Encryption and Security
So what is a VPN, and is it useful to me? What is encryption and how does it work? Mystified? Well, read on for some simple(ish) explanations of some of the more common security terms.
A VPN is exactly what is being described. It is a virtually private network. In other words, it is information sent between two parties who share some prior knowledge that allows them to decode each other's messages. This is referred to as a tunnel because no one outside our pre-shared information can see what is within: the information is encrypted and authenticated, that is, each party can be sure of the identity of the sender and that no one was able to understand or change the information after it was sent.
A type of tunnelling is in evidence every time you purchase something online or log in to an account with a website such as eBay, and this is called public/private key encryption. In the case of eBay, they do not know if the computer you are using is who it says it is (it has no certificate to authenticate with). The only important thing is that your computer believes eBay are who they say they are. Your computer verifies this because eBay use a certificate that is issued by a Certification Authority that Microsoft or Macintosh have verified as authentic, and so your computer trusts the certificate and encrypts the information using the private key included in it. eBay trust you because once the encrypted tunnel between you and eBay is working, they ask you for your password, which is sent as encrypted traffic using the authenticated certificate eBay supplied. This form of encryption is typically used by the Secure Sockets Layer (SSL) or its successor, TLS (Transport Layer Security).
In a VPN, both parties must know who the other is, and this is usually achieved with a shared secret combined with a hash algorithm, known as a keyed hash algorithm. A hash algorithm takes a message of any length and returns a fixed-length hash which is very difficult to fake because it is infeasible to find two messages that give the same result. The two parties add an incrementing number to transmissions so that someone trying to decode and fake messages will not be verified, as they will not be including the incrementing number in subsequent messages. Once authenticated, further communication is made using symmetric ciphers, which rely on encrypting information using a pre-shared secret. The disadvantages are that the two parties must have previously exchanged secure information and that the secret must be constantly changed to prevent the encryption being compromised.
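The keyed hash with an incrementing number described above, sketched as an added example (not code from the original page). It assumes HMAC-SHA256 as the keyed hash and an 8-byte counter; the secret, messages and function names are constructed for illustration.

```python
import hashlib
import hmac


def tag_message(shared_secret: bytes, counter: int, message: bytes) -> bytes:
    """Keyed hash over the incrementing number followed by the message."""
    data = counter.to_bytes(8, "big") + message
    return hmac.new(shared_secret, data, hashlib.sha256).digest()


class Receiver:
    """Accepts a message only if its counter is new and its tag verifies."""

    def __init__(self, shared_secret: bytes):
        self.shared_secret = shared_secret
        self.last_counter = 0

    def accept(self, counter: int, message: bytes, tag: bytes) -> bool:
        if counter <= self.last_counter:
            return False  # replayed or out-of-date transmission
        expected = tag_message(self.shared_secret, counter, message)
        if not hmac.compare_digest(expected, tag):
            return False  # altered message, or sender lacks the secret
        self.last_counter = counter
        return True


def demo() -> list:
    secret = b"constructed-demo-secret"  # constructed sample value
    rx = Receiver(secret)
    first = b"apples: 40"
    first_tag = tag_message(secret, 1, first)
    second = b"apples: 55"
    return [
        rx.accept(1, first, first_tag),                           # genuine
        rx.accept(1, first, first_tag),                           # replay
        rx.accept(2, b"apples: 400", first_tag),                  # altered text
        rx.accept(2, first, tag_message(b"wrong-key", 2, first)),  # no secret
        rx.accept(2, second, tag_message(secret, 2, second)),     # genuine
    ]


if __name__ == "__main__":
    print(demo())
```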
The main thing to bear in mind is that it is all the same. Sure, there are different methods of encryption and different methods of authentication, but as long as both are ensured to a sensible level we are more or less talking about the same thing. In the main, the difference between a VPN and normal use of TLS or SSL communications is tied to the factor of Authentication. VPNs require valid hosts at both or all ends.
How does any of it work, though? Let's take a look at Public Key Encryption. SSL and its successor TLS both use Public Key Encryption, as does the new IP version, IPv6, which uses IPsec (Internet Protocol Security) to encode all traffic. I must take this opportunity to warn you that none of this is necessary knowledge to put a working VPN system in place, so don't come back complaining it wasn't in your Microsoft exam.
I want to tell my friend Marc how many apples I have collected from the orchards where we work, but I do not want Rob or his competitive friends to know, so that they do not deliberately stay longer to collect just a few more. I therefore devise a simple coding in advance with Marc: I will give a sign when I am about to say my collected number of apples, and that amount will be 'encoded.' For instance, I might give a sign to Marc by climbing onto my bike and ringing the bell (a sign that can easily be mistaken by Rob and his friends, as we are about to head off home anyway), and then Marc will know that the amount I say will be multiplied by five. Five in this example is sufficient because Rob and his friends will have to spend so long collecting apples to compete that they will give up virtually before they start and still have no real idea how many apples I may have collected. This amount is 'encoded' (in this example by private encryption) because both of us know my private key: that the amount is multiplied by 5.
So what we are in effect creating is a private key tunnel: a way of communicating securely as long as we have a secure way of exchanging our private key and we can recognise each other and our own pre-agreed method of encryption, i.e. we can successfully Authenticate and Encrypt. But what if matters were different? What if Marc and I were separated and had no secure means of exchanging our private keys? Well, a method which allows us to achieve this is a relatively simple mathematical function, but it is fairly slow to encrypt. It is referred to as Public Key Encryption and was developed at GCHQ in Britain by three men called James Ellis, Clifford Cocks and Malcolm J. Williamson. James Ellis had come up with the idea of Public Key Encryption but had not conceived how to implement it. Clifford Cocks, who was also working at GCHQ, heard of the idea, was intrigued, and went home and literally thought up the system in less than half an hour. Cocks's system did, however, work with a specific value for the public exponent (see below), and in 1974 Malcolm J. Williamson proposed using a general public exponent. The system is known as the Diffie-Hellman key exchange because of one very important reason. GCHQ is the British equivalent of the NSA and is responsible for the encryption of secret messages on behalf of the MOD (Ministry of Defence) and also the decoding of any suspicious messages intercepted in the UK. The fact that this method had existed, at least in secret, since the early 1970s was not discovered until 1997, when Cocks was allowed to divulge the information relating to a technology which GCHQ had never found much use for. It was, however, of no consequence by this time, as in 1976-7 Ronald Rivest, Adi Shamir and Leonard Adleman discovered and published the same system, and soon a real use for the functionality would make RSA one of the most commonly found pieces of software on the planet.
It should be noted that the Military are not so interested in Public Key Cryptography, usually because a pre-shared code can be easily exchanged and the early computers at the time of invention could not perform the math.
So how does it work? How can there be a secure way of knowing that I am really talking to who they say they are, and also of knowing that no one else will know what we are saying? Firstly, it is not true to say that no one can know what we are saying, just that if we encrypt our messages with sufficiently large values for our formulae, the chance of anyone decoding a single exchange until long after we have stopped talking is very slender.
The system works by the two parties choosing a prime number and a base to create a one-way trapdoor effect. Let us go back to the orchard to see how Marc and I can use these numbers now that we are trying to communicate the totals of apples harvested that working day by email and are wary of Rob and his cohorts reading our clear-text emails. We must therefore exchange some kind of code that we will both know but that is not derivable from our exchanges.
Marc and I are going to choose prime number 11 as our prime, so p=11, and our base as 3, so q=3.
I am encoding my number of apples harvested for that day, and so I decide upon a secret integer to multiply, again just as before, and this time I choose s=9, so I encrypt the number as follows. I send Marc q^s mod p (q=3, so 3 to the power 9; mod simply means the remainder left after you divide, so 3^9 = 19683, and 19683/11 = 1789.3636 recurring, so we remove the integer part to be left with 0.3636 recurring and multiply again by 11), which gives us our remainder as 4.
Marc chooses a secret integer too, m=8, and then sends me q^m mod p, or 3^8 mod 11 = 5.
I compute (q^m mod p)^s mod p = 5^9 mod 11 = 9.
Marc computes (q^s mod p)^m mod p = 4^8 mod 11 = 9.
We have both derived the same value because q^(sm) and q^(ms) are equal, and bear in mind that m, s, q^(sm), and q^(ms) are the only values transmitted publicly; all of the other values are kept entirely private. Once this exchange has taken place we have arrived at a number (please bear in mind it only turned out to be the number Simon chose by chance, and would normally be a number unknown by either party until the calculation was carried out), and we can use this number to encrypt our apple harvest. As long as we use sufficiently large values for our secret and prime numbers, i.e. our prime was over 300 figures and our secret numbers for Simon and Marc over 100 figures, it would take even the most efficient algorithms known to humankind more than the lifetime of the universe to crack our system. Our new number, derived from performing the above with properly large values, becomes Marc's and my Secret Shared Key and may be used to encrypt future messages.
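The orchard exchange above carried through in code, as an added example that is not part of the original page. It uses the page's own numbers (p=11, q=3, secrets 9 and 8) and then shows why the page insists on very large values: with a prime this small, an observer who sees only the two values sent (4 and 5) can find a working exponent by trying each in turn. Function names are illustrative.

```python
P, Q = 11, 3  # public prime and base chosen on the page


def public_value(secret: int, p: int = P, q: int = Q) -> int:
    """Value sent over the wire: q^secret mod p."""
    return pow(q, secret, p)


def shared_key(their_public: int, my_secret: int, p: int = P) -> int:
    """Key each side derives from the value the other side sent."""
    return pow(their_public, my_secret, p)


def recover_exponent(public: int, p: int = P, q: int = Q):
    """Exhaustive search for x with q^x mod p == public.

    Feasible only because p is tiny; the page's 300-figure prime
    puts this search far out of reach.
    """
    value = 1
    for x in range(1, p):
        value = (value * q) % p
        if value == public:
            return x
    return None


def run_exchange(s: int = 9, m: int = 8) -> dict:
    a = public_value(s)        # what I send Marc
    b = public_value(m)        # what Marc sends me
    x = recover_exponent(a)    # observer knows only p, q, a and b
    return {
        "sent_by_me": a,
        "sent_by_marc": b,
        "my_key": shared_key(b, s),
        "marc_key": shared_key(a, m),
        "observer_exponent": x,
        "observer_key": shared_key(b, x),
    }


if __name__ == "__main__":
    for name, value in run_exchange().items():
        print(f"{name}: {value}")
```

The observer finds exponent 4 rather than 9, yet still derives the same key, because any exponent that reproduces the sent value works equally well.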
In reality there are more factors that must be taken into account to verify Authentication, so as to make sure that I am talking to Marc and not someone impersonating him. This incorporates assigned certificates and certificate authorities, just like those that you use every time your browser tells you that you are entering a secure zone and the http:// at the front of the web address (URL) you are visiting is replaced by https://. This is the most typical use of SSL or TLS: to secure web pages.
A Note on the Truth
There are other variants of encryption used when communicating across the Internet to form VPNs, such as block ciphers like 3DES and AES/Rijndael, which are very commonly used in tunnelling, often in partnership with hash algorithms like SHA1 or MD5. In truth, it is some or all of these security measures acting together that represents most modern VPN tunnelling systems used in equipment like the Checkpoint NG, Windows Server or Cisco PIX. 3DES is still typically the cipher, even though it is 56-bit DES performed 3 times, and SHA1 is used as a hash algorithm for authentication. Both of these technologies are being superseded by AES/Rijndael and SHA2.