VPN stands for Virtual Private Network. In a nutshell, VPN technology is an encrypted connection laid over the user's ordinary connection. The network you connect through is public; the VPN is a separate secure network built out of tunnels over that public network. These tunnels join scattered networks or devices into a single network.
In practice, it works like this. Every computer has its own IP address. Internet service providers, following the instructions of local authorities, can block access to banned or paid sites. In that situation you simply connect to a VPN with the help of a program or a browser extension.
What does a VPN do? It replaces your real IP address with a substitute one. For example, you are in China, where access to Google services is blocked. With a VPN, you swap your real Chinese IP address for a dummy Italian or American one. This substitution of the IP address opens access to Internet resources blocked in a particular country, in this case Google.
To understand how VPN technology works at a slightly deeper level, let's look at its nuances. The three pillars on which a VPN is built are tunneling, encryption and authentication.
Let's start with tunneling. Use your imagination and picture the Internet as an open space through which trains, planes and cars move. Everyone can see where people and cars go and where planes fly. Now you send a parcel from city A to city B. There is no guarantee that the parcel will not be lost, will not accidentally fall into the wrong hands, or will not be stolen. This is how an ordinary Internet connection works.
Now imagine that an underground tunnel is built between city A and city B. The car with your parcel enters the tunnel in city A and leaves it in city B. No one sees where the car is going or what it is carrying. This is how a VPN connection works. The open space, where everyone can see who goes where and what they carry, is the public network. The invisible underground tunnel through which the car carries your parcel is the virtual private network, the VPN.
But the tunnel alone doesn't fully guarantee secure data transmission. There are two main problems. First, information can be intercepted by cybercriminals: someone discovers the tunnel, gains access to it, and can stop the car and steal the parcel. Second, criminals can substitute the transferred data. In this case they don't steal the parcel from the car but replace it with another one. The result may be that you sent a box of chocolates to a friend, but he received a poisonous powder.
Therefore, another important aspect of VPN technology is the encryption of data transmitted through the tunnel.
Encryption is the process of transforming the original information into a form from which it cannot be restored without knowledge of the keys. Symmetric and asymmetric encryption algorithms are used to encrypt the data sent through the channel. For example, Alice and Bob want to send messages to each other. In symmetric encryption, Alice and Bob use the same key to encrypt and decrypt a message. In asymmetric encryption, different keys, a private one and a public one, are used to encrypt and decrypt a message. We will consider these nuances in more detail below.
Authentication is the verification of the authenticity and integrity of the original message.
A hash function is used for authentication. This is so-called irreversible encryption: a one-way function. The hash function processes a block of data, and the output is a digital fingerprint of the data. This is the hash. Imagine that you have fed a paper document through a shredder. The output is pieces from which it is impossible to recover the document. The handful of pieces is the hash. The hash has two important properties:
- It is impossible to recover the original data from the hash (irreversible encryption);
- If there is the slightest change in the original data (for example, as a result of unauthorized access and substitution of the original data), the hash changes.
Authentication in a VPN most often follows the "request/response" scheme (also known as challenge/response):
- the user sends an authentication request to the server;
- the server sends a random password (the challenge) to the user;
- the user calculates the hash of that password and sends the hash to the server;
- the server does the same on its side: it computes the hash of the random password it sent to the user and compares its hash with the hash the user sent;
- if the results match, the user has been authenticated.
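The two hash properties and the request/response exchange above, as an added Python example (this is not code from the article or from any VPN product). The `Server`, `client_response` and `run_handshake` names are hypothetical, the user list and messages are constructed sample data, and SHA-256 stands in for whatever hash a real VPN uses. One assumption worth stating: the hash is keyed with a secret the user and server already share (HMAC), as real challenge/response schemes do; the article's description omits the secret, but without it anyone who can see the challenge could produce the correct hash.

```python
import hashlib
import hmac
import secrets


def fingerprint(data: bytes) -> str:
    """SHA-256 hex digest: the 'handful of shredder pieces' that stands for the data."""
    return hashlib.sha256(data).hexdigest()


def differing_bits(hex_a: str, hex_b: str) -> int:
    """Number of bit positions in which two equal-length hex digests differ."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


class Server:
    """Hypothetical VPN server side of the challenge/response exchange."""

    def __init__(self, users: dict):
        self._users = users      # username -> shared secret (constructed sample data)
        self._pending = {}       # username -> the random challenge we sent and still await

    def issue_challenge(self, username: str) -> bytes:
        # Step 2 of the scheme: send a fresh random "password" (the challenge).
        challenge = secrets.token_bytes(16)
        self._pending[username] = challenge
        return challenge

    def verify(self, username: str, response: str) -> bool:
        # Step 4: recompute the hash over the same challenge and compare.
        challenge = self._pending.pop(username, None)   # a challenge is usable once
        secret = self._users.get(username)
        if challenge is None or secret is None:
            return False
        expected = hmac.new(secret, challenge, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)   # constant-time comparison


def client_response(secret: bytes, challenge: bytes) -> str:
    """Step 3: the user hashes the challenge, keyed with the shared secret, and sends the hash."""
    return hmac.new(secret, challenge, hashlib.sha256).hexdigest()


def run_handshake(server: Server, username: str, secret: bytes) -> bool:
    """Drive the whole request/response exchange; True only if both hashes match."""
    challenge = server.issue_challenge(username)        # steps 1 and 2
    response = client_response(secret, challenge)       # step 3
    return server.verify(username, response)            # steps 4 and 5


if __name__ == "__main__":
    original = b"a box of chocolates"
    tampered = b"a box of chocolateS"      # one character changed
    print(fingerprint(original))
    print(fingerprint(tampered))
    print(differing_bits(fingerprint(original), fingerprint(tampered)), "bits differ")

    server = Server({"alice": b"correct horse battery staple"})
    print("right secret:", run_handshake(server, "alice", b"correct horse battery staple"))
    print("wrong secret:", run_handshake(server, "alice", b"guess"))
```

Because the server discards a challenge once it has been checked, a captured response cannot be replayed; a second `verify` call with the same response returns `False`.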
VPN services are very useful when you need to bypass bans, protect your data and stay anonymous. Let's see what a VPN can offer.
Access to blocked Internet resources. The Internet has long ceased to be free and democratic. Pirate sites are actively blocked in the US. The Chinese authorities have banned Google, YouTube, Facebook and cryptocurrency exchanges. In Russia, LinkedIn is blocked, and Telegram was banned more recently. Ukraine has banned the Russian social network VKontakte. Specific services such as online casinos, bookmakers and "adult" sites are also prohibited in many countries. VPN services solve this problem neatly by substituting the IP address.
Data security. Connecting to a Wi-Fi network in a public place makes your data vulnerable to cybercriminals. It's like leaving a suitcase unattended at a railway station. A hacker sitting next to you will be able to steal whatever he likes from your computer: a personal photo archive, bank card numbers, passport data, business contacts. If you use a VPN, an invisible wall rises between you and the neighboring hacker.
Anonymity. After Edward Snowden disclosed information about total surveillance of citizens via the Internet, many people became concerned about anonymity on the Internet. Besides government agencies in different countries, users' information is collected behind the scenes, without users' permission, by many private organizations for commercial purposes. Have you ever noticed how, after you browse an online shop, the goods from your basket "chase" you around the web? A VPN protects you from the possible attention of state security services and from intrusive Internet advertising. And if you manage to install a VPN on your office computer, your boss and the company's system administrator will never know which websites you have visited.
If you have decided you need a VPN, you have already noticed that there are many offers of free VPNs on the Internet. Of course, getting what you need while saving money is always good. But think for a moment: why is it profitable for free VPN providers to give you this service? Software development and server upkeep are expensive. This means that free VPN services sell user data to third parties and make money that way. And this is only the most harmless thing that can be assumed. The level of protection provided by a free VPN is also questionable. If their primary purpose is to collect and sell user data, who cares about your security and anonymity?
Paid VPN services have a different and much more honest revenue model. They simply charge users money. There is no point in trading data and losing their reputation.
Different VPN services provide approximately the same basic set of features. The significant differences are in the number of servers and available countries, the download speed of torrent files, and the options of the interface.
It is worth paying attention to one very important point, which is not at all obvious. Every VPN service uses encryption with a 256-bit key and considers this method of information protection the most robust. For example, ExpressVPN declares that "A brute-force attack on a 256-bit keyspace is simply infeasible, even if all the world's most powerful supercomputers ran for as long as the universe has existed so far, billions and billions of times over."
Yes, indeed, this algorithm is very reliable and even resistant to quantum computers. But there is one important nuance which developers of VPN services don't mention, and which nevertheless radically changes the data protection picture.
AES-256 is a symmetric encryption algorithm that encrypts the transmitted data stream. This algorithm has no public and private keys: to encrypt and decrypt data with AES-256, you use a single key. So Alice and Bob, who want to exchange messages, hold the same key. Alice needs to hand Bob the key to decrypt her messages. Hence the main drawback of a symmetric encryption algorithm: the need to transfer the key "from hand to hand" over insecure channels.
Thus, there is a need to encrypt the channel through which Alice and Bob transfer the symmetric AES key. This channel is encrypted using the asymmetric RSA algorithm or, at best, the more advanced ECDSA. Asymmetric algorithms use a public/private key pair. Bob generates two keys, a private one and a public one. These keys are mathematically linked. Bob sends Alice the public key. Alice encrypts her message (which contains the symmetric AES key) with Bob's public key and sends the encrypted message to Bob. Bob decrypts the message with his private key and extracts the symmetric AES key from it. The idea of asymmetric encryption is that you can encrypt a message with a public key that is transmitted over communication channels, but you can decrypt the message only with a private key that has never left its owner (Bob).
VPN services work as follows.
At the first level, Alice and Bob exchange symmetric AES keys over channels that are encrypted with asymmetric encryption, RSA or ECDSA.
At the second level, the data stream is encrypted with the received symmetric AES key.
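The two-level scheme, carried through end to end as an added Python example (not code from the article or from any VPN product). Level 1 uses textbook RSA with tiny constructed primes (61 and 53) so the arithmetic is visible; real deployments use large moduli with padding, and this toy is for mechanics only. The article names ECDSA alongside RSA; ECDSA is a signature scheme rather than a key-transport scheme, so RSA, which does encrypt, is what the example models. Level 2 substitutes a SHA-256 counter keystream for AES because the Python standard library has no AES; the names `wrap_key`, `unwrap_key`, `sym_encrypt` and `exchange` are hypothetical.

```python
import hashlib
import secrets
from math import gcd

# ---- Level 1: asymmetric key transport (textbook RSA, toy-sized) ----
# Tiny constructed primes: easy to follow, not secure. Real RSA uses
# 2048-bit-plus moduli with padding. This shows the mechanics only.
P, Q, E = 61, 53, 17


def generate_keypair(p: int = P, q: int = Q, e: int = E):
    """Bob's key pair: public (e, n) may travel over the channel, private (d, n) never leaves Bob."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with phi(n)")
    d = pow(e, -1, phi)        # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def wrap_key(sym_key: bytes, public) -> list:
    """Alice encrypts the symmetric key byte by byte with Bob's public key (the toy modulus fits one byte)."""
    e, n = public
    return [pow(b, e, n) for b in sym_key]


def unwrap_key(wrapped: list, private) -> bytes:
    """Bob recovers the symmetric key with his private key."""
    d, n = private
    return bytes(pow(c, d, n) for c in wrapped)


# ---- Level 2: symmetric stream encryption with the transported key ----
# Stand-in for AES: a SHA-256 counter keystream XORed into the data.
def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def sym_encrypt(key: bytes, plaintext: bytes):
    nonce = secrets.token_bytes(12)         # fresh per message so keystreams never repeat
    ks = keystream(key, nonce, len(plaintext))
    return nonce, bytes(p ^ k for p, k in zip(plaintext, ks))


def sym_decrypt(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    ks = keystream(key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def exchange(message: bytes) -> bytes:
    """Run both levels end to end and return what Bob reads."""
    bob_public, bob_private = generate_keypair()              # Bob makes his pair
    alice_sym_key = secrets.token_bytes(16)                   # Alice picks the session key
    wrapped = wrap_key(alice_sym_key, bob_public)             # level 1: key crosses the channel wrapped
    nonce, ciphertext = sym_encrypt(alice_sym_key, message)   # level 2: the data stream
    bob_sym_key = unwrap_key(wrapped, bob_private)            # only Bob's private key unwraps it
    assert bob_sym_key == alice_sym_key
    return sym_decrypt(bob_sym_key, nonce, ciphertext)


if __name__ == "__main__":
    print(generate_keypair())          # ((17, 3233), (2753, 3233))
    print(exchange(b"meet me at the tunnel"))
```

Everything an eavesdropper sees on the wire is `wrapped`, `nonce` and `ciphertext`; the symmetric key itself only ever exists in Alice's and Bob's memory, which is exactly the property the first level is there to provide.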
Now let's talk about an onion, and imagine onion rings :-) Protecting data with multiple layers is called "onion routing".
Some VPN services have a third level: so-called multiplexing of streams. Multiplexing is the process of putting multiple logical data streams into a single physical channel. That is, several data streams (audio, video, messages, etc.) can be transmitted through one network connection. Accordingly, at the third level all multiplexed streams are split into data packets with headers and packed into the single encrypted stream of the second level.
And this is like garlic :-) Several different "cloves" (audio, video data, etc.) are put into one "garlic" (the stream). In this case, only the sender and the recipient know which specific clove the sender sent to the recipient. At the second level, as we remember, the stream (the "garlic") is encrypted with the symmetric AES key obtained at the first level.
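The third level described above, framing and interleaving, as an added Python example (not the article's or any VPN product's code). The 7-byte header layout (stream id, sequence number, payload length) is a hypothetical format chosen here, the three streams are constructed sample data, and the output of `multiplex` is the single byte string that the second level would then encrypt as one stream. `demultiplex` checks lengths and sequence numbers so a truncated or reordered frame is rejected rather than silently merged into the wrong "clove".

```python
import struct

# Frame header: stream id (1 byte), sequence number (4 bytes), payload length (2 bytes),
# network byte order. A hypothetical layout chosen for this example.
HEADER = struct.Struct("!BIH")


def multiplex(streams: dict, chunk_size: int = 4) -> bytes:
    """Split each logical stream into chunks, prefix each with a header, and interleave
    them into one byte string: the 'garlic' that level 2 would encrypt as a single stream."""
    frames = []
    cursor = {sid: 0 for sid in streams}
    seq = {sid: 0 for sid in streams}
    while any(cursor[sid] < len(data) for sid, data in streams.items()):
        for sid, data in streams.items():          # round-robin over the streams
            pos = cursor[sid]
            if pos >= len(data):
                continue
            chunk = data[pos:pos + chunk_size]
            frames.append(HEADER.pack(sid, seq[sid], len(chunk)) + chunk)
            cursor[sid] = pos + len(chunk)
            seq[sid] += 1
    return b"".join(frames)


def demultiplex(blob: bytes) -> dict:
    """Walk the frames, validate lengths and sequence numbers, and reassemble each stream."""
    out = {}
    expected_seq = {}
    offset = 0
    while offset < len(blob):
        if offset + HEADER.size > len(blob):
            raise ValueError(f"truncated header at offset {offset}")
        sid, seq, length = HEADER.unpack_from(blob, offset)
        offset += HEADER.size
        if offset + length > len(blob):
            raise ValueError(f"stream {sid} frame {seq}: payload truncated")
        if seq != expected_seq.get(sid, 0):
            raise ValueError(f"stream {sid}: expected seq {expected_seq.get(sid, 0)}, got {seq}")
        expected_seq[sid] = seq + 1
        out[sid] = out.get(sid, b"") + blob[offset:offset + length]
        offset += length
    return out


if __name__ == "__main__":
    # Constructed sample streams: audio (id 1), video (id 2), a text message (id 3).
    streams = {1: b"AUDIO-AUDIO-AUDIO", 2: b"VIDEO-VIDEO", 3: b"hi"}
    blob = multiplex(streams)
    print(len(blob), "bytes on the wire carrying", len(streams), "streams")
    print(demultiplex(blob) == streams)
```

Once the blob is encrypted at level 2, an observer sees one opaque stream and cannot tell how many cloves it holds or where one ends and the next begins; the headers that make the split possible are themselves inside the encryption.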
Existing VPN services have a problem at the first level, where asymmetric encryption algorithms are used to transmit the AES keys. The thing is, asymmetric algorithms are vulnerable to quantum computers. In this article we wrote in detail about the Quantum Apocalypse in relation to blockchains. Exactly the same applies to other systems that use asymmetric encryption algorithms.
As soon as a quantum computer with a capacity of 1000 qubits appears, it will be easy to hack almost all existing VPN services. It will happen as follows:
- the quantum computer recovers the key to the first-level channel encrypted with the RSA or ECDSA algorithm;
- after cracking the first-level channel, the attacker intercepts the symmetric AES key and decrypts the streams of the second level and the third level (if any).
The VPN service industry doesn't stand still and meets the new challenges of our time. Security and anonymity are the key features of VPN services, yet they will not stand firm in the face of the power of a quantum computer. DapCash is developing a project in this direction. One of the key services of the DapCash project will be a quantum-resistant next-generation VPN: DiveVPN.
DiveVPN is based on the DAP blockchain platform, developed from completely original source code.
This VPN service will have several distinctive characteristics:
- The use of quantum-resistant encryption algorithms in the protocols at the first level of data exchange. Even a super-powerful quantum computer will not be able to break the encryption at this level.
- Onion routing with garlic data packaging. Data packets will be put in a single stream and protected with at least two layers of encryption (three layers of protection in total).
- Additional features for "obfuscation" of traffic: bouncing other people's traffic back and forth, mixing in fictitious traffic, and the use of ring signatures. All of this serves to ensure the highest level of data transmission security.
Thus, DiveVPN will be able to offer the most secure and advanced solution for privacy and security on the Internet, not only now but also in the near future.