by Microsoft in Windows Vista SP1, and although it is now available for Linux, RouterOS and SEIL, it is still largely a Windows-only platform (and there is a snowball’s chance in hell of it ever appearing on an Apple device!*). SSTP uses SSL v3, and therefore offers similar advantages to OpenVPN (such as the ability to use TCP port 443 to avoid NAT firewall issues), and because it is integrated into Windows it may be easier to use and more stable.

However unlike OpenVPN, SSTP is a proprietary standard owned by Microsoft. This means that the code is not open to public scrutiny, and Microsoft’s history of co-operating with the NSA, and on-going speculation about possible backdoors built-in to the Windows operating system, do not inspire us with confidence in the standard.

IKEv2

Internet Key Exchange (version 2) is an IPSec based tunnelling protocol that was jointly developed by Microsoft and Cisco, and which is baked into Windows 7 and above. The standard is supported by Blackberry devices, and independently developed (and largely compatible) versions of IKE have been developed for Linux (through various open source implementations) and other operating systems. As always, we are wary of anything developed by Microsoft, but if open source versions are used then there should be no problem.

Dubbed VPN Connect by Microsoft, IKEv2 is particularly good at automatically re-establishing a VPN connection when users temporarily lose their internet connections (such as when entering or leaving a train tunnel).

Mobile users in particular, therefore, benefit the most from using IKEv2, which, because of its support for the Mobility and Multihoming (MOBIKE) protocol, also makes it highly resilient to changing networks. It’s good news for cell phone users, who regularly switch between hotspots.

IKEv2 is even more useful to Blackberry users, as it is one of the few VPN protocols supported by Blackberry devices.

 


How Open VPN Works

First of all, what is this OpenVPN, whose software you may have seen before without installing it?

OpenVPN is an open-source software application that implements virtual private network (VPN) techniques for creating secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It uses a custom security protocol that utilizes SSL/TLS (Note: SSL makes a website secure by encrypting vital information) for key exchange. It is capable of traversing network address translators (NATs) and firewalls. It was written by James Yonan and is published under the GNU General Public License (GPL). It may be important to note that GNU General Public License is a widely used free software license, which guarantees end users the freedom to run, study, share and modify the software.

OpenVPN allows peers (interconnected nodes) to authenticate each other using a pre-shared secret key, certificates, or a username/password. When used in a multi-client server configuration, it allows the server to release an authentication certificate for every client, using signatures and a certificate authority. It uses the OpenSSL encryption library extensively, as well as the SSLv3/TLSv1 protocol, and contains many security and control features. We can easily determine that a site is secure when the URL starts with “https” and not just “http”.

OpenVPN has been ported and embedded to several systems. For example, DD-WRT has the OpenVPN server function. SoftEther VPN, a multi-protocol VPN server, has an implementation of OpenVPN protocol.

Private Tunnel VPN is a commercial spin-off of OpenVPN Technologies, a VPN service provider based in the US that, unusually, charges according to data transferred rather than per month.

Features of OpenVPN

Encryption

OpenVPN uses the OpenSSL library to provide encryption of both the data and control channels. It lets OpenSSL do all the encryption and authentication work, allowing OpenVPN to use all the ciphers available in the OpenSSL package. It can also use the HMAC packet authentication feature to add an additional layer of security to the connection (referred to as an “HMAC Firewall” by the creator). It can also use hardware acceleration to get better encryption performance. Support for mbed TLS is available starting from version 2.3.
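The “HMAC firewall” idea is that a packet which does not carry a valid HMAC under a pre-shared key is dropped before any of it is parsed, so the TLS stack never sees unauthenticated input. The block below is an added example in Python modelling that gate; it is not OpenVPN’s code or wire format. The packet layout (tag, packet id, timestamp, payload), HMAC-SHA256 and the 30-second clock-skew limit are assumptions of the model; OpenVPN’s tls-auth keys its HMAC from a static key file and uses the digest selected by the `auth` option.

```python
import hashlib
import hmac
import struct
import time

TAG_LEN = 32  # HMAC-SHA256 tag length (assumption for this model)


def seal_control_packet(key, packet_id, payload, timestamp=None):
    """Sender side: tag = HMAC(key, packet_id || timestamp || payload), tag first."""
    ts = int(time.time()) if timestamp is None else timestamp
    body = struct.pack("!II", packet_id, ts) + payload
    return hmac.new(key, body, hashlib.sha256).digest() + body


class HmacFirewall:
    """Receiver side: nothing past this gate is parsed unless the tag verifies.
    Packets with a bad tag, a stale timestamp or a repeated packet id are
    dropped and counted rather than handed to the TLS layer."""

    def __init__(self, key, max_skew=30):
        self.key = key
        self.max_skew = max_skew
        self.seen_ids = set()
        self.dropped = 0

    def _drop(self):
        self.dropped += 1
        return None

    def accept(self, packet, now=None):
        """Return the authenticated payload, or None if the packet is dropped."""
        if len(packet) < TAG_LEN + 8:
            return self._drop()
        tag, body = packet[:TAG_LEN], packet[TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            return self._drop()
        # Only now is it safe to read fields out of the packet.
        packet_id, ts = struct.unpack("!II", body[:8])
        now = int(time.time()) if now is None else now
        if abs(now - ts) > self.max_skew:            # stale or far-future packet
            return self._drop()
        if packet_id in self.seen_ids:               # replayed packet
            return self._drop()
        self.seen_ids.add(packet_id)
        return body[8:]


if __name__ == "__main__":
    key = b"\x42" * 32                               # constructed demo key
    fw = HmacFirewall(key)
    pkt = seal_control_packet(key, 1, b"client hello")
    print("first delivery:", fw.accept(pkt))
    print("replay:", fw.accept(pkt), "dropped so far:", fw.dropped)
```

The ordering inside `accept` is the point: the tag check happens before `struct.unpack`, so a malformed or hostile packet costs one HMAC computation and nothing else, which is also why this layer is useful against unauthenticated resource exhaustion of the TLS handshake.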

Authentication

OpenVPN has several ways to authenticate peers with each other. OpenVPN offers pre-shared keys, certificate-based, and username/password-based authentication. A pre-shared secret key is the easiest, with certificate-based being the most robust and feature-rich. In version 2.0, username/password authentication can be enabled, either with or without certificates. However, to make use of username/password authentication, OpenVPN depends on third-party modules.

Networking

OpenVPN can run over User Datagram Protocol (UDP) or Transmission Control Protocol (TCP) transports, multiplexing the created SSL tunnels on a single TCP/UDP port (RFC 3948 for UDP). From the 2.3.x series on, OpenVPN fully supports IPv6 as the protocol of the virtual network inside a tunnel, and the OpenVPN applications can also establish connections via IPv6. It has the ability to work through most proxy servers (including HTTP) and is good at working through Network Address Translation (NAT) and getting out through firewalls. The server configuration has the ability to “push” certain network configuration options to the clients. These include IP addresses, routing commands, and a few connection options.

Security

OpenVPN offers several internal security features. It has up to 256-bit encryption through the OpenSSL library, although some service providers may offer lower rates, effectively making the connection faster. It runs in userspace, instead of requiring IP stack (and therefore kernel) operation. OpenVPN has the ability to drop root privileges, use mlockall to prevent swapping sensitive data to disk, enter a chroot jail after initialization and apply a SELinux context after initialization.

OpenVPN runs a custom security protocol based on SSL and TLS rather than supporting IKE, IPsec, L2TP or PPTP. OpenVPN offers support for smart cards via PKCS#11-based cryptographic tokens.

Extensibility

OpenVPN can be extended with third-party plug-ins or scripts which can be called at defined entry points. The purpose of this is often to extend OpenVPN with more advanced logging, enhanced authentication with username and passwords, dynamic firewall updates, RADIUS integration and so on. The plug-ins are dynamically loadable modules, usually written in C, while the scripts interface can execute any scripts or binaries available to OpenVPN. In the OpenVPN source code there are some examples of such plug-ins, including a PAM authentication plug-in. Several third party plug-ins also exist to authenticate against LDAP or SQL databases such as SQLite and MySQL.

Platforms

It is available on Solaris, Linux, OpenBSD, FreeBSD, NetBSD, QNX, Mac OS X, and Windows XP and later. OpenVPN is available for mobile phone operating systems (OS) including Maemo, Windows Mobile 6.5 and below, iOS 3GS+ devices, jailbroken iOS 3.1.2+ devices, Android 4.0+ devices, and Android devices that have had the CyanogenMod aftermarket firmware flashed or have the correct kernel module installed. It is not compatible with some mobile phone OSes, including Palm OS.

 


Expats Reveals The Secret Of Internet Encryption

Encryption is the process of encoding data so that only a computer with the right decoder will be able to read and use it. You could use encryption to protect files on your computer or e-mails you send to friends or colleagues. An encryption key tells the computer what computations to perform on data in order to encrypt or decrypt it. The most common forms of encryption are symmetric-key encryption or public-key encryption:

  • In symmetric-key encryption, all computers (or users) share the same key used to both encrypt and decrypt a message.
  • In public-key encryption, each computer (or user) has a public-private key pair. One computer uses its private key to encrypt a message, and another computer uses the corresponding public key to decrypt that message.

In a VPN, the computers at each end of the tunnel encrypt the data entering the tunnel and decrypt it at the other end. However, a VPN needs more than just a pair of keys to apply encryption. That’s where protocols come in. A site-to-site VPN could use either Internet Protocol Security (IPSec) or generic routing encapsulation (GRE). GRE provides the framework for how to package the passenger protocol for transport over the Internet protocol (IP). This framework includes information on what type of packet you’re encapsulating and the connection between sender and receiver.


VPN and VPN Protocols

VPN stands for virtual private network, and it’s a type of technology that establishes a secure network connection over a public network, like the internet, or even within a service provider’s private network. Different institutions like government agencies, schools, and big corporations utilize the services of a VPN, so that their users will be able to connect securely to their private networks.


Just like a wide area network (WAN), VPN technology has the ability to link several sites together, even those separated by a large distance. Educational institutions, for example, use a VPN to connect campuses together, even those located in another country.

To use a virtual private network, users are required to provide a username and password for authentication. Some VPN connections also require a PIN (personal identification number), usually a unique verification code found in the form of a token. The said PIN changes every couple of seconds and is matched with the account’s username and password. Even if the token is stolen, it will be useless without the aforementioned information.

A virtual private network is able to maintain privacy through the use of security procedures and tunneling protocols. I have listed below the different VPN protocols and their description:

PPTP

Because it makes use of 128-bit keys to encrypt traffic, PPTP or Point-to-Point Tunneling Protocol is considered a less secure protocol than others. However, for many users this will already do, especially when they connect to a VPN only for personal use.

L2TP

A more secure choice is Layer 2 Tunneling Protocol or L2TP, because it works together with the IPSec protocol, which utilizes better protected encryption algorithms than those used with PPTP. The combination of the 3DES encryption algorithm and 168-bit keys is what makes L2TP encryption more powerful.

SSTP

Secure Socket Tunneling Protocol or SSTP is considered the most secure of all protocols, since it is an SSL VPN protocol and uses 2048-bit encryption keys, as well as authentication certificates.

The reason why it’s the strongest out of all VPN protocols is that it has the ability to operate even in network environments that block VPN protocols. Some countries like Belize do not allow the use of VPN connections, and there are certain companies that do this as well. A VPN with the SSTP protocol is useful for these types of situations.

With the above information, you can match up the type of VPN protocol that can work best for you. If you only want the service because you want to feel safe and secure when browsing the web at home or on hotspot connections, PPTP will work well for you. If you need more protection than what PPTP can provide, you only have to go to the next one to answer your needs.
