Copyright 2002, OpenReach, Inc., which is solely responsible for its content. All rights reserved.
No part of this report may be reproduced or stored in a retrieval system or transmitted in any form
or by any means, without permission
Demystifying VPN: An Introduction to VPN Technology
OpenReach, Inc.
Introduction
Virtual Private Networks (VPNs) are a great way to connect remote locations safely
and securely using common Internet connections, yet few people have a good
understanding of how they work. This paper is intended to give business and IT
professionals an overview of the basic components of VPNs—including encryption,
keys, digital signatures, authentication and tunneling—as well as a perspective on
why these components are important and how they are used in a VPN solution.
Still, many of our customers like to understand the nuts and bolts of how our service
works. If you don’t know the difference between cipher-text and a crypto-period, and
would like to understand this security jargon and VPN without enrolling in an MIT
computer security course, this paper is for you.
Encryption
Virtual private networks ensure privacy and confidentiality of information using encryption.
Encryption is a technique that scrambles information (so that it is difficult or impossible to read)
and unscrambles information (so that it can be read again). The scrambled information is referred
to as cipher-text and the unscrambled information is referred to as clear-text.
[Figure: clear-text is scrambled into cipher-text and unscrambled back into clear-text]
When a VPN transmits information from one location to another, the VPN Gateway at the first
location encrypts information into cipher-text before sending it on the Internet. At the other
location, the receiving VPN Gateway decrypts the information into clear-text and sends it to the
LAN.
[Figure: clear-text enters the VPN Gateway at one location, crosses the Internet as cipher-text, and leaves the VPN Gateway at the other location as clear-text]
It used to be that encryption was made secure by keeping the encryption algorithm a secret. In
this scenario, the reason you can’t read an encrypted message is that you don’t know how it was
created. The problem with this approach is that once you crack the algorithm, you’ll have access
to all the information that has ever been encrypted with that algorithm. Furthermore, since the
encryption technique is a secret, it’s hard to tell how good the technique is because only a few
people really test it.
Today, the best encryption methods are published so that everyone knows how they work. In fact
everyone knows exactly how you encrypted your information. Popular encryption methods include
Data Encryption Standard (DES), Triple DES (3DES), and Blowfish. These methods are publicly
available and thoroughly tested.
Keys
So, if the method isn’t secret, how do you ensure that others can’t simply grab your cipher-text
and decrypt it to create the clear-text? The answer is keys. A key is a secret code that is used by
the encryption algorithm to create a unique version of the cipher-text.
[Figure: algorithm and key]
The encryption method is essentially like a lock that you purchase at the hardware store, while
the key is the unique combination that comes with that lock. Even though we can each go to the
hardware store and purchase the same model of lock, it doesn’t mean that we have access to
each other’s tool shed. While we each might be using the same algorithm (the lock, in this case),
we’ve each received a different key (the combination).
With this approach, security is no longer dependent upon keeping the encryption algorithm a
secret; it now depends on keeping the key or combination a secret. Most of today’s Internet
security standards (such as DES and 3DES) take this approach of exposing their algorithm for
anyone to examine and use while providing security through the generation of unique and hard-
to-crack keys. The level of security typically depends (in part) on the length of the keys.
[Figure: clear-text, the encryption algorithm and a key produce unique cipher-text; the decryption algorithm and the key recover the clear-text]
Key Lengths
When working with well-known encryption algorithms, the security strength depends upon the
length of the keys used. An 8-bit key provides 256 combinations (two to the eighth power), while
a 16-bit key provides 65,536 combinations (two to the sixteenth power). And so on.
With a 16-bit key, someone could make 65,536 attempts before guessing the combination that
would unlock the cipher-text. For a person, this would be impossible, but with high-speed
computers, it wouldn’t take too long to run through all the possible combinations. The following
table shows key-lengths and the possible combinations they create.
Key length   Possible combinations
8-bit        256
16-bit       65,536
56-bit       72,057,594,037,927,936
112-bit      5,192,296,858,534,827,628,530,496,329,220,096
168-bit      374,144,419,156,711,147,060,143,317,175,368,453,031,918,731,001,856

[Figure: 56-bit key]
Two-key triple DES is a DES system that increases security by encrypting the information
multiple times. With triple-pass DES, the data is encrypted once using a 56-bit key. The resulting
cipher-text is then decrypted using a second 56-bit key. This results in clear-text that doesn’t
look anything like what was originally encrypted. Finally, the data is re-encrypted using the first
key again.
3DES is an encryption algorithm that provides even better security than triple-pass DES. With
3DES, the data is encrypted, decrypted and encrypted again (EDE), but with three separate keys.
This uses 168-bit keys to result in an effective key length of 112 bits. OpenReach VPN Services
use 3DES or 112-bit encryption on all traffic that flows between VPN gateways and to the
OpenReach Network Operations Center (NOC).
Generating secure keys is only part of the equation. To ensure continued security, you will want
to continually change those keys (or the combination to your lock). These changes are defined as
crypto-periods.
Re-keying Intervals
The OpenReach VPN Services use 168-bit keys to encrypt data. Still, that’s not enough to
provide the strongest security available. Remember we said that with a secret encryption
algorithm, once you guess the technique, you have access to all the information that has ever
been encrypted with it. This is also the case with keys. If you guess the key, you’ll have access to
all the information encrypted with it. Fortunately, with keys, you can routinely change the key or
combination, so that even if someone guessed the key, it would only be useful for the information
that was encrypted with that particular key. The length of time that a key is used is referred to as
a re-keying interval.
With OpenReach VPN Services, each time a VPN tunnel is established, new keys are generated
for encryption. In addition to this, the keys are automatically regenerated every two hours. Even if
someone were able to crack the code, it would only be useful to them for the information
transmitted over the previous two hours.
[Figure: 1024-bit private key and 1024-bit public key]
With asymmetric keys, one key is referred to as the public key and the other is referred to as the
private key. The public key is generally available and not kept a secret. If someone wants to send
information to you so only you can see it, they encrypt the information using your public key. But
only you can decrypt it using your private key.
On the flip side, if you want someone to know that a message came from you, you can encrypt it
with your private key and the person receiving the message decrypts it with your public key. If the
message decrypts correctly, it must have come from you.
Asymmetric keys are typically very long—for example 1024 or 2048 bits. Encryption processing
using asymmetric keys requires a lot of computing power and takes a long time. Therefore,
asymmetric keys are used for events that happen infrequently, such as setting up a VPN tunnel.
Symmetric keys are typically shorter—for example 56, 112 or 168 bits. Encryption processing
using symmetric keys is hundreds of times faster than using asymmetric keys. Symmetric keys
are for high frequency transactions, particularly encryption of data for transmission over the VPN.
Authentication
Encryption technology guarantees the privacy of information as it flows over the Internet;
authentication technology guarantees:
1) the identity of VPN participants, specifically that gateways and client PCs are who they say they are
2) that the information received has integrity and has not been tampered with
There are many ways to authenticate, with the most common being name and password. For
example, when you connect to your ISP or your local network, you are prompted to enter your
login name and password. What you enter is compared to information maintained in a database.
If it matches, you are allowed to connect to the network; otherwise you are not permitted access
and may be asked to enter your login name and password again.
One problem with a name and password security approach is that it requires people to remember
their name/password combinations. Since people frequently use words and phrases that are easy
to remember such as their birthday or a child’s name, this is not a very secure approach.
Passwords that are easy to remember are also easy to guess.
A new technology called digital certificates lets people and systems authenticate or identify each
other without memorizing names and passwords. A digital certificate is a data record that includes
information such as a person’s name, address and public key. It also has dates specifying how
long the certificate is valid (like a credit card ‘valid through’ date). In a VPN, a digital certificate is
used like a passport or driver’s license to identify the person or system trying to connect to the
VPN and as a vehicle to distribute public keys.
[Figure: Step 1, the original message is run through the hash function to produce a message digest; Step 2, the message digest is encrypted with the private key to produce the digital signature]
To preclude forgery, digital certificates rely on technology called a digital signature[1]. Digital
signatures guarantee that the information received is authentic and has integrity.
Creating a digital signature is a two-step process. First, the message being transmitted is
processed by a special kind of encryption algorithm known as a hash function. A hash function
is a one-way encryption algorithm that transforms an arbitrarily large message into a unique[2]
fixed-length number. The unique number created by the hash function is referred to as a
message digest. If you change the original message, the message digest changes as well.
Hash functions are well known and include Secure Hash Algorithm (SHA) and Message Digest
2-5 (MD2 – MD5). Second, to create a digital signature, you further encrypt the message digest
by using your private key. This generates the digital signature.
[1] Digital signatures can be applied to any digital document (e.g., Microsoft Word™ files or .gif images) to
guarantee authenticity and integrity. For this example, we are particularly interested in the application to
digital certificates.
[2] Since hash functions translate arbitrarily large data into fixed-length numbers, the results are not quite
unique. There are cases where one set of data will be transformed into the same number as another set of
data. From a practical perspective, this occurs so infrequently that it is not an issue.
[Figure: the recipient uses the public key to recover the message digest from the digital signature]
To guarantee the authenticity of a message, you create a digital signature for that message and
include it with the message. The recipient tests authenticity by decrypting the digital signature
with your public key to recover the message digest, running the received message through the
same hash function, and comparing the two results.
If you see that they’re the same, then the message is authentic and has not been tampered with.
A message that includes a digital signature is referred to as a signed message.
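The two-step signing process and the recipient’s check described above, as an added worked example in Python (not code from the paper or from OpenReach). It uses SHA-256 for the hash function and textbook RSA for the private-key encryption of the digest; the fixed, publicly known Mersenne primes are an assumed stand-in key pair so that the example runs offline, not a usable key.

```python
import hashlib

# Fixed, publicly known Mersenne primes, used only so the example is self-contained
# and runs offline.  A real key pair uses freshly generated random primes; this one
# is NOT usable as a real key.
P = 2**521 - 1
Q = 2**127 - 1
N = P * Q                           # public modulus, about 648 bits
E = 65537                           # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (needs Python 3.8+)
PUBLIC_KEY, PRIVATE_KEY = (N, E), (N, D)

def message_digest(message):
    """Step 1: run the message through a hash function (SHA-256, a later member
    of the SHA family) to get a fixed-length message digest, read as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message, private_key):
    """Step 2: encrypt the digest with the private key.  This is textbook RSA
    with no padding, which matches the paper's description; real signature
    schemes pad the digest (e.g. PSS) before this step."""
    n, d = private_key
    return pow(message_digest(message), d, n)

def verify(message, signature, public_key):
    """Recipient: decrypt the signature with the public key to recover the digest,
    hash the received message yourself, and compare the two."""
    n, e = public_key
    return pow(signature, e, n) == message_digest(message)

if __name__ == "__main__":
    msg = b"certificate: CN=chicago-gateway, valid through 2003-12-31"  # constructed sample
    sig = sign(msg, PRIVATE_KEY)
    print(verify(msg, sig, PUBLIC_KEY))          # True: authentic and intact
    print(verify(msg + b"!", sig, PUBLIC_KEY))   # False: message was altered
    print(verify(msg, sig ^ 1, PUBLIC_KEY))      # False: signature was altered
```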
So, a Digital Certificate is a special type of signed message that associates a person,
organization or computer with a public key. A Certificate Authority (CA) accepts public keys with a
proof of identity and creates Digital Certificates that it makes available to others. The CA vouches
for the fact that this public key belongs to the person, organization or system. A CA may be
implemented in a proprietary fashion or it may use a directory protocol such as X.500 or LDAP.
A Public Key Infrastructure (PKI) is a set of security services for managing keys, digital
certificates and security policy. PKIs were designed for open user groups to support interactions
among people and systems that have never met before, for example to support consumer
purchases over the World Wide Web. In particular, PKIs provide coordination among multiple
CAs in the case that my certificate was issued by one CA and yours by another.
Digital Certificates provide the best form of authentication available today. Setting up and
maintaining a Certificate Authority can be a complex and expensive task. OpenReach VPN
Services use digital certificates to authenticate OpenReach VPN Gateways. Fortunately for
OpenReach VPN Service customers, OpenReach provides, maintains and manages the
infrastructure at no additional cost.
Tunneling
Encryption, keys, certificates and digital signatures are all security technologies that provide
the ‘P’ (or the privacy) in VPN. You might ask yourself why, if the information is already private,
anything more is needed to send it over the Internet.
The answer is because you will typically want to send that information to private addresses (or
computers or users) that do not have a public address. This brings us to the ‘V’ in VPN, which is
provided by a technology called tunneling.
Consider an office telephone system. When you’re in my office, you don’t need to dial the entire
telephone number (area code + number) to speak with someone else in the office. You just dial
an extension and another phone in the office will ring. However, when you’re outside of the office,
you need to provide the telephone network more information to connect. If you walk up to a pay
phone and punch in an extension only, nothing happens. You first need to dial the regular
telephone number and then key in the extension to connect. In the Internet (or IP) world, the
number is analogous to what’s called a publicly routable IP address. It works anywhere. The
extension is analogous to a private IP address. It only works in the building.
Tunneling is a technology that supports the routing of non-routable private IP addresses over
public networks such as the Internet.
[Figure: a packet from ‘a’ to ‘z’ on the Chicago LAN (hosts a, b, c) is wrapped by the Chicago VPNG (public address C) inside an outer packet from C to T, crosses the Internet, and is unwrapped by the Tokyo VPNG (public address T) for delivery to ‘z’ on the Tokyo LAN (hosts x, y, z)]
Let’s say you have an office in Chicago and an office in Tokyo. Each office has a LAN using
private IP addresses. Computer ‘a’ in Chicago can communicate with computer ‘b’ in Chicago
simply by placing a packet on the LAN with the from-address ‘a’ and the to-address ‘b’. The
private LAN ensures that the packet gets to the right place, just like a private telephone system
would ensure that an extension would ring the right phone.
A problem occurs when computer ‘a’ in Chicago wants to send information to computer ‘z’ in
Tokyo. Since both addresses are private, there is no way to route the packet over the public
network that connects them. This is where tunneling comes to the rescue.
A VPN Gateway (VPNG) in Chicago knows that private addresses x, y, and z aren’t actually in
the Chicago office, but in the Tokyo office. The Chicago VPNG also knows that the public address
of the VPNG in Tokyo is ‘T’. When computer ‘a’ places the packet on the LAN, the Chicago VPNG
grabs the packet and prepares to send it to Tokyo.
The initial data packet with from-address ‘a’ and to-address ‘z’ is encrypted and then placed
inside a second packet with from-address ‘C’ and to-address ‘T’ (both publicly routable
addresses). This second packet is sent to the Internet and finds its way to Tokyo. The Tokyo
VPNG pulls the first packet out of the second and places it on the Tokyo LAN that then delivers it
to computer ‘z’.
The process of placing one packet inside another is called encapsulation and is a core
component of tunneling.
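The encapsulation step just described, as an added example in Python (not code from the paper or from OpenReach): it builds the inner packet from ‘a’ to ‘z’ with real IPv4 headers, wraps it in an outer packet from ‘C’ to ‘T’ at the Chicago gateway, and unwraps and checks it at the Tokyo gateway. The LAN prefixes and public addresses are constructed sample values, and the encryption of the inner packet that the paper describes is left out so that the example needs only the standard library.

```python
import ipaddress
import struct

# Constructed sample topology (assumed for this example, not from the paper):
# each site's private LAN and the public address of its VPN Gateway (VPNG).
SITES = {
    "Chicago": (ipaddress.ip_network("10.1.0.0/24"), "203.0.113.10"),  # public 'C'
    "Tokyo": (ipaddress.ip_network("10.2.0.0/24"), "198.51.100.20"),   # public 'T'
}
IPPROTO_IPIP = 4  # IP-in-IP: the outer packet's payload is a whole inner IPv4 packet

def checksum(data):
    """Ones'-complement sum used by the IPv4 header; returns 0 for a valid header."""
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_packet(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header (no options) followed by the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload

def parse_packet(pkt):
    """Return (src, dst, proto, payload); reject a short or corrupted header."""
    if len(pkt) < 20 or checksum(pkt[:20]) != 0:
        raise ValueError("bad IPv4 header")
    src, dst = ipaddress.IPv4Address(pkt[12:16]), ipaddress.IPv4Address(pkt[16:20])
    return str(src), str(dst), pkt[9], pkt[20:]

def gateway_forward(site, lan_pkt):
    """Sending VPNG: find which remote site owns the private destination and wrap
    the LAN packet in an outer packet addressed to that site's public gateway."""
    _, dst, _, _ = parse_packet(lan_pkt)
    for name, (lan, public) in SITES.items():
        if name != site and ipaddress.IPv4Address(dst) in lan:
            return build_packet(SITES[site][1], public, IPPROTO_IPIP, lan_pkt)
    raise ValueError("no tunnel for destination %s" % dst)

def gateway_receive(site, outer_pkt):
    """Receiving VPNG: strip the outer header and hand the inner LAN packet to the
    local LAN, after checking the tunnel ends here and the inner destination is local."""
    _, dst, proto, inner = parse_packet(outer_pkt)
    if dst != SITES[site][1] or proto != IPPROTO_IPIP:
        raise ValueError("not a tunnel packet for this gateway")
    _, inner_dst, _, _ = parse_packet(inner)
    if ipaddress.IPv4Address(inner_dst) not in SITES[site][0]:
        raise ValueError("inner destination %s is not on this LAN" % inner_dst)
    return inner
```

The checks in gateway_receive are the part a real gateway must not skip: a packet whose inner destination is not on the local LAN is dropped rather than placed on it.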
Conclusion
By combining encryption, keys, digital signatures, authentication and tunneling you can create
secure, private connections over a standard, public Internet connection. While most VPN
hardware and software products implement some variation on these sophisticated security
standards, few products make them simple to understand or use. We built OpenReach VPN
Services as a practical approach to VPNs, designed to enable regular businesses to use the
highest security available without hiring additional IT people or having to learn esoteric
technologies.
We hope this paper has been helpful to you in understanding how VPNs work. At OpenReach we
strive to ensure our customers and prospects have the information they need to make informed
and timely decisions. If you have any questions or would like assistance in setting up your own
VPN, please contact us at www.openreach.com or toll free at 888-783-0383.
With ten patents pending, OpenReach’s fluid networks shape effortlessly to the needs of
changing businesses unlike carrier services and standalone products that force companies
to adapt their business to the constraints of their communication networks.
The First Annual White Paper Awards, produced by Bitpipe, recognize the diligence,
effort, and creativity of IT companies in producing these documents
and the value the IT community places on these documents.
OPENREACH, INC.
660 Main Street,
Woburn, MA 01801
888.783.0383
www.openreach.com
info@openreach.com