
International Journal of Advance Foundation and Research in Computer (IJAFRC)

Volume 1, Issue 7, July 2014. ISSN 2348 - 4853

© 2014, IJAFRC All Rights Reserved www.ijafrc.org
Performance and Strength Comparison Of Various
Encryption Protocol of PPTP VPN.
Anupriya Shrivastava, M A Rizvi
National Institute of Technical Teachers Training and Research Bhopal, India
anushrivastava1989@gmail.com, marizvinitttr@bpl.ac.in


A B S T R A C T
In order to prevent spoofing and hacking of the data, the OSI model provides numerous security
protocols such as Internet Protocol Security (IPSec) in network layer and Socket Secured Layer
(SSL) in transport layer etc. There are a large number of ways to implement the Virtual Private
Network (VPN) that create the illusion of a private network within public domain. One such
protocol is Point to Point Tunneling Protocol (PPTP). An attempt has been made in this paper to
compare the performance of various encryption protocols in Point-to-Point Protocol based
Virtual Private Network. We analyze the latency values for different protocols. Next we compare
the relative cryptic strengths of each of these protocols and show that compromising on the
security does not result in much gain in data rate.
Index Terms: MPPE, PPTP, RC4, Cipher, VPN, MSCHAPv2

I. INTRODUCTION

Remote access is a common need for travelling persons such as businessmen and directors who wish to
connect to their organization's private network from far-off locations. Due to the valuable information
it carries, the security issues must be considered carefully. One of the popular technologies used to
achieve these goals is VPN. A VPN extends a private network across a public network, such as the
Internet [5]. This allows sharing of data in public networks as if they were directly connected. Some
popular VPN technologies include PPTP, which works on port TCP 1723 [6], Layer 2 Tunneling Protocol
(L2TP), Internet Protocol Security (IPSec) and Secure Socket Layer (SSL). Several commercial and open
source VPN products are now available that can be configured to provide VPN services with varying
characteristics [7]. Although a great deal of work is being done to standardize VPNs, none of the
trusted VPN technologies are IETF standards yet [8].

VPNs are implemented through different techniques; Point-to-Point Tunneling Protocol (PPTP)
is one such method. To encapsulate PPP packets, PPTP uses a control channel
over TCP and a GRE tunnel. The PPTP protocol is tunneled to implement functionality such as security.
Encryption and authentication features are not specified by the PPTP protocol. Being a Microsoft
implementation, the PPTP package that ships with the Windows® Operating System has
varying degrees of authentication and encryption protocols. The primary intention is to provide
VPN users with the kind of security and remote access from far-off locations found in any
state-of-the-art VPN technology. The encryption protocol, Microsoft Point-to-Point Encryption (MPPE),
as suggested by the name, was initially a Microsoft implementation, but it is now available in all
common operating systems such as Linux. Even Android-based devices come with built-in PPTP software.





Figure 1. Setting up PPTP VPN in android-based mobile

MPPE encrypts data in Point-to-Point Protocol (PPP)-based dial-up connections or Point-to-Point
Tunneling Protocol (PPTP) virtual private network (VPN) connections. The encryption schemes supported
by MPPE are 128-bit key (strong), 56-bit key, and 40-bit key (standard). MPPE provides data security
for the PPTP connection between the VPN client and the VPN server.

II. RELATED WORK

Author [1] provides information regarding the availability of patches under Linux that allow PPP to
support RC4-compatible 40, 56 and 128 bit encryption. As PPTP uses PPP, some people make the
mistake of assuming that a modem is needed, but that is no longer essential. Moreover, the
methodology used to connect to the IP network is transparent to PPTP. Figure 2 shows the IP packet
frame with the encrypted portion.

Figure 2. PPTP packet format with encryption

Pall and Zorn [2] have shown in the RFC how the length of the session key to be used for initializing
encryption tables can be handled. 128-bit and 40-bit session keys are currently supported by MPPE.
Thambiraja, Ramesh and Umarani [3], in their research paper, have shown that RC4 is a faster and more
efficient protocol compared to AES for encrypting large packets. Throughput for encryption, work load by
CPU, cost for energy and variation in key size were the performance metrics used by them. Also, they
have shown that RC4 takes less time to encrypt the files. Thus, we can conclude that MPPE, which
internally uses RC4, is a better protocol as compared to other AES protocols for heavy traffic networks.


Figure 3. Algorithm to derive cipher text from key using RC4

Nadhem, Daniel, Kenneth, Bertram and Jacob [4] showed that the single-byte bias attack on RC4 is quite
effective in recovering early plain-text bytes in the fixed-plaintext multi-session setting.

Dr. Sabah Nassir Hussein FCMI and Abdul Hadi Qais Abdul Hadi [10], in their research paper, used the
security protocols PPTP, L2TP and IPSec on a dedicated private network and a VPN to see the impact on
those two networks. The performance test of the private network is implemented using OPNET Version
14.0 by simulating two different networks and applying different security protocols. Using OPNET they
measure the efficiency of performance and Quality of Service (QoS) of the networks implemented
for this purpose. They have shown different outputs such as voice conferencing jitter,
mean opinion score (MOS), download response time across the network, FTP download response time
and video conferencing packet delay variation for the security protocols PPTP, L2TP and IPSec.

III. WORKING OF MPPE ENCRYPTION

MPPE alone does not expand or compress data, but the protocol is frequently used in conjunction
with Microsoft Point-to-Point Compression, which compresses data across PPP or VPN links. Negotiation
of MPPE happens within the Compression Control Protocol (CCP), a sub-protocol of PPP. This can lead to
the incorrect belief that it is a compression protocol. RC4 is the most widely used software stream cipher
and is the one incorporated in MPPE as well. Once an initial session key has been derived, the RC4
context is initialized as follows:

rc4_key (RC4Key, Length_Of_Key, Initial_Session_Key)

The encryption of data is performed using the following function:

Data (encrypted) = f (rc4 key, data length, data) where f = rc4

It can be observed that the length of the key is a critical parameter in determining the encryption
strength, because of which we prefer using 128-bit MPPE over the 40/56-bit MPPE protocol. Because
the RC4 tables are reinitialized during stateful synchronization, it is possible that two different
packets may be encrypted using the same key. For this reason, the stateful mode SHOULD
NOT be used in lossy network environments; layer two tunnels on the Internet are an example.

IV. EXPERIMENTAL SETUP

A Dell Precision T3610 system with an Intel® Xeon® processor E5-1600 v2 and 3 GB RAM is used for both
client and server systems. A Windows Vista machine is configured as a PPTP Server
by using the 'Incoming Connection' functionality. A pool of addresses is assigned in the IP address range
P.Q.R.S - P.Q.R.A, from which the Server selects the starting IP for itself and one among the remaining for
the Client. A Windows 8 machine is configured as a PPTP Client. In the cases studied, we vary the
encryption option from the 'Properties' section of the Client. Next, a connection is established from the PPTP
client to the PPTP server. Connection between client and server occurs in three phases:

Phase 1: Connection initiation by the VPN client and determination of the authentication protocol to be used.
First, a TCP connection is established between client and server. The message format will be Msg = F
(Server IP, Server Port). Then the VPN client sends a 'connection request' to the VPN server. If the VPN server is
up and running, it responds with a 'connection reply'. Now client and server decide upon the link
control parameters. Then the VPN client suggests the authentication (such as PAP, MSCHAP) and encryption
(such as MPPE) protocols. The message format will be: Msg = F (Auth Proto = a1, a2 ... an; Encryption
Proto = e1, e2 ... en). The server now decides whether to communicate with the client using any or all of the
above-mentioned protocols, and responds to the client with one of the following messages:
a) ACK: in case of straight agreement (agrees to one/any among a1, a2 ... and one/any among e1, e2 ...);
b) NACK: in case it wants the client to choose another protocol;
c) REJ: in case it wants to reject the connection. This is shown in Figure 4.




Figure 4. First phase of PPTP, post TCP connection

Phase 2: This is an authentication phase where the authentication is performed between Client and
Server using PAP, CHAP or MSCHAP protocols. The user credentials sent may be in plain-text format or
encrypted depending upon the protocol chosen.

Phase 3: Once the authentication is successful, virtual interfaces (of the form pppX) are brought up.
The Server assigns an IP to the client and to itself from the pool of free IPs.

The status of the VPN connection can be checked as shown in Figure 5.



Figure 5: Properties can be viewed on Status tab in Windows

Next we run a stream of ping traffic using the command:

Ping <Client IP> -n 1000

Two scenarios are considered with the same authentication protocol, MSCHAPv2, but different encryption
protocols: MPPE-40 bit and MPPE-128 bit.

CASE 1: Figure 6 shows the output taken on a networking tool, Wireshark®, when MPPE-128 bit
encryption is chosen. The X-axis shows the time in the HH:MM:SS format with 1 tick interval =
10 seconds. The Y-axis shows the number of packets per tick. As time increases, the graph shifts towards the
left and the most recent capture appears on the right hand side.



Figure 6: Wireshark I/O result showing the amount of Bytes transferred with time (MPPE 128)

V. OBSERVATION

The average number of IP packets transferred per tick interval is around 100, with occasional peaks at
a rate > 50 packets/tick. There are also a few dips, which show that the data rate is suddenly lowered
when PPTP control packets are transferred.

CASE 2: Figure 7 shows the output taken on a networking tool, Wireshark®, when MPPE-40 bit
encryption is chosen. The X-axis shows the time in the HH:MM:SS format with 1 tick interval =
10 seconds. The Y-axis shows the number of packets per tick. As time increases, the graph shifts towards the
left and the most recent capture appears on the right hand side.




Figure 7: Wireshark I/O result showing the amount of Bytes transferred with time (MPPE 40)

The average number of IP packets transferred per tick is around 70, which is around 5 % better than
that observed with the previous, stronger protocol. There are certain peaks as well, which show
that the weaker encryption does take significantly less time in between. Again, a few dips can be
observed where the data rate is reduced to < 10 packets/tick due to the transfer of control packets.
VI. CONCLUSION AND FUTURE WORK
With an ever increasing risk of attacks on VPN traffic, it is imperative that the user ensures that the
encryption and authentication protocols are strong enough to withstand such attacks. The
experiments shown above also suggest that one should opt for a weaker encryption protocol only if
either the Server or the Client does not support a stronger one. Though the experiment has been
performed for PPTP, the results apply equally well to L2TP because both use the PPP protocol for
encryption. There is scope for improvement with respect to the strength of the MPPE protocol. It makes use
of the RC4 stream cipher. There exists no authentication method for the cipher text stream, as a result of which
MPPE is vulnerable to the bit-flipping attack. An attacker can modify the stream in transit
and manipulate single bits so as to modify the output stream with hardly any possibility of detection.
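
The two weaknesses described in Section III (two packets encrypted under the same RC4 key) and in the conclusion above (a ciphertext stream with no authentication) can be reproduced with a plain RC4 routine. This is an added example, not code from the paper or from any MPPE implementation; the key, the packets and the HMAC-SHA256 encrypt-then-MAC wrapper are constructed assumptions used only to show how an integrity tag detects the change.

```python
import hashlib
import hmac

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling, then XOR data with the keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:                          # keystream generation + XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# Constructed sample values (assumptions), not taken from any capture.
SESSION_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # 128-bit
MAC_KEY = b"constructed-integrity-key"
PKT_A = b"PAY 0100 TO ALICE"
PKT_B = b"GET /status.html "

def keystream_reuse_leak() -> bytes:
    """Two packets under the same key and RC4 state: the keystream cancels."""
    c1, c2 = rc4(SESSION_KEY, PKT_A), rc4(SESSION_KEY, PKT_B)
    return xor(c1, c2)             # equals PKT_A xor PKT_B, no key involved

def flip_in_transit(ct: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Model a change in transit: XOR (old ^ new) into the ciphertext."""
    patch = xor(old, new)
    return ct[:offset] + xor(ct[offset:], patch) + ct[offset + len(patch):]

def seal(plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: adds the integrity tag the bare RC4 stream lacks."""
    c = rc4(SESSION_KEY, plaintext)
    return c + hmac.new(MAC_KEY, c, hashlib.sha256).digest()

def open_sealed(blob: bytes):
    """Return the plaintext, or None when the tag does not verify."""
    c, tag = blob[:-32], blob[-32:]
    good = hmac.compare_digest(tag, hmac.new(MAC_KEY, c, hashlib.sha256).digest())
    return rc4(SESSION_KEY, c) if good else None
```

Without the tag, the flipped ciphertext decrypts cleanly to the altered packet; with it, `open_sealed` returns `None` for the same modification.
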
VII. REFERENCES

[1] [Online] Available: http://www.linuxjournal.com/article/3965

[2] [Online] Available: http://www.ietf.org/rfc/rfc3078.txt

[3] Thambiraja, Ramesh and Umarani, A Survey on Various Most Common Encryptions Techniques,
International Journal of Advanced Research in Computer Science and Software Engineering.

[4] Nadhem, Daniel, Kenneth, Bertram and Jacob, "On the Security of RC4 in TLS", 22nd USENIX
Security Symposium.

[5] [Online] Available: http://en.wikipedia.org/wiki/Virtual_private_network

[6] K. Hamzeh, G. Pall, W. Verthein, J. Taarud, W. Little, G. Zorn, "Point to point tunneling
protocol". RFC 2637 (July 1999).

[7] Shashank Khanvilkar and Ashfaq Khokhar, Virtual Private Networks: An Overview with
Performance Evaluation, 0163-6804/04/$20.00 © 2004 IEEE.

[8] [Online] Available: http://www.vpnc.org/vpn-standards.html.

[9] Bruce Schneier, Mudge, and David Wagner, Cryptanalysis of Microsoft's PPTP Authentication
Extensions (MS-CHAPv2), © Springer-Verlag Berlin Heidelberg, 1999.

[10] Dr. Sabah Nassir Hussein FCMI and Abdul Hadi Qais Abdul Hadi, The Impact of Using Security
Protocols in Dedicated Private Network and Virtual Private Network, INTERNATIONAL JOURNAL
OF SCIENTIFIC & TECHNOLOGY RESEARCH VOLUME 2, ISSUE 11, NOVEMBER 2013.

[11] R. Malhotra, R. Narula, Techno-Evaluation and Empirical Study of Virtual Private Networks Using
Simulations, Journal of Computing, Volume 3, Issue 7, July 2011.

[12] M. Finlayson, J. Harrison, R. Sugarman, VPN TECHNOLOGIES - A COMPARISON, February 2003,
updated June 2004.

[13] Narayan. S., Brooking, K.; de Vere, S, Network performance analysis of VPN protocols: An
empirical comparison on different operating system, Networks Security, Wireless
Communications and Trusted Computing, 2009. NSWCTC '09, International Conference on
(Volume: 1).

[14] Narayan. S., Brooking, K.; de Vere, S, Network Evolution of VPN Protocols in window 2003
environment, Advanced Computer Theory and Engineering, ICACTE 2008.
