Perfect Forward Secrecy

When you connect to a website (server) securely, you generally do so over HTTPS. In the first few milliseconds of the connection between your browser and the server, your browser sends the server some information about what kind of encryption it supports, and the server replies back with a verification and the encrypted connection begins. One option that may be sent in this communication is something called Perfect Forward Secrecy. Forward security provides additional protection in the case that the encrypted communication – while being encrypted – is still being listened in on and stored elsewhere.

Why is Forward Secrecy important? Data sent to the client from the server is encrypted with the server’s key (through public key encryption). In transmission, the data is safely encrypted until it is decrypted when it is received by the server. Unfortunately, this means the encrypted data is only as safe as the server’s private key – which is something often out of an average user’s control. Should the key be obtained through any means, all of the communications between the server and client could be decrypted, going as far back as the beginning of the communications.

Perfect Forward Secrecy is a measure to combat against this. With Perfect Forward Secrecy, if the server’s key to a communication was somehow obtained, it would only be able to decrypt the messages that were directly encrypted with that key. It does this by ensuring that when a key is generated to protected the transmission of data, the key is never derived from any previous keys. Essentially, all data is sent with a unique key, so obtaining a key in the future will not reveal all of the history of that communication – only the data secured by that key itself.



Support Organizations