A virtual private network is a service that allows you to connect to servers anywhere in the world, pretending to be somewhere else and securing your connection. But how does VPN encryption work? Here's how it keeps your connection secure.
VPN protocols
To understand VPN encryption, we first need to look at VPN protocols. These are the programs that govern how a VPN communicates with other entities on the network, such as servers or locations; the term “protocol” is used here in the same sense as “set of rules”.
There are several protocols to choose from, including some developed by the VPN providers themselves, such as NordLynx by NordVPN or Lightway by ExpressVPN. The most reliable ones not tied to a specific VPN are probably the tried and tested OpenVPN and the relative newcomer WireGuard.
The choice of protocol determines many things: for example, WireGuard is much faster than most other protocols, while OpenVPN is considered among the most secure. This comes down to a number of factors, but what matters for our purposes is that the protocol also determines the type of encryption you can use in your VPN tunnel.
The basics of encryption
When you encrypt information, it is turned into gibberish using an algorithm that usually encrypts the information more than once. For example, when you were a child, you probably created a secret message by replacing the letters of the alphabet with numbers so that your friend Al's name became 1-12.
An algorithm does the same, but takes it a few thousand steps further, replacing letters with symbols which are then replaced again and again and again. The only way to unlock this mess and make it readable again is to use a so-called key.
In this case, a “key” is a piece of data that can unlock encrypted information. It's tempting to think of it as a password, but it's more than that: it's usually a long string of letters, numbers, and symbols that show the algorithm that you're authorized to decrypt the information.
Symmetric encryption
With the information itself secure, there is, of course, the question of what to do with the key, as this is the weakness of all encryption: if you have the key, you can unlock whatever it protects. The most basic way to handle keys is symmetric encryption, also known as shared-key encryption. In the case of you and your friend Al from earlier, you just told Al how the system works, which means you both had the key, as obvious as it was.
In more complex systems, symmetric encryption works more or less the same way: the key used to encrypt information is held by both parties. In the case of a VPN, your app or client encrypts your data with a key also held by the VPN server you connected to, so it can simply decrypt the information as it comes in.
AES and Blowfish
The most common types of symmetric encryption, called ciphers, are the Advanced Encryption Standard (AES) and Blowfish. AES was developed by the US government and is the military-grade encryption that many companies like to brag about. Blowfish was developed as an open-source cipher, but there is a lot of debate about how secure it is.
Regardless of which one you use, its strength depends largely on how many bits it has, essentially how large the piece of data that serves as the key is. The bigger the better, so AES-256 (i.e. 256 bits) is more secure than AES-128. AES-256 is probably the most common and also the most secure variant, so we recommend you stick with it in most cases.
Transmission keys
Of course, there is an obvious flaw in all of the above: if both parties to the exchange hold the same key, a clever operator could somehow intercept that key and then decrypt the information for himself. There are several ways to do this, such as impersonating an intermediate network node or other forms of eavesdropping.
To prevent this from happening, you must somehow encrypt the shared keys that are sent. Now, you could do this using even more shared keys, but that would just add a step for anyone listening. Far better to introduce a new type of encryption: public key encryption.
"Public key" is a confusing term, because "public" and "secure" are almost antonyms. However, the public key is only half of the equation. While in a shared-key system both the sender and the receiver have the same key, in a public key system only the sender's half is public, while the receiver's half is secret and known only to him.
This is actually a clever way of solving the problem: while the actual data is sent with shared keys, which are secret but can be easily intercepted, you transmit the keys themselves using an open system that is protected on the receiving end. In this way, data can be transmitted more or less freely, but safely from interference or spying.
Transport layer security
The way public key distribution and control works is through authentication: essentially, a third party vouches for you that the key being sent is genuine. The most common way to do this is by using the Transport Layer Security (TLS) protocol, a way for computers to communicate with each other securely on the internet.
TLS is used in all kinds of applications: often, when you connect to a website or other service, your password is double-checked via TLS. TLS itself also uses encryption to secure information, often using a simpler cipher called RSA.
RSA's keys are much larger (typically in the 1024-bit range or larger) than those used by AES or Blowfish, but because it does not encrypt information multiple times, it is not considered as secure. As such, it is best used for sending keys over the internet, since being simpler it decrypts faster, but it is probably best not used for actual VPN traffic.
Making a Hash of It
Besides RSA, TLS has one more trick up its sleeve, namely hashing. In this case, hashing is an additional form of checking that a request to retrieve a shared key is legitimate. It acts as a safeguard in case an attacker discovers how to forge a certificate.
There are several types of hashing algorithms: the most commonly used is SHA, and more specifically SHA-2. However, there are several variants of this algorithm, so you will often come across names such as SHA-256 or SHA-512.
Since the hashing step is a form of double-checking that everything is OK before proceeding with decryption, not every VPN uses it. However, most protocols allow it, and many providers will proudly tell you that they use it.
Layers upon Layers
The end result is a soup of hashes, algorithms and keys that probably boggles the mind, but the bottom line is that a good VPN protects you several times over: first, the actual connection is encrypted with AES or Blowfish, and then the keys that unlock this encryption are protected again, often more than once.
All of the best VPNs out there follow this pattern, and we recommend that you double-check that your VPN of choice does the same. Quite often, VPNs offer this information in their promotional materials so you can see for yourself how it works.