We recently reviewed LiquidVPN, and while we had a couple of doubts about the service, we were very impressed with (at least in concept) its unique, and arguably revolutionary Modulating IP technology. Well, now it has impressed us with another first, by implementing non-NIST certified OpenVPN encryption.
‘We discussed the problem with the cyphers commonly used by VPN providers – including AES, Blowfish and SHA (both SHA-1 and SHA-2) – that they were all developed and certified by the United States National Institute of Standards and Technology (NIST) in this article. In the wake of Edward Snowden’s evidence that the NSA has been deliberately weakening and manipulating encryption standards for years, and the fact that NIST has admitted to working closely with the NSA in the development of its cyphers, many have begun to question the integrity of its algorithms.
‘Although NIST has been quick to deny any wrong doing (‘NIST would not deliberately weaken a cryptographic standard’), and has invited public participation in a number of upcoming proposed encryption related standards in a move designed to bolster public confidence, the New York Times has accused the NSA of circumventing the NIST approved encryption standards by either introducing undetectable backdoors, or subverting the public development process to weaken the algorithms.
‘This distrust was further bolstered on September 17, when RSA Security (a division of EMC) privately told customers to stop using an encryption algorithm that reportedly contains a flaw engineered by the National Security Agency.’
The article was concerned with the announcement by John Callas, CTO of Silent Circle announcing that the company which shut down rather risk its customers’ privacy at the hands of the NSA planned to move away from NIST standards.
As we then noted in this article,
‘We would love to see to VPN providers move away from NIST certified cyphers, and instead follow Silent Circle’s lead in adopting TwoFish (or possibly ThreeFish) rather than AES (or Blowfish), and the Skein hash function rather than the commonly used RSA-1 and RSA-2 . As yet, however, we are not aware of any VPN provider talking about this, let alone implementing such changes, which is a shame.”
Well, we are pleased to see that at least one VPN provider has stepped up to our challenge, and received the following email from LiquidVPN this morning,
“We have just released our first node with our modified encryption. It is the Russian Node if you care to check it out. It uses CAMELLIA-256-CBC instead of the AES cipher. OpenVPN doesn’t support a lot of the ciphers we would like to use. The TLS ciphers the Russian node supports are
“Some of which OpenVPN does not support yet but will be supporting soon. We did this so users had some flexibility with the cipher they use. Giving them a choice. It is not an ideal solution by any means but unless more people pressure OpenVPN to include twofish or threefish this is the best we can do with our budget. On a brighter note the Russian node seems to be pretty fast.”
That development is still in its early stages is not a problem for us, and we are just delighted that LiquidVPN is taking this bold step in the right direction. Camellia is a 128-bit cypher ‘that possesses the security levels and processing abilities comparable to the Advanced Encryption Standard.’
Unfortunately at the time of writing this article we were unable to connect to LiquidVPN’s Moscow server to test the new encryption out, but it is still very early days, and we shall update this article with our findings as soon we can.
Update: LiquidVPN got back to us to let us know that they’ve fixed some technical issues, so we connected to the Russian server using the new encryption, and got the following results…
That’s not bad, and bodes very well for future implementation Carmelia CBC (and hopefully other non-NIST cyphers) on VPN servers. Great work LiquidVPN!