We won’t mince words, so we will just say outright: VPNs can be hacked with about one year of computer time on a $100 million supercomputer. In the words of the Five Eyes countries which do heavy surveillance on the online activities of their citizens, “Privacy is not absolute.” This doesn’t mean you’re better off not using a
The only agency that’s capable of hacking
Aside from disclosing the extent to which the Five Eyes countries invade the privacy of their citizens and share the data with each other, Snowden’s revelation also included the NSA’s
This was supported by research headed by Halderman and Heninger who found some loopholes in the Diffie-Hellman cryptographic key exchange which is used by most
What it takes to hack VPNs
Before going into the vulnerabilities that Halderman and Heninger’s team found, let’s take a look at what it takes to hack VPNs.
It will take one year of computer time, and a $100-million supercomputer to crack a 1024-bit prime.
It will certainly require a lot of resources to hack encrypted
There are security experts who disputed this figure, but they still agree that some
We’re also talking only about 1024-bit prime numbers since 2048-bit key lengths are even harder and more expensive (even close to impossible) to crack. So VPNs are still necessary and effective in protecting people from hacking techniques such as the fake WAP attacks that hackers use in public.
How VPN encryption works
Now let’s get into the nitty-gritty details of the vulnerabilities around encryption that can be exploited by the NSA. To be clear, it’s not only the
Encryption is the process of converting readable, plaintext data into unreadable data called ciphertext. Anyone who intercepts your traffic will see the ciphertext instead of the plaintext, so they won’t know what the traffic contains. Think of encryption like a padlock—it’s the all-familiar symbol of encryption.
Nobody will know what’s behind the lock unless they have the keys. Not all padlocks are created equal though; combination locks are generally more secure than warded locks. The same is true with encryption.
- Encryption algorithm: It’s the cryptographic algorithm or cipher that defines how encryption and decryption are performed. Among the most popular ciphers are AES, DES/3DES, and Blowfish, with AES being the latest standard used by VPN providers.
- Key exchange algorithm: Aside from this, VPNs also use another algorithm for key exchange. Examples of this are RSA and DH (Diffie-Hellman).
- Key length: Key length is expressed in bits and usually written along with the cipher so that it becomes AES-128 or AES-256.
VPNs you’ll encounter nowadays usually employ AES-256, a secure encryption algorithm that is very tough to crack.
Types of encryption
There is also a need to understand the different types of encryption, which is where the vulnerability comes in:
- Symmetric: Also called “private-key cryptography,” this type of encryption uses one key to encrypt and decrypt information. The most common symmetric encryption algorithms used with VPNs are Blowfish, DES, and AES. Symmetric encryption is easier to crack compared to other types of encryption since you only need to get a hold of that one key to decrypt the connection. To solve this problem, symmetric keys are often exchanged using an asymmetric algorithm.
- Asymmetric: Asymmetric encryption needs two different keys: one to encrypt the information, and the other one to decrypt it. This type of encryption is also called “public-key cryptography,” and one of the first algorithms of this type is the Diffie-Hellman algorithm. Both client and server using this algorithm need to agree on a large prime number in a particular format.
This algorithm is considered an important feature of modern cryptography and is widely used by VPNs for key exchange and Perfect Forward Secrecy. For instance, AES keys are exchanged using the Diffie-Hellman algorithm to make the exchange more secure. Indeed, it is very secure, but the problem lies in the implementation.
Everyone seems to be using the same prime, which is usually 1024 bits; several applications even hard-coded this prime. Someone (like the NSA as discussed earlier) will only need to precompute that one specific prime to gain access to all individual connections. Since this 1024-bit prime is commonly used, the NSA only needs to crack this particular prime to decrypt trillions of
- Hashing: This type of encryption is primarily used by VPNs to verify the authenticity of email messages that are sent through the network. It makes use of one-way encryption. The most commonly used hashing algorithms are MD5, SHA-1, and SHA-2. MD5 and SHA-1 are no longer considered safe.
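The Diffie-Hellman exchange described above, as an added Python example that is not from the original article: both sides share a public prime, derive the same secret, and hash it into a 256-bit key, and the handshake refuses primes below 2048 bits. The toy 127-bit prime, the generator 3, the SHA-256 key derivation and all function names are assumptions made for illustration.

```python
import hashlib
import secrets

# Toy group, illustration only: 2**127 - 1 is a known Mersenne prime. It is
# far smaller than the 1024-bit primes the article describes as crackable.
TOY_P = 2**127 - 1
TOY_G = 3


def check_group(p, min_bits=2048):
    """True only if the shared prime meets the minimum size."""
    return p.bit_length() >= min_bits


class Peer:
    """One side of the exchange; p and g are public and shared by both peers."""

    def __init__(self, p, g):
        self.p = p
        self._x = secrets.randbelow(p - 3) + 2   # private exponent in [2, p-2]
        self.public = pow(g, self._x, p)         # value sent over the wire

    def session_key(self, peer_public):
        # Reject degenerate values (0, 1, p-1) that force a predictable secret.
        if not 2 <= peer_public <= self.p - 2:
            raise ValueError("invalid peer public value")
        shared = pow(peer_public, self._x, self.p)
        raw = shared.to_bytes((self.p.bit_length() + 7) // 8, "big")
        # Simplified derivation (assumption): real VPNs use a proper KDF.
        return hashlib.sha256(raw).digest()      # 32 bytes, the AES-256 key size


def handshake(p, g, min_bits=2048):
    """Run both sides; return (client_key, server_key)."""
    if not check_group(p, min_bits):
        raise ValueError(f"{p.bit_length()}-bit prime is below {min_bits} bits")
    client, server = Peer(p, g), Peer(p, g)
    return client.session_key(server.public), server.session_key(client.public)


if __name__ == "__main__":
    c_key, s_key = handshake(TOY_P, TOY_G, min_bits=127)  # limit lowered for the demo
    print("keys match:", c_key == s_key, "| key bytes:", len(c_key))
```

Only the private exponents differ between connections; the prime is the same for everyone who uses the group, which is why its size is what the handshake checks.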
If there’s one thing we can take from Halderman and Heninger’s discovery of this vulnerability, it’s that digital security solutions are continuously evolving, which is the same with other areas of technology. The standards considered secure nowadays may not be secure in the future.
What this means to VPN users
Using a
With the right
- VPN protocol: There are several VPN protocols. However, the most secure is the OpenVPN protocol, so choose a VPN provider that supports this one. There’s also a new protocol called WireGuard which is still in the works. It looks promising, and we will be on the lookout for this one.
- Encryption algorithm: AES-256 is the most secure algorithm to use. There are no reports of it being vulnerable as compared to old standards like Blowfish and DES. If the provider uses Diffie-Hellman as the key exchange, make sure that it’s the 2048-bit and not the 1024-bit prime.
- Hashing algorithm: As previously mentioned, the MD5 and SHA-1 hash algorithms are no longer secure. Therefore, choose a provider that uses SHA-2 hashing, which groups four hash functions: SHA224, SHA256, SHA384, and SHA512.
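One way to check the items above against an OpenVPN-style configuration, as an added Python example that is not from the original article: it reads the `cipher` and `auth` directives and measures the prime in the PEM `DH PARAMETERS` file. The sample configuration, the sample parameters (a constructed odd number, not a real prime) and all function names are assumptions made for illustration.

```python
import base64
import re

WEAK = {"cipher": ("BF", "DES"), "auth": ("MD5", "SHA1")}  # OpenVPN name prefixes
MIN_DH_BITS = 2048
SAMPLE_CONFIG = "proto udp\ncipher BF-CBC\nauth SHA1\ndh dh1024.pem\n"  # constructed

def _tlv(buf):
    """Split the first DER tag-length-value in buf into (tag, value)."""
    tag, n, pos = buf[0], buf[1], 2
    if n & 0x80:               # long form: low 7 bits count the length bytes
        pos += n & 0x7F
        n = int.from_bytes(buf[2:pos], "big")
    return tag, buf[pos:pos + n]

def dh_prime_bits(pem):
    """Bit length of p in a PEM DH PARAMETERS block: SEQUENCE { INTEGER p, ... }."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.+?)-----END", pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    tag, seq = _tlv(base64.b64decode(m.group(1)))
    ptag, p = _tlv(seq)
    if tag != 0x30 or ptag != 0x02:
        raise ValueError("unexpected DER structure")
    return int.from_bytes(p, "big").bit_length()

def audit(config_text, dh_pem):
    """Findings for an OpenVPN-style config plus its DH parameter file."""
    opts = {}
    for line in config_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0][0] not in "#;":   # skip comment lines
            opts[parts[0]] = parts[1].strip().upper()
    findings = [f"weak {k}: {opts[k]}" for k in WEAK if opts.get(k, "").startswith(WEAK[k])]
    bits = dh_prime_bits(dh_pem)
    if bits < MIN_DH_BITS:
        findings.append(f"DH prime is {bits} bits, below {MIN_DH_BITS}")
    return findings

def _enc(tag, v):              # DER-encode one value (sample builder only)
    n, k = len(v), (len(v).bit_length() + 7) // 8
    head = bytes([n]) if n < 128 else bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + head + v

def sample_dh_pem(bits):
    """Constructed input: an odd number of the given size, not a real prime."""
    p = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")
    b64 = base64.encodebytes(_enc(0x30, _enc(0x02, p) + _enc(0x02, b"\x02"))).decode()
    return f"-----BEGIN DH PARAMETERS-----\n{b64}-----END DH PARAMETERS-----\n"
```

Calling `audit(SAMPLE_CONFIG, sample_dh_pem(1024))` reports all three weaknesses; the audit only measures the size of the prime and does not test whether it is prime or widely shared.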
Some