What is Forward Secrecy and how does it work?

Perfect Forward Secrecy (PFS), also called forward secrecy (FS), refers to an encryption system that changes the keys used to encrypt and decrypt information frequently and automatically. This ongoing process ensures that even if the most recent key is hacked, a minimal amount of sensitive data is exposed.

  • Forward secrecy is a feature of specific key agreement protocols which gives assurance that even if the private key of the server is compromised, the session keys will not be compromised. It is also known as perfect forward secrecy (PFS).
  • The algorithm that helps in achieving this is called “Diffie–Hellman key exchange”.

Web pages, calling apps, and messaging apps all use encryption tools with perfect forward secrecy that switch their keys as often as each call or message in a conversation, or every reload of an encrypted web page. This way, the loss or theft of one decryption key does not compromise any additional sensitive information—including additional keys.

Determine whether forward secrecy is present by inspecting the decrypted, plain-text version of the data exchange from the key agreement phase of session initiation. An application or website’s encryption system provides perfect forward secrecy if it does not reveal the encryption key throughout the session.

Perfect forward secrecy helps protect session keys against being compromised even when the server’s private key may be vulnerable. A feature of specific key agreement protocols, an encryption system with forward secrecy generates a unique session key for every user-initiated session. In this way, should any single session key be compromised, the rest of the data on the system remains protected. Only the data guarded by the compromised key is vulnerable.

Before perfect forward secrecy, the Heartbleed bug affected OpenSSL, one of the most common SSL/TLS libraries. With forward secrecy in place, even man-in-the-middle attacks and similar attempts fail to retrieve and decrypt sessions and communications despite compromise of passwords or secret long-term keys.

Compare Backwards vs Forwards Secrecy

Perfect forward secrecy guards against future compromises of past sessions, which could cause the loss of sensitive data such as passwords or additional secret keys.

Backward secrecy helps “self-heal” compromises of past sessions and the loss of sensitive data from them. This is confusing because both do focus on data from past sessions, but forward secrecy is preventative while backward secrecy is mitigating. For example, the Signal protocol uses the self-healing Double Ratchet Algorithm to achieve backward secrecy.
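To make the forward/backward distinction concrete, here is an added example (not from this page and not Signal's code) of a symmetric KDF-chain ratchet in Python. A leaked chain key never yields earlier message keys (forward secrecy), but it does yield every later key until a fresh secret is mixed into the chain, which is the role of the Double Ratchet's Diffie-Hellman step. The fresh secret is simulated with random bytes, and the function names are this example's own.

```python
"""Symmetric KDF-chain ratchet: forward secrecy without backward secrecy, and how
mixing in a fresh key-agreement secret (the Double Ratchet's DH step, simplified)
heals a compromised chain. Added educational example, not Signal's code."""
import hashlib
import hmac
import secrets


def ratchet(chain_key):
    """One chain step: returns (next chain key, message key). HMAC is one-way, so the
    previous chain key cannot be recovered from the next one (forward secrecy)."""
    next_ck = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    msg_key = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    return next_ck, msg_key


def mix_fresh_secret(chain_key, fresh_secret):
    """DH-ratchet stand-in: fold a freshly agreed secret into the chain."""
    return hmac.new(chain_key, fresh_secret, hashlib.sha256).digest()


def derive_keys(chain_key, count):
    """Advance the chain `count` times; return (final chain key, list of message keys)."""
    keys = []
    for _ in range(count):
        chain_key, mk = ratchet(chain_key)
        keys.append(mk)
    return chain_key, keys


def simulate(steps_before, steps_after, heal):
    """Leak the chain key after `steps_before` messages, then continue for `steps_after`.
    Returns (attacker recovers any earlier message key, attacker recovers all later keys)."""
    ck, past_keys = derive_keys(secrets.token_bytes(32), steps_before)
    leaked = ck  # the attacker snapshots the current chain key at this point
    if heal:
        fresh = secrets.token_bytes(32)  # stands for a new DH agreement the attacker did not observe
        ck = mix_fresh_secret(ck, fresh)
    _, future_keys = derive_keys(ck, steps_after)
    # From the leaked state the attacker can only run the chain forward.
    _, attacker_keys = derive_keys(leaked, steps_after)
    past_recovered = any(k in past_keys for k in attacker_keys)
    future_recovered = attacker_keys == future_keys
    return past_recovered, future_recovered
```

With `heal=False` the attacker who captured one chain key reads every later message (no backward secrecy); with `heal=True` the chains diverge at the fresh secret and the compromise is "healed". In neither case can the attacker run the chain backwards to earlier message keys.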

How Does Perfect Forward Secrecy Work?

Perfect forward secrecy enables entirely private, short-term key exchanges between a client and a server.

Normally, web servers secure communication sessions with special encryption keys. Whenever a client wants to talk to the server, the client generates a pre-master secret and uses the server’s special key to encrypt it. Both parties then continue the rest of the chat, encrypting it with this pre-master secret.

Only those who know the server’s original key can decrypt what the client and server discuss. The network team that supports the server, for example, may need to monitor communications in order to track down bugs.

Without perfect forward secrecy, an attacker can spy on the server’s communications unobserved. This is because the server uses the same key to encrypt each pre-master secret with each client.

If the server secures communications with perfect forward secrecy, every time a new client starts a conversation with the server, the two generate a unique pre-master secret that is totally private. It is also ephemeral, and only lasts for that one communication. The client never sees the long-term key, and a hacker is limited to only what is shared during that one conversation.

Consider this hypothetical example of a basic instant messaging protocol using perfect forward secrecy:

  • Step One: X and Y each generate a long-term asymmetric key pair (a public key and a private key). They verify each other’s public-key fingerprints over an already-authenticated channel, or in person. The verification process establishes to a high degree of certainty that the public key’s claimed owner is also its actual owner.
  • Step Two: X and Y securely agree on an ephemeral key for the session using a key exchange algorithm such as Diffie-Hellman. They authenticate each other with the keys from Step One during this process.
  • Step Three: X uses the session key negotiated in Step Two to encrypt a message with a symmetric cipher and sends that encrypted version to Y.
  • Step Four: Y decrypts the message with the key from Step Two.

Step One never repeats. Instead, the process repeats starting from Step Two for each new message sent. Depending on the conversation, X and Y’s roles as sender or recipient may switch. It is this generation of new session keys for each message that achieves forward secrecy.

Even if Step Two is compromised at some point, that key is only good for one message. A compromise of Step One would also leave messages intact—although it might enable an attacker to impersonate X or Y moving forward, leaving future messages vulnerable.
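The following added example (not code from this page) puts both pictures side by side in Python: the server-static model described above, where a later leak of the server's long-term key unlocks a recorded session, and the Step One to Step Four protocol, where each message uses fresh ephemeral Diffie-Hellman keys authenticated by the long-term keys. Since the standard library has no RSA, the "encrypt the pre-master secret with the server's key" model is represented by its Diffie-Hellman analogue (client ephemeral against server static), the signature on the ephemeral key is replaced by a MAC keyed from a long-term/long-term DH secret, and an HMAC counter-mode keystream stands in for AES. The group (a 127-bit Mersenne prime) is a toy choice for readability, and all function names and the sample message are this example's own.

```python
"""Forward secrecy demo: toy Diffie-Hellman over a small prime, an HMAC-based
stand-in stream cipher, and an attacker who later obtains long-term private
keys plus a recorded transcript. Educational only, not production code."""
import hashlib
import hmac
import secrets

P = 2**127 - 1  # Mersenne prime; toy group only (use RFC 7919 groups or X25519 in practice)
G = 3


def keygen():
    """Generate a Diffie-Hellman (private, public) pair in the toy group."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh(my_priv, their_pub):
    """Shared secret g^(ab) mod p; either side computes the same value."""
    return pow(their_pub, my_priv, P)


def kdf(secret, label):
    """Derive a 32-byte key from a DH secret (one SHA-256 call stands in for HKDF)."""
    return hashlib.sha256(label + secret.to_bytes(16, "big")).digest()


def keystream(key, n):
    """Counter-mode keystream from HMAC-SHA256 (stands in for AES-CTR)."""
    blocks = [hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1)]
    return b"".join(blocks)[:n]


def encrypt(secret, plaintext):
    """Encrypt-then-MAC with separate keys derived from the DH secret."""
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(kdf(secret, b"enc"), len(plaintext))))
    return ct + hmac.new(kdf(secret, b"mac"), ct, hashlib.sha256).digest()


def decrypt(secret, blob):
    """Check the MAC first; return None (not plaintext) when the key is wrong."""
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(kdf(secret, b"mac"), ct, hashlib.sha256).digest(), tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, keystream(kdf(secret, b"enc"), len(ct))))


# Mode 1: client ephemeral, server long-term key only (no forward secrecy).
def static_server_session(server_pub, message):
    """The client derives the pre-master secret from the server's long-term key.
    Returns what an eavesdropper records: the client's public value and the ciphertext."""
    c_priv, c_pub = keygen()
    secret = dh(c_priv, server_pub)  # the server reproduces it with dh(server_priv, c_pub)
    return {"client_pub": c_pub, "ciphertext": encrypt(secret, message)}


def attack_static(transcript, leaked_server_priv):
    """Later compromise: the server's long-term key plus the recording decrypts the session."""
    return decrypt(dh(leaked_server_priv, transcript["client_pub"]), transcript["ciphertext"])


# Mode 2: fresh ephemeral keys on both sides, authenticated by long-term keys (forward secrecy).
def ephemeral_session(x_keys, y_keys, message):
    """Steps Two to Four: per-message ephemeral DH; X's ephemeral public value carries a
    MAC keyed from the Step One long-term keys so Y knows it came from X (a full protocol
    tags Y's value the same way)."""
    (x_priv, x_pub), (y_priv, y_pub) = x_keys, y_keys
    kx = kdf(dh(x_priv, y_pub), b"auth")  # X's view of the long-term shared key
    ky = kdf(dh(y_priv, x_pub), b"auth")  # Y's view; identical, so the tag verifies
    ex_priv, ex_pub = keygen()
    ey_priv, ey_pub = keygen()
    tag = hmac.new(kx, ex_pub.to_bytes(16, "big"), hashlib.sha256).digest()
    if not hmac.compare_digest(tag, hmac.new(ky, ex_pub.to_bytes(16, "big"), hashlib.sha256).digest()):
        raise ValueError("Y rejects an ephemeral key that the long-term keys do not vouch for")
    secret_x, secret_y = dh(ex_priv, ey_pub), dh(ey_priv, ex_pub)
    blob = encrypt(secret_x, message)
    received = decrypt(secret_y, blob)
    del ex_priv, ey_priv  # ephemeral private keys are discarded once the message is handled
    return {"x_eph_pub": ex_pub, "y_eph_pub": ey_pub, "auth_tag": tag,
            "ciphertext": blob, "received": received}


def attack_ephemeral(transcript, leaked_x_priv, leaked_y_priv):
    """Even with both long-term keys, only long-term/ephemeral combinations are computable;
    none equals the ephemeral-ephemeral secret, so every attempt fails the MAC."""
    for guess in (dh(leaked_x_priv, transcript["y_eph_pub"]),
                  dh(leaked_y_priv, transcript["x_eph_pub"])):
        plaintext = decrypt(guess, transcript["ciphertext"])
        if plaintext is not None:
            return plaintext
    return None


def demo(message=b"constructed sample message"):
    """Returns (mode-1 attacker result, mode-2 honest receiver result, mode-2 attacker result)."""
    s_priv, s_pub = keygen()
    rec1 = static_server_session(s_pub, message)
    x_keys, y_keys = keygen(), keygen()
    rec2 = ephemeral_session(x_keys, y_keys, message)
    return attack_static(rec1, s_priv), rec2["received"], attack_ephemeral(rec2, x_keys[0], y_keys[0])
```

Running `demo()` shows the asymmetry the text describes: in mode 1 the recorded session falls to a later leak of the server's key, while in mode 2 the same leak of both long-term keys yields nothing, because the only secret that decrypts the message was derived from two ephemeral private keys that no longer exist. What the leaked long-term keys do still permit is forging the authentication tag on future ephemeral keys, which is the impersonation risk noted above.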

Benefits of Perfect Forward Secrecy

There are many benefits to perfect forward secrecy. Brute force attacks can eventually penetrate even very secure encryption, given enough time and computing power to try combinations of security keys. Without forward secrecy, encryption keys are used for sessions—entire batches of transactions.

Brute force hacking demands extensive time and resources, but the amount of sensitive data it can return makes it worthwhile. Perfect forward secrecy guarantees that brute force attacks won’t be as worthwhile.

Generating a unique session key for each transaction limits hackers to obtaining data from one exchange per successful attack. A server protected by perfect forward secrecy is simply a less appealing target for a hacker, because it demands more effort and time. There’s also no future value in such an attack, because the server with PFS generates a new set of Diffie-Hellman parameters per session.