Published on September 12th, 2013 | by magnus0
Can NSA Crack VPN? The VPN Provider’s Perspective
It is often said that the United States is the “freest” country in the world, a believe held by many, in particular within the United States. This believe was shattered when Edward Snowden leaked classified information detailing the NSA’s broad surveillance activities both abroad and within the borders of the United States.
The last few months have shown just how far the US Government and many other western governments will go to gather intelligence on its own citizens and then hide their illegal activities from the very people who fund those programs through their taxes, also know as citizens even though subordinates or subjects maybe a more appropriate term to use.
One of the more shocking revelations was the ability of the NSA to crack encrypted traffic, although it remains unclear how far their capabilities really reach. We published “Can NSA crack VPN” in August which generated a lot of responses. In it we indicated that we would contact a select few VPN vendors to get their insider perspective on the topic. Here are what VPN providers think when we asked them: "if the NSA can crack VPN?"
Overall I would say we agree with the conclusions in your article – if you are using a VPN service for privacy/security reasons then it makes sense to go for a protocol with the best level of encryption. We've also noted the known issues with PPTP on our own blog.
However, the question of whether the NSA can "crack" L2TP or OpenVPN is an interesting one, however, in order to have done so, the NSA would have had to have made a major breakthrough in computer technology / processing power – and it is unlikely this would have been kept secret since 2008. Based on current known technology, a top grade super computer would need millions and millions of years to decypher 128-bit encryption. It also seems unlikely that if it was so easy to decrypt web traffic that the US government would go to such lengths to acquire data from private companies such as Google, Facebook and others, when it could just be intercepted secretly.
It is not even clear that the XKeyscore presentation is actually making the claim that it can decrypt VPN traffic – another interpretation is that it can show people in "country X" who are using a VPN, which is more within the realms of known technology.
– COO Danvers Baillieu
It is highly likely that the NSA's presentation is referring to PPTP as PPTP is in fact crackable by anyone with approximately $120.00. However, PPTP is only crackable in a simple fashion when the cracker has the handshake information. That is why they say "VPN Startups" in their presentation (a layman's term for "handshake").
OpenVPN, on the other hand, uses industry standard SSL to trade per session keys which are 128-256 bit, and it is generally globally agreed by cryptographers that no organization on Earth can crack a properly configured deployment of this protocol.
– Mimi Schirm
Private Internet Access also published a very good post "On Encryption" on their blog you might want to check out for more detailed information.
We are now using 2056 bit OpenVPN (not PPTP or L2TP/IPSec), 2056 bit SSH-2 (Secure Shell 2), and 2056 bit SSL/TLS respectively, network and tunneling protocols that allow data to be exchanged over a secure channel between your PC and our server. They are based on public-key cryptography to authenticate the remote computer and provide improved security through Diffie-Hellman key exchange and strong integrity checking via MACs. We are using AES-256 encryption to protect the confidentiality of the data. The cipher was developed by two Belgian cryptographers, Joan Daemen and Vincent Rijmen. The algorithm has been analyzed extensively and is now used worldwide. As of 2007, no attacks that attack the underlying cipher itself have ever been found. In June 2003, the U.S. government announced that AES may be used for classified information: “The design and strength of all key lengths of the AES algorithm are sufficient to protect classified information up to the SECRET level. TOP SECRET information will require use of either key lengths.” This marks the first time that the public has access to a cipher approved by the NSA for encryption of TOP SECRET information.
– by Alec
We appreciate the help from the VPN providers who were so kind to respond to our question and the insights they provided. I think It is safe to assume that the NSA can crack certain VPN traffic. PPTP should be regarded as unsafe while L2TP and OpenVPN appear safe, at least for now.
Interestingly the NSA seems to believe that the people who's traffic they should intercept don't know the NSA and other US Government 3-letter orgaizations are on to them. Something I find hard to believe. Or maybe it was about monitoring you and me all along to squash dissent and prepare for a popular uprising should the truth ever come out…
As with all security both the technology itself and its implementation will determine how confidential your traffic is. While there is no gurantee for 100% security, reasonably high levels of security are better than none and if nothing else, they will make it significantly more costly to snoop into everybody's business.
Image Credit: Terry Johnston