What is perfect forward secrecy?
Perfect forward secrecy (or PFS) refers to a process in which an encryption system regularly changes its encryption keys, so only a tiny bit of data can be compromised in any single breach.
The system switches keys after every message, call, or page load. This means that an interceptor can only get hold of that one operation or message, but not all the other data, as it is encrypted by different sets of keys.
PFS also protects the data of a network of SSL/TLS protocols in case their long-term keys are compromised.
How does perfect forward secrecy work?
Let’s say that Tom and Jane are chatting via a secure messaging app, which uses PFS. The app uses public and private keys, which encrypt their communication and identifies them as intended senders and receivers. It uses these keys only to help them to identify one another.
Then a key exchange algorithm creates an ephemeral key, which encrypts every single message. When Tom sends Jane a message, it will be encrypted with that key. Jane decrypts it using the same key. The same process is repeated in every exchange of messages. Each message has new session keys.
Now even if a hacker intercepts Tom and Jane’s conversation, they’ll only be able to see a single message, rather than the whole conversation. Even if they get hold of their public and private keys, they still can’t access their chat as all the messages are encrypted by different sets of keys.
However, the snooper could fake Tom and Jane’s identities and potentially monitor future conversations using the obtained public and private keys.
What do we use perfect forward secrecy for?
People use perfect forward secrecy keys and encryption for:
- Securing instant messaging data. PFS is often used to secure online conversations. Signal is the messaging app which popularized this feature.
- Securing web data. PFS can protect your privacy and ensure that no one can intercept your web data. It protects the transport layer of a network in addition to commonly used SSL or TLS, as well as HTTPS protocols. Browsers can also initiate PFS with compatible HTTPS websites. However, not all websites uses PFS.
- Protecting email communications. For example, German email service provider Mailbox.org uses PFS to protect messages in transit.
Pros and cons of perfect forward secrecy
- Protects your past communications and data. Even if someone compromises your keys and intrudes on your personal conversations, they can’t get hold of your past data.
- If hackers attack a PFS-protected server, they will only get hold of a tiny bit of data that won’t be of any use to them.
- Requires more programming power and resources.
- Harder to troubleshoot from the developer’s side.
- In instant messaging use-cases, PFS doesn’t protect future communications once private and public keys are compromised.
Check out our video on perfect forward security below.
A simpler way to stay secure
While PFS is a powerful and useful tool, it’s not the only way to protect your privacy online. With a virtual private network, or VPN, you can keep you data secure at all times.
NordVPN provides layers of powerful encryption, so even if your internet connection is compromised by hackers, your online activity will still be inaccessible to them. It’s a simple and effective way to take next-gen encryption with you wherever you go.
One NordVPN account will cover up to six devices; that includes smartphones, computers, smart TVs, and even your home router. Secure privacy is just a click away.