Cryptography, in its purest form, is a science dedicated to securing communications in a logically consistent manner, i.e. one that simultaneously makes a given source of data completely indecipherable and blatantly easy to interpret, depending on whether or not you’re its intended recipient.
What’s particularly amazing is that cryptography is a largely cumulative craft. For example, many fundamental principles at the core of today’s state-of-the-art encryption technologies are thousands of years old. Of course, the actual techniques for securing communications improved immeasurably even over much shorter time frames.
Modern cryptography spans much more than Internet communications, but we’re primarily looking at it through the prism of the World Wide Web in this overview since our ultimate goal is to learn something about how modern virtual private networks and related services operate. Let’s start with a simple definition of encryption and describe it as a process of turning plain text into plain gibberish through an extremely specific succession of steps. That virtually unique sequence is commonly called an algorithm or cipher, whereas the values it uses to mix up any given message are known as keys.
The power of math
Encryption keys, themselves, are just numbers. Well, super long numbers, assuming any semblance of competence on the part of whomever or whatever is doing the encrypting. With a fifth of the 21st century now behind us, the most widely adopted encryption standard in the world is the adventurously named Advanced Encryption Standard (AES), whose latest definition of an acceptably lengthy cipher is 256 bits. A 256-bit key is virtually uncrackable using any currently available or anticipated tool, method, or combination thereof.
There’s a lot of education and entertainment value in illustrating the practical invulnerability of AES-256 encryption, but “a lot” is also what the bottom line of my college tuition receipt said, so I can’t help you. Fortunately, some nerd at ScramBox already did the math – assuming there were 2 billion high-end computers on the planet and you harvested every last ounce of computing power from them, a 256-bit AES key would, on average, take 13,689 trillion to the fourth power years to crack.
In more sophisticated terms, that’s 13,689 trillion trillion trillion trillion years – 60 zeroes. A number so huge that you need some knowledge of Latin and a formula to find its real name, like it’s some sort of ancient cosmic power from an H.P. Lovecraft novel and not a measurement of how many rotations around the Sun we’d have to endure before a hypothetical boogeyman with a four-line Python script could theoretically decipher what your Google search intercepted 13,689 trillion⁴ years ago was about. Oh, and the universe is “only” 15 billion years old, so they’re out of luck, anyway.
What is cryptography, then, if not math? And all things considered, you’d think 256-bit encryption would be a bit of overkill. It really isn’t, however, at least relative to how seamlessly the AES-256 standard integrates into the modern Internet browsing experience.
Number of possible combinations a brute force attack has to account for based on encryption key size, as per ATP.
Symmetric vs. asymmetric encryption in VPN use
Let’s fast-forward things a bit and see how today’s VPN services leverage these mathematical principles of old in real-world scenarios. Which leads us to algorithmically executed ciphers, i.e. digital encryption, a core component of every VPN connection ever established. A VPN service can utilize encryption that’s either symmetric or asymmetric.
The former is the simpler use case: both parties hold the same key, so the key used to encrypt a message is identical to the one used to decrypt it. Asymmetric encryption, on the other hand, leverages multiple keys: one to encrypt communications at their source, and another to decrypt them once they’re at their destination.
If that second option doesn’t sound particularly secure to you, we’re delighted that you’re paying attention – it isn’t. Not entirely, and that isn’t just a potential cybersecurity issue but also a threat to your convenience (since you can’t restore one key with the other), aka the only thing worth trading any extra security for, according to every person who ever moaned in response to a two-factor authentication prompt.
Which isn’t to say asymmetric, public-key encryption doesn’t have its uses, because the alternatives are sometimes simply too inconvenient. There’s no perfect solution for circumventing its downsides, but arguably the best one we currently have is third-party certificates, which verify the authenticity of a given public key, i.e. confirm it hasn’t been tampered with, which would compromise the entire process and its users.
Asymmetric encryption hence lives and dies by its ability to correctly identify communicating parties. Which is where digital signatures come in. These act similarly to regular signatures – they’re super easy for the signing party to produce but next to impossible for anyone else to forge in practical circumstances, and they’re exchanged often enough that any attempt at a forgery wouldn’t only be straightforward to spot but futile to even attempt.
Today’s most popular digital signature algorithm is the Rivest–Shamir–Adleman (RSA) protocol, used in widely adopted protocols such as SSL and TLS. Some VPN providers are moving to more novel, advanced solutions such as elliptic curve cryptography (ECC), which generates handshakes using more convoluted protocols, thus being more secure overall.
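To make the signing-versus-verifying asymmetry concrete, here is an added example (not code from the original article, and not a production implementation) of textbook RSA signatures over a SHA-256 digest in plain Python. The primes, the public exponent 65537 and the sample message are constructed for illustration; real keys are 2048 bits or more and real schemes add padding such as PSS, but the checks it runs (genuine, tampered message, forged signature, wrong or impostor key) are exactly what a certificate-based handshake relies on.

```python
import hashlib

# Constructed toy key material: Mersenne primes, far too small for real use
# (a real RSA modulus is 2048 bits or more) but large enough for a clean demo.
SIGNER_P, SIGNER_Q = 2**61 - 1, 2**89 - 1
OTHER_P, OTHER_Q = 2**31 - 1, 2**127 - 1
PUBLIC_EXPONENT = 65537


def make_keypair(p: int, q: int, e: int = PUBLIC_EXPONENT):
    """Return (public, private) where public = (n, e) and private = (n, d)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # private exponent: e * d == 1 (mod phi), Python 3.8+
    return (n, e), (n, d)


def digest(message: bytes, n: int) -> int:
    """One-way hash of the message, reduced mod n so it fits the modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key) -> int:
    """Only the holder of the private exponent d can produce H(m)^d mod n."""
    n, d = private_key
    return pow(digest(message, n), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Anyone holding (n, e) checks sig^e mod n == H(m); no secret needed."""
    n, e = public_key
    return pow(signature, e, n) == digest(message, n)


SIGNER_PUB, SIGNER_PRIV = make_keypair(SIGNER_P, SIGNER_Q)
OTHER_PUB, OTHER_PRIV = make_keypair(OTHER_P, OTHER_Q)
MESSAGE = b"server-hello: session key parameters"  # constructed sample input


def demo() -> dict:
    """Run the checks a verifier cares about; only the genuine case passes."""
    sig = sign(MESSAGE, SIGNER_PRIV)
    return {
        "genuine": verify(MESSAGE, sig, SIGNER_PUB),
        "tampered_message": verify(MESSAGE + b"!", sig, SIGNER_PUB),
        "forged_signature": verify(MESSAGE, (sig + 1) % SIGNER_PUB[0], SIGNER_PUB),
        "wrong_public_key": verify(MESSAGE, sig, OTHER_PUB),
        "impostor_key": verify(MESSAGE, sign(MESSAGE, OTHER_PRIV), SIGNER_PUB),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check:>17}: {'verified' if ok else 'rejected'}")
```

The "wrong_public_key" and "impostor_key" cases are the ones a third-party certificate exists to prevent: if a relay can swap in its own public key, the verifier has no way to tell the impostor's signature from the real one without an independent statement of which key belongs to whom.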
Size matters, except when it doesn’t
One final thing to keep in mind is that longer encryption keys don’t necessarily equate to better, more secure cryptography. Which seemingly goes against every single word leading up to this betrayal, but hear us out, it actually makes perfect sense: length isn’t a good indicator of cryptographic strength *across* multiple protocols, but it’s still a perfectly good way to compare strength within any given standard. A 64-bit DES key is better than a hypothetical 32-bit one, but neither would do you any good today, because this is a standard from the ’70s, so a single GeForce RTX 3090 would take a couple of days tops to try every possible combination.
In more practical terms, a 1,024-bit RSA key is about as secure as an 80-bit symmetric one. These differences are the main reason why many of today’s most popular encryption schemes – including SSL and TLS – rely on a mixture of protocols instead of any single math formula on its own.
There’s a whole other science to be derived from the authentication part of all this cryptography business, but we won’t be delving into it too deeply just yet. For the time being, just remember that a hash is a unidirectional signing function, i.e. one that assigns a unique signature to a given data packet and is next to impossible to reverse.