Demystifying VPN

An Introduction to VPN Technology

An OpenReach Technical Backgrounder


Mark Tuomenoksa
Chairman & Founder
OpenReach, Inc.
mark@openreach.com

Copyright 2002, OpenReach, Inc., which is solely responsible for its content. All rights reserved.
No part of this report may be reproduced or stored in a retrieval system or transmitted in any form
or by any means, without permission.

Demystifying VPN: An Introduction to VPN Technology OpenReach, Inc.

Introduction
Virtual Private Networks (VPNs) are a great way to connect remote locations safely
and securely using common Internet connections, yet few people have a good
understanding of how they work. This paper is intended to give business and IT
professionals an overview of the basic components of VPNs—including encryption,
keys, digital signatures, authentication and tunneling—as well as a perspective on
why these components are important and how they are used in a VPN solution.

At OpenReach, we’ve wrapped these sophisticated security technologies into an
easy-to-use VPN service that provides the highest levels of security along with the ease-
of-use of an instant messenger buddy list. If you’ve got an Internet connection,
a PC, a browser, and OpenReach, you can set up a VPN.

Still, many of our customers like to understand the nuts and bolts of how our service
works. If you don’t know the difference between cipher-text and a crypto-period, and
would like to understand this security jargon and VPN without enrolling in an MIT
computer security course, this paper is for you.

Copyright 2002, OpenReach, Inc. 1


Encryption
Virtual private networks ensure privacy and confidentiality of information using encryption.
Encryption is a technique that scrambles information (so that it is difficult or impossible to read)
and unscrambles information (so that it can be read again). The scrambled information is referred
to as cipher-text and the unscrambled information is referred to as clear-text.

[Figure: the clear-text message "This message is in clear text" and its scrambled cipher-text, labelled Clear-text and Cipher-text]

When a VPN transmits information from one location to another, the VPN Gateway at the first
location encrypts information into cipher-text before sending it on the Internet. At the other
location, the receiving VPN Gateway decrypts the information into clear-text and sends it to the
LAN.

[Figure: clear-text enters the VPN Gateway at one location, crosses the Internet as cipher-text, and leaves the VPN Gateway at the other location as clear-text]

An encryption algorithm is a repeatable technique for scrambling and unscrambling information
that can be performed by people or computers. A simple example of an encryption algorithm
would involve replacing every letter in a sentence with the letter in the alphabet immediately
following that letter. This creates the cipher-text. To read the message, simply replace every letter
in the cipher-text with the letter in the alphabet that precedes it.

It used to be that encryption was made secure by keeping the encryption algorithm a secret. In
this scenario, the reason you can’t read an encrypted message is because you don’t know how it was
created. The problem with this approach is that once you crack the algorithm, you’ll have access
to all the information that has ever been encrypted with that algorithm. Furthermore, since the
encryption technique is a secret, it’s hard to tell how good the technique is because only a few
people really test it.

Today, the best encryption methods are published so that everyone knows how they work. In fact,
everyone knows exactly how you encrypted your information. Popular encryption methods include
Data Encryption Standard (DES), Triple DES (3DES), and Blowfish. These methods are publicly
available and thoroughly tested.


Keys
So, if the method isn’t secret, how do you ensure that others can’t simply grab your cipher-text
and decrypt it to create the clear-text? The answer is keys. A key is a secret code that is used by
the encryption algorithm to create a unique version of the cipher-text.

[Figure: a combination lock labelled Algorithm beside its combination "24 right – 18 left – 37 right" labelled Key]

The encryption method is essentially like a lock that you purchase at the hardware store, while
the key is the unique combination that comes with that lock. Even though we can each go to the
hardware store and purchase the same model of lock, it doesn’t mean that we have access to
each other’s tool shed. While we each might be using the same algorithm (the lock, in this case),
we’ve each received a different key (the combination).

With this approach, security is no longer dependent upon keeping the encryption algorithm a
secret; it now depends on keeping the key or combination a secret. Most of today’s Internet
security standards (such as DES and 3DES) take this approach of exposing their algorithm for
anyone to examine and use while providing security through the generation of unique and hard-
to-crack keys. The level of security typically depends (in part) on the length of the keys.

[Figure: Sending information from Location A to Location B. At A, the encryption algorithm and key turn clear text into a unique cipher text; at B, the decryption algorithm and key turn it back into clear text]

Key Lengths
When working with well-known encryption algorithms, the security strength depends upon the
length of the keys used. An 8-bit key provides 256 combinations (two to the eighth power), while
a 16-bit key provides 65,536 combinations (two to the sixteenth power). And so on.

With a 16-bit key, someone could make 65,536 attempts before guessing the combination that
would unlock the cipher-text. For a person, this would be impossible, but with high-speed
computers, it wouldn’t take too long to run through all the possible combinations. The following
table shows key-lengths and the possible combinations they create.


Key Lengths   Possible Combinations
8-bit         256
16-bit        65,536
56-bit        72,057,594,037,927,936
112-bit       5,192,296,858,534,827,628,530,496,329,220,096
168-bit       374,144,419,156,711,147,060,143,317,175,368,453,031,918,731,001,856
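The shift technique from the Encryption section, generalized so that the shift amount is the key, as an added example that is not part of the OpenReach paper. It also counts the combinations for a key of a given length and shows what a key space of only 26 combinations means for trying every key:

```python
import string
from typing import Optional

ALPHABET = string.ascii_uppercase  # the published "algorithm" works over these letters


def shift_encrypt(clear_text: str, key: int) -> str:
    """Replace every letter by the letter `key` places later in the alphabet.
    key=1 is exactly the example in the Encryption section; the key is what
    makes the cipher-text unique even though the method itself is public."""
    key %= len(ALPHABET)
    out = []
    for ch in clear_text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % len(ALPHABET)])
        else:
            out.append(ch)  # spaces and punctuation pass through unchanged
    return "".join(out)


def shift_decrypt(cipher_text: str, key: int) -> str:
    """Unscrambling is the same technique run backwards: step back `key` places."""
    return shift_encrypt(cipher_text, -key)


def key_space_size(key_bits: int) -> int:
    """Possible combinations for a key of `key_bits` bits (two to that power)."""
    return 2 ** key_bits


def exhaustive_search(cipher_text: str, known_prefix: str) -> Optional[int]:
    """Try every possible shift and return the one whose output starts with
    `known_prefix`. There are only 26 keys (under 5 bits), so this finishes
    instantly; that is the Key Lengths point about small key spaces."""
    for candidate in range(len(ALPHABET)):
        if shift_decrypt(cipher_text, candidate).startswith(known_prefix.upper()):
            return candidate
    return None


if __name__ == "__main__":
    message = "This message is in clear text"  # the paper's sample clear-text
    print(shift_encrypt(message, 1))   # UIJT NFTTBHF JT JO DMFBS UFYU
    print(shift_encrypt(message, 7))   # same lock, different combination
    print(key_space_size(56))          # 72057594037927936, as in the table
    print(exhaustive_search(shift_encrypt(message, 7), "This"))  # 7
```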

DES, Two-Key Triple DES and 3DES
The Data Encryption Standard (DES) is a commonly used and thoroughly tested encryption
algorithm. The DES system uses 56-bit keys to encrypt data in 64-bit blocks. The 56-bit key
provides 2^56 (about 72,057,594,037,927,900) possible combinations. A person with a personal
computer would spend about 20 years running through these combinations. However, a large
organization with millions of computers could run through these combinations in about 12
seconds. So, in general, DES makes information safe from casual attacks by would-be hackers,
but not from a focused attack by a large, well-funded organization.

[Figure: DES. A single Encrypt step under a 56-bit key turns clear-text into cipher-text]

Two-key triple DES is a DES system that increases security by encrypting the information
multiple times. With triple-pass DES, the data is encrypted once using a 56-bit key. The resulting
cipher-text is then decrypted using a second 56-bit key. This results in clear-text that doesn’t
look anything like what was originally encrypted. Finally, the data is re-encrypted using the first
key again.

[Figure: Two-key triple DES. Encrypt with 56-bit key #1, Decrypt with 56-bit key #2, Encrypt with 56-bit key #1 again, taking clear-text to cipher-text]

This technique of encrypting, decrypting and encrypting is referred to as EDE. It effectively
increases the key length from 56 bits to 112 bits.


3DES is an encryption algorithm that provides even better security than triple-pass DES. With
3DES, the data is encrypted, decrypted and encrypted again (EDE), but with three separate keys.
This uses 168-bit keys (three 56-bit keys) and results in an effective key length of 112 bits.
OpenReach VPN Services use 3DES or 112-bit encryption on all traffic that flows between VPN
gateways and to the OpenReach Network Operations Center (NOC).

[Figure: 3DES. Encrypt with 56-bit key #1, Decrypt with 56-bit key #2, Encrypt with 56-bit key #3, taking clear-text to cipher-text]
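The EDE construction from the last three diagrams, as an added example that is not part of the OpenReach paper. A full DES implementation would not fit here, so it assumes XTEA (another 64-bit block cipher, with 128-bit keys) as a stand-in for each DES pass; the keying pattern, and why the middle step is a decryption, is what the example shows:

```python
MASK32 = 0xFFFFFFFF
DELTA = 0x9E3779B9
ROUNDS = 32


def _words(key: bytes):
    return [int.from_bytes(key[i:i + 4], "big") for i in range(0, 16, 4)]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Encrypt one 64-bit block with XTEA (128-bit key). Stand-in for a single
    DES pass; only the 64-bit block size matters for the EDE construction."""
    k = _words(key)
    v0, v1 = int.from_bytes(block[:4], "big"), int.from_bytes(block[4:], "big")
    s = 0
    for _ in range(ROUNDS):
        v0 = (v0 + ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK32
        s = (s + DELTA) & MASK32
        v1 = (v1 + ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK32
    return v0.to_bytes(4, "big") + v1.to_bytes(4, "big")


def block_decrypt(key: bytes, block: bytes) -> bytes:
    """Run the same rounds backwards; undoes block_encrypt under the same key."""
    k = _words(key)
    v0, v1 = int.from_bytes(block[:4], "big"), int.from_bytes(block[4:], "big")
    s = (DELTA * ROUNDS) & MASK32
    for _ in range(ROUNDS):
        v1 = (v1 - ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK32
        s = (s - DELTA) & MASK32
        v0 = (v0 - ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK32
    return v0.to_bytes(4, "big") + v1.to_bytes(4, "big")


def ede_encrypt(k1: bytes, k2: bytes, k3: bytes, block: bytes) -> bytes:
    """Encrypt-Decrypt-Encrypt, as in the paper's diagrams. Pass k3 == k1 for
    two-key triple DES; three distinct keys give the 3DES variant."""
    return block_encrypt(k3, block_decrypt(k2, block_encrypt(k1, block)))


def ede_decrypt(k1: bytes, k2: bytes, k3: bytes, block: bytes) -> bytes:
    """Decrypt-Encrypt-Decrypt with the keys applied in reverse order."""
    return block_decrypt(k1, block_encrypt(k2, block_decrypt(k3, block)))


if __name__ == "__main__":
    # Constructed sample keys and one 8-byte block.
    k1, k2, k3 = bytes(range(16)), bytes(range(16, 32)), bytes(range(32, 48))
    block = b"8 bytes!"
    cipher = ede_encrypt(k1, k2, k3, block)
    print(cipher.hex(), ede_decrypt(k1, k2, k3, cipher))
    # Why E-D-E rather than E-E-E: with all three keys equal the middle D cancels
    # the first E, so a triple-key box set to one key still talks to a single-key peer.
    print(ede_encrypt(k1, k1, k1, block) == block_encrypt(k1, block))  # True
```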

Generating secure keys is only part of the equation. To ensure continued security, you will want
to continually change those keys (or the combination to your lock). These changes are defined as
crypto-periods.

Re-keying Intervals
The OpenReach VPN Services use 168-bit keys to encrypt data. Still, that’s not enough to
provide the strongest security available. Remember we said that with a secret encryption
algorithm, once you guess the technique, you have access to all the information that has ever
been encrypted with it. This is also the case with keys. If you guess the key, you’ll have access to
all the information encrypted with it. Fortunately, with keys, you can routinely change the key or
combination, so that even if someone guessed the key, it would only be useful for the information
that was encrypted with that particular key. The length of time that a key is used is referred to as
a re-keying interval.

With OpenReach VPN Services, each time a VPN tunnel is established, new keys are generated
for encryption. In addition to this, the keys are automatically regenerated every two hours. Even if
someone were able to crack the code, it would only be useful to them for the information
transmitted over the previous two hours.

Symmetric vs. Asymmetric Keys
When the same key is used to both encrypt and decrypt information, the keys are called
symmetric keys. This requires the locations sharing information via a VPN to have the same
key at each end of the connection. Because the key is shared, symmetric keys are frequently
referred to as shared secrets. Another approach to locking and unlocking data allows information
to be encrypted with one key, but decrypted with another. Information encrypted with the first
key cannot be decrypted with the same key and vice versa. Two separate keys are required
for encryption and decryption and cannot be interchanged. These key-pairs are called
asymmetric keys.


[Figure: RSA. Clear text goes through RSA encryption under a 1024-bit private key to become crypto text, and through RSA encryption under the matching 1024-bit public key to become clear text again]

With asymmetric keys, one key is referred to as the public key and the other is referred to as the
private key. The public key is generally available and not kept a secret. If someone wants to send
information to you so only you can see it, they encrypt the information using your public key. But
only you can decrypt it using your private key.

On the flip side, if you want someone to know that a message came from you, you can encrypt it
with your private key and the person receiving the message decrypts it with your public key. If the
message decrypts correctly, it must have come from you.

Asymmetric keys are typically very long—for example 1024 or 2048 bits. Encryption processing
using asymmetric keys requires a lot of computing power and takes a long time. Therefore,
asymmetric keys are used for events that happen infrequently, such as setting up a VPN tunnel.
Symmetric keys are typically shorter—for example 56, 112 or 168 bits. Encryption processing
using symmetric keys is hundreds of times faster than using asymmetric keys. Symmetric keys
are used for high-frequency transactions, particularly encryption of data for transmission over the VPN.

Authentication
Encryption technology guarantees the privacy of information as it flows over the Internet;
authentication technology guarantees:

1) The identity of VPN participants, specifically that gateways and client PCs
are who they say they are
2) That the information received has integrity and has not been tampered with

There are many ways to authenticate, with the most common being name and password. For
example, when you connect to your ISP or your local network, you are prompted to enter your
login name and password. What you enter is compared to information maintained in a database.
If it matches, you are allowed to connect to the network; otherwise you are not permitted access
and may be asked to enter your login name and password again.


One problem with a name and password security approach is that it requires people to remember
their name/password combinations. Since people frequently use words and phrases that are easy
to remember such as their birthday or a child’s name, this is not a very secure approach.
Passwords that are easy to remember are also easy to guess.

A new technology called digital certificates lets people and systems authenticate or identify each
other without memorizing names and passwords. A digital certificate is a data record that includes
information such as a person’s name, address and public key. It also has dates specifying how
long the certificate is valid (like a credit card ‘valid through’ date). In a VPN, a digital certificate is
used like a passport or driver’s license to identify the person or system trying to connect to the
VPN and as a vehicle to distribute public keys.

[Figure: creating a digital signature. Step 1: the original message goes through a hash function to produce a message digest. Step 2: the message digest is encrypted with the private key to produce the digital signature]

To preclude forgery, digital certificates rely on technology called a digital signature. Digital
signatures guarantee that the information received is authentic and has integrity.

Digital signatures guarantee:

1) That it is from the person who claims to have sent it
2) That it has not been altered in any way [1]

Creating a digital signature is a two-step process. First, the message being transmitted is
processed by a special kind of encryption algorithm known as a hash function. A hash function
is a one-way encryption algorithm that transforms an arbitrarily large message into a unique [2]
fixed-length number. The unique number created by the hash function is referred to as a
message digest. If you change the original message, the message digest changes as well.
Hash functions are well known and include Secure Hash Algorithm (SHA) and Message Digest
2-5 (MD2 – MD5). Second, to create a digital signature, you further encrypt the message digest
by using your private key. This generates the digital signature.

[1] Digital signatures can be applied to any digital document (e.g., Microsoft Word™ files or .gif images) to
guarantee authenticity and integrity. For this example, we are particularly interested in the application to
digital certificates.

[2] Since hash functions translate arbitrarily large data into fixed-length numbers, the results are not quite
unique. There are cases where one set of data will be transformed into the same number as another set of
data. From a practical perspective, this occurs so infrequently that it is not an issue.


[Figure: verifying a digital signature. The original message goes through the hash function to produce a message digest; the digital signature is decrypted with the public key to recover the sender's message digest; the two digests are compared]

To guarantee the authenticity of a message, you create a digital signature for that message and
include it with the message. The recipient tests authenticity by:

1) Decrypting the digital signature using your public key
(this provides the original message digest)
2) Re-computing the message digest using the hash function
(this provides a new message digest based on the document received)
3) Comparing the two results

If you see that they’re the same, then the message is authentic and has not been tampered with.
A message that includes a digital signature is referred to as a signed message.

So, a Digital Certificate is a special type of signed message that associates a person,
organization or computer with a public key. A Certificate Authority (CA) accepts public keys with a
proof of identity and creates Digital Certificates that it makes available to others. The CA vouches
for the fact that this public key belongs to the person, organization or system. A CA may be
implemented in a proprietary fashion or it may use a directory protocol such as X.500 or LDAP.

A Public Key Infrastructure (PKI) is a set of security services for managing keys, digital
certificates and security policy. PKIs were designed for open user groups to support interactions
among people and systems that have never met before, for example to support consumer
purchases over the World Wide Web. In particular, PKIs provide coordination among multiple
CAs in the case that my certificate was issued by one CA and yours by another.

Digital Certificates provide the best form of authentication available today. Setting up and
maintaining a Certificate Authority can be a complex and expensive task. OpenReach VPN
Services use digital certificates to authenticate OpenReach VPN Gateways. Fortunately for
OpenReach VPN Service customers, OpenReach provides, maintains and manages the
infrastructure at no additional cost.

Tunneling
Encryption, keys, certificates and digital signatures are all security technologies that provide
the ‘P’ (or the privacy) in VPN. You might ask yourself:

“Why do I need any more than this? Why can’t I simply encrypt information and send it over the Internet?”

The answer is because you will typically want to send that information to private addresses (or
computers or users) that do not have a public address. This brings us to the ‘V’ in VPN that is
provided by a technology called tunneling.


Consider an office telephone system. When you’re in my office, you don’t need to dial the entire
telephone number (area code + number) to speak with someone else in the office. You just dial
an extension and another phone in the office will ring. However, when you’re outside of the office,
you need to provide the telephone network more information to connect. If you walk up to a pay
phone and punch in an extension only, nothing happens. You first need to dial the regular
telephone number and then key in the extension to connect. In the Internet (or IP) world, the
number is analogous to what’s called a publicly routable IP address. It works anywhere. The
extension is analogous to a private IP address. It only works in the building.

Tunneling is a technology that supports the routing of non-routable private IP addresses over
public networks such as the Internet.

[Figure: tunneling between Chicago and Tokyo. Computers a, b and c sit on the Chicago LAN behind VPN Gateway C; computers x, y and z sit on the Tokyo LAN behind VPN Gateway T. A packet from a to z crosses the Internet inside an outer packet addressed from C to T]

Let’s say you have an office in Chicago and an office in Tokyo. Each office has a LAN using
private IP addresses. Computer ‘a’ in Chicago can communicate with computer ‘b’ in Chicago
simply by placing a packet on the LAN with the from-address ‘a’ and the to-address ‘b’. The
private LAN ensures that the packet gets to the right place, just like a private telephone system
would ensure that an extension would ring the right phone.

A problem occurs when computer ‘a’ in Chicago wants to send information to computer ‘z’ in
Tokyo. Since both addresses are private, there is no way to route the packet over the public
network that connects them. This is where tunneling comes to the rescue.

A VPN Gateway (VPNG) in Chicago knows that private addresses x, y, and z aren’t actually in
the Chicago office, but in the Tokyo office. The Chicago VPNG also knows that the public address of
the VPNG in Tokyo is ‘T’. When computer ‘a’ places the packet on the LAN, the Chicago VPNG
grabs the packet and prepares to send it to Tokyo.

The initial data packet with from-address ‘a’ and to-address ‘z’ is encrypted and then placed
inside a second packet with from-address ‘C’ and to-address ‘T’ (both publicly routable
addresses). This second packet is sent to the Internet and finds its way to Tokyo. The Tokyo
VPNG pulls the first packet out of the second and places it on the Tokyo LAN that then delivers it
to computer ‘z’.

The process of placing one packet inside another is called encapsulation and is a core
component of tunneling.
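The Chicago-to-Tokyo encapsulation above, as an added example that is not part of the OpenReach paper. The private and public addresses are constructed for the demo, the packet format is a made-up 10-byte header, and a toy XOR stands in for the gateway's 3DES; the gateway also applies the checks a receiving VPNG should make before putting a decapsulated packet on its LAN:

```python
import ipaddress
import struct

# Constructed sample addressing: two private LANs and the gateways' public addresses.
CHICAGO_LAN = ipaddress.ip_network("10.1.0.0/24")
TOKYO_LAN = ipaddress.ip_network("10.2.0.0/24")
GATEWAY_C = ipaddress.ip_address("203.0.113.10")   # public address 'C'
GATEWAY_T = ipaddress.ip_address("198.51.100.20")  # public address 'T'
# Made-up packet layout: 4-byte source, 4-byte destination, 2-byte length, payload.
HEADER = struct.Struct("!4s4sH")


def build_packet(src, dst, payload: bytes) -> bytes:
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return HEADER.pack(src.packed, dst.packed, len(payload)) + payload


def parse_packet(packet: bytes):
    src, dst, length = HEADER.unpack_from(packet)
    payload = packet[HEADER.size:HEADER.size + length]
    return ipaddress.ip_address(src), ipaddress.ip_address(dst), payload


def toy_cipher(key: bytes, data: bytes) -> bytes:
    """Stand-in for the gateway's 3DES: XOR with a repeating key. Not secure; it only
    marks that the whole inner packet, private addresses included, is hidden."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


class VPNGateway:
    def __init__(self, public_addr, local_lan, routes, peers, key: bytes):
        self.public_addr = public_addr
        self.local_lan = local_lan
        self.routes = routes  # remote private prefix -> that site's gateway public address
        self.peers = peers    # public addresses this gateway accepts tunnels from
        self.key = key

    def handle_outbound(self, packet: bytes):
        """Packet seen on the local LAN: (None, packet) if it stays local, otherwise
        (remote gateway, outer packet) with the encrypted inner packet encapsulated."""
        _, dst, _ = parse_packet(packet)
        if dst in self.local_lan:
            return None, packet
        for prefix, remote_gw in self.routes.items():
            if dst in prefix:
                return remote_gw, build_packet(self.public_addr, remote_gw,
                                               toy_cipher(self.key, packet))
        raise ValueError(f"no tunnel route for private address {dst}")

    def handle_inbound(self, outer: bytes) -> bytes:
        """Check the outer packet, strip it, decrypt, and return the inner packet
        for the local LAN only if it is actually addressed there."""
        src, dst, body = parse_packet(outer)
        if dst != self.public_addr or src not in self.peers:
            raise ValueError("outer packet is not from a known peer to this gateway")
        inner = toy_cipher(self.key, body)  # XOR again undoes the XOR
        if parse_packet(inner)[1] not in self.local_lan:
            raise ValueError("decapsulated packet is not for this LAN")
        return inner


if __name__ == "__main__":
    key = b"constructed-shared-key"
    chicago = VPNGateway(GATEWAY_C, CHICAGO_LAN, {TOKYO_LAN: GATEWAY_T}, {GATEWAY_T}, key)
    tokyo = VPNGateway(GATEWAY_T, TOKYO_LAN, {CHICAGO_LAN: GATEWAY_C}, {GATEWAY_C}, key)
    hop, outer = chicago.handle_outbound(build_packet("10.1.0.1", "10.2.0.26", b"hi z"))
    print(hop, parse_packet(tokyo.handle_inbound(outer))[:2])  # T, then inner a -> z
```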


Conclusion
By combining encryption, keys, digital signatures, authentication and tunneling you can create
secure, private connections over a standard, public Internet connection. While most VPN
hardware and software products implement some variation on these sophisticated security
standards, few products make them simple to understand or use. We built OpenReach VPN
Services as a practical approach to VPNs, designed to enable regular businesses to use the
highest security available without hiring additional IT people or having to learn esoteric
technologies.

We hope this paper has been helpful to you in understanding how VPNs work. At OpenReach we
strive to ensure our customers and prospects have the information they need to make informed
and timely decisions. If you have any questions or would like assistance in setting up your own
VPN, please contact us at www.openreach.com or toll free at 888-783-0383.


About OpenReach, Inc.
With customers in 40 states and 28 countries, OpenReach provides global 2500 enterprises with
network overlay services that augment or replace existing data networks (frame relay, ATM,
and leased line) to extend coverage, increase capacity and reduce operational expense.

With ten patents pending, OpenReach’s fluid networks shape effortlessly to the needs of
changing businesses unlike carrier services and standalone products that force companies
to adapt their business to the constraints of their communication networks.

The First Annual White Paper Awards, produced by Bitpipe, recognize the diligence,
effort, and creativity of IT companies in producing these documents
and the value the IT community places on these documents.

OPENREACH, INC.
660 Main Street,
Woburn, MA 01801
888.783.0383
www.openreach.com
info@openreach.com
