Private Internet Access Encryption

Private Internet Access has been hard at work adding more encryption options to their popular VPN client.  Members can download the beta and test out the upgrades.  In addition to connecting to VPN servers in 9 countries, the PIA Windows & Mac client beta includes an encryption tab that allows you to specify data encryption, data authentication and handshake methods.  Enjoy unlimited VPN from just $38.95 a year.

Private Internet Access client beta

We could try to explain all the options but the PIA team has already done a great job of that on their new encryption page.  Here are some suggestions from their encryption guide:

“Presets”

  • Default Recommended Protection — AES-128 / SHA1 / RSA-2048
  • All Speed No Safety — None / None / ECC-256k1
  • Maximum Protection — AES-256 / SHA256 / RSA-4096
  • Risky Business — AES-128 / None / RSA-2048

Data Encryption

This is the symmetric cipher algorithm with which all of your data is encrypted and decrypted. The symmetric cipher is used with an ephemeral secret key shared between you and the server. This secret key is exchanged with the Handshake Encryption.

  • AES-128 — Advanced Encryption Standard (128bit) in CBC mode. For most people this is the fastest encryption mode.
  • AES-256 — Advanced Encryption Standard (256bit) in CBC mode.
  • Blowfish — Blowfish (128bit) in CBC mode.
  • None — No encryption. None of your data will be encrypted. Your login details will be encrypted. Your IP will still be hidden. This may be a viable option if you want the best performance possible while only hiding your IP address. This would be similar to a SOCKS proxy but with the benefit of not leaking your username and password.

Data Authentication

This is the message authentication algorithm with which all of your data is authenticated. This is only used to protect you from active attacks. If you are not worried about active attackers you can turn off Data Authentication.

  • SHA1 — HMAC using Secure Hash Algorithm (160bit). This is the fastest authentication mode.
  • SHA256 — HMAC using Secure Hash Algorithm (256bit)
  • None — No authentication. None of your encrypted data will be authenticated. An active attacker could potentially modify or decrypt your data. This would not give any opportunities to a passive attacker.

Handshake Encryption

This is the encryption used to establish a secure connection and verify you are really talking to a Private Internet Access VPN server and not being tricked into connecting to an attacker’s server. We use TLS v1.2 to establish this connection. All our certificates use SHA512 for signing.

  • RSA-2048 — 2048bit Ephemeral Diffie-Hellman (DH) key exchange and 2048bit RSA certificate for verification that the key exchange really happened with a Private Internet Access server.
  • RSA-3072 — Like above but 3072bit for both key exchange and certificate.
  • RSA-4096 — Like above but 4096bit for both key exchange and certificate.
  • [!] ECC-256k1 — Ephemeral Elliptic Curve DH key exchange and an ECDSA certificate for verification that the key exchange really happened with a Private Internet Access server. Curve secp256k1 (256bit) is used for both. This is the same curve that Bitcoin uses to sign its transactions.
  • [!] ECC-256r1 — Like above but curve prime256v1 (256bit, also known as secp256r1) is used for both key exchange and certificate.
  • [!] ECC-521 — Like above but curve secp521r1 (521bit) is used for both key exchange and certificate.
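To make the Data Authentication warning above concrete, here is a small added example written for this post (it is not code from PIA's client or from their encryption guide).  It encrypts a packet in CBC mode with and without an HMAC and shows why "None" only holds up against a passive eavesdropper: in CBC, flipping a bit in the IV or in a ciphertext block flips the same bit in the next plaintext block, so someone on the path can rewrite a field without ever learning the key.  Assumptions: a 16-byte toy Feistel cipher built from HMAC-SHA256 stands in for AES (the malleability is a property of CBC mode, not of the cipher); the authentication is modelled as encrypt-then-MAC over IV plus ciphertext, which is an assumption about how the client applies it; the packet contents are constructed for the demo.

```python
"""CBC without a MAC is malleable: an active attacker can rewrite plaintext.

Added example for this post, not from PIA's client or guide. A 16-byte
Feistel cipher built from HMAC-SHA256 stands in for AES (it is NOT AES);
the bit-flipping shown here is a property of CBC mode itself.
"""
import hashlib
import hmac
import os

BLOCK = 16   # bytes, same block size as AES
ROUNDS = 8


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Keyed round function (any PRF will do); the Feistel structure makes it invertible.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:BLOCK // 2]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in range(ROUNDS):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in reversed(range(ROUNDS)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    assert len(plaintext) % BLOCK == 0   # caller supplies aligned data; padding is not the point
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


def tamper(iv: bytes, ciphertext: bytes, offset: int, old: bytes, new: bytes):
    """Active attacker with no key: make plaintext[offset:] read `new` instead of `old`.

    CBC plaintext byte p equals D(ct)[p] XOR (iv||ct)[p], i.e. every plaintext byte
    is XORed with the byte one block earlier in the transmitted stream. Flipping that
    byte flips the plaintext byte in place. For block 0 the edit is clean; for later
    blocks the preceding block also decrypts to junk.
    """
    assert len(old) == len(new)
    stream = bytearray(iv + ciphertext)
    for j, d in enumerate(_xor(old, new)):
        stream[offset + j] ^= d
    return bytes(stream[:BLOCK]), bytes(stream[BLOCK:])


def seal_packet(enc_key, mac_key, iv, plaintext):
    # "Data Authentication: SHA256" modelled as encrypt-then-MAC over iv||ciphertext (assumed).
    ct = cbc_encrypt(enc_key, iv, plaintext)
    tag = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    return iv, ct, tag


def open_packet(enc_key, mac_key, iv, ct, tag):
    expected = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        raise ValueError("authentication failed: packet modified in transit")
    return cbc_decrypt(enc_key, iv, ct)


def demo():
    """Returns (what the receiver sees with auth=None, whether auth=SHA256 caught the edit)."""
    enc_key, mac_key, iv = os.urandom(32), os.urandom(32), os.urandom(BLOCK)
    msg = b"amt=0001 to=BOB " + b"from=ALICE      "   # constructed two-block packet
    at = msg.index(b"0001")

    # Data Authentication: None -- the attacker rewrites the amount blind.
    ct = cbc_encrypt(enc_key, iv, msg)
    iv2, ct2 = tamper(iv, ct, at, b"0001", b"9999")
    forged = cbc_decrypt(enc_key, iv2, ct2)   # b"amt=9999 to=BOB from=ALICE      "

    # Data Authentication: SHA256 -- the identical edit no longer verifies.
    iv, ct, tag = seal_packet(enc_key, mac_key, iv, msg)
    iv2, ct2 = tamper(iv, ct, at, b"0001", b"9999")
    try:
        open_packet(enc_key, mac_key, iv2, ct2, tag)
        detected = False
    except ValueError:
        detected = True
    return forged, detected


if __name__ == "__main__":
    forged, detected = demo()
    print("auth=None   receiver decrypts:", forged)
    print("auth=SHA256 tamper detected:  ", detected)
```

Note that the attacker in `tamper` never touches the key and never decrypts anything; this is exactly the "modify your data" case the guide warns about, and the same trick works against the "Risky Business" preset (AES-128 / None).  The HMAC is what turns a silent rewrite into a dropped packet, which is why "All Speed No Safety" and "Risky Business" are only reasonable when nothing on the path is assumed hostile.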

Please remember that the new client is currently in beta.  While the PIA team has done quite a bit of testing, there may still be some bugs in the beta version.  If you want to test the new encryption options, this is a great chance to try them all out.  Members can download the beta here.  If you don’t already have an account, PIA is kindly offering our visitors a special price of $6.45 a month or $38.95 a year for unlimited VPN access.