Talking about VPN (Virtual privacte network)

VPN concept

• VPN (Virtual privacte network) virtual private network itself is not born to bypass the wall .
• Since HTTPS had not been included in the RFC at that time, many people used the HTTP protocol to surf the Internet at that time. The biggest disadvantage of the HTTP protocol was plain text transmission, and HTTP did not specify data encryption. Transmitting information in clear text is too risky for companies.
  
• The earliest VPN technology protocol pptp ( Point-to-Point Tunneling Protocol ) was born in 1996, which realizes remote access by establishing a virtual point-to-point connection. PPTP can transmit multiple protocols on the Internet, such as IP, IPX and NetBEUI. Its data transmission is encrypted to ensure data security.
• PPTP is a relatively simple and easy-to-implement VPN solution that is available on various operating systems including Windows, Mac OS, and Linux, and is compatible with many routers and firewalls. However, since the encryption algorithm used by PPTP has been proven to be insecure, it is no longer recommended. In their place are more secure VPN protocols such as OpenVPN and L2TP/IPSec.
  

PPTP (Point-to-Point Tunneling Protocol) is a protocol for virtual private networks (VPNs).

• Until 2000, VPN technology has been used within the enterprise. It is used for employees on business trips to temporarily access the company's data database, or when foreign branches need to share information with the company headquarters, transfer and retrieve data, and directly through the public Internet is likely to cause information leakage and be stolen by a third party. VPN technology is used for Information encryption.
  

• RFC stands for "Request for Comments" and is a standard document developed by the Internet Engineering Task Force (IETF).
• An RFC is an open, controversial technical standard that provides detailed information about network protocols, procedures, practices, and methodologies.
• The main purpose of RFC is to share information and ideas among the technical community, and to promote the development and standardization of protocols. RFC documents can be written and submitted by anyone, and they are often referenced in the development, design, and management of the Internet.

• The public Internet is equivalent to a channel, and the VPN is equivalent to a second channel with encryption and decryption functions, which can well ensure that information will not be intercepted or stolen by a third party.
  

VPN type

• VPN is divided into two types: site-site VPN , client-site (remote login VPN) . The core of VPN is that the data is encrypted in the public network .

site-site VPN

• For a site, it means that the locations of two or more terminals are relatively fixed, and the link is uninterrupted. When a data packet is sent to the VPN hub, the source address on the data packet will only be changed to the address of the current VPN hub, and the destination address will only be changed to the current VPN hub address. Change to the address of the destination VPN hub, and the packets will be encrypted. From the point of view of the man-in-the-middle, only encrypted data is transferred between the two hubs, thus hiding the actual source address and the actual destination address. (but not absolutely safe)
  

Client-Site VPN

• Remote login VPN is suitable for home office scenarios. This type is relatively flexible and is more suitable for methods that do not require long-term connections. Generally speaking, this type of VPN can communicate directly with a browser, or install an additional client software.

---

• Remote login VPN has full tunnel and half tunnel mode. If you want to send all network data to the company network, you can use the full tunnel, but you must be able to fish when you work from home, so generally many people will choose the accompanying mode.
  

How VPNs Work

• Technically speaking, the network activities of ordinary people are almost transparent. For example, if we want to visit Google, we first need to enter the URL of Google in the browser, and then the data request will be transmitted to the network service provider through the WiFi router, and then, The network service provider resolves the domain name of Google's goole.com website to Google's server through the DNS server, and the server will transmit the information we need to our computer browser.
  

• The whole process basically goes through the three links of wifi router, network service provider, and Google service, and this link can cause personal information leakage.

• In places such as fast food restaurants, coffee shops, and hotels, it is easy to be intercepted by others using the public network to publish information, or in the link of Internet service providers, they can see more things, such as: the website you visit, the time of visit , the equipment used, the ip address and the actual geographic location, and this information is also an important source of profit for network service providers. Although various Internet service providers claim that they have the strictest privacy protection regulations, you will still find that advertising for behavioral habits has not decreased at all. There is a saying that when you use free services, you are actually the biggest commodity and profit itself

• With the continuous development of Internet e-commerce, most of the websites we have now have adopted the encryption protocol of ssl ts, which is https. Now if the URL you enter is HTTP, the browser will not allow you to connect normally. The function of https is to encrypt the communication information between us and the visited website. For example, you enter bank card number, password and other information on the shopping website. , will be encrypted, which greatly improves the security of accessing the network, but despite this, the privacy of our accessing the network is still not guaranteed.
  

• In the case of visiting an https website, although the network service provider cannot obtain complete web browsing information, it can still know the website you visit, and VPN technology tries to solve this problem as much as possible. Once the process of sending and receiving VPN data is used, It will become a VP client , wifi router , network service provider , VPN server to a website or application server .

• First of all, once a device has a VPN client installed and enabled, all data traffic you send from the device will be processed through VPN encryption , so that even if you are connected to public wifi in public places, it will be difficult for third parties to directly obtain your data. information, because the information sent has been encrypted. At the network service provider, the network service provider can only see some encrypted data. It is necessary to connect to a VPN server, the time to connect to WeChat and the data traffic of the paid VPN server, but it is limited to this, and then these encrypted data It will be decrypted through the vpn server. The VPN server resolves through the dns domain name, and then sends the data to the website server to be accessed. The VPN will hide your real ip address for the website you want to visit, and use the ip address of the VPN proxy server, so that the data in the router stage, network service provider stage, and website server stage are protected by double security and privacy.

VPN Responsibilities

Responsibility 1: Confidentiality

• Encryption is for confidentiality, so that the data is not so easy to see through the container. Encryption requires the use of algorithms, commonly used are AES, 3DES, the names of these two algorithms have E, E means encryption (encryption).
  

integrity

• Simple encryption cannot transmit data perfectly. After all, hackers can’t understand your data, and they may change your data randomly. If they can’t get it, they won’t let you get it. Therefore, another duty of VPN is to protect data integrity.
  
• The algorithm used by VPN to ensure data integrity is the HASH algorithm ( HASH is a general term for a series of algorithms )

• Hash Algorithm (Hash Algorithm), also known as hash algorithm and digest algorithm, is an algorithm that compresses messages of any length to a certain fixed length.
  Hash algorithms are often used in data integrity checks, passwords and other security aspects, as well as optimization in search engine indexes and database indexes.
  The hash algorithm can convert data of any length into fixed-length summary information, which is called hash value (Hash Value) or message digest (Message Digest). Commonly used hash algorithms include MD5, SHA-1, SHA-256, etc.
  

certified

• The most important thing is to know whether you know the person you are communicating with. For example, what if someone hacks an employee's computer and uses a VPN to log into the company's intranet? This requires the third responsibility of the VPN, which is authentication.
  
• Both PSK and RSA algorithms are common encryption algorithms in cryptography, but their application scenarios and implementation methods are different.
• PSK refers to the pre-shared key (Pre-Shared Key), which is a symmetric encryption algorithm, also known as shared key encryption. In PSK encryption, the sender and receiver share the same encryption key. Before communication, the two parties need to negotiate a key, and then use the key for encryption and decryption. PSK is often used to secure network communications or communications between devices.
• Example: Java implements PSK algorithm
  • The Cipher class in the Java standard library implements AES encryption, where the pskEncrypt method is used for encryption, and the pskDecrypt method is used for decryption. When encrypting and decrypting, we need to use the same key. Here we use a simple string as the key. In practice, a more complex and secure key should be used.

PSK algorithm implementation (dedicated to the big brother)

/**PSK算法简单实现 */ 
import java.math.BigInteger; import java.util.Random;
	public class PSK {
    
    
	
	private BigInteger p;  //质数p
	private BigInteger q;  //质数q
	private BigInteger n;  //n = p * q
	private BigInteger phi;    //欧拉函数φ(n) = (p-1) * (q-1)
	private BigInteger e;  //公钥e
	private BigInteger d;  //私钥d
	
	public PSK(int numBits) {
    
    
	    //生成两个大质数p和q
	    p = new BigInteger(numBits, 100, new Random());
	    q = new BigInteger(numBits, 100, new Random());
	
	    //计算n和φ(n)
	    n = p.multiply(q);
	    phi = (p.subtract(BigInteger.ONE)).multiply(q.subtract(BigInteger.ONE));
	
	    //选择公钥e，要求1 < e < φ(n)且e与φ(n)互质
	    do {
    
    
	        e = new BigInteger(2 * numBits, new Random());
	    } while ((e.compareTo(phi) != -1) || (e.gcd(phi).compareTo(BigInteger.ONE) != 0));
	
	    //计算私钥d，使得d与e模φ(n)同余
	    d = e.modInverse(phi);
	}
	
	//加密
	public BigInteger encrypt(BigInteger message) {
    
    
	    return message.modPow(e, n);
	}
	
	//解密
	public BigInteger decrypt(BigInteger encrypted) {
    
    
	    return encrypted.modPow(d, n);
	}
	
	public static void main(String[] args) {
    
    
	    PSK psk = new PSK(1024);
	    BigInteger message = new BigInteger("123456789");
	    BigInteger encrypted = psk.encrypt(message);
	    BigInteger decrypted = psk.decrypt(encrypted);
	
	    System.out.println("明文：" + message);
	    System.out.println("加密后：" + encrypted);
	    System.out.println("解密后：" + decrypted);
	}
}

PSK application demo

import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

public class PSKExample {
    
    
    public static void main(String[] args) throws Exception {
    
    
        String message = "Hello, world!";
        String key = "mysecretkey";
        byte[] encrypted = pskEncrypt(message, key);
        byte[] decrypted = pskDecrypt(encrypted, key);
        System.out.println("Encrypted message: " + new String(encrypted));
        System.out.println("Decrypted message: " + new String(decrypted));
    }

    /**
     * 使用PSK算法对消息进行加密
     *
     * @param message 要加密的消息
     * @param key     密钥
     * @return 加密后的消息
     * @throws Exception 加密异常
     */
    public static byte[] pskEncrypt(String message, String key) throws Exception {
    
    
        // 将密钥转换为SecretKeySpec对象，使用AES算法
        SecretKeySpec secretKey = new SecretKeySpec(key.getBytes("UTF-8"), "AES");
        // 创建Cipher对象，使用AES/ECB/PKCS5Padding加密模式
        Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
        // 使用密钥初始化加密模式
        cipher.init(Cipher.ENCRYPT_MODE, secretKey);
        // 对消息进行加密并返回结果
        return cipher.doFinal(message.getBytes("UTF-8"));
    }

    /**
     * 使用PSK算法对消息进行解密
     *
     * @param encrypted 加密后的消息
     * @param key       密钥
     * @return 解密后的消息
     * @throws Exception 解密异常
     */
    public static byte[] pskDecrypt(byte[] encrypted, String key) throws Exception {
    
    
        // 将密钥转换为SecretKeySpec对象，使用AES算法
        SecretKeySpec secretKey = new SecretKeySpec(key.getBytes("UTF-8"), "AES");
        // 创建Cipher对象，使用AES/ECB/PKCS5Padding加密模式
        Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
        // 使用密钥初始化解密模式
        cipher.init(Cipher.DECRYPT_MODE, secretKey);
        // 对加密后的消息进行解密并返回结果
        return cipher.doFinal(encrypted);
    }
}

---

• The RSA algorithm is an asymmetric encryption algorithm, also known as public key encryption. In RSA encryption, the sender uses the receiver's public key to encrypt, and the receiver uses its own private key to decrypt. The RSA algorithm is mainly used in digital signature and key agreement. In the digital certificate, the signature of the digital certificate is completed with the RSA algorithm. In addition, the RSA algorithm is also commonly used in the SSL/TLS protocol for key negotiation to ensure the security of both communication parties.

---

RSA algorithm implementation (dedicated to the big brother)

import java.math.BigInteger;
import java.util.Random;

public class RSA {
    
    

    private BigInteger p;  //质数p
    private BigInteger q;  //质数q
    private BigInteger n;  //n = p * q
    private BigInteger phi;    //欧拉函数φ(n) = (p-1) * (q-1)
    private BigInteger e;  //公钥e
    private BigInteger d;  //私钥d

    public RSA(int numBits) {
    
    
        //生成两个大质数p和q
        p = new BigInteger(numBits, 100, new Random());
        q = new BigInteger(numBits, 100, new Random());

        //计算n和φ(n)
        n = p.multiply(q);
        phi = (p.subtract(BigInteger.ONE)).multiply(q.subtract(BigInteger.ONE));

        //选择公钥e，要求1 < e < φ(n)且e与φ(n)互质
        do {
    
    
            e = new BigInteger(2 * numBits, new Random());
        } while ((e.compareTo(phi) != -1) || (e.gcd(phi).compareTo(BigInteger.ONE) != 0));

        //计算私钥d，使得d与e模φ(n)同余
        d = e.modInverse(phi);
    }

    //加密
    public BigInteger encrypt(BigInteger message) {
    
    
        return message.modPow(e, n);
    }

    //解密
    public BigInteger decrypt(BigInteger encrypted) {
    
    
        return encrypted.modPow(d, n);
    }

    public static void main(String[] args) {
    
    
        RSA rsa = new RSA(1024);
        BigInteger message = new BigInteger("123456789");
        BigInteger encrypted = rsa.encrypt(message);
        BigInteger decrypted = rsa.decrypt(encrypted);

        System.out.println("明文：" + message);
        System.out.println("加密后：" + encrypted);
        System.out.println("解密后：" + decrypted);
    }
}

RSA Application Demonstration: Implementing Signatures

- Java内置的RSA算法进行加密和解密，并添加了必要的注释以便其他开发者理解代码的作用和实现原理。其中，我们通过generateRSAKeyPair方法生成RSA密钥对，使用私钥对消息进行签名并通过公钥对签名进行验证。

import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;

public class RSAExample {
    
    
    public static void main(String[] args) throws Exception {
    
    
        // 生成RSA密钥对
        KeyPair keyPair = generateRSAKeyPair();
        // 获取公钥和私钥
        PublicKey publicKey = keyPair.getPublic();
        PrivateKey privateKey = keyPair.getPrivate();

        // 原始消息
        String message = "Hello, world!";

        // 使用私钥对消息进行签名
        byte[] signature = rsaSign(message.getBytes(), privateKey);

        // 使用公钥对签名进行验证
        boolean valid = rsaVerify(message.getBytes(), signature, publicKey);

        // 输出签名结果
        System.out.println("Signature: " + new String(signature));
        // 输出验证结果
        System.out.println("Valid: " + valid);
    }

    /**
     * 生成RSA密钥对
     *
     * @return RSA密钥对
     * @throws Exception 异常
     */
    public static KeyPair generateRSAKeyPair() throws Exception {
    
    
        // 创建KeyPairGenerator对象，使用RSA算法
        KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
        // 初始化密钥大小为2048
        keyPairGenerator.initialize(2048);
        // 生成密钥对
        return keyPairGenerator.generateKeyPair();
    }

    /**
     * 使用私钥对消息进行签名
     *
     * @param message   要签名的消息
     * @param privateKey 私钥
     * @return 签名
     * @throws Exception 异常
     */
    public static byte[] rsaSign(byte[] message, PrivateKey privateKey) throws Exception {
    
    
        // 创建Signature对象，使用SHA256withRSA算法
        Signature signature = Signature.getInstance("SHA256withRSA");
        // 使用私钥初始化Signature对象
        signature.initSign(privateKey);
        // 更新要签名的消息
        signature.update(message);
        // 对消息进行签名并返回结果
        return signature.sign();
    }

    /**
     * 使用公钥对签名进行验证
     *
     * @param message   原始消息
     * @param signature 签名
     * @param publicKey 公钥
     * @return 验证结果
     * @throws Exception 异常
     */
    public static boolean rsaVerify(byte[] message, byte[] signature, PublicKey publicKey) throws Exception {
    
    
        // 创建Signature对象，使用SHA256withRSA算法
        Signature sig = Signature.getInstance("SHA256withRSA");
        // 使用公钥初始化Signature对象
        sig.initVerify(publicKey);
        // 更新要验证的消息
        sig.update(message);
        // 对签名进行验证并返回结果
        return sig.verify(signature);
    }
}

• In short, both PSK and RSA algorithms are important encryption algorithms, but their application scenarios and implementation methods are different. PSK is mainly used in symmetric encryption scenarios, and RSA algorithm is mainly used in asymmetric encryption scenarios.

Two frameworks of VPN

• Network communication is originally a bunch of protocols composed of a bunch of protocols, which can also form a framework. VPN mainly uses two major frameworks, IPSec and SSL/TLS . It is an acronym for security . The content of the two frameworks is complex, but the core is security.

---

SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are network security protocols used to provide encrypted communication between clients and servers. SSL was originally developed by Netscape and was later replaced by TLS. TLS is an upgraded version of SSL and is currently widely used in secure communication between web browsers and servers.

The SSL/TLS framework includes the following parts:

1. Handshake Protocol (Handshake Protocol): used to establish a secure connection between the client and the server. During the handshake, the client and server negotiate encryption algorithms, generate keys, verify identities, and more.

2. Record Protocol (Record Protocol): Used to transmit data over an established secure connection. Before the data is transmitted, the data will be encrypted, compressed, and MAC will be added.

3. Cipher Suite (Cipher Suite): includes encryption algorithm, key exchange algorithm, MAC algorithm, etc. The client and server negotiate which cipher suite to use during the handshake.

4. Digital Certificate: Used to verify the identity of the server. The server must provide a digital certificate, and the client verifies the validity of the digital certificate during the handshake process.

5. Session (Session): used to maintain a connection between the client and the server. During the handshake process, a session ID is generated, and the client and server can use the session ID to restore the previous secure connection and avoid repeating the handshake process.

6. Security Parameters (Security Parameters): Contains encryption key, MAC key, initialization vector, etc. During the handshake, the client and server negotiate security parameters.

• The implementation of the SSL/TLS framework can use various programming languages ​​and libraries, such as Java's JSSE, Python's ssl, OpenSSL, etc. Developers can choose an appropriate implementation method according to their own needs.

---

The IPSec (Internet Protocol Security) framework is a protocol used to protect the security of IP data packets, and can provide security services such as data encryption, authentication, and integrity protection. IPSec can provide security protection at the network layer, regardless of the application program, and can protect all application programs using the IP protocol.

The IPSec framework includes the following parts:

1. Security Association (SA): It is used to describe a set of parameters of IPSec security services, including encryption algorithm, authentication algorithm, key, etc.

2. Security Association Database (SAD): Used to store security associations.

3. Security Policy Database (SPD): used to store security policies, including which data packets need to be processed safely, how to perform security processing, and so on.

4. Key Management Protocol (KMP): Used to negotiate and manage keys for security associations.

5. Authentication Header (Authentication Header, AH): It is used to provide integrity protection and authentication services of IP data packets, but does not provide encryption services.

6. Encapsulating Security Payload (ESP): used to provide encryption, integrity protection and authentication services for IP data packets.

• The implementation of IPSec can use various programming languages ​​and libraries, such as Java's JCE, Python's pycrypto, OpenSSL, etc. Developers can choose an appropriate implementation method according to their own needs.

---

• Why do you need to use these two frameworks?
  • SSL/TLS stands for the s of https, that is, the SSL/TLS we use when browsing the web, so the client-to-site VPN generally uses SSL/TLS. After all, there are browsers that can perform bp functions, so you can Yes, very convenient.
  • IPses is applicable to both types of VPNs, it can be used in client-to-site VPN and site-to-site VPN, but most of them are used in site-to-site VPN.
    

Misconceptions about VPNs

• An ISP is an Internet Service Provider (Internet Service Provider), which refers to a company or organization that provides Internet access services. ISPs provide Internet access services to users by providing broadband, dial-up, optical fiber, DSL, etc., so that users can access the Internet and perform online activities. ISPs may also provide other services such as email, website hosting, domain name registration, and more.
  

• First, the data whose target address has been modified is sent to the VPN server through the ISP (Internet Service Provider) network, and then the VPN server decrypts the data and sends it to the real server. An invisible channel is established between you and the VPN server , so VPN stands for Virtual Private Network.
• Risks in this process: the VPN may betray you and reveal the website you actually visit. Even if your VPN will not betray you, then when resolving the domain name, you should first ask the ISP for the address of a certain website. The DNS server you set is still provided by the ISP, so that the ISP can still reach the website you want to visit

---

• In general, it is safe to use HTTPS to access web pages. Although hackers know that you are visiting the website, they cannot obtain the content you actually send and access.

VPN legality and legal knowledge

• How does our country regulate personal use of VPNs? No circumvention signal is established, no circumvention service is provided, it is just a tool to buy, there is no temptation to take profits, and no inappropriate remarks are made on overseas websites, is it not illegal?
• From the perspective of judicial practice, taking the punishment of Zhejiang Province from 2019 to 2023 as an example, the results show that it is mainly concentrated in 2019 and 20 years, because there are about 50 punishments for overturning the wall (unauthorized establishment and use of illegal international networking). Multiple pieces. The starting point indicated that there is no profit-making behavior, which has constituted the unauthorized establishment and use of illegal channels for international networking, and was finally punished by the public security. The execution method of punishment includes admonition on the spot or a fine of 1,000 yuan and a warning. ( Are some friends starting to worry and be afraid? )
  

• • Circumvention refers to bypassing the corresponding ip to block content, filter domain names, hijack traffic restrictions, etc., to achieve access to network content. In my country, what netizens call circumventing the wall generally refers to bypassing our country's legal control and browsing relevant webpage content on overseas servers. For example, using VPN software to access overseas websites, as long as you use circumvention software in China, no matter what your purpose is, it is an illegal act. my country clearly stipulates that computer information networks must use the international ingress and egress channels provided by the national public telecommunication network for direct international networking, and no unit or individual may establish or use other channels for international networking.

• First of all, from an academic point of view, including many professional and technical personnel and legal scholars, they are all working together to demonstrate that the use of machinery "Article 6 of the Interim Regulations of the People's Republic of China on the Administration of International Networking of Computer Information Networks" is not standardized, because from the regulations It must be the use of the international ingress and egress channel provided by the national public telecommunications network of the Ministry of Posts and Telecommunications , but currently only through the three major domestic operators, that is, China Mobile, China Unicom, and China Telecom, the overseas server docking service applied by these three companies is legal. Is it illegal to circumvent the wall in form? According to this explanation, it is indeed the case.
• But the channel here is a physical channel, that is to say, if you go to a foreign country by pulling the network cable yourself, it is called private establishment, and that is illegal. A VPN is just a data subcontract, and the rules and regulations are different from using a VPN to access overseas websites. ( see here, are some friends starting to get lucky )
• It can be seen that the efforts of the technicians really cannot simply copy the provisions. But in practice, whether it is illegal for individual citizens to use it because of overpassing the wall, there is no clear legal provision in itself, and they are only used in a vague way . However, if the administrative penalty is imposed, it may not only be limited to browsing the web over the wall, but also other illegal activities, which lead to the final investigation and punishment, but it does not rule out that the person was arrested for surfing the Internet.

Summarize

• As an ordinary netizen, we should recognize the role and importance of the VPN, and at the same time clarify the necessity and urgency of legally using the VPN. We must actively appeal to everyone not to abuse VPN, not to break through the wall illegally, to abide by laws and regulations, and to protect personal privacy and information security. At the same time, we also need to support the government to strengthen network supervision, combat cybercrime, and maintain network security and order. Let us work together to use VPN reasonably and build a harmonious, free and safe cyberspace.