Change of TUVPN OpenVPN Cipher to AES-CBC with 256bit key

TUVPN News Add comments

TUVPN new OpenVPN Cipher

After harsh deliberation, we have taken a decision about how to strengthen the security of our OpenVPN solution, something that some of our users have been requesting for a while.

For those of you new to this topic, this is a follow up from a very interesting engagement with our users that started with this blog post where we considered the options we had at hand and then continued with a performance analysis of each of the possible candidates.

So finally, after some heated discussions, we have decided to change our current cipher (Blowfish CBC 128bit key) to AES-CBC 256bit key.

This will not make everyone happy, but we think that it is what most of our users want and, even most importantly, a change that shouldn't,  according to the tests,  affect TUVPN's established record of high performance and speed.

To summarize, the points that have tipped the balance in favour of AES are:

  • It is a newer cipher than Blowfish and, as Blowfish, unbreakable at the moment.
  • Performance wise, as documented on several papers and moreover tested by us, it should be at least as good as Blowfish.
  • AES is a publicly accessible and open cipher.
  • It is what most of our users and potential users wanted.
  • It will be a relatively easy change to implement on our network (compared to control channel changes).

We understand that it will be very desirable in the future to strengthen security on the control channel too, as discussed in the linked posts. This is something that we look forward to doing in the future, ideally, giving users the choice to prioritise performance or security (as it has been clearly seen on our tests that top security implies reduced performance).

This change will not be applied immediately. We plan to deploy and test on some servers during coming weeks before moving it into our live VPN servers.

We will update here when and how the change will be done, and what our users will need to do to adapt (again trying to minimise the hassle involved).

Thanks to all for you support and cooperation in making of TUVPN the fastest and most secure VPN provider !


Go to TUVPN.COM

15 Responses to “Change of TUVPN OpenVPN Cipher to AES-CBC with 256bit key”

  1. A Non Says:

    It is absolutely inconceivable that an American owned encryption method will not have a backdoor specifically for the US governments convenience and it is assured that that will be a prerequisite in that increasingly Orwellian state.

    I believe that the move to AES, though well intentioned, is a mistake.

  2. A Non Says:

    I would like to add I hope I’m wrong, that any weakness would be easily discerned but the US is a threat when it comes to privacy and security.

  3. Welsh_Wizard Says:

    Good to have better security but would have liked the Blowfish to stay albeit higher rate of bits used.

    I dont think the AES scheme will have back doors to it as many banks use it incl companies that dont deal with the US! I see the point though because the US agencies in the past have been up to many things.

    Ideally Openvpn would support twofish which is the child of Blowfish and excellent but not supported. AES is all the rave, however it has been under extensive attack and cryptanalysis as its the leader, so we know its safe … its under constant scrutiny with it being the #1 used and trusted algorithm.

    To make things more secure, tuvpn could double or triple cascade vpn servers so 2-3 of them run through each other to enable more powerful security. I know of one provider that does this. So in theory you could connect proxy to openvpn as we do now, into vpn London > vpn Erfurt > vpn Steinsel and than another proxy onto the internet.

    Impossible to decrypt that and make heads of tails of it. Tuvpn would be wise to disable the domain name being shown as well such as the tuvpn.com at the end when someone does a who-is on the ips from them, that is off putting from a security standpoint.

  4. Anon Says:

    Better security will of course always be welcome and being no authority on the various encryption methods I will defer to the greater wisdom of others, but under the Patriot Act, the US Government has full access to all data in any US companys possession. I do not find that fact to be comforting in the least and it is for that reason that I am concerned by the move to an American encryption method.

  5. tuvpn Says:

    Hi all,

    You are continuously referring to AES as an American encryption method.

    As read in our article:

    “AES is a publicly accessible and open cipher.”

    What does this mean ? That the inner working of AES is publicly available and subject to scrutiny. So, it is not a cipher that NSA designed, that is private and where they could have some “key”. It is a public cipher that the NSA approved to protect American communications, this doesn’t mean that is an American cipher and even less a governmental tool (in fact was devised by Belgium cryptographers).

    That said, of course, with what you have to take care is with the implementation of the cipher (so moving the theoretical functioning to code). With OpenVPN it is implemented within the OpenSSL (http://www.openssl.org/) library, again a publicly available project, community based. Not precisely the type of project and people that would inject some malicious behaviour in their code.

    So in this case, we would put more attention on how AES is actually implemented and being all our systems based on Linux and Open Source, we should be reasonably safe.

    TUVPN.COM Team

  6. TigerTim Says:

    Thats good. Also when will tuvpn be adding additional servers/locations to the service? Other providers are adding several at a time yet tuvpn lags behind on that.

    I like tuvpn dont get me wrong but you guys need to start adding more locations and more servers to keep up with the competition or lose your customers!

  7. A Non Says:

    No doubt you will appreciate that the very people who require the services of a VPN are those most likely to be adamant that their privacy and security are of the utmost importance and consequently those most unwelcoming of a change they may perceive to be a backwards step. However as you have pointed out, I have been misled to believe that AES was US owned so thank you for that useful clarification.

  8. tuvpn Says:

    Absolutely A Non, and it is because of this that we try to explain, and not only explain but also decide each change we do in our network with our users.

    As you say, you are the ones most interested and so we think should take part on the decisions.

    Hopefully this change of cipher and the process taking to it will have teach us all a few things about cryptography !

    TUVPN.COM Team

  9. tuvpn Says:

    TigerTim, we continuously monitor our network and the available bandwidth to adjust it to our users needs.

    As you know, our policy with this is to have a straightforward and simple to use product that helps users to improve their online security. In this sense, you have no doubt realised, we don’t change prices when adding servers and do not have complex subscription schemes where the more you pay, the more servers you have access or more changes you can do or …

    So basically, we adjust the number of servers and locations to our users needs and the more users we get the more servers we add.

    We have in plan adding new servers soon, we are now focused on building a new site that should be up&running in a few weeks and that will give us a whole new and nicer face.

    Anyway, you can follow up this post to be up-to-date with up coming additions:

    http://blog.tuvpn.com/2011/02/new-vpn-servers-ideas-for-tuvpn-com-network/

    TUVPN.COM Team

  10. TigerTim Says:

    Good. I like tuvpn especially the proxies you offer and the location of your HQ but like I said you do need several more locations to liven things up abit and I say that with RESPECT and not to be cheeky.

    I see many tin pot vpn service providers ten a penny that offer 20-34 countries and 1000’s of IPs for say $10 p/m and that sounds good but depending on other factors they may be crap but still they have the locations to choose from with some having exotic locations like Israel, Malta and the Seychelles.

    I also really like the way tuvpn keeps users on the SHARED IP so the traffic is merged and crowded .. correct? making it harder to see whos who etc while most if not all other vpn providers make it sound better by having 100’s of IPs for a country, yet that is actually reducing anonymity to the user.

    An option for your future could be as well double and treble vpn cascading.

    Cheers

  11. Welsh_Wizard Says:

    I think the scare over AES being American influenced came from the NSA being worded where AES has been discussed in many articles.

    The truth is and I quote ”AES is the first publicly accessible and open cipher approved by the NSA for top secret information”

    The NSA approved it for top secret information and as such use it for American government.

    AES is very secure indeed. Blowfish was nice as well but its best to go with an algorithm that has been proven more successful like AES. Its tested and trusted more than any other algorithm to date.

    I look forward to when tuvpn implement it.

  12. HPotter Says:

    Gentlemen,

    this is obviously an improvement but we can be fully assured that backdoor access is ALWAYS available to certain agencies. As for usage it would be a great help if TUVPN added L2TP/IPSec protocol to its servers. Not only is this a more dynamic protocol but it should work better than OpenVPN especially on Android hardware. PPTP and OpenVPN has serious flaws on Android 2.1-2.2 making connections impossible.

  13. tuvpn Says:

    HPotter, which are the advantages that you see on using L2TP/IPSec ? What do you mean for more dynamic ?

    As far as I understand, being IPSec involved, chances of some of the ports/protocols being blocked by the ISP, mobile operator … are higher than i.e. OpenVPN that using just one port (and you can choose which one, i.e. we are offering OpenVPN over 443/tcp). With IPSec, you need 500 UDP (IKE), IP 50 (ESP) so more ports, more options of being blocked.

    In any case, it is an option. In fact we are currently checking options to implement an additional VPN system in our network. We are revisiting SSH2 tunnels (we did a quick check some time ago) so it is a good moment to start this discussion.

    We will try to create a post about it so the community can have a say.

  14. Blog TUVPN.COM - TUVPN News: April Says:

    […] already announced, and after long discussions with the community and our own testing, we are going to implement […]

  15. Blog TUVPN.COM - TUVPN Cipher Change to AES-256 Says:

    […] 17th TUVPN News Add comments var addthis_product = 'wpp-254'; As explained  in a previous blog post, we are changing OpenVPN Cipher to AES-256 on our TUVPN Network. This was agreed with our user […]

Leave a Reply

*

Get Your VPN NOW!

©2011 TUVPN.COM. All rights reserved.