What is Perfect Forward Secrecy (PFS)?

A brief on perfect forward secrecy, its usage and implications.

According to Wikipedia:

In cryptography, forward secrecy (FS), also known as perfect forward secrecy (PFS), is a feature of specific key agreement protocols that gives assurances that session keys will not be compromised even if long-term secrets used in the session key exchange are compromised.

In other words, forward secrecy protects your past communications against future compromises of the encryption keys used to secure those communications.

Why do you need this? In a world where traffic may be intercepted and stored by law enforcement agencies or malicious actors, it is important to protect not only the data traversing the network but also the keys used to encrypt it. With PFS, every session negotiates its own key from secrets that are discarded once the session ends, so a passively recorded stream cannot be decrypted later even if the server's long-term private key is eventually stolen. Two caveats apply. First, this assumes the traffic was only captured passively; an active man-in-the-middle whom the client accepts at handshake time (for example, via a compromised certificate or CA) simply negotiates its own session keys with each side, and PFS does nothing to stop that. Second, PFS protects only against compromise of long-term keys, not against cryptanalysis of the recorded traffic itself: if the symmetric cipher, or the ephemeral key exchange (classical DH and ECDH both fall to a sufficiently large quantum computer), is broken in the future, recordings made today can still be decrypted.

This concept has been around for a while, but its importance really came to the fore when the OpenSSL Heartbleed bug was discovered in 2014. Heartbleed was a memory-disclosure bug in OpenSSL's TLS heartbeat extension: an attacker could read chunks of a server's process memory, which could include the server's long-term private key. With the then-common RSA key-transport cipher suites, the client encrypts the session's pre-master secret to that key, so whoever holds it can decrypt every recorded session, past and future. With forward-secret cipher suites, the long-term key is used only to sign the handshake, and the session key is agreed with ephemeral Diffie-Hellman (DHE) or the more performant ephemeral Elliptic Curve Diffie-Hellman (ECDHE): each side generates a fresh key pair for the session and discards the private half once the shared secret is derived. A recording of the handshake therefore cannot be decrypted later, even by someone holding the server's long-term key. The underlying handshake is quite complicated, and we won't go into those details here.
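To make the difference concrete, here is a small added example (the editor's illustration, not code from the original post or from OpenSSL). It models a handshake twice: once where the server's long-term key is itself the key-exchange key (standing in for the RSA key-transport and static-DH suites of TLS 1.2), and once where a fresh ephemeral key is used and thrown away (DHE). An eavesdropper records the public values, the long-term key later leaks Heartbleed-style, and we check whether the recorded session can be recovered. It uses plain finite-field Diffie-Hellman over the 1024-bit RFC 2409 group 2 prime, which is far too small for production and is used only because it is a well-known constant (transcribed here by the editor; verify against the RFC before reuse). Authentication of the shares by the long-term key is omitted, since it does not feed the session key.

```python
"""Toy model of why ephemeral key exchange gives forward secrecy.

Editor's added example, not code from the original post. Standard library
only, so it runs offline. A real TLS stack uses ECDHE (e.g. X25519), a
proper KDF and signatures rather than the simplified pieces below.
"""
import hashlib
import hmac
import secrets

# 1024-bit MODP prime from RFC 2409 (Oakley group 2), transcribed by the
# editor. Deprecated size; chosen only because it is a well-known constant.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF",
    16,
)
G = 2
GROUP_BYTES = 128  # every group element fits in 1024 bits


def keygen():
    """Return (private exponent, public share) in the group."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def derive_key(shared_secret, transcript):
    """Toy KDF: HMAC-SHA256 of the handshake transcript under the shared secret."""
    return hmac.new(shared_secret.to_bytes(GROUP_BYTES, "big"), transcript,
                    hashlib.sha256).digest()


def run_handshake(server_longterm, ephemeral):
    """Run one handshake; return (session_key, what an eavesdropper recorded)."""
    s_priv, s_pub = server_longterm
    if ephemeral:
        # DHE: fresh server key pair for this session only. In TLS the
        # long-term key would sign e_pub; that signature is omitted here.
        e_priv, e_pub = keygen()
    else:
        # Static key exchange: the long-term key *is* the exchange key
        # (analogous to RSA key transport or static DH in TLS 1.2).
        e_priv, e_pub = s_priv, s_pub
    c_priv, c_pub = keygen()
    transcript = e_pub.to_bytes(GROUP_BYTES, "big") + c_pub.to_bytes(GROUP_BYTES, "big")

    # Both sides arrive at g^(e*c) mod P.
    server_secret = pow(c_pub, e_priv, P)
    client_secret = pow(e_pub, c_priv, P)
    assert server_secret == client_secret
    session_key = derive_key(server_secret, transcript)

    # e_priv and c_priv go out of scope here; the wire only carried the shares.
    recorded = {"server_share": e_pub, "client_share": c_pub, "transcript": transcript}
    return session_key, recorded


def attacker_recover(recorded, leaked_server_priv):
    """Eavesdropper's best attempt once the long-term private key has leaked:
    combine it with the recorded client share. Works only if that key was
    actually the exchange key. (The leak does let them impersonate the
    server in *future* handshakes; PFS says nothing about that.)"""
    secret = pow(recorded["client_share"], leaked_server_priv, P)
    return derive_key(secret, recorded["transcript"])


def demo(ephemeral):
    """True if a later leak of the long-term key exposes the recorded session."""
    longterm = keygen()
    session_key, recorded = run_handshake(longterm, ephemeral)
    return attacker_recover(recorded, longterm[0]) == session_key


if __name__ == "__main__":
    print("static key exchange, key leaked later -> session recoverable:", demo(ephemeral=False))
    print("ephemeral key exchange, key leaked later -> session recoverable:", demo(ephemeral=True))
```

Run it and the static case reports True while the ephemeral case reports False: the recording plus the leaked long-term key is all the attacker has, and with DHE neither of those contains the discarded ephemeral exponent.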

Now you may ask why everyone isn't already using PFS if it has such good privacy properties. It's a valid question, and some large operators did adopt it early: Google has provided forward secrecy with TLS by default to users of its Gmail, Google Docs and encrypted search services since 2011.

However, the extra CPU cost of ephemeral key exchange compared with RSA key transport (largely addressed by ECDHE), lack of support in older browsers and web servers, implementation complexity and lack of awareness are the top reasons it was slow to be adopted. This is changing. TLS 1.3 removed the static RSA and static Diffie-Hellman key exchange modes entirely, so every full TLS 1.3 handshake uses ephemeral (EC)DHE; the one exception is the optional PSK-only resumption mode, which is forward secret only when combined with an ephemeral exchange (psk_dhe_ke). As TLS 1.3 adoption increases, PFS is becoming the norm rather than the exception.

Note: You can use the Qualys SSL Labs Server Test (https://www.ssllabs.com/ssltest/) to check whether a site supports forward secrecy; the report has a "Forward Secrecy" line under Protocol Details. Keep in mind that "supports" and "enforces" differ: a server that offers ECDHE suites but still accepts RSA key transport from an old client leaves those sessions exposed to a future key leak.
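If you would rather test from your own machine, the following added example (the editor's, not from the original post or from Qualys) does the same check with only the Python standard library. It classifies the cipher suite a connection actually negotiated, and it probes a server by offering only RSA key-transport suites over TLS 1.2 or lower: a server that enforces forward secrecy must refuse that handshake. The host name, port and timeout are parameters you supply; nothing is contacted unless you call the probe.

```python
"""Check whether a TLS server enforces forward secrecy.

Editor's added example, not code from the original post. Standard library
only. Cipher names follow OpenSSL's naming as returned by SSLSocket.cipher().
"""
import socket
import ssl
import sys

# In TLS 1.2 the OpenSSL suite name carries the key-exchange method as a
# prefix; only the ephemeral ones give forward secrecy. Static "DH-", "ECDH-",
# plain "AES..." (RSA key transport) and "PSK-" suites do not.
FORWARD_SECRET_PREFIXES = ("ECDHE-", "DHE-")


def is_forward_secret(cipher_name, tls_version):
    """True if the negotiated (suite, version) pair is forward secret."""
    if tls_version == "TLSv1.3":
        # TLS 1.3 removed static key exchange; every full handshake is (EC)DHE.
        return True
    return cipher_name.startswith(FORWARD_SECRET_PREFIXES)


def probe_non_pfs(host, port=443, timeout=5.0):
    """Offer the server *only* RSA key-transport suites, capped at TLS 1.2.

    Returns {'accepts_non_pfs': bool, 'negotiated': (suite, version) or None}.
    A handshake failure is the good outcome: the server enforces PFS (or
    speaks only TLS 1.3, which amounts to the same thing).
    """
    ctx = ssl.create_default_context()
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    # 'kRSA' is OpenSSL's cipher-string alias for RSA key exchange (no DH).
    # set_ciphers() raises SSLError itself if the local build has none; let
    # that propagate rather than report a false "enforces PFS".
    ctx.set_ciphers("kRSA")
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                suite, version, _bits = tls.cipher()
                return {"accepts_non_pfs": True, "negotiated": (suite, version)}
    except ssl.SSLError:
        return {"accepts_non_pfs": False, "negotiated": None}


def report(host, port=443):
    """Human-readable verdict for one host (network access required)."""
    result = probe_non_pfs(host, port)
    if result["accepts_non_pfs"]:
        suite, version = result["negotiated"]
        return f"{host}: accepts non-PFS suite {suite} over {version}"
    return f"{host}: refused RSA key transport; forward secrecy enforced"


if __name__ == "__main__":
    for target in sys.argv[1:] or ["example.com"]:
        print(report(target))
```

Interpret a refusal together with the SSL Labs report: it tells you the server turned down RSA key transport, not which ephemeral suites it offers or how strong they are. The classifier is also handy on its own for checking what an existing connection negotiated, e.g. `is_forward_secret(*sock.cipher()[:2])`.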
