What is encryption? And why it matters in a VPN

Encryption is a term used to describe the methods that hide the true meaning of messages using code, especially to prevent unauthorized access to the information in the messages.

Not all users of virtual private networks (VPNs) care about encryption, but many are interested in it and benefit from strong end-to-end encryption. So let’s have a look at the different types of encryption and what makes them tick.

We have discussed the different types of VPN protocols elsewhere, and pointed out that a big factor in many of the important properties of a VPN is the type and strength of encryption. To accomplish end-to-end encryption, a process called VPN tunneling is needed.

What is a VPN tunnel?

A VPN tunnel is an encrypted link between your device and an outside network. But there are significant differences between VPN tunnels and not all of them are equally effective in protecting your online privacy. The strength of a tunnel depends on the type of protocol your VPN provider uses. One of the key factors is the type of encryption.

What is encryption used for?

Encryption is used to hide the content of traffic from unauthorized readers. This is often referred to as end-to-end encryption since usually only the sender at one end and the receiver at the other end are authorized to read the content.

Privacy of Internet traffic is, or should be, a major concern, because we use the Internet in all its forms to send a lot of sensitive information to others. For example:

  • Personal information.
  • Information about your organization.
  • Bank and credit card information.
  • Private correspondence.

Since codes designed and applied by hand are far too easy for modern computers to crack, we rely on computers to encrypt and decrypt our sensitive data.

Types of encryption

“What are the types of encryption?”, you may ask. Computerized encryption methods generally belong to one of two types:

  • Symmetric key encryption
  • Public key encryption

Public-key cryptography is sometimes called asymmetric cryptography. It is an encryption scheme that uses two mathematically related, but not identical, keys. One is a public key and the other a private key. Unlike symmetric key algorithms that rely on one key to both encrypt and decrypt, each key performs a unique function. The public key is used to encrypt and the private key is used to decrypt. The mathematical relation makes it possible to encode a message using a person’s public key, and to decode it you will need the matching private key.

Symmetric-key encryption

This type of encryption is called symmetric because the same secret is needed both to encrypt the text and to decrypt the encoded message. In other words, the key used in the encryption process and the key used in the decryption process are one and the same.

Symmetric key encryption requires that you know which computers will be talking to each other so you can install the key on each one. This way each computer has the secret key that it can use to encrypt a packet of information before it is sent over the network to the other computer. Basically, it is a secret code that each of the two computers must know in order to decode the information. But since this design requires the secret key to be shared, it is considered a weakness wherever there is a chance of the key being intercepted.

Advanced Encryption Standard (AES)

The best example of symmetric encryption is probably AES, which the US government adopted in 2001. The government classifies information in three categories: Confidential, Secret and Top Secret. All AES key lengths can be used to protect information at the Confidential and Secret levels. Top Secret information requires either 192- or 256-bit keys.

How is AES encryption done?

The AES encryption algorithm defines a series of transformations that are performed on data held in a small byte array. The first transformation in each round substitutes each byte using a substitution table (SubBytes); the second shifts the rows of the array (ShiftRows), and the third mixes the columns (MixColumns). The last transformation (AddRoundKey) combines each column with a different portion of the expanded encryption key. The key length matters because longer keys require more rounds of these transformations to complete.

Public-key encryption

To deal with the possibility of a symmetric key being intercepted, the concept of public-key encryption was introduced. Public-key encryption uses two different keys at once: a combination of a private key and a public key. The private key is known only to your computer, while the public key is provided by your computer to any computer that wants to communicate securely with it.

To decode an encrypted message, a computer must use the public key provided by the originating computer together with its own private key. The key pair is based on very large prime numbers. This makes the system extremely secure, because there is essentially an infinite number of prime numbers available, meaning there are nearly infinite possibilities for keys.

VPNs use public-key encryption to protect the transfer of AES keys. The server uses the public key of the VPN client to encrypt the AES key and then sends it to the client. The client program on your computer then decrypts that message using its own private key.

Why is end-to-end encryption important?

End-to-end encryption is important to create a secure line of communication that blocks third parties from intercepting data. It makes the transmitted data readable only by the intended recipient. Most VPN services use asymmetric encryption to exchange a new symmetric encryption key at the start of each VPN session. The data is only encrypted between you and the VPN server. This secures it from being inspected by any server between you and the VPN, such as your ISP or an attacker operating a rogue WiFi hotspot. The data transferred between the VPN server and the website you’re visiting is not encrypted, unless the website uses HTTPS.

This is why we said in an earlier post that using a VPN is shifting your trust to a new provider. When you use a VPN you transfer access to your traffic to a third party, the VPN provider. All that visibility that users balk at relinquishing to their ISP has now been handed over to their VPN provider. Careful consideration should be given to the trustworthiness of said VPN provider.


Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.