VPNs are a recent favorite in online security solutions. They are a tool that can allow users to remotely access the internet from behind a proxy VPN server, attaining near anonymity. However, that’s not all. The true strength of this technology resides in the fact that it can secure your online data. It does so by employing state-of-the-art encryption practices. But then the question arises, “how does VPN encryption work?”
That is what we aim to uncover and explain in today’s article. Before we do, we must clarify that although VPN protocols (also called security protocols) and VPN encryption are both adopted by VPN providers, neither is exclusive to VPNs. So, to understand how VPN encryption works, we must first look at how encryption works in general. Read on, and let’s take a look under the hood of the VPN machinery together.
What is encryption?
What does encryption mean? To answer in simple terms, imagine a safe with a lock. If the safe is locked, can you get at its contents? Not unless you open the lock, right? And to open the lock, you need the matching key. Encryption works much the same way, except that it doesn’t “lock” the data: it scrambles the data and turns it into something incomprehensible. At its core, encryption is a way of converting data from a readable format into an encoded, unreadable one with the help of an algorithm.
As with the lock, the key to encryption is the decryption key, without which one can’t undo the encryption and read the contents. Encryption is at the heart of VPNs for the same reason: it prevents prying third parties from intercepting, reading, or drawing inferences from the data traffic between the VPN client and the server. This lets the user hide sensitive data (or indeed any data) from the ISP, unwanted surveillance, and cybercriminals. A VPN is therefore a tool that can aid users with both privacy and security.
When data leaves your VPN client through the tunnel (the product of VPN protocols and encapsulation/encryption), the protocols at work turn the plaintext data packets into something incomprehensible and send them on their way to the server. The VPN server decrypts this data (using the relevant decryption keys) and talks to the websites on behalf of the client.
Types of VPN encryption
A VPN provider employs security protocols, also known as VPN protocols, to run its service. The encryption available is limited by, and dependent on, those protocols: if protocol A supports only cipher B, the provider cannot use other ciphers such as C or D with it. With that in mind, here are three popular encryption practices a VPN can employ.
Symmetric encryption
Symmetric encryption is one of the oldest encryption practices in the world, a code-translation system with roots going back to Roman times. The identifying characteristic of a symmetric cipher is that the same substitution mapping, the key, is needed both to encrypt and to decrypt the data; the name symmetric refers to this one key serving both sides. Modern symmetric ciphers, however, go far beyond a simple letter-shift system.
They involve algorithms that group the text into fixed-size grids (blocks). The content of each block is transformed by the key: shifted, scrambled, and swapped in numerous ways according to the encryption profile. This practice is called a block cipher and is common in VPNs. Two leading symmetric ciphers are:
1. AES (Advanced Encryption Standard)
AES was a product of two Belgian cryptologists. It is a block cipher that breaks up streams (of data) into arrays of 128 bits. The key can be 128, 192, or 256 bits long. Each round of conversion involves one of four operations: transformation, substitution, row shifting, or column mixing. AES is a trustworthy cipher policy that most major VPN providers employ. This includes the likes of Express VPN, NordVPN, and CyberGhost VPN, among others.
2. Blowfish
Blowfish is an open-source alternative to AES. Some VPN providers employ Blowfish over AES as a way of generating trust, and OpenVPN also uses it, but it is far rarer than AES. Although it found a niche alongside AES, its small block size made it vulnerable to attacks, so it was gradually dropped from VPNs.
Public key encryption
PKE, or Public Key Encryption, is the counterpart to symmetric encryption such as AES. Why are other encryption profiles needed when AES is so strong? Because no matter how robust symmetric encryption is, anyone who obtains the key can read the communication with ease. Protecting that key is therefore paramount for VPNs, and this is what gave rise to PKE. It uses different keys for encryption and decryption, so the risk of the encryption key falling into the wrong hands is negated. That also explains the name: the encryption key is public while the decryption key remains private. VPNs use PKE to protect the transfer of AES keys.
Three different mechanisms that can transfer AES keys are:
- Transport Layer Security — TLS provides an authentic system that strengthens the security of public keys. It is not only used by VPNs but is also widespread on the internet. TLS is what makes web pages secure. It’s the predecessor of SSL (Secure Sockets Layer), and the Netscape corporation was responsible for it.
- RSA — A reliable PKE cipher and the oldest PKE practice, in service since 1977. It predates SSL, HTTP, and much of the internet. An RSA key is a long key built from two prime numbers; typical RSA keys are 1024, 2048, or 4096 bits. However, it is slow.
- Diffie-Hellman — As old as RSA, the Diffie-Hellman system is also built into TLS procedures and is part of the OpenSSL library, so many VPNs use it for AES key distribution. Under DH, the server’s key is on a certificate while the client’s is generated randomly.
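The Diffie-Hellman exchange described above, in working code as an added example that is not from the original article: each side generates a random X25519 key pair with Go's standard crypto/ecdh package, only the public halves are exchanged, and both sides derive the same AES-256 key. The SHA-256 key-derivation step and its label string are simplifications assumed for this demo; real protocols use HKDF or the TLS key schedule.

```go
package main

import (
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
)

// NewKeyPair makes a fresh random X25519 key pair. The private half never leaves
// the machine; only the public half is sent to the peer.
func NewKeyPair() (*ecdh.PrivateKey, error) {
	return ecdh.X25519().GenerateKey(rand.Reader)
}

// SessionKey combines my private key with the peer's public key and hashes the
// result down to a 32-byte AES-256 key. Both sides reach the same value although
// neither private key was transmitted. (Simplified KDF assumed for this demo.)
func SessionKey(me *ecdh.PrivateKey, peer *ecdh.PublicKey) ([]byte, error) {
	shared, err := me.ECDH(peer)
	if err != nil {
		return nil, err
	}
	k := sha256.Sum256(append([]byte("demo-vpn-aes-key|"), shared...))
	return k[:], nil
}

// Handshake runs one exchange between a client and a server and returns the key
// each side derived. Only the two public keys cross the wire.
func Handshake() (clientKey, serverKey []byte, err error) {
	client, err := NewKeyPair() // random, as the text says of the client key
	if err != nil {
		return nil, nil, err
	}
	server, err := NewKeyPair() // a real server would use its certificate key
	if err != nil {
		return nil, nil, err
	}
	clientKey, err = SessionKey(client, server.PublicKey()) // client's view
	if err != nil {
		return nil, nil, err
	}
	serverKey, err = SessionKey(server, client.PublicKey()) // server's view
	return clientKey, serverKey, err
}
```

Because every handshake uses fresh random key pairs, two runs produce unrelated session keys, which is the property the article later calls perfect forward secrecy.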
Hashing
The third method entails hashing, and many VPNs employ SHA (Secure Hash Algorithm). The purpose of hashing is to preserve the integrity of data in transit; it also confirms whether a message came from the claimed source. SHA belongs to this hashing method and is part of the TLS procedures. Hashing, however, doesn’t take place through the VPN; it is part of the certificate retrieval process and ensures the authenticity of that procedure.
There are many versions of SHA, such as SHA-1, SHA-2, and SHA-3. SHA-1 is problematic, while SHA-2 is the version most commonly used in VPNs.
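Integrity checking with SHA-2 in working code, as an added example that is not part of the original article: a keyed hash (HMAC-SHA256) is computed over a constructed packet and recomputed by the receiver with the shared key, so any alteration in transit is detected. The function names, the demo key, and the sample packet are assumptions of this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Tag computes an HMAC-SHA256 authentication tag over a packet. Unlike a plain
// SHA-256 digest, the tag depends on the shared key, so a third party who alters
// the packet in transit cannot simply recompute a matching tag.
func Tag(key, packet []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(packet)
	return m.Sum(nil) // 32 bytes (256 bits)
}

// Verify recomputes the tag on the receiving side and compares it in constant
// time, so timing differences do not leak how many tag bytes matched.
func Verify(key, packet, tag []byte) bool {
	return hmac.Equal(Tag(key, packet), tag)
}

// TamperDetected tags a packet, flips one bit of a copy (constructed in-transit
// corruption) and reports whether the untouched packet passes while the altered
// copy fails. A single-bit change anywhere in the payload changes the whole tag.
func TamperDetected(key, packet []byte) bool {
	if len(packet) == 0 {
		return false
	}
	tag := Tag(key, packet)
	altered := append([]byte{}, packet...)
	altered[len(altered)/2] ^= 0x01
	return Verify(key, packet, tag) && !Verify(key, altered, tag)
}

func main() {
	key := []byte("constructed-demo-integrity-key")            // not a real key
	packet := []byte("client->server: GET /account HTTP/1.1") // constructed sample
	fmt.Println(hex.EncodeToString(Tag(key, packet)))
	fmt.Println("tamper detected:", TamperDetected(key, packet))
}
```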
How does VPN encryption work?
VPN encryption may sound simple enough when explained, but a lot goes on behind the scenes, undetected by the user. We will walk through the process as a whole while looking at the background activity.
- First, let us start with the transmission of data packets by the user.
- Then, the VPN client will intercept any outgoing data while the VPN connection is on to check for “Interesting traffic.”
- The term interesting traffic refers to traffic that’s subject to a VPN tunnel and hence needs encryption.
- The client will establish a tunnel to the server with the help of protocols.
- This tunnel is responsible for the whole encapsulation process and runs on the chosen encryption profiles.
- Interesting data is encrypted in the tunnel and reaches the server.
- Then, the server forwards the data to the relevant web servers after decrypting it.
- The response is then received by the server in the same way.
- Again, it undergoes encryption in the tunnel before it reaches the client.
- Now, the client decrypts the data from the server and presents it before you.
But how did the encryption happen? Sure, we know when it happened and why, but to understand how, continue reading.
Understanding VPN encryption
To comprehend VPN encryption, you need to know about its four stages:
- Asymmetric key exchange
  - At the first stage, a handshake takes place. It is an automatic exchange between the VPN client and the VPN server via asymmetric key exchange.
  - It creates two encryption keys: public and private. Why two? Because most VPNs employ all three encryption methodologies to ensure optimum security, so instead of a single private key we get two keys.
  - The public key can only encrypt data, so it gets exchanged between the client and the server.
  - The private key remains with its owner to decrypt data at the different stages.
  - Secure communication is thus established over an open channel.
- Symmetric key exchange
  - At the second stage, a symmetric key exchange is performed.
  - It creates a new key that the encryption algorithm will use to transfer the actual data. This is done for the sake of perfect forward secrecy (PFS).
  - Furthermore, it means that if by chance the previous step was compromised, the data remains secure.
- Encryption algorithm
  - The third stage lets the encryption algorithm use the symmetric key derived before.
  - The leading symmetric cipher is AES, so the cipher used will most likely be AES-256-GCM.
  - All your data is now encrypted with it.
- Integrity algorithms
  - Lastly, at stage four, integrity algorithms are applied. This is to assure the communicating parties of the authenticity of the data.
  - Simply put, VPNs use hashing to partially scramble the outgoing information.
  - The server can now check both the function and the private key.
  - A match corroborates that the information hasn’t been interfered with.
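Stages three and four in working code, as an added example that is not from the original article or from any VPN product: it uses Go's standard-library AES-256-GCM (the cipher named above, and the AES block cipher from the symmetric encryption section) to encrypt a constructed packet under a placeholder key, and shows that one flipped bit in transit makes decryption fail instead of yielding corrupt data, since GCM's tag is the integrity check. The 32-byte key is a constructed stand-in for what the key exchange of stages one and two would produce.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Seal encrypts one packet with AES-GCM. AES always works on 128-bit blocks
// whatever the key length; GCM adds a 16-byte tag that authenticates every bit of
// the ciphertext. The random nonce is sent in front and must never repeat per key.
func Seal(aead cipher.AEAD, packet []byte) []byte {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // a failing OS CSPRNG is not something to recover from here
	}
	return aead.Seal(nonce, nonce, packet, nil)
}

// Open splits off the nonce and decrypts. One changed bit in the ciphertext or
// tag makes it return an error instead of corrupt plaintext.
func Open(aead cipher.AEAD, sealed []byte) ([]byte, error) {
	n := aead.NonceSize()
	if len(sealed) < n+aead.Overhead() {
		return nil, errors.New("message too short")
	}
	return aead.Open(nil, sealed[:n], sealed[n:], nil)
}

// RoundTrip sends a packet through Seal/Open, then retries a copy with one
// flipped ciphertext bit, reporting whether the good copy was read back intact
// and whether the altered copy was rejected.
func RoundTrip(key, packet []byte) (delivered, tamperRejected bool, err error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return false, false, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return false, false, err
	}
	sealed := Seal(aead, packet)
	got, err := Open(aead, sealed)
	delivered = err == nil && bytes.Equal(got, packet)
	sealed[len(sealed)-1] ^= 0x80 // constructed in-transit tampering of the tag
	_, err = Open(aead, sealed)
	return delivered, err != nil, nil
}
```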