In cryptography, some ciphers may be labelled with the acronym PFS. This stands for Perfect Forward Secrecy. Some implementations may simply refer to PFS as FS. This acronym means Forward Secrecy or Forward Secure. In any case, they all talk about the same thing. Understanding what Perfect Forward Secrecy means, requires you to understand the basics of cryptographic key exchange.
Contents
Cryptography basics
To communicate securely the ideal solution is to use symmetric encryption algorithms. These are fast, much faster than asymmetric algorithms. They, however, have a fundamental problem. Because the same key is used to encrypt and decrypt a message, you cannot send the key over an insecure channel. As such you need to be able to secure the channel first. This is done using asymmetric cryptography in practice.
Note: It would also be possible, if infeasible to use an out-of-band, secure channel, though the difficulty remains in securing that channel.
To secure an insecure channel a process called Diffie-Hellman key exchange is performed. In Diffie-Hellman key exchange, one party, Alice, sends their public key to the other party, Bob. Bob then combines his private key with Alice’s public key to generate a secret. Bob then sends his public key to Alice, who combines it with her private key, allowing her to generate the same secret. In this method, both parties can transmit public information but end up generating the same secret, without ever having to transmit it. This secret can then be used as the encryption key for a fast symmetric encryption algorithm.
Note: Diffie-Hellman key exchange doesn’t natively offer any authentication. An attacker in a Man in the Middle or MitM position could negotiate a secure connection with both Alice and Bob, and quietly monitor the decrypted communications. This issue is solved via PKI or Public Key Infrastructure. On the Internet, this takes the form of trusted Certificate Authorities signing certificates of websites. This allows a user to verify that they’re connecting to the server they expect to.
The problem with standard Diffie-Hellman
While the authentication problem is easy to solve, that’s not the only issue. Websites have a certificate, signed by a certificate authority. This certificate includes a public key, for which the server has the private key. You can use this set of asymmetric keys to communicate securely, however, what happens if that private key is ever compromised?
If an interested, malicious party wanted to decrypt encrypted data, they’d have a hard time of it. Modern encryption has been designed in such a way that it would take at least many millions of years to have a reasonable chance at guessing a single encryption key. A cryptographic system, however, is only as secure as the key. So if the attacker is able to compromise the key, say by hacking into the server, they can use it to decrypt any traffic it was used to encrypt.
This issue obviously has some large requirements. First, the key needs to be compromised. The attacker also needs any encrypted traffic that they want to decrypt. For your average attacker, this is quite a difficult requirement. If, however, the attacker is a malicious ISP, VPN provider, Wi-Fi hotspot owner, or nation-state, they are in a good place to capture vast amounts of encrypted traffic which they may be able to decrypt at some point.
The problem here is that with the server’s private key, the attacker could then generate the secret and use that to decrypt all traffic it was ever used to encrypt. This could allow the attacker to decrypt years of network traffic for all users to a website in one fell swoop.
Perfect Forward Secrecy
The solution to this is to not use the same encryption key for everything. Instead, you want to use ephemeral keys. Perfect forward secrecy requires the server to generate a new asymmetric key pair for each connection. The certificate is still used for authentication but is not actually used for the key negotiation process. The private key is kept in memory only long enough to negotiate the secret before being wiped. Likewise, the secret is only kept for as long as it’s in use before it is cleared. In particularly long sessions, it may even be renegotiated.
Tip: In cipher names, ciphers featuring Perfect Forward Secrecy are typically labelled with DHE or ECDHE. The DH stands or Diffie-Hellman, while the E on the end stands for Ephemeral.
By using a unique secret for each session, the risk of the private key being compromised is greatly reduced. If an attacker is able to compromise the private key, they can decrypt current and future traffic, but they can’t use it to bulk decrypt historical traffic.
As such perfect forward secrecy provides broad protection against blanket network traffic capture. While in the case of the server being compromised, some data may be decrypted, it is only current data, not all historical data. Additionally, once the compromise has been detected the issue can be resolved leaving only a relatively small amount of total lifetime traffic being decryptable by the attacker.
Conclusion
Perfect Forward Secrecy is a tool to protect against blanket historical surveillance. An attacker capable of collecting and storing vast troves of encrypted communications may be able to decrypt those if they ever gain access to the private key. PFS ensures that each session uses unique ephemeral keys. This limits the ability of the attacker to “only” be able to decrypt current traffic, rather than all historical traffic.
