What is Perfect Forward Secrecy?

Perfect Forward Secrecy (PFS), also known as Forward Secrecy, is an encryption property that protects past sessions against future compromises of keys. It has two properties that must hold to provide this protection.

What is It?

The first (strong) property of PFS states that exposure of the long-term keys used in the session key exchange must not compromise the secrecy of the session keys.

The second (weak) property requires that the compromise of a single session key does not compromise any past data beyond that of the current session, because a unique session key is generated for each session. This limits the amount of information exposed should an attack succeed.

Implementation of PFS

The most common way of achieving Perfect Forward Secrecy (PFS) is to use the Diffie-Hellman key exchange protocol to establish the session key, while restricting the long-term keys (such as digital signature keys) to authenticating the parties that exchange the session keys.

Thus, in contrast to the traditional approach of transferring session keys in encrypted form, in PFS the session keys are never transmitted at all, not even encrypted: each party computes the key locally from the exchanged Diffie-Hellman values, so there is no session key on the wire to intercept.

In this way, if an attacker records all past communications between two parties and at some point in the future manages to compromise the long-term key, the attacker still has no way to access the session data except by cryptanalyzing the Diffie-Hellman key exchange of each session separately.

Note that using only an asymmetric (public key) algorithm does not by itself ensure PFS, and this is a common implementation pitfall: if the long-term asymmetric key is compromised in the future, every session key that was exchanged under that key can be recovered from recorded traffic. An ephemeral Diffie-Hellman exchange is therefore essential to a PFS implementation.

As a side note, session keys can in theory be recovered by brute force given enough time and resources. However, the payoff relative to the effort is small: only a single session is compromised. In this respect, PFS also discourages adversaries from attempting brute force attacks.

Quote by Whitfield Diffie

The decision we make about communication security today will determine the kind of society we live in tomorrow.

Whitfield Diffie

Threat Model

The protection that Perfect Forward Secrecy (PFS) offers is, however, limited by an assumption in the threat model: the adversary is assumed to collect traffic on the link only passively and not to mount a Man-In-The-Middle (MITM) attack. If the long-term signing key is compromised, an adversary can masquerade as one of the parties in a MITM attack and thereby compromise the session keys exchanged via the Diffie-Hellman protocol.

PFS protection also assumes that session keys are stored only temporarily and deleted once they have served their purpose. Otherwise, adversaries targeting the clients or servers could capture the stored session keys and decrypt any previously recorded messages.

A Hypothetical PFS Example

A hypothetical messaging example where PFS is used is as follows:

  1. Alice and Bob each have an asymmetric public and private key pair (such as RSA). They authenticate each other with these keys at the beginning of the communication.
  2. Next, the Diffie-Hellman algorithm is used to agree on an ephemeral session key. Any key establishment data is sent both encrypted and signed using the asymmetric public and private keys.
  3. Using the ephemeral session key, Alice sends Bob a message encrypted with a symmetric encryption algorithm (such as AES-256).
  4. Steps 2 and 3 are repeated for the following messages exchanged.
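The flow above, and the contrast with "session key wrapped under the long-term key" described in the implementation section, as a runnable toy model written in Python. This is an added example, not code from the original article. It uses only the standard library, so an HMAC tag stands in for the long-term-key signature, a SHA-256 keystream stands in for AES-256, and the group (prime 2**255 - 19, generator 2) is a constructed toy assumption, not a group to deploy.

```python
import hashlib, hmac, secrets

# Toy DH group (assumption): prime 2**255 - 19, generator 2. Real systems use
# standardised groups (RFC 7919) or X25519, never an ad hoc group like this.
P = 2**255 - 19
G = 2

def ephemeral_keypair():
    """Fresh DH secret and public value, generated per session (step 2)."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def derive_session_key(priv, peer_pub, transcript):
    """Session key: hash of the DH shared secret bound to the exchanged values."""
    shared = pow(peer_pub, priv, P).to_bytes(32, "big")
    return hashlib.sha256(shared + transcript).digest()

def authenticate(long_term_key, data):
    """HMAC stand-in for the long-term-key signature over the exchange data."""
    return hmac.new(long_term_key, data, "sha256").digest()

def xor_stream(key, data):
    """Toy SHA-256 keystream cipher standing in for AES-256; same call decrypts."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(x ^ y for x, y in zip(data, stream))

def pfs_session(lt_key, message):
    """Steps 2-3 for one message; returns the wiretap's record and the key."""
    a_priv, a_pub = ephemeral_keypair()
    b_priv, b_pub = ephemeral_keypair()
    transcript = a_pub.to_bytes(32, "big") + b_pub.to_bytes(32, "big")
    tag = authenticate(lt_key, transcript)   # long-term key only authenticates
    k_alice = derive_session_key(a_priv, b_pub, transcript)
    k_bob = derive_session_key(b_priv, a_pub, transcript)
    assert k_alice == k_bob                  # g^(ab) computed on both sides
    ciphertext = xor_stream(k_alice, message)
    del a_priv, b_priv                       # ephemeral secrets are discarded
    return {"transcript": transcript, "tag": tag, "ct": ciphertext}, k_alice

def key_transport_session(lt_key, message):  # contrast: no PFS
    k = secrets.token_bytes(32)              # session key wrapped under lt_key
    return {"wrapped_key": xor_stream(lt_key, k), "ct": xor_stream(k, message)}, k

def later_compromise(record, lt_key):
    """What a passive recorder recovers once the long-term key leaks."""
    if "wrapped_key" in record:              # unwrap the key, then decrypt
        k = xor_stream(lt_key, record["wrapped_key"])
        return xor_stream(k, record["ct"])
    return None  # PFS record holds only g^a, g^b and a tag; lt_key yields no key
```

Run two PFS sessions and one key-transport session under the same long-term key: the PFS records stay opaque after the key leaks, the key-transport record does not, and every PFS session has its own key.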

PFS In Practice

In practice, PFS protects data at the transport layer, where the SSL/TLS protocols are commonly used. If PFS is used, SSL/TLS communication recorded in the past cannot be decrypted by an attacker should the long-term SSL/TLS keys be compromised in the future.

The Heartbleed bug (CVE-2014-0160), for instance, is a recent case in which SSL/TLS keys were exposed through a vulnerability in the OpenSSL cryptographic library. In this case, PFS prevented exposure of the session data, because the session keys remained unknown to the adversaries.

Due to security concerns over the Public Key Infrastructure (PKI) model (especially after the revelations by Edward Snowden), PFS is regarded as an important security property by many service providers and is already implemented in major products. To name a few, WhatsApp started using PFS in 2016 and Twitter has used it since 2013. Apple has also mandated that all App Store apps use PFS. Last but not least, the TLS 1.3 standard requires PFS for all TLS sessions.

To learn more about the principles of cryptography, you could also read our article What is Kerckhoffs’ Principle?