Knowing the key differences in VPN encryption technologies will help you determine the best VPN for your needs.
What is a VPN
A Virtual Private Network, or VPN, is a service that encrypts data sent and received over public and private networks, particularly when using the Internet. VPNs are used on computers and mobile devices, the latter needing protection when on Wi-Fi hotspots.
Different Types of Encryption
We will look at the differences between the protocols.
Point-to-Point Tunneling Protocol
Microsoft developed PPTP for creating VPNs over dial-up networks, which made it the standard protocol for internal business VPNs. It is a tunneling protocol only, relying on the various authentication methods it carries to provide the actual security. Easy to set up and install, it is standard on nearly every VPN-capable device or platform, and it continues to be a popular choice for businesses and VPN providers.
Since it was first bundled with Windows 95 OSR2 in 1999, many security issues have been brought up, unencapsulated MS-CHAP v2 being the most serious of these. Although Microsoft has since patched the flaw that allowed it to be cracked within 2 days, it has issued an opinion that VPN users should instead employ L2TP/IPsec or SSTP. Its pros include being fast, quite easy to set up, and having a client built into nearly all platforms.
L2TP and L2TP/IPsec
Layer 2 Tunnel Protocol is a VPN protocol on its own, but it does not provide any encryption for the traffic that passes through it. It is usually implemented with the IPsec encryption suite, which provides security and privacy. Because L2TP/IPsec is built into all modern operating systems and VPN-capable devices, it is quick and easy to set up. Because the L2TP protocol uses UDP port 500, there are issues as it is more easily blocked by NAT firewalls; this may require advanced port forwarding when used behind a firewall. It is considered very secure and easy to set up, and besides being available on all modern platforms it is faster than OpenVPN. That said, a major con is that it can struggle with restrictive firewalls.
Secure Socket Tunneling Protocol
SSTP was introduced in Windows Vista SP1 and is still generally a Windows-only platform. Because SSTP uses SSL v3, it offers many of the same advantages as OpenVPN. As SSTP is integrated into Windows, it is thought to be more stable and easier to use. Unlike OpenVPN, SSTP is a proprietary standard owned by Microsoft, meaning the code is not open to public inspection. On the pro side, it can bypass most firewalls, it is considered very secure, and it is completely integrated into Windows (up to Windows 8), which comes with Microsoft support. Unfortunately it only works in a Windows-only environment, and as a proprietary standard owned solely by Microsoft it cannot be independently audited.
OpenVPN
A fairly new open source technology, OpenVPN uses the OpenSSL library and the SSLv1/TLSv1 protocols to provide a good VPN solution. One advantage of OpenVPN is that the OpenSSL library supports several cryptographic algorithms; however, VPN providers usually use AES or Blowfish exclusively. 128-bit Blowfish is the default cipher built into OpenVPN and is generally thought of as secure. Another strength is that it is highly configurable. While it runs best on a UDP port, it can be set to run on any port, making its traffic virtually impossible to distinguish from standard HTTPS over SSL and nearly impossible to block.
Adopted by the US government for use with “secure” data, AES, a newer technology, is considered by many to be the “gold standard” in encryption. As it has a 128-bit block size versus Blowfish’s 64-bit block size, it can better handle larger files (1 GB+). OpenVPN is now the default VPN connection type. It is highly configurable and secure, and able to bypass firewalls. OpenVPN can use a wide array of encryption algorithms and is open source. Unfortunately it needs third-party software and can be difficult to set up.
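To make the cipher and port choices above concrete, here is an added example (not code from OpenVPN or from this article) that reads a small server configuration, reports which cipher the tunnel will actually use, flags Blowfish's 64-bit block against AES's 128-bit block, and notes what the listener choice means for firewalls. The cipher names are the OpenSSL names OpenVPN accepts; the two configurations embedded at the bottom are constructed for this example, and the BF-CBC fallback when no cipher is set assumes an OpenVPN release before 2.5.

```python
"""OpenVPN config check for the cipher and port choices discussed above.

Added example, not OpenVPN project code. It reads the directives that
matter for the points in the article: `cipher` / `data-ciphers` (which
cipher protects the tunnel) and `proto` / `port` (where it listens), and
it flags 64-bit block ciphers such as Blowfish. The two configs at the
bottom are constructed for this example.
"""

# OpenSSL cipher names OpenVPN accepts that have a 64-bit block size.
SMALL_BLOCK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC"}
RECOMMENDED = "AES-256-GCM"


def parse_openvpn(text):
    """Map each directive to the argument list of its last occurrence.

    Lines starting with '#' or ';' are comments. Inline <ca>...</ca> style
    blocks are not handled here (the sample configs do not use them).
    """
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        directives[parts[0]] = parts[1:]
    return directives


def configured_ciphers(directives):
    """Ciphers the tunnel will use; `data-ciphers` (2.5+) overrides `cipher`."""
    if "data-ciphers" in directives:
        return directives["data-ciphers"][0].upper().split(":")
    if "cipher" in directives:
        return [directives["cipher"][0].upper()]
    # Nothing set: assumes a pre-2.5 release, which fell back to BF-CBC.
    return ["BF-CBC"]


def birthday_bound_bytes(block_bits):
    """Bytes after which repeated cipher blocks become likely: 2^(n/2) blocks."""
    return 2 ** (block_bits // 2) * (block_bits // 8)


def lint(text):
    """Return the negotiated ciphers, the listener, and a list of findings."""
    d = parse_openvpn(text)
    ciphers = configured_ciphers(d)
    findings = []
    for c in ciphers:
        if c in SMALL_BLOCK_CIPHERS:
            gib = birthday_bound_bytes(64) // 2**30
            findings.append(
                f"WARN {c} has a 64-bit block (blocks repeat after ~{gib} GiB); "
                f"use {RECOMMENDED}")
        elif not c.startswith("AES-"):
            findings.append(f"WARN non-AES cipher {c}; prefer {RECOMMENDED}")
    proto = d.get("proto", ["udp"])[0].lower()
    port = int(d.get("port", ["1194"])[0])
    if proto == "tcp" and port == 443:
        findings.append("INFO tcp/443 listener looks like HTTPS and is rarely blocked")
    elif proto == "udp":
        findings.append("INFO udp is fastest; restrictive firewalls block it more readily")
    return {"ciphers": ciphers, "proto": proto, "port": port, "findings": findings}


# Constructed samples: the weak Blowfish default beside a hardened AES setup.
WEAK_CONFIG = """\
# server.conf (constructed example)
proto udp
port 1194
cipher BF-CBC
auth SHA1
"""

HARDENED_CONFIG = """\
# server.conf (constructed example)
proto tcp
port 443
data-ciphers AES-256-GCM:AES-128-GCM
auth SHA256
tls-version-min 1.2
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = lint(cfg)
        print(name, result["ciphers"], f"{result['proto']}/{result['port']}")
        for finding in result["findings"]:
            print("  ", finding)
```

The birthday bound is the general reason a 64-bit block cipher is a poor fit for large transfers: after roughly 2^32 blocks (about 32 GiB with Blowfish) repeated ciphertext blocks become likely, while AES's 128-bit block pushes that point far beyond any practical session.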
Internet Key Exchange version 2 (IKEv2)
Developed by Microsoft and Cisco in a joint effort, Internet Key Exchange version 2 is an IPsec-based tunneling protocol. While it is usually treated as a VPN protocol, technically it is a control protocol for IPsec key exchange and not a VPN protocol, but it is acceptable to use it as such.
IKEv2 is quite good at automatically re-establishing the VPN connection when the client temporarily loses its Internet connection. Because of this, mobile users benefit from IKEv2 the most. IKEv2 supports the MOBIKE (Mobility and Multihoming) protocol, which makes it useful when changing networks. This is highly useful for cell phone users who routinely switch between Wi-Fi hotspots, and it is one of a handful of VPN protocols supported by BlackBerry devices.
While it is not supported on many platforms, it is faster than L2TP, SSTP, and PPTP. It is easy to set up and supports the AES 128, AES 192, AES 256 and 3DES ciphers, which make it quite secure.
In encryption, security is measured by key length. Key length is the crudest way to estimate how long a cipher could take to break. An exhaustive key search, or brute force attack, requires trying every conceivable combination until the key is found. When used by VPN providers, encryption is always between 128 bits and 256 bits in key length. To put it in the most basic terms, a 256-bit key is far more secure than the 128-bit option.
Ciphers are the mathematics used to perform encryption, and flaws in those algorithms often lead to encryption being broken. Blowfish and AES are the ciphers most likely to be encountered with a VPN. AES is now considered the most secure cipher for VPN use, and the US government’s adoption has increased its popularity.
While PPTP, L2TP/IPsec, IKEv2, and SSTP all have their pros and cons, some of them having been created by and being available only in Windows environments, OpenVPN should be used whenever possible. If you need a fast solution that will work in a pinch, L2TP/IPsec should do; however, there is an increasing number of OpenVPN apps for mobile devices.