Is “Perfect Forward Secrecy” Perfect?


My previous post was a response to a participant’s question — How Diffie-Hellman key exchange works? This time I’d like to talk about “Perfect Forward Secrecy” because some participants asked, “What makes it perfect?”

Perfect Forward Secrecy or PFS is any scheme where discovering a key to access one message in an exchange between parties does not allow one to discover the contents of or keys for other messages.

A simple example of encrypted communication without PFS is where a single AES key k – regardless of length – is used to encrypt several messages between Alice and Bob. In this case, if an attacker, Eve, somehow discovered the key, she would have access to all the messages they’d exchanged using that key. The same would apply if they’d used some key k to generate individual session keys, but had done that in a manner known to the attacker. An example of the latter might be to hash the key with a known value or with a value Eve could easily discover.

On the Internet, a server’s private key is used to generate session keys. That means that without PFS, if a server’s key were compromised, all recorded communication with that server would also be compromised. This compromise could have been via the Heartbleed bug, for example.

So, how do we get this “perfect” secrecy? One way is to use Diffie-Hellman key exchange to generate a key for each message. But it isn’t perfect if you save that key anywhere. That is, both Alice and Bob need to keep the key only in memory. We call that an ephemeral key. PFS can be enabled in TLSv1.2. It isn’t always done by default, though, likely because it takes a bit more computing power and slows down the initial part of a communication slightly.
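The contrast between the two cases above, as an added example that is not part of the original post: session keys hashed from a long-term key with a known value, versus session keys from an ephemeral Diffie-Hellman exchange. The group parameters `P` and `G`, the function names and the session IDs are assumptions made for illustration, and the signing step TLS uses to authenticate the exchange is omitted.

```python
import hashlib, hmac, secrets

# Toy DH group, an assumption for illustration only; real systems use a
# vetted library with standardized groups or curves.
P, G = 2**255 - 19, 2

def derive_static(long_term: bytes, session_id: bytes) -> bytes:
    """No PFS: session key = HMAC(long-term key, value visible on the wire)."""
    return hmac.new(long_term, session_id, hashlib.sha256).digest()

def dh_keypair():
    """Fresh private exponent and the public value sent to the peer."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def dh_session_key(my_priv: int, peer_pub: int) -> bytes:
    shared = pow(peer_pub, my_priv, P)
    return hashlib.sha256(shared.to_bytes(32, "big")).digest()

def run_sessions(n: int = 3):
    """Run n sessions under both schemes and record what crosses the wire."""
    long_term = secrets.token_bytes(32)      # the server's stored secret
    transcript, static_keys, eph_keys = [], [], []
    for i in range(n):
        sid = i.to_bytes(4, "big")           # constructed session ID, public
        static_keys.append(derive_static(long_term, sid))
        a_priv, a_pub = dh_keypair()         # Alice, this session only
        b_priv, b_pub = dh_keypair()         # Bob, this session only
        key = dh_session_key(a_priv, b_pub)
        if key != dh_session_key(b_priv, a_pub):
            raise RuntimeError("DH key agreement failed")
        eph_keys.append(key)
        transcript.append((sid, a_pub, b_pub))
        del a_priv, b_priv                   # ephemeral: never stored
    return long_term, transcript, static_keys, eph_keys

def keys_from_stolen_long_term(long_term: bytes, transcript):
    """Session keys computable from the long-term key plus recorded traffic."""
    return [derive_static(long_term, sid) for sid, _, _ in transcript]

if __name__ == "__main__":
    lt, wire, static_keys, eph_keys = run_sessions()
    exposed = keys_from_stolen_long_term(lt, wire)
    print("static-derived keys exposed:", exposed == static_keys)
    print("ephemeral keys exposed:", any(k in exposed for k in eph_keys))
```

With the static derivation, every past session key follows from the long-term key and the recorded session IDs; the ephemeral keys depend on private exponents that no longer exist anywhere.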

Other ways to do it involve changing keys for each information exchange using what is called a key ratchet. This means the parties Alice and Bob include Diffie-Hellman information with each message so the other can discover what key to use next.

Of course, this only works with data in transit, that is, data that is moving over a wire. It can’t work for data at rest because the keys needed to decrypt the data have to be stored somewhere. (Although one could argue that the key could be stored ephemerally in a human’s head, but that doesn’t seem to count here…).

To your safe computing,
John McDermott
