This article in the “How VPNs Work” series describes how symmetric-key encryption works. If you’re already lost, don’t panic! This series of articles is written to explain the concepts and methods behind VPNs without requiring a deep dive into the mathematics that powers them.
If you’re completely new to the concept of VPNs, check out this introduction. If you already know a little about the how VPNs work and want to know a little more, this series is for you. Each article addresses one aspect of the means by which a VPN helps to secure data by telling a story which serves as a metaphor of the logical mechanisms involved. These stories involve two people, Adam and Burt, trying to keep a secret and a third person, Cesar, trying to nefariously discover their secret. Since VPNs have no perfect physical world equivalent, there may be some elements that stretch the bounds of credibility (for example, Cesar has access to a duplicator ray). Remember, it’s just a story….
Each article also has expandable sections (indicated with the gear icon) which contain a slightly more in-depth explanation that is somewhat more technical but still avoids getting too lost in the mathematics. These sections tie the events of the story a little more to the components or steps of encryption or authentication but are not required to get a basic understanding of the topic.
Basic Symmetric-Key Encryption
Let’s suppose that Adam and Burt are writing a comic book. Since they live in nearby towns and can’t meet in person all that often, they send drafts of their book to each other via the Greater Metropolitan Area Post Office. They don’t want anyone getting a peek at their book before it’s finished, so they use a lockbox (encryption) and make a copy of the key (encryption key) for each of them. Now, when Adam finishes a script, he can send it to Burt in this lockbox and be sure that only Burt can unlock it when he gets it in the mail.
This mechanism is analogous to one of the earliest widely-used encryption standards for computer data, DES (Digital Encryption Standard). DES is a symmetric-key encryption algorithm, meaning that the key that is used to encrypt the data is also used to decrypt it. On a simplified level, a symmetrical-key encryption algorithm is a method of applying a series of predefined mathematical steps, and the key is a sort of pivotal variable (one might say, a “key” variable) that plugs into that method to produce unique output–the encrypted data. This process can also be reversed by applying the same method in reverse, again with the same key.
Now, Cesar enters the picture. Cesar is obsessed with Adam and Burt’s comic book and can’t wait to learn more about it. For the sake of this story, Cesar has a duplicator ray. He is also a master of disguise, so he uses his talents to pose as a postal worker. His ultimate goal is to find a way to intercept the box Adam and Burt send back and forth to get a peek inside. Soon Cesar insinuates his way deeply enough into the Greater Metropolitan Area Post Office that he gains access to the central mail sorting room, and he spots the box from Adam to Burt. Cesar doesn’t want to arouse suspicion from either Adam or Burt from a delayed delivery, so he uses his duplicator ray to make a copy of the box. Sadly for Cesar, this box is also locked (encrypted), the same as the original. But, among his talents, he is a journeyman locksmith, so he takes this duplicate box to his lair to attempt to bypass the lock.
Network traffic is sent in discrete units called packets. So, whether you are sending something small (a short email) or something large (a video), the data will be segmented into easily managed packets before being transmitted. It’s the equivalent of sending a jigsaw puzzle to someone a piece at a time. Once it arrives at its destination, it will be reassembled.
This process of examining network traffic in transit is called “packet inspection” (sometimes more informally called “packet sniffing” or “sniffing the wire”). Packet inspection allows network administrators to identify and block much hostile traffic on their network. It can also be quite useful to help troubleshoot connectivity issues within a network.
It can also be used for less constructive purposes, such as eavesdropping. In these circumstances, this sort of use is often called a Man-in-the-Middle (MitM) attack. For someone like Cesar, who manages to insert himself in the transit path these messages take, this attack allows an interloper to copy all passing traffic (without delaying it and potentially alerting either end that something might be amiss) in order to analyze it later. Traffic that is not encrypted can be easily reassembled, allowing anyone with the proper tools to read the email or see the web page requested. Encrypted data would require knowing or discovering the key to decrypt each packet before reassembling it.
Brute Force Crack
Let us say, then, that Cesar spends time working on this lock and manages to finally pick the lock. After some practice, he learns to cut this time down significantly. Then, he intercepts the next package Burt sends back to Adam, copies it, and sends the original back on its way to Adam. Now, Cesar can pick the lock at his leisure, and, since Adam received the package without delay, he and Burt have no idea anything could be amiss. So imagine their surprise and dismay when Cesar posts all the spoiler details of their new comic book on his blog (called, naturally, “The Cesarian Section”).
Adam and Burt realize they will need to come up with a better way to securely exchange messages. If they were to re-key the lock, it would likely not take Cesar long to learn how to pick this new lock. They decide to invest in a lock with a much more complicated key (a stronger symmetric-key encryption algorithm). But how long might it take Cesar to crack this lock?
DES is no longer considered a strong means of encryption, implemented on its own. In 2008, SciEngines GmbH announced they were able to break DES in less than a day.
A variation called Triple Digital Encryption Standard (abbreviated 3DES, usually pronounced “triple-dez”) has, in many instances, supplanted DES. As its name implies, it functions using the DES algorithm but run three times. The key is three times as long, and in its strongest implementation, it is made up of three different DES keys, one for each iteration of the DES algorithm. It can be helpful to imagine this algorithm functioning as if it were an intricate puzzle box. The first key might be the combination of twists and machinations (as with a Rubik’s Cube) required to reveal a sliding-tile style puzzle, which, when solved (the second key), would expose a keyhole for your key (the third key).
An even stronger symmetric-key encryption algorithm is AES (Advanced Encryption Standard, though you may also sometimes see it referred to by its original name “Rijndael”, pronounced “rain-doll”). The strength of these sorts of algorithms is measured by the effective lengths of their keys (in bits). 3DES uses 168-bit keys (in its strongest implementation), though certain attacks have been shown to reduce that strength equivalent to an 80-bit key. AES can use 128-, 192-, and 256-bit keys. As the length of each of these keys goes up, so does its associated strength and computational requirements.
The Evolution of Encryption
Naturally, Adam and Burt have concerns that maintaining this lockbox solution, even if it is top-of-the-line, may not be as secure as they would like. A ne’er-do-well such as Cesar has several means to attempt to defeat this system. He can attempt to illicitly obtain a copy of the key from either Adam or Burt, or from the means they use to exchange the key in the first place (especially if this exchange is over an unsecured medium). Finally, he may, after practice and/or technological advance, discover a way to more efficiently “guess” the key. If they want to stay ahead of Cesar, they’ll need to find some new ways to make it much more difficult for him to find a way around or through.
More in the How VPNs Work Series:
Part 2: Public Key Cryptography
Part 3: Shared Key Exchange
Learn more about services from Atlantic.Net, including VMware hosting.