By Gil Vidals, HIPAA Blog

Remote Capabilities

Virtual Private Networks (VPNs) are all about remote access – an increasingly desirable capability for performing work across an expanded region.

For example, you may have a need to access a shared file on your home network. Or, maybe you want to check email on your company’s private servers. Using a VPN allows you to securely connect to those private networks over the internet.

Normally, a personal computer has one IP address that it uses to connect to other servers over the internet. When a user connects to a VPN, they are given an additional route through which they can communicate. The VPN essentially stops unauthenticated traffic by allowing traffic only over those specific routes; all other traffic is automatically denied. In essence, the VPN serves as a portal connecting a private subnet to the internet.

Secure Communications

Transmitting sensitive data, especially when it comes to maintaining HIPAA compliance, requires additional protection against vulnerabilities. VPNs allow these protections by offering various protocols through which to securely communicate with servers.

An SSL-VPN uses SSL (Secure Sockets Layer), or its successor, TLS (Transport Layer Security), to encrypt data. When communicating through a VPN-enabled route, your data is encrypted with a specific cipher that both you and the VPN understand. (A padlock icon next to an https:// address in the browser's address bar is an indicator of this encryption.) This ensures that data is secured before it is sent over the internet. Even if someone managed to intercept your transmitted data, they would only receive encrypted data.

In contrast to this “SSL Portal” type of VPN, “SSL Tunnel” VPNs run under SSL and support active content, such as plug-ins and JavaScript, that cannot pass through an SSL Portal. By using an SSL-VPN, you can gain access to private subnets and ensure that all information you send is secure.

SSL Ciphers: How They Work

At their most basic, SSL cipher suites have three main parts: a key exchange method, a bulk encryption algorithm, and a message authentication code. SSL and TLS initially use a “handshake” procedure to create a secure connection. The computer initiating the handshake is typically called the “client,” and the server that sends back information is the “host.”

Key Exchange

First, the client must signal that it wishes to use TLS for this connection. This is most commonly done by communicating over a specified port. After the connection is established, the client sends the server a list of keys it supports. The server picks a key from this list and notifies the client of its choice. The host then sends an SSL certificate to verify its identity. This assures the client that it is communicating with the proper host. These SSL certificates are also verified by a third party to ensure that no one can spoof anyone else’s certificate.

Bulk Encryption Algorithm

Once the client has verified the server's identity, the client and server begin communicating using the chosen algorithm. These algorithms are almost always asymmetric, utilizing two keys. One key is used to encrypt a message that can only be decrypted with the other key. For example, suppose a client wishes to send a secure message to the host. The client encrypts the message with the host’s public key, and it can then only be decrypted with the host’s private key. Using this technique, even if traffic between the client and host is intercepted, only the designated recipient will be able to decrypt it and read the actual contents.

Message Authentication Code

The message authentication code provides a way to ensure that a message sent by either the client or the server hasn’t been tampered with in a “man in the middle” attack. It works by using an additional algorithm that takes the sender’s public key and the message as input. The output is a unique tag that can only be recreated with that public key and that exact message. When the client or server receives the message, it verifies the authenticity by trying to recreate the tag using the sender’s public key and the message. If the tags match, the message hasn’t been changed.

By using these three processes, an SSL cipher suite ensures that your data is safe and secure as it travels across the internet.
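As an added example (not from the article or HIPAA Vault), the Python script below splits each cipher suite into the three parts described above and rejects legacy choices, using the dict shape that Python's own ssl.SSLContext.get_ciphers() returns. One detail worth knowing when reading the output: in deployed TLS the bulk cipher is a symmetric algorithm and the MAC is keyed with a shared session secret, while the host's asymmetric key is used during the key exchange to establish that secret. The policy sets and the SAMPLE_SUITES list are constructed assumptions for this example.

```python
# Split each TLS cipher suite into the three parts the article describes
# (key exchange, bulk cipher, MAC) and apply a policy. The policy sets are
# assumptions; dict shape follows ssl.SSLContext.get_ciphers().
import ssl
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}
NO_FORWARD_SECRECY = {"kx-rsa"}            # static RSA key transport
WEAK_BULK = ("rc4", "des", "null")         # substrings of OpenSSL cipher names
WEAK_MAC = {"md5", "sha1"}

def decompose(suite):
    """Return the suite's three components and the policy reasons it fails."""
    reasons = []
    if suite["protocol"] in LEGACY_PROTOCOLS:
        reasons.append(f"legacy protocol {suite['protocol']}")
    if suite["kea"] in NO_FORWARD_SECRECY:
        reasons.append("static RSA key exchange: no forward secrecy")
    bulk = suite["symmetric"] or "null"
    if any(tok in bulk for tok in WEAK_BULK):
        reasons.append(f"weak bulk cipher {bulk}")
    # AEAD suites (GCM, ChaCha20-Poly1305) authenticate inside the cipher; digest is None.
    mac = "AEAD" if suite["aead"] else (suite["digest"] or "none")
    if mac in WEAK_MAC:
        reasons.append(f"weak MAC digest {mac}")
    return {"name": suite["name"], "key_exchange": suite["kea"],
            "bulk_cipher": bulk, "mac": mac, "reasons": reasons}

def audit(suites):
    """Return (accepted suite names, {rejected name: reasons})."""
    parts = [decompose(s) for s in suites]
    accepted = [p["name"] for p in parts if not p["reasons"]]
    rejected = {p["name"]: p["reasons"] for p in parts if p["reasons"]}
    return accepted, rejected

SAMPLE_SUITES = [  # constructed, mirroring get_ciphers() output
    {"name": "TLS_AES_256_GCM_SHA384", "protocol": "TLSv1.3", "kea": "kx-any",
     "auth": "auth-any", "symmetric": "aes-256-gcm", "digest": None, "aead": True},
    {"name": "ECDHE-RSA-AES128-SHA256", "protocol": "TLSv1.2", "kea": "kx-ecdhe",
     "auth": "auth-rsa", "symmetric": "aes-128-cbc", "digest": "sha256", "aead": False},
    {"name": "AES256-SHA", "protocol": "SSLv3", "kea": "kx-rsa",
     "auth": "auth-rsa", "symmetric": "aes-256-cbc", "digest": "sha1", "aead": False},
    {"name": "ECDHE-RSA-RC4-SHA", "protocol": "TLSv1", "kea": "kx-ecdhe",
     "auth": "auth-rsa", "symmetric": "rc4", "digest": "sha1", "aead": False},
]

if __name__ == "__main__":
    ok, bad = audit(ssl.create_default_context().get_ciphers())  # live check
    print(f"default context: {len(ok)} accepted, {len(bad)} rejected")
    for name, why in audit(SAMPLE_SUITES)[1].items():
        print(f"REJECT {name}: {'; '.join(why)}")
```

Running it against the interpreter's default context shows which suites a server built on that context would still negotiate under this policy.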


Gil Vidals is the president and CTO of HIPAA Vault. He is a passionate subject matter expert on HIPAA compliance and the healthcare cloud, and co-host of the HIPAA Vault podcast. Since 1997, Gil’s mission has been to provide uncompromising and affordable HIPAA-compliant hosting solutions to commercial and government clients, helping protect their sensitive health information from data breaches and security vulnerabilities. HIPAA Vault has been recognized as an Inc. 5000 company and a Clutch Top B2B company. He can be reached on LinkedIn.