Military-grade encryption can be an unclear phrase if the users are not well aware of the basics behind the terminology and existing offerings. Encryption in a VPN is very important for privacy, security, anonymity. A basic encryption system for the VPN may easily be breached by any malicious attempt. Few of the VPN services increasingly using the phrase military-grade encryption. Readers may read more as third party review of VPN services get the idea of the usage of the phrase. In this article, we will discuss the origin of the phrase, discuss whether it is really secure, other protocol options and draw a conclusion.
|Table of Contents|
What is Exactly the Military-Grade?
There are many definitions of military-grade but taking the simplest becomes, it is the class of encryption that can be used for the military. Most militaries and their alliances have some standard for what constitutes acceptable technology.
For most of such VPN providers, military-grade encryption means that they comply with Federal Information Processing Standard (FIPS) Publication 140-2 standard. That is in short known as FIPS 140-2. These are U.S. government computer security standards. The FIPS 140-2 was issued on 25 May 2001. FIPS 140-2 has level 1 to level 4. The FIPS 140-3 officially will be effective from the end of September 2019. It is sure that FIPS 140-2 will continue to be in usage for a while. Two main classes of encryption commonly used, one is symmetric encryption and the other is asymmetric encryption.
The symmetric encryption uses one key to encrypt and decrypt. Asymmetric encryption is what we commonly use on different server settings (which uses two different keys to encrypt and to decrypt). So, military-grade encryption is becoming symmetric encryption of FIPS 140-2 standard. That has AES, TDEA as two specifications. The Advanced Encryption Standard (AES) is a specification established by NIST in 2001. Accompanying hash standards are
SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256. SHA-1 is broken. SHA-2 is based on SHA-1. There are already theoretical attacks. SHA-3 would be good. We can draw a conclusion that military-grade is AES-256 with 2048 DH for the VPN.
Is Military-Grade Really So Secure?
Military-grade of-course does not mean super secure. Technically, our website itself is of such “military-grade” encryption. But, hackers are unlikely to break the encryption. Hackers find the other weaknesses and to go straight to the data. Hacking is too much human way of thought, often these days are assisted by machine learning. But literally, just AES 128-bit is adequate for the next 10 years with the performance improvement of computers and supercomputers. So, AES-256 can be definitely said “military-grade”.
Now, various points arise, such as where and how the encryption keys are stored, what encryption mode has been used, how to exchange encryption key for data sharing.
Central one location of key constitutes over one-fifth of the hacker attacks. AES with encryption modes such as GCM or CBC is superior. What is GCM? Techniques have been developed to combine encryption and authentication into a single algorithm. That is called Authenticated Encryption (AE). Galois Counter Mode (GCM) is considered one of these AE algorithms. VPNs commonly use AES-GCM for encryption and authentication. The secret key required to be changed weekly, monthly or yearly.
The ultimate matter is how secretly the data is exchanged, which is the weakest link in security. That is the point where we deliberately brought our example of own website. An attacker may find the weakness of TLS. For this part, we need perfect forward secrecy, prevention of man-in-the-middle attack. AES-256-GCM has never been demonstrated to be broken in real outside theoretical attacks, kind of biclique attack. A biclique attack is a variant of the MITM method of cryptanalysis.
Snowden documents showed that the NSA is doing research on breaking AES. This information is shared for the Americans for academic and technical intention.
What Are Other Options Than AES-GCM?
It obviously matters what website the user is going to browse and what data going to write. The Rijndael algorithm, for the AES, is one of the newer additions to IPsec. It is durable and versatile. Blowfish is a symmetric block cipher like DES. It is a strong algorithm but attacks prevention needs knowledge of its weak key classes. The International Data Encryption Algorithm IDEA is one of the strongest cryptographic algorithms. It is a block cipher.
We had to go into technical details for the practical need to clarify what is exactly military-grade and what real technology it is. In reality, AES-256-GCM is the too big hammer for ordinary works, far away from any current probability to be compromised itself. However, as we have discussed in details above, only using a VPN service with “military-grade encryption” aka AES-256-GCM does not make a particular connection, data exchange heavily secured. It is definitely good to use such tight encryption but there are other factors which a user should be aware while using any VPN service.