VPN Protocol Comparison: PPTP vs. L2TP vs. OpenVPN vs. SSTP vs. IKEv2
By now it’s become quite obvious that many VPN encryption technologies are certified and developed by the National Institute of Standards and Technology. However, shocking new revelations from Edward Snowden have shown that the NSA has been working for years to subvert and crack these technologies. This raises the question: “Are these VPN technologies really safe?”
Let us begin by discussing the key differences between VPN protocols and how they affect users. After that, we cover the main concepts involved in cryptography and discuss how the NSA’s attack on encryption standards impacts the millions of VPN users around the world.
PPTP
Developed by a consortium founded by the Microsoft Corporation, Point-to-Point Tunneling Protocol (PPTP) creates a Virtual Private Network on dial-up networks. It has been the standard protocol for VPNs since its inception. The first VPN protocol to be supported by Windows, PPTP provides security by relying on a variety of authentication methods like MS-CHAP v2.
Every VPN capable device and platform has PPTP available as standard. Since its setup is relatively easy, it remains the primary choice for both VPN providers and businesses. Also, its implementation requires low computation overhead, making it one of the fastest VPN protocols available.
However, even with its use of 128-bit encryption, there are numerous security vulnerabilities, with the possibility of an unencapsulated MS-CHAP v2 authentication being the most grave. Due to this, PPTP can be cracked within 2 days. Although the flaw has been patched by Microsoft, the tech giant itself recommends that VPN users use SSTP or L2TP instead.
With PPTP being so insecure, it comes as no surprise that decrypting PPTP-encrypted communications is almost certainly standard at the NSA. What’s even more worrying is that the NSA has decrypted (or is in the course of decrypting) huge amounts of older data that was encrypted back when PPTP was considered a secure protocol by security experts.
Pros
- Client built in to almost all platforms.
- Easy to set up.
Cons
- It’s compromised by the NSA.
- Not completely secure.
L2TP and L2TP/IPsec
Layer 2 Tunneling Protocol (L2TP), unlike other VPN protocols, does not provide any privacy or encryption to traffic passing through it. Due to this, it’s typically implemented with a suite of protocols known as IPsec to encrypt data before transmission, providing users with privacy and security. All modern VPN-compatible devices and operating systems have L2TP/IPsec built in. The setup is as quick and easy as PPTP, but there can be problems, as the protocol makes use of UDP port 500, which is an easy target to be blocked by NAT firewalls. Therefore, port forwarding may be required if it is used with a firewall.
There are no major vulnerabilities associated with IPsec encryption, and it may still be secure if properly implemented. Nevertheless, Edward Snowden’s revelations strongly hint at it being compromised by the NSA. John Gilmore, who is the founding member and security specialist of the Electronic Frontier Foundation, claims that it’s likely that the protocol is deliberately weakened by the NSA. Moreover, since the L2TP/IPsec protocol encapsulates data twice, it isn’t as efficient as SSL-based solutions, and is therefore slightly slower than other VPN protocols.
Pros
- Typically considered secure.
- Available on all modern devices and operating systems.
- Easy to set up.
Cons
- Slower than OpenVPN.
- May be compromised by the NSA.
- Can be problematic if used with restrictive firewalls.
- It’s likely that the NSA has deliberately weakened the protocol.
OpenVPN
A relatively new open source technology, OpenVPN uses the SSLv3/TLSv1 protocols and OpenSSL library, with a combination of other technologies, to provide users with a reliable and strong VPN solution. The protocol is highly configurable and runs best on a UDP port, but it can be configured to run on any port, making it extremely difficult for Google and other similar services to block it.
Another great advantage of this protocol is that its OpenSSL library supports a variety of cryptographic algorithms, such as 3DES, AES, Camellia, Blowfish and CAST-128, even though Blowfish and AES are almost exclusively used by VPN providers. OpenVPN comes with built-in 128-bit Blowfish encryption. While it’s usually considered secure, it has some known weaknesses as well.
When it comes to encryption, AES is the newest technology available and is considered the ‘gold standard’ because it has no known weaknesses. It has even been adopted by the US government and agencies to protect ‘secure’ data. It can handle larger files comparatively better than Blowfish, thanks to its 128-bit block size as compared to Blowfish’s 64-bit block size. However, both are NIST-certified ciphers, and while this might not be widely recognized as a problem, there are some issues that we look at below.
Firstly, how quickly the OpenVPN protocol performs depends upon the level of encryption used, but it’s normally quicker than IPsec. Though OpenVPN is now the default VPN connection for most VPN services, it’s still not supported natively by any platform. However, it is supported by most third-party software, including on both Android and iOS.
When it comes to the setup, it’s a bit tricky as compared to L2TP/IPsec and PPTP, particularly when the generic OpenVPN software is being used. Not only do you have to download and install the client, but additional configuration files need to be set up, which needs looking into. Several VPN providers face this configuration problem due to the supply of customized VPN clients.
However, taking all factors into account and considering the information provided by Edward Snowden, it seems OpenVPN has neither been weakened nor compromised by the NSA. It’s also considered immune to NSA attacks because of its use of ephemeral key exchanges. Undoubtedly, no one is aware of the NSA’s full capabilities; however, both the mathematics and the evidence strongly indicate that OpenVPN, when combined with a strong cipher, is the only VPN protocol that can be considered secure.
Pros
- Has the ability to bypass most firewalls.
- Highly configurable.
- Since it is open source, it can easily be vetted for backdoors.
- It is compatible with a variety of encryption algorithms.
- Highly secure.
Cons
- Can be a little tricky to set up.
- It requires third-party software.
- Support for desktop is great, but on mobile devices, it needs improvement.
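The cipher and key-exchange points above can be checked mechanically in an OpenVPN configuration file. The following is an added example, not code from the OpenVPN project or the original article: `cipher` and `tls-cipher` are real OpenVPN directives, while the function names, the sample configs and the assumption that a missing `cipher` line means the built-in Blowfish default are constructed for illustration.

```python
import re

# OpenVPN/OpenSSL names of the 64-bit-block ciphers the article lists
# (Blowfish, 3DES, CAST-128).
SMALL_BLOCK = ("BF-", "DES-", "CAST5-")

# Constructed sample configs, not taken from any real deployment.
WEAK = """
proto udp            # no cipher line: falls back to the built-in default
tls-cipher TLS-RSA-WITH-AES-128-CBC-SHA
"""
HARDENED = """
proto udp
cipher AES-256-CBC
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA
"""

def parse_directives(text):
    """Map each directive to its argument list, dropping # and ; comments."""
    cfg = {}
    for line in text.splitlines():
        line = re.split(r"[#;]", line, maxsplit=1)[0].strip()
        if line:
            name, *args = line.split()
            cfg[name] = args
    return cfg

def audit(text):
    """Return findings for the two weaknesses the article discusses."""
    cfg, findings = parse_directives(text), []
    # Assumption: a missing 'cipher' line means the Blowfish default applies.
    cipher = (cfg.get("cipher") or ["BF-CBC"])[0].upper()
    if cipher.startswith(SMALL_BLOCK):
        findings.append(f"cipher {cipher}: 64-bit block, use AES-256 instead")
    elif cipher.startswith("AES-") and "256" not in cipher:
        findings.append(f"cipher {cipher}: AES key shorter than 256 bits")
    # Suites without DHE/ECDHE rely on the permanent RSA key for key exchange.
    suites = (cfg.get("tls-cipher") or [""])[0].split(":")
    static = [s for s in suites if s and "DHE" not in s.upper()]
    if static:
        findings.append("tls-cipher lacks ephemeral key exchange: " + ", ".join(static))
    return findings

if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(conf) or "no findings")
```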
SSTP
Introduced by the Microsoft Corporation in Windows Vista Service Pack 1, Secure Socket Tunneling Protocol (SSTP) is now available for SEIL, Linux and RouterOS, but is still mainly a Windows-only platform. Since it uses SSL v3, it provides advantages that are similar to OpenVPN, such as the ability to prevent NAT firewall issues. SSTP is a stable and easier-to-use VPN protocol, particularly because it’s integrated into Windows.
However, it is a proprietary standard owned by Microsoft. The tech giant has a history of cooperation with the NSA, and there are speculations about built-in backdoors in the Windows operating system. So, it does not inspire as much confidence as other standards.
Pros
- Has the ability to bypass most firewalls.
- The level of security depends on the cipher, but it is usually secure.
- Entirely integrated into the Windows operating system.
- Microsoft support.
Cons
- Since it’s a proprietary standard owned by the Microsoft Corporation, it cannot be vetted for backdoors.
- Only works on Windows platforms.
IKEv2
An IPsec-based tunneling protocol, Internet Key Exchange version 2 (IKEv2) was developed by both Cisco and Microsoft. It is baked into the 7th and later versions of the Windows platform. It comes with compatible and developed open source implementations for Linux and various other platforms, and supports Blackberry devices.
Referred to as VPN Connect by the Microsoft Corporation, it’s good at re-establishing VPN connections automatically when an internet connection is lost temporarily. Mobile users benefit the most from IKEv2, as the Mobility and Multi-homing protocol offered by the standard makes changing networks extremely flexible. It’s also great for Blackberry users, as IKEv2 is amongst the few VPN protocols that support Blackberry devices. Though IKEv2 is available on fewer platforms than IPsec, it’s considered equally good in terms of stability, security and performance.
Pros
- Extremely secure – supports a variety of ciphers such as 3DES, AES, AES 256.
- Comes with support for Blackberry devices.
- It’s stable, especially when reconnecting after losing a connection or switching networks.
- It’s easy to set up, at least from the user’s end.
- Relatively faster than L2TP, PPTP and SSTP.
Cons
- Supported on limited platforms.
- The UDP port 500 used is easy to block as compared to SSL-based solutions, like SSTP or OpenVPN.
- Not an open source implementation.
- At the server end, implementing IKEv2 is tricky, which can cause a few potential issues.
To understand encryption, you have to grasp a number of key concepts, all of which we discuss below.
Encryption Key Length
The crudest way of determining the time it takes to break a cipher is its key length: the raw number of ones and zeros used in the cipher. In the same way, exhaustive key search (or brute force attack) is the crudest form of attack on a cipher. This approach involves trying every possible combination until the correct one is found. In terms of key length, the level of encryption used by VPN providers is between 128 bits and 256 bits. Higher levels are used for data authentication and handshake, but does this mean 256-bit encryption is better than 128-bit encryption?
To find the right answer, let’s put some numbers into perspective:
- To reliably break a 128-bit key cipher, it requires 3.4 × 10^38 operations.
- To reliably break a 256-bit key cipher, it requires 2^128 times more computational power compared to a 128-bit key cipher.
- Brute forcing a 256-bit cipher requires 3.31 × 10^65 operations; almost equivalent to the total number of atoms in the Universe.
- Fujitsu K, 2011’s fastest supercomputer in the world, had Rmax speeds of up to 10.51 petaflops. Considering this figure, it would take approximately 1 billion years for the 128-bit AES key to be cracked by force.
- NUDT Tianhe-2, 2013’s most powerful supercomputer in the world, had Rmax speeds of up to 33.86 petaflops. That’s nearly 3 times faster than the Fujitsu K, and it would take approximately a third of a billion years for the 128-bit AES key to be cracked by force.
Until Edward Snowden’s new revelations, it was widely believed that the 128-bit encryption was uncrackable through force, and it would remain so for another hundred years or more. However, considering the vast resources that the NSA has at hand, several experts and system administrators all over the world have upgraded cipher key lengths. It’s worth mentioning that the US government uses 256-bit encryption for protection of sensitive data (128-bit is used for routine encryption needs). Nevertheless, even the method used, AES, can cause a few problems.
Ciphers are the mathematical algorithms used during encryption; weak algorithms are vulnerable to hackers, allowing them to easily break the encryption. By far, Blowfish and AES are the most common ciphers users are likely to encounter on VPNs. RSA is used for the encryption and decryption of the cipher’s keys, while SHA-1 and SHA-2 are used as hash functions to authenticate the data.
However, now that AES is widely considered the most secure cipher for VPNs, to the point that it has been adopted by the US government, there has been a substantial increase in its perceived reliability and popularity. Nevertheless, there are reasons to believe this trust might be misplaced.
SHA-1, SHA-2, RSA and AES were all certified or developed by the United States National Institute of Standards and Technology (NIST), a body that works closely with the NSA for the development of its ciphers. Now that we are aware of the systematic efforts made by the NSA to weaken encryption standards or build backdoors into them, it makes sense to raise questions regarding the integrity of NIST algorithms.
NIST has always denied any wrongdoing (i.e. deliberately weakening cryptographic standards) and has tried to boost public confidence by inviting people to participate in its upcoming encryption-related standards. But the NSA has been accused by the New York Times of circumventing NIST’s approved encryption standards, either by disrupting the public development process or by introducing undetectable backdoors to weaken the algorithms.
On September 17, 2013, the distrust was bolstered even further. Customers were told privately by RSA Security to stop using a particular encryption algorithm, as it contained a flaw intentionally engineered by NSA.
Moreover, an encryption standard engineered by NIST, Dual EC DRBG, is believed to have been insecure for years. So much so that it was even noted by the University of Technology in the Netherlands in 2006. Despite these concerns, where NIST leads, the industry follows without reluctance, mainly because complying with NIST standards is a requirement for obtaining contracts from the US government.
NIST’s standards are ubiquitous all over the world, throughout all areas of business and industry that are reliant on privacy, such as the VPN industry, so, this may all seem rather chilling. Since a lot relies on these standards, experts in the field of cryptography have been unwilling to tackle the problem. The only company that did, Silent Circle, chose to close its Silent Mail service rather than see it compromised by the NSA. The company then announced its move away from the NIST standards in November 2013.
Thanks to the coverage of this issue, small yet innovative VPN provider, LiquidVPN, has begun testing and experimenting with non-NIST ciphers. But, this is the only VPN provider moving in this direction that we are aware of. So, until the experiment is concluded, you need to make the most of 256-bit AES encryption; currently the best encryption standard available.
NSA Attacks on RSA Key Encryption
One of Edward Snowden’s new revelations indicates that a program codenamed ‘Cheesy Name’ was being developed. Its purpose was to single out encryption keys, called ‘certificates’, that may be at risk of being cracked by supercomputers at GCHQ. This strongly suggests that these certificates, which are commonly protected by 1024-bit encryption, are weaker than we thought and can be decrypted much more quickly than expected by GCHQ and the NSA. Once decrypted, all past and future exchanges are compromised by the use of a permanent private key to decrypt all the data.
As a result, several forms of encryption that are reliant on ephemeral keys and certificates must be considered broken, including both TLS and SSL. This has a huge effect on all HTTPS traffic. However, there is some good news. OpenVPN, which uses temporary key changes, shouldn’t be affected by this. Why? Because a new key is generated for each exchange, therefore not giving certificates the opportunity to establish trust.
Even if someone obtained the certificate’s private key, decrypting the communication would simply not be possible. With a man-in-the-middle (MitM) attack, it could be possible to target an OpenVPN connection, but it needs to be specifically targeted and the private key needs to be compromised. Since the news became public that GCHQ and the NSA are capable of cracking 1024-bit encryption, quite a few VPN providers have ramped up their encryption to 2048 bits, or even 4096 bits.
Perfect Forward Secrecy
More good news is that the solution for this problem, even for TLS and SSL connections, is not that difficult if websites start implementing perfect forward secrecy systems. Here, a new and unique private encryption key is created for each session. Unfortunately, so far, the only major internet company to implement a perfect forward secrecy system is Google.
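The difference between a permanent private key and per-session keys can be seen in a small model. This is an added example, not code from the article or from any VPN product: it uses textbook RSA and Diffie-Hellman with toy parameters that are far too small for real use, and every name in it is hypothetical.

```python
import hashlib
import secrets

# Toy parameters, constructed for illustration and far too small for real use.
RSA_P, RSA_Q, RSA_E = 2**31 - 1, 2**61 - 1, 65537   # two Mersenne primes
DH_P, DH_G = 2**64 - 59, 5                          # small prime modulus

def kdf(secret: int) -> str:
    """Derive a session key (hex) from a shared secret."""
    return hashlib.sha256(str(secret).encode()).hexdigest()

class Server:
    """Holds the permanent private key that backs the certificate."""
    def __init__(self):
        self.n = RSA_P * RSA_Q
        self.d = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))

def static_rsa_session(server):
    """Key transport: the client encrypts a fresh secret to the server's
    permanent public key. Returns (what an eavesdropper records, session key)."""
    secret = secrets.randbits(64)
    recorded = pow(secret, RSA_E, server.n)
    return recorded, kdf(secret)

def ephemeral_dh_session():
    """Forward-secret exchange: both sides use one-time DH keys. Real protocols
    also sign the public values with the permanent key, which authenticates
    but never encrypts. Returns (recorded public values, client key, server key)."""
    a = secrets.randbelow(DH_P - 2) + 1
    b = secrets.randbelow(DH_P - 2) + 1
    pub_a, pub_b = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    client_key, server_key = kdf(pow(pub_b, a, DH_P)), kdf(pow(pub_a, b, DH_P))
    del a, b                      # nothing long-lived can rebuild the key
    return (pub_a, pub_b), client_key, server_key

def decrypt_recording(recorded: int, leaked_d: int, n: int) -> str:
    """What a later leak of the permanent key yields for a static-RSA session."""
    return kdf(pow(recorded, leaked_d, n))

def demo():
    server = Server()
    past = [static_rsa_session(server) for _ in range(3)]
    # One leaked key opens every recorded static-RSA session.
    broken = sum(decrypt_recording(c, server.d, server.n) == k for c, k in past)
    # Ephemeral sessions: the recording holds only public values, and each
    # session key is fresh, so the permanent key has nothing to decrypt.
    keys = {ephemeral_dh_session()[1] for _ in range(3)}
    return broken, len(keys)

if __name__ == "__main__":
    print(demo())
```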
As we conclude this article, we encourage you to follow the wise words of Edward Snowden, that encryption works and crypto systems should be implemented to enhance security. So, what should you take away from this article? It’s simple! OpenVPN is the most secure protocol available and VPN providers should continue working to strengthen its implementation. It would be simply great if providers also started moving away from NIST’s standards, but that’s one thing we definitely have to wait for.
- PPTP is extremely insecure. It has been compromised by the NSA, and even Microsoft has abandoned it, which is why it should be avoided totally. While you may find its cross-platform compatibility and ease of setup attractive, be reminded that users can gain many of the same advantages and a considerably better level of security by using L2TP/IPsec.
- When it comes to non-critical use, L2TP/IPsec is the right VPN solution for you, even though it has been weakened and compromised by the NSA severely. If you are looking for a quick VPN setup that does not require additional software it remains useful, especially for mobile devices where support for OpenVPN remains inconsistent.
- Despite the need to download and install third-party software on all platforms, OpenVPN is unarguably the best VPN solution for all your needs. It’s fast, secure, reliable, and though setting it up may take a little more time, it’s worth it for the premium security and privacy you are provided while surfing the web.
- IKEv2 is also a fast and secure protocol if used along with open source implementations, particularly for mobile users, courtesy of its ability to reconnect automatically after your internet connection has been disrupted. Additionally, since it’s one of the few VPN protocols that support Blackberry devices, it’s clearly the best option you have.
- SSTP provides users with pretty much the same advantages of an OpenVPN connection, however, only on Windows platforms. Therefore, you find it integrates into the Windows operating systems much better than other VPN protocols. However, it has limited support from VPN providers due to this limitation, and since Microsoft has a good, long history of cooperation with the NSA, SSTP is one protocol we do not trust.
In short, you should always use OpenVPN where possible, while for mobile devices, IKEv2 is a good option. For a quick solution, L2TP proves sufficient, but considering the increased availability of OpenVPN mobile apps, we still prefer using OpenVPN over all other protocols.