In the wake of the Edward Snowden NSA revelations the use of encryption has become an extremely hot topic. Demand for anonymity tools has increased rapidly and providers are offering better services to satisfy that demand. Today we bring news of a new VPN client from Private Internet Access, one containing features that, if regularly configured correctly, would require “advanced alien technology” to crack.
Previously the domain of the particularly Internet savvy, in recent years the issue of online privacy has become a regular talking point in many mainstream tech publications.
The use of VPNs and services such as TOR has proven particularly popular with those looking to keep a low profile online, with the added benefit of enabling users to bypass government-imposed website censorship around the world.
Of course, this year came a watershed moment for privacy when ex-CIA contractor Edward Snowden spilled the beans on the activities of the NSA, revelations which have sent shockwaves around the world. While previously corporations and geeks might have sought to heavily encrypt their communications, now everyone is getting in on the act. Needless to say, security-focused products are enjoying the boom.
For regular file-sharers, security requirements are somewhat different to those looking to whistle-blow or widely share government secrets. Nevertheless, one of the biggest VPN providers in the space will today up the ante with the release of a brand new VPN client. It offers more features than ever before to encrypt users’ communications to a level that will perfectly suit them but disappoint would-be attackers.
TorrentFreak was given access to the new software earlier this week for testing. It’s an upgrade to the current Private Internet Access OpenVPN client and installed without a hitch. It looks very much like the old software until a press of the ‘Advanced’ button reveals a new option titled ‘Encryption’.
“Our application allows our clients to change their encryption and security settings with just a few clicks to any combination they choose,” PIA CEO Andrew Lee told TorrentFreak. “We allow our customers to configure their handshake encryption, data authentication encryption and even the data itself with levels up to AES-256 and RSA 4096!”
With so many options now available, we took a brief look at each and provide a summary below. We have avoided rocket-science type explanations – those will appear in a follow-up article.
Data encryption – AES-128 v AES-256 v Blowfish
Currently PIA uses 128-bit Blowfish. Why should users get excited about the option to use AES-128 / AES-256 over the previous standard?
“As AES-128 is, in general, faster than Blowfish 128 on most modern processors, our customers will enjoy extra speed with this exciting addition,” Lee told us.
Interestingly, the client also allows users not to encrypt their communications at all. PIA confirmed that this setting is there for people who don’t care about encrypting their communications but still want to hide their IP addresses from sites and services they use. This setting also has the side effect of offering the greatest speeds.
Data authentication – SHA1 or SHA-256?
This hashing technology is used to ensure the integrity and authentication of data sent within a message. SHA1 (160-bit) is the fastest option, but is it more desirable than SHA-256 (256-bit)?
“SHA1 should be more than fine,” Lee explained. “However, we’re simply offering a stronger alternative for those who may feel it is a necessity.”
Handshake – RSA-2048 v RSA-3072 v RSA-4096
In 2010 it was reported that RSA 1024-bit encryption had been cracked. Now that PIA offers 2048, 3072 and 4096, is there a preferred setting for optimal efficiency?
“We believe that 2048 bit is sufficient at this point, but in line with the previous question, we are providing the option for much stronger key sizes if the user feels it is a necessity,” Lee says.
Additionally, the new PIA client also offers elliptic curve cryptography options – ECC-256K1 (in use by Bitcoin), ECC-256R1 and ECC-521. With rumors circulating that ECC may be vulnerable to NSA backdoor access, what is the best option?
“To be honest, at this point after the NSA revelations, we do not know exactly who has exactly what capability. In a crazy scenario, it could be possible that RSA is completely broken and ECC is the only viable option. Of course, we do not believe this, but again, we want to give people the choice,” Lee says.
OK, enough crypto-babble… What’s the best setup?
PIA recommends the following setups for speed, safety and best trade-off performance.
- Default Recommended Protection — AES-128 / SHA1 / RSA-2048
- All Speed No Safety — None / None / ECC-256k1
- Maximum Protection — AES-256 / SHA256 / RSA-4096
- Risky Business — AES-128 / None / RSA-2048
Lee says that PIA have included the extra options for those who want to feel extra secure or may want to experiment a little more with cryptography. He adds that for those looking for the ultimate in protection, frequent changes of setup within the client could lead to an almost impossible situation for would-be attackers.
“With control of one’s level of encryption, even if someone were utilizing advanced alien technology, they would have a tough time if you changed your encryption settings every time you connect. But we recommend choosing the encryption strength/mode you desire and sticking with it,” Lee concludes.
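The four setups listed above can be checked mechanically in a plain OpenVPN profile. The following is an added example, not PIA's code: it assumes the client's data encryption and data authentication choices correspond to OpenVPN's `cipher` and `auth` directives, uses a constructed sample profile, and does not check the handshake setting, which depends on the certificates in use.

```python
# Added example: classify an OpenVPN profile against the article's presets.
# Assumption: GUI choices map to the `cipher` and `auth` directives.
PRESETS = {
    ("AES-128", "SHA1"): "Default Recommended Protection",
    ("NONE", "NONE"): "All Speed No Safety",
    ("AES-256", "SHA256"): "Maximum Protection",
    ("AES-128", "NONE"): "Risky Business",
}
# Assumption: OpenVPN 2.3-era defaults apply when a directive is absent.
DEFAULTS = {"cipher": "BF-CBC", "auth": "SHA1"}

# Constructed sample profile, not a real PIA configuration.
SAMPLE = """\
# constructed sample
client
dev tun
remote vpn.example.invalid 1194
cipher AES-128-CBC
auth none
"""

def parse_profile(text):
    """Return the effective cipher/auth directives of a profile."""
    settings = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        parts = line.split()
        if len(parts) >= 2 and parts[0] in settings:
            settings[parts[0]] = parts[1].upper()
    return settings

def normalise_cipher(name):
    if name == "NONE":
        return "NONE"
    if name.startswith("BF-"):
        return "BLOWFISH"
    return "-".join(name.split("-")[:2])     # AES-128-CBC -> AES-128

def audit(text):
    """Return (preset name, list of protections the profile gives up)."""
    s = parse_profile(text)
    cipher, auth = normalise_cipher(s["cipher"]), s["auth"]
    aead = s["cipher"].endswith("-GCM")      # AEAD modes authenticate data themselves
    findings = []
    if cipher == "NONE":
        findings.append("no data encryption: traffic is readable on the path")
    if auth == "NONE" and not aead:
        findings.append("no data authentication: tampering goes undetected")
    return PRESETS.get((cipher, auth), "custom combination"), findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```
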
Those wanting to learn more about the encryption options should head over to this page. The brand new client can be downloaded here.
TorrentFreak has also asked several other VPN providers to share their thoughts and concerns about encryption after the Snowden revelations. These will be addressed in a follow-up article.
Disclosure: PIA is a TorrentFreak sponsor