We'll lay down here some basis for fully understanding and using VPN technologies.
This post will be augmented, if some new basis are needed.
Basically, VPN makes use of tunnels, to join together several distinct networks, or to allow a remote user to join a network. As the datas have to cross the public Internet, the VPN tunnel allows to keep that data private and to control access to the private network. Here is a site-to-site VPN :
VPN can be site-to-site, host-to-site or host-to-host.
VPN relies on three ideas : Tunnelling, Authentication, Encryption
These three aspects must not be confused :
Tunelling is the fact of putting a network stream inside another network stream.
Authentication allows each endpoint of the VPN tunnel to authenticate, as well as guarentee data integrity.
Encryption does encrypt the payload of the stream, ie the content
For a VPN to be fully secure, we need :
a secure authentication
. not spyable ( sniffing the traffic does not allow to get the VPN login password )
. not replayable ( sniffing and replaying the VPN login traffic does not work )
. integrity verified ( the message has not been tampered with or changed )
a secure encryption
. using a good encryption scheme ( neither subject to brute-force attack or cryptographic weakness )
This is to make clear the difference between authentication and encryption.
Please do note the difference between data integrity and data encryption : Data integrity prevents from writing the datas ( changing them ), Data encryption prevents to read the data ( unencrypting them )
Data integrity may be challenged by bit-flipping attacks as an exemple.
Data encryption may be challenged by brute-force attacks as an exemple.
Here is a network representation of a site-to-site tunnel :
The native IP packets are added with a tunnel headers, and encapsulated into transport IP packets. A protocol manages the tunnel seamless functionning. At the tunnel endpoint, the IP packets are uncapsulated, stripped from the tunnel headers, and routed to the remote network.
Tunelling is not only used with VPN, it is used for 6in4 or 4in6 tunelling as an exemple.
OSI-wise, encapsulation can be represented this way :
Here is the more OSI-wise network representation of our site-to-site VPN :
Password entropy / Password strength
Password entropy, also named password strenght, is a representation of the number of attemps necessary to exhaust all the combinaisons of a password, and thus find it with certainty.
It is usually represented in bits, where number of combinaisons=2^entropy.
the entropy value can be rounded down.
exemple : a password made of 8 numbers = 8x10 = 80 combinaisons
80 ( decimal ) = 101 0000 ( binary ) = 7 bits
entropy is <7 bits ( 6,3219... )
exemple 2 : a password made of 8 higher case letters = 8x26 = 208 combinaisons
208 ( decimal ) = 1101 0000 ( binary ) = 8 bits
entropy is <8 bits ( 7,700439... )
exemple 3 : a password made of 8 high case and low case letters = 8x52 = 416 combinaisons
416 ( decimal ) = 1 1010 0000 ( binary ) = 9 bits
entropy is <9 bits ( 8,700439... )
As we can see, the biggest the data pool used, the highest the entropy for the same password length.
The exact formula for entropy with L=password length and N=Pool complexity :
Other aspects weaken actual entropy :
. character repetition ( 4444 vs 1423 )
. character patern ( 1234 vs 1423 )
. dictionnary presence ( home vs hmeo )
. keyboard topological pattern ( qwerty, number keys symbols, ... )
. language specificites ( In english q is mostly followed by u, qu is weaker than qz )
. other ( common expressions, personnal informations, ... )
One other metric that is often used is the number of attempts necessary to try half of the possible combinaisons, as it is this value that goes over 50% hit chance.
One interesting note is the importance of a good RNG ( random number generator ) for keeping a good entropy : either using a true RNG ( hardware chip, dices, ... ) or a good-enough pseudo-RNG ( Linux OS offers a good OS pseudo-RNG that mixes-in lots of system values for good-enough randomness )