Forward Secrecy

Forward secrecy, also known as "perfect forward secrecy" (PFS), protects data or communications encrypted in the past against compromises of secret keys or passwords in the future. Without forward secrecy, a patient attacker could capture an encrypted communication and then obtain the private key for that communication at a later date. With forward secrecy, a stolen private key or password does not allow the captured communication to be decrypted in the future; it remains private. This does not mean that the encryption cannot be broken in other ways; it only prevents the long-term private key from being a weak point.

Public-key and TLS Forward Secrecy

Public-key communications can have forward secrecy if they use the Diffie-Hellman technique for key exchange. The client and server use their public and private keys to authenticate the exchange and establish a temporary key (a "shared secret"). That temporary key is then used to encrypt and decrypt the communication. Once the communication is complete, the temporary key is discarded and forgotten; it is said to be "ephemeral". Neither the client's nor the server's public or private keys can be used to decrypt the communication, not now and not in the future. An attacker who captures the encrypted communication cannot use those long-term keys to decrypt it.

TLS uses public keys to establish a connection and can provide forward secrecy when configured correctly, but not all configurations guarantee it. In particular, cipher suites that use static RSA key exchange (where the client encrypts the session secret with the server's long-term public key) do not provide it. To ensure forward secrecy, use the latest TLS protocol (currently version 1.2) and require that the cipher suite use a Diffie-Hellman ephemeral key exchange (DHE or EDH). It is also a good idea to prioritize the "elliptic curve" DHE choices (ECDHE) first, simply because ECDHE is faster.
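The configuration advice above, as an added example that is not part of the original article: it uses Python's standard `ssl` module to build a client context that accepts only ephemeral (EC)DHE cipher suites, ECDHE first, next to a legacy context that still allows static RSA key exchange, and a checker that lists any enabled suite without forward secrecy. The cipher strings and the function names are constructed for this illustration.

```python
import ssl

# Cipher string allowing only ephemeral Diffie-Hellman key exchange, with the
# elliptic-curve variants listed first so they are preferred. Constructed for
# this example; adjust the symmetric ciphers to your own policy.
PFS_ONLY_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20:!aNULL:!eNULL"

# Key-exchange identifiers reported by SSLContext.get_ciphers() that provide
# forward secrecy. TLS 1.3 suites report "kx-any" because every TLS 1.3
# handshake performs an ephemeral (EC)DHE exchange.
PFS_KEY_EXCHANGE = {"kx-ecdhe", "kx-dhe", "kx-any"}


def forward_secret_context() -> ssl.SSLContext:
    """Client context that refuses TLS < 1.2 and any non-ephemeral key exchange."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(PFS_ONLY_CIPHERS)
    return ctx


def legacy_context() -> ssl.SSLContext:
    """Constructed weak context: static RSA key exchange is still enabled,
    so a server key stolen later can decrypt recorded sessions."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384")
    return ctx


def non_pfs_suites(ctx: ssl.SSLContext) -> list[str]:
    """Names of enabled cipher suites whose key exchange lacks forward secrecy."""
    return [c["name"] for c in ctx.get_ciphers() if c["kea"] not in PFS_KEY_EXCHANGE]


def tls12_key_exchange_order(ctx: ssl.SSLContext) -> list[str]:
    """Key-exchange kinds of the TLS 1.2 suites, in the order the client offers them."""
    return [c["kea"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


if __name__ == "__main__":
    print("hardened, non-PFS suites:", non_pfs_suites(forward_secret_context()))
    print("legacy, non-PFS suites:  ", non_pfs_suites(legacy_context()))
```

The same `non_pfs_suites` check can be run against a server-side context before deployment; an empty list means every negotiable suite uses an ephemeral key exchange.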
